Legal services professionals should not use Dropbox to share documents with clients because of the lack of access controls.
I won’t bother to introduce Dropbox. You’d need to have been living under a stone not to have heard about it by now. Suffice to say that it is probably the most popular Cloud Service for sharing documents between computers.
What I want to discuss is the suitability of Dropbox for one specific use case: sharing documents with clients. This applies to any professional, but I think it is particularly applicable to anybody in a regulated industry.
Dropbox and the Legal Services industry
Much has been written about the general use of Dropbox and whether it can be used in the legal services industry and maintain compliance. In general, the jury is still out. A good analysis (from a US perspective) can be found on securityblawg.com. This concentrates on whether Dropbox can be used without jeopardising the tenets of Attorney-Client Privilege. A contrary view can be found in Snippets.
Sharing documents with clients
In this use case, one or other party places a document in a Dropbox folder that has been shared with the other party or parties. All participants can now see the document and, crucially, can amend it.
This is the major flaw with Dropbox in a shared environment: it has no access controls. As the Dropbox website itself says:
Any member of the folder can add, delete, or edit files within that folder.
Source: Dropbox
Access Controls
Anybody operating in a shared corporate environment will be familiar with access controls on files. The owner of the file or folder can define the access rights of people and groups of people. Some have No Access, some have Read access only and some have Read/Write access. Some may be able to delete a document, others may not.
These are the basic requirements that have to be in place to avoid the situation where one person (inadvertently) deletes or corrupts a document belonging to another person, possibly without even realising they did it.
A further requirement in most regulated environments is to be able to maintain an audit trail of who did what and when.
Dropbox supports none of these mechanisms.
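The access model described in this section, as an added example (not code from the original post or from Dropbox): a hypothetical SharedFolder class checks per-user Read, Write and Delete rights and records every attempt, allowed or refused, with who, what and when. Chaining each audit entry to the hash of the previous one is an assumption about how to make later edits to the trail detectable.

```python
import hashlib, json, time
from enum import Flag, auto

class Right(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    DELETE = auto()

class SharedFolder:
    """Hypothetical shared folder: per-user rights and a hash-chained audit trail."""
    def __init__(self, acl):
        self.acl, self.docs, self.audit = dict(acl), {}, []

    def _authorise(self, user, action, doc, needed):
        # Users missing from the ACL get No Access.
        allowed = (self.acl.get(user, Right.NONE) & needed) == needed
        # Record who did what and when, including refused attempts.
        entry = {"when": time.time(), "who": user, "what": action, "doc": doc,
                 "allowed": allowed,
                 "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = self._digest(entry)
        self.audit.append(entry)
        if not allowed:
            raise PermissionError(f"{user} may not {action} {doc}")

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def read(self, user, doc):
        self._authorise(user, "read", doc, Right.READ)
        return self.docs[doc]
    def write(self, user, doc, text):
        self._authorise(user, "write", doc, Right.WRITE)
        self.docs[doc] = text
    def delete(self, user, doc):
        self._authorise(user, "delete", doc, Right.DELETE)
        del self.docs[doc]

    def audit_intact(self):
        """True only if every entry matches its hash and links to the one before it."""
        prev = "0" * 64
        for e in self.audit:
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True
```

With the client holding all rights and the agent holding Read only, the agent's accidental save raises PermissionError, the document is unchanged, and the refused attempt still appears in the audit trail.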
The danger of using Dropbox
So, what could be the consequences of using Dropbox to share legally important documents like briefs, patent applications, arguments, etc.?
Suppose a client chose to share a proposed patent application with an agent using Dropbox. This is likely to be a Word document or something similar. Given that Dropbox has no access controls, there is nothing to catch the occasion when the agent inadvertently makes a change to the document and saves it back.
- What if that change subtly altered the intent and meaning of the document?
- What if the change meant that the application failed?
It’s not hard to think of similar situations in other fields where the detail of a document is of crucial importance.
In Summary
In other posts, I’ll discuss ways in which documents can be shared securely, and how the need to control access and maintain an immutable audit trail can be met. In the meantime, think very carefully before you use Dropbox to share that document with somebody outside of your organisation.