It was big news last month when Dropbox, the popular cloud storage provider, announced that it was offering new multiuser business accounts at a competitive price. The business, which initially launched as a consumer service, announced that it would now be offering its new service to small and medium-sized corporate clients. Corporate users would be able to create virtual disk folders on their computers which would be mirrored on the cloud and would be available anywhere.
The promotional information for the new service promoted its high level of security, which includes password protection and user-side encryption. What Dropbox did not easily disclose in its promotional materials was that the service does not meet the requirements of the Payment Card Industry (PCI) standards, the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley law. Use of the service by a corporation subject to these rules could result in substantial fines and penalties.
Although many similar services also do not meet these requirements, Dropbox’s new service is directed not at the home user but at corporate customers in industries likely to be governed by these regulations. Dropbox’s explanation for not emphasizing this shortcoming in its promotional literature was that its customers were more concerned with collaborative ease than with regulatory compliance.
Ultimately, this is an example of the basic rule of all cloud computing – user beware. A corporation in a regulated industry needs to be proactive in confirming that a service which it intends to use fulfills its regulatory requirements. Furthermore, corporations need to create, promote and enforce internal guidelines to avoid use of cloud-based services which could result in regulatory violations. For such guidelines to be effective, the company’s employees need to be educated to avoid using such services for company information without prior company approval.