Analysis: Dropbox Carries Risks For SMBs


Dropbox, known as a purveyor of cheap cloud storage for consumers, is now targeting small and mid-sized businesses with a new service offering. However, SMBs considering the service need to bear in mind that it lacks key compliance certifications many businesses need, potentially leaving them open to significant financial penalties.

The new Dropbox for Teams cloud storage service does not meet the requirements of the Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley law, executives and media representatives from the San Francisco-based company confirmed to CRN this week.

Failing to meet compliance requirements could carry catastrophic consequences for SMBs, including some businesses that Dropbox is targeting with its Teams cloud storage offering. Dropbox executives, though, defend the product, saying customers who beta-tested it prior to launch were concerned with collaboration and ease-of-sharing, not PCI, HIPAA or SOX.

“This is not what our customers are asking about right now,” said Chenli Wang, team lead of business and sales operations for Dropbox, regarding Dropbox for Teams' lack of regulatory compliance. “But there are things we always evaluate. We are just getting started.”

Wang noted that SOX compliance is aimed at publicly traded companies, which Dropbox is not targeting with Teams. HIPAA compliance, he said, is “more complex” because “it’s not just about the technology compliance, but also data access and practices. That is more around how the businesses themselves enforce policies.”

Still, Wang said, HIPAA compliance is an area that “we may potentially look at.”

With PCI compliance, Wang said, that benchmark is more directed at the storing of customer credit card and personal data and “that’s not what they’re using [Dropbox for Teams] for.”

The buildout of cloud-based storage solutions, for both businesses and individual consumers, is encountering a push-pull between cost in a price-sensitive environment and the need for security, privacy and regulatory compliance.

However, for many businesses, compliance could be the whole ballgame.

For example, here’s what Bank of America says in an online FAQ about what happens to a business that does not comply with PCI regulations:
