Email has been around a long time and has evolved into a mission-critical resource to deliver documents and communicate with clients. It’s the default for most businesses—convenient, easy, and mature—and has all but replaced time-consuming faxing and manual delivery of documents. However, while email has been a trusted delivery tool for years—is it safe?
“Security” and “Privacy” have significant importance in the accounting profession. Unlike the recent trending topics such as “paperless” and “workflow”, the measure in which firms assure data security and privacy has been a focus for accountants for decades. And now with new state and federal mandates hitting the profession at warp speed, ensuring the security of data and the privacy of client information has a renewed significance and has elevated to Job 1.
First, it’s important to understand the difference between security and privacy if firms are to comply with mandates geared toward client data protection. Consider each separately:
Security is comprised of three primary elements—authentication, authorization, and audit:
Privacy is really a subset of Authorization. It centers on ensuring that an individual’s privacy is protected during the course of sharing data with others, whether that data is shared online or stored in file cabinets in the office (who has access to those files?). When we are talking about sharing and collaborating over the Internet, it’s easiest to think of security as the padlock—no one gets in without the right combination. Privacy is the shield that protects a person’s identity while actively sharing information via the Web.
Second, it’s critical that firms understand why they should care about security and privacy.
The Internet is the foundation of communication in most businesses—including accounting firms. Accountants send hundreds of emails every week. Without worry, financial statements, tax returns, and other common reports and forms are attached and sent. A few may send email links to documents, which are secure, but don’t require the user to have an email and password to access the document. And without user authentication, there is no way to verify that the person accessing the document is the intended recipient. Translation: sending links anonymously does not equal secure file sharing.
Some firms have advanced to using encryption as a means to protect documents, which can mean a lot of added complexity managing hundreds of passwords for the documents encrypted. You also have to think about how you are getting the password to the recipient. If you are emailing it, that could be a security risk. And if the password is lost or expires, the document is effectively “dead” and unable to be opened by the sender or the recipient. The result is that you end up duplicating effort in order to recreate and send the information again.
Bottom line: most firms are riding on the hope that email is safe.
But what if it’s not? It only takes one time, one breach of a client’s data, and your firm’s reputation is at stake. In fact, consider all that you are risking—your clients’ business privacy, your firm’s privacy, and civil and criminal penalties. Also consider that as the topic of data privacy continues to garner attention, clients may look to you as an expert, seeking education on how they can protect themselves against potential data breach, and find solutions for secure file sharing. These are all good reasons to care and give security and privacy their due attention.
Now for the big question: Is email safe for sending sensitive documents? The truth is that if most people were aware of the multiple stops an email makes en route to its final destination, they might think twice about sending private information.
Email doesn’t simply move from your inbox to the recipient’s. It is transported across multiple servers, and at each stop point ‘sits’ unprotected. IT experts refer to this as “data in the clear.” While in the clear, emails are open game and at the mercy of the server administrator…who can alter or even delete a message. Below is simplified version of the typical email journey.
Email will most certainly continue to be a primary delivery tools for firms. But as new data privacy mandates continue to emerge, firm leaders may want to look at alternatives for delivering sensitive financial data.
A better solution for exchanging documents that contain private client data is through secure client portals. Other industries have converted to secure file sharing portals as a primary delivery tool; for example the banking and healthcare industries. And clients within these niche markets have come to expect this level of service. Think about it. Would you even consider using a bank that didn’t offer online banking? Pretty soon, firms that don’t offer secure file sharing portals will be in the same category.
It is important to note that no one is saying email should be abandoned completely. Email will continue to be a firm’s primary communication source. It’s only when sensitive information, like tax returns, social security numbers, or financial statements, are attached within an email that firms should consider a better alternative—like client portals. The best client portal solution also offers the ability to use email as the core communication tool. However, via client portals, sending a link to a document is secure because the document is stored online, not attached in the email.
Exchanging and delivering documents using client portals eliminates the need to send complete documents as attachments in emails. It also alleviates several other pain points associated with emailing client information, such as encrypting files and creating, managing, and communicating hundreds of passwords. Client portals allow firms to store sensitive documents within a secure, personalized online space. Firms can then simply provide a link to a secure location where clients can log in and access current versions of their financial documents at any time and from anywhere with an Internet connection.
A key reason why portals are fast becoming a popular document delivery tool is ease of use for clients. The newest client portals offer the best of both worlds: You can use your own email system to send emails to your clients, but send them a link to a document in a secure file sharing portal, rather than attached the document itself to the email. This can be as easy as sending a friend a link to an interesting article on the Web, but it is secure, auditable, and compliant. Clients really don’t even need to understand what a portal is. To access the document, they simply click on a link in the email.
Client portals are also exceptionally secure, offering advanced, built-in security features. Secure file sharing portals require recipients to log in using a unique user ID and password to access documents. This ensures authentication and authorization in one fell swoop. Most client portals also automatically provide an audit trail that enables administrators to view and set user permissions and track usage, and support automatic back up of data. Even better, client portals teach your clients a safer way to communicate, as well—no more sending your firm sensitive information, like SSNs, via email. Everything can be exchanged in the client portal. It’s a win-win.
For sensitive documents, it’s important that you do this with a portal for secure file sharing – which requires your clients have a username and password. While some client portals let you share documents using “anonymous” links, whereby users are not required to have a username/password, those links are not secure and are vulnerable to discovery over the Internet. That’s why such products put these documents in a temporary folder that is deleted after a short period of time, usually 30 days or less. You can password protect these documents for safety, but communicating the password over email is not safe, and access to these documents is not auditable.
There’s a lot that firms need to keep up with these days, and privacy and security of client data should be at the forefront. The good news is that technology can make secure file sharing easy for your firm and for your clients. Portals provide a secure platform for exchanging sensitive information and files, alleviating firms of having to deal with time-consuming document encryption, password creation, and general management of a complex delivery process.
Sending links to documents via email offers clients a familiar communication channel, while leveraging secure client portal technology. Client portals are defined by built-in security and offers one of the safest and most intuitive platforms for secure file sharing between accountants and their clients. Why take the risk of breaching client privacy by sending documents via email when client portals offer a solution with all the security and privacy functionality built in? The insecurities of email are complex. However, with advancements in cloud technologies like portals, the answer to this very real and very difficult issue has gotten much simpler.
Eric Pulaski, CEO and Founder – SmartVault Corporation
With over 20 years of experience in network security systems and a focus on cloud computing, Eric founded SmartVault Corporation in November of 2007, and currently serves as the company’s Chief Executive Officer. Eric has made it his mission to deliver a simple, low-cost document management solution that uses cloud-based technology (low cost) but is centered around integration with applications customers already use, such as QuickBooks® (simple). Reach Eric at email@example.com.