3000AD Knowledge Base

When and Why PDF Documents Must Be Password-Protected

OVERVIEW:

Applies to: PDF-EXPLODE users sending invoices, payroll, tax, or medical documents by email.

PDF-EXPLODE enables automated email delivery of PDF documents.

While many business documents (such as invoices) can be sent openly, documents containing personal, financial, or medical information must be secured.

In most jurisdictions, emailing unprotected sensitive documents is considered a data breach, even if they are sent to the correct recipient.

 

This article explains: 

  • Which document types require passwords

  • Why password protection is legally required

  • The applicable U.S. and European (GDPR) regulations

  • Best-practice password methods

 


DETAILS:

What Is Considered “Sensitive Data”?

Sensitive data includes any information that can identify a person or expose private details, such as:

  • Date of birth

  • Government ID numbers (SSN, National ID)

  • Tax information

  • Payroll and income data

  • Medical or health information

  • Patient or employee identifiers

 

When such data is present, password protection is mandatory.


Document Types and Password Requirements

Document Type | Password Required | U.S. Legislation | European (GDPR) Basis
Invoices (B2B / B2C) | ❌ No | Not regulated | Generally not personal data
Account Statements (non-personal) | ❌ No | Not regulated | Not personal data
Payslips / Pay Stubs | ✅ Yes | IRS, FTC Safeguards Rule | GDPR Art. 32 (Security of Processing)
W-2 / 1099 Tax Forms | ✅ Yes | IRS Publication 1075 | GDPR Art. 32
Payroll Reports | ✅ Yes | FTC Safeguards Rule | GDPR Art. 5 & 32
Medical Reports | ✅ Yes | HIPAA | GDPR Art. 9 (Special Category Data)
Patient Results / Referrals | ✅ Yes | HIPAA | GDPR Art. 9
HR Records | ✅ Yes | State Privacy Laws | GDPR Art. 32
Any document with DOB or ID numbers | ✅ Yes | FTC / State Laws | GDPR Art. 32

 


U.S. Legal Requirements (Summary)

In the United States, unprotected transmission of sensitive documents may violate:

  • HIPAA – Medical and patient data

  • IRS Safeguards (Pub 1075) – Tax documents

  • FTC Safeguards Rule – Payroll and employee data

  • State privacy breach laws

Sending sensitive PDFs without encryption or password protection can trigger:

  • Mandatory breach notifications

  • Financial penalties

  • Civil liability 


European GDPR Requirements (Summary)

Under GDPR, organizations must:

  • Protect personal data against unauthorized access

  • Apply “appropriate technical measures” (Article 32)

  • Apply higher protection to medical and health data (Article 9) 

Emailing a PDF containing personal data without protection may be considered:  

  • A failure of security controls

  • A reportable data breach

  • Grounds for regulatory fines

GDPR does not require passwords to be sent separately; it requires that the data is protected in transit.


Recommended Password Method (Best Practice)

The safest and most widely accepted approach is:

  Passwords are generated from information already known to the recipient.

 

Examples:  

  • Date of Birth (DDMMYYYY or MMDDYYYY)

  • Family name + DOB

  • First name + last 4 digits of ID number

  • Patient ID (partial) + DOB

 

Why This Works  

  • No password is transmitted

  • No password storage required

  • No pre-advice necessary

  • Compliant with U.S. and GDPR requirements, and with those of most Western countries, including Australia, the UK, Canada and New Zealand
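As an added illustration (not PDF-eXPLODE's own code; the rule names, the Recipient fields and the sample records are assumptions), the following Python models the method above: each document type maps to a password rule built only from recipient-known data, and delivery fails closed when that data is missing or the document type is unclassified. The returned password is the kind of value that would be supplied as a data variable for the PDF-eXPLODE Tag.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed policy table mirroring the document-type table above:
# document type -> password rule, or None where no password is required.
# Rule names are hypothetical; every rule uses only data the recipient already
# knows, so no password is emailed, pre-advised or stored.
PASSWORD_POLICY = {
    "invoice": None,
    "account_statement": None,
    "payslip": "surname_dob",            # Family name + DOB
    "w2_1099": "surname_dob",
    "payroll_report": "surname_dob",
    "medical_report": "patient_id_dob",  # Patient ID (partial) + DOB
    "patient_result": "patient_id_dob",
    "hr_record": "firstname_id4",        # First name + last 4 digits of ID number
}

@dataclass
class Recipient:
    """Assumed fields from the payroll/HR/patient record that drives the merge."""
    first_name: str
    surname: str
    dob: Optional[date] = None
    id_number: Optional[str] = None   # government ID (SSN, national ID)
    patient_id: Optional[str] = None

class MissingRecipientData(ValueError):
    """A required password component is absent: the document must not be sent open."""

def _text(value: Optional[str], field: str) -> str:
    # Normalise case and whitespace so the rule is consistent however the name was keyed.
    if not value or not value.strip():
        raise MissingRecipientData(field)
    return "".join(value.split()).upper()

def _dob(r: Recipient) -> str:
    if r.dob is None:
        raise MissingRecipientData("dob")
    return r.dob.strftime("%d%m%Y")   # DDMMYYYY, the first example format above

def derive_password(doc_type: str, r: Recipient) -> Optional[str]:
    """Per-recipient password for doc_type, or None when the type needs no password."""
    rule = PASSWORD_POLICY[doc_type]  # unknown type raises KeyError: unclassified = blocked
    if rule is None:
        return None
    if rule == "surname_dob":
        return _text(r.surname, "surname") + _dob(r)
    if rule == "patient_id_dob":
        return _text(r.patient_id, "patient_id")[-4:] + _dob(r)
    digits = "".join(ch for ch in _text(r.id_number, "id_number") if ch.isdigit())
    return _text(r.first_name, "first_name") + digits[-4:]

def delivery_decision(doc_type: str, r: Recipient) -> Tuple[bool, Optional[str]]:
    """(send?, password). Fails closed: missing data or an unclassified type blocks delivery."""
    try:
        return True, derive_password(doc_type, r)
    except (KeyError, MissingRecipientData):
        return False, None
```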


Important Do's and Don'ts

✅ Do

  • Automatically apply passwords based on document type

  • Use recipient-known information

  • Use consistent rules across all documents

 

❌ Don't

  • Email passwords

  • Reuse a single password for multiple recipients

  • Leave password protection to user discretion

  • Send medical or payroll documents unprotected


How PDF-eXPLODE Supports Compliance

PDF-eXPLODE allows password protection to be:

  • Automatically applied by document type, using data variables inserted into the PDF-eXPLODE Tag

  • Generated per recipient

  • Applied by the PDF-eXPLODE process itself, without operator decision or intervention

This ensures:

  • Consistent compliance

  • Reduced human error

  • Audit-ready delivery processes

 
