Dropbox is not a good choice for REALTORS® to store and share sensitive information. The service was designed to let casual users share vacation pictures and other non-critical items with friends and family. Even though Dropbox has added some pricey “business” features, neither the free nor the business versions address the basic security needs of the real estate industry, with its specific processes and regulatory mandates. If you are a broker or REALTOR® and you are using Dropbox for any part of the document or transaction management process, you are using the wrong tool.
Dropbox fails the three tests of computer security: confidentiality, integrity, and availability. Can you trust the service to allow only the right people to access your documents at appropriate times? Can you rely on it to make sure your documents have not been altered in a way you don’t want, and that they reflect the actual state of what you’ve done with them? And can you be certain that your documents will be available when you need them over the long term?
When REALTORS® put files on Dropbox with the intention of sharing them with each other and with clients, they are not fulfilling their duty to keep them confidential; this lapse can come back to haunt them if they are later held accountable legally. From a security perspective, Dropbox is simply not the way to go. Every year since 2011, Dropbox has had its annual security breach; apologies are made, invitations to change passwords are extended, and business continues as usual. To be fair to Dropbox, many companies have fallen prey to security problems in a time when threats are both aggressive and persistent. But Dropbox never seems to fully lock the barn door, even after the horse escapes three years in a row. As a result of a Dropbox breach, you may be obligated to do your own client notification, which would cost you time, money, and reputation.
Sharing files on Dropbox relies on a discredited security principle called “security through obscurity.” To share a folder, you hand out a web address Dropbox gives you with a sequence of fifteen random numbers and letters in it. The person with whom you want to share then goes to that web address, and can get your files. Who could possibly guess fifteen random numbers and letters? Your password is probably shorter than that. Short answer: people aren’t good at it, but computers are. Dropbox just doesn’t provide the strong level of authentication required to protect unauthorized access to the kind of sensitive information REALTORS® may post.
Integrity is the second security criterion on which Dropbox falls down. When dealing with real estate transactions, it is crucial to know who has made what changes to a file at what time. It is equally important to be able to reverse changes that have been made, and to “lock” files against further modification. Dropbox for Business will allow you to retrieve prior versions of a file, but provides no indication as to how or by whom it was modified, and nothing prevents two people from working on the same file at the same time and overwriting each other’s work.
The final security criterion where Dropbox comes up short is availability. Dropbox makes no guarantees as to how long your files will be available to you or, for that matter, how long they will be in business. Canadian real estate brokers are required by regulators to keep all records for five years, with some variation in when that period starts. If Dropbox’s cloud-based hardware fails or if they suffer an adverse business event, you will be out of compliance, or, at the very least, scrambling to find a new home for your files. There is already precedent for Dropbox’s suffering an adverse business event. On June 1, 2011, Dropbox announced new Terms of Service, which essentially stated that all material they hosted was now their intellectual property. People’s first reaction was to take their files off Dropbox immediately. Dropbox backpedaled furiously within a day; this had been a clear overreach on the part of their lawyers. But if a mass exodus had continued, it would have brought the company down, leaving its remaining customers with a serious records retention problem. This incident should also make clear that Terms of Service on cloud-based services like Dropbox can change without notice, and many Terms of Service assert that you automatically assent to changes by your use of the service. Dropbox may remain up, but you may need to move your files. Dropbox itself may change or become unavailable without notice and you will have no recourse.
There are safe alternatives to Dropbox that have been developed with the real estate industry in mind. They’re called “document management systems,” and they go beyond simply sticking files in the cloud and retrieving them later. They allow you to grant different levels of access to different parties, track the changes to documents and establish when people have seen them, check for missing documents, manage document approval and review, and a good deal more. They cost less than Dropbox for Business. And they allow you to stay compliant with regulatory requirements for data confidentiality, integrity, and availability. Dropbox isn’t even an alternative; it’s an accident waiting to happen.