Change in Dropbox’s Terms and Conditions Highlights Fundamental Cloud Issue

As you may no doubt have read, online storage vendor Dropbox recently updated its terms and conditions to reflect that it may be required to turn over customer data stored on its servers in response to governmental requests. The change is not unique to Dropbox. It is simply reflecting a fact-of-life for all cloud providers: the government has broad rights to compel such providers to turnover customer information stored on their servers. In many cases, this disclosure is done without notice to the customer.

Since data may be subject to governmental subpoenas and other requests regardless of its location (either remote or locally) there is no way to avoid disclosure. The risk raised by storage in the cloud, however, is that the disclosure may be made without notice to the customer. That is, the customer would not have the opportunity to seek court intervention to limit the disclosure request or avoid it entirely.

If the data was stored locally, the customer would be on notice from the minute the request is made and, potentially, be in position to take action to ensure its data is protected. By electing to store its data in the cloud, the customer is potentially assuming the risk of not receiving notice.

While the best protection in this situation is to negotiate with the cloud provider to require immediate notice if it receives a request for disclosure of its data, this will not be possible in many instances. Even with that protection, in some instances the cloud provider may be prohibited by law from giving the notice. The only way to be sure of having notice in the event of the request is to locally host the data. Since this is clearly not a reasonable solution for most businesses, they must appreciate this risk and use their best efforts to include at least some minimal protection in their cloud contracts for notice.