Use of Dropbox by Lawyers is Risky Business—Ethical Issue

Over the past month, there has been much discussion regarding possible vulnerablities in Dropbox security that might make the service unsuitable for use by attorneys and others required to protect the confidentiality of data.  Reportedly, these issues have been addressed by a software fix.  See  http://hytechlawyer.com/?p=339   However, for lawyers a more fundamental inquiry is required.  Daily, we use the internet, email, telephone, cloud document repositories, copy services, etc., to process, repackage, transfer and/or store data and client files.  We do this confident in the fact that the third parties to whom we have entrusted this data have, by legal agreement, bound themselves to maintain the confidentiality of the data entrusted to them in a manner sufficient to meet our ethical obligations to protect client confidences.    Those of us in large firms have traditionally relied upon our IT professionals, technology committee members, ethics committee, and/or the firm general counsel to ensure that the agreements with our vendors contained adequate provisions for the protection of confidential data.

The IT world has changed.  We are now in a new age of mobile devices such as the tablet computer (iPad, Xoom, Tab, Playbook, etc.) and the smartphone, which promise not only  significant advantages in efficiency and mobility, but also massive security headaches.   The reality is that many lawyers are using these devices for both work and personal use, with little thought being given to security issues.  Applications abound to make these mobile devices more functional for legal work and more fun for personal use.   Typically, these applications are downloaded and used by the individual lawyer, with no oversight or due diligence by those responsible for the firm’s IT security.  New applications are introduced every day, making it impossible for overworked IT departments to vet applications, much less create an approved list.  The popular file transfer and storage program/site Dropbox (over 25 million users) is just one of many examples of useful applications that pose fundamental security concerns for lawyers. 

Previously, I recommended Dropbox as a “must have” application for the iPad lawyer, because it provided a means of easy data transfer from a desktop to the iPad or other mobile device.   In my first post on the subject, I examined Dropbox’s representations as to its security policy.  http://hytechlawyer.com/?p=49  Dropbox formerly represented that data uploaded to its site was encrypted in such a manner that even Dropbox personnel could not decrypt the data.  In other words, nobody had access to the uploaded data.  In April, however,  Dropbox “dropped” the bombshell that their staff did maintain keys and could decrypt the data transmitted to Dropbox.  Further, Dropbox’s newly modified Terms of Service now allow for the disclosure of this decrypted data to third-parties for a variety of reasons beyond the traditional compulsion by legal process—for example, to protect Dropbox’s “property rights.”  Further, Dropbox disclaims all responsibility for maintaining the confidentiality of user data and urges those concerned about security to separately encrypt any data uploaded.

Pertinent parts of the Dropbox Terms of Service, Privacy Policy and Security Policy are set forth below with links and comments:

 

FROM THE DROP BOX TERMS OF SERVICE

https://www.dropbox.com/terms

“Your Responsibilities

You acknowledge and agree that you should not rely on the Site, Content, Files and Services for any reason. You further acknowledge and agree that you are solely responsible for maintaining and protecting all data and information that is stored, retrieved or otherwise processed by the Site, Content, Files or Services. Without limiting the foregoing, you will be responsible for all costs and expenses that you or others may incur with respect to backing up, and restoring and/or recreating any data and information that is lost or corrupted as a result of your use of the Site, Content, Files and/or Services.”

[Comment—If you cannot rely upon Dropbox to protect the confidentiality of your client's data is it reasonable to entrust this data to Dropbox]

Account Security 

You are responsible for safeguarding the password that you use to access the Site, Content, Files and Services. You agree not to disclose your password to any third party. You agree to take sole responsibility for any activities or actions under your password, whether or not you have authorized such activities or actions. You will immediately notify Dropbox of any unauthorized use of your password. You acknowledge that if you wish to protect your transmission of data and/or files to Dropbox, it is your responsibility to use a secure encrypted connection to communicate with and/or utilize the Site, Files and Services.”

 [Comment:  The takeaway here is that unless the lawyer encrypts his or her data before placing it in Dropbox, the company provides no assurance that the date will be maintained as confidential] 

Use of the Site at Your Own Risk

Your access to and use of the Site, Content, Files and Services and is at your own risk. Dropbox will have no responsibility for any harm to your computer system, loss or corruption of data, or other harm that results from your access to or use of the Site, Content, Files or Services. ”

[Comment—  not much comfort here]

Limitation of Liability

IN NO EVENT WILL DROPBOX BE LIABLE TO YOU OR TO ANY THIRD PARTY FOR DAMAGES OF ANY KIND, INCLUDING, WITHOUT LIMITATION, DIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF USE, DATA, BUSINESS OR PROFITS) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, OR FROM YOUR ACCESS TO OR USE OF, OR INABILITY TO ACCESS OR USE, THE SITE, CONTENT, FILES AND/OR SERVICES, OR FOR ANY ERROR OR DEFECT IN THE SITE, CONTENT, FILES OR SERVICES, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, OR ANY OTHER LEGAL THEORY, WHETHER OR NOT DROPBOX HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGE, EVEN IF A REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. YOU SPECIFICALLY ACKNOWLEDGE THAT DROPBOX IS NOT LIABLE FOR THE DEFAMATORY, OFFENSIVE OR ILLEGAL CONDUCT OF OTHER USERS OR THIRD PARTIES AND THAT THE RISK OF INJURY FROM THE FOREGOING RESTS ENTIRELY WITH YOU. FURTHER, DROPBOX WILL HAVE NO LIABILITY TO YOU OR TO ANY THIRD PARTY FOR ANY THIRD PARTY CONTENT UPLOADED ONTO OR DOWNLOADED FROM THE SITE OR THROUGH THE SERVICES AND/OR THE FILES, OR IF YOUR DATA IS LOST, CORRUPTED OR EXPOSED TO UNINTENDED THIRD PARTIES.”

