A colleague posed the question, “Is Google Docs Secure Enough to Store Client Files?” I shared my two cents and thought maybe some readers might be wondering the same thing. I replied:
That question has been debated almost as long as the web has been around. I’m not sure if you mean is it secure enough against intrusion or secure enough against loss? My answer to both is “yes.” If you transmit client file materials and confidential communications through e-mail, you’re already content that a user ID and password arrangement is sufficient protection of privilege. I’ve never understood why we thought U.S. mail to be especially secure. I don’t know about you, but my mail sits in a box at the curb until I retrieve it. Anyone brazen enough to do so could drive up and take it. I hope they pay my bills promptly.
The ABA would say that the security you must afford privileged items is commensurate with the sensitivity and risk. Some things that would be, e.g., too sensitive to mail, may be too sensitive to e-mail without use of encryption and, thus, require more secure storage. Encryption is a prescription for many ills, but it just hasn’t taken hold in our profession. Not even among our cadre of legal technology cognoscenti, I suspect. We can do it. We just don’t bother, right?
As to security against loss, a periodic backup is always a good idea, no matter what mechanism we use for our client files. I’ve never lost a Google Document, which is not to say that something couldn’t happen today such that they would all be gone. FWIW, I’ve done all my timekeeping for client matters solely in Google Docs for years and nothing has ever occurred to cause me to rue that practice, even having no backup of same. Personally, I put the risk of loss via Google’s failure as being no greater than the risk of loss due to burglary, fire or natural disaster. Certainly, the risk is lower than the risk my drives will fail–which has happened and will happen with certainty in the future–so real risk versus real risk, I think I’m more likely to lose data relying upon local storage than I am relying upon Google Docs.
Just my humble opinion. Your mileage may vary and objects in mirror may be closer than they appear.
I meant to add that good passwording practices are important, especially being careful not to re-use passwords across mutiple sites and not making it child’s play for someone to change your password using security questions that are easily guessed or determined from online research, like one’s mother’s maiden name or the name of a high school mascot. It’s not a bad idea to use the ability Google affords to track how many persons are logged into your account and from what IP addresses. Online storage can be pretty much as safe as we want it to be, but nothing is immune from our own lack of vigilance.
Michael Fluhr said:
The fuss over Google Docs tickles me a bit because it may be one of the safer places that client data typically resides.
Regarding security against intrusion, lawyers routinely leave sensitive papers on their desks and don’t shut down or log off their computers after leaving work. And how many law firms have any more than trivial security at the office door. Walking into a poorly guarded office after hours and poking around is easier for most people than hacking a Google account.
Regarding security against destruction, I suspect that your comment “I think I’m more likely to lose data relying upon local storage than I am relying upon Google Docs” short sells your near certainty on this proposition. I seldom use Google Docs, but the number of times Google has lost my Gmail (zero) pales in comparison to the number of times I’ve experienced a hard drive crash without full backup. I suspect other users of both Google and local hard drives would report similar numbers.
LikeLike
craigball said:
Agreed. I’ve long boasted that I could walk through any big firm and go almost anywhere if I wore coveralls and carried a four-foot fluorescent tube. With that light bulb in tow (or a wheeled trash can), I’d be invisible in almost any big law setting.
Craig Ball
LikeLike
John said:
Why use internet jargon like FWIW in an article like this? This practice is absolutely nothing like writing an acronym like NASA. Not everyone knows what this means, and unfortunately I can’t grab a dictionary to look it up because, well, it’s not a word. I just don’t understand how one would come to the conclusion that it is a better idea to write four capital letters than to write four words.
There is also little sense in framing it as risk of fire, burglary, etc. vs. Google losing your data. The samsame risk of physical damage or theft exists for all data in your Google account because Google stores this in the physical world (everyone remember what that is?) as well. It might exists in two or more different locations and thus be safer but it is still at risk, so again, why compare? Why not give the sound advice that the risk of data loss is reduced each time the data is stored on another drive and better yet on another drive in another place?
Furthermore putting your data on Google Docs is a huge security risk compared to storing your data on a local drive. There are probably multiple people at Google that could access your data if they wanted to, and there are thousands of hackers capable of accessing it if they thought it was important enough to have. But most of the data we have probably isn’t that important in which case keep using Google Docs if it makes you happy.
LikeLike
craigball said:
OMG and WTF? I used FWIW. because, like etc., ASAP and i.e., enough people understand the reference today (leastwise among my readers) that it is efficient, if inelegant. FYI, it is in Webster’s but I didn’t check the OED. But, point taken, and for what it’s worth, I will try to avoid initialisms in the future. To compensate, I will try to incorporate more emoticons. OK? Pardon, okay? 😉
Apples-to-apples, the risk of loss due to fire is much reduced at Google’s facilities than my own. I do not have 24/7 physical security onsite, nor computer controlled Halon extinguisher systems, biometric security, fireproof doors and video surveillance. I do not replicate my data beyond the risks of regional natural disasters. There are no perfect systems, but we must recognize that there are far better ones than most of us employ in our homes and offices.
LikeLike
daengbo said:
John,
I assure you that Google, whose entire business revolves around data retention and high availability, is better at protecting against catastrophic data loss than anything you would see in an office. Think about what they have:
* Real-time data duplication in multiple, independent locations.
* Regular and complete back-ups outside of duplication (in case corrupted data is duplicated to every location).
* High levels of physical security against break-ins.
