In a number of previous posts, I have written critically about Dropbox security issues and opined that the Dropbox Terms of Service (“TOS”) did not meet the minimum professional ethics requirements for the reasonable protection of confidential client communications. Now that the Dropbox has revised its TOS , a fresh look is warranted, especially given the popularity of this service with iPad users.
ABA Ethics Opinion 95-398 (10/95) noted 16 years ago that “in this era of rapidly developing technology. . . lawyers now use outside agencies for numerous functions such as accounting, data processing and storage, printing, photocopying, computer servicing, and paper disposal.” The outside service providers would be considered to be non-lawyer assistants under Model Rule 5.3 which states that lawyers have an obligation to ensure that the conduct of the non lawyer employees they employ, retain or become associated with is compatible with the professional obligations of the lawyer:
Under Rule 5.3, a lawyer retaining such an outside service provider is required to make reasonable efforts to ensure that the service provider will not make unauthorized disclosures of client information. Thus, when a lawyer considers entering into a relationship with such a service provider he must ensure that the service provider has in place, or will establish, reasonable procedures to protect the confidentiality of information to which it gains access, and moreover, that it fully understands its obligations in this regard.”
Id. (emphasis added).
Dropbox TOS Changes
The prior version of the Dropbox TOS also had the following provisions that were of concern:
You acknowledge and agree that you should not rely on the Site, Content, Files and Services for any reason. You further acknowledge and agree that you are solely responsible for maintaining and protecting all data and information that is stored, retrieved or otherwise processed by the Site, Content, Files or Services. Without limiting the foregoing, you will be responsible for all costs and expenses that you or others may incur with respect to backing up, and restoring and/or recreating any data and information that is lost or corrupted as a result of your use of the Site, Content, Files and/or Services.”
CURRENT REVISED VERSION
. . . You, and not Dropbox, are responsible for maintaining and protecting all of your stuff. Dropbox will not be liable for any loss or corruption of your stuff, or for any costs or expenses associated with backing up or restoring any of your stuff. . .
You are responsible for safeguarding the password that you use to access the Site, Content, Files and Services. You agree not to disclose your password to any third party. You agree to take sole responsibility for any activities or actions under your password, whether or not you have authorized such activities or actions. You will immediately notify Dropbox of any unauthorized use of your password. You acknowledge that if you wish to protect your transmission of data and/or files to Dropbox, it is your responsibility to use a secure encrypted connection to communicate with and/or utilize the Site, Files and Services.”
Comment: Better! However, note that Dropbox acknowledges that to protect the data being transmitted you must have a secure encrypted connection. Compare this with my previously discussed favorite SpiderOak in which the data you transmit is pre-encrypted.
“Use of the Site at Your Own Risk
Your access to and use of the Site, Content, Files and Services and is at your own risk. Dropbox will have no responsibility for any harm to your computer system, loss or corruption of data, or other harm that results from your access to or use of the Site, Content, Files or Services. ”
“Limitation of Liability
IN NO EVENT WILL DROPBOX BE LIABLE TO YOU OR TO ANY THIRD PARTY FOR DAMAGES OF ANY KIND, INCLUDING, WITHOUT LIMITATION, DIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF USE, DATA, BUSINESS OR PROFITS) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, OR FROM YOUR ACCESS TO OR USE OF, OR INABILITY TO ACCESS OR USE, THE SITE, CONTENT, FILES AND/OR SERVICES, OR FOR ANY ERROR OR DEFECT IN THE SITE, CONTENT, FILES OR SERVICES, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, OR ANY OTHER LEGAL THEORY, WHETHER OR NOT DROPBOX HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGE, EVEN IF A REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. YOU SPECIFICALLY ACKNOWLEDGE THAT DROPBOX IS NOT LIABLE FOR THE DEFAMATORY, OFFENSIVE OR ILLEGAL CONDUCT OF OTHER USERS OR THIRD PARTIES AND THAT THE RISK OF INJURY FROM THE FOREGOING RESTS ENTIRELY WITH YOU. FURTHER, DROPBOX WILL HAVE NO LIABILITY TO YOU OR TO ANY THIRD PARTY FOR ANY THIRD PARTY CONTENT UPLOADED ONTO OR DOWNLOADED FROM THE SITE OR THROUGH THE SERVICES AND/OR THE FILES, OR IF YOUR DATA IS LOST, CORRUPTED OR EXPOSED TO UNINTENDED THIRD PARTIES.”
Dropbox is Available “AS-IS”
Though we want to provide a great service, there are certain things about the service we can’t promise. For example, THE SERVICES AND SOFTWARE ARE PROVIDED “AS IS”, AT YOUR OWN RISK, WITHOUT EXPRESS OR IMPLIED WARRANTY OR CONDITION OF ANY KIND. WE ALSO DISCLAIM ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. (We are not shouting- it’s just that these disclaimers are really important, so we want to highlight them). Dropbox will have no responsibility for any harm to your computer system, loss or corruption of data, or other harm that results from your access to or use of the Services or Software. Some states do not allow the types of disclaimers in this paragraph, so they may not apply to you.
Limitation of Liability
TO THE FULLEST EXTENT PERMITTED BY LAW, IN NO EVENT WILL DROPBOX, ITS AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, SUPPLIERS OR LICENSORS BE LIABLE FOR (A) ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL (INCLUDING LOSS OF USE, DATA, BUSINESS, OR PROFITS) DAMAGES, REGARDLESS OF LEGAL THEORY, WHETHER OR NOT DROPBOX HAS BEEN WARNED OF THE POSSIBILITY OF SUCH DAMAGES, AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE; (B) AGGREGATE LIABILITY FOR ALL CLAIMS RELATING TO THE SERVICES MORE THAN THE GREATER OF $20 OR THE AMOUNTS PAID BY YOU TO DROPBOX FOR THE PAST THREE MONTHS OF THE SERVICES IN QUESTION. Some states do not allow the types of limitations in this paragraph, so they may not apply to you.
Comment: Much shorter and removes the specific “unintended disclosure to third parties” exception. However, still states that use of the service is at YOUR OWN RISK and attempts to severely limit liability. These provisions are fairly common and may or may not be effective depending upon your jurisdiction.
NEW POLICY PROVISIONS
“Your Stuff & Your Privacy
By using our Services you provide us with information, files, and folders that you submit to Dropbox (together, “your stuff”). You retain full ownership to your stuff. We don’t claim any ownership to any of it. These Terms do not grant us any rights to your stuff or intellectual property except for the limited rights that are needed to run the Services, as explained below.
We may need your permission to do things you ask us to do with your stuff, for example, hosting your files, or sharing them at your direction. This includes product features visible to you, for example, image thumbnails or document previews. It also includes design choices we make to technically administer our Services, for example, how we redundantly backup data to keep it safe. You give us the permissions we need to do those things solely to provide the Services. This permission also extends to trusted third parties we work with to provide the Services, for example Amazon, which provides our storage space (again, only to provide the Services).
You are responsible for safeguarding the password that you use to access the Services and you agree not to disclose your password to any third party. You are responsible for any activity using your account, whether or not you authorized that activity. You should immediately notify Dropbox of any unauthorized use of your account. You acknowledge that if you wish to protect your transmission of data or files to Dropbox, it is your responsibility to use a secure encrypted connection to communicate with the Services. . .”
Comment: Use of services still at you own risk but nice affirmative statement about protecting customers data. Another reminder that unencrypted data is not secure in transmission.
“3. Information Sharing and Disclosure
. . . Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox. . . . ”
Comment: This section remains unchanged from the previous version. Once again you must encrypt your data yourself to protect it from disclosure from law enforcement (not a particular concern of mine). Compare SpiderOak where the encryption cannot be removed by the service provider because they do not have a key.
Bill—a/k/a The Hytechlawyer