As this issue has grown, we've come to realize that it isn't just a rookie webmaster who made some security mistakes. There is a real danger here that many webmasters do not appreciate. It is very easy to make a security mistake.
- Double-check those index files. Test every directory and see if you can retrieve an /index file for that directory. If you can, you give them the URL to every document in the directory.
- Are you leaking private URLs? If you are in a semi-private environment (non-HTTPS), don't href hyperlinks - make them copy and paste. They can't hack you if they can't find you.
- Just because you put the company report in an obscure format doesn't mean a search engine won't index it. The days of hiding semi-private data in PDFs and .doc files are over.
- Does it need to be on the server? What if someone finds it?
- How sensitive is the data? Who is it intended for?
- If ultrasensitive, assume that the document will be found by 3rd parties. Can you assure the integrity of the data while it is just sitting on the disk at the website?
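
One way to run the first checks in this list against a local copy of your own web root (an added example, not part of the original post): it reports every directory that has no index file and every document file sitting in the web tree. The index file names, the extension list and the function name `audit_docroot` are assumptions; match them to your server's configuration.

```python
import os

# Assumed defaults; match these to the server's own index-file setting.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.htm"}
# Formats the post calls out, plus common office formats (assumption).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt"}


def audit_docroot(docroot):
    """Walk a local copy of the web root and return (no_index, documents).

    no_index:  URL paths of directories with no index file, which a server
               with automatic listings enabled would expose as a file list.
    documents: URL paths of document files that sit inside the web tree.
    """
    no_index, documents = [], []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()  # deterministic traversal order
        rel = os.path.relpath(dirpath, docroot)
        url_dir = "/" if rel == "." else "/" + rel.replace(os.sep, "/") + "/"
        # Exact-case match: on a case-sensitive filesystem INDEX.HTML
        # is not the file the server looks for.
        if not (set(filenames) & INDEX_NAMES):
            no_index.append(url_dir)
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() in DOC_EXTS:
                documents.append(url_dir + name)
    return no_index, documents


if __name__ == "__main__":
    import sys

    missing, docs = audit_docroot(sys.argv[1] if len(sys.argv) > 1 else ".")
    for d in missing:
        print("no index file:", d)
    for f in docs:
        print("document in web tree:", f)
```

Each path in the first list is a directory to request from outside and confirm it does not return a file listing; each path in the second is a file to hold against the questions "Does it need to be on the server?" and "Who is it intended for?".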