Is Copilot Safe for Lawyers? What Legal Professionals Need to Know

In 2024, at least 21 law firms reported data breaches, making it the biggest year in the history of law firm breach reports. Orrick, Herrington & Sutcliffe agreed to pay $8 million to settle class action claims from a 2023 breach. According to IBM, professional services organizations including law firms now face an average breach cost of $5.08 million per incident.

Against this backdrop, attorneys across the country are adopting AI assistants like Microsoft Copilot to draft motions, summarize depositions, and research case law. The productivity gains are real. But so is the risk. The question every lawyer needs to answer: does using Copilot with client data create the next breach headline or ethics violation?

The short version: If you need to redact sensitive documents before they reach AI systems, PaperVeil handles that layer. The rest of this article explains where it fits in the broader governance architecture.

What "Safe" Means for Legal Practice

When lawyers ask whether Copilot is "safe," they're asking multiple questions at once.

Privilege preservation: Will confidential client communications remain protected, or does sending them to Microsoft constitute disclosure to a third party?

Ethics compliance: Does using Copilot satisfy the competence, confidentiality, and communication requirements under the Model Rules of Professional Conduct?

Malpractice exposure: Could AI usage create liability if something goes wrong?

Regulatory defensibility: If the state bar investigates, can you demonstrate reasonable safeguards?

The answer to each question depends on how you use Copilot and what data you expose to it.

Legal Data at Risk

Law firms handle some of the most sensitive information in any industry. A partial inventory of what flows through typical legal workflows includes:

Privileged communications: Attorney-client correspondence, legal strategy discussions, case assessments, and settlement negotiations.

Work product: Legal research, draft briefs, internal memoranda, and case theories developed in anticipation of litigation.

Client personal information: Social Security numbers, financial records, medical histories, immigration documents, and family information for estate planning.

Litigation materials: Deposition transcripts, witness statements, expert reports, and discovery documents.

Transaction documents: M&A materials, due diligence findings, contract drafts, and closing documents.

Criminal defense materials: Case files containing accusations, evidence, and defense strategies where disclosure could harm clients or obstruct justice.

Every category carries distinct obligations. Privileged communications require confidentiality to maintain their protected status. Work product requires protection from disclosure to adversaries. Client personal information must be safeguarded under state and federal data protection laws.

How Copilot Handles Data

Microsoft 365 Copilot works within your existing Microsoft 365 environment. Understanding its data handling is essential for legal use.

Enterprise data protection: Microsoft acts as a data processor under its Data Protection Addendum (DPA). Your data is encrypted at rest and in transit. Microsoft states that prompts and responses aren't used to train foundation models.

Existing permissions apply: Copilot can only access data that users already have permission to see. It surfaces information through Microsoft Graph, respecting your existing access controls.

No cross-tenant leakage: Microsoft's architecture prevents data from leaking between tenants or user boundaries.

Compliance certifications: Microsoft 365 Copilot is covered by SOC 1/2/3 attestation, ISO 27001, and the ISO 42001 standard for AI management systems.

Audit capabilities: The Copilot Control System provides tenant-level visibility into Copilot usage, data-sharing events, and compliance monitoring.

Subprocessor addition: Starting January 7, 2026, Anthropic is a subprocessor for Microsoft 365 Copilot. Anthropic models operate under Microsoft's Product Terms and Data Protection Addendum.

The Attorney-Client Privilege Problem

Even with enterprise Copilot, fundamental questions remain about privilege.

The American Bar Association addressed this directly in Formal Opinion 512, issued in July 2024. The opinion confirms that Model Rules related to competency, confidentiality, and informed consent apply to generative AI use. Specifically:

Model Rule 1.6 (Confidentiality): Lawyers must keep confidential all information relating to client representation. Using AI with client information requires the lawyer to be cognizant of this duty and take appropriate precautions.

Model Rule 1.1 (Competence): Lawyers must maintain technological competence. This means understanding how AI tools work, what happens to data submitted to them, and what safeguards are available.

Model Rule 1.4 (Communication): Depending on circumstances, lawyers may need to inform clients about AI use in their matters, particularly when confidentiality concerns arise.

Several state bars have issued additional guidance. Florida's Advisory Opinion 24-1 recommends obtaining "affected client's informed consent prior to utilizing a third-party generative AI program if the utilization would involve the disclosure of any confidential information."

The privilege concern is specific: inputting confidential client information into AI platforms may constitute disclosure to a third party. While Microsoft's enterprise terms provide strong protections, the ultimate determination of privilege waiver falls to courts, not software vendors.

Where Copilot Falls Short for Legal

Let's be specific about the gaps.

No attorney-client privilege certification: Microsoft's enterprise certifications address security and privacy, but they don't specifically address the legal requirements for maintaining attorney-client privilege. That determination ultimately falls to courts.

The human review question: Microsoft's Copilot interactions aren't routinely reviewed by humans, but Microsoft's terms allow for review in certain circumstances such as abuse detection. While this is limited, any human review outside your firm creates potential privilege concerns for the most sensitive matters.

The subprocessor question: With Anthropic becoming a subprocessor in January 2026, client data now flows through an additional party's systems. Anthropic operates under Microsoft's terms, but you're adding complexity to your privilege analysis.

The permission inheritance problem: Copilot surfaces information users already have access to. Research shows over 15% of business-critical files are at risk from oversharing and inappropriate permissions. If your firm's permission structure is overly permissive, Copilot will expose that data more efficiently. Case files that should be restricted to specific attorneys might become accessible through Copilot queries.

Integration with firm systems: For Copilot interactions to be part of your matter files (as they arguably should be under some records retention policies), you need proper archival workflows. This requires integration with legal practice management systems that many firms haven't implemented.

The shadow AI problem: Up to 40% of law firms have experienced security breaches. Associates using personal AI accounts outside approved workflows create uncontrolled exposure that firm management may not detect.

Making Copilot Safe for Legal Practice

The solution follows the same pattern that works across regulated industries: remove confidential information before it reaches the AI.

Legal document with confidential information
    ↓
Automated redaction (client names, case details, privileged content)
    ↓
Redacted content used with Copilot
    ↓
AI processes only sanitized data
    ↓
Confidential information never leaves firm control

With proper redaction:

  • Privilege is preserved (no confidential information disclosed)
  • Ethics obligations are easier to satisfy (the AI never receives protected data)
  • Malpractice exposure is reduced (you can demonstrate reasonable safeguards)
  • Regulatory defense is strengthened (clear documentation of data handling)

Practical Implementation for Law Firms

Step 1: Audit current AI usage

Before you can secure AI usage, you need to know where it's happening. Survey your attorneys and staff:

  • Who is using Copilot or other AI assistants?
  • What types of matters involve AI assistance?
  • What data is being entered into these tools?
  • Are they using personal accounts or firm-approved tools?

Expect to find shadow AI usage. The goal is to understand and redirect to secure workflows.

Step 2: Classify by sensitivity

Highest risk (mandatory redaction or prohibition):

  • Active litigation materials
  • Attorney-client privileged communications
  • Criminal defense case files
  • Settlement negotiations
  • Client Social Security numbers and financial data

High risk (strong redaction recommended):

  • Draft briefs and motions containing case specifics
  • Deposition transcripts
  • Discovery documents
  • M&A due diligence materials

Lower risk (enterprise controls may suffice):

  • Legal research on general topics
  • Form document templates without client specifics
  • Firm administrative matters

Step 3: Configure Microsoft Purview

Apply Microsoft Purview sensitivity labels to confidential legal documents. When Information Rights Management (IRM) controls are applied, Copilot cannot retrieve those protected files to generate responses.

For the most sensitive client data, client-side encryption (CSE) creates an absolute barrier. CSE-protected files are completely inaccessible to Copilot.

Step 4: Implement automated redaction

Manual review doesn't scale and misses things. Deploy automated detection and removal of:

  • Client and party names
  • Case numbers and matter identifiers
  • Dates and locations that could identify matters
  • Financial figures and account numbers
  • Any information that could identify specific clients or matters
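The redaction flow sketched above (document → automated redaction → sanitized content to Copilot → confidential values stay with the firm) and the detection categories in Step 4 can be shown end to end with a small script. The following is an added example written for this article; it is not PaperVeil's product code or anything Microsoft ships. Everything in it is assumed: the client/party names come from a firm-supplied list, case and matter identifiers are assumed to look like "Case No. 2:24-cv-01234" or "Matter 2024-0456", the `risk_tier` mapping to Step 2's tiers is the author's own, and the sample document is constructed with fictional names, numbers and amounts.

```python
"""Added example, not code from the article, PaperVeil or Microsoft: a
minimal pre-Copilot redaction pass for a legal document, plus an audit
record the firm keeps with the matter file.

Hypothetical assumptions (none come from the article):
  * client/party names are supplied by the firm as a known list;
  * case and matter identifiers look like "Case No. 2:24-cv-01234" or
    "Matter 2024-0456";
  * the placeholder-to-original map never leaves the firm; only the
    redacted text is sent to the AI assistant.
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class RedactionResult:
    redacted_text: str
    mapping: dict = field(default_factory=dict)  # placeholder -> original (firm-internal)
    counts: dict = field(default_factory=dict)   # category -> replacements made
    audit: dict = field(default_factory=dict)    # hashes and counts, never raw values


# Pattern detectors, applied after the name list. Each rule is deliberately
# narrow; regexes alone miss free-form identifiers, so a production system
# would add entity recognition and human spot checks on top of this.
PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("case_number", re.compile(
        r"\b(?:Case\s+No\.?|Matter)\s*[:#]?\s*[\dA-Z]+[-:][\dA-Z-]+", re.I)),
    ("account_number", re.compile(
        r"\b(?:acct|account)\s*(?:no\.?|#)?\s*[:#]?\s*\d{6,}\b", re.I)),
    ("currency", re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")),
    ("date", re.compile(
        r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?"
        r"\s+\d{1,2},\s+\d{4}\b")),
]


def _name_pattern(names):
    # Longest names first so "Jane Doe-Smith" is not cut down to "Jane Doe".
    escaped = sorted((re.escape(n) for n in names), key=len, reverse=True)
    return re.compile(r"\b(?:" + "|".join(escaped) + r")\b")


def redact(text, client_names):
    """Replace sensitive values with stable placeholders such as [CLIENT_2].

    The same original value always maps to the same placeholder, so the AI
    still sees that two references concern one party without learning who.
    """
    result = RedactionResult(redacted_text=text)
    detectors = list(PATTERNS)
    if client_names:
        detectors = [("client", _name_pattern(client_names))] + detectors
    for category, regex in detectors:
        seen = {}  # original value -> placeholder, per category

        def _sub(m):
            value = m.group(0)
            if value not in seen:
                seen[value] = f"[{category.upper()}_{len(seen) + 1}]"
                result.mapping[seen[value]] = value
            result.counts[category] = result.counts.get(category, 0) + 1
            return seen[value]

        result.redacted_text = regex.sub(_sub, result.redacted_text)
    # Audit record: proves what was sent without storing the removed values.
    result.audit = {
        "original_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "redacted_sha256": hashlib.sha256(result.redacted_text.encode()).hexdigest(),
        "replacements": dict(result.counts),
    }
    return result


def restore(text, mapping):
    """Re-insert originals into the AI's output; runs inside the firm only."""
    for placeholder, value in mapping.items():
        text = text.replace(placeholder, value)
    return text


def risk_tier(counts):
    """Assumed mapping from detected categories to the Step 2 sensitivity tiers."""
    if counts.get("ssn") or counts.get("account_number"):
        return "highest"
    if counts.get("client") or counts.get("case_number"):
        return "high"
    return "lower"


# Constructed sample; every name, number and amount here is fictional.
SAMPLE = (
    "Re: Case No. 2:24-cv-01234, Acme Holdings v. Jane Doe\n"
    "Our client, Jane Doe (SSN 123-45-6789), proposes settling for $1,250,000.00 "
    "by March 15, 2025. Funds to be wired from Account No. 0099887766. "
    "Jane Doe also asks about Matter 2024-0456.\n"
)
CLIENT_NAMES = ["Jane Doe", "Acme Holdings"]

if __name__ == "__main__":
    r = redact(SAMPLE, CLIENT_NAMES)
    print(r.redacted_text)
    print(r.audit, risk_tier(r.counts))
```

On the sample, the text that would go to Copilot reads "Re: [CASE_NUMBER_1], [CLIENT_1] v. [CLIENT_2] ..." with every name, SSN, amount, date and account number replaced; the `mapping` dict that reverses the placeholders, and the audit record with its hashes and per-category counts, stay inside the firm. The placeholder approach also makes the restore step auditable: the firm can show that the value re-inserted into the AI's draft is the one it removed, not one the model produced.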

Step 5: Establish firm-wide governance

Document and enforce:

  • Which AI tools are approved for which tasks
  • What data categories require redaction before AI processing
  • Review and approval workflows for AI-assisted work product
  • Incident response procedures if confidential data is accidentally shared
  • Client disclosure practices regarding AI use

Step 6: Train your attorneys

Lawyers need to understand:

  • ABA Formal Opinion 512 requirements
  • Why AI creates privilege and ethics risks
  • How to use approved redaction workflows
  • When to escalate questions to the ethics partner

The Ethics Trajectory

The legal profession's approach to AI is evolving rapidly. In 2024, courts certified 40% of data breach class actions, up from 16% in 2023. The litigation risk for firms that mishandle data has never been higher.

The ABA and state bars are actively developing AI guidance. Formal Opinion 512 was just the beginning. As AI capabilities expand and more attorneys adopt these tools, expect additional guidance addressing specific scenarios and more detailed requirements.

The firms that avoid ethics complaints and malpractice claims will be those that implemented controls before problems emerged. Waiting for a bar complaint to clarify your obligations is not a strategy.

The Sensitivity Label Approach

Microsoft Purview sensitivity labels provide a straightforward mechanism for protecting client data from Copilot processing.

Create labels for different sensitivity levels:

  • Highly Confidential: CSE-protected, completely inaccessible to Copilot
  • Privileged: IRM controls prevent Copilot retrieval
  • Client Confidential: Standard encryption with access logging
  • Internal: Normal Copilot access with audit trails

Apply labels consistently across client matters. Train staff on which labels to apply. Use Microsoft Purview DLP policies to enforce labeling requirements.

This creates defensible compliance: privileged and confidential documents are explicitly protected from AI processing, with documentation proving the controls were in place.

Your Next Step

Microsoft Copilot can enhance legal practice. The productivity gains from AI-assisted research, drafting, and analysis are real. But realizing those gains while maintaining your professional obligations requires intentional implementation.

Enterprise-grade access, proper Microsoft Purview configuration, sensitivity labeling, firm-wide governance, and automated redaction workflows together create defensible AI usage for law firms.

If your firm is using AI with any documents that could contain confidential client information, automated redaction before processing is the safeguard that protects both your clients and your license.


PaperVeil lets you redact all your sensitive information from PDFs in a simple drag and drop flow. Detect and remove PII, match custom patterns, strip metadata, and generate audit trails. The redaction layer that makes AI document processing actually safe.