A putative class action complaint was filed on June 22, 2011, in the United States District Court for the Northern District of California, alleging that the popular cloud-based storage provider Dropbox, Inc. failed to secure its users’ private data and failed to notify the vast majority of them about a recent data breach. According to the complaint, Dropbox announced in a blog post on its website that it had “introduced a bug” on June 19, 2011, which allowed users logged in to its system to log into other users’ accounts and access the data those users had stored on Dropbox. The complaint further claims that Dropbox did not notify most, if not all, of its 25 million users that their information had been compromised. The complaint defines the plaintiff class as all current or former Dropbox users as of June 19, 2011, whose accounts were breached.
If proven, this would be a textbook example of “Trust but verify” and “Look before you leap,” wouldn’t it? One of the rituals I perform as a Chief Security Officer or Chief Privacy Officer is examining the contractual language before trusting any service provider who will be entrusted with my data. This is precisely the reason, and the biggest reason, why I sound the alarm on cloud computing and hosting services in general. People do not take the time to negotiate, or even understand, service contracts, and blindly entrust their data to strangers: strangers who, in many cases like this one, are not worthy of that trust.
The suit, which states claims for violation of the California unfair competition law, invasion of privacy, negligence, and breach of express and implied warranty, is the second recent legal challenge to Dropbox’s security measures. A complaint previously submitted to the Federal Trade Commission in May 2011 alleged that Dropbox made false claims about the security of its users’ data.
Among other things, the plaintiffs allege that Dropbox’s failure to disclose the breach to users constituted a fraudulent act or practice in violation of California’s unfair competition law, and that by failing to safeguard their data Dropbox violated users’ reasonable expectation of privacy in the private data they stored on Dropbox. The negligence claim states that Dropbox failed in its duties to have procedures preventing unauthorized access to private data and to disclose the breach in a timely manner.
The complaint requests that Dropbox institute reasonable security measures to prevent similar incidents in the future, and seeks actual, compensatory, punitive, and statutory damages, injunctive relief, and attorneys’ fees and costs. Dropbox must fix its culture of customer disregard or surely risk going out of business. With a potential class of 25 million customers, its past may very well have sealed its fate already. From a corporate standpoint, my employees’ access to the site has been blocked at the firewall and the installed software has been removed.
The complaint is available here: Dropbox complaint