Advice about using Dropbox.com and other cloud services
Recently, UD Information Technologies (IT) received a request from technology support staff in the College of Agriculture and Natural Resources (CANR) for our comments on the use of Dropbox.com and other cloud services for storing University information. Because of news stories earlier this year, CANR staff were concerned about security breaches and a rapidly changing Terms of Service document at Dropbox.com. In short, CANR staff raised concerns about how commercial cloud providers handle file ownership, privacy, and security.
Use caution in storing information on Google Apps at UD, Dropbox.com, or any cloud service provider. Consider issues like those outlined below before storing data on any non-UD server:
- Privacy rules and regulations (FERPA, HIPAA, etc.)
- The safety of PNPI (personal non-public information such as SSNs, bank account information, etc.)
- The value of your intellectual property to your department and to the University
- Requirements imposed by non-UD owners of intellectual property you are using
- Research restrictions, including but not limited to:
  - Human subject privacy regulations
  - Grant restrictions
  - Export restrictions
  - Confidentiality agreements
- Critical nature of the information
Commercial cloud providers like Dropbox.com offer convenient file storage; however, “the cloud” is not a good long-term storage solution for certain research data or confidential information. Before you choose to store information on a non-UD server, you must carefully consider
- the sensitivity and critical nature of the information and
- any applicable privacy and security policies, laws, regulations or other restrictions.
If you have any questions about whether cloud storage (at Dropbox.com or any service provider) is an appropriate tool for your storage needs, contact your departmental or college IT administration or contact the central IT Support Center. (Submit a Help Request Form. Email firstname.lastname@example.org. Call 831-6000.)
- Cloud providers can be appropriately used to store non-critical, non-confidential, or non-sensitive information. However, IT urges faculty, staff, and researchers (including graduate students) to assess the relevance of Federal privacy regulations, Federal law, contractual obligations, and grant restrictions before moving University-related files and data to any non-UD storage solution.
- Consider the nature of the information:
  - University policy dictates that sensitive personal, non-public information (e.g., Social Security numbers, credit card numbers, protected health information, or confidential educational records) must be stored on encrypted media. Cloud providers do not typically provide an encrypted storage solution.
  - Other sensitive personal information: The University is regulated in many areas. These regulations come with requirements on how data can be accessed and where it can be stored. For example, it is not appropriate to store data regulated by the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA) on Dropbox.com or other cloud services.
  - Particularly if the University does not have a contract with the cloud provider, weigh the risks of data loss, data corruption, lack of availability, and disclosure of the data. Be conservative about storing critical information in the cloud: without an appropriate contract, you should only use cloud storage for information that can be replaced with little or no consequence.
- Use of cloud providers can introduce unknown risk:
  - The provider may or may not be able to deliver effective service consistently.
  - The provider may or may not have effective management controls in place: oversight of third parties, adequate insurance, disaster recovery and business continuity plans.
  - What if the cloud service provider is bought by another company? How would that sale affect data ownership, disaster recovery, privacy policies, and other issues that might affect UD data stored with a cloud service provider?
It may not be appropriate to use commercial cloud providers for certain research applications.
- Human subject research may involve the collection of private information or a promise of privacy or confidentiality to research participants. Do not assume that Dropbox.com—or any cloud provider—is a secure environment for such data.
- For financial reasons, many cloud providers locate some of their servers outside the United States. Because you do not know the physical location of the servers on which a provider stores your information, you should exercise caution if any of the information you store in the cloud is subject to any international or export restrictions.
- Research data with restrictions on the participation of foreign nationals, restrictions on publication (prior approval or prior review), or restrictions imposed by non-disclosure agreements should not be stored on a commercial cloud service. Researchers with questions as to whether or not this limitation applies to their projects should consult the University's Export Regulations or contact the University Export Compliance Officer as outlined in the University’s Export Compliance Program Manual.
- UD is frequently entrusted with IP owned by others as part of collaborative research or in the course of conducting University business. Third-party owners generally provide guidelines on the appropriate use and protection of that data. Consult those guidelines to determine whether the information security offered by Dropbox.com or other cloud providers meets them.
- Consult the University’s Intellectual Property Guide for more information. You could also consult UD’s Office of Economic Innovation & Partnerships about the appropriateness of storing IP at Dropbox.com or on any non-UD storage facility.
If you are using Dropbox.com or another cloud service primarily to send large datasets to colleagues at other universities, IT recommends using the secure UD Dropbox file transfer service instead: