How to industry sign banking north carolina form secure
Hello and welcome to the webinar. This is a CLE entitled "Message Security and the Post-Email Law Firm." Today we're going to be talking about how to maintain message security. I'm going to give you a little bit of background on the history and workings of email and, toward the end, give you some best practices on making sure that your communication with your clients or other attorneys will be as secure as possible.

So here is our agenda today. As you can see, it's fairly full. We are going to start with some background on communication in general. I'm going to talk about the very first email that was ever sent and how email has evolved from there. We're going to be discussing an introduction to encryption, we'll talk about legal and ethical obligations surrounding data security, and then we're going to give you some practical tips about how to make email or other communications as secure as possible and, if you can't make email more secure, how you can avoid sending email altogether.

So let's jump right into it. My name is John McHugh. I work for Citrix ShareFile, where I'm a partnership specialist. I have my JD from the University of North Carolina at Chapel Hill, and the company I work for, ShareFile, is an online document storage and encryption service. We are a member benefit of the Florida Bar, so you'll see a link at the end if you're interested in our service.

So let's talk about the history of communication. The very first recorded concept for an electronic communication system was actually made in an anonymous letter to a Scottish engineering publication in 1754. Over the next 200 years the concept of the electronic communication system would bloom from a simple point-to-point wired communication system to an international digital communication system, and it's important to note that the history of communication has always been the history of e-commerce. If you look to the right, that is the patent picture for the first e-signature machine; that's called the pantelegraph. Using a modified telegraph line, it actually sent digital signatures in the form of real-estate documentation and bank checks in France more than 150 years ago.

And today we live in an information economy driven by the need for near-instantaneous information that's connected by a worldwide system of networks that we call the Internet. But in 1971, while international, it wasn't so ubiquitous. Here's what the internet looked like in 1971; at the time it was called ARPANET. ARPANET was a collection of universities and research labs that were tied together by various phone lines using specialized computer terminals that were referred to as IMPs; IMP means Interface Message Processor protocol terminals. So here's what the IMPs look like, and the first email was sent from one IMP to another IMP in 1971. What made this classified as email was the use of the @ symbol to specify a specific recipient in a specific location. And as if to underline how generally insecure and unreliable email is, we don't actually have a digital or paper copy of that first email. The only evidence that we have that the first email was sent in 1971 is the testimony of the parties involved and a handwritten note on a pad next to the receiving IMP.

So from there let's talk a little bit about how email actually works. In 2016 email turned 45 and had a little bit of a midlife crisis. Email security, or lack thereof, and email privacy, or lack thereof, were the big story in the 2016 presidential campaign, and it's not hard to understand why. Emails as a communication system are designed around ease of use and accessibility, not security, and to make it secure it takes time, effort and attention to detail to maintain a workable security policy around this form of communication. Although the story in 2016 surrounded Podesta and the DNC's email, lack of security is nonpartisan and apolitical. Hillary Clinton, Colin Powell, they've both been hit by email leaks. The head chair of
the Republican Committee in North Carolina, my state, was hit with an actual hacking attempt from his email account, and email hacking hits individuals of all parties, corporations big and small, and firms of all sizes. All told, more than 205 billion emails are sent daily, and there have been research studies that actually have shown that frequent email users have higher anxiety, have higher levels of stress hormones in their body, and actually have a higher resting heart rate than people who do not frequently check their email. But email is here to stay; it's a fact of life in the 21st century.

So let's go and take a look at the different types of email that are typically in use. Generally speaking, there's a bifurcation in the types of email services people use: either an on-premise solution or a SaaS solution, and by SaaS I mean software as a service. The on-premise solution is what we usually call a LAN, or a local area network, that uses a physical server in the same building that you're operating in; that server connects to the internet. Typically, if you're using an on-premise solution, you're probably using Microsoft Outlook or the Mac equivalent, using Exchange servers that are located somewhere either in your building or in your company's intranet or firm's intranet. LAN by its nature is a premium professional service, meaning that you get to choose both your name and your domain name, so it's probably your name at greatlawyer.com or .net.