[Comment:  Dropbox users waive all liability related to access of data by unitneded third-parties.]

FROM THE DROPBOX PRIVACY POLICY 

https://www.dropbox.com/terms#privacy

Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights.

We may disclose to parties outside Dropbox  files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.”

[Comment:  "To protect Dropbox's property rights."   What does that mean?  In my opinion this is a loophole big enough to drive a truck through, i.e., Dropbox reserves the right to disclose confidential data to third-parties pretty much whenever it determines that it is in Dropbox's best interest to do so.].

FROM THE DROPBOX SECURITY POLICY: 

https://www.dropbox.com/terms#security

“Privacy

A copy of our full privacy policy can be found at: https://www.dropbox.com/privacy

We understand and guard your privacy to the best of our ability. We do our utmost to protect your information from unauthorized access.

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.”

[Comment:  This is more like the language I want to see in a third-party agreement.  However, when read in conjunction with the Terms of Service and Privacy Policy, it provides cold comfort that confidential client data will be adequately protected.]

Compliance with Laws and Law Enforcement

As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.”

[Comment:  Dropbox has indicated that while it will remove its own encryption when producing data for law enforcement, it will not remove encryption installed by the user.  Lesson—If you are going to use Dropbox, encrypt your data]

How to Add Your Own Layer of Encryption to Dropbox

Dropbox does not discriminate between the types of files stored in your Dropbox nor the applications used to open those files. This means you can use your own software encryption methods, such as third-party encryption software, to keep your files secure on your terms.”

[Comment:  Dropbox encourages the use of additional encryption. 

CONCLUSIONS

Dropbox has two main functions: (1) the transfer of data/files between device and computers and (2) the storage of data.  If Dropbox is used only to transfer files between devices, and the file once transferred is promptly deleted from Dropbox, the risk to client confidentiality would appear to be small, but nonetheless present.  However, if Dropbox is used as a storage location for client files, then unless the files are separately encrypted, the Terms of Service and related policies of Dropbox do not provide adequate assurances of confidentially to give this lawyer confidence that they pass ethical muster.


Comments

Use of Dropbox by Lawyers is Risky Business—Ethical Issue — 11 Comments

  1. Pingback: SpiderOak Appears to be More Secure Alternative to DropBox for Lawyers | The Hytech Lawyer

  2. Pingback: More DropBox Security Issues- Lawyers Beware | The Hytech Lawyer

  3. This concern, centered around privilege and confidentiality, is not unique to attorneys. We and others, whether CPAs, healthcare and mental health professionals, or any other licensed/regulated professional, must be thinking carefully and critically about this issue. Pre-transmittal encryption, with keys held by the data owner rather than the vendor, is clearly a best practice, but it does tend to defeat a substantial portion of the convenience of Dropbox for the mobile professional (esp. tablet users). Each person must look to his or her state statutes, and those of the states in which their clients/patients may reside, to parse the applicability/enforceability of the relevant data protection and confidentiality rules. Much of the convenience is necessarily thwarted by these increasingly common statutes (federal will be coming sooner than later) and all of these services will either amend their code to comply the the least common denominator of security or perish; hopefully, before users pay too high a price. This is more than a caveat emptor situation and is more akin to a call for a Miranda-like footer: anything you store, however temporarily, may be used against you, your client, your practice, and anyone else we can identify. Because forensic accountants such as me and digital examiners may come calling. Worse, digital perpetrators/black hat hackers may be lurking too.

  4. Pingback: Backup, synch, lost laptops and security « Paperless Chambers

    • SpiderOak is encrypted with the key on your computer (zero knowledge). If others access your data, it will be encrypted. In my opinion, this is secure enough, and much more secure than DropBox.

  5. How is this any different than having a cleaning crew come in your office if you don’t have every file locked in a filing cabinet?

    How is it any different than the off-site storage for my paper files that has multiple keys to every storage unit?

    There’s no such thing as 100% confidentiality. The real question is whether Dropbox provides a *reasonable* expectation of confidentiality.

    • That may be true- however, SpiderOak’s encryption is integrated. I have not investigated the add-on encryption services, so I cannot speak as to their capabilities.

  6. My concern with Dropbox and similar services concerns whether I have ‘imputed knowledge’ of what’s been posted. I’m frequently getting notes that such-and-such has been added to Dropbox — is that akin to me receiving a document by mail? Am I deemed to have received it and know its contents, just because it’s been posted to Dropbox? (If so, this becomes particularly difficult given that the “such-and-such has been added” note only hovers there for a moment, then disappears – if I don’t take a screen shot, how do I remember what’s changed?)

    Similarly, sometimes things are deleted from Dropbox by the other side (in fact it just happened now as I’m typing this comment!) – what does that mean for a paper trail and a track record? If I’ve reviewed an LLC agreement or a Lexis seearch the other side posted, and I have diligence concerns, but then the other side removes that document – where’s my evidence of concern? Can I even make an objection on a no-longer-available document?

    • Jeff:

      I would not use DropBox for document exchange repository with an opposing party. The absence of logging of additions, deletions, etc. is one of the many things that makes DropBox unsuitable for this purpose. I think even old fashioned email is a better choice.

      Bill

Leave a Reply

Your email address will not be published. Required fields are marked *


8 + = nine


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>