
Blog

Sometimes we take a break from building cutting-edge cryptography and data protection to stretch our academic muscles and write about privacy and stories.



Law firms handle some of the most sensitive documents in the world — contracts, litigation drafts, due diligence files.


Yet most of these documents are still shared the same way:

as email attachments.


And that’s where confidentiality quietly breaks down.


Email Was Built for Communication, Not Control

Email is convenient. Universal. Fast.


But once an attachment is sent:

  • It can be downloaded

  • Saved locally

  • Forwarded to others

  • Stored indefinitely


The sender has no ability to control or track what happens next.

For law firms, that’s a major vulnerability.


Where Confidentiality Actually Fails

Confidentiality doesn’t usually fail inside the law firm’s document system.

It fails when:

  • A client forwards a draft contract internally

  • A consultant receives documents outside the intended scope

  • A former employee still has old attachments


These situations are rarely malicious. They’re simply uncontrolled sharing.


The Limits of NDAs and Policies

Firms rely on:

  • NDAs

  • Engagement letters

  • Internal confidentiality policies


These are legal safeguards, not technical controls.


They may help after a breach, but they don’t prevent:

  • Accidental forwarding

  • Unauthorized access

  • Data leakage before disputes arise


The Need for Post-Delivery Control

Modern document sharing is shifting toward:

  • View-only access

  • Expiry-based availability

  • Revocation even after sending

  • Access tracking


This doesn’t replace legal protections — it strengthens them with technical enforcement.


Closing Thought

In legal practice, confidentiality is everything.

But confidentiality should not end at the “Send” button.


Firms that adopt controlled sharing aren’t just protecting documents — they’re protecting client trust.


 
 
 


Most diagnostic labs invest in secure systems to store patient data. But the real compliance risk begins the moment a report is shared.


Whether it’s sent via email, WhatsApp, or downloaded as a PDF, that report is now outside the lab’s control — and often outside audit visibility.


The Illusion of “Secure Storage”

Labs typically focus on:

  • Secure lab information systems (LIS)

  • Encrypted databases

  • Access controls inside their systems


But regulators don’t only assess storage security. They also care about data handling and sharing practices.


A report shared casually can:

  • Be forwarded to unauthorized individuals

  • Be stored on personal devices

  • Be uploaded to insecure platforms


Once this happens, the lab usually has no visibility.


Why Sharing Is the Weakest Link

Common sharing methods:

  • WhatsApp to patients

  • Email attachments to doctors

  • Downloadable PDFs from portals


These methods have three major issues:

  1. No Control After Sending

    Once downloaded, the lab cannot revoke access.

  2. No Visibility

    Labs don’t know who opened or forwarded reports.

  3. No Audit Trail

    During disputes or audits, proving controlled access becomes difficult.


This creates legal and compliance exposure that most labs underestimate.


Real-World Consequences

Uncontrolled sharing can lead to:

  • Patient privacy complaints

  • Legal disputes over data misuse

  • Regulatory scrutiny

  • Loss of trust with hospital partners


Often, the lab followed all internal security policies — but lost control after delivery.


A New Approach: Control After Delivery

Forward-thinking healthcare providers are starting to ask:

“What if we could still control reports even after sharing them?”

Modern solutions now allow:

  • View-only access

  • Time-based expiry

  • Revocation of access

  • Access activity logs


This shifts compliance from “we sent it securely” to

“we retained control even after sending.”


Closing Thought

In healthcare, the risk isn’t just where data is stored.

It’s what happens after it leaves your system.


Labs that address this gap aren’t just improving security — they’re strengthening compliance readiness and patient trust.

 
 
 

(“Stella Università” is a fictional Italian university, but the story is grounded in real events in Italy.)



Background


Stella Università is a mid-sized public university in Italy, with ~20,000 students, dozens of departments, and a growing set of online services (student portals, research data, administrative files). Professors routinely share lecture materials, student records, research drafts, and collaboration documents among staff, students and external partners.