Whereas webmail has many more different types. It's a cloud-based software, and by that I mean it's software as a service, meaning that you access a remote server that is not located in your building or in your firm, usually by an app or through a website. Examples of this are Gmail or Yahoo or Outlook, which used to be called Hotmail. And I will point out that the reason it's called Hotmail, which is kind of an odd name, is that the distinguishing characteristic when Hotmail was first introduced was that it was not in a
notepad system but in a web form, so Hotmail is actually HTML, and the original spelling of Hotmail actually had those letters capitalized. Webmail typically comes in both premium offerings and free offerings, and while it seems largely the same to both the front-end user and the recipient, there are some very radical differences between the free webmails and the premium webmail addresses in terms of both the ability to create your own domain and the Terms of Service requirements and various security surrounding the documentation. So I would recommend that if you're going to go with a webmail service, you go ahead and get the premium service.

It's important to know that there's not an absolute division here. I work for a company that has a LAN, but I can still check my email through an app or via a web page if I'm not on site, and if I'm using webmail I can download all my Gmail messages onto my physical hard drive and have them stored locally. But the real difference between these two services is that one of them is a physical server located on the property; the other one you're accessing via the web in some manner.

So let's talk about what's in an email. I'm going to start one of my ham-fisted analogies now. The first thing you have is the subject line, which is the cloak that goes over the entire message; it lets your recipient know what you're writing about. Then the message itself, which in this example is represented by an avatar of a cute blonde girl, and then whatever attachments you might need to add to an email, either directly or indirectly, that are represented here by a basket of goodies.

So what is the story of email? Over the river and through the woods to grandmother's house. You want to send an email to grandmother's house, to your grandmother; this is represented in this case by Little Red Riding Hood. Now, email doesn't travel in a straight line. It doesn't go directly from point A to point B; there are actually several stops along the
way. The first thing that happens, this is the over-the-river portion, is that once you hit Send the message goes from your computer to an SMTP server, which is a Simple Mail Transfer Protocol server, which then sends the address that you're sending it to to the DNS server, which is the domain name server that looks up the recipient's domain name and IP address. At that point the SMTP server sends the message through the Internet. It travels through the internet and arrives at the recipient's MTA, the mail transfer agent server, at which point it gets sent to the recipient's MX, the mail exchange server, and then, depending on how the recipient has their email system configured, it uses either a POP or an IMAP server to fetch the message down onto the computer so they can read it themselves.

So that's a whole bunch of steps. What does that mean? Well, when it's going from your system through your server, that is a fairly simple process, and when it goes from the MX account to the recipient's computer, that's a fairly simple step. That through-the-woods bit is what we're going to be focusing on, because that's the part where bad things can happen.

So the Internet is not a giant amorphous thing. Really, what the Internet is is a network of networks. What we think of as sort of the cloud, or the internet, or the matrix even, is really just an environment of cables and computers connected over hundreds of miles. And you don't have to just worry about one big bad wolf, because there might be a big bad wolf out there, but there also might be a bear, or a pack of velociraptors, or even a dragon or two, and depending on where you go in the internet you can have different levels of security and the ability to spot dangers.

So it's important to note the first thing that's going to happen is that your email is going to be scanned, both by your service and by the recipient's service. This is one of the reasons why it's important to use a premium service, because every free webmail service uses scanning
to provide targeted ads to help pay for the cost of the service. So you can imagine the difficulty of sending a client an email on planning for his upcoming divorce, and then all of a sudden his computer, which he may or may not share with his spouse, starts getting ads for divorce attorneys. That can obviously be a pretty big problem.

