I wonder what the purpose is of changing the names of the client folders when the PDF documents within the folder will reveal the names. Also, I agree with Raj Goel that a requirement of using a PDF document is basically a requirement of using Adobe. I have spent many hours searching for another application, but this is one area where I have not found a suitable open-source alternative or even a suitable private alternative to Adobe Acrobat.

Second, the lawyer would assign unique randomly generated alpha-numeric names and passwords to each online client folder. The folder names contain no information that could identify the client to which it belongs. The password would not be the same as the client folder name

Great – random-character filenames. Either people won't use them, or they'll start creating tiny urls. I worked on a medical project where the guidelines were similar. Long, complex urls to prevent dictionary attacks. Within 10 hours of alpha testing, the userbase switched to tiny-urls, which amplified the attack and created a bigger problem. The project was hastily withdrawn and implemented after careful thought to security.

Security was built into the DNA of the application, not bolted on afterwards.

Secondly, this is even more dangerous:

Third, all online client files would be converted to Adobe PDF (Portable Document Format) files and protected with another randomly generated unique alpha-numeric password.

A) Making any security recommendation vendor-specific is dangerous. Vendors go out of business, get bought out, let products die.

B) For most people PDF == Adobe Acrobat readers, which in itself has a severe security problems. There's (still) an unpatched javascript flaws in the reader that malware writers are using to infect windows PCs.

B1) Recommending PDF as a standard is fine – FoxitPro, SumatraPDF, etc are all good readers, without the security issues inherent in Acrobat.

C) The password-protecion mechanisms built into most commercial software (Microsoft Office, Adobe, etc) are easily crackable. Either the underlying cryptographic mechanism is weak, or the passwords are crackable via dictionary attacks.

There's a commercial MS Office, Zip, etc. password recovery tool where the vendor inserted a time-delay (10-30 seconds) just so the customers wouldn't panic at how fast the passwords were recovered/cracked.

Simply put, the guideline reinvents the wheel for information security, without referring to existing mechanisms and makes layman's mistakes when dealing with infosecurity.

HIPAA has great guidelines for storing and sharing information securely.

PCI-DSS has specific guidelines and methodology for implementing a security architecture.

NIST has standards and guidelines for implementing good infosec programs.

In all cases, you reader an cobble something together on their own, download templates off the web or hire an expert.

Strangely enough, same things happens in law.
- Read Nolo press
- Buy or download forms and templates (wills maker, anyone?)
- Hire an attorney.

Same rules apply here — if your practice is small, and the revenues at stake are small, you can apply one-size-fits-all guidelines. (e.g. download a wills template off the net, fill it out, give it to your heirs. Never mind that your template was from California, you live in New York and the inheritance laws are just a wee bit difference).

If your practice is larger, then retaining an expert to advise/vet your approach is recommended. (e.g. write your own contract, or borrow someone else's, read it carefully, and have a good attorney review it for you).

If the revenues at stake are large enough (and only you can define what large enough means to you – though $3M is a good place to start at), then it's strongly recommended that you retain a security professional to understand the business requiements, and implement a solution that is cost-effective and scalable.

For example, the guidelines above do not address State Privacy Breach laws, which vary from state to state, or address intra-state clients. The FTC has taken a lead on consumer privacy issues and for firms with clients in multiple states, paying attention to FTC guidelines is a good idea.

Hope this discussion keeps up.
-mike.