Over the past month, there has been much discussion regarding possible vulnerabilities in Dropbox security that might make the service unsuitable for use by attorneys and others required to protect the confidentiality of data. Reportedly, these issues have been addressed by a software fix (see http://hytechlawyer.com/?p=339). However, for lawyers a more fundamental inquiry is required. Daily, we use the internet, email, telephone, cloud document repositories, copy services, etc., to process, repackage, transfer and/or store data and client files. We do this confident in the fact that the third parties to whom we have entrusted this data have, by legal agreement, bound themselves to maintain the confidentiality of the data entrusted to them in a manner sufficient to meet our ethical obligations to protect client confidences. Those of us in large firms have traditionally relied upon our IT professionals, technology committee members, ethics committee, and/or the firm general counsel to ensure that the agreements with our vendors contained adequate provisions for the protection of confidential data.
The IT world has changed. We are now in a new age of mobile devices such as the tablet computer (iPad, Xoom, Tab, Playbook, etc.) and the smartphone, which promise not only significant advantages in efficiency and mobility, but also massive security headaches. The reality is that many lawyers are using these devices for both work and personal use, with little thought being given to security issues. Applications abound to make these mobile devices more functional for legal work and more fun for personal use. Typically, these applications are downloaded and used by the individual lawyer, with no oversight or due diligence by those responsible for the firm’s IT security. New applications are introduced every day, making it impossible for overworked IT departments to vet applications, much less create an approved list. The popular file transfer and storage program/site Dropbox (over 25 million users) is just one of many examples of useful applications that pose fundamental security concerns for lawyers.
Previously, I recommended Dropbox as a “must have” application for the iPad lawyer, because it provided a means of easy data transfer from a desktop to the iPad or other mobile device. In my first post on the subject, I examined Dropbox’s representations as to its security policy. http://hytechlawyer.com/?p=49 Dropbox formerly represented that data uploaded to its site was encrypted in such a manner that even Dropbox personnel could not decrypt the data. In other words, nobody had access to the uploaded data. In April, however, Dropbox “dropped” the bombshell that their staff did maintain keys and could decrypt the data transmitted to Dropbox. Further, Dropbox’s newly modified Terms of Service now allow for the disclosure of this decrypted data to third-parties for a variety of reasons beyond the traditional compulsion by legal process—for example, to protect Dropbox’s “property rights.” Further, Dropbox disclaims all responsibility for maintaining the confidentiality of user data and urges those concerned about security to separately encrypt any data uploaded.
FROM THE DROPBOX TERMS OF SERVICE
“You acknowledge and agree that you should not rely on the Site, Content, Files and Services for any reason. You further acknowledge and agree that you are solely responsible for maintaining and protecting all data and information that is stored, retrieved or otherwise processed by the Site, Content, Files or Services. Without limiting the foregoing, you will be responsible for all costs and expenses that you or others may incur with respect to backing up, and restoring and/or recreating any data and information that is lost or corrupted as a result of your use of the Site, Content, Files and/or Services.”
[Comment: If you cannot rely upon Dropbox to protect the confidentiality of your client’s data, is it reasonable to entrust this data to Dropbox?]
“You are responsible for safeguarding the password that you use to access the Site, Content, Files and Services. You agree not to disclose your password to any third party. You agree to take sole responsibility for any activities or actions under your password, whether or not you have authorized such activities or actions. You will immediately notify Dropbox of any unauthorized use of your password. You acknowledge that if you wish to protect your transmission of data and/or files to Dropbox, it is your responsibility to use a secure encrypted connection to communicate with and/or utilize the Site, Files and Services.”
[Comment: The takeaway here is that unless the lawyer encrypts his or her data before placing it in Dropbox, the company provides no assurance that the data will be maintained as confidential.]
“Use of the Site at Your Own Risk
Your access to and use of the Site, Content, Files and Services is at your own risk. Dropbox will have no responsibility for any harm to your computer system, loss or corruption of data, or other harm that results from your access to or use of the Site, Content, Files or Services.”
[Comment: not much comfort here.]
“Limitation of Liability
IN NO EVENT WILL DROPBOX BE LIABLE TO YOU OR TO ANY THIRD PARTY FOR DAMAGES OF ANY KIND, INCLUDING, WITHOUT LIMITATION, DIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF USE, DATA, BUSINESS OR PROFITS) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, OR FROM YOUR ACCESS TO OR USE OF, OR INABILITY TO ACCESS OR USE, THE SITE, CONTENT, FILES AND/OR SERVICES, OR FOR ANY ERROR OR DEFECT IN THE SITE, CONTENT, FILES OR SERVICES, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, OR ANY OTHER LEGAL THEORY, WHETHER OR NOT DROPBOX HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGE, EVEN IF A REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. YOU SPECIFICALLY ACKNOWLEDGE THAT DROPBOX IS NOT LIABLE FOR THE DEFAMATORY, OFFENSIVE OR ILLEGAL CONDUCT OF OTHER USERS OR THIRD PARTIES AND THAT THE RISK OF INJURY FROM THE FOREGOING RESTS ENTIRELY WITH YOU. FURTHER, DROPBOX WILL HAVE NO LIABILITY TO YOU OR TO ANY THIRD PARTY FOR ANY THIRD PARTY CONTENT UPLOADED ONTO OR DOWNLOADED FROM THE SITE OR THROUGH THE SERVICES AND/OR THE FILES, OR IF YOUR DATA IS LOST, CORRUPTED OR EXPOSED TO UNINTENDED THIRD PARTIES.”
[Comment: Dropbox users waive all liability related to access of data by unintended third parties.]
“Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights.
We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.”
[Comment: “To protect Dropbox’s property rights.” What does that mean? In my opinion this is a loophole big enough to drive a truck through, i.e., Dropbox reserves the right to disclose confidential data to third parties pretty much whenever it determines that it is in Dropbox’s best interest to do so.]
FROM THE DROPBOX SECURITY POLICY:
“We understand and guard your privacy to the best of our ability. We do our utmost to protect your information from unauthorized access.”
“Compliance with Laws and Law Enforcement
[Comment: Dropbox has indicated that while it will remove its own encryption when producing data for law enforcement, it will not remove encryption installed by the user. Lesson: if you are going to use Dropbox, encrypt your data.]
“How to Add Your Own Layer of Encryption to Dropbox
Dropbox does not discriminate between the types of files stored in your Dropbox nor the applications used to open those files. This means you can use your own software encryption methods, such as third-party encryption software, to keep your files secure on your terms.”
[Comment: Dropbox encourages the use of additional encryption.]
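What “your own layer of encryption” looks like in practice, as an added example (this is not Dropbox’s code and not from the original post): the file is sealed with AES-256-GCM under a key that the lawyer generates and keeps outside the synced folder, and only the sealed blob is placed in Dropbox. Because Dropbox never sees the key, its staff cannot “remove Dropbox’s encryption” from these files for a third party, and any alteration of the stored blob is detected on opening rather than silently yielding corrupted text. The `DBXENC1` header, the `.enc` suffix and the directory layout are assumptions of the example, not any Dropbox convention; the file name is bound into the ciphertext as associated data so a sealed file cannot be swapped under another client’s name. Note the limit of the technique: Dropbox still sees file names, sizes and timestamps, so only the contents are protected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Hypothetical header marking a sealed file; chosen for this example only.
const magic = "DBXENC1\x00"

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. The key is the
// one thing that must never enter the synced folder: keep it in the firm's
// key store or a local file with mode 0600.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM, binding the file name as
// associated data. Output layout: magic || nonce || ciphertext || tag.
func Seal(key, plaintext []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per file
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte(magic), nonce...)
	return aead.Seal(out, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. A wrong key, a renamed file, or any modified byte of
// the blob makes it return an error instead of plaintext.
func Open(key, blob []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	hdr := len(magic) + aead.NonceSize()
	if len(blob) < hdr+aead.Overhead() || string(blob[:len(magic)]) != magic {
		return nil, errors.New("not a sealed file")
	}
	return aead.Open(nil, blob[len(magic):hdr], blob[hdr:], []byte(name))
}

func main() {
	dir, err := os.MkdirTemp("", "sealed")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: the key lives beside, not inside, the synced folder.
	synced := filepath.Join(dir, "Dropbox")
	if err := os.Mkdir(synced, 0o700); err != nil {
		panic(err)
	}
	if err := os.WriteFile(filepath.Join(dir, "memo.key"), key, 0o600); err != nil {
		panic(err)
	}
	plain := []byte("Privileged and confidential: settlement memo (constructed sample)")
	blob, err := Seal(key, plain, "memo.txt")
	if err != nil {
		panic(err)
	}
	// Only the sealed blob is written where Dropbox can see it.
	sealedPath := filepath.Join(synced, "memo.txt.enc")
	if err := os.WriteFile(sealedPath, blob, 0o600); err != nil {
		panic(err)
	}
	back, _ := os.ReadFile(sealedPath)
	got, err := Open(key, back, "memo.txt")
	fmt.Printf("sealed %d bytes; opened ok=%v; plaintext visible in synced copy=%v\n",
		len(blob), err == nil && bytes.Equal(got, plain), bytes.Contains(blob, plain))
}
```

Whatever tool is used, the properties to check are the ones the example tests for: the synced copy contains no plaintext, a second encryption of the same file produces a different blob (no nonce reuse), and opening fails outright with the wrong key, a renamed file, or a modified byte.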
Dropbox has two main functions: (1) the transfer of data/files between devices and computers and (2) the storage of data. If Dropbox is used only to transfer files between devices, and the file once transferred is promptly deleted from Dropbox, the risk to client confidentiality would appear to be small, but nonetheless present. However, if Dropbox is used as a storage location for client files, then unless the files are separately encrypted, the Terms of Service and related policies of Dropbox do not provide adequate assurances of confidentiality to give this lawyer confidence that they pass ethical muster.