Additionally, emails can be intercepted and altered in transit, meaning that when you receive an email there might be one letter changed in a link that you added, or a link inserted to get your recipient to click on it because it's from a trusted source, that takes them to a place that may be there to do damage to the computer, upload malware, or try to steal personal information. And really this is a function of the different levels of security in the different parts of the woods where your message is being sent. For example, half of all email traffic goes through one building in Moscow. A series of floors contains all the servers. The floor below that is rented by Google so they can be as close as possible to the servers to provide rapid service to their customers in that part of the world. The floor above that is actually owned by the FSB, the Russian security services, so that's obviously not a particularly safe location.

And it's also possible, depending on how the recipient has their system set up, that the message isn't even safe when it gets to grandmother's house. If they're checking their email from an open network, the wolf may already be in grandmother's bed, and they may be able to intercept that message as it comes into their computer.

So I'm going to mix my metaphors a little bit here, and I've already mentioned this a little bit: every email you send leaves a trail of breadcrumbs. Both the SMTP server and the MX servers are going to make copies of every email that you send out. It's also going to be in your outbox and your recipient's inbox. All those locations can be a location where a data breach
can happen, where a hack can happen, where information can be pulled out of your email. If you think about this as a UPS package, your UPS package is scanned at many locations. It's going to be scanned at the pickup location, it's going to be scanned at a number of the transfer nodes, and then it's going to be scanned at your door when it's received, just so UPS can keep track of where that package is and how far along the delivery process it is. Email is similar to that. The difference is that instead of just using a barcode scanner, a copy of that package gets recreated and left in each one of those locations, and that's obviously not the most secure way to send any kind of information, so you want to be very careful about that.

There are generally state laws that are going to protect the integrity of the emails, but the people that are trying to read your emails are not going to be particularly interested in those laws, and you yourself have several obligations surrounding client or sensitive communication that you have an affirmative obligation to protect.

So how do we protect that email? Basically, the best tool that you have in your arsenal is what we call encryption. And when most people think of encryption, this is what they think about: they think of The Matrix, this screen of green cascading numbers with bits of information floating by. What encryption really is is a process of obscuring information in some way. Historically that's been done by a variety of different methods, but in today's world encryption really is done by a complicated process of what we call substitution: that's swapping one character for another character and using a mathematical formula to control both the initial swap and the unscramble at the other end. And, you know, when you see encryption in movies or TV shows, you see people furiously typing away on a keyboard, and one part of a message over on the left suddenly becomes unscrambled, and another set
of numbers, characters, lock into place on the other side of the screen and that part becomes readable. That's not really how encryption works, so The Matrix is not really a great guide.

In fact, I like to use a different example to explain encryption, and that's A Christmas Story, the seasonal favorite starring Ralphie getting his Red Ryder BB gun. If you remember the scene in A Christmas Story where Ralphie gets his decoder ring, this is actually a really good example of how encryption works. The Little Orphan Annie message that he receives on the radio is what is called a substitution cipher. It's actually one of the earliest types of encryption, which dates back more than 2,000 years. It's a one-to-one substitution cipher, meaning that every number that he receives corresponds to one letter in the alphabet, and using his decoder ring and the key number that he receives at the beginning of the broadcast (remember, I think it was B3), Ralphie can use that to unscramble the message. This is not a particularly strong form of encryption; it probably wouldn't hold up to any kind of scrutiny today, but it's a good example of the basic points of how encryption functions.

And I like to use this example for two reasons. The first is that it illustrates that the security that encryption provides is encryption from understanding the content of the message. The security is not designed to hide the message or prevent the message from being intercepted. If you remember the movie, the encrypted message was actually broadcast on a radio, so anybody that had a radio device could intercept the message. It's the fact that the message was encrypted which is the thing that made it secret. The second part is that it neatly illustrates the notion of the key. The key is that B3, the first thing that Ralphie set his decoder ring to. That is the bit of information that allows somebody to both encrypt the message and
decrypt the message, and the key is really the most important security element when you're sending an encrypted message.

