Can You Trust Google Apps (And Other SaaS)?

Cloud computing, or software as a service (SaaS), means moving your applications from your computer to the “cloud.” It is the difference between Microsoft Word (locally hosted, since it is on your computer) and Google Docs (remotely hosted, since it is on Google’s computers).

The most common objection to using SaaS is the fear of waiving the attorney-client privilege, usually because “free” e-mail services like Yahoo! Mail, Gmail, and Hotmail scan users’ e-mail for keywords to target advertising. But SaaS is an attractive alternative for many lawyers, who would rather not deal with IT themselves or maintain an expensive IT consultant. As a result, many lawyers and law firms are looking at Google Apps, hosted Exchange, and Zimbra as less-expensive alternatives to having a local server.

I use Google Apps, and I am not worried about security, privacy, or waiving the attorney-client privilege. Here is why:

You and your clients are already using SaaS

If you use e-mail, you are probably using SaaS, even though you may not realize it.

First, many—perhaps most—of your clients are already using cloud services like Gmail, Yahoo! Mail, and Hotmail. These are SaaS providers that scan your clients’ messages—including the ones from you—to provide relevant advertising. Whether or not you use SaaS yourself, if the attorney-client privilege were so easily waived, you would probably have waived it already for many of your communications.

Second, you are also probably using SaaS yourself. Have a Blackberry, iPhone, or any other mobile messaging device? That information is going through the servers of RIM, Apple, or whoever, where third parties have access to it. If you are like most law firms, you have a hosted e-mail provider like Comcast, A2, or GoDaddy, where third parties also have access to your e-mail. They may not scan it for advertising, but their computers store it, just like Google’s.

But don’t worry . . .

The clouds are not reading your e-mail

Read the privacy policy of any cloud-based service you do business with. If you are using a free service, their computers may scan e-mail for the purpose of inserting ads. This does not mean anyone is reading your e-mail.

Instead, you will find that most SaaS providers go to great lengths to ensure your data remains private and secure. Google’s privacy policy for Gmail is a good example.

The difference between free services and paid services is usually advertising. If you buy a premium Google Apps account or you pay for a hosted Exchange server, your provider will not scan your e-mail to insert advertising. They probably will still scan your e-mail (and calendar and other items) so you can search for things later.

Inadvertent disclosure does not waive the attorney-client privilege

Only the client can waive the attorney-client privilege, although they can do so through carelessness. If using a cloud-based e-mail service is enough to waive the privilege, then many clients have already done so. But at least one New Jersey court did not bring up this possibility when finding that the attorney-client privilege protected a client’s Yahoo! Mail account, even when she accessed it on her employer’s computer.

It seems unlikely that a data breach at your SaaS provider would mean your attorney-client communications must be revealed to opposing counsel.

Although suspicion prevails, talk to your IT provider and your local ethics board before deciding whether or not you are comfortable using the cloud for your client-related data.

(photo: akakumo)

Sam Glover
Sam is the founder of, the best place for lawyers to learn how to start, manage, and grow a modern law practice, and home to the community of innovative lawyers building the future of law.


  1. Diedre Wachbrit Braverman says:

    I am more concerned about the reliability of my cloud data. I am fortunate to have a very reliable internet provider (it has gone down only once in five years). But what if I have a billing dispute with my SaaS provider? Or they have a technical problem? So I make weekly backups of my SaaS data. Might take a tech guru to unscramble the data but at least I have it.

  2. Sam Glover says:

    You bring up a good point. I still backup my cloud data, even though they do, too. One of the things I like, in fact, is how easily I can move all my data from Google to Zimbra or to Exchange.

  3. Your comments re: owning a RIM device (BlackBerry) or an iPhone are dead on. RIM started the practice of requiring e-mail to go through their servers before pushing to each customer’s personal mobile device (or larger companies needed to purchase and maintain a RIM server).

    Hence, I have always owned and used Palm devices. Treo, Centro and the Pre are configured to directly pull e-mails to the unit from your own e-mail server/provider/host. They do not require that your private communications be routed through a third party server in order to get them on your device.

    As for using Google. Just say “no”. While the present TOS may say Google only scans for advertising purposes, I’m fairly certain there’s some language somewhere in those TOS that says Google can pretty much do whatever they want, whenever they want.

    I say leave your private communications off of Google’s servers, and you never have to worry.

  4. Great post. There has been a lot of chatter on privacy & cloud computing concerns with regards to attorney ethics. I still backup my cloud data when possible.

  5. I’m not sure it’s about waiving privilege and HAVING to reveal your client’s data to opposing counsel so much as the fear that that data simply might be revealed to opposing counsel. If your client’s document ends up on the front page of the Wall Street Journal then opposing counsel sees it whether they were supposed to or not.

