Dropbox Pursues Business Accounts, But Falls Short On Privacy Laws

deadeyefred writes "Dropbox last month launched its Teams service, targeted at small and mid-sized businesses — but acknowledges it's not PCI-, HIPAA- or Sarbanes-Oxley compliant. Company executives say they also don't provide a highly visible warning largely because customers in beta tests didn't make it an issue. Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?"

Compliance == Smart Business

[ohnocitizen]

If they are smart they will be compliant, and advertise that highly. How long until a competitor springs up who is compliant? When it comes to business needs, security is rightly a key focus. Not catering to that is ignoring the very market they want to serve.

Re:Doesn't matter

[Sancho]

It's all in the PCI DSS, which you can find via Google. Generally speaking, you have to isolate the machine on which the encrypted data is stored. I believe the requirements still call for the machine to be behind a NAT firewall, to be accessed with two-factor authentication, and for passwords to adhere to certain requirements as well as be changed every 90 days. The entire system has to be documented including network diagrams (that you probably won't have from Dropbox--I doubt that a giant cloud would be sufficient, but I could be wrong.)

They don't need warnings.

[flimflammer]

Companies should assume they are not compliant unless the company tells them they are. I don't think Dropbox should need to put they are not compliant on their webpage, but they should be able to answer questions regarding their compliance if asked by a prospective business client.

get a clue

[Tom]

Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?"

Neither. With all of those compliance regulations, it is the job of the company to ascertain compliance. You don't assume anything - if you do, you're not compliant. You not only need to know, you need to document your knowledge.

So really, it's a non-issue except that it means Dropbox won't be used in environments that require this kind of compliance.

Disclaimer: I used to be SOX compliance manager. I know what I'm talking about. /. would be a much better place if people submitting stories would, too.

Re:Call me old fashioned

[mark_elf]

Some mook I was working for forced a team of ten of us onto dropbox last year because we weren't all in the same office and he couldn't figure out how to FTP. The dropbox advertising seemed very simple and reassuring to him. It makes sharing files easy! It was the right thing. Immediately everyone was walking around saying how they loved dropbox! It has a very simple graphic design people liked, like Apple computers and Google websites (most of the people on the team were "creative"). They even have an iPhone app!

The first thing that happened was some other mook accidentally the entire share because he didn't need all the files, not understanding how the folders are synced. There is no "mook" permission, no permission structure at all. Just in or out.

After that, none of us were shared with "everything" anymore, so it became a completely unmanageable mishmosh of invites. Everyone used different folder structures and ways of naming things, which you have to live with. The dumbest person on the team gets to set the SOP, which is just chaos of course. The only people who liked it were the ones who dumped files on there and didn't have to ever open them again (graphic designers). It tends to fill up your hard drive with stuff that maybe has a 20% chance of being for you. People work to these folders because they are local, not realizing or caring that everyone else has to download all their crap.

So when everyone is in the same room, it nukes the wi-fi completely as everyone tries to sync the same garbage at the same time.

If you do really care about a file, you have to copy it out of the dropbox folder so that someone else doesn't fuck it up. So you have to have two copies of everything. It ends up being a kind of fuzzy FTP anyway, which you have to manage, but is not manageable.

If you understand email and FTP you don't need it. If you don't understand those things, you definitely will not understand dropbox. I learned this when someone kept asking me to just "show her where the files are".

So to answer your question, you should trust them because they make sharing your files easier.