So Ralphie's encryption system had only 25 possible combinations, but modern encryption is typically measured in the number of potential key combinations, and modern encryption, because it's digital, is measured in bits. The current modern standard is 256-bit AES; that stands for Advanced Encryption System encryption, and it's the same type of encryption that is used in online banking. So we've gone from 25 possible combinations to this number on the screen right now, which is an 11 with 90 zeros behind it, so that's quite a bit more possible combinations. And if you were trying to brute-force this kind of encryption, meaning if you tried to record and input every single potential key combination for 256-bit encryption, that would require more than a hundred quintillion gigs of information, and that would require more data storage than currently exists on the planet Earth. So 256-bit encryption is actually quite strong and very secure.

So in that instance it's much easier to try to figure out what your email, your password, is rather than try to break your encryption. And this is my last movie reference, but if everyone remembers the scene in Spaceballs regarding the combination for the planetary shield over Druidia, it was one, two, three, four, five, and the running joke is that's the kind of code an idiot would have on his luggage. And really, if you feel strongly enough that you need to encrypt the message, if that message has protected or privileged or confidential information in it, you owe it to people to have a password that is not going to be able to be guessed right off the bat. So, to quote a friend of mine, passwords are like underwear: you should always have it, you should never show anybody, you should change it often, and it's cold on the internet, so the longer the better.

So there are a few other things that you need to look for when you're picking an encryption system. One of them is the difference between in-transit and at-rest encryption. At-rest encryption is pretty self-explanatory: it's files that are being encrypted while they're sitting on a server somewhere or while they're sitting on your hard drive somewhere. Think about this as locking your file
cabinet and then locking the door behind you. There's also in-transit encryption, which happens when a piece of information is being moved or copied or downloaded or sent to somebody, and the way that in-transit encryption is handled is by a system we call SSL, or Secure Sockets Layer, which is basically a server creating a digital encrypted handshake with whatever the uploading or downloading source is. So you can think about this conceptually as choosing to send a message on a postcard, where anybody could read it at a glance while it's in motion, versus sending a message through a diplomatic or highly secure courier service, where it's going to be picked up by hand and delivered by hand and the integrity of that message is always going to be maintained.

So now we're going to shift over and talk a little bit about your ethical and legal obligations surrounding message security. The first is there are four relevant Florida Rules of Professional Conduct that have to do with either using a cloud service for digital storage, maintaining confidentiality of information, and how you can make sure that if you do pick a third-party service they're living up to the same legal obligations that you have. These largely track the ABA Model Rules, so let's get right into it.

The first Rule of Professional Conduct is Rule 4-1.1; that's competence, promptness, diligence and ongoing education of attorneys. Rule 1.1 particularly is competence, and the important part here is the part I've highlighted: the continuing study and education, including an understanding of the benefits and risks associated with the use of technology. This substantially tracks with revised Model Rule 1.1, comment eight, which requires a lawyer to, quote, keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. Those changes were made relatively recently, and they're specifically targeted at
attorneys, to make sure that attorneys are keeping up with technology and the times. We're in the 21st century; clients expect to have continuous, instantaneous communication with their attorneys. They expect to have an attorney that is technologically literate and understands how to use technology and, more importantly, how not to use technology. So this really has given people like me the ability to talk to attorneys and help be a part of that educational process and make sure that you understand your risks while using what has become the default method of communication in the 21st century.

So the next rule is Rule of Professional Conduct 4-1.6. This is outlining communications, and this is all about maintaining confidentiality and maintaining privilege. A lawyer must not reveal information relating to a representation of a client; a lawyer must strive to make reasonable efforts to prevent inadvertent or unauthorized disclosures of, or unauthorized access to, information relating to the representation of a client; and a fundamental principle in the lawyer-client relationship is that a lawyer must not reveal information relating to the representation. This is substantially similar to ABA Model Rule 1.6, which requires a lawyer to make reasonable efforts to prevent unauthorized disclosures. This really is all about preventing data breaches when we're talking about the cloud. You know, information is very valuable, and in particular information that you hold about your clients is extremely valuable, and you should be making best efforts to prevent somebody who's not authorized from getting their hands on that information, because it can do your client and yourself real, lasting harm.

