Do Your Clients Care if You Use Dropbox?

I had lunch with Mike Frasier yesterday, who said one of his clients wouldn’t let his firm store the client’s files in Dropbox. I’ve heard people say this before, but I’m wondering if it’s more prevalent. so, have any of your clients told you not to store their files in Dropbox?

Edit: For those of you whose clients say no, what’s their hangup?


  1. Avatar Jeff Taylor says:

    I don’t think any of my clients know I use Dropbox to store files. If they did though, I’d hope they’re not going to dictate what and how I operate. I should, barring some problems with confidentiality, be able to use the services I want that will help my practice be more efficient and productive.

  2. Avatar Martin says:

    Using Dropbox for client data without any encryption is IMHO a no-go. Using Dropbox in agreement with clients, for example for the exchange of large attachments or to share some documents, is of course fine – many clients ask me for specific ways of communication, sharing etc. and Dropbox is often mentioned.

  3. Avatar Mark Lyon says:

    The appropriate question is not “Do your clients care if you use Dropbox?” but is instead “Should your clients care if you use Dropbox?” or, even better, “Should you use third party services to store client data?”

    Clients should absolutely be concerned about the security of their information, but many don’t even know to ask the question. That’s why we have an ethical duty to protect their information (whether in a digital file or a hanging folder in your left-hand-drawer).

    Not all needs require you to avoid using third party storage services (and not all self-operated solutions are better than trusting a third party), but if you’re storing data you should take reasonable steps to protect it from disclosure while retaining usefulness. Encryption – under your control – can make using a third party quite attractive. I use TrueCrypt quite often, but other tools like SecretSync might work better for certain workflows.

    Trusting Dropbox (or anyone else) to maintain the security of your data is foolish. In Dropbox’s case, they have already proven that they can’t protect data stored with them 100%. For instance, there was a period where anyone could access anyone else’s account. Further, they’re quite clear that their internal people can access your data.

  4. Avatar Joel Smith says:

    If your clients have a problem with Dropbox and its security issues, you might consider switching to a service with client-side encryption such as SpiderOak. Because the encryption is client-side (vs. server-side as with Dropbox, SugarSync, Box, SkyDrive, etc.) it will only get decrypted locally. SpiderOak servers cannot see what is stored. This has the added bonus of effectively making your data SUBPOENA PROOF!

    • Sam Glover Sam G. says:

      Unfortunately, I haven’t heard many good things about the service itself. SpiderOak seems to have security, but little in the way of reliability or usability.

      • Avatar Martin says:

        SpiderOak shouldn’t be considered secure because you cannot use your own key to encrypt your data – all encryption is based on keys derived from your password and as soon as you login on the SpiderOak website with your password, SpiderOak knows it … pretty much of their security model as presented on their website is pure snakeoil.

        A secure alternative often used by lawyers in Western Europe is Wuala, a spin-off from the Swiss Federal Institute of Technology and owned by Lacie but still based in Switzerland:

    • Avatar Greg Broiles says:

      I tried SpiderOak – I really like their attitude and their technology model – but it just didn’t perform well for me. The Windows client was unresponsive, and it was tough to figure out whether or not it was really doing anything. I dont’t think – but I’m not sure – that I ever got all of my files synced, and I was a paid user for a year.

      I hope someday they get things fixed so it’ll have the usability/simplicity of Dropbox + good security/privacy features.

      I will note that a provider that stores data using an encryption key under my control will always spend more on storage (internally) than a provider that uses their own key – providers that can see my real files can do de-duplication, meaning that if you and I store the same file, they store 1 copy of it, not two. I don’t know what Dropbox’s ratio of apparently stored files to actual disk space used is, but I bet they get some pretty good savings from deduplication. I dump a ton of files that I download (or otherwise run across from a public source) in Dropbox because then they’re easy to find – but I’m sure that thousands of other people do exactly the same thing with exactly the same file, and Dropbox only has to store it once.

      So, even in a perfect world, Spider Oak will probably be more expensive than Dropbox. But I don’t mind paying the premium for improved security/privacy.

  5. Avatar Jeff Vail says:

    I get the concern over cloud based storage, but you need to put it in a larger security context. If someone wants your data, and they’re sophisticated and willing to break the law, they’re going to get it unless you take extraordinary security measures. In 99% of cases, your physical security is more vulnerable than your cyber security. It’s just that you’re more likely to lose data online as part of some larger-scale theft that didn’t target you than you are to physical intrusion–but these massive data losses are far less likely to result in exploitation of your client’s data specifically. Turn on two factor security, encrypt stuff that is actually important, but thinking you can really stop a pro is not much different than a non-lawyer thinking they can handle sophisticated legal work on their own.

