To Dropbox or Not: Brief Do's and Don'ts of Secure Cloud Document Storage and Collaboration
Is Dropbox secure? Or, to be technical about it (which I prefer), is Dropbox "HIPAA, FERPA, SAS 70, ISO 9001, ISO 27001, or PCI compliant"?
In a word, and according to Dropbox itself, no. Here is the answer Dropbox gave on its website as of the date of this post:
“Dropbox complies with the U.S. – E.U. Safe Harbor Framework and the U.S. – Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland. Unfortunately, Dropbox does not currently have HIPAA, FERPA, SAS 70, ISO 9001, ISO 27001, or PCI certifications.”
Add the data privacy requirements of individual states such as Massachusetts (e.g., 201 CMR 17.00), and many cautious attorneys should decide against Dropbox. But they don't. In a room of 175 CIOs and CTOs from a wide spectrum of law firms at the recent CIO CTO Forum, held in conjunction with LegalTech in NYC this year, an informal survey found that many practicing attorneys at these firms try to use Dropbox anyway, to the openly voiced chagrin of their IT departments.
Let's face it: Dropbox is very easy to use, and that is why practicing attorneys keep using it despite their better judgment. This is especially true for solo and small-firm practitioners, who would otherwise be unable to take advantage of benefits such as low-cost offsite backup when a natural disaster renders the on-premises system unrecoverable.
The question is whether the convenience is worth the consequences.
Don’t Throw the Baby out with the Bath Water
This is not an argument for avoiding online storage altogether; that position, frankly, is nearly anachronistic. It would be prudent, however, for practicing attorneys to research the data security and data privacy requirements that apply to their practices. A good place to start is the American Bar Association's Cloud Ethics Opinions section, which lists ethics opinions by state bar. A review of these opinions shows that there is no absolute bar against an attorney using cloud storage for confidential data, but lawyers must exercise "reasonable care" in selecting and using the cloud storage.
For example, New York's ethics opinion recommends that attorneys check, and do, the following:
- The vendor must have an enforceable obligation to preserve confidentiality and security, and should notify the lawyer if served with process for client data.
- Use available technology to guard against foreseeable attempts to infiltrate data.
- Investigate vendor security practices and periodically review to be sure they remain up-to-date.
- Investigate any potential security breaches or lapses by vendor to ensure client data was not compromised.
But these guidelines differ from state to state.
Due Diligence: Steps You Can Take
The list above is not exhaustive, but it illustrates the level of due diligence practicing attorneys should exercise when evaluating a cloud storage vendor under the applicable bar ethical rules, so that they can demonstrate they have met the "reasonable care" requirement.
Although the specific inquiries depend on your jurisdiction, a simplified approach is to focus on how the cloud vendor handles security and confidentiality. Start with the vendor's terms and conditions and the representations it makes. If the vendor expressly states that it is not compliant with certain security standards, review the sensitivity and the legal compliance requirements of the data you intend to entrust to it; that review tells you whether using that vendor, Dropbox for instance, would put you in breach of those requirements. Other cloud vendors represent that they comply with many security standards, including ISO 27001, and provide security controls that customers can use to help secure electronic health records for purposes of HIPAA's security and privacy rules. Amazon is one example; its security and compliance documentation is published on its website. Note the wording, though: the vendor certifies its own infrastructure and supplies the controls, and it remains the customer's job to configure and use them correctly for the data in question.
Dropbox itself runs on the Amazon cloud, yet it lacks those certifications, in part because it does not give you the requisite controls over your data. A certification held by the underlying infrastructure provider does not carry through to a service built on top of it. There are cloud providers that do give you those controls, and that should be a differentiating factor in an attorney's investigation.
In the end, attorneys do not need to be IT experts to comply with the applicable bar ethical rules. If a cloud vendor states that it is certified under recognized third-party security standards, that is certainly a good start to your due diligence and exercise of reasonable care, and depending on your jurisdiction it may be most of it; just confirm that the certification's scope actually covers the service and the data you intend to use, since a certificate for the vendor's underlying data center says little about a product layered on top of it.