The final rule that we're going to talk about briefly here is Rule 4-5.3, which is responsibilities regarding nonlawyer assistance. A lawyer may use nonlawyer assistance in hiring a document management company to create a database, sending client
documents to a third party for printing or scanning, and using an internet-based service to store client information, but when doing that you must make clear that whatever third party you're using is living up to the obligations that you have to your client. This is very similar to ABA Model Rule 5.3, which is reasonable efforts that all third parties live up to their obligations. In both the Model Rules and Rule 5.3 they authorize the use of internet-based services to store client information, and really where you're going to find the information that a third party is going to be maintaining these obligations is by reading the Terms of Service or the service level agreement, which will outline who owns the information, how often you have access to the information, and what happens when information is deleted. These are all very relevant elements to a third party, and you have an obligation, I think, to review those Terms of Service and make sure that you control your data and that your client information is going to be protected.

So we're going to talk about two specific classes of information that you have legal obligations to protect. The first one is PHI, or protected health information. PHI is a classification of data that is created by HIPAA and then modified by HITECH. If you are a holder of PHI you probably already know, because you're either employed by or have a client that is a health care provider, and you've probably had to sign a BAA, a business associate agreement, in order to handle that information. But to review very quickly, PHI is information that's related to a specific individual's healthcare or provision of health services. It includes any biometric information and any billing information related to healthcare. Covered entities generally generate protected health information, or PHI, and anyone who works with the covered entity is going to be considered a business associate. Business associates
are going to have to sign an agreement that basically states that a business associate is obligated to follow all the requirements for data protection, encryption and information masking that a covered entity is required to follow.

The second one is a little broader: it's PII, or personally identifiable information. PII is defined typically as a last name and a first name and first initial, and then something else that makes it qualify as PII. This is typically an identifying number like a Social Security number or driver's license number, or maybe some sort of financial information or biometric information. Effectively, it's anything that can aid someone in identity theft or fraud that's going to be legally protected. Currently 48 states, that's everyone except Alabama and South Dakota, have consumer protection laws. All these consumer protection laws require notice to persons whose information has been breached or leaked, and typically a notice to the consumer protection authority, typically an attorney general's office in that state. All of them but one have a safe harbor provision for encryption, and the only one that doesn't is Illinois, which has an affirmative requirement that a holder of PII take reasonable steps to secure that information, so I think that requires using encryption. And it's important to note that if you have clients in a number of different states, the jurisdiction of the consumer protection law that attaches is the residence of the person whose information was leaked, not the location of the holder of the personally identifiable information or the location where the breach happened, so you may be under several different schemes all at once.

This is Florida's personally identifiable information consumer protection law. It's Florida Statute 501.171, security of confidential personal information. It identifies personal information as a last name, first initial or first name, and any of these elements: an
identifying number, health information, finance or banking information, health insurance information, or an email address with an attached password or a security question that can allow somebody to get into that information. If you have a reasonable belief that PII, personal ID information, that you're holding has been breached, you're required to give notice to the individual, to the Department of Legal Affairs if the breach includes 500 or more persons, and to credit reporting agencies if the breach includes a thousand or more persons. And happily, Florida still has the safe harbor provision: if the information is stored in an encrypted manner, and if that information is breached, if the encryption is maintained, then that doesn't count as a breach of information and you do not have to give notice.

So the Florida professional ethics board has come out with two holdings that mention encryption. The first one deals with cloud-based services generally, so if you're having your email held by one of those SaaS providers that we mentioned, this applies. This opinion, 12-3, really focuses on confidentiality and adequate security. So these are some best practice elements that they have: the reputation and security of the provider, and anyone who tried to listen to this webinar the first time around knows how important the reputation and the reliability of the provider can be; that you should review your provider's Terms of Service, particularly with an eye toward who actually owns the data you're storing on that service; that the lawyer must be able to access the information without limit; that the lawyer must be able to control anyone else's access to the information; and finally that the information held by a third party is password protected and encrypted.

