This is a ridiculous response, and one which seems very ungrounded in the law. Dropbox made a mistake—a big one. They pushed bad code to production that allowed for unauthenticated account access.
But, they're still a startup. There's no SLA. They responded quickly, fixed the bug as soon as they caught it, and have been thorough in investigating any unauthorized access of accounts.
Why sue them? It's just going to disrupt a very good service. It's not going to help them recover (I'm sure they've already learned heavily from the mistake.)
> This is a ridiculous response, and one which seems very ungrounded in the law.
What is the basis of such assertion? Let the courts decide that if the basis is unfounded or not.
> But, they're still a startup.
This is no excuse, if you charge money for your services AND claim to be military grade secure with respect to data. https://www.dropbox.com/security
> There's no SLA. They responded quickly, fixed the bug as soon as they caught it, and have been thorough in investigating any unauthorized access of accounts.
They took 4 hours to know entire dropbox was accessible to everyone, and tried to sweep the incident under the rug by not emailing the issue to users.
> Why sue them? It's just going to disrupt a very good service. It's not going to help them recover (I'm sure they've already learned heavily from the mistake.)
Because they are not entitled to be on the goodside of the user, which unacceptably bad handling of the situation. They, like everyone else, are not entitled to anything, other than what is contracted. You screw users, you get screwed. It is as simple as that.
If you see the OP, the woman behind the lawsuit seems angry that she had to find out about it in the news rather than with Dropbox informing her. That is a serious mistake and one that Dropbox should take heat for. Bugs happen but not communicating to users was a deliberate move.
She was not mailed because there was no access to her account or did I read it wrong that everyone whose account was accessed was mailed?
What should they have told her? "Someone could have accessed your account in the last few hours due to a bug, but that didn't happen. Nothing to worry about!"
I completely agree. Dropbox made a huge mistake. Dropbox is run by humans, and humans make mistakes, that's life. But when it came to communicate the issue they screwed up IMHO. I shouldn't need to subscribe to their blog RSS to know this kind of stuff.
They should have mailed everyone, encouraging users to change their passwords right away while they investigated the issue.
I see the run by humans argument a lot, but what you need to keep in mind is that a company is NOT a human. No one's suing the individual employees here, but a company. There is a massive difference.
By their nature companies are entirely selfish (especially companies with outside investment) and unless you're going to hold the humans within a company individually responsible for a companies douchebaggery then by the same logic you also shouldn't give the company a break because it's run by humans.
The important thing about this bug is that it allowed log-ins without passwords. No passwords were compromised. Therefor, asking users to change their passwords would have been FUD, as well as making it more difficult to identify which users were affected by the person exploiting the bug (if almost every user logs in during 4 hours, you're going to have a lot of trouble identifying the <100 accounts who were accessed by the attacker).
How do you know? (Note that the point of a punitive lawsuit is not only to encourage the culprit not to do it again, but also to encourage other potential culprits not to do it again.)
I guess the answer is "because it was just a mistake", but (1) not informing their customers promptly when they found they'd made a disastrous security screwup wasn't just a mistake, and (2) since they themselves say they're improving their procedures in response to the incident, it seems clear that there are things they could have done that would have either avoided the just-a-mistake or mitigated its consequences.
But, they're still a startup. There's no SLA. They responded quickly, fixed the bug as soon as they caught it, and have been thorough in investigating any unauthorized access of accounts.
Why sue them? It's just going to disrupt a very good service. It's not going to help them recover (I'm sure they've already learned heavily from the mistake.)