Google Apps for Business: Security, Confidentiality and Ethics

Millions of corporations, small businesses, solo lawyers, large and small law firms, and federal, state and local governments have “gone Google”—meaning that they have moved from hosting their own e-mail servers (and in some cases calendars and documents) to using Google Apps. Companies that have gone Google range from Konica Minolta and Jaguar to the solo law practice Craig Law Firm (North Carolina) and the 12-office law firm Bradford & Barthel. Government users include the U.S. General Services Administration, the U.S. National Oceanic and Atmospheric Administration, the State of Wisconsin, the New Mexico Attorney General’s Office, and the City of Pittsburgh

Some of the first questions we get when discussing Google Apps are, “What about the security, confidentiality, and ethics of the information stored in those documents and e-mails? Is it secure enough for lawyers to use?” Although the answer to those questions depends on whom you ask, a growing numbers of attorneys and law firms have been answering “yes” and adopting Google Apps.

“As a law firm handling confidential information for our clients, Bradford & Barthel takes security extremely seriously,” said the firm’s Director of Knowledge Strategy and Technology, Eric Hunter, in a guest post on the Official Google Enterprise Blog (available at “We’re responsible for private information on individuals and companies and our best security option is Google Apps,” he continued. “Google has many security features – SAS70 Type II certification and two-step verification included – that allow us to feel confident our data and the data of our clients is much safer than if we hosted it on premise.”

Even with the security measures Google has in place for Google Apps, you still have a responsibility to make your account as secure as is reasonably possible by using a strong (hard to guess) password and 2-step authentication to access your account. You should also continually focus on security in everyday use and consider additional security features as they become available.

There are a number of critics who question the security of any off-site web-based application or storage service while others seem biased against only certain providers. Interest in the security of Google’s cloud offerings has been renewed in light of the company’s recent implementation of a new set of Terms of Service. Additionally, the widely-reported move by the City of Los Angeles to halt implementation of Google Apps to its criminal justice entities like the LAPD and the Criminal Division of the City Attorney’s Office has also raised security concerns. This is despite the fact that the Civil Division and other City agencies completed the implementation of Google Apps.

Before using  Google Apps or any cloud computing service provider, lawyers should make a reasonable effort to insure that confidential client information stored on those systems will remain confidential to comply with the recent addition of Section (c) to ABA Model Rule 1.6 (available at, which reads, “A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.” (While the ABA Model Rules are not binding on lawyers, most states will probably adopt this new Section.)

There are a growing number of state bar association ethics opinions that approve of lawyers using these cloud services as long as they use reasonable measures to ensure security. A collection of these opinions and analysis can be found at Regardless of whether lawyers are storing files “in the cloud” or on their office’s local network, most of the ethics opinions explain that attorneys must make a  “reasonable effort” to keep that information secure to insure that their computers are as protected as they can be.  The ethics opinions explain that lawyers need to know what security measures are practiced by whatever cloud service provider they are considering, as well as where and how often vendors back-up the information stored with their services, among other concerns.

In Chapter 22 of Google Gmail and Calendar in One Hour for Lawyers we take a close look at the security practices Google has put in place for the information stored in Google Apps and we survey State Bar ethics opinions related to cloud computing services.

This post is adapted from the authors’ forthcoming book, Google Gmail & Calendar in One Hour For Lawyers. Carole and Mark will be presenting a Meet the Authors session during ABA TECHSHOW covering some of the content of that book on Thursday, April 4 at 3:30pm in the Expo Hall.

 – By Carole Levitt JD, MLS & Mark Rosch