Much of the business world has long since given up on the idea of fax machines. Those old, clunky, and noisy things that transmit images of documents oh-so-slowly. But can we, as attorneys, really give up this technological relic in the name of efficiency?
The Traditional Fax Machine
When you send a document via fax machine, to another physical fax machine, a direct connection is created between the two devices that simply cannot be hacked. It’s not digital. It’s not encrypted. It’s just a very slow, secure, point-to-point connection. To intercept your fax, someone would have to quite literally tap the phone line.
This is in direct contrast to email, for example, where your document could be intercepted at any number of servers along the way, hacked directly from your computer, or pulled from a compromised account. Many lawyers have taken advantage of this added security, treating the fax machine as the most secure way of quickly getting a document to a recipient. But that may have come to an end and all lawyers should be conscious of the new reality, where sending a fax may not be anywhere near as secure as it used to be.
The Advances in eFax Technology
A majority of recipients, including many law firms, have switched to using an eFax. This innovative technology has many advantages. To name a few: you no longer tie up a phone line; you can send and receive multiple faxes at once, sending a fax can be as simple as sending an email or drag and dropping a file into a web interface, the logs are electronic, received faxes can auto-convert to PDF, OCR themselves (Optical Character Recognition, which makes the documents searchable), and land in your email inbox like your other emails. The conveniences, of which I only named a few, abound—as do the dangers.
The eFax needs to be taken apart in order to truly see where the security starts and ends.
Sending an eFax
For the purposes of this article, we will assume that your own file repository system is secure and that until you went to send the eFax, you have not compromised your files in any way. Now you have to take your file (presumably a PDF in most cases), and transmit it to your eFax server. Most eFax providers offer multiple ways of uploading a file for sending. This is the first potential danger point.
In an ideal circumstance (from a security perspective), you enter your fax sending portal through a secure log-in (perhaps even with two-factor authentication), after which you upload your file and set up the transmission through a secure connection. Unfortunately, your eFax provider probably wanted to make things fast and easy. To that end, you are likely able to send an eFax by emailing it to a special transmission server, where the email address itself directs the sending.
So, for example, if you wanted to send a fax to 212-555-1212, you may be able to simply compose an email to email@example.com and throw in the document to be faxed as an attachment. I’ve seen many lawyers do this, reasoning that they were sending a secure fax, rather than an insecure email. What the lawyer fails to realize is that before that fax is ever sent by the secure eFax server, the document has already traveled through an unencrypted email.
But let’s assume for the moment that you are careful, and only upload the documents to your eFax service through a secure connection, or even go the extra mile and use an old Panasonic fax machine you never had the heart to throw away. Are your transmissions safe and secure now? Well, maybe… It all depends on what the recipient is using.
Receiving an eFax
An analysis on receiving an eFax will result in similar conclusions. The eFax server itself needs to be secure and encrypted—not a major problem as most of the commercial vendors are. But what happens next? How does the recipient retrieve that fax? Most recipients, including most lawyers, have the incoming fax emailed by the eFax server, as a PDF attachment, to their email inbox. Convenient? Absolutely. Secure? Not even close.
While many more lawyers are cognizant of the idea of not sending PDFs containing confidential information via email, even to transmit an eFax, most simply don’t seem to notice the fact that the document which the sender may have meant to arrive with great security, has just been automatically converted into an insecure and unencrypted PDF. What can you do? Unfortunately, give up some convenience.
The Compromise and Duty to Inquire
The beauty of eFax is that it is all software run. That means that you can configure your notifications in such a way that while you can have an email sent to you alerting of a new fax receipt, you can disable the feature that would allow the document to be attached to that email as a PDF. Rather, you would have to click a link in the email, log in to your eFax service, and manually download your document. But that only takes care of everything on your end…
The main takeaway here is not just on securing your eFax service. More importantly, it is to be conscious of the fact that sending something by fax, even if you don’t use an eFax, is no longer a means of assured security. If you transmit a document to someone and the contents are confidential enough in nature, don’t just rely on the fax machine to provide security. Inquire how your recipient receives their faxes. Otherwise, you may be inadvertently causing those documents to arrive to the recipient in an insecure email without even thinking about what you might have just done.