<SEC-DOCUMENT>0001467623-24-000036.txt : 20241025
<SEC-HEADER>0001467623-24-000036.hdr.sgml : 20241025
<ACCEPTANCE-DATETIME>20240614160651
<PRIVATE-TO-PUBLIC>
ACCESSION NUMBER:		0001467623-24-000036
CONFORMED SUBMISSION TYPE:	CORRESP
PUBLIC DOCUMENT COUNT:		1
FILED AS OF DATE:		20240614

FILER:

	COMPANY DATA:	
		COMPANY CONFORMED NAME:			DROPBOX, INC.
		CENTRAL INDEX KEY:			0001467623
		STANDARD INDUSTRIAL CLASSIFICATION:	SERVICES-PREPACKAGED SOFTWARE [7372]
		ORGANIZATION NAME:           	06 Technology
		IRS NUMBER:				260138832
		STATE OF INCORPORATION:			DE
		FISCAL YEAR END:			1231

	FILING VALUES:
		FORM TYPE:		CORRESP

	BUSINESS ADDRESS:	
		STREET 1:		1800 OWENS STREET, SUITE 200
		CITY:			SAN FRANCISCO
		STATE:			CA
		ZIP:			94158
		BUSINESS PHONE:		415-986-7057

	MAIL ADDRESS:	
		STREET 1:		1800 OWENS STREET, SUITE 200
		CITY:			SAN FRANCISCO
		STATE:			CA
		ZIP:			94158

	FORMER COMPANY:	
		FORMER CONFORMED NAME:	Dropbox, Inc.
		DATE OF NAME CHANGE:	20140210

	FORMER COMPANY:	
		FORMER CONFORMED NAME:	Evenflow, Inc.
		DATE OF NAME CHANGE:	20090702
</SEC-HEADER>
<DOCUMENT>
<TYPE>CORRESP
<SEQUENCE>1
<FILENAME>filename1.htm
<TEXT>
<html><head>
<!-- Document created using Wdesk -->
<!-- Copyright 2024 Workiva -->
<title>Document</title></head><body><div id="i72bc9b5142f74786bd184b75e6d1267f_1"></div><div style="min-height:36.72pt;width:100%"><div style="padding-left:3.15pt"><font><br></font></div><div style="padding-left:3.15pt"><font><br></font></div></div><div style="margin-top:7.5pt;padding-left:36pt;padding-right:36pt;text-align:right"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">June 14, 2024 </font></div><div style="margin-top:1.85pt;padding-left:3.5pt"><font><br></font></div><div style="margin-top:10pt"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-style:italic;font-weight:700;line-height:120%;text-decoration:underline">Via EDGAR</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%"> </font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">U.S. Securities and Exchange Commission</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">Division of Corporation Finance</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">Office of Manufacturing</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">100 F Street, N.E.</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">Washington, D.C. 20549-3720</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">Attn&#58;&#160;&#160;&#160;&#160;Geoffrey Kruczek</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">&#160;&#160;&#160;&#160;Suzanne Hayes</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:12pt;font-weight:400;line-height:120%">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:700;line-height:120%">Re&#58; </font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:12pt;font-weight:400;line-height:120%">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:700;line-height:120%">Dropbox, Inc.</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:12pt;font-weight:400;line-height:120%">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:700;line-height:120%">Form 8-K filed May 1, 2024</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:12pt;font-weight:400;line-height:120%">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:700;line-height:120%">File No. 001-38434</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:12pt;font-weight:400;line-height:120%">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">Ladies and Gentlemen&#58;</font></div><div style="margin-top:9pt;text-indent:36pt"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">Dropbox, Inc. (&#8220;we&#8221;, &#8220;our&#8221; or the &#8220;Company&#8221;) submits this letter in response to a comment from the staff (the &#8220;Staff&#8221;) of the Securities and Exchange Commission (the &#8220;Commission&#8221;) received by letter (the &#8220;Comment Letter&#8221;) dated June 3, 2024, relating to the Company&#8217;s Current Report on Form 8-K (File No. 001-38434) filed with the Commission on May 1, 2024  (the &#8220;Form 8-K&#8221;).</font></div><div style="margin-top:9pt;text-indent:36pt"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">In this letter, we have recited the comment from the Staff in italicized, bold type and have followed the comment with the Company&#8217;s response.</font></div><div style="text-indent:36pt"><font><br></font></div><div style="margin-top:6pt"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%;text-decoration:underline">Form 8-K filed May 1, 2024</font></div><div style="margin-top:9pt"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%;text-decoration:underline">General</font></div><div style="margin-top:9pt;padding-left:36pt;text-indent:-18pt"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-style:italic;font-weight:700;line-height:120%">1.</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-style:italic;font-weight:700;line-height:120%;padding-left:9.75pt">We note the statement that you experienced a cybersecurity incident in your Form 8-K filed on May 1, 2024. Please advise us as to why you determined to file under Item 1.05 of Form 8-K given your statement that the incident has not had a material impact on your business operations, you do not believe it is likely to have a material impact on your overall business operations and you have not determined whether the incident is reasonably likely to material impact financial condition or results of operations.