Tuesday, September 13, 2016

What The Dropbox Hack Means For Lawyers


Dropbox confirmed in a recent blog post that 68 million users’ login credentials have been hacked. Keep in mind, they don’t know the extent of what data was accessed (if any) using stolen credentials, just that the credentials were stolen. The login credentials were hacked in 2012, and the full extent of it just came to light about two weeks ago, as described in the blog post on Dropbox’s website. I was one of the lucky email recipients warning me of a potential breach:


I routinely get files shared with me from other lawyers using Dropbox. It seems to remain a popular tool for lawyers to share and store files. As such, now seems an appropriate time to point out some helpful hints when it comes to using the cloud.
What the Hack Means for Lawyers
First and foremost, if you were using Dropbox in 2012 and have not changed your password, you should do that immediately. Keep in mind that this hack does not just affect dropbox.com. If you are like most people, you use the same password on multiple sites. If your Dropbox password from 2012 was also your email password or your online banking password, you should change those too. If I’m a hacker and I buy a list of 68 million usernames and passwords and I try the first combination of login credentials and it doesn’t work, I might also try using those credentials on WellsFargo.com, Bofa.com, Chase.com, google.com, etc. Wells Fargo doesn’t know if you use the same password as you did for Dropbox in 2012, so you would not be getting an email from them telling them to change your password. So, it’s not just your files from Dropbox that are at risk, it’s potentially your online life. You can be subject to state bar discipline if your online account information gets hacked because of a lack of diligence on your part, so here are some hints for complying with the maze of ambiguous ethics opinions on this topic.
As I’ve covered before, a number of states have adopted some kind of ethics opinion authorizing lawyers to use the cloud to store client files. As you would expect from an agency of lawyers, the answer to “Can I use the cloud?” is “It depends.” There is no ethics opinion that specifically says that you cannot use Dropbox. Instead, they generally say that you should use diligence in selecting a service provider for cloud storage. Part of that includes identifying the tools that provider makes available for protecting your data.
For example, the biggest security feature that Dropbox offers is multi-factor verification. In fact, the follow-up blog post to address the rumors of the hack mentions several times that all users should use multi-factor identification. In short, what that does is require that someone has your user name, password, and a unique code texted to your phone. There might be a large circle of hackers in China who could hack into your accounts, but there is a much much smaller circle of individuals from China who can hack your account and have your phone handy.
Look for a provider that has activity logs. Here is a screenshot from the Dropbox page comparing their tiers of paid storage plans:

You can see that with the two business account options, they offer user activity monitoring. That can be helpful to identify if there was a hack, and what files were accessed. So, say for example you operate in California. You access your user tracking logs and see that you logged in from Kansas and the files that were accessed or viewed during that login session were your pie recipes from your Miscellaneous folder. In the alternative, you see that only one client’s files were viewed and you know the exact files that were accessed. Now, you don’t need to blast out a group email to all of your past clients letting them know that their files might have been accessed because you know exactly which files were and were not viewed.
Conclusion
If you store data in the cloud, you’ll want to make sure that you periodically familiarize yourself with the advancements in security technology. Remember, it’s not just a quantifiable economic loss we are talking about, it’s also a loss of your reputation and potential clients.
Jeff Bennion is Of Counsel at Estey & Bomberger LLP, a plaintiffs’ law firm specializing in mass torts and catastrophic injuries. He serves as a member of the Board of Directors of San Diego’s plaintiffs’ trial lawyers association, Consumer Attorneys of San Diego. He is also the Education Chair and Executive Committee member of the State Bar of California’s Law Practice Management and Technologysection. He is a member of the Advisory Council and instructor at UCSD’s Litigation Technology Management program. His opinions are his own. Follow him on Twitter here or on Facebook here, or contact him by email at jeff@trial.technology.


No comments:

Post a Comment