Alabama Ethics and Dropbox

dropbox iphone app logo Alabama Ethics and Dropbox

smalllaw 450 300x110 Alabama Ethics and DropboxThis article won the SmallLaw Pick of the Week. SmallLaw is a free weekly email newsletter that provides helpful information for those who manage and work in small law firms.

I’ve been a loyal Dropbox user for quite a while, and until recently I had no reason to end the love fest. That is until the most popular off-site backup company in the world let slip that their employees had access to our precious data. What compounded the situation occurred a few weeks later when Dropbox admitted that a software update of their design allowed a four-hour window in which any username and password combo would grant access to your data. It was a PR nightmare. Many folks, me included, jumped ship to other competitors. It was a mistake.

After trying the competition out for the last few weeks I have learned why Dropbox is king. For one thing it is by far the easiest platform to utilize. In fact, anyone who has ever created a new folder in windows and subsequently moved a file into it already understands how Dropbox works. Want to work on a file at the office and pick it up later at home on your iPad? Dropbox automatically syncs the file among all devices that have the program installed. The competition just doesn’t get it. Spideroak wants you to select which files to sync. Same with Sugarsync.

Another area where Dropbox has no equal is in platform integration. Dropbox plays well on iOS, Mac, Windows, or Android devices. Even better is nearly every app that wants to save a file on your device now has the option to “open in dropbox.” Goodreader for iOS loves Dropbox. It doesn’t even support Spideroak. You can even open email attachments in Dropbox for storage. Kismet.

After wasting these past weeks trying to make the competitors play as well with my iOS devices as Dropbox, I gave up and called the Bar ethics committee. My question? After the events of late is it still ethical to use Dropbox for our offsite storage of client files? In talking to general counsel for the ethics committee I was quickly informed that the Alabama State Bar has already addressed the situation. In ETHICS OPINION 2010‐02 entitled “Retention, Storage, Ownership, Production and Destruction of Client Files” I learned that:

A lawyer may also choose to store or “back‐up” client files via a third‐party provider or internet‐based server, provided that the lawyer exercises reasonable care in doing so. These third‐party or internet‐based servers may include what is commonly referred to as “cloud computing.”

The article goes on to say that there exist many benefits to storing information in the cloud, but what is the definition of “reasonable care?”

The duty of reasonable care requires the lawyer to become knowledgeable about how the provider will handle the storage and security of the data being stored and to reasonably ensure that the provider will abide by a confidentiality agreement in handling the data. Additionally, because technology is constantly evolving, the lawyer will have a continuing duty to stay abreast of appropriate security safeguards that should be employed by the lawyer and the third‐party provider. If there is a breach of confidentiality, the focus of any inquiry will be whether the lawyer acted reasonably in selecting the method of storage and/or the third party provider.

After the release that Dropbox can access our data the company felt compelled to clarify their Terms of Service. While little changed it did finally explain that our data is encrypted on Dropbox’ server end, and that hypothetically an employee could abuse his privilege and access our data by way of their encryption key. That sounds bad, but how is that different than an untrustworthy employee in our own office poking around in client files? Our state bar can’t see the difference either.

If you want to store files in the cloud you need to read and understand the terms of service of the potential storage company. Thankfully Dropbox has rewritten their TOS to make it easy to comprehend. After getting familiar with the TOS of your potential storage choice, you need to decide if they will take reasonable precautions to secure your data. While no data is untouchable, Dropbox has struck a good balance between security and functionality. They use industry standard encryption methods while providing ease of use to consumers. Need an extreme example of a lack of balance? Spideroak boasts that they have a “zero knowledge” policy that states that your data encryption key is your username which they don’t store on their servers. You hold your key. If you ever forget that username Spideroak can’t reset it and your data is forever locked in a server where not even Spideroak can access it! As for me I’ll let Dropbox hold onto my encryption key.

At the end of the day the threat of our client data being accessed is just as real in our office where employees, thieves, and fire exists, as in cyberspace where an unruly Dropbox employee or hacker resides. You must ask yourself do the benefits of ease of access to files on the go, collaboration on documents with colleagues, or the security in knowing your data doesn’t live in your brick and mortar office outweigh the potential threats of cyberspace? In my opinion the juice is worth the squeeze. Dropbox, Daddy’s home.

  • Chad

    For me, I have found Sugarsync to be a better user experience.

    • Thesoulpractitioner

      I tried Sugarsync. I really wanted to like it, but it didn’t make sense that not every file would auto sync. Only those that were placed in the “Magic Briefcase”.

  • Bruce

    If banks didn’t expose customer data and credit cards never had to be reissued wouldn’t we all be happier. I think Drobbox does a fine job. They have taken steps to tighten up security — just as the banks do once there is a breach. We all strive to do better and the leap-frog game of computer data security will always be a concern.

  • Kevin Maloney

    I use Trend Micro Safe Sync for all confidential files, and Dropbox for everything else. I also like the new BoxCrypter add on for Dropbox.

  • Pingback: Discontinue Dropbox? « Tech Blog – Technically Speaking…

  • Ben M. Schorr

    The difference between Dropbox and one of our own employees poking around in client files is that we hired the employee. We know who they are. We can interview them, monitor them, conduct our own bit of voir dire you might say. Anybody the least bit suspicious you can choose not to hire. Anybody who acts inappropriately you can choose to dismiss.

    With our own files in our own offices (physical or digital) we control the keys. We can (and in some cases should) lock them away from eyes that don’t need to see them and don’t give the keys to non-essential personnel.

    With Dropbox you don’t have the slightest idea who or where their employees are. We have no control over the keys – anonymous Dropbox staffers (and occasionally, accidentally, the entire world) have the keys to all of our files (at least the ones you choose to upload).

    For some files, that’s fine. We all have files that we don’t especially care if outsiders can see. I have files that I don’t mind uploading to Dropbox. But for other files, I simply won’t do it. Medical records, financial/banking records, other sensitive/confidential documents…I don’t think it’s responsible to put those in a banker’s box and store them on the floor in the hallway.

  • Ehren

    Thanks for your great post on Dropbox. We use the corporate/teams version and find it to be fantastic. People who nit-pick on the terms of service fail to put them in the context of the alternatives i.e., an attorney trying to maintain her/his own security on a server. On balance, it’s a great service.

  • eddiedavidson

    great post!