May 23, 2018

Is Dropbox Safe for Canadian Law Firms?

More and more companies, including law firms, now store their files and data in the cloud. A popular option is Dropbox, whose servers are located in the U.S. This raises a legitimate concern for Canadian firms: Is Dropbox safe to use?

Unboxing Dropbox

Dropbox is a file hosting service that allows people to keep their files in the cloud and share them with other individuals. For large organizations there’s Dropbox Business and Dropbox Enterprise, which allow teams to collaborate and manage their files online. The beauty of cloud storage is that when a file is updated in Dropbox, it is automatically synced to all devices that share the same account.

Dropbox stores two types of data:

  • files, photos, video, and all other data you store in Dropbox, which collectively can be called “your stuff”
  • profile information about you (name, email address, etc.), how you use their services, and information about the devices you use

With the rise of cyberattacks, it’s more important than ever to protect your data stored in the cloud. The question though is: Safe from whom?

Illegal Access of Data

Hackers, phishers, and anyone seeking illegal access to your information can come from anywhere, so it doesn’t matter where Dropbox’s servers are located.

To thwart hackers, Dropbox has been improving and updating its security measures. It uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to prevent hackers from listening in on or “sniffing” your data while it is in transit during sync. Dropbox also encrypts files using 256-bit Advanced Encryption Standard (AES), a sophisticated encryption algorithm that has become a global standard for sending information securely. A secret key is required to decrypt the files on the server, doubling the security for account owners. This level of security is available for free accounts, while Business and Enterprise users have increased levels of security, including admin controls.

Phishing is also a big threat. It is a cybercrime in which an attacker tries to get you to reveal valuable personal information, like passwords or access numbers, through email and other forms of communication that seemingly come from reputable companies. Dropbox’s vulnerabilities are often due to user behavior. If you use Dropbox, you need to take extra steps to protect yourself from phishing attempts:

  1. Be suspicious of an email that asks you for personal information. Double-check before you click on any link.
  2. Change your password regularly.
  3. Set strong passwords. Mix letters and numbers, upper and lower case, and use special symbols.
  4. Set up 2-step verification.
  5. Check the IP address of the last known device connected to your account.
  6. Whenever you can, unlink devices, web sessions, and apps from your Dropbox account.

Should you end up uploading a file with malware to Dropbox, there’s a nifty feature that can save you. Whenever you sync your files, Dropbox keeps the older version for 30 days (for free accounts; other accounts can extend this period). So long as you know which version of your file was infected, you can recover the earlier uninfected version. Better yet, install an anti-malware program to prevent malware from latching onto your files.

Thinking Outside the Box

When it comes to preventing unauthorized access to your profile information and stuff, Dropbox has stringent security measures in place. But it is still vulnerable to the following kinds of security breach:

  1. A rogue Dropbox employee
  2. Hackers getting their hands on your encryption key
  3. Dropbox voluntarily providing your information

The first two examples are highly unlikely to happen. And those kinds of breaches aren’t exclusive to Dropbox; they can also happen to other file hosting services. The third example is possible because of the difference between U.S. and Canadian privacy laws.

Legal Access to Your Data

Should Canadian law firms be concerned that Dropbox’s servers are located in the U.S.? Compared with U.S. privacy laws, Canada’s are stricter. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) states that an organization that has your data is fully responsible for its protection. This law also requires companies to seek the consent of individuals first before sharing their personal information (with very few exceptions, especially those related to national security).

But Dropbox’s servers aren’t under the jurisdiction of PIPEDA. Prior to 9/11, U.S. laws granted the U.S. government access to someone’s personal information if it was in the custody of U.S. companies, like Dropbox. After 9/11, the U.S. implemented the USA Patriot Act, which made it a lot easier for authorities to conduct searches and compel companies to disclose information of individuals even without their consent.

Box It Or Drop It?

The bottom line is that Dropbox continues to be one of the most popular cloud-based file hosting services. Because of its size and market dominance, you can rest assured that it will keep its service as secure and private as possible. But if a greater concern for you is the ability of the U.S. authorities to access your data, then you should think twice before using Dropbox.

It is important for your law firm to partner with an IT service provider that’s on top of what’s happening in the world of information technology and in the legal industry. We at Vertex Solutions are experts in more than a dozen law applications, and we’re recognized as one of the best managed services providers in Canada. If you’re in the Greater Toronto Area and want to know more about specialized IT services, call our experts today.
