Dropbox is not appropriate for all kinds of data.
The following categories of legally protected data are inappropriate for storage on Dropbox:
- Data subject to United States export control or trade embargo regulations. Cloud-based storage platforms may be acceptable for some forms of Controlled Information, please contact the Export Office for further information.
- Social Security numbers, driver's license or other state ID card numbers, and financial account, credit card, or debit card numbers. If you have a need to store this information, contact firstname.lastname@example.org for guidance.
- Third-party data received under a Data Use Agreement that specifies particular methods for securing data
If you are unsure if you are handling legally protected data, please contact IS&T at email@example.com for assistance.
The following categories of legally protected and sensitive data are appropriate for storage on Dropbox, provided that you take reasonable steps to secure the data in your Dropbox account:
- Student information
- Confidential information about employees
- Information about human research subjects
- Data received subject to access and use restrictions under a Data Use Agreement or Nondisclosure Agreement
- HIPAA-protected data or other personally identifiable health information. MIT has signed a BAA agreement with Dropbox, but it does not cover Dropbox Paper files. HIPAA-protected data should NOT be stored in Dropbox Paper.
- Other information of a confidential or sensitive nature
Such data should be reasonably secured by sharing only with persons who need to access the data for a permissible purpose, and under strict instructions that these persons (a) may not share the data with any third party, absent permission from you, and (b) should delete the data from their local systems when they are finished with it.
Devices used to access such data should be appropriately protected regardless of where the data is stored. Please review IS&T guidelines for device encryption and Encrypting a file before sharing for guidance.
When using Dropbox, you should always:
- Comply with applicable laws and MIT's policies, including those relating to Responsible Use of IT Resources
- Be mindful of your folder settings, and locate data appropriately
- Double-check the security settings on any folders prior to sharing them with another Dropbox user.
- Remember the "analog hole": once data has been converted to a human readable form, there is no way to truly protect it. For example, even a PDF file with printing, saving, and copying restrictions can still be copied if the recipient uses a screen-capture tool, takes a picture with a mobile phone, or even copies the document longhand onto a piece of paper. Therefore, you should only share data with those you trust, and with only the minimum number of people necessary.
Dropbox should never be used to:
- Infringe others' intellectual property rights, including by sharing copyrighted content
- Violate the privacy of others
- Distribute harmful or malicious code