So, Here Is Some of What I Am Seeing
Especially at work. At work (I work for the government), the people in my department were working with a local (but large) police department to implement a solution using one of these online public cloud services. That police department backed out at the last minute. Why? Because neither of the BIG providers is CJIS-compatible. They wanted to keep criminal and case data on the public clouds so it is readily available to everyone. Unfortunately, we have laws governing this in the U.S. The Criminal Justice Information Service dictates standards and, despite the use of a police officer in one of their testimonial ads, neither of the big guys is legal for them to put this data on. Let's also look at the medical industry: doctors, Health Maintenance Organizations, etc. There are also laws that dictate what a doctor's office can and cannot do. This is commonly referred to as "HIPAA" or "HITECH". Please look these up. While they do say that medical records must be encrypted while at rest or in transit (over a network), they also specify who is not allowed to view this data.
So, what it boils down to is this. Let's take Google, but you will find that Dropbox is about the same:
If you are dealing with criminal data, CJIS has a say in who can see that data. If you are dealing with medical records, HIPAA dictates the same thing. Both of the BIG services discussed here tell you straight up front that they look at your stuff, that their employees look at your stuff. There are articles out there that say you may be subject to a HIPAA fine if you put this kind of data on these services. At my office, a violation (not a breach) is supposed to bring a fine of $1.5 million. Google, only as an example, has stated that no public cloud is compatible with CJIS. Not true; take a look at DATAMAXX (two X's). As far as HIPAA is concerned, reportedly, Google said that THEY are not subject to HIPAA laws. That has not been determined one way or another, to my knowledge, but certainly the medical offices that put data on these services are responsible. Google (according to their FAQs) assumes "no responsibility" for the user's HIPAA certification.
So, if we go back to the original question asked, should one put their business data on Google or Dropbox? The answer is that it depends. Was the person part of a medical group? Were they a government agency or a law firm concerned with confidential case data? Were they one of the myriad firms that I buy things from, and are they planning to keep my credit card data online? (Just like HIPAA and CJIS, the credit card processors have to conform to a set of laws called the FACT Act.)
I don't believe that any of the general public services screen any of their employees, especially with servers kept around the world. Do they read your UPLOADS? The big guys say that they do read them. It's in the Terms, and I'm not making this up. Is this a violation? Maybe? I don't know if it is, but it should be. I'm not sure I trust my credit card, medical information or criminal history to someone in a foreign country who makes a lower wage than someone making U.S. minimum wage. I'm not prejudiced, but look at the economics.
On the question of losing your data: while I know that both Google and Dropbox have had hacking "adventures" that exposed data, I don't know if they ever lost data, at least permanently. If they don't like your data, they say they can shut down your account, but I don't know if anything has ever gotten permanently lost. But hardware and software issues could result in temporary loss of your data, even when you need it the most, like during a presentation. Read their terms. They all say that they have NO RESPONSIBILITY for anything.