encrypt fill in .pdf form

Mike Davis

I have a client that has a background check form (created with Acrobat Pro as a fillable & saveable form) they want to be encrypted after the end user fills it out so that it's encrypted when they send it back. From what little I've read, you have to have Acrobat Standard or better (not reader) to encrypt a .pdf, and that's just to open it, not to let some one fill it in and then encrypt it with your key and send it back.

If the forms were purely electronic, it would seem that a secure website form would be the better way to go, but some people choose to print the form, fill it in by hand, and mail it.

Can anyone recommend a solution?

gjacobse

Creating an editable PDF isn't that difficult. But the cavet is that it won't save the data. But having just typed that, I recall the US Passport application being an editable PDF that you can then print.

But to submit your information to a company or agency for a background check via a webpage would require a little more in terms of security. And a SMB may not wish to delve into that realm of risk and liabilities.

You may be better to choose a third party to handle it completely.

Not sure if this will help any, but this article from Business News Daily maybe a starting point:

http://www.businessnewsdaily.com/7636-choosing-a-background-check-service.html

scottalanmiller

I use encrypted PDF all the time and don't even have any Adobe products at all. On Linux, Encrypted PDFs open natively. I know that my CPA uses them and they don't have issues with clients opening them or responding in them.

On Linux, I can fill in a form and return it encrypted, I believe, just by default.

Mike Davis

I already created the form and "extended it" so that it's a fill in form and saveable. Something that only an actual Adobe product will let you do. I can encrypt it with a password there, but it seems that the person opening it would need the password to open it. Then they would fill it out, save it, and send it back. At that point I would open it with the password. Since the password would have to be sent with the form (I suppose it could be sent out of band, but this isn't practical for our group) it defeats the point of encrypting it.

I'm looking for a way to allow the person to encrypt it automatically when they save it with my public key so that I'm the only one that can open it when they are done filling it out.

As far as liability, the organization has a background company and the checks are completed by that company, but we have to have the forms on file for the auditors.

Mike Davis

@scottalanmiller said:

I use encrypted PDF all the time and don't even have any Adobe products at all. On Linux, Encrypted PDFs open natively. I know that my CPA uses them and they don't have issues with clients opening them or responding in them.

On Linux, I can fill in a form and return it encrypted, I believe, just by default.

Searching on the web it seems that on a Mac there is native support, but not on Windows...

Dashrender

@Mike-Davis said:

@scottalanmiller said:

I use encrypted PDF all the time and don't even have any Adobe products at all. On Linux, Encrypted PDFs open natively. I know that my CPA uses them and they don't have issues with clients opening them or responding in them.

On Linux, I can fill in a form and return it encrypted, I believe, just by default.

Searching on the web it seems that on a Mac there is native support, but not on Windows...

Windows 10 natively supports PDFs inside Edge now. It's not perfect, but it is usable.

As for Scott's use, I'm guessing his use is what you were talking about. Pre encrypted, password shared through a different channel.

Dashrender

Maybe a secure online form for those that want to fill out online, and a PDF for printing and mailing. Keep the process simple and separate.

scottalanmiller

I think that probably PDF is just the wrong tool in this use case. Having people fill things out offline adds some serious complications.

Mike Davis

Would a google doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.

Jason

@Mike-Davis said:

Would a google doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.

If you had a need for it to be encrypted I don't think Google would be the right choice.

Mike Davis

@Jason I'm just looking for a secure way to get their SSN across the internet.

Jason

@Mike-Davis said:

@Jason I'm just looking for a secure way to get their SSN across the internet.

Google is not the place you want to have SSNs going..

Also you really need something both encrypted in transit and at rest.

Dashrender

@Jason said:

@Mike-Davis said:

Would a google doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.

If you had a need for it to be encrypted I don't think Google would be the right choice.

it might be if you can limit who has read access to the saved data. I know you can create a form that saves the data into a sheet that the rest of the world can't see.

Jason

@Dashrender said:

@Jason said:

@Mike-Davis said:

Would a google doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.

If you had a need for it to be encrypted I don't think Google would be the right choice.

it might be if you can limit who has read access to the saved data. I know you can create a form that saves the data into a sheet that the rest of the world can't see.

Depeding on where this is there are many laws that will block that. This isn't a secure method of storing Sensitive data anyway. If something happens a court will no doubt find you negligent.

scottalanmiller

This is a case where a simple custom app might be incredibly powerful and simple. But would be complex if you tried to address offline use as well.

Dashrender

@Jason said:

@Dashrender said:

@Jason said:

@Mike-Davis said:

Would a google doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.

If you had a need for it to be encrypted I don't think Google would be the right choice.

it might be if you can limit who has read access to the saved data. I know you can create a form that saves the data into a sheet that the rest of the world can't see.

Depeding on where this is there are many laws that will block that. This isn't a secure method of storing Sensitive data anyway. If something happens a court will no doubt find you negligent.

For my own education - what's not secure about it?

Google will sign a BAA for HIPAA for example, just like MS will.
https://support.google.com/a/answer/3407054?hl=en

So while their willingness to sign a BAA itself isn't proof that they are secure, I really can't see them being willing to get sued over this and not be at least as secure as required, and probably a whole lot more so.

I'm not sure who it is that keeps posting around here that they can't use hosted email because the of the sensitivity of their environment, but those customers are much more far and wide compared to healthcare customers which themselves are far and wide compared to non healthcare customers when it comes to these regulations.

Jason

@Dashrender said:

So while their willingness to sign a BAA itself isn't proof that they are secure, I really can't see them being willing to get sued over this and not be at least as secure as required, and probably a whole lot more so.

HIPAA isn't about keeping data secure.. it does the opposite.

BRRABill

@Dashrender said:

I'm not sure who it is that keeps posting around here that they can't use hosted email because the of the sensitivity of their environment, but those customers are much more far and wide compared to healthcare customers which themselves are far and wide compared to non healthcare customers when it comes to these regulations.

It's amazing how insecure the healthcare field really is.

I think the thing to remember is that if you aren't bound by regulations (for example with HIPAA, if you aren't a covered entity) just the concept of security applies to you, not the law itself.

scottalanmiller

@Jason said:

@Dashrender said:

So while their willingness to sign a BAA itself isn't proof that they are secure, I really can't see them being willing to get sued over this and not be at least as secure as required, and probably a whole lot more so.

HIPAA isn't about keeping data secure.. it does the opposite.

It doesn't exactly force the opposite, just encourages it. HIPAA is more an excuse for not being secure than an encouragement to actually be secure. I definitely mostly run into HIPAA as "well HIPAA doesn't stop me from being insecure so I'm not worried about" rather than "oh man, I have to do extra secure because of HIPAA."

scottalanmiller

@BRRABill said:

@Dashrender said:

I'm not sure who it is that keeps posting around here that they can't use hosted email because the of the sensitivity of their environment, but those customers are much more far and wide compared to healthcare customers which themselves are far and wide compared to non healthcare customers when it comes to these regulations.

It's amazing how insecure the healthcare field really is.

I think the thing to remember is that if you aren't bound by regulations (for example with HIPAA, if you aren't a covered entity) just the concept of security applies to you, not the law itself.

Actually, HIPAA provides a defence against litigation that previously would have been more viable. It doesn't completely block litigation but it is a very, very strong tool used by healthcare to protect itself from needing to meet the standards of the world in general.