</font></div><div style="margin-top:9pt;padding-left:36pt;text-indent:36pt"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">We respectfully advise the Staff that, as disclosed in the Form 8-K, we became aware of unauthorized access to our Dropbox Sign production environment on April 24, 2024. Over the course of the next several days, we engaged in an investigation, in which we discovered </font><font style="background-color:#ffffff;color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings. For subsets of users, the threat actor also </font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. We did not at that time, and do not now, have evidence that the threat actor had accessed the contents of users&#8217; accounts, such as their agreements or templates, or their payment information. </font></div><div style="margin-top:9pt;padding-left:36pt;text-indent:36pt"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">Dropbox Sign represents a low single-digit percentage of our total revenue, its infrastructure is largely separate from other Dropbox services, and the unauthorized access did not impact our operations or the operations of our users outside of Dropbox Sign. Given the relative size of Dropbox Sign&#8217;s operations and financial contribution to our overall business, we did not believe that </font></div><div style="height:77.04pt;position:relative;width:100%"><div style="bottom:0;position:absolute;width:100%"><div style="text-align:center"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:154%">1</font></div></div></div><hr style="page-break-after:always"><div style="min-height:36.72pt;width:100%"><div style="padding-left:3.15pt"><font><br></font></div><div style="padding-left:3.15pt"><font><br></font></div></div><div style="margin-top:9pt;padding-left:36pt"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">the unauthorized access was reasonably likely to be material to our overall business operations and we had not determined that the incident was reasonably likely to materially impact the financial condition and results of operations of the Company as a whole.   However, as noted by the Commission in the adopting release for the new cybersecurity rules</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:7.15pt;font-weight:400;line-height:120%;position:relative;top:-3.85pt;vertical-align:baseline">1</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%"> and more recently, in the statement issued by Erik Gerding, Director of the Commission&#8217;s Division of Corporation Finance,</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:7.15pt;font-weight:400;line-height:120%;position:relative;top:-3.85pt;vertical-align:baseline">2</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%"> the analysis with respect to disclosure obligations and materiality should not be limited to financial and operational impacts. Accordingly, we took into account the Commission&#8217;s statements that, in assessing the impact of incident (or reasonably likely impact), companies should assess all relevant factors, &#8220;</font><font style="background-color:#ffffff;color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">that assessment should not be limited to the impact on &#8216;financial condition and results of operation,&#8217;&#8221; and &#8220;companies should consider qualitative factors alongside quantitative factors.&#8221;&#160; For example, companies should consider whether the incident will &#8220;harm . . . &#91;its&#93; reputation, customer or vendor relationships, or competitiveness.&#8221;</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:7.15pt;font-weight:400;line-height:120%;position:relative;top:-3.85pt;vertical-align:baseline">3</font><font style="background-color:#ffffff;color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">&#160; Companies also should consider &#8220;the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.&#8221;</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:7.15pt;font-weight:400;line-height:120%;position:relative;top:-3.85pt;vertical-align:baseline">4</font><font style="background-color:#ffffff;color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%"> In the days after we discovered the unauthorized access, we assessed the number of users impacted, the requirement to notify regulatory authorities, the possibility of litigation, the potential for reputational harm, and the potential impact on our customer relationships.  </font></div><div style="margin-top:9pt;padding-left:36pt;text-indent:36pt"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">Taking into account these additional qualitative factors in the aggregate, many of which were uncertain and remain uncertain, we determined that it was reasonably possible that investors would believe that the incident was important.  We also took into account that we did not expect to have certainty on these qualitative factors and the impact on our business for some time. We further considered that, at the time of our filing on May 1, 2024, many other companies that had experienced incidents and had come to similar conclusions determined to file a Form 8-K under Item 1.05.  We evaluated the requirements of Item 1.05 and concluded that a filing prior to a definitive determination regarding materiality was permissible, and, given that a specific item number had been provided for disclosing cybersecurity incidents, we believed that it was advisable to file our disclosure under Item 1.05.  