Is the popular Dropbox file sharing application a huge eDiscovery risk?


First, let me say the Dropbox file sharing program is one of the greatest applications I’ve run across in a long time and to date has approximately 25 million users worldwide. What is Dropbox? Dropbox is a cloud storage application which synchronizes files between computers and other electronic devices like iPhones. Installing Dropbox creates a special folder on your computer. Anything that you put in this folder is automatically synchronized with any other computers or iPhones on which you’ve installed the service. The files you drop in for synchronization are also located on a remote server, which means you can download files even when all of your other devices are turned off or offline. It’s easy to understand why instant synchronization across all your computers and iPhones is inherently fantastic. You drop a file into your Dropbox folder on, say, your work computer and it’s almost instantly on all your other computers (with an internet connection) and iPhones, be it at home, work, on the road or on vacation. What’s greater than that?

You need to be aware of a couple of potential problem areas if you are going to install Dropbox. First, when you delete a file in your Dropbox folder on your computer, it is not really deleted from the Dropbox cloud. It is classified as “Deleted” and will disappear from your desktop folder, but in the Dropbox cloud it still exists and can be “Undeleted”.

Dropbox saves a history of all deleted and earlier versions of files for 30 days for all Dropbox accounts by default. If you have the Pack-Rat add-on, Dropbox saves those files for as long as you have the Pack-Rat add-on. With Pack-Rat, you never have to worry about losing an old version of a file. You can permanently delete files inside of the 30 days but that must be done in your web account.

Another capability to be aware of is the “Events” tab in the web account.

The Events window shows you all of the recent(?) activity that has taken place in your account. This includes a wide variety of data such as the addition and deletion of files, moving files, adding and removing folders, sharing files and folders, linking computers to your account and more. At this point I’m not sure how long this history is available in a given account but in my account, the history is showing info back to when I created the account 6 months ago.

All of these great capabilities point out two areas of concern that organizations need to be aware of. First, could intellectual property theft get any easier? A worst case scenario would be the following: an employee decides to leave the company and wants to take some IP he or she has been working on for the last 7 months. The employee can simply drag the electronic files to the Dropbox folder on their company-supplied computer and later that night access them from their computer at home or, even worse, give their new employer the password to their Dropbox account, and within seconds all that IP is sitting on the new employer’s desktop. It can happen in a matter of seconds. Would the current employer even be able to tell if that IP was copied?

An even more interesting concern arises around eDiscovery risk. Would the fact that a custodian has or had at one time a Dropbox account make all of their non-business supplied computers and iPhones a target of eDiscovery if they were a party to litigation in their organization?

An opposing counsel’s questioning might go something like this:

Opposing counsel: “Bill, do you now or did you during the time period in question have a Dropbox account?”

Bill: “Possibly…I’ve had one for some time”

Opposing counsel: “While you’ve had the Dropbox account, have you ever copied work related documents or emails to your Dropbox account for whatever reason?”

Bill: “Yes I have”

Opposing counsel: “Could you have copied files that are relevant to the current case?”

Bill: “Maybe…I don’t remember”

Opposing counsel: “You don’t remember…is that the truth?”

Bill: “Is that the truth? …YOU CAN’T HANDLE THE TRUTH!! (Jack Nicholson flashback)”

Opposing counsel: “Judge, I would like to include every computer and iPhone Bill has access to in the eDiscovery request as well as Bill’s Dropbox account to view any deleted files as well as his “Events” history.”

Bill: “You’ve got to be kidding…Judge?”

Judge: “Do I look like I’m kidding? …Makes sense, approved”

Is the preceding example a possibility? Sure it is. So how would your organization defend against this type of eDiscovery risk?

In my experience, if you inform employees (in writing) that by using the Dropbox application on their work computers, personal computers and company-supplied iPhones they open themselves to having their personal home computers, or any computer on which the Dropbox application was installed, potentially accessed and reviewed by attorneys, most employees will refrain from installing it on their work-related computers. It would also be a good insurance policy to create a computer use policy which includes a directive against installing the Dropbox application on work-owned assets.

Again, let me stress that I think the Dropbox application is fantastic and has great uses for everyday life but employees and organizations need to be aware of the risks associated with it in litigation.
