Ask HN: How to securely send legal docs to clients?
Here's a pain point my lawyer friend has - in order to reduce her liability exposure she has to find a way to securely send files to her clients. She asked me how to do this, and I don't know a good way. She's an estate lawyer so a lot of her clients are on the older side and not too tech savvy.
I know that she could password-protect the docs, but she would still have to email the passwords to her clients, which defeats the whole scheme.
Does anyone have any ideas on how to do this? Does anyone know of any web apps that would let her upload the docs and then invite people to look at the docs - sort of a specialized / streamlined / secure version of google docs? I am pretty sure that she'd pay a monthly subscription fee if that would solve her problem.
(Her email to me is below ...)
----------
Well, I have an ulcer after attending a webinar sponsored by my malpractice carrier. Lawyers may have to deal with the FACTA rules which has "red flag rules" to prevent id theft. You may know about this. I basically know nothing.
During the seminar, the speaker said that encrypting data (separating the client name from the information) helps. More and more, I send clients drafts and final pdf docs via email. What can you tell me about encrypting? I have received encrypted attachments from two financial planners in the past, and I thought they were being way too Dick Tracey at the time; however, it seems this is the future. They would send me a password to open the docs (couldn't someone intercept the password?).
What do I need to know? Big sigh. Thanks SO MUCH.
22 comments
[ 3.9 ms ] story [ 56.6 ms ] threadI liked ShareFile better (UI), but both of them worked as advertised and would be ideal for your described scenario.
The problem is that if the clients aren't super tech savvy, they're not going to wind up correctly using whatever the tech is. The simplest tech solution would be to have a tutorial for having the clients install thunderbird with pgp on their computer, but even that might backfire. If the main concern is liability, i'd suggest the boilerplate approach
She obviously has the boilerplate in her emails. The idea is how can she reduce the likelihood of sensitive information getting into the wrong hands.
I think it would be hard to get her clients to install thunderbird and PGP - they are not necessarily tech savvy individuals - think wealthy elderly people.
The simplest solution that I've managed to come up with so far is to send the encrypted file and then send the password via a different channel. So you email the encrypted file and then phone the person to tell them the password. Or host the file at a login-required https URL and provide log in details over the phone.
Of course those approaches are only justifiable for information that isn't too sensitive. Once you have to worry about people tapping your phones and intercepting your email then you really need tech savvy recipients. Of course, I'm hoping that someone in this thread will mention a solution that proves me wrong.
The one way that isn't too difficult for people is to encrypt the data and then give out the password over the phone or something similar.(separate medium of communication)
Although I haven't been too strict doing this because even to tech-y people, explaining why email or IM is insecure takes a lot of time and energy.
And also agree that once you have to start worrying about people tapping your phone or intercepting all your communication, then you have bigger problems to worry about than that single document.
http://www.workshare.com/products/wsprofessional/
Use a secure website per person.
2. Use password protected PDFs. Tell your lawyer friend to use the person's last name and/or DOB (or some equivalently easy to remember token) as the password. Pre-arrange the password over the phone--since it is based on their name it is easy to tell them what it is. The key here is to stop the vast majority of folks who might stumble across the email. Again, given a sufficiently motivated intruder, this is pointless, but still more secure than plain old email.
3. Use encrypted archives of the documents. The files can be encrypted with AES256 or an equivalently difficult cypher. Test the type of archive/encryption to ensure that Windows XP and above will be able to decrypt the file easily w/ the build in archive folders. This can avoid any potential compatibility problems with #2 from above. It might introduce new ones.
Using a web drop service doesn't eliminate the need to protect the file. If you password protect the file then you need to share the password. If you password protect access to the file, you need to share the password. The link in an email is nearly equivalent to an attachment, so it doesn't really solve anything unless you have an easy way to share a secret with the receiver.
My startup (http://www.goclio.com) makes web-based practice management software for lawyers - specifically solos and small firms.
One of our newer features, called ClientConnect, does exactly what you're looking for. ClientConnect allows Clio users to securely share documents with clients. It essentially creates an extranet for each client the lawyer deals with, and allows them to securely publish documents to that extranet. The client can then view and comment on the documents. The client sets up their password the first time they access their ClientConnect account.
You can see the full ClientConnect announcement here: http://www.goclio.com/blog/2009/02/announcing-client-collabo...
Cheers, Jack