Dropbox Security | Client files in Dropbox? It's time to reconsider
Cloudy skies for Dropbox (via Wikimedia Commons)
Even a slew of recent security breaches have not deterred lawyers from enjoying the convenience of Dropbox, a cloud-based storage service. According to the American Bar Association Legal Technology Survey Report, 31% of lawyers used the cloud for work in 2013, on the rise from 21% in 2012. More specifically, a study by Clio reports that 26% of lawyers used Dropbox in 2013.
Dropbox allows users to access their files from any device as well as share files within their office without dealing with a physical server. It sounds simple and easy, but lawyers–whose business depends on keeping client files confidential–should be wary of the cloud. Dropbox, in particular, has a checkered past.
In early May 2014, BBC reported on a Dropbox security vulnerability that risked making a user’s files public when they shared the links to those files with others. Dropbox was criticized for being slow to post about the breach on their blog. This raises another concern inherent in using a cloud provider: you lose personal control over what happens to your files, so you will not find out right away if your data is compromised – you may never find out at all.
“Dropbox uses certain trusted third parties” the company says in its Privacy Policy. Who are they, and what does Dropbox use them for? one might wonder. Dropbox doesn’t specify. Dropbox employees are not mentioned in the Privacy Policy, either, although a page in the more obscure Help Center section of their site says “Dropbox employees are prohibited from viewing the content of files you store in your account.” Astute critic Michael Kassner notes that this is a modification of their former claim that “Dropbox employees aren’t able to access user files.”
On their website, Dropbox boasts “256-bit AES encryption” for the primary storage of your data, as well as secure transfer using SSL/TLS. The main threat to your data security is not primary storage, but the Dropbox capability to access files on various mobile devices. The sharing feature that makes Dropbox so convenient also opens the door to vulnerabilities, as evidenced by the shared links breach. Most Dropbox users take advantage of the service to access their files from their phones, tablets, and laptops in addition to their desktop. Particularly if these devices are not protected by encryption, Dropbox files accessed on them are vulnerable.
Whether you use Dropbox or not, it is always a good idea to encrypt your devices. Apple makes it easy, providing built-in encryption on their products – you just have to activate it. For an iPad or iPhone, it’s as simple as enabling the passcode (under Settings > General > Passcode). For added security, it’s a good idea to turn off Simple Passcode, allowing you to use a longer code with letters as well as numbers. It’s also smart to turn on Erase Data, which deletes your encryption key after ten incorrect passcode entries in a row, rendering your data inaccessible. Android phones also come with optional encryption that requires you to enter your PIN to unlock your phone. First set up a PIN, then go to Settings > Security > Encrypt phone. Encryption will take about an hour, but the security of your data will be well worth the wait.
The convenience of Dropbox may look appealing, but it is never worth putting your files at risk, especially if you work for a law firm or other company that handles confidential client information. A better solution is a file-sharing system that operates within the office network, like OpenAFS. If you’re drawn to the cloud, our favorite cloud service is Citrix ShareFile. The Citrix ShareFile Cloud for Healthcare is HIPAA-compliant, so you may legally host client personal and medical information there.
There are better alternatives out there. If you’re still using Dropbox, it’s time to make the switch.
