

Ask HN: How to securely send legal docs to clients? - idoh

Hello Hacker News,

Here's a pain point my lawyer friend has - in order to reduce her liability exposure she has to find a way to securely send files to her clients. She asked me how to do this, and I don't know a good way. She's an estate lawyer so a lot of her clients are on the older side and not too tech savvy.

I know that she could password-protect the docs, but she would still have to email the passwords to her clients, which defeats the whole scheme.

Does anyone have any ideas on how to do this? Does anyone know of any web apps that would let her upload the docs and then invite people to look at the docs - sort of a specialized / streamlined / secure version of google docs? I am pretty sure that she'd pay a monthly subscription fee if that would solve her problem.

(Her email to me is below ...)

----------

Well, I have an ulcer after attending a webinar sponsored by my malpractice carrier. Lawyers may have to deal with the FACTA rules, which have "red flag rules" to prevent id theft. You may know about this. I basically know nothing.

During the seminar, the speaker said that encrypting data (separating the client name from the information) helps. More and more, I send clients drafts and final pdf docs via email. What can you tell me about encrypting? I have received encrypted attachments from two financial planners in the past, and I thought they were being way too Dick Tracy at the time; however, it seems this is the future. They would send me a password to open the docs (couldn't someone intercept the password?).

What do I need to know? Big sigh. Thanks SO MUCH.
======
lrm242
1\. Use fax. Practically, it is more secure. Given a motivated intruder, it is
no less secure than email.

2\. Use password protected PDFs. Tell your lawyer friend to use the person's
last name and/or DOB (or some equivalently easy to remember token) as the
password. Pre-arrange the password over the phone--since it is based on their
name it is easy to tell them what it is. The key here is to stop the vast
majority of folks who might stumble across the email. Again, given a
sufficiently motivated intruder, this is pointless, but still more secure than
plain old email.

3\. Use encrypted archives of the documents. The files can be encrypted with
AES256 or an equivalently difficult cypher. Test the type of
archive/encryption to ensure that Windows XP and above will be able to decrypt
the file easily w/ the built-in archive folders. This can avoid any potential
compatibility problems with #2 from above. It might introduce new ones.

Using a web drop service doesn't eliminate the need to protect the file. If
you password protect the file then you need to share the password. If you
password protect access to the file, you need to share the password. The link
in an email is nearly equivalent to an attachment, so it doesn't really solve
anything unless you have an easy way to share a secret with the receiver.

------
jack
Hi there,

My startup (<http://www.goclio.com>) makes web-based practice management
software for lawyers - specifically solos and small firms.

One of our newer features, called ClientConnect, does exactly what you're
looking for. ClientConnect allows Clio users to securely share documents with
clients. It essentially creates an extranet for each client the lawyer deals
with, and allows them to securely publish documents to that extranet. The
client can then view and comment on the documents. The client sets up their
password the first time they access their ClientConnect account.

You can see the full ClientConnect announcement here:
<http://www.goclio.com/blog/2009/02/announcing-client-collaboration-and-online-bill-paying-clio-clientconnect/>

Cheers, Jack

~~~
idoh
I'll take a look, thanks!

------
portman
I have used both <http://www.sharefile.com> and <http://www.leapfile.com> for
this exact purpose.

I liked ShareFile better (UI), but both of them worked as advertised and would
be ideal for your described scenario.

~~~
idoh
Thanks! I'll take a look at those two.

------
Kev
I'm sure that I'm not the only one here who's seen people who should know
better email encrypted files with the password in plain text in the email
body.

The simplest solution that I've managed to come up with so far is to send the
encrypted file and then send the password via a different channel. So you
email the encrypted file and then phone the person to tell them the password.
Or host the file at a login-required https URL and provide log in details over
the phone.

Of course those approaches are only justifiable for information that isn't too
sensitive. Once you have to worry about people tapping your phones and
intercepting your email then you really need tech savvy recipients. Of course,
I'm hoping that someone in this thread will mention a solution that proves me
wrong.

~~~
scorpioxy
Agreed.

The one way that isn't too difficult for people is to encrypt the data and
then give out the password over the phone or something similar (separate
medium of communication).

Although I haven't been too strict doing this because even to tech-y people,
explaining why email or IM is insecure takes a lot of time and energy.

And also agree that once you have to start worrying about people tapping your
phone or intercepting all your communication, then you have bigger problems to
worry about than that single document.
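
An added example, not part of any poster's comment: the sub-thread above sends the password over the phone, and an earlier comment suggests deriving it from the client's last name or date of birth. This sketch generates a random passphrase that is easy to dictate and compares its strength with a birth-date password. The function names, the 31-symbol alphabet and the 1920-2009 birth-year range are assumptions made for illustration.

```python
import math
import secrets
from datetime import date

# 31 symbols that survive being read over the phone: no 0/O, no 1/I/L.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
SPOKEN = dict(zip(ALPHABET, (
    "Alfa Bravo Charlie Delta Echo Foxtrot Golf Hotel Juliett Kilo Mike "
    "November Papa Quebec Romeo Sierra Tango Uniform Victor Whiskey Xray "
    "Yankee Zulu two three four five six seven eight nine").split()))


def phone_passphrase(groups=5, group_len=4):
    """Random passphrase from the OS CSPRNG, grouped for dictation."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups))


def passphrase_bits(groups=5, group_len=4):
    """Entropy of phone_passphrase(): every symbol is chosen uniformly."""
    return groups * group_len * math.log2(len(ALPHABET))


def read_aloud(passphrase):
    """Script for the phone call: one spoken word per symbol, per group."""
    return [" ".join(SPOKEN[c] for c in group)
            for group in passphrase.split("-")]


def dob_password_space(first_year, last_year, n_formats=4):
    """Upper bound on date-of-birth passwords: every calendar day in the
    range, written in n_formats ways (MMDDYYYY, DDMMYYYY, ...).
    Assumption: the surname is known to anyone who sees the email, so
    adding it to the password contributes no secrecy."""
    days = (date(last_year, 12, 31) - date(first_year, 1, 1)).days + 1
    return days * n_formats


def dob_bits(first_year, last_year, n_formats=4):
    """The same bound expressed in bits, for comparison with passphrase_bits()."""
    return math.log2(dob_password_space(first_year, last_year, n_formats))


if __name__ == "__main__":
    secret = phone_passphrase()
    print("passphrase:", secret, f"({passphrase_bits():.0f} bits)")
    for line in read_aloud(secret):
        print("  say:", line)
    # Constructed sample range: clients born between 1920 and 2009.
    print(f"DOB password: {dob_password_space(1920, 2009)} candidates, "
          f"{dob_bits(1920, 2009):.1f} bits")
```

The passphrase protects the file only if it travels on a different channel from the file itself, as the comments above describe.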

------
thumper
My lawyer friend asked me to set up some "extranets" for her, because she came
from a firm background where having private websites for each client was the
norm. I looked into this a bit and I found "Ajax File Browser" available at
SourceForge. This was a good solution if you want to do all the hosting
yourself because you don't trust third-parties.

------
dgoings
My company, Greenview Data, provides a hosted email encryption solution that
would cover your lawyer friend perfectly. It allows you to encrypt emails with
attachments up to 50mb that the client then accesses through a secure web
portal which they create a username/password for, so there's no need for your
friend to manage any keys or certificates. Clients can also reply to emails
through the portal, keeping all communication encrypted. There are even
special scanning algorithms specifically for legal professionals (and health,
finance, government, etc.) that will automatically encrypt emails with
sensitive data even if your friend forgets to do it herself. It's all designed
to make encrypted email as simple as regular email so nobody has to worry
about it. Check it out at www.greenviewdata.com/encryption.

------
carterschonwald
umm, the standard thing most law firms and financial institutions do is 1)
require that all email be done via the business email and 2) automatically
append to all emails some boilerplate about "if you are not the intended
recipient, please do not use or disseminate this information, yadda yadda
yadda".

The problem is that if the clients aren't super tech savvy, they're not going
to wind up correctly using whatever the tech is. The simplest tech solution
would be to have a tutorial for having the clients install thunderbird with
pgp on their computer, but even that might backfire. If the main concern is
liability, i'd suggest the boilerplate approach

~~~
idoh
Thanks for the response.

She obviously has the boilerplate in her emails. The idea is how can she
reduce the likelihood of sensitive information getting into the wrong hands.

I think it would be hard to get her clients to install thunderbird and PGP -
they are not necessarily tech savvy individuals - think wealthy elderly
people.

~~~
carterschonwald
well, maybe the simplest approach is to say "hey, would you like me to send
you sensitive documents via email as i've been doing, or I could use certified
registered mail and include the overhead of doing that in my billable hours",
since as you've said, a tech solution kinda rules itself out

------
Scott_MacGregor
Maybe use a product like Workshare Professional to manage and remove hidden
metadata in the documents. Then since the clients are not very tech savvy put
the files on a USB flash drive and drop it in the FedEx. Low tech solution,
but I'll bet the clients would like it. Especially if the USB drive came with
a neck strap to keep it from getting lost with the attorney's name and phone
number on it.

<http://www.workshare.com/products/wsprofessional/>

------
pbetnah
Email encryption options would work okay, but they are generally limited to
one way encryption. Meaning their clients couldn't send back files encrypted.
A better solution may be to use something like IPSwitch's web transfer module
which you can use SSL with. You can find out more here:
<http://www.ipswitchft.com/Business/Products/WebTransferModule/>
I've set this up for clients before and it's worked well.

------
gte910h
You mail them the password, not email.

Use a secure website per person.

------
sireat
Wouldn't a nice clean frontend to PGP (or something similar) be the answer?
Lawyer knows the public keys of his clients, uses that key to encrypt it, only
the intended recipients can decode it.

~~~
idoh
That would require her clients to make a public and private key, send her the
key, and then know how to use the private key to decrypt the resulting doc.
Too much work for them.

------
lecha
Why not use web-based email, connecting via https, e.g. gmail or hushmail?

~~~
Kev
Using https just means that your connection to the server is encrypted. Your
email will still be sent between mail servers unencrypted unless you encrypt
it separately.

------
rianjs
Dropbox?

~~~
idoh
I think it would be too hard to set up her clients with Dropbox accounts.
They aren't necessarily tech savvy and many are elderly (it is an estate law
practice).

