• United States



Change in Dropbox’s Terms and Conditions Highlights Fundamental Cloud Issue

May 03, 20112 mins
Data and Information Security

As you may no doubt have read, online storage vendor Dropbox recently updated its terms and conditions to reflect that it may be required to turn over customer data stored on its servers in response to governmental requests. The change is not unique to Dropbox. It is simply reflecting a fact-of-life for all cloud providers: the government has broad rights to compel such providers to turnover customer information stored on their servers. In many cases, this disclosure is done without notice to the customer.

Since data may be subject to governmental subpoenas and other requests regardless of its location (either remote or locally) there is no way to avoid disclosure. The risk raised by storage in the cloud, however, is that the disclosure may be made without notice to the customer. That is, the customer would not have the opportunity to seek court intervention to limit the disclosure request or avoid it entirely.

If the data was stored locally, the customer would be on notice from the minute the request is made and, potentially, be in position to take action to ensure its data is protected. By electing to store its data in the cloud, the customer is potentially assuming the risk of not receiving notice.

While the best protection in this situation is to negotiate with the cloud provider to require immediate notice if it receives a request for disclosure of its data, this will not be possible in many instances. Even with that protection, in some instances the cloud provider may be prohibited by law from giving the notice. The only way to be sure of having notice in the event of the request is to locally host the data. Since this is clearly not a reasonable solution for most businesses, they must appreciate this risk and use their best efforts to include at least some minimal protection in their cloud contracts for notice.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author