For anyone who hasn’t come across DropBox, the strapline on their site is as good an introduction as any: “Your stuff, anywhere.”
In (slightly) more technical terms, DropBox is a cloud-based storage service which maintains a copy of one of more folders on your computer. The clever part is that it also ensures that the local copy (on pretty much any computer, tablet and phone you may have) and on the DropBox server are automatically synchronised.
Personal use for cloud storage
I have used DropBox extensively for my personal documents for several years, increasingly so since I bought a Doxie Go scanner and started to use a paperless system for as much of my personal stuff as possible.
My personal use is pretty basic, using a folder structure to store various scanned documents in PDF for future reference. There are a couple of tips I would share though if you are using DropBox as part of a paperless system for scanned documents. Firstly, it is beneficial to use a scanner with decent OCR or a software package like PDFPen on the Mac which adds OCR data to PDFs as this allows you to do a full text search across all your scanned documents. I also use a utility called Hazel which picks out certain pieces of content from scanned documents (like an electricity bill account number) and files the scanned document in the appropriate folder automatically, saving a lot of time on the filing front.
Sharing and collaboration issues
Things get more interesting when you start to look at using DropBox in the course of legal practice.
The uses which clients make of DropBox tend to focus more on its sharing and collaboration functions. This means that you can securely share a folder of documents with other people working on a matter without having to email copies around and it also allows basic collaboration and version control (ie anyone can upload a new version of a document and DropBox maintains copies of the various previous versions).
I have written in the past about how I can’t square this with professional regulation and Data Protection Act obligations. However, the goalposts have moved somewhat as since February 2012, DropBox has been certified as compliant with the EU-US Safe Harbour Scheme, which means that transferring data outside of the EU by uploading it to the DropBox servers in the US should not, of itself, give rise to a breach of the 8th Data Protection Principle.
The 7th Data Protection Principle is still relevant, however, to the extent that DropBox acts as a data processor in respect of data.
The Data Protection Act requirements in this case include that you are able to check that security measures promised by the processor are being put into practice and also that there must be a written contract setting out what the processor can do with the data and requiring it to take the same security measures as you would have to if you were processing it yourself.
DropBox do have a comprehensive privacy policy as well as a detailed breakdown of the security measures which are in place to protect data and these seem robust; however, their terms do contain the usual purported exclusion of any liability arising from the use of the service which would appear to include data security breaches.
Your Dropbox data is actually stored on Amazon’s S3 storage service, which means that it is securely encrypted but that DropBox retain the encryption keys and could theoretically access it. Indeed, DropBox’s privacy policy states that certain employees have this power for use when data is legally required to be disclosed.
It is possible to encrypt data yourself before uploading it, which would avoid this problem, but in the absence of this lawyers should be aware that US rules which allow forced disclosure of data could apply to information stored in your DropBox account.
It is also unlikely that you will be able to take any steps to evaluate whether DropBox are complying with their terms and conditions, so where does this leave you from a DPA perspective?
The Information Commissioner’s Office guidance note on cloud computing acknowledges this issue with public cloud services and suggests that audit by an approved third party may be sufficient. The ICO has indicated that it supports the use of privacy seals and launched a consultation last year with a view to considering these in more detail, but at this stage it isn’t clear whether the TrustE Privacy Seal (which DropBox is covered by) would carry any weight in terms of compliance with the 7th Data Protection Principle.
On balance, I still don’t think that I could recommend a law firm pro-actively to adopt DropBox for use with confidential client information, although in reality I suspect the security they have in place is over and above that which many law firms could boast for their own servers.
However, the debate doesn’t end here as the use of DropBox is starting to be driven more by clients who present it as their chosen tool for basic data rooms, document collaboration and information sharing. In that context the discussion is rather different as it may be difficult to tell the client that you don’t want to use it and would prefer to stick to exchanging information by email (which of course offers no guarantee of security anyway). Maybe the answer here is to ensure you have a compliant alternative in place which you can offer to use instead (there are plenty around although they are certainly not free).
The pressure from clients to use this type of service is only likely to increase and my personal view is that we will end up with a situation where third party audit and certification (like the TrustE seal) are seen as sufficient to satisfy the requirements of the Data Protection legislation. However, I’m not sure we are there yet and if you do intend to use DropBox for confidential personal data then it would still be advisable to make sure it is encrypted before uploading.
Jon Bloor is a partner in the corporate services team at Prettys in Ipswich and Chelmsford, specialising in business and share sales, management buy-outs and private equity investment. He has a particular interest in the digital and online sectors.
Email jbloor@prettys.co.uk.
Nothing in life is perfect or 100% foolproof. Let’s face it, even crossing the road carries a risk. Is the lack of 100% guaranteed security in every single case really so significant a problem that we should avoid Dropbox entirely?. After all, newspaper phone hacking doesn’t stop us using the phone and the Royal Mail is hardly 100% secure – with items being stolen or wrongly delivered on a massive scale. That’s not to mention the fact that recently, DX completely lost one of our briefs – causing significant problems as it didn’t get to Chambers on time [if we had scanned in and sent the documents through dropbox, we could simply have pressed send again.]
Our firm is in the process of introducing Dropbox on a much wider scale – so that all briefs to Council are sent by Dropbox – the time spent in photocopying, and the money spent on D X/post should be significantly reduced – and it gets documents to Counsel quicker. What interesting is we’ve just done a survey of all the major chambers we use – and every one, without exception, said they would welcome the use of electronic briefs using Dropbox. In fact, one set of Chambers was positively encouraging their solicitors to use Dropbox for electronic briefs – but so far without success.
As solicitors, we are great inn seeing risk – but sometimes, surely our obsession with avoiding risk gets out of proportion. I firm has taken a commercial decision to use Dropbox – and I’m hoping that this will play its part in cutting costs, so essential in the current and future climate for the legal profession.
We have been using Dropbox for all our internal files since early this year. I think this is a case where UK/EU Data Protection authorities are going to have to bow to global realities. Dropbox is here to stay and we’re all starting to use it.
We have been using Dropbox for a long while now, and in our case, it is here to stay. The security and data protection issues argued lately is draining the life blood of any small business especially the small legal practice, some of whom are already heavily regulated by the SRA et al. In my opinion the ICO are almost on par with the HSE when it comes to regulation and as such do not take into account real practicalities of any business, regulated or otherwise.
Jon
Apologies if I have missed the point, but couldn’t you get around potential client confidentiality risks (which as you say are probably fairly remote) by advising them of these issues and getting them to sign a waiver to say they agree to your firm using Dropbox to store their information? Email probably poses a bigger security risk in reality, not least from human error when someone sends the email and vital information to the other side!
What is your view on Skydrive by the way? Does it have the same issues?
“Dropbox is here to stay and we’re all starting to use it.” Kevin, couldn’t agree more. The ease of personal cloud use has forced the issue on business (whether they know it or not). So we’re past the time of having the debate on whether or not Dropbox is “here” in the business stack (not to mention Box, SkyDrive, Google’s Drive). And on the consumer side, it’s building out a market of vendors for protecting your data at its source, including our own Viivo software. Curious what third-party tools you all have checked out, liked or otherwise? As attorneys seem to be taking the lead on this aspect of cloud and security, what features would you like to see more of?
The absolute best alternative I have ever seen is GetIt Remote. Secure and you can access and share your files and data without putting anything into the cloud and no syncing yet you get cloud access to them via browser, iPhone, iPad and Android. Perfect solution for the legal industry. Already quite a few firms in Louisville, Lexington and other areas using it. It’s over at http://www.getitremote.com