Last week a prospective litigation client suggested we use Dropbox to share confidential and proprietary information relating to a technology startup. This gave me access to the information that I needed to price the matter; the information was far too voluminous to simply attach to an email; and, perhaps most important in the client’s eyes, “Dropbox is free!”
Dropbox is an intriguing cloud-based storage solution: your data is stored on your own computers and servers, and synchronized and accessible from servers in the cloud.
Still, as lawyers, we are supposed to take “reasonable precautions” to safeguard confidential and proprietary client information. Dropbox says that transmissions and storage are encrypted, are password protected, are “hardened against attacks for hackers” and kept on secure Amazon servers. Even assuming you know what all this means, are you ready to give up physical control of your client’s media and place it in this environment? Does simply relying on Dropbox’s no doubt sincere assurances equal “reasonable precautions”?
Dropbox has been the subject of an FTC complaint alleging that Dropbox misled users about the privacy and security of their files, as well as a class-action lawsuit (since dismissed) based on an alleged instance in which Dropbox accounts could be accessed without passwords for four hours. Whether well-founded or not, allegations such as these place lawyers on notice that they need to be proactive when taking advantage of Dropbox or any other cloud storage service.
Lawyers should take the additional step of encrypting, or pre-encrypting, client data before we give it to Dropbox or any other cloud-based storage solution. This way the Dropboxes of the world have zero knowledge of the contents of your data. You, your client and your malpractice carrier sleep much better knowing this precaution has been taken. Even Dropbox thinks so:
Dropbox: Yes, we have always recommended third-party encryption solutions for advanced users who are comfortable managing their own encryption keys.
(From Michael Kassner’s post Dropbox: Convenient? Absolutely, but is it secure?)
Thanks to my paralegal, Janet Ho, I’ve learned how to use the archiving and file compression features that come with Windows to do the encryption. Here’s how:
The basic idea is to encrypt confidential data before using any cloud service or FTP site, or even before transfer by email, as follows:
- Archive/compress the files using WinZip or WinRAR (which have their own encryption algorithms), and then password-protect the archive files
- Upload the password-protected archive files to the cloud room or FTP site, or send them by email
- In a separate email or by any other method, give the recipients the password to unpack the archive files
The following are instructions for archiving files and adding a password on Windows:
1. Archive the files by selecting all the files and right-clicking to choose “Add to archive…”
2. In the window that pops up, choose the archive format (either RAR file or ZIP file). You can also limit the maximum size to maybe 1GB or 2GB (there might be a size limit for the files you are uploading to cloud services or sending by email).
3. From the Advanced tab, choose to add a password to the archive files.
4. Enter the password and click OK.
5. It will bring you back to the main window; click OK there.
6. The files will start being archived.
7. These password-protected archive files are safer to transfer.
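Before uploading, it is worth confirming that the password actually took effect on every file in the archive. The following Python sketch is an added example, not part of the original post: for a ZIP archive it reports whether each entry is unencrypted, protected with the older ZIP password scheme (ZipCrypto, considerably weaker than AES), or AES-encrypted. The listing works without the password because standard ZIP encryption protects file contents but not file names. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

AES_METHOD = 99        # WinZip AES entries store 99 as the compression method
AES_EXTRA_ID = 0x9901  # extra-field record that carries the AES key strength

def aes_bits(extra):
    """Return the AES key size from the 0x9901 extra record, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        rec_id, size = struct.unpack_from("<HH", extra, pos)
        if rec_id == AES_EXTRA_ID and size >= 5 and pos + 8 < len(extra):
            return {1: 128, 2: 192, 3: 256}.get(extra[pos + 8])  # strength byte
        pos += 4 + size
    return None

def audit_zip(source):
    """Map each file in the archive to how (or whether) it is encrypted."""
    report = {}
    with zipfile.ZipFile(source) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            if not info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted
                report[info.filename] = "NOT ENCRYPTED"
            elif info.compress_type == AES_METHOD:
                report[info.filename] = f"AES-{aes_bits(info.extra) or 'unknown'}"
            else:
                report[info.filename] = "ZipCrypto (legacy)"
    return report

def safe_to_upload(source):
    """True only when the archive has files and every one of them uses AES."""
    report = audit_zip(source)
    return bool(report) and all(v.startswith("AES") for v in report.values())

def constructed_sample():
    """Constructed demo archive: header fields are patched, contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("plain.txt", "legacy.txt", "aes.txt"):
            info = zipfile.ZipInfo(name)
            if name == "aes.txt":  # AE-2 record, vendor "AE", strength 3 = 256-bit
                info.extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 0)
            zf.writestr(info, b"x")
    raw, pos = bytearray(buf.getvalue()), -4
    for flags, method in ((0, 0), (1, 0), (1, AES_METHOD)):  # one per entry, in order
        pos = raw.find(b"PK\x01\x02", pos + 4)  # next central-directory header
        struct.pack_into("<HH", raw, pos + 8, flags, method)
    return io.BytesIO(bytes(raw))
```

To check a real archive, pass its path to `audit_zip` or `safe_to_upload` instead of `constructed_sample()`. RAR archives are outside what this sketch reads.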
True enough, there are more robust encryption applications out there like TrueCrypt, EncFS, SecretSync and BoxCryptor. But if you need to implement cost-effective and defensible encryption in the next 5 minutes that will allow you to take advantage of the great services offered by Dropbox and the like, WinZip or WinRAR look like good options.