I’ve been a loyal Dropbox user for quite a while, and until recently I had no reason to end the love fest. That is, until the most popular off-site backup company in the world let slip that its employees had access to our precious data. The situation was compounded a few weeks later when Dropbox admitted that a software update of its own design had opened a four-hour window in which any username and password combination would grant access to your data. It was a PR nightmare. Many folks, me included, jumped ship to competitors. It was a mistake.
After trying the competition out for the last few weeks, I have learned why Dropbox is king. For one thing, it is by far the easiest platform to use. In fact, anyone who has ever created a new folder in Windows and then moved a file into it already understands how Dropbox works. Want to work on a file at the office and pick it up later at home on your iPad? Dropbox automatically syncs the file among all devices that have the program installed. The competition just doesn’t get it. SpiderOak wants you to select which files to sync. Same with SugarSync.
Another area where Dropbox has no equal is platform integration. Dropbox plays well on iOS, Mac, Windows, and Android devices. Even better, nearly every app that wants to save a file on your device now offers the option to “Open in Dropbox.” GoodReader for iOS loves Dropbox. It doesn’t even support SpiderOak. You can even open email attachments in Dropbox for storage. Kismet.
After wasting these past weeks trying to make the competitors play as well with my iOS devices as Dropbox does, I gave up and called the Bar ethics committee. My question? After the recent events, is it still ethical to use Dropbox for off-site storage of client files? In talking to general counsel for the ethics committee, I was quickly informed that the Alabama State Bar has already addressed the situation. In ETHICS OPINION 2010‐02, entitled “Retention, Storage, Ownership, Production and Destruction of Client Files,” I learned that:
A lawyer may also choose to store or “back‐up” client files via a third‐party provider or internet‐based server, provided that the lawyer exercises reasonable care in doing so. These third‐party or internet‐based servers may include what is commonly referred to as “cloud computing.”
The opinion goes on to say that there are many benefits to storing information in the cloud, but what is the definition of “reasonable care”?
The duty of reasonable care requires the lawyer to become knowledgeable about how the provider will handle the storage and security of the data being stored and to reasonably ensure that the provider will abide by a confidentiality agreement in handling the data. Additionally, because technology is constantly evolving, the lawyer will have a continuing duty to stay abreast of appropriate security safeguards that should be employed by the lawyer and the third‐party provider. If there is a breach of confidentiality, the focus of any inquiry will be whether the lawyer acted reasonably in selecting the method of storage and/or the third party provider.
After the revelation that Dropbox could access our data, the company felt compelled to clarify its Terms of Service. While little changed, it did finally explain that our data is encrypted on Dropbox’s servers and that, hypothetically, an employee could abuse his privileges and access our data using the company’s encryption key. That sounds bad, but how is that different from an untrustworthy employee in our own office poking around in client files? Our state bar can’t see the difference either.
If you want to store files in the cloud, you need to read and understand the terms of service of the prospective storage company. Thankfully, Dropbox has rewritten its TOS to make it easy to comprehend. After getting familiar with the TOS of your prospective storage choice, you need to decide whether the company will take reasonable precautions to secure your data. While no data is untouchable, Dropbox has struck a good balance between security and functionality. It uses industry-standard encryption methods while providing ease of use to consumers. Need an extreme example of a lack of balance? SpiderOak boasts a “zero knowledge” policy: your data encryption key is your username, which it doesn’t store on its servers. You hold your key. If you ever forget that username, SpiderOak can’t reset it, and your data is forever locked on a server where not even SpiderOak can access it! As for me, I’ll let Dropbox hold onto my encryption key.
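To make the difference between the two key-custody models concrete, here is an added Python example (not Dropbox’s or SpiderOak’s code): in the provider-held model the service keeps a key it can use to read or recover your files, while in the zero-knowledge model the key is derived from a secret only you know, so the provider stores nothing but salt and ciphertext and a forgotten secret means the data is gone. The cipher is a constructed HMAC-SHA256 counter-mode stream with an authentication tag, used only so the example runs on the standard library; the provider key and the stored memo are constructed sample values.

```python
import hashlib
import hmac
import secrets

def derive_key(secret: str, salt: bytes) -> bytes:
    """Stretch a user-chosen secret into a key (the zero-knowledge model)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative stream cipher: HMAC-SHA256 over nonce||counter, not a vetted cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # detects wrong key/tampering
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or altered file: refuse rather than return garbage
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

# Model 1: provider-held key (constructed). The provider can read the data and can
# recover it for a user who forgets a password; so can an insider who obtains the key.
PROVIDER_KEY = secrets.token_bytes(32)

def provider_store(plaintext: bytes) -> bytes:
    return encrypt(PROVIDER_KEY, plaintext)

def provider_read(blob: bytes):
    return decrypt(PROVIDER_KEY, blob)

# Model 2: zero-knowledge. The provider keeps only salt + ciphertext; without the
# user's secret there is nothing to reset and nothing to read.
def zk_store(secret: str, plaintext: bytes) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "blob": encrypt(derive_key(secret, salt), plaintext)}

def zk_read(record: dict, secret: str):
    return decrypt(derive_key(secret, record["salt"]), record["blob"])
```

Running `zk_read` with a forgotten or mistyped secret returns `None`, which is exactly the lockout the author describes; the provider-held model has no such failure mode because the key never left the provider.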
At the end of the day, the threat of our client data being accessed is just as real in our office, where employees, thieves, and fire exist, as in cyberspace, where an unruly Dropbox employee or hacker resides. You must ask yourself whether the benefits of easy access to files on the go, collaboration on documents with colleagues, and the security of knowing your data doesn’t live only in your brick-and-mortar office outweigh the potential threats of cyberspace. In my opinion, the juice is worth the squeeze. Dropbox, Daddy’s home.