Ask HN: How to securely send legal docs to clients?
9 points by idoh on June 21, 2010 | 21 comments
Hello Hacker News,

Here's a pain point my lawyer friend has - in order to reduce her liability exposure she has to find a way to securely send files to her clients. She asked me how to do this, and I don't know a good way. She's an estate lawyer so a lot of her clients are on the older side and not too tech savvy.

I know that she could password-protect the docs, but she would still have to email the passwords to her clients, which defeats the whole scheme.

Does anyone have any ideas on how to do this? Does anyone know of any web apps that would let her upload the docs and then invite people to look at the docs - sort of a specialized / streamlined / secure version of google docs? I am pretty sure that she'd pay a monthly subscription fee if that would solve her problem.

(Her email to me is below ...)

----------

Well, I have an ulcer after attending a webinar sponsored by my malpractice carrier. Lawyers may have to deal with the FACTA rules, which have "red flag rules" to prevent ID theft. You may know about this. I basically know nothing.

During the seminar, the speaker said that encrypting data (separating the client name from the information) helps. More and more, I send clients drafts and final PDF docs via email. What can you tell me about encrypting? I have received encrypted attachments from two financial planners in the past, and I thought they were being way too Dick Tracy at the time; however, it seems this is the future. They would send me a password to open the docs (couldn't someone intercept the password?).

What do I need to know? Big sigh. Thanks SO MUCH.




1. Use fax. Practically, it is more secure. Given a motivated intruder, it is no less secure than email.

2. Use password protected PDFs. Tell your lawyer friend to use the person's last name and/or DOB (or some equivalently easy to remember token) as the password. Pre-arrange the password over the phone--since it is based on their name it is easy to tell them what it is. The key here is to stop the vast majority of folks who might stumble across the email. Again, given a sufficiently motivated intruder, this is pointless, but still more secure than plain old email.

3. Use encrypted archives of the documents. The files can be encrypted with AES256 or an equivalently difficult cipher. Test the type of archive/encryption to ensure that Windows XP and above will be able to decrypt the file easily with the built-in archive folders. This can avoid any potential compatibility problems with #2 from above. It might introduce new ones.

Using a web drop service doesn't eliminate the need to protect the file. If you password protect the file then you need to share the password. If you password protect access to the file, you need to share the password. The link in an email is nearly equivalent to an attachment, so it doesn't really solve anything unless you have an easy way to share a secret with the receiver.


Hi there,

My startup (http://www.goclio.com) makes web-based practice management software for lawyers - specifically solos and small firms.

One of our newer features, called ClientConnect, does exactly what you're looking for. ClientConnect allows Clio users to securely share documents with clients. It essentially creates an extranet for each client the lawyer deals with, and allows them to securely publish documents to that extranet. The client can then view and comment on the documents. The client sets up their password the first time they access their ClientConnect account.

You can see the full ClientConnect announcement here: http://www.goclio.com/blog/2009/02/announcing-client-collabo...

Cheers, Jack


I'll take a look, thanks!


I have used both http://www.sharefile.com and http://www.leapfile.com for this exact purpose.

I liked ShareFile better (UI), but both of them worked as advertised and would be ideal for your described scenario.


Thanks! I'll take a look at those two.


I'm sure that I'm not the only one here who's seen people who should know better email encrypted files with the password in plain text in the email body.

The simplest solution that I've managed to come up with so far is to send the encrypted file and then send the password via a different channel. So you email the encrypted file and then phone the person to tell them the password. Or host the file at a login-required https URL and provide log in details over the phone.

Of course those approaches are only justifiable for information that isn't too sensitive. Once you have to worry about people tapping your phones and intercepting your email then you really need tech savvy recipients. Of course, I'm hoping that someone in this thread will mention a solution that proves me wrong.
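The two comments above (password-protected files with the password pre-arranged over the phone, and sending the encrypted file by one channel and the password by another) both come down to the same mechanism: a passphrase-derived key, with the passphrase kept off the email channel. The following is an added example, not code from anyone in this thread. It derives an AES-256 key from the passphrase with PBKDF2-HMAC-SHA256 (written out with the Go standard library), encrypts with AES-GCM so that a wrong passphrase is rejected rather than producing garbage, and then plays the "motivated intruder" from the first comment by brute-forcing a date-of-birth passphrase. The document text, the passphrases, the MMDDYYYY date format and the year range are all assumptions made for the demonstration; the iteration count is deliberately low so the brute force finishes in seconds.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Key-derivation work factor. Kept low so the brute-force demo below runs in a
// couple of seconds; real use should be far higher. Envelope = salt || nonce || ciphertext.
const kdfIterations = 4096
const saltLen = 16

// pbkdf2SHA256 implements PBKDF2-HMAC-SHA256 (RFC 8018) from the standard library
// alone, deriving keyLen bytes from a passphrase and a random salt.
func pbkdf2SHA256(passphrase, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var counter [4]byte
	for i := 1; i <= numBlocks; i++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(counter[:], uint32(i))
		prf.Write(counter[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iterations; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k] // T_i = U_1 xor U_2 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM derives the AES-256 key for this salt and returns an AES-GCM instance.
func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptWithPassphrase returns salt || nonce || AES-256-GCM ciphertext (tag included).
// The passphrase itself is never written anywhere; it goes by phone or post.
func encryptWithPassphrase(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	envelope := append(append([]byte(nil), salt...), nonce...)
	return gcm.Seal(envelope, nonce, plaintext, nil), nil
}

// decryptWithPassphrase reverses encryptWithPassphrase. A wrong passphrase gives a
// wrong key, so GCM's authentication check fails and an error comes back.
func decryptWithPassphrase(passphrase string, envelope []byte) ([]byte, error) {
	if len(envelope) < saltLen {
		return nil, errors.New("envelope too short")
	}
	gcm, err := newGCM(passphrase, envelope[:saltLen])
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(envelope) < saltLen+ns+gcm.Overhead() {
		return nil, errors.New("envelope too short")
	}
	return gcm.Open(nil, envelope[saltLen:saltLen+ns], envelope[saltLen+ns:], nil)
}

// bruteForceDOB models the motivated intruder: it tries every date in the given
// years as an MMDDYYYY passphrase and returns the hit (or "") plus the guess count.
func bruteForceDOB(envelope []byte, fromYear, toYear int) (string, int) {
	tries := 0
	for y := fromYear; y <= toYear; y++ {
		for d := time.Date(y, 1, 1, 0, 0, 0, 0, time.UTC); d.Year() == y; d = d.AddDate(0, 0, 1) {
			guess := d.Format("01022006")
			tries++
			if _, err := decryptWithPassphrase(guess, envelope); err == nil {
				return guess, tries
			}
		}
	}
	return "", tries
}

func main() {
	doc := []byte("Last Will and Testament of J. Doe (DRAFT)") // constructed sample, not a real file
	weak, err := encryptWithPassphrase("07041941", doc)        // date-of-birth passphrase (assumed)
	if err != nil {
		panic(err)
	}
	found, tries := bruteForceDOB(weak, 1940, 1942)
	fmt.Printf("date-of-birth passphrase recovered: %q after %d guesses\n", found, tries)
	strong, _ := encryptWithPassphrase("quartz-lantern-83-harbor-mule", doc) // random passphrase, also read over the phone
	_, err = decryptWithPassphrase("quartz-lantern-83-harbor-mulE", strong)
	fmt.Println("near-miss passphrase rejected:", err)
}
```

The out-of-band channel protects the passphrase from whoever reads the email, but it does nothing about the size of the passphrase space: a date of birth is at most a few tens of thousands of guesses, and with a realistic year range the search above still finishes in minutes even at a much higher iteration count. A passphrase generated at random and read out over the phone costs the client the same effort and removes that attack.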


Agreed.

The one way that isn't too difficult for people is to encrypt the data and then give out the password over the phone or something similar (a separate medium of communication).

Although I haven't been too strict doing this because even to tech-y people, explaining why email or IM is insecure takes a lot of time and energy.

And also agree that once you have to start worrying about people tapping your phone or intercepting all your communication, then you have bigger problems to worry about than that single document.


My lawyer friend asked me to set up some "extranets" for her, because she came from a firm background where having private websites for each client was the norm. I looked into this a bit and I found "Ajax File Browser" available at SourceForge. This was a good solution if you want to do all the hosting yourself because you don't trust third-parties.


My company, Greenview Data, provides a hosted email encryption solution that would cover your lawyer friend perfectly. It allows you to encrypt emails with attachments up to 50 MB that the client then accesses through a secure web portal which they create a username/password for, so there's no need for your friend to manage any keys or certificates. Clients can also reply to emails through the portal, keeping all communication encrypted. There are even special scanning algorithms specifically for legal professionals (and health, finance, government, etc.) that will automatically encrypt emails with sensitive data even if your friend forgets to do it herself. It's all designed to make encrypted email as simple as regular email so nobody has to worry about it. Check it out at www.greenviewdata.com/encryption.


umm, the standard thing most law firms and financial institutions do is 1) require that all email be done via the business email and 2) automatically append to all emails some boilerplate about "if you are not the intended recipient, please do not use or disseminate this information, yadda yadda yadda".

The problem is that if the clients aren't super tech savvy, they're not going to wind up correctly using whatever the tech is. The simplest tech solution would be to have a tutorial for having the clients install Thunderbird with PGP on their computer, but even that might backfire. If the main concern is liability, I'd suggest the boilerplate approach.


Thanks for the response.

She obviously has the boilerplate in her emails. The idea is how can she reduce the likelihood of sensitive information getting into the wrong hands.

I think it would be hard to get her clients to install Thunderbird and PGP - they are not necessarily tech savvy individuals - think wealthy elderly people.


Well, maybe the simplest approach is to say "hey, would you like me to send you sensitive documents via email as I've been doing, or I could use certified registered mail and include the overhead of doing that in my billable hours", since as you've said, a tech solution kinda rules itself out.


Maybe use a product like Workshare Professional to manage and remove hidden metadata in the documents. Then since the clients are not very tech savvy put the files on a USB flash drive and drop it in the FedEx. Low tech solution, but I'll bet the clients would like it. Especially if the USB drive came with a neck strap to keep it from getting lost with the attorney's name and phone number on it.

http://www.workshare.com/products/wsprofessional/


Email encryption options would work okay, but they are generally limited to one-way encryption, meaning their clients couldn't send back files encrypted. A better solution may be to use something like Ipswitch's web transfer module, which you can use SSL with. You can find out more here: http://www.ipswitchft.com/Business/Products/WebTransferModul... I've set this up for clients before and it's worked well.


Wouldn't a nice clean frontend to PGP (or something similar) be the answer? The lawyer knows the public keys of her clients, uses that key to encrypt it, and only the intended recipients can decode it.


That would require her clients to make a public and private key, send her the key, and then know how to use the private key to decrypt the resulting doc. Too much work for them.
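The exchange in the two comments above describes the public-key model: the client generates a key pair once, hands the lawyer the public half, and the lawyer encrypts each document to that key so no password ever has to be shared. Here is an added example of that flow, not anything from this thread or from PGP's own code base. It uses the hybrid construction PGP also relies on (a per-document ephemeral key agreement, here X25519 from Go's crypto/ecdh, feeding an AES-256-GCM data key), without PGP's packet format, key signing or web of trust. The document text and the domain-separation label are assumptions for the demonstration; the functions are split by who runs them so it is clear which steps land on the client, which is the workload the reply above calls too much.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope layout: ephemeralPublicKey(32) || nonce(12) || AES-256-GCM ciphertext+tag.
const (
	pubKeyLen = 32
	nonceLen  = 12
)

// generateKeyPair is the one-time step on the client's machine. The private key
// stays there; only PublicKey().Bytes() is given to the lawyer.
func generateKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKey hashes the ECDH shared secret together with both public keys into a
// 32-byte AES key, binding the key to exactly this sender/recipient exchange.
func deriveKey(shared, ephemeralPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("ask-hn-legal-docs x25519 aes256gcm v1")) // domain-separation label (assumed)
	h.Write(shared)
	h.Write(ephemeralPub)
	h.Write(recipientPub)
	return h.Sum(nil)
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptToPublicKey is the lawyer's side. It needs only the client's public key;
// a fresh ephemeral key pair per document means no long-lived shared secret exists
// and nothing has to be read out over the phone.
func encryptToPublicKey(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	ephemeral, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := ephemeral.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(deriveKey(shared, ephemeral.PublicKey().Bytes(), recipient.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	envelope := append(append([]byte(nil), ephemeral.PublicKey().Bytes()...), nonce...)
	return gcm.Seal(envelope, nonce, plaintext, nil), nil
}

// decryptWithPrivateKey is the client's side. Anyone holding a different private
// key derives a different AES key, and GCM rejects the ciphertext outright.
func decryptWithPrivateKey(priv *ecdh.PrivateKey, envelope []byte) ([]byte, error) {
	if len(envelope) < pubKeyLen+nonceLen+16 {
		return nil, errors.New("envelope too short")
	}
	ephemeralPub, err := ecdh.X25519().NewPublicKey(envelope[:pubKeyLen])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephemeralPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(deriveKey(shared, ephemeralPub.Bytes(), priv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := envelope[pubKeyLen : pubKeyLen+nonceLen]
	return gcm.Open(nil, nonce, envelope[pubKeyLen+nonceLen:], nil)
}

func main() {
	client, _ := generateKeyPair()      // once, on the client's computer
	otherClient, _ := generateKeyPair() // a different client, to show isolation
	doc := []byte("Revocable Living Trust of J. Doe (FINAL)") // constructed sample
	envelope, err := encryptToPublicKey(client.PublicKey(), doc)
	if err != nil {
		panic(err)
	}
	pt, err := decryptWithPrivateKey(client, envelope)
	fmt.Printf("intended client decrypts: %q (err=%v)\n", pt, err)
	_, err = decryptWithPrivateKey(otherClient, envelope)
	fmt.Println("other client decrypts:", err)
}
```

What the client actually has to do is visible in the code: run generateKeyPair once, send the public key, keep the private key, and run decryptWithPrivateKey per document. A usable front end would hide all of that, but the private key still has to live on, and be backed up from, the client's own machine, which is the part a non-technical recipient cannot be spared.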


You mail them the password, not email.

Use a secure website per person.


Why not use web-based email, connecting via https, e.g. Gmail or Hushmail?


Using https just means that your connection to the server is encrypted. Your email will still be sent between mail servers unencrypted unless you encrypt it separately.


Dropbox?


I think it would be too hard to set up her clients with Dropbox accounts. They aren't necessarily tech savvy and many are elderly (it is an estate law practice).