The incident


One day, the IT office detected irregular activity: a staff member shared a sensitive research dataset and student personal-data spreadsheets through a collaboration chat. That file was forwarded externally to a partner institution, and later appeared on an unauthorized forum. Simultaneously, a ransomware group claimed a cyber-attack and exfiltrated ~500 GB of files from the university’s shared storage system. A public notice explained that personal contact info, administrative and contract data were affected. (unisi.it)


At the same time, the university was using a proctoring system for online exams which processed students’ biometric data without proper legal basis. The Italian Data Protection Authority (“Garante”) fined another university €200,000 for this exact issue. (edpb.europa.eu)


Consequences


  • The university had to notify thousands of students, faculty and staff about the breach.

  • It faced reputational damage: prospective students raised doubts; collaborators paused research work.

  • It incurred legal and regulatory pressure under GDPR and Italian privacy law: the lack of proper controls meant a huge risk of further fines.

  • The forwarded file (student records + research data) could no longer be “taken back”, even though access should have been limited.


What the professors & departments felt


  • A professor who shared the dataset felt guilt: “I thought sharing with our partner was fine, but I lost control once it left our system.”

  • The research office realised that just encrypting the files wasn’t enough; they needed dynamic control over who could view, forward or save them, and the ability to revoke access later.

  • The university’s privacy officer admitted: “We had no way to ensure that after one of our staff forwarded the file, the recipient couldn’t further share it.”



How Privitty steps in & what it solves


Here’s how Privitty could have changed the story at Stella Università:

  • When the professor uploads the dataset or student records, the file is shared via the collaboration tool with Privitty controls.

  • The professor sets rules: “Only this partner department can view; they cannot forward; they cannot save a local copy; and access must expire after 90 days.”

  • Even if the partner tries to forward the file, an unauthorised user sees only encrypted gibberish.

  • If a staff member leaves or a project ends, the university admin revokes access in one click — the file instantly becomes unreadable for that party.

  • Auditing: The university can see who accessed the file, when, and what actions they took. That means strong compliance with GDPR / Italian rules about data access and processing.

  • For the online exam scenario: any exam recordings or biometric files are encrypted and access-governed — even if the proctoring tool exports a result, access is tightly controlled, minimizing risk of illegal biometric profiling.



The key take-aways for colleges/universities & professors


  • Data sharing is essential in academia (lectures, research, collaboration), but once you share, the risk grows unless you control what happens afterwards.

  • Italian cases show that even universities are vulnerable — major breaches, fines, uncontrolled biometric processing. (unisi.it)

  • Encryption alone isn't sufficient; what matters is who can use the file, how they can use it, and the ability to revoke access later.

  • With Privitty, the university regains dynamic governance over academic data, student data and research data — not just safe storage, but safe sharing.

  • That supports compliance with GDPR / Italian privacy laws, protects institutional reputation, and builds trust with students and staff.



Source / References:

  • Italian SA finds monitoring system for online university exams is a breach — Garante per la protezione dei dati personali found that a university processed biometric data without a lawful basis in Italy. (edpb.europa.eu)

  • The Italian Data Protection Authority fines Luigi Bocconi University €200,000 for unlawful processing of students’ personal data through proctoring software during exams. (DataGuidance)

  • Italy’s facial recognition ban (except law enforcement) — Italy has banned use of facial recognition systems in municipalities pending legal basis. (AI News)

  • The Garante (Italian privacy watchdog) conducts investigations, audits, imposes sanctions and is increasingly active in enforcing data protection in Italy. (Reuters)

  • Personal data anonymization and risk of DPO in Italy — shows fines and sanctions by the Garante in Italian context around data-protection breaches. (privacymatters.dlapiper.com)

  • Biometrics for attendance recording: Italian SA fines high-school for biometric data processing without basis. (edpb.europa.eu)



 
 
 

Privitty is a secure, decentralized messaging app with advanced privacy features like message revocation and time-limited access.


Sobha Silicon Oasis, Electronics City, Bangalore.
info@privittytech.com


© 2025 by Alanring Technology Ptv. Ltd.
