Client Web Portals

In the United States, it’s illegal in many states to send an unencrypted email containing a person’s Social Security number (An example is the 2006 New York Social Security Number Protection Law).  This regulatory constraint has a significant impact on the way in which American tax practices communicate with their clients.Secure Portal Image

While we don’t have such specific legislation in the UK, the Data Protection Act does place a duty of care on practices who wish to communicate personal information via email.

The seventh Data Protection Principle in the Act says : “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

It’s a truism that you should never write anything in an email that you wouldn’t write on the back of a postcard – email is NOT secure.  From this, it is clear that sending a clients tax return as a PDF attachment without protecting it from interception is a breach of the Act.    Of course in the real world, the risk of interception is low, but it does exist – particularly when dealing with clients who are in the public eye.

The obvious solution is to encrypt the email (using Public Key Encryption software), but this tends to require a degree of coordination between sender and receiver, and while the practice might be happy to invest in the appropriate software, clients are not.   In practice, I’ve NEVER seen such a system in use.

You could just encrypt the attachment (a password protected PDF, etc).  This is quite a common approach, as it can be implemented very quickly without much (or any) cost.  The difficulty arises in maintaining such a system.    You must ensure that the client knows the password you are going to use on the secured document, and all staff likely to send a document to that client must also know that password.  Ideally, the password for each client should be unique (which now means you need to maintain a list of hundreds or even thousands of passwords in the office).    It goes without saying that you should not communicate the password to the client via email!   In short, this approach runs the risk of creating an administrative burden that encourages staff to bypass the rules when in a hurry.

This is where a ‘Secure Client Portal’ comes in.

A portal is a secure web-site that is used to accept, store, and publish documents to authorised users.  The practice and all clients have access to the web-site through a username and a password.   The practice can see ALL documents for all clients.  The clients can see only those documents meant for them.    You may already have used a system like this if you opt to receive paperless bills from your phone provider, utility company or insurer.

In practice, a fee-earner uploads the draft tax return (or whatever) to the web-site over an encrypted link (coding it to the appropriate client), and the document remains stored securely until the client logs in to review it (also over an encrypted link).   The client is also able to upload information for delivery back to the practice.

While these sorts of systems are undoubtedly secure, they demand user names and passwords, so are inevitably a little less convenient than just dashing off an email, and herein lies the problem: Getting clients to use it.

Many years ago, a colleague of mine told me of a secure client portal that he had been involved with in Australia.  The product worked well, and was well received by accountancy practices who could see the product as a way of making themselves stand out from their competitors.   It sold very well….in the first year.    Soon practices found that clients liked the idea of the portal, but didn’t actually use it.  The process of navigating to a special web-site and entering a username and password was all too much trouble compared to just sending an email, and there was not enough perception of real danger associated with email to overcome that extra hassle factor.

The real competition for client portals, then, is email.   Email is easy, familiar and quick.  The inherent insecurity of email is not high enough in people’s consciousness to push them to use a less convenient tool.     It’ll almost certainly take a high-profile court-case to get everyone’s attention and encourage a big change.

In the meantime, if secure document exchange portals are to succeed then, they have to offer something extra to both the practice and the client – beyond the rather unglamorous world of risk-mitigation.

Where portals can really make an impact is if they deliver additional features that puts them back ahead of email in the sheer convenience stakes – features such as on-line approval with digital signatures providing genuine reductions in time and effort for practice AND client.

Conclusion

A properly implemented portal can offer genuine benefits for the security of sensitive client communications.  Clients may not seem that interested by it, so you should accept that it will be several years before it becomes routine.

My key recommendations:

1. Don’t do it yourself – use a portal that is hosted by a professional hosting company.  You don’t need the hassle of managing a web-server and the associated infrastructure.  This also helps to maintain a very clear ‘firewall’ between your own files and the documents that are published to clients.

2. Pick the RIGHT host – If your portal is hosted on servers that are outside the EU, then the data is NOT protected by EU data protection legislation (‘Safe harbour’ agreements are OK as far as they go, but I’d still feel happier when my data stays inside the EU).  At the very least, you should confirm with your PII provider that they are happy with your choice and make sure your clients are aware that you will be storing their data on external systems.

There’s an exciting EU discussion document on the subject of cloud data-storage here….

http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf

3. Be cautious about using the ‘consumer’ cloud storage services such as DropBox and Google Drive.  Some of the T&C’s used by these services are really not up to scratch.   Fine for holiday pictures, NOT fine for a clients tax affairs!    If nothing else, these services will not be easy to use when working with multiple clients – none of whom should see each other’s files.

4. Pick a portal that integrates with your document management system – the extra hassle involved in keeping TWO systems synchronised just isn’t worth it.

Sidekick – a Cloudy object lesson

In the last few days, a cautionary tale has been unfolding in the world of cloud computing. There’s a Smartphone offered by T-Mobile, called ‘Sidekick’. It does the usual stuff – Internet access, email, diary, camera, contacts database, etc.

One of the key features it espoused was its close integration with ‘the cloud’ via a central datacentre for many of its functions. It was ahead of the industry in many respects, and gained a loyal following.

The product itself was created by a company called ‘Danger Inc’, which was bought by Microsoft last year.

On 1st October, ALL Sidekick users, worldwide, started to experience problems – and some completely lost their data-connections – which meant that a lot of users suddenly couldn’t do basic things, like accessing their contact databases.

After several days of erratic behaviour, T-Mobile have announced that, following some problems at their datacentre, many users may have permanently lost all of the data that was being stored, and advises current users not to reset their devices at any cost, because of a risk that they will also be wiped.

While the full details are yet to come out, it apppears that, during an upgrade of the servers at the Danger datacentre, something went wrong, and it then transpired that NO BACKUPS had been taken before the upgrade got underway.

To coin a phrase…..”Doh!”

Let’s be clear – this isn’t some startup company running on a wing & a prayer – it’s a subsidiary of Microsoft. Early reports are that the problem is being blamed on a sub-contractor who was hired to perform the upgrade, so it looks like one of those classc cases where everybody thought someone else had a certain responsibilty, only it turned out nobody did.

What to take from this?

Microsoft are not novices at the Datacentre game – they are putting HUGE resource into it, and are recognised as one of the world leaders in terms of technical design and development of best practices in the field. Yet despite this – something fell through the cracks, Sod’s Law kicked in, and hundreds of thousands of users were left high and dry, with very little chance of much more compensation than a refund of this months’ subscription fees.

If cloud computing is to succeed, then it is critical that suppliers can demonstrate they can be trusted with our data, and that they have processes and technologies in place to deliver on that. They may also be forced to offer Service Level Agreements that provide better compensation levels than are currently offered before they will ever stand a chance of gaining contracts with larger organisations. If Facebook goes down and loses your Mafia Wars score (or whatever), it would be annoying but not fatal. If your ERP system suddenly vanishes….