The only other reference we have to encryption or message security is Florida Bar Opinion 00-4, which just states that you're not required to send an email to a client in
an encrypted format if that email contains protected or confidential information, but it's probably a good idea.

So in the absence of any strong rules or best practices in the state of Florida, we'll turn to the one state whose ethics board actually has addressed this question, which is Texas. The question that was asked of the Texas Ethics Board for Opinion 648, which came out in 2016, is: under the Texas Disciplinary Rules of Professional Conduct, may a lawyer communicate confidential information by email? This was prompted by the Snowden revelations and the fact that the NSA was indiscriminately collecting communication metadata and in some cases looking at email. There was some concern among a group of lawyers that NSA review may cause trouble when dealing with clients that are involved in anything involving national security issues, or that it may impact privilege itself. The conclusion that the Ethics Board came to is that it may be appropriate for a lawyer to advise and caution a client as to the dangers inherent in sending or accessing emails from computers that are accessible by someone other than the client, but at this time there was no requirement that information be sent in an encrypted manner.

But they did give us some best practices, and the six best practices boil down to three big categories. They're really kind of common-sense things: you wouldn't want to send an unsecured email with confidential information if the information in the email is highly sensitive, if the client knows that the account is unsecure, or when the lawyer knows that the device or network is unsecure. So, for example, don't send an email involving divorce particulars to an email address a client shares with his or her spouse; don't send an email regarding employment discrimination information to a client's work email, whose boss may have access to that information; or don't send information where
the lawyer knows the client is checking from an open network or from, say, a public device such as at a library. And finally, because it's Texas: sending an email where the lawyer is concerned the NSA or other law enforcement agency may be reading the lawyer's email communication, with or without a warrant. Because Texas.

So we've talked about your obligations, we've talked about how email works, and we've talked about how encryption works, so let's talk about how we can go about securing your email, either the message itself or the attachments. As we've mentioned, email is the accepted form of communication in the legal business world. You have an ethical obligation to understand the risks and benefits related to technology you use in your law practice. Lawyers have an ethical obligation not to disclose client information or communications and to prevent unauthorized access to information that is relevant to your client and your representation, and personally identifiable information and protected health information must be protected under either state or federal law.

So, returning to our Red Riding Hood metaphor, what are the tools that we need to make sure that Red Riding Hood and her basket really get to grandmother's house? What are we going to use to be our heroic huntsman in this situation?

