Think for a minute about how you communicate with clients, staff, and alliance partners. I’ll bet most of your day-to-day communication is by email, and a lot of those emails carry attachments. Who hasn’t clicked the little paperclip icon, attached a spreadsheet, document, or PDF file, and immediately clicked send? Did you stop to think about how you had just put yourself and your firm at legal and financial risk?
State Privacy Laws
According to the National Conference of State Legislatures, as of December 2008 forty-four states, the District of Columbia, Puerto Rico and the Virgin Islands had enacted legislation requiring notification of security breaches involving personal information [1]. In addition to these “after-the-fact” requirements, two states, Massachusetts and Nevada, have enacted laws which proactively require the encryption of any electronic communication that includes sensitive personal information. The respected security publication SC Magazine calls the Massachusetts law “the strictest data law in the nation.” [2]
Even if your firm isn’t physically located in Massachusetts or Nevada, if you have clients there you may be subject to the provisions of these laws (check with your own legal counsel!). And, given the proliferation of privacy breach notification laws, it seems likely that these more stringent regulations will spread over time as well.
The problem is: email is not secure. But we have become accustomed to its ease of use and convenience. We have developed some bad security habits, and now is the time to break them! Fortunately there are easy ways to do this, and the new habits won’t be hard to form.
In addition to the security considerations outlined above, there are good practical reasons for cutting down the number and size of attachments you send through your email system. Suppose you send a 2MB attachment to three of your associates. A copy stays in your “sent items” box unless you delete it; even then it sits in your “deleted items” folder unless you purge it periodically. Plus your three recipients now have it in their “inbox” or in a storage folder they create. Now we’re up to 8MB of storage space for one file!
Suppose now they make their edits and send it back to you. Each of them now has the original and a “sent items” copy of their response (4 MB for each of them, 12MB in total), and you get the three responses back, plus your original, for a total of 8MB. Now we are up to 20 MB of mail storage to exchange one file with three people! Multiply this by the number of people on your staff and the number of emails they routinely send. Is it any wonder your IT mail administrator is tearing her hair out over mailbox sizes?
OK, so now we agree that there are some inherent problems with sending email with insecure attachments. What can we do about it? Fortunately there are several alternatives.
Alternatives to Insecure Attachments
In our own experience at Boomer Consulting, Inc., and in hearing stories from our Boomer Technology Circles (over 100 of the best firms in the nation!), we’ve learned that there are at least three alternatives to explore: encryption of email and attachments, the use of a document portal, or the use of a web-based file transfer application. Each of these has its own compelling merits and drawbacks.
Tools to encrypt email (and its attachments) have been around for years. The technology is well established and commonly understood. Essentially, the sender invokes an encryption algorithm and the recipient uses a decryption key at the receiving end. This works and is secure, but it has a few drawbacks. It requires an encryption program and a decryption key, it takes a few extra steps to use, and the recipient must be prepared in advance to receive encrypted mail. In addition there is some training overhead to teach your staff what to do and your clients what to expect. Pretty Good Privacy (PGP) (http://www.pgp.com) is probably the best known encryption product, and one used by many accounting firms.
Many firms have adopted secure web portals as a method of presenting files to (and in some cases receiving files from) their clients. Most of the major document management systems used within the accounting profession have a portal capability, and posting a file from the DMS to the portal usually takes only a few mouse clicks. The portal itself uses SSL encryption (the same kind that protects your credit card when you order something online) and requires pre-established authentication in the form of a user account and password to log in.
To use the portal, you place the document that would otherwise have been the email attachment into the recipient’s private portal space and send an email notification that the document is ready for pickup. Because the email itself contains no sensitive information, it poses no disclosure risk and does not need to be encrypted; the sensitive content never travels through the mail system at all.
The advantages of this system are the integration with the document management system and the relative ease of use. Also, because the portal is a web site, it can be accessed from anywhere on any Internet-connected computer. The biggest drawback is that it requires a commitment to the underlying DMS, which is a whole additional buying decision for the firm.
Major accounting vendors providing DMS based portals include CCH (ProSystem fx Document – http://tax.cchgroup.com/Document/default) and Thomson Reuters (GoFileRoom ES - http://es.thomsonreuters.com/gofileroom and FileCabinet CS - http://cs.thomsonreuters.com/document-management). Many other vendors provide this capability as well.
Web-Based File Transfer Utilities
A third alternative is really a form of portal as well, but one independent of any particular document management system. File transfer protocols have also been around for years (e.g. FTP, which by itself sends both credentials and data unencrypted), but these applications strip away some of the complexities that made earlier transfer utilities cumbersome to use. They are typically user-friendly and add a number of features, such as multiple ways to upload files and a form of “audit trail” to track deliveries and receipts.
Examples of these applications include LeapFILE (http://www.leapfile.com), YouSendIt (http://www.yousendit.com) and a host of others. As a general rule the simplest form of secure transfer is available for free; additional features and services enter the realm of paid services.
Selecting an Alternative
Hopefully by now you have decided that you do indeed need to use some form of secure file transfer instead of insecure email attachments. The question now remains: which one? The answer will probably revolve around some combination of essential security, ease of use, and desired features.
Fortunately, all the products mentioned in this article should meet the basic security needs of an accounting firm. Ensure, though, as you evaluate other possible candidates, that they will in fact meet your security requirements. After all, that is the whole point of this exercise! Remember that simple password protection probably does not meet the security level you are trying to achieve. You will be looking for products which actually encrypt the data while it is in transit.
Ease of use is a bit more subjective, and is largely in the eye of each user. Our experience has been that there are several indicators you might look for. Does the product integrate smoothly with your email? Remember that you are planning to change email habits; the less people have to change their work habits, the more likely they are to comply. Does the product offer alternative ways to do the same thing?
For example, can you go to a web portal to upload a file, or right-click on the file in Windows Explorer to execute the transfer, instead of using an email? These are desirable alternatives which give people options in how they work. Consider also whether your vendor provides training resources or whether you will have to create your own.
A third consideration is additional features offered. Typical considerations might include the ability to include more than one file in the same mailing or upload, the ability to craft a custom message to your recipient, or the ability to track deliveries, receipts, and reads of the files you send. This can be especially handy if you want to verify that your recipient actually received and read the file you sent.
Your Next Action
The time is now to move beyond sending insecure and bulky attachments through your email system. Fortunately, good alternatives abound. At Boomer Consulting Inc. we have adopted the web-based file transfer system from LeapFILE. It meets all the criteria outlined above: secure, easy to use, and full of useful features.
If you are using a document management system from CCH, Thomson Reuters or another accounting industry vendor, you probably already have access to their portal capability. If you aren’t already using it, start doing so! And, if you prefer, it’s still an option to keep sending email attachments, but ensure that you apply a quality encryption product to safeguard the information you send.
The choice is yours. Just don’t take the “no action” course of action and do nothing. Your obligation to your clients’ privacy demands more than that! Good luck as you move forward with your privacy safeguards.