Cyberattacks against Dropbox are proliferating. Just as litigators have been forced into familiarity with social media as a source of evidence, they will also get to know Dropbox.
As Dropbox and similar file-sharing services are more widely adopted, and as their contents escalate in value – intellectual property and human resources data come to mind – they will be a growing source of leaked information and cyberattacks. Examining security policy, and its enforcement around file-sharing products, will be a key task for litigators, as will discovering which employees have complied and which have not.
In the workplace, data breaches arise from discrepancies between policy and practice. These gaps are an interesting place to search out accountability for damages due to data loss, and we’ll discuss that in a moment.
First, what makes Dropbox an increasingly attractive target?
Last month, we learned that a Dropbox bug allowed intruders to freely view the contents of user accounts, revealing everything from photographs to tax returns. More recently, Dropbox users have begun receiving email messages that appear to be a “share with you” link from a colleague, but spread vicious forms of malware when they’re clicked.
Ironically, success for cyberthieves and technology product developers happens in tandem. The larger the user base, the more successful the product. And the better the odds for criminals seeking high-quality data. The product casts a wide net, offering free versions that emphasize ease-of-use and convenience. Mass-adoption occurs, and the bad guys benefit, launching malware attacks on an ever-growing pool of prospects.
“Free, easy, and convenient” are three propositions that preclude all but the most basic security measures in a product. Dropbox has successfully offered a free version, which induces some users to buy upgrades once they’re hooked. The remainder are users who don’t have sophisticated needs, or who value “free-and-simple” over “secure.”
The drive for productivity in most professional settings is at odds with security policies. IT departments have issued warnings against using Dropbox and other, similar services. But employees will gladly thumb their noses at security policy for an easy way to take work home, or collaborate with others.
Unless the network is configured to prohibit individual users from downloading apps to their desktops, determined employees import whatever helps them achieve their goals. They may be punished if they’re caught – or they may persuade management that whatever they accomplished outweighs the risk they took.
Litigators should consider two points. One is procedural and one is theoretical. The more obvious point is that file-sharing services (which are cloud-storage services) are sources of digital evidence, and should be specified in preservation letters by name, when possible. Broad, non-specific evidence requests (“any and all”) may cause these sources to be overlooked simply because they aren’t named.
The second point is about accountability for cybercrime and data breaches. Is there a company culture of permissiveness when it comes to information governance? Lax attitudes at the management level foster dismissive behavior among the rank-and-file, setting the stage for actionable abuses of information.
Habeas Hard Drive considers written policies, training, and enforcement manuals to be evidence of a company’s competence and intentions toward information governance. There are also standards-based systems to evaluate the scope of the policies, and whether they reasonably address the known threats, and whether personnel are able to exploit loopholes or ignore the rules with impunity.
Proving damages from information theft is highly dependent on the facts of each case, but proving the information governance demeanor of the company is not all that hard.