Client Web Portals

In the United States, it’s illegal in many states to send an unencrypted email containing a person’s Social Security number (an example is the 2006 New York Social Security Number Protection Law). This regulatory constraint has a significant impact on the way in which American tax practices communicate with their clients.

While we don’t have such specific legislation in the UK, the Data Protection Act does place a duty of care on practices who wish to communicate personal information via email.

The seventh Data Protection Principle in the Act says: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

It’s a truism that you should never write anything in an email that you wouldn’t write on the back of a postcard – email is NOT secure. From this, it is clear that sending a client’s tax return as a PDF attachment without protecting it from interception is a breach of the Act. Of course, in the real world the risk of interception is low, but it does exist – particularly when dealing with clients who are in the public eye.

The obvious solution is to encrypt the email (using Public Key Encryption software), but this tends to require a degree of coordination between sender and receiver, and while the practice might be happy to invest in the appropriate software, clients are not.   In practice, I’ve NEVER seen such a system in use.

You could just encrypt the attachment (a password-protected PDF, etc.). This is quite a common approach, as it can be implemented very quickly without much (or any) cost. The difficulty arises in maintaining such a system. You must ensure that the client knows the password you are going to use on the secured document, and all staff likely to send a document to that client must also know that password. Ideally, the password for each client should be unique (which now means you need to maintain a list of hundreds or even thousands of passwords in the office). It goes without saying that you should not communicate the password to the client via email! In short, this approach runs the risk of creating an administrative burden that encourages staff to bypass the rules when in a hurry.

This is where a ‘Secure Client Portal’ comes in.

A portal is a secure web-site that is used to accept, store, and publish documents to authorised users.  The practice and all clients have access to the web-site through a username and a password.   The practice can see ALL documents for all clients.  The clients can see only those documents meant for them.    You may already have used a system like this if you opt to receive paperless bills from your phone provider, utility company or insurer.

In practice, a fee-earner uploads the draft tax return (or whatever) to the web-site over an encrypted link (coding it to the appropriate client), and the document remains stored securely until the client logs in to review it (also over an encrypted link).   The client is also able to upload information for delivery back to the practice.
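The access model just described (the practice sees every client’s documents, each client sees only documents coded to them, and both sides can upload) is easy to get wrong. The following is an added illustration written for this article, not code from any real portal product; the roles, the in-memory store and the `PermissionError` behaviour are constructed assumptions:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Role(Enum):
    PRACTICE = "practice"  # fee-earners: may see every client's documents
    CLIENT = "client"      # a client: sees only documents coded to them

@dataclass(frozen=True)
class User:
    username: str
    role: Role
    client_id: Optional[str] = None  # set for CLIENT users only

@dataclass(frozen=True)
class Document:
    doc_id: str
    client_id: str  # the client this document is "coded" to
    filename: str

class Portal:
    # Constructed in-memory stand-in for the portal's document store.
    def __init__(self) -> None:
        self._docs: dict = {}

    def upload(self, user: User, client_id: str, filename: str, doc_id: str) -> Document:
        # Clients may only upload into their own folder; practice staff may
        # code a document to any client.
        if user.role is Role.CLIENT and user.client_id != client_id:
            raise PermissionError("clients may only upload to their own folder")
        doc = Document(doc_id, client_id, filename)
        self._docs[doc_id] = doc
        return doc

    def can_view(self, user: User, doc: Document) -> bool:
        if user.role is Role.PRACTICE:
            return True  # the practice sees ALL documents for all clients
        return user.client_id is not None and user.client_id == doc.client_id

    def list_for(self, user: User) -> list:
        return [d for d in self._docs.values() if self.can_view(user, d)]

    def fetch(self, user: User, doc_id: str) -> Document:
        # Deny by default, and report forbidden and unknown ids identically so
        # a client cannot probe for other clients' document ids.
        doc = self._docs.get(doc_id)
        if doc is None or not self.can_view(user, doc):
            raise PermissionError("document not found")
        return doc
```

The check lives in one place (`can_view`) and every read path goes through it, which is what keeps one client from ever seeing another client’s files.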

While these sorts of systems are undoubtedly secure, they demand user names and passwords, so are inevitably a little less convenient than just dashing off an email, and herein lies the problem: Getting clients to use it.

Many years ago, a colleague of mine told me of a secure client portal that he had been involved with in Australia. The product worked well, and was well received by accountancy practices who could see the product as a way of making themselves stand out from their competitors. It sold very well… in the first year. Soon practices found that clients liked the idea of the portal, but didn’t actually use it. The process of navigating to a special web-site and entering a username and password was all too much trouble compared to just sending an email, and there was not enough perception of real danger associated with email to overcome that extra hassle factor.

The real competition for client portals, then, is email.   Email is easy, familiar and quick.  The inherent insecurity of email is not high enough in people’s consciousness to push them to use a less convenient tool.     It’ll almost certainly take a high-profile court-case to get everyone’s attention and encourage a big change.

In the meantime, if secure document exchange portals are to succeed then, they have to offer something extra to both the practice and the client – beyond the rather unglamorous world of risk-mitigation.

Where portals can really make an impact is if they deliver additional features that puts them back ahead of email in the sheer convenience stakes – features such as on-line approval with digital signatures providing genuine reductions in time and effort for practice AND client.

Conclusion

A properly implemented portal can offer genuine benefits for the security of sensitive client communications.  Clients may not seem that interested by it, so you should accept that it will be several years before it becomes routine.

My key recommendations:

1. Don’t do it yourself – use a portal that is hosted by a professional hosting company.  You don’t need the hassle of managing a web-server and the associated infrastructure.  This also helps to maintain a very clear ‘firewall’ between your own files and the documents that are published to clients.

2. Pick the RIGHT host – If your portal is hosted on servers that are outside the EU, then the data is NOT protected by EU data protection legislation (‘Safe harbour’ agreements are OK as far as they go, but I’d still feel happier when my data stays inside the EU).  At the very least, you should confirm with your PII provider that they are happy with your choice and make sure your clients are aware that you will be storing their data on external systems.

There’s an exciting EU discussion document on the subject of cloud data-storage here:

http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf

3. Be cautious about using the ‘consumer’ cloud storage services such as DropBox and Google Drive. Some of the T&Cs used by these services are really not up to scratch. Fine for holiday pictures, NOT fine for a client’s tax affairs! If nothing else, these services will not be easy to use when working with multiple clients – none of whom should see each other’s files.

4. Pick a portal that integrates with your document management system – the extra hassle involved in keeping TWO systems synchronised just isn’t worth it.

Personal Email at Work

I’ve been asked several times recently about personal emails on work IT systems.

I’ve been doing a bit of work to assemble some information on the issue and cut through some of the assumptions that are made.

I should make it clear that I am not a lawyer, and that even if I was, I wouldn’t be your lawyer, so seek advice if you are unsure or feel that your circumstances are unusual.  This article is intended more as a common-sense guide to the main issues.  I should also make it clear that I am talking about the situation in the UK only.

There is a (mistaken) view in some quarters that – if an employee does something on a work computer then the employer ‘owns’ the data and therefore has an automatic right to read it. In Europe, there is clear case law (derived from article 8 of the European Convention on Human Rights) that allows an employee a degree of privacy – even when using company systems to send personal communication.   Especially if they haven’t been told that monitoring may take place (and therefore have a greater expectation of privacy that might lead them to be less cautious about what they say).

http://news.bbc.co.uk/1/hi/wales/6559873.stm

http://plc.practicallaw.com/1-369-8081

Needless to say – there are grey areas. There is no one single clear statute that sorts it all out for us!   Instead, you have to navigate the interactions of:

  • Human Rights Act 1998,
  • The Data Protection Act 1998,
  • The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000,
  • Regulation of Investigatory Powers Act 2000  (RIPA)

As an employer, you do NOT have an absolute right to read an employee’s personal emails. In fact RIPA now actually makes it a criminal offence to intercept (i.e. read) emails without ‘lawful authority’ (yes, even when you own the email system on which the communication is taking place).

‘Lawful authority’ in this case basically falls into two groups:

  1. The permission of the sender and recipient
  2. An assortment of specific activities such as prevention of crime, ensuring regulatory compliance, etc.

Note that the second group only appears to apply to business-related communications, so they are not a carte blanche to intercept personal emails – you’d need to be able to justify your actions.

http://plc.practicallaw.com/9-101-3059

In essence – if you want the option to intercept employees’ personal emails – you categorically need their permission – most likely in the form of a clause in their employment contract and/or a clearly worded ‘internet use policy’ that states that personal communications may be subject to monitoring. In the absence of that permission, you will leave yourself open to legal action.

Conclusions
Decide, as a matter of principle, if you are happy for your staff to use the firm’s systems for personal communication at all.

Decide if this means they can use the firm’s email system, or if you prefer them to use personal email addresses via web-mail systems like Hotmail. (Pro: dodgy personal emails aren’t emblazoned with your company’s name. Con: web mail won’t go through your central email filters, so it could be a source of viruses.)

Once the decision has been taken to permit personal use – then it all comes down to the practical aspects of constructing the policy and communicating it to employees.  There are lots of examples out there, so I won’t go through the chapter and verse, but I will suggest a few points for consideration:

  • Clearly state that all messages in and out of the system MAY be subject to monitoring, and WHY (compliance, reputational risk to the firm, etc.)
  • Remind users that emails may be archived for extended periods of time on servers, backup tapes, and the like – even if they have been deleted from the user’s own desktop software.
  • Point out that using web-mail systems may result in some content being stored in temporary folders on desktop PCs or on the firm’s internet firewall. This could include logon information such as passwords.

At the end of the day, you need to make it clear that if your employees are THAT concerned about their privacy, then they shouldn’t use the firm’s IT systems. They can then make informed decisions on the level of risk they are taking.

One approach I have seen recommended is to establish a clear protocol for personal messages – so that if, for example, you need to access an employee’s mail while they are away or off sick – you can distinguish work from personal without actually opening the message. Ask employees to put ‘PERSONAL’ in the subject line of the email, for example, or get them to create rules in Outlook that move all incoming personal messages to a separate folder. You may want to also ask that staff use a different signature when composing personal emails (excluding mention of their job-title or other corporate branding).

As a final point: if you do allow personal email traffic, then once it’s on your systems it becomes your responsibility to protect it under the Data Protection Act – make sure that access to staff emails is suitably protected so that the messages can be accessed only with a valid reason.

Emailing Attachments – A Car Crash waiting to happen

It’s long been said that emails should be treated like postcards – only use them when you don’t mind them being read by the postman.

Email, by its nature is horribly insecure. The underlying technology (SMTP) was designed and built by a bunch of Californian geek types (at UCLA, mainly) who gave almost NO thought to security because it was assumed that it would be used within a single organisation only.

When you send an email – it travels to its destination via other people’s hardware – that’s the way the Internet works. The exact route taken can vary from minute to minute.

If you send a draft tax-return to a client as an unencrypted PDF file – that file can be intercepted and read with an ease that makes postcards look like paragons of discretion.

Now, let’s not overstate things. The reality, of course, is that the chances of this actually happening are tiny – not many people are THAT interested in your client’s tax returns, and they’d have to wade through the VAST quantities of other data that is streaming across that corner of the Internet.

Nevertheless – it can be argued that sending something like a tax return over unencrypted email could be a breach of your responsibilities under the Data Protection Act. All it would take is the right combination of high-profile client and tabloid feeding-frenzy, and your PII providers will be earning their money for the next few months.

The solution doesn’t have to be complex. Every PDF-creation system I’ve seen (including the ones built into tax products) has an option to set a password. This feature encrypts the data in the PDF to a degree that will deter all but the most determined (and well resourced).

Make arrangements with each of your clients to use a standard password for all email communications, and make sure that this password is used whenever sending email attachments. It’s an extra hassle for your staff, but one day, it’s going to save your bacon.