Will using Dropbox put your CEO in jail?


Credit: Pinar Ozger
Stephanie Tayengco of Logicworks, Luke Kanies of Puppet Labs, Richard Nicholson of Paremus, and James Urquhart of enStratus at Structure 2012

Stephanie Tayengco of Logicworks, Luke Kanies of Puppet Labs, Richard Nicholson of Paremus, and James Urquhart of enStratus at Structure 2012. (c) 2012 Pinar Ozger. pinar@pinarozger.com

With everything moving to the cloud, companies suddenly find themselves confronted with a whole new set of challenges. For example: Is all that stuff even legal? “There is a good chance that almost every organization that is out there that is using Dropbox or that is using Box is breaking the law,” proclaimed Puppet Labs CEO Luke Kanies (see disclosure) during the last panel of the day at GigaOM’s Structure conference Thursday.

Kanies wasn’t out to scare people, but he had a point: Most companies don’t even have internal rules for the use of data with cloud services, save for a clear understanding of the law. Fellow panelist and enStratus VP of Product Strategy James Urquhart agreed, pointing out that courts have yet to decide whether Fourth Amendment rights apply to documents saved in the cloud.

But legal issues like these are only one of the challenges facing companies as they move away from infrastructure-centric to app-centric architectures. The other is that people have to adopt an entirely new way of thinking. “A lot of organizations have problems with the application structure,” said Paremus CEO and Founder Richard Nicholson, and his co-panelists agreed: Putting apps at the center makes it necessary to rethink how companies are spending their money, and who makes the decisions about services. For example, Logicworks VP of Network Operations and Engineering Stephanie Tayengco said that she sees a lot of IT requests come from creative types, as opposed to more technically-oriented CIOs.

Of course, that shift also comes with tremendous opportunities: When IT provides a platform that allows people to experiment with apps as opposed to having IT sign off on every single project, great things can happen. And if IT isn’t ready for that, employees will just bring their own services to the work place and upload things to their personal Dropbox account. “One of the reasons is that if you ask your IT, whatever the question is, they say no,” quipped  Kanies. So people don’t ask, but start doing. Which is great, despite any potential legal challenges. Said Kanies: “It can be a low-risk way of letting that small team play with something.”

Disclosure: Puppet Labs is backed by True Ventures, a venture capital firm that is an investor in the parent company of this blog, Giga Omni Media. Om Malik, founder of Giga Omni Media, is also a venture partner at True.

Check out the rest of our Structure 2012 coverage, as well as the live stream, here.

Watch live streaming video from gigaomstructure at livestream.com



Very interesting post. Never given any though to the legal issues with all these cloud apps that we are using…


Deja vu anyone? Centralization vs decentralization of applications has been an IT issue for at least 15 years. It’s probably been an issue since cave painting was invented. Security? ID Management? Business vs IT control? Not to mention the debate over whether it’s best to keep everything, some things forever, some things for six months or a year? What if it can come back and bite you in the butt? What if it can save your butt.


Lots of FUD. Based on that criteria, would using Gmail also get them thrown in jail? What about using Crashplan or Mozy or Carbonite? All of these store data offsite. Also, I’m curious, which of these panelists has a degree in law?

Texas PC Geeks

Very good story. With all the legalities facing shared uploading sites, this has a lot of useful information to pass along.

Julia Mak

Maintaining data control and compliance requirements are major concerns for enterprise CIOs. The company I work for, Oxygen Cloud, solves the problem by providing mobile access to private, on-premise enterprise storage so companies can keep their data. We have successfully deployed with ING Direct Canada interviewed their CIO: http://youtu.be/y6bzjUJbCUU


I work for a company that provides a file sharing product that is an on-premise storage solution rather than cloud. We’ve had success in the healthcare industry because they can’t use Dropbox because of HIPPA.

Phil Cox

Please tell me exactly why “they can’t use Dropbox”? There is no technology restriction on HIPAA. You CAN use it if you do it right AND contractual language is appropriate. When you make blanket claims, please provide factual info for backup.


Which so many options for storing content online users end up with content in more than one service. Even if you like one service your friend or another group in the company might like some other service (say box or Sugarsync) and share files with you from that service so you have to interface more than one service at a time.

We, at Primadesk (www.primadesk.com), are working to help users manage all their cloud services and cloud content from one place. Users get a virtual view of all their content in one place and they can easily manage their content.


Presumably the laws at risk of being broken are the various regulatory laws and regimes like SOX, HIPPA, PCI, SEC etc. and the various international information custody and privacy regulations. This is still a very young area for caselaw and most of the questions revolve around information control. If you put content on a server somewhere outside of your control, are you still complying with the rules and regulations that govern that information? At this point adoption is ahead of regulation (a good thing for innovation!) but it can quickly snap-back in the event of some high-profile suit that re-establishes the requirement for businesses to maintain full control over all digital information for its life cycle.

Disclosure: I work for Digitiliti – a B2B cloud content and intelligent archiving company.


I think the writer thinks “save for” means “not even.”


I think the writer thinks “save for” mean “not even.”


“Kanies wasn’t out to scare people, but he had a point: Most companies don’t even have internal rules for the use of data with cloud services, save for a clear understanding of the law.” This sentence is gibberish. The writer obviuosly does not know what the phrase “save for” means.

Adam Block

The various grammatical and spelling errors in this obviously-not-proofread article aside (does no one hire a copy editor any more?), it never explains what exactly about using Dropbox stands a “good chance” of being illegal.


True Adam, it was pretty thin on information and not proofed well.

Comments are closed.