So step one is going to be deciding what needs to be protected. Now, obviously, publicly available information doesn't need to be protected, because that's not protected information. If I can look it up on the internet from a publicly available source, then the risk of harm of somebody accessing that information from an email is zero. And trivial matters, such as where you want to have lunch with a client, are not going to rise to the level of needing additional security measures. But if you're transmitting confidential or otherwise protected information over email, it is in your best interest to not only send that information in a secure manner but to make
sure that your client is able to receive it and understand the dangers of sending that sort of information over an unencrypted channel and we've already discussed encryption and its role in securing data and there are a bunch of different ways to actually encrypt emails and by emails I mean the body of an email there are a few systems such as Gmail as one of those SaaS services that I mentioned before that encrypts email in transit automatically from machine to machine the company that I work for that I'm most familiar with is ShareFile and we actually use an Outlook plugin you download directly into your Outlook it puts this green padlock on your system and you click on that to encrypt the body of an email and the way this works is pretty interesting actually it treats an email as it would treat an attachment that we'll talk about a little bit later so effectively it turns the message that you're sending into an encrypted attachment and sends that through an email so that maintains that encryption from point to point in some encrypted email systems the email recipient needs to set up an account with the sender's encryption service in order to be able to access the email Gmail is decrypted if the recipient reading the emails also has a Gmail account so if it's John at gmail.com to Bob at gmail.com that is an encrypted message being sent but not if it's sent to another email encryption service for ShareFile they would have a recipient receive an email in their inbox saying you received an encrypted message click here they would go to a portal where they would be asked to sign in their username would be their email address they would create their own password and then they would be taken to what looks like a webmail style interface where they would have the ability to read the message and then respond and you would receive that message back in an encrypted format in your inbox since sensitive information can be exchanged safely with encrypted email attorneys that are under that BAA or work with HIPAA or Sarbanes-Oxley documents probably already use encrypted messages to be able to send information there is a caveat that because of the way that encrypted messages are frequently sent by turning a message into an encrypted file encrypted emails are typically incompatible with email archiving services so if you 
have additional legal obligations under for example a financial requirement that has a WORM read once write excuse me write once read many requirement you may not be able to use this style of encrypted message you may have to rely on a different system so an encrypted attachment so you need to send a document let's say a will or a contract through email the contents of which are highly protected or highly confidential or contains sensitive information how do you attach that to an email to send that to your client or to another attorney to make sure that encryption is maintained well there are a couple different ways you can do this the first way is to attach a protected file this requires you to set up with your recipient on the other end the password or the encryption key before or after sending which is an additional potential security breach you're going to typically have with anything you attach to an actual email you're going to have a size limitation on the email provider of my company Citrix has a 5 megabyte limit if you try to send me an email that has an attachment that is over 5 megabytes that email is going to get bounced back and you have to turn on the protection prior to sending the email meaning you have to take a few steps to make sure that the file is encrypted prior to attaching it and sending it and I want to pause here for a moment and make sure that everyone on the webinar understands that password protecting a document is not the same thing as encrypting a document sometimes that information can be conflated by a company that's trying to sell a service of some sort but a mere password protection is not sufficient security to qualify for those safe harbor provisions in the Florida state law for example so what you really want to do is encrypt a message before sending it if you're choosing to go down that route now an alternative is to use a service that provides secure downloads and the company I work 
for which is ShareFile does this this is a screenshot of what that's going to look like Box will do it there are a number of different providers that allow you to generate an encrypted link or what in the instance that you're looking at here appears to be a file attachment but is actually just an encryption button that you can attach to the body of an email before you send it now this doesn't actually send the files through the email what it does is it allows the recipient to click on a button or click on a link and then download those files in an encrypted manner now the benefit of using this method is if you're using a system like ShareFile that has an Outlook plug-in it's exactly the same workflow that you would use for attaching a normal document you just click on a green paper clip rather than a black paper clip to attach the files additionally you can attach any number of files to an email rather than a preset limit through most email services you can attach any size files so to get around that 5 megabyte limit you can attach files up to say a hundred megabytes now your recipient still has to download that file so that might not be the best idea but if you have to send a very very large file say an entire recording of a deposition through an email that's an option and so that can be an extremely useful system and as I said most services that provide online storage encryption will allow you to add that link to send in an email so let's talk about that we've already talked about how to make email as safe as possible let's talk a little bit about how we can avoid email altogether in a way that provides service that protects you and your client at the same time so one of the problems that we frequently run into is the too much or not enough problem and that is you only get to control the level of security that you choose for your communications you don't have any control over what your client or what another attorney is going to use so you 
