
Dropbox not Suitable for HIPAA or PCI Data

Monday 7 November 2011 - Filed under Cloud Computing

It’s good to get reminders of what we hopefully all know as security professionals, that Dropbox is not a solution for PHI, PII, PCI payment card data, or confidential financial data. Read on for the full story…

Analysis: Dropbox Carries Risks For SMBs
By Edward F. Moltzen, CRN
November 04, 2011 3:50 PM ET
http://www.crn.com/news/cloud/231902380/analysis-dropbox-carries-risks-for-smbs.htm?pgno=1

Dropbox, known as a purveyor of cheap cloud storage for consumers, is now targeting small and mid-sized businesses with a new service offering. However, SMBs considering the service need to bear in mind that it lacks key compliance certifications many businesses need, potentially leaving them open to significant financial penalties.

The new Dropbox for Teams cloud storage service does not meet the requirements of Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley law, executives and media representatives from the San Francisco-based company confirmed to CRN this week.

Failing to meet compliance requirements could carry catastrophic consequences to SMBs, including some businesses that Dropbox is targeting with its Teams cloud storage offering. Dropbox executives, though, defend the product saying customers who beta-tested it prior to launch were concerned with collaboration and ease-of-sharing, not PCI, HIPAA or SOX.

“This is not what our customers are asking about right now,” said Chenli Wang, team lead of business and sales operations for Dropbox regarding Dropbox for Teams’ lack of regulatory compliance. “But there are things we always evaluate. We are just getting started.”

Wang noted that SOX compliance is aimed at publicly traded companies, which Dropbox is not targeting with Teams. HIPAA compliance, he said, is “more complex” because “it is not just about the technology compliance, but also data access and practices. That is more around how the businesses themselves enforce policies.”

Still, Wang said, HIPAA compliance is an area that “we may potentially look at.”

With PCI compliance, Wang said, that benchmark is more directed at the storing of customer credit card and personal data and “that’s not what they’re using [Dropbox for Teams] for.”

The build out of cloud-based storage solutions, for both businesses and individual consumers, is encountering a push-pull between cost in a price-sensitive environment and need for security, privacy and regulatory compliance.

However, for many businesses, compliance could be the whole ballgame.

For example, here is what Bank of America says in an online FAQ about what happens to a business that does not comply with PCI regulations:

“If you do not comply with PCI [Data Security Standard], your business may face significant financial and reputational risks.

“If your cardholder data is compromised, you could be required to reimburse us for card brand fines ranging up to $500,000 per incident, as well as subsequent fraud losses incurred by card issuers resulting from the compromised card data, which may exceed fine amounts.”

In addition, Bank of America says, a business could have its entire account blocked for a lapse in PCI compliance. And that’s even if a business conducts fewer than 20,000 credit card transactions in a year.

With HIPAA, health care providers themselves are often small businesses with the same regulatory compliance requirements as large, multi-global health insurance companies.

Even SOX requirements could be a factor for small, privately held companies. Under the act, third-party providers of significant services to publicly traded companies — like VARs or consultants — have to maintain the same controls as the publicly traded companies themselves. So the impact of non-compliant technology in even smaller organizations could loom large.

Wang acknowledges that Dropbox does not provide any warnings for small businesses with its Dropbox for Teams service to let them know the risks of storing regulated data on its non-compliant infrastructure.

PCI compliance, Wang said, “may apply to a small subset of potential customers. For the vast majority, [the focus is on] collaboration and creative assets. We’re not talking about bank statements.”

He said that security, and functions like encryption, were in fact considered and included in the development of Teams, and customers have been happy with that. His comment comes after some customers of Dropbox’s consumer service have had security complaints.

In unrelated cases, Dropbox has been fending off customer concerns about its security for some time. Those concerns — which have led to at least two lawsuits and a complaint with the U.S. Federal Trade Commission — include the alleged access of some Dropbox employees to individual customer data, as well as a one-time glitch that allowed some customer data to be accessed even without a password. Dropbox has been defending itself vigorously against criticism of its security, however, and has not been deterred in working to expand its addressable market.

Launched primarily as a consumer-focused tool for storing a small capacity of data online, Dropbox last month disclosed that it was launching Teams for collaboration — targeted at SMBs. Dropbox for Teams, which is sold directly online, is priced at $795 per year for use by up to 5 people. Dropbox advertises Teams as providing “bank-grade” encryption, and the service allows for quick sharing of data stored in its online service — including via Apple’s iPhone.

The market for cloud-based collaboration and storage is crowded, and there are competing solutions that do provide regulatory compliance and channel support. These solutions include, for example, IBM’s IBM Lotus Connections combined with IBM Vantage.

On the issue of working through third-party solution providers, Wang said the company only sells Dropbox for Teams direct, not through a channel of solution providers.

While Teams may address needs for quick, low-touch solutions for cloud-based collaboration and sharing in an organization, the unaddressed risks it brings may become an increasingly important topic of conversation for even the smallest of businesses. The sooner and more focused that conversation begins, the better.

For now, there appears to be nothing wrong with using Dropbox’s base consumer service for storing innocuous files and having access to them across platforms. Moreover, many organizations may even find Dropbox for Teams to be a solid offering that is easier to use for file sharing and storage than e-mail.

However, for others, there may be $500,000 (or more) worth of reasons to be cautious about taking the quick, cheap and easy route.

2011-11-07  »  Joshua Spencer