We note, based on Director Gerding&#8217;s Statement, which was published after the Form 8-K was filed, that the Commission believes that prior to a definitive determination of materiality, cybersecurity incidents should be disclosed under Item 7.01 or 8.01. In light of this statement, we may have made a different decision with regard to the item number under which we filed our disclosure.</font></div><div style="margin-top:9pt;padding-left:36pt;text-indent:36pt"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">We believe that the content of our disclosure enabled investors to evaluate the facts in the context of their own voting and investment decisions. </font></div><div style="text-align:center"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">*****</font></div><div style="text-align:center"><font><br></font></div><div style="text-align:center"><font><br></font></div><div style="border-bottom:1pt solid black;margin-bottom:5pt;margin-top:10pt;width:150pt"></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:6.5pt;font-weight:400;line-height:120%;position:relative;top:-3.5pt;vertical-align:baseline">1</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:10pt;font-weight:400;line-height:120%"> </font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:10pt;font-style:italic;font-weight:400;line-height:120%">Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:10pt;font-weight:400;line-height:120%">, Release Nos. 33-11216&#59; 34-97989 (July 26, 2023) &#91;88 FR 51896 (Aug. 4, 2023)&#93; (the &#8220;Adopting Release&#8221;).</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:6.5pt;font-weight:400;line-height:120%;position:relative;top:-3.5pt;vertical-align:baseline">2</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:10pt;font-weight:400;line-height:120%"> </font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:10pt;font-style:italic;font-weight:400;line-height:120%">Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:10pt;font-weight:400;line-height:120%">, May 21, 2024, available at </font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:10pt;font-weight:400;line-height:120%;text-decoration:underline">https&#58;&#47;&#47;www.sec.gov&#47;news&#47;statement&#47;gerding-cybersecurity-incidents-05212024</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:10pt;font-weight:400;line-height:120%"> (&#8220;Director Gerding&#8217;s Statement&#8221;).</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:6.5pt;font-weight:400;line-height:120%;position:relative;top:-3.5pt;vertical-align:baseline">3</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:10pt;font-weight:400;line-height:120%"> Id. (citing the Adopting Release).</font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:6.5pt;font-weight:400;line-height:120%;position:relative;top:-3.5pt;vertical-align:baseline">4</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:10pt;font-weight:400;line-height:120%"> Id.</font></div><div style="height:77.04pt;position:relative;width:100%"><div style="bottom:0;position:absolute;width:100%"><div style="text-align:center"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:154%">2</font></div></div></div><hr style="page-break-after:always"><div style="min-height:36.72pt;width:100%"><div style="padding-left:3.15pt"><font><br></font></div><div style="padding-left:3.15pt"><font><br></font></div></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">If you have any questions or comments, please contact me</font><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:10pt;font-weight:400;line-height:120%">.</font></div><div><font><br></font></div><div style="padding-left:252pt;text-align:right"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%"> </font></div><div style="padding-left:262.05pt"><table style="border-collapse:collapse;display:inline-table;margin-bottom:5pt;vertical-align:text-bottom;width:45.357%"><tr><td style="width:1.0%"></td><td style="width:70.279%"></td><td style="width:0.1%"></td><td style="width:1.0%"></td><td style="width:27.521%"></td><td style="width:0.1%"></td></tr><tr><td colspan="3" style="padding:2px 1pt 2px 1.02pt;text-align:left;vertical-align:bottom"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:100%">Sincerely,</font></td><td colspan="3" style="padding:0 1pt"></td></tr><tr style="height:14pt"><td colspan="3" style="padding:0 1pt"></td><td colspan="3" style="padding:0 1pt"></td></tr><tr><td colspan="3" style="padding:2px 1pt 2px 1.02pt;text-align:left;vertical-align:bottom"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:100%">&#47;s&#47; Bart Volkmer </font></td><td colspan="3" style="padding:0 1pt"></td></tr><tr><td colspan="3" style="border-top:1pt solid #000000;padding:2px 1pt 2px 1.02pt;text-align:left;vertical-align:bottom"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:100%">Bart Volkmer<br>Chief Legal Officer</font></td><td colspan="3" style="padding:0 1pt"></td></tr></table></div><div style="padding-left:288pt;text-indent:36pt"><font><br></font></div><div><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">cc&#58;&#160;&#160;&#160;&#160; </font></div><div style="padding-left:36pt"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:120%">Lisa L. Stimmell, Wilson Sonsini Goodrich &#38; Rosati, P.C.</font></div><div style="padding-left:36pt"><font><br></font></div><div style="height:77.04pt;position:relative;width:100%"><div style="bottom:0;position:absolute;width:100%"><div style="text-align:center"><font style="color:#000000;font-family:'Times New Roman',sans-serif;font-size:11pt;font-weight:400;line-height:154%">3</font></div></div></div></body></html>
</TEXT>
</DOCUMENT>
</SEC-DOCUMENT>
