And anyone who stored that sort of data in dropbox more or less had it coming. HIPAA & finance laws are very clear about the security they require -- dropbox has always been hand-wavey in their explanation of their security.
What's your point? The IT guys can't catch a break, can they? If they say "no you can't install stuff on your machine", message board geeks are up in arms. But when normal people, for whom these computer systems are designed in the first place, make (layperson-) reasonable decisions about what folders to put files in, there's the message board geek again, harassing them for not understanding how transparent cloud file sync works under the covers and interacts with regulated data.
If you're a 'normal person', you shouldn't be making decisions about the security of my health-care or financial data; If you're in the position to make that decision, you should have been aware that dropbox was not a "safe" third party;
On the part of the _users_ of dropbox, I have empathy; In part of those running their medical/finance business on assumptions of dropboxes security, I have nothing but emnity.
I hate to be the one to break this to you†, but normal people make up almost the entire chain of custody for regulated data. Normal people write your health records. Normal people check them out of databases and read them. Normal people load them into spreadsheets. Normal people generate reports. Businesses do not exist to support super-savvy BOFH's. It is rather the other way around.
I didn't say they do, but they should hire people competent to make educated decisions in the regulatory environment they're in. That's why they pay bofhs -- not because they like our views, but because we _read_ the specs.
EDIT: To phrase less hostilely -- HIPAA and various finance laws consist of thousands of pages of what to do and what not to do. Dropbox is a shiney webpage that isn't PCI certified or HIPAA certified. If you chose to operate in a business that requires HIPAA/PCI, and used dropbox for that data, _you_ are at fault, not dropbox, not the bofhs, and not the coder. In the case of HIPAA - you would be the criminal.
Friend of mine worked for a drug company, medical data on patients (they were handling the side-effect reports) was just emailed around, and I know they had work documents on their home computer.
I would never be foolish enough to say it _doesn't_ happen, simply that the rules say it _mustn't_ happen. Anyone who ends up complaining that they're forced to disclose because they didn't follow best practices, just learned why they're best practices.
I admit readliy it's mostly the problem of bad luck (being targeted) or careless (losing emailed reports w/ identifying data <g>) - but if and when that drug company gets sued for something like that, guess which side the law will be on?
HIPAA does not have thousands of pages on what and what not to do. It's actually quite vague, and mostly comes down to fines after the fact. There's also no such thing as a government sanctioned HIPAA certification. There's just random people willing to 'certify' you.
Quite right -- a better example is PCI compliance (hundreds of pages IIRC, and several volumes depending on exactly what you're doing; not a law, but similar ramifications if you don't comply);
Still, complying with HIPAA does make one point _very_ clear -- audit controls - Dropbox has none exposed to you, and thus it simply does not comply unless you have your own layer of controls (encryption) on top.
It also seems to fall down under 'Standard: Person or entity authentication' as well, but that's just me being snarky.
Health-care and finance are places with legal (or contractual) obligations -- and that was my main point: if you have a set of rules (or even best practices), and you fall afowl of them, don't go screaming that someone else is to blame.
