And anyone who stored that sort of data in Dropbox more or less had it coming. HIPAA & finance laws are very clear about the security they require -- Dropbox has always been hand-wavy in their explanation of their security.
What's your point? The IT guys can't catch a break, can they? If they say "no you can't install stuff on your machine", message board geeks are up in arms. But when normal people, for whom these computer systems are designed in the first place, make (layperson-) reasonable decisions about what folders to put files in, there's the message board geek again, harassing them for not understanding how transparent cloud file sync works under the covers and interacts with regulated data.
If you're a 'normal person', you shouldn't be making decisions about the security of my health-care or financial data. If you're in the position to make that decision, you should have been aware that Dropbox was not a "safe" third party.
On the part of the _users_ of Dropbox, I have empathy; for those running their medical/finance business on assumptions about Dropbox's security, I have nothing but enmity.
I hate to be the one to break this to you†, but normal people make up almost the entire chain of custody for regulated data. Normal people write your health records. Normal people check them out of databases and read them. Normal people load them into spreadsheets. Normal people generate reports. Businesses do not exist to support super-savvy BOFH's. It is rather the other way around.
I didn't say they do, but they should hire people competent to make educated decisions in the regulatory environment they're in. That's why they pay BOFHs -- not because they like our views, but because we _read_ the specs.
EDIT: To phrase less hostilely -- HIPAA and various finance laws consist of thousands of pages of what to do and what not to do. Dropbox is a shiny webpage that isn't PCI certified or HIPAA certified. If you chose to operate in a business that requires HIPAA/PCI and used Dropbox for that data, _you_ are at fault, not Dropbox, not the BOFHs, and not the coder. In the case of HIPAA, you would be the criminal.
A friend of mine worked for a drug company; medical data on patients (they were handling the side-effect reports) was just emailed around, and I know they had work documents on their home computers.
HIPAA does not have thousands of pages on what to do and what not to do. It's actually quite vague, and mostly comes down to fines after the fact. There's also no such thing as a government-sanctioned HIPAA certification. There are just random people willing to 'certify' you.
Very yes (we don't allow Dropbox† on our machines, but we know of companies that rely on it).
Grandalf's point is extremely well taken. It's actually true. Not only that, but regulated companies (in health care and finance) that have a reasonable belief that any of their systems might have had Dropbox on them technically need to audit now.
I point this out not to bag on Dropbox, but as an illustration of how sane some unreasonable-sounding IT policies (like, "you don't get to install random software on your desktop") turn out to be.