* Fire and flood protection.
* A team dedicated to cyber security.
Google is very good at this. It has hundreds of thousands of servers.
LikeLike
Anders Sjöberg said:
I didn’t know immediately what FWIW meant, so i used right click in Chrome to do a Google search, the first hit gave me the explanation. So instead of complaining about it I found out by clicking twice. The beauty of internet made me learn something new 🙂
LikeLike
jjj said:
And so quickly, too.
LikeLike
Brian Lesser said:
You may wish to consider using Google’s two factor authentication system in order to reduce the likelihood of someone guessing your username and password:
http://goo.gl/ltTN7
Data on most office systems can also be accessed by the IT system administrators that support your company’s systems. Presumably they are carefully supervised, work under clear policies and procedures, and are routinely audited as well as Google’s IT administrators are?
Regarding home systems, unless they are behind a firewall, routinely patched and maintained, audited, hardened, only used for business (no downloading games or letting family members use them) it is probably better to keep your files on a remote and properly secured system than to keep them on your personal hard drive at home.
Finally, lost laptops and USB drives that contain unencrypted files lead to an astonishing number of data breaches. If all those files were in the cloud instead of on unencrypted local storage they would be much less likely to have been lost in the first place.
LikeLike
Ron Weiss said:
I agree that the practices of users, hard drive failures, and the capabilities of many are not any where close to a large company’s like Google. I myself use various online services and feel that they are useful.
But I also investigate situations where various clients or their customers share data via some online sort of service and their is a data breached. Or at least they think there is a potential data breach. Let’s say a client normally accesses the web account from Texas and then all of sudden their account is accessed from Russia.
Will you be alerted of an anomalous access? Are you even monitoring the account or the IT staff running the web application? How do you investigate it? How do you assess the loss of data? Are their any contractual or regulatory obligations for notification? How did the breach occur?
What if a configuration or programming error occurs and exposes your data for all to see (i.e. Dropbox)? Is this external web application part of your employee termination process so that your organization revokes access when that person leaves or if the account is suspected of being compromised.
I am not trying to portray the risk as more, but definitely different. Plus dealing with to many intrusion cases and IP theft cases makes one paranoid! 😉
LikeLike
Brian Lesser said:
I think each of your questions applies to local IT departments as well as cloud services. Are the services audited by a third party? How comprehensive are the audits? SAS 70 Type II? Who gets the audit reports? Are weaknesses addressed properly? Are system administrator audits available? Transaction logs for forensic purposes? Is two-factor authentication available? Does your business have a policy that requires the use of two-factor authentication.
Unfortunately, many people think that a local server is by definition more secure than one run by someone else. They are often wrong.
Some information on Google’s Apps for Business security is here:
http://www.google.com/apps/intl/en/business/infrastructure_security.html
Dropbox and other services are each a different story.
LikeLike
Ron Weiss said:
Brian,
I agree and was not attempting to imply that a local server is more secure. It may or may not be. Often, it is not. I just want customers who use these hosted services for critical data and for business operations to think about the risks of these hosted services. Users of these types of services need to think of how they monitor, detect, and respond to potential security issues.
I was attempting to illustrated that there are a variety of factors that should be considered whatever technology is being used. I have investigated a variety of intrusions or compromises into hosted services and my experience shows that there is an increased exposure because if how accessible these services are. Like all risk it can be managed and some organizations have the maturity and foresight to do so. One aspect of my concern is that many consumers of these services have an appliance\black box mentality towards these services and do not know how to assess this risk until the issue occurs. Another aspect is what sort of Incident response\e-discovery protocol is in place with that hosting service.
The risk of cloud\hosted\third party services is appropriate for certain situations and data and dangerous in others. Google, as one example, appears to be doing an excellent job in building a model service that can help customers. But just because they are Google, DoD, or whoever we still have to watch them and make sure our data is safe.
The other issue is the constant barrage against the user by malicious attackers or even poor standard human security practices that exist regardless of technology. Creating another layer between the user and the monitoring/detection functions is just something to consider.
I also agree that this applies to local IT as well. The increasing layers of complexity are just added layers we all have to consider when assessing risk, investigating issues, and monitoring the integrity of our infrastructure.
LikeLike
JohnD said:
You highlight an important concern for secure storage of data. I have been using Google docs for a long time now and I’m looking for ways to overcome several challenges that I’ve faced. Also, you may want to look at upcoming tools such as http//www.collatebox.com/ and Needlebase
LikeLike
encgoo said:
If you worry about the security of the documents you stored in Google Docs, try EncGoo. It is an iPad application that encrypts documents before uploading it to Google Docs. You document is protected by an AES-256 key!
LikeLike
John Power said:
CipherDocs (http://www.cipherdocs.com) is another service that claims to to encrypt the document text in real-time. Also allows for the sharing of documents amongst users. Might be worth checking out.
LikeLike
Juegos Online Gratis said:
Do you mind if I quote a couple of your posts as long
as I provide credit and sources back to your weblog?
My blog site is in the very same area of interest as yours and my visitors would truly benefit from some of the information
you provide here. Please let me know if this ok with
you. Appreciate it!
LikeLike
Pingback: Low Cost Document Management | Google Drive | The Ink Blog
BrianL said:
Hi Craig. Hope you don’t mind me referencing your article here on my own blog. Well written articles, thanks! http://theinkblog.net/2013/01/10/low-cost-document-management-google-drive/
LikeLike