  6. Avatar Henry Pham says:

    I was very concerned about this issue with Dropbox security, so I researched products that gave you your own private cloud and came across the Synology Diskstation. It’s been great. I canceled my Dropbox account. Has most of what I appreciated about Dropbox. But I’m good enough to be dangerous with basic networking, and realize that for most of us this might not be a good solution.

  7. Avatar jj says:

    Data ownership issues are a problem with Dropbox, Drive, iCloud, etc. By their terms of use, Google in particular *(see below), you grant them license to access and use the data you have stored on their services. In fact, MA (one state I am licensed in) is so sensitive to this issue that they have published an ethics opinion that ties the terms and conditions of your cloud provider’s use agreement to your duty to keep client data confidential under Rule 1.6(a). In other words, if you use a cloud service that has the right to access your client’s data, you may face santions for failing to keep client data confidential. MA also requires that a lawyer refrain from storing sensitive client information on the cloud (they write Internet but mean cloud) without first obtaining the client’s express permission. For this reason, all of my retainer agreements grant me express permission to e-mail, store, whatever on the Internet, client information so long as I exercise reasonable care against unauthroized access. However, I will not use Drive, nor will I use Dropbox or Apple, which, I have been told, have similar terms of service to Google.

    In short, if the client refuses to grant you permission to store his client information on the cloud (which is his right in MA, anyway) you may not store his client information on the cloud.

    * From Google Drive’s Terms of Service
    “When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services. “

    • Sam Glover Sam G. says:

      Data ownership issues are a problem with Dropbox, Drive, iCloud, etc. By their terms of use, Google in particular *(see below), you grant them license to access and use the data you have stored on their services.

      This has nothing to do with ownership. It has to do with granting the permissions necessary to move your data around according to your instructions. For example, Dropbox, et al., cannot legally sync your data between two computers unless it has a license from you to do so. If you want to sync files, you have to grant such a license. Every file sync service requires such a license, no matter what level of security it may offer.

      In fact, in order to simply use the Internet, you have to grant a similar license to your ISP. Want email? Same thing, whether you use Gmail or Hotmail or download your own mail. The only way to avoid a license like this is to not use the Internet.

      • Avatar jj says:

        Hi Sam:
        I do not post frequently, nor have you ever directly responded to me. While I have your attention, I want to thank you for the Lawyerist and the LawyeristLab. You are adding immense value to those of us who practice solo or in small shops.

        While I agree with your statement, wouldn’t you also agree that Google Drive’s terms of service create an opportunity for Google to access and potentially use client confidential data? They may never do it. But my ticket to practice law (at least in my mind) is worth considerably more than the convenience of a cloud service.

        Granting Google an express license to “use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute …” client confidential information is a little too rich for my risk averse stomach. Dropbox’s terms of service may be very different from Google’s terms. I have not researched them. If they are similar, however, under MA’s ethics opinions on this matter, I have a duty to obtain my client’s permission before using these services, and further, face the consequences of potential censure or disbarment should Google elect to exercise its hypothetical license from me to publically display my client’s confidential information.

        Until I see how the MA SJC (and other courts) handles a discipline case involving a Dropbox/Drive/iCloud service problem, my inclination is to avoid using them to store client data.

        • Sam Glover Sam G. says:

          When you give client information to a courier, don’t they have the ability to access it? Cleaners? Document storage facilities? Email providers (including your clients’, which you cannot control)? Staff?

          What’s so different about hiring a company to provide some of those services via the Internet?

          Further, none of the services you mentioned (or any I am aware of) ask for a license to display your data without your explicit permission.

          (And thanks! Always nice to hear.)

  8. Avatar Avi Frisch says:

    Dropbox’s terms of use make it clear that they are not claiming an ownership interest in your files and will not use your files for any purpose other than to provide the services you request. I don’t see how anyone can have a problem with this. If you have a big document production and bring it to a copy shop to copy, they also have access to provide the service you requested. The extent of the privacy controls people want would make it impossible to use a computer, a telephone or anything else. If Massachusetts cannot figure that out, then those in charge should be replaced.

Leave a Reply