How to Securely Use Dropbox in a Legal Environment

Excerpted from “Securely Use Dropbox in a Legal Environment” ABA TECHSHOW 2014

Written by Diane Ebersole, ABA TECHSHOW Board 2015

We have discussed how you can enhance the security of access to your Dropbox files by moving to two-step verification for login via the Internet. What protections does Dropbox provide for your data during transmission and while it resides on their servers? How can you improve the security?

The data (file) placed into Dropbox on your computer is transferred to the Dropbox server using Secure Sockets Layer (SSL) protection. This protects your data during transmission. As the file is placed on the Dropbox server it goes through an encryption process. Dropbox holds the key for the encryption. When you access the file from Dropbox servers, it “passes through” the encryption key again and becomes available for your use.

The fact that data arrives at Dropbox in unencrypted form seems to be the point of contention for many. Lawyers seem to worry less about the possibility that the Dropbox servers will be hacked and valuable data stolen, and more about the perceived risk that Dropbox might have to disclose a file pursuant to a lawful court order. Because the file data arrives at Dropbox in unencrypted form, the file could be accessed and reproduced in original format by Dropbox to comply with the court order. If you want to address this security risk, one alternative would be to add encryption to some or all of your files before placing them in your Dropbox drive on your computer.

There are a lot of encryption applications in the marketplace currently. I am not going to attempt to provide a thorough review of the many options and instead will discuss four applications that may meet your needs to add encryption to some of your files. These applications are each designed to work well with Dropbox and other cloud storage systems.

How do these applications work? The basics are really pretty simple. Let’s use Safebox as an example. First, the application is downloaded and installed on your computer. Much like Dropbox, Safebox adds another drive to your computer. This drive is where you place a file that you want to be encrypted before it is sent to the Dropbox servers for online storage. Safebox encrypts the file, including the file name, and then automatically sends it to the Safebox folder residing in your online Dropbox. You can continue to use any of the file management techniques you normally use to move files around on your computer. It is possible to do a “save as” to either the Safebox or Dropbox drives, or you can click and drag files or copies of files to these drives and the organizational structure within these drives.

The short version of how these two “virtual” drives work might be summed up simply. When you put a file in an encryption application folder like Safebox, the only way you can access the file (in its original form) is through the same application – Safebox. The file will be automatically stored on Dropbox, but accessing it through Dropbox will only let you see the encrypted form. Other products that are similar to Safebox include BoxCryptor, Viivo, Safemonk, and CloudFogger.
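
The encrypt-before-sync idea described above, shown as an added example that is not from the original article and does not reproduce how Safebox or the other named products work internally. It assumes OpenSSL 1.1.1 or later and tar are installed, that the passphrase is in a hypothetical VAULT_PASS environment variable, and that the sync folder path is one you choose inside your local Dropbox directory.

```shell
#!/bin/sh
# Added example (constructed): encrypt locally so Dropbox only ever syncs ciphertext.
# Assumptions: OpenSSL 1.1.1+ and tar; passphrase in the hypothetical VAULT_PASS
# environment variable; SYNC_DIR is a folder inside the local Dropbox directory.
# Limitation: `openssl enc` in CBC mode hides content but does not detect tampering.

# vault_put FILE SYNC_DIR -> prints the opaque name written into SYNC_DIR
vault_put() {
    src=$1; sync_dir=$2
    blob=$(openssl rand -hex 16) || return 1   # random name hides the real file name
    mkdir -p "$sync_dir" || return 1
    # tar carries the original file name inside the encrypted payload
    tar -C "$(dirname "$src")" -cf - -- "$(basename "$src")" |
        openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
            -pass env:VAULT_PASS -out "$sync_dir/$blob.enc" || return 1
    printf '%s\n' "$blob.enc"
}

# vault_get BLOB SYNC_DIR OUT_DIR -> restores the original file into OUT_DIR
vault_get() {
    blob=$1; sync_dir=$2; out_dir=$3
    tmp=$(mktemp) || return 1
    mkdir -p "$out_dir"
    if openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
            -pass env:VAULT_PASS -in "$sync_dir/$blob" -out "$tmp" 2>/dev/null &&
       tar -C "$out_dir" -xf "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1                     # wrong passphrase or damaged blob
}
```

Only the `.enc` blob lands in the synced folder, so anyone holding just the Dropbox copy sees neither the content nor the file name; there is also no recovery path if the passphrase is lost.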

Carefully consider which of your files really need to be encrypted. If you are looking at using Dropbox to back up your personal bank records and tax returns, should those be encrypted? If your client has given you the recipe for Pepsi, should it be encrypted before you move it to Dropbox for storage? Encryption of files creates a unique management layer that has the potential to both prevent and create disasters. It is highly unlikely that all of the documents stored on Dropbox require encryption.

If your choice for an encryption application does not provide a recovery key, you will not be able to recover your encrypted documents if you have lost or forgotten the password. On the other hand, if the encryption provider has access to your recovery key, do they have access to files that may be subject to the same court order concerns? If the documents stored on Dropbox are not encrypted and a court order results in the disclosure of documents, what would be the consequences? It is a delicate balance. You should not approach the process of encryption casually. If you tend to be a bit scatterbrained or unfocused, be sure to exercise great care as you move into encryption. Perform your due diligence in deciding which encryption application to use. Test the applications using frivolous documents that allow you the freedom of experimenting without worrying about data loss.

If you are applying encryption to files for your firm or for your personal life, establish systems that enable your successors at work or at home to access the encrypted files. What happens if you encrypt all of the files for a huge case and your successor cannot access them after your unexpected death?

As you move into the world of digital storage and encryption take time to review the security measures currently protecting documents in your office. Review the security on your computers, servers, external drives, thumb (flash) drives, and paper documents. Encryption will enhance the security of documents stored in the cloud. Remember, document retention and security is a multifaceted endeavor both in the cloud and in your office!


Reprinted with Permission. 2015© by the American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.