You may have heard of Dropbox, SecuriSync, Citrix ShareFile, Rackspace and similar electronic file sharing and storage service providers. You may even use one of these service providers. But are they safe? This is an important conversation to have from both individual and business perspectives.
In today’s electronic-driven environment, businesses and individuals should be aware of the risks associated with sending, receiving and storing sensitive information, such as tax information, using electronic file sharing and storage service providers. While they may be a free or low-cost and convenient file sharing and storage solution, they are not the most secure way to transfer and store sensitive documents. In short, the privacy concerns appear to far outweigh the convenience and affordability.
It is nearly impossible to listen to the news today and not hear reports of hackers gaining illegal access to large corporate networks and stealing sensitive customer information, such as credit card numbers, bank account information, names, addresses and other personal information. Users of electronic file sharing and storage service providers are vulnerable to such hacking, as well. Using Dropbox as just one example: If a hacker was to get their hands on your encryption key, which is possible since Dropbox stores the keys for all of its users, hackers can then steal your personal information stored on Dropbox. Just recently, Dropbox reported that more than 68 million users’ email addresses and passwords were hacked and leaked onto the Internet. In August 2016, Dropbox sent out notifications to users recommending they change their passwords.
As if the thought of a hacker gaining access to your personal information is not alarming enough, potentially even more concerning is the fact that because these service providers own their own servers, they also own any information residing on them. Hence, they can legally access any data on their servers at any time. Additionally, many of these companies house their servers outside of the United States, which means the use, operation, content and security of such servers may not be protected by U.S. law.
Furthermore, consider the policies regarding the sharing of your information with third parties. Among others, Dropbox has said that if subpoenaed, it will voluntarily disclose your information to a third party, such as the Internal Revenue Service.
We at the Tax Accounting Group of Duane Morris (TAG) go to great effort to minimize our client data from exposure to unwanted breaches and avoid risk of outsiders’ willingness to turn over our clients’ personal information to third parties. TAG has consistently discouraged clients from using such services regarding their taxes, and instead, for many years and at no cost to our clients, have provided safer alternatives for file sharing, including secure and encrypted software and personalized portals. We believe it is worthwhile for businesses and individuals to thoroughly consider the methods they select to share and store their personal data electronically.
Recently, our colleagues in the Information Technologies and Telecom Practice Group of Duane Morris LLP issued an Alert in response to the recent national cyberattack. While this Alert primarily focuses on business electronic breaches, it illustrates the potential risks, as well as steps businesses (and to a certain extent, individuals) should consider to ensure readiness in the event of a cyberattack.