    I think the bigger issue, however, is with loss of control of the data. If the data resides in a 3rd party’s server then what happens if, as Diedre points out, we have a billing dispute with our provider? What if our provider goes out of business (as nearly all of the old “ASP” providers did)? What if our provider outsources their storage to a host in a foreign country…maybe a country that isn’t especially friendly or doesn’t have the kind of privacy laws we do in the U.S.?

    GoogleDocs is not HIPAA compliant, what if we practice in areas of law that require those sorts of levels of compliance? How do we audit a hosted data center for compliance? If the government serves a warrant for another customer’s data how can we be sure that ours won’t get picked through as well?

    These are just a few of the dozens of questions a SaaS vendor would have to answer before I was willing to put my confidential client work-product solely in their hands.

    I know SaaS is attractive for a lot of reasons, but I really don’t think convenience and a reduction of our operational budget is a good excuse for forgetting our duty of care to our clients and our firms.

    My $.02. Keep the change.

  6. Sam Glover says:

    Ben, I don’t really understand your first paragraph. How would an e-mail end up on the first page of the WSJ unless you send it to a WSJ reporter? The only time this happened that I am aware of, the attorney was not using an SaaS service, and sent the e-mail directly to the New York Times, albeit inadvertently.

    As for some of the other concerns, I think you do have a duty to make sure your contract with your SaaS providers satisfies whatever conditions your practice requires. But this is true of everyone you contract with, from document shredding companies to e-mail providers.

  7. Sam,

    It’s not just about e-mail, it’s about ANY data you store in “the Cloud”. Inadvertent disclosure can happen in a number of different ways, from an unpatched security vulnerability in the Cloud provider’s system to a configuration error, to an employee with access who, intentionally or unintentionally, leaks the data to an outsider.

    We need look no further than Former Gov. Sarah Palin for an example of e-mail from a hosted provider getting leaked to the press. And Google Docs had an issue with inadvertent disclosure earlier this year.

    I absolutely agree that we have a duty to make sure our contract with the SaaS provider is satisfactory. My fear is that too many firms are seeing the attractive price points and just rushing to “The Cloud” without considering the possible ramifications.

  8. This is an important discussion. I agree with Ben that there are greater risks to the data than inadvertent disclosure, such as the service provider going belly up or a natural disaster that interrupts internet service (even a good Minnesota hailstorm can knock out power for a couple of days).

    On the subject of security and disclosure of privileged or confidential information, the risk is likely small, but each person has to assess their own risk and how much of a target they might be for hackers or what the consequences of disclosure might be. Someone with million-dollar artwork on the walls of their house is going to have a much better home security system than someone whose greatest asset is an analog TV. Similar for data. If you have a straightforward, local practice in family, PI, criminal, etc., it’s unlikely you are a target for hackers and the inadvertent release of your data would likely be uninteresting and useless to anyone who saw it. It could be reasonable to rely on the representations and reputation of the SaaS provider. But if you have an IP practice, or you represent movie stars and professional athletes, or you discuss trade secrets with your Fortune 500 clients, or you keep long lists of your client’s credit card transactions, you should probably think carefully before using Servers-R-Us to store your client information. One size may not fit all.

  9. The SaaS affect says:

    Agree completely with you but I’m more intrigued about SaaS options for time and billing, document management, and practice management than just a simple hosted exchange.

    I’ve been hearing a lot about companies like Clio, AdvologixPM, RocketMatter, NetDocuments, Bill4Time, springCM, etc., that offer SaaS tools beyond email. I guess the key now is to find the best solution(s) that fit what I’m doing.

    – Stay SaaSy San Diego –

  10. Ms. Braverman, who commented above that her concern was more in the realm of reliability of data storage rather than just privacy, is not alone in that concern.

    What would happen if Google’s servers had some kind of failure which resulted in all of your emails simply being lost? Should we download and backup elsewhere? (probably)

    It’s actually a concern with any kind of data storage, whether on your hard drive, on your network, online, burned onto CDs or DVDs, or some combination of those.

    IT people I’ve spoken to suggest that this concern does not go away when your data is in “the cloud” on Google’s (or anyone else’s) servers.

    Question: is there more risk using the free services like Gmail and Docs as opposed to a paid service like Google Apps?

  11. Sam Glover says:

    On backup, yes, you should always back up your data! If you use Google, you can back it up just by using Google Gears to get local access from your browser. Or you can access your e-mail using Outlook, Thunderbird, or a hundred other mail programs. Same for your calendar.

    If you use Google Docs, you should back up local copies of any crucial data, as well.

  12. Larry Port says:

    Sam, another great point. All valid ones. As a SaaS provider and engineer myself, with an awareness of how these systems are built and what can go wrong if not done properly, I can’t stress enough for attorneys or others using a SaaS app to do their due diligence when choosing a solution.

