Privacy & Cybersecurity Law Blog

A putative class action complaint filed on June 22, 2011, in the United States District Court for the Northern District of California alleges that the popular cloud-based storage provider Dropbox, Inc. failed to secure users’ private data or to notify the vast majority of them about a data breach.  According to the complaint, Dropbox announced in a blog post on its website that it had “introduced a bug” on June 19, 2011, which allowed users logged in to its system to log into other users’ accounts and access those users’ data stored on Dropbox.  The complaint further claims that Dropbox did not notify most, if not all, of its 25 million users that their information had been compromised.  The complaint defines the plaintiff class as all current or former Dropbox users as of June 19, 2011, whose accounts were breached.

The suit – which states claims for violation of the California unfair competition law, invasion of privacy, negligence, and breach of express and implied warranty – is the second recent legal challenge to Dropbox’s security measures.  As we previously reported, in May 2011 a complaint submitted to the Federal Trade Commission alleged that Dropbox made false claims about the security of its users’ data.

Among other things, the plaintiffs allege that Dropbox’s failure to disclose the breach to users constituted a fraudulent act or practice in violation of California’s unfair competition law, and that Dropbox violated users’ reasonable expectation of privacy in the private data they stored on Dropbox by failing to safeguard their data.  The negligence claim states that Dropbox failed in its duties to have procedures preventing unauthorized access of private data, and to disclose the breach in a timely manner.

The complaint requests that Dropbox institute reasonable security measures to prevent similar incidents in the future, and actual, compensatory, punitive, and statutory damages, injunctive relief, attorneys’ fees and costs.