
AI Data Leak Prevention in Law Firms

Zachary Kitchen

Article summary: Data leak prevention in law firms now includes governing AI use. Staff may already be using AI tools without approved platforms, clear policies, or visibility into where client data goes. Texas firms reduce confidentiality risk by identifying AI use, blocking unauthorized tools, and setting rules that align with Texas Disciplinary Rule 1.05.

A junior associate at a litigation firm is facing a 4 p.m. deadline to summarize a 200-page merger agreement. He opens a public AI tool, pastes in the document, and asks for the key deal terms. The summary is ready in seconds, and the deadline is met.

The problem is that speed does not eliminate risk. By uploading the document to an unapproved AI platform, the associate may have shared confidential client information, privileged communications, financial data, or sensitive transaction details with a third-party service without the firm’s knowledge or authorization.

This scenario is becoming increasingly common. AI adoption has grown rapidly across the legal profession. According to Clio’s 2024 Legal Trends Report, 79% of legal professionals reported using AI in some capacity. Yet Thomson Reuters found that only 10% of law firms had implemented formal policies governing generative AI use.

That gap creates risk. Attorneys are increasingly using AI tools to save time and improve efficiency, but many firms have yet to establish clear guidelines for handling confidential information, reviewing AI-generated work, or determining which tools are approved for client matters.

The issue is not whether firms should use AI. It is whether they are using it responsibly.

Under Texas Disciplinary Rule 1.05, attorneys have a duty to protect confidential client information from unauthorized disclosure. Texas Bar Ethics Opinion 705, issued in February 2025, applies that obligation to generative AI. Before using AI tools with client information, attorneys must understand how the technology works, evaluate the associated confidentiality risks, and take reasonable precautions to safeguard client data.

For most firms, that starts with a written AI policy, approved AI platforms, staff training, and clear guidance on what information can and cannot be entered into AI systems. Without those safeguards, well-intentioned employees can create confidentiality and compliance risks in seconds.

Why AI Data Leaks Are Different from Traditional Breaches

Most data breaches involve an attacker doing something unauthorized. AI data leaks are different.

Most AI-related confidentiality risks don’t come from bad actors. They come from attorneys and staff using convenient tools to work more efficiently. The employee uploading client information to an AI platform is usually trying to meet a deadline, not create a compliance issue.

Research from Cyberhaven found that 27.4% of the corporate data employees entered into AI tools was classified as sensitive, up from 10.7% a year earlier. 

Most AI providers retain user inputs for model improvement unless organizations specifically opt out. Personal accounts have weaker data protections than enterprise agreements. Most staff members don’t distinguish between the two.

For law firms, the confidentiality risks are obvious. Client information, deal terms, litigation strategy, deposition summaries, settlement discussions, and medical records can all be entered into AI tools by well-intentioned employees without a full understanding of how that information is stored, processed, or protected.

The Five-Part AI Governance Framework for Law Firms

1. Know what tools are already in use

Shadow AI (unauthorized AI tools adopted by staff without IT or firm approval) is becoming increasingly common in law firms as attorneys and staff look for ways to work more efficiently.

Running a shadow AI audit is often the first step in reducing AI-related data exposure. Once a firm understands which tools are being used and by whom, it can begin implementing appropriate policies, controls, and training.

Common sources of shadow AI include browser extensions with AI capabilities, SaaS tools that have enabled AI features without notice, personal AI accounts, and AI writing assistants built into Microsoft 365 without firm configuration.

2. Establish an approved AI tool list

Designate which AI tools are approved for firm use and under what conditions. 

Enterprise-tier agreements with providers like Microsoft Copilot for Microsoft 365 or OpenAI’s enterprise plan include contractual commitments that user inputs are not used for model training. This is a baseline requirement before any tool is cleared for client work.

Tools that have not been approved for firm use should be clearly identified and restricted where appropriate. Just as importantly, AI policies must be documented, communicated to employees, and consistently enforced.
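A shadow AI audit of the kind described in steps 1 and 2 can start from web proxy or DNS logs compared against the approved tool list. The Python sketch below is an added example, not code from this article or from Digital Crisis; the log format, user names, watch list and approved list are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed proxy log rows: timestamp,user,host,bytes_out (not real traffic).
SAMPLE_LOG = """\
2025-03-03T15:41:07,jassoc,chatgpt.com,48211
2025-03-03T15:42:19,jassoc,chatgpt.com,912340
2025-03-03T15:50:02,paralegal1,api.claude.ai,15310
2025-03-03T16:01:44,partner2,m365.cloud.microsoft,20480
2025-03-03T16:05:10,paralegal1,www.lawlibrary.example,3300
2025-03-04T09:12:55,jassoc,gemini.google.com,7120
"""

# Assumption: AI service hostnames the firm watches, and the subset it approved.
AI_HOSTS = {"chatgpt.com", "claude.ai", "gemini.google.com", "m365.cloud.microsoft"}
APPROVED = {"m365.cloud.microsoft"}


def match_host(host, watch):
    """Return the watch-list entry that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for entry in watch:
        if host == entry or host.endswith("." + entry):
            return entry
    return None


def audit(log_text):
    """Summarize unapproved AI tool use per (user, tool), largest upload first."""
    usage = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        _ts, user, host, bytes_out = row
        tool = match_host(host, AI_HOSTS)
        if tool is None or tool in APPROVED:
            continue
        usage[(user, tool)]["requests"] += 1
        usage[(user, tool)]["bytes_out"] += int(bytes_out)
    findings = [{"user": u, "tool": t, **r} for (u, t), r in usage.items()]
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A hostname cannot tell a personal account from an enterprise tenant on the same service, so hits are leads for follow-up rather than proof of a policy violation.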

3. Define what can and cannot go into any AI tool

Even approved tools require use policies. 

Staff need to understand that client names, case identifiers, financial terms, settlement amounts, medical details, and any document marked confidential never enter an AI prompt (on any platform).

Texas Opinion 705 makes clear that an attorney’s professional responsibilities do not change simply because AI is involved. Attorneys must understand the technology they use, protect client confidentiality, train and supervise personnel who use AI tools, and independently review AI-generated work before relying on it in client matters or court filings. Ultimate responsibility for accuracy, compliance, and professional conduct remains with the attorney.

4. Apply technical controls

Policy alone isn’t enough. Governing your team’s AI use requires technical enforcement.

This includes blocking access to unauthorized AI sites and tools at the network layer, configuring Microsoft 365 Data Loss Prevention (DLP) policies to flag sensitive content before it’s shared, and reviewing browser extension permissions that may silently access open documents and emails.

These controls won’t eliminate every risk. Personal devices and independent internet connections can be more difficult for firms to monitor and manage. However, they can significantly reduce exposure by addressing the most common ways unapproved AI tools are accessed within the firm.
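To illustrate the kind of content matching a DLP rule performs, here is an added Python sketch that screens text for the categories listed in step 3 before it reaches an AI tool. It is not Microsoft 365 DLP configuration and not code from this article; the client list, the case-number pattern and the function names are assumptions made for the example.

```python
import re

# Assumption: client names would come from the firm's matter-management
# system; these two are constructed.
CLIENT_NAMES = ["Acme Holdings", "Jane Roe"]

# Assumption: simplified patterns for the step 3 categories. The case-number
# format is made up; a firm would substitute its courts' real formats.
RULES = {
    "confidential_marking": re.compile(r"\b(?:privileged|confidential)\b", re.I),
    "case_identifier": re.compile(r"\b(?:cause|case)\s+no\.?\s*[\w-]+", re.I),
    "dollar_amount": re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?"),
    "medical_detail": re.compile(r"\b(?:diagnos\w+|medical records?|prescri\w+)\b", re.I),
}


def screen_prompt(text):
    """Return (category, matched_text) pairs for sensitive content in text."""
    findings = []
    for name in CLIENT_NAMES:
        if re.search(r"\b" + re.escape(name) + r"\b", text, re.I):
            findings.append(("client_name", name))
    for label, pattern in RULES.items():
        for match in pattern.finditer(text):
            findings.append((label, match.group(0)))
    return findings


def decide(text):
    """Block the prompt if any category matched; report which ones."""
    labels = sorted({label for label, _ in screen_prompt(text)})
    return ("block", labels) if labels else ("allow", [])


# Constructed prompts: one that mixes several categories, one that is benign.
RISKY = ("Summarize the settlement: Acme Holdings pays $2,500,000 "
         "in Cause No. 2024-12345. Mark as PRIVILEGED.")
BENIGN = "Explain the hearsay rule under the Texas Rules of Evidence."

if __name__ == "__main__":
    print(decide(RISKY))
    print(decide(BENIGN))
```

Pattern matching of this kind only catches what it has a rule or list entry for, which is why the article pairs it with policy and training.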

5. Train staff on the actual risk

Most staff AI data leaks happen because no one explained the risk in plain terms. 

A focused 20-minute training session should explain how public AI tools process user data, the confidentiality risks associated with entering client information into those platforms, and the firm’s obligations under Texas Rule 1.05.

Reinforce training annually and update it as tools change.

The AI Governance Gap Many Firms Haven’t Addressed

For law firms, AI governance is more than an operational concern. It’s a matter of confidentiality, risk management, and professional responsibility.

Firm leadership should be able to answer a few basic questions with confidence: Which AI tools are employees using? What information can be entered into those systems? Which platforms have been approved for client-related work? And what safeguards are in place to protect confidential information?

If those answers are unclear, it’s time to take a closer look.

Digital Crisis helps Texas law firms evaluate AI-related risks, identify unapproved AI use, implement governance controls, and develop practical policies that align with their professional obligations.

Call (713) 965-7200 or contact us here to schedule an AI governance review.

Article FAQs

Is it a Texas ethics violation to use ChatGPT with client data?

Not necessarily. Texas Ethics Opinion 705 does not prohibit the use of AI tools, but it does make clear that attorneys remain responsible for protecting confidential client information when using them. For many firms, that means AI use should be limited to approved platforms that have been reviewed for security, confidentiality, and data handling practices.

What is shadow AI?

Shadow AI refers to AI tools that staff adopt and use without firm authorization or IT awareness. It’s called shadow AI because it happens outside the firm’s visibility and governance, which is exactly what makes it a data leak risk.

Does Microsoft 365 Copilot protect client confidentiality?

Microsoft 365 Copilot for enterprise customers includes data protections that prevent inputs from being used for model training and keeps data within the firm’s Microsoft 365 tenant. These protections apply when the firm has a qualifying Microsoft 365 license and proper configuration is in place. Personal or consumer-tier Microsoft products do not carry the same guarantees.

What should a Texas law firm’s AI policy cover?

At minimum: an approved tool list with the conditions for each, a prohibited-use list covering what data cannot enter any AI tool, a staff training requirement, a supervision obligation for attorneys overseeing AI-assisted work, and a review schedule. 
