That question has been debated almost as long as the web has been around. I’m not sure if you mean is it secure enough against intrusion or secure enough against loss? My answer to both is “yes.” If you transmit client file materials and confidential communications through e-mail, you’re already content that a user ID and password arrangement is sufficient protection of privilege. I’ve never understood why we thought U.S. mail to be especially secure. I don’t know about you, but my mail sits in a box at the curb until I retrieve it. Anyone brazen enough to do so could drive up and take it. I hope they pay my bills promptly.
The ABA would say that the security you must afford privileged items is commensurate with the sensitivity and risk. Some things that would be, e.g., too sensitive to mail, may be too sensitive to e-mail without use of encryption and, thus, require more secure storage. Encryption is a prescription for many ills, but it just hasn’t taken hold in our profession. Not even among our cadre of legal technology cognoscenti, I suspect. We can do it. We just don’t bother, right?
As to security against loss, a periodic backup is always a good idea, no matter what mechanism we use for our client files. I’ve never lost a Google Document, which is not to say that something couldn’t happen today such that they would all be gone. FWIW, I’ve done all my timekeeping for client matters solely in Google Docs for years and nothing has ever occurred to cause me to rue that practice, even having no backup of same. Personally, I put the risk of loss via Google’s failure as being no greater than the risk of loss due to burglary, fire or natural disaster. Certainly, the risk is lower than the risk my drives will fail–which has happened and will happen with certainty in the future–so real risk versus real risk, I think I’m more likely to lose data relying upon local storage than I am relying upon Google Docs.
Just my humble opinion. Your mileage may vary and objects in mirror may be closer than they appear.
I meant to add that good passwording practices are important, especially being careful not to re-use passwords across mutiple sites and not making it child’s play for someone to change your password using security questions that are easily guessed or determined from online research, like one’s mother’s maiden name or the name of a high school mascot. It’s not a bad idea to use the ability Google affords to track how many persons are logged into your account and from what IP addresses. Online storage can be pretty much as safe as we want it to be, but nothing is immune from our own lack of vigilance.