may have one client that thinks like Fort Knox that has an extremely high security connection that connects directly in they say have a wired connection they don't rely on Wi-Fi at all they have very strong firewalls that may flag links as spam or delete them altogether and so you have a client that does everything right that you could just attach a file to a document and send it to them and not be worried about that information being leaked or breached and on the other hand you might have a client who doesn't use passwords at all or uses you know qwerty or one two three four five as their password they might have no firewalls at all they might check their email from a coffee shop or a public library that is an open network where anybody who wants to can see what they're uploading or downloading and you don't have the ability to control what your client is going to do so how do you set up a system that provides both the service that they are expecting and the security that will protect both you and them at the same time so the answer to that is what we call a portal and a portal is a shared virtual space on the Internet in an encrypted environment that allows you to have access controls and create your own file structure that you can control and duplicate to force your clients into only sharing information with you in an encrypted format this is a way that you can provide protection to your client that your clients may not have been aware that you're doing and I myself have used this before last year I bought a house and I didn't want to send all the very sensitive information for example my tax information my pay stubs to my mortgage broker because I knew he was going to have to keep that on his computer inbox and I didn't want to have to be emailing those files back and forth so what I did was I created a portal for my mortgage broker my insurance provider and my real estate agent and divided it up into 
three different files that each one of them had a unique access to so I put all my house documents in one I put all my tax and pay information in another and I put my insurance information in the third one and when they logged in all they saw was the information that they had access to and a big benefit of this is that I can allow them to upload information into those files so I can see where they are in the process and I can generate an audit trail to see when somebody uploads or downloads into that portal so I can see if my mortgage broker has actually downloaded my last three pay stubs to run a credit check and make sure that he's actually doing the things that he says he's going to do so I can keep track of that it adds an extra layer of comfort one of the good things about setting up a client portal is that you could set it up where you get notifications when somebody's uploaded and downloaded by email or within the system itself the client gets to choose his own login and password so he or she has a level of security that they're comfortable with it's file type agnostic you can have photos or documents or files or very large audio/video files interviews with potential witnesses or depositions or security cam video of an accident or break-in all within that encrypted environment that you can control access to and as I mentioned before you get to create a customized file structure to make sure that the information is organized in the way that you want so you never lose anything within that file so setting up a client portal is actually pretty simple most cloud-based practice management and document management systems include client portals ShareFile does I believe Clio does most of the web-based SaaS practice management systems do you can create your own fairly simply all you need is one of these you know a ShareFile account or a Box account will allow you to create 
that controlled access and depending on which service you pick they're different there's a little bit of play in the features around the corners you create your own simplified file structure so every client has the same system so it's easy to know when and where you're uploading or downloading and so it's really simple to set up you can set it up with your own branding under several systems so it looks like an extension of your website so your client always has that extra level of protection of knowing that they're in a portal environment that you have created and you control the benefits of the portal are numerous and we've already mentioned some of them you avoid the inherent insecurities of email clients can upload or download very large files there's no limitation as long as they have a mobile device and an internet connection they can log in and upload or download you can set your notifications so you can see if somebody has uploaded or downloaded information in an audit style Excel spreadsheet and you get to control the expiration dates and access controls of your files if you want to allow somebody to download something just once you can do that if you give somebody a week to download something you can set that file to delete automatically within a week so they only have access to that information for a limited amount of time so these portals can be an extremely powerful and extremely valuable system to protect your client information to force them into a system that provides them an extra layer of protection even though it's very easy to use it's very easy to set up it has your own custom branding so it looks like your website and really gives you that sense of security for your client that they're not just emailing you their W-2 information they're not emailing you you know just typing out their social security number into an email sending it to you you don't have to 
worry about those liabilities holding that information in a place that may not be as secure where you're actually liable for loss of that information I hope you've enjoyed the webinar if you have any questions this is my email address it's John McHugh that's M-C-H-U-G-H at Citrix dot com C-I-T-R-I-X dot com my direct line here is nine one nine nine four eight one six eight six if you have any questions you want to reach out to me the CLE course number to receive credit for this CLE is two six seven six so make sure you log on to the Florida Bar website to make sure that you get your CLE credit for sticking with me for the full hour if you have a moment I would really like it if you could fill out a survey link it helps me be able to provide these sort of see what I'm doing wrong see what I'm doing right see if you have a subject you'd really like me to cover in the future and it helps me sell this program to my boss so I can continue to provide what I hope is a fairly high grade educational program to Florida Bar members so I'd like to thank everyone for their participation and again if you have any questions please drop me a line or send me an email and I look forward to hearing from everybody I hope everyone has a great day