


Is Dropbox Secure for Lawyers? (5 Reasons Why)

By Adam on December 28, 2023

As one of the leading cloud storage services in the market, Dropbox is an essential service to many lawyers and law firms who are looking to store sensitive client information.

But when storing your client's data in the cloud, it's important to understand the responsibility that comes with it, and how to keep your risk of data leaks and cyber threats low.

After all, as a lawyer, you're obligated to uphold:

  • Client-attorney privilege
  • Data regulations (GDPR, HIPAA)
  • The privacy of your clients

In this post, we are going to do a deep dive on Dropbox's security features so you can understand how they keep your data safe.

If you're looking for a quick answer to "is Dropbox secure for lawyers", then allow me to calm your nerves and tell you: Dropbox is secure for lawyers.

If you're interested in the "why", then read on! I'll go over the top reasons why Dropbox is safe for lawyers.

Reason 1: Dropbox Uses End-to-End Encryption

Dropbox encrypts all your files both in-transit and at-rest. This means only you and Dropbox have access to your files, and eavesdroppers won't be able to "listen in" when you're accessing your Dropbox files. This is perfect for law firms, where your client's files have to be completely confidential.

If you're not familiar with encryption, it is a way to protect information by ensuring only authorized parties can access certain data. It is more than just keeping your data in a secret spot; it is more like putting a lock on your data.

For example, it's not like hiding a flash drive in a drawer, but more like putting a flash drive into a locked industrial-grade vault where you're the only one with the key.

That explains encryption, but you may be wondering: what does it mean to encrypt in-transit and at-rest?

What is End-to-End Encryption?

There are two common moments when encryption is applied: in-transit and at-rest.

In-transit encryption means encryption is applied when you are uploading or downloading files from Dropbox. This is what keeps eavesdroppers (or a "man-in-the-middle") from accessing your data as it is being transferred between you and Dropbox's servers.

At-rest encryption means your files are protected with encryption while they are "sitting" on Dropbox's storage servers. This means, if someone happened to get access to your files via either direct access to a Dropbox data center or through unauthorized software access, they would not be able to access any of your files.

Because Dropbox has both in-transit and at-rest encryption, you can be confident that your files are stored and transferred securely. However, it's important to note that Dropbox is the owner of your keys, meaning they can always unlock your encrypted data without any warning (and so can any attacker who gets hold of those keys).

To be truly secure, you'll want to own your own encryption keys. We will cover this in the last section on Dropbox's integration with Boxcryptor.

Reason 2: Dropbox Is Compliant With International Data Security Regulations

Dropbox is GDPR compliant, SOC 2 compliant, and HIPAA compliant. It is even compliant with many different international regulations.

GDPR compliance is important if you do business with anyone from the European Union (EU), as the EU has strict rules on cyber security and user privacy.

SOC 2 compliance is a testament to Dropbox's overall security posture, proving that it has processes that ensure user privacy, data integrity, and availability. Dropbox has third parties audit it to ensure that it meets the rigid requirements of SOC 2 compliance.

HIPAA compliance is critical if your law firm will be storing any protected health information (PHI) on behalf of your clients. To meet HIPAA compliance, you will have to sign a business associate agreement (BAA) with Dropbox. This is standard practice, and is a common workflow for businesses who use Dropbox's business services. In fact, you may have already signed your BAA.

To learn more about HIPAA, check out the summary from the US Department of Health and Human Services found here.

In the remaining sections, we will discuss all of the security features Dropbox adds to prevent unauthorized access to your account, and the remediations Dropbox provides in case your devices are compromised.

Reason 3: Dropbox Has Multi-Factor Authentication (MFA/2FA)

According to a study by Microsoft, enabling multi-factor authentication (MFA/2FA) reduces the risk of your account being compromised by over 99% (see full study here). You'll be glad to know that all Dropbox accounts support MFA, which means the odds of anyone at your firm having their account compromised are very low.

If you're not familiar with MFA, it is just an additional step where you verify a code from your email, a text, or an authenticator app as you log in. Typically, MFA proves that you have some physical device, which is the reason why it is secure. An attacker would need to gain access to your physical property.

On top of having MFA, Dropbox also allows you to require MFA for all logins, so you can be sure that everyone's account has the protections afforded by MFA.

I strongly suggest you enable an MFA policy at your law firm, as requiring MFA is the easiest way to keep your firm secure.

Reason 4: Dropbox's Remote Wipe Feature

[Image: Wiping Devices with Dropbox's Remote Wipe Feature (Image Source)]

One of Dropbox's best productivity features is the ability to sync your files between your computer and the cloud. However, this opens up a security threat if any of your physical devices are stolen.

To combat the threat of physical media theft, Dropbox has a feature called Remote Wipe that allows you to delete data from your device even if you don't have access to it anymore.

This is an awesome additional security measure that Dropbox provides for all devices including laptops, phones, tablets, and desktops.

Just be aware that you need to have a Plus, Professional, or team plan to use Remote Wipe.

Reason 5: Dropbox's Boxcryptor Integration (Not Available Yet)

[Image: Dropbox's Acquisition of Boxcryptor (Image Source)]

In 2022, Dropbox announced that they are acquiring Boxcryptor. Boxcryptor is a service that runs on top of cloud storage providers like OneDrive, Box, and Dropbox that provides zero-knowledge encryption (sometimes known as private encryption).

You might be wondering: if Dropbox already has end-to-end encryption, why would you need anything else (like zero-knowledge encryption)?

The answer lies in who has the keys to unlock your encrypted data. If you're just using Dropbox's standard end-to-end encryption, Dropbox is the owner of the keys, and therefore, they are free to view your data at any time. This also means that if there is a security breach at Dropbox, and keys are leaked, attackers would also gain access to your information.

With zero-knowledge encryption, you have the keys to your own data. This means that even if Dropbox wanted to, they couldn't view your data.

The Dropbox and Boxcryptor integration is not yet complete, but when it is, Dropbox will be providing zero-knowledge encryption for all its business tier users.
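
To make the key-ownership difference concrete, here is an added example (not Dropbox's or Boxcryptor's code, and not from the original post) of encrypting a file on your own machine before it ever reaches cloud storage. It uses Node.js's built-in crypto module; the passphrases and the memo text are constructed sample values.

```javascript
// Added example: client-side ("zero-knowledge") encryption before upload.
const crypto = require("node:crypto");

// Derive a 256-bit key from a passphrase that never leaves the firm.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Encrypt locally; the returned object is all the storage provider ever sees.
function encryptForUpload(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit nonce for AES-GCM
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt after download; returns null on a wrong key or a modified blob.
function decryptAfterDownload(blob, passphrase) {
  try {
    const key = deriveKey(passphrase, blob.salt);
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.iv);
    decipher.setAuthTag(blob.tag);
    return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]).toString("utf8");
  } catch (err) {
    return null; // authentication failed: wrong key or altered data
  }
}

// Constructed sample document and passphrases (not real data).
const memo = "Privileged: settlement strategy for a constructed sample matter";
const stored = encryptForUpload(memo, "firm-held passphrase (sample)");

// The firm, holding the key, recovers the memo.
const firmView = decryptAfterDownload(stored, "firm-held passphrase (sample)");
// Whoever holds only the stored blob (the provider, or someone who breached it) cannot.
const providerView = decryptAfterDownload(stored, "provider has no passphrase");
// A blob altered in storage is rejected instead of decrypting to garbage.
const tampered = { ...stored, ciphertext: Buffer.from(stored.ciphertext) };
tampered.ciphertext[0] ^= 0x01;
const tamperedView = decryptAfterDownload(tampered, "firm-held passphrase (sample)");

console.log({ firmView, providerView, tamperedView });
```

The trade-off is that a lost passphrase means lost data, since nobody else holds a copy of the key.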

What Security Features is Dropbox Missing? (Dropbox vs OneDrive)

While Dropbox has an adequate set of security features, it is missing some features that other cloud providers (like OneDrive) have. For that reason, I'd say that Dropbox is less secure than an enterprise solution like OneDrive.

Here are some features that OneDrive has, but Dropbox doesn't:

  • Safe Link scanning
    • OneDrive automatically scans links and detects phishing and malware
  • Malware detection
  • Data Loss Prevention (DLP) Policies
    • With OneDrive, you can create DLP policies that offer an additional layer of defense against your client's private information being leaked (e.g. social security numbers, credit card numbers, HIPAA/PHI data).
    • Automatic remediations can be applied which delete and report before any data is leaked.

If you really want to be sure your client data is safe, I recommend looking into OneDrive over Dropbox. While each of these security features is not critical for Dropbox to have, as a whole, they add up to what could be a deal-breaker if you need that extra level of defense against cyber threats.

Need to Share Files with Clients Securely? Consider a Secure Client Portal


While Dropbox is certainly secure, it wasn't designed for sharing files with clients. This is because it is mainly a cloud storage service, and not a client portal. Many law firms choose to use a secure client portal instead, because it is a more seamless experience for their clients and comes with essential productivity features.

Some features you'll find in a client portal for law firms are:

  • Secure file sharing with clients
  • A secure messenger to send clients encrypted messages
  • Email and desktop notifications for all portal activity
  • Audit trails for every action (login, file download, file upload, etc...)
  • Client multi-factor authentication (MFA/2FA) support
  • E-signatures
  • Custom forms to collect specific client information
  • Secure email via Microsoft Outlook
  • An internal knowledge base builder to share internal business documents and trainings
  • Desktop and mobile support

Additionally, with a client portal, each client has their own account, which allows clients easy access to their files and an open channel of communication with their lawyers.

If you're looking for a secure client portal for your law firm, you can't go wrong with Foyer. Foyer is a secure client portal that is built for law firms and provides every feature your law firm would need, all at a great price ($10 per month per internal user).

You can get started today for free (no commitment) by visiting our onboarding page. Onboarding is automatic and takes 1 minute. If you have any existing data, Foyer's support team is around to assist with any migration needs you have.

Thanks for reading! If you have any comments or feedback please send a comment below. Whether you're sticking to Dropbox or using Foyer, I wish all the best for your firm!

