In the United States, it’s illegal in many states to send an unencrypted email containing a person’s Social Security number (An example is the 2006 New York Social Security Number Protection Law). This regulatory constraint has a significant impact on the way in which American tax practices communicate with their clients.
While we don’t have such specific legislation in the UK, the Data Protection Act does place a duty of care on practices who wish to communicate personal information via email.
The seventh Data Protection Principle in the Act says: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
It’s a truism that you should never write anything in an email that you wouldn’t write on the back of a postcard – email is NOT secure. From this, it is clear that sending a client’s tax return as a PDF attachment without protecting it from interception is a breach of the Act. Of course in the real world, the risk of interception is low, but it does exist – particularly when dealing with clients who are in the public eye.
The obvious solution is to encrypt the email (using Public Key Encryption software), but this tends to require a degree of coordination between sender and receiver, and while the practice might be happy to invest in the appropriate software, clients are not. In practice, I’ve NEVER seen such a system in use.
You could just encrypt the attachment (a password-protected PDF, etc.). This is quite a common approach, as it can be implemented very quickly without much (or any) cost. The difficulty arises in maintaining such a system. You must ensure that the client knows the password you are going to use on the secured document, and all staff likely to send a document to that client must also know that password. Ideally, the password for each client should be unique (which now means you need to maintain a list of hundreds or even thousands of passwords in the office). It goes without saying that you should not communicate the password to the client via email! In short, this approach runs the risk of creating an administrative burden that encourages staff to bypass the rules when in a hurry.
This is where a ‘Secure Client Portal’ comes in.
A portal is a secure web-site that is used to accept, store, and publish documents to authorised users. The practice and all clients have access to the web-site through a username and a password. The practice can see ALL documents for all clients. The clients can see only those documents meant for them. You may already have used a system like this if you opt to receive paperless bills from your phone provider, utility company or insurer.
In practice, a fee-earner uploads the draft tax return (or whatever) to the web-site over an encrypted link (coding it to the appropriate client), and the document remains stored securely until the client logs in to review it (also over an encrypted link). The client is also able to upload information for delivery back to the practice.
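As an added illustration (not code from the original post), the visibility rule just described, modelled in Python with constructed users and documents: practice staff see everything, each client sees only documents coded to them, and a client’s own uploads are coded to that client regardless of what the request asks for. Fetching by document number is authorised the same way as listing, so guessing another client’s document id yields nothing.

```python
# Added example, not part of the original post: a minimal model of the
# portal's document-visibility rule.  User and document names are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    name: str
    is_practice: bool          # True for fee-earners and other staff
    client_id: Optional[str]   # set only for client users


@dataclass
class Document:
    doc_id: int
    client_id: str             # the client the document is coded to
    title: str
    uploaded_by: str


class Portal:
    def __init__(self) -> None:
        self._docs: Dict[int, Document] = {}
        self._next_id = 1

    def upload(self, user: User, title: str, client_id: Optional[str] = None) -> int:
        """Store a document.  Staff must code it to a client; a client can
        only ever upload into their own area (a supplied client_id is ignored)."""
        if user.is_practice:
            if client_id is None:
                raise ValueError("practice uploads must be coded to a client")
        else:
            client_id = user.client_id
        doc = Document(self._next_id, client_id, title, user.name)
        self._docs[doc.doc_id] = doc
        self._next_id += 1
        return doc.doc_id

    def _can_see(self, user: User, doc: Document) -> bool:
        # Practice sees ALL documents; a client sees only their own.
        return user.is_practice or doc.client_id == user.client_id

    def list_documents(self, user: User) -> List[str]:
        return [d.title for d in self._docs.values() if self._can_see(user, d)]

    def fetch(self, user: User, doc_id: int) -> Document:
        # Same check as listing, so an id belonging to another client is refused.
        doc = self._docs.get(doc_id)
        if doc is None or not self._can_see(user, doc):
            raise PermissionError("document not available to this user")
        return doc
```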
While these sorts of systems are undoubtedly secure, they demand user names and passwords, so are inevitably a little less convenient than just dashing off an email, and herein lies the problem: getting clients to use it.
Many years ago, a colleague of mine told me of a secure client portal that he had been involved with in Australia. The product worked well, and was well received by accountancy practices who could see the product as a way of making themselves stand out from their competitors. It sold very well… in the first year. Soon practices found that clients liked the idea of the portal, but didn’t actually use it. The process of navigating to a special web-site and entering a username and password was all too much trouble compared to just sending an email, and there was not enough perception of real danger associated with email to overcome that extra hassle factor.
The real competition for client portals, then, is email. Email is easy, familiar and quick. The inherent insecurity of email is not high enough in people’s consciousness to push them to use a less convenient tool. It’ll almost certainly take a high-profile court-case to get everyone’s attention and encourage a big change.
In the meantime, if secure document exchange portals are to succeed, they have to offer something extra to both the practice and the client – beyond the rather unglamorous world of risk-mitigation.
Where portals can really make an impact is if they deliver additional features that put them back ahead of email in the sheer convenience stakes – features such as on-line approval with digital signatures providing genuine reductions in time and effort for practice AND client.
A properly implemented portal can offer genuine benefits for the security of sensitive client communications. Clients may not seem that interested in it, so you should accept that it will be several years before it becomes routine.
My key recommendations:
1. Don’t do it yourself – use a portal that is hosted by a professional hosting company. You don’t need the hassle of managing a web-server and the associated infrastructure. This also helps to maintain a very clear ‘firewall’ between your own files and the documents that are published to clients.
2. Pick the RIGHT host – If your portal is hosted on servers that are outside the EU, then the data is NOT protected by EU data protection legislation (‘Safe harbour’ agreements are OK as far as they go, but I’d still feel happier when my data stays inside the EU). At the very least, you should confirm with your PII provider that they are happy with your choice and make sure your clients are aware that you will be storing their data on external systems.
There’s an exciting EU discussion document on the subject of cloud data-storage here….
3. Be cautious about using the ‘consumer’ cloud storage services such as DropBox and Google Drive. Some of the T&Cs used by these services are really not up to scratch. Fine for holiday pictures, NOT fine for a client’s tax affairs! If nothing else, these services will not be easy to use when working with multiple clients – none of whom should see each other’s files.
4. Pick a portal that integrates with your document management system – the extra hassle involved in keeping TWO systems synchronised just isn’t worth it.