July 15 (Westlaw Journals) - Online “cloud” storage provider Dropbox Inc. failed to secure users’ private data or to notify the vast majority of them about a recent data breach, according to a putative class-action suit filed in California federal court.
Plaintiff Christina Wong sued the San Francisco-based company in the U.S. District Court for the Northern District of California. Her five-count complaint state claims for:
• Violation of California’s unfair-competition law, Cal. Bus. & Prof. Code § 17200.
• Invasion of privacy (including intrusion), public disclosure of private facts, misappropriation of likeness and identity, and violation of the state constitutional right to privacy.
• Negligence.
• Breach of express and implied warranties.
Wong seeks to lead a plaintiff class comprising all current or former Dropbox users as of June 19 whose accounts were breached.
Dropbox is an example of the increasingly popular “cloud computing” phenomenon. Cloud computing refers to the offering of storage services and applications over the Internet, or “in the cloud.” Examples of cloud computing applications include Google's Gmail, Docs and Calendar applications; Microsoft's Azure; and Apple's MobileMe.
To that end, Dropbox is a service that allows users to move their files from their personal computers to the company’s Internet-accessible servers. Dropbox advertises its service as allowing users to access their files from anywhere using practically any device, including a laptop, tablet or smartphone.
According to the complaint, one of the most highly touted benefits of Dropbox’s service is its security. The company says it is secure enough that users should feel comfortable storing confidential, personal and business information, the complaint says.
However, Wong claims, Dropbox had a bug in its system that allowed logged-in users to access data contained in other users’ accounts. The company then failed to take any steps to notify users of the breach and instead only mentioned it in an obscure post on its official blog, the suit says.
The blog post Wong references says the breach was discovered at 5:41 p.m. June 19 and that a fix was live on its system five minutes later. The company says it ended all logged-in sessions at the time of the breach as a precaution and that the breach only affected a small percentage of its users (fewer than 100).
”This should never have happened,” the blog post said. “We are scrutinizing our controls, and we will be implementing additional safeguards to prevent this from happening again.”
In addition to class certification, the suit is seeking an order requiring the defendant to better secure its site. It also seeks damages, costs, injunctive relief and attorney fees.
U.S. Magistrate Judge Laurel Beeler is slated to hear the case.
Wong et al. v. Dropbox Inc., No. 11-CV-3092-LB, complaint filed (N.D. Cal. June 22, 2011).
(Reporting by Joe Hylkema, Westlaw Software Law Bulletin)