    In addition to on-demand backups, I recommend that anyone considering a SaaS solution understand many factors, including but not limited to 1) physical security of the actual servers and data, 2) code security and protection against attacks, 3) confidentiality policy of the SaaS provider, and 4) encryption used to protect traffic (128 bit or greater and coverage of sensitive traffic).

    There are a lot of emerging issues. I recommend people stop by to see the Electronic Frontier Foundation’s site.

  13. Bart Mallon says:

    I am a lawyer and just switched over to Google Apps and am using the back end for my email. I am not as concerned with disruptions to my email – a prior exchange service had more disruptions and bigger headaches. I am concerned with my ethical responsibilities. Is this a topic which the individual bar associations should be discussing? While it seems like the answer on this board is that it would be ethically permissible to use Google Apps, I would feel more comfortable if my bar association made a specific pronouncement. Any thoughts on whether this would be a topic to discuss with the bar association?

    Thanks in advance – Bart

  14. We are a firm with 15 fee earners, and have switched to Google Apps in January 2010. After about 3 months, most processes (except billing) and documents had been fully transferred to Google Apps. However, recently Google Docs (which obviously we use as storage for all files) has behaved erratically. Google was unable to fix this even after 5 (five) days – as a result, we had to urgently transfer files back to a Microsoft server.

    Clear outcome of this nightmarish experience: Google Apps is NOT YET reliable enough for a law firm. 99.9% uptime is NOT guaranteed. “call-back within 1 hour”-promises were not held. For critical usage such as transactions and litigation matters, DO NOT rely on Google Docs.

    Don’t hesitate to contact me for any further details.

    — Nathan

  15. Sam Glover says:

    I guess I’m curious as to why you decided to use Google Docs for file storage. I haven’t found it to be particularly well-suited to that, and Google Docs aren’t really very good for creating and editing documents.

  16. @Sam:
    I do think the Google Docs storage is the most convenient, especially when you are dealing with many files and several collaborators. Prerequisite is that you do have all your documents there (and not missing any – i.e. single storage solution) and that you and your staff have a good understanding of how sharing works.

    As for creating and editing – correct if you use heavy formatting. But once you get used to working on a long motion in Google Docs, in a collaborating style, it is hard to go back to Word – it seems anachronistic at best.

    As for our problems mentioned above, they did eventually get fixed, and Google staff were friendly and helpful. A scare remains, though. We will stick to it and see how things develop over time.

  17. Sam Glover says:

    Google Docs has a few problems that make it inappropriate for writing anything you plan to submit to a court. For example, the lack of a “smart quotes” function means your documents have unacceptable straight ticks in place of curly quotes and apostrophes. Numbered and bulleted lists also require pretty intricate knowledge of CSS styling to make them function even at a basic level.

    If Google ever gets its act together on these, and a few other small but important deal breakers, I might agree with you that Google Docs is a possible option.

  18. Nick C says:

    I would be more concerned with having all my data backed up on my server than rely on a general statement of redundant systems etc. etc. The emails contain valuable information nowadays that no one, especially a lawyer, may unwillingly dispose of.

  19. Andina says:

    This is an older thread but nevertheless it may be worth our time to comment upon.
    We are a mid-sized law firm based in Europe and have used our in-house IT infrastructure for emails, files, etc.; however, we have found the Google service quite challenging in terms of efficiency, particularly the ability to really concentrate on one’s work rather than deal with a growing IT headache and budget, from licensing to backups, etc. However, I cannot say that we would ever relax having our sensitive data resting on a third party’s server with some people we never met having access to them. We have had issues in the past where emails were leaked and used in some serious litigation; therefore we take data confidentiality very, very seriously.
    The only way we would ever consider switching to Google Apps would be when Google allows encryption of all data resting on their services with us holding the keys. This would guarantee to most extent that a Google 20 year old odd administrator would not have access to sensitive information.

    • Sam Glover says:

      While, currently, a 20-year old IT administrator has access to your sensitive information. You just feel better about it because you know him or her, even though your agreement with him or her is almost certainly less restrictive and definitely not subject to a comprehensive privacy and security policy like you would get if you signed up with Google Apps.

      • NC says:

        Well, not really. You may get a good policy agreement with Google Apps but you still have to enforce that agreement if something goes wrong. I won’t go into the possibility of the government having access to them too. That is not the case if you physically control the data. Obviously everything is hackable nowadays but at least you don’t give someone your data on a plate for him to feast on despite how difficult this may sound because of policy restrictions.
        Amazon S3 has adopted encryption so the minute Google follows suit we (and I guess a lot of others too) will join up, including the LAPD, I guess.
