Purview and Copilot Considerations for Mid-Sized Law Firms

Tom Papahronis

CIO Advisor

Mid-sized law firms want Copilot productivity gains, but cannot afford governance gaps around sensitive client data. This blog breaks down real Purview and Copilot considerations that shape a safer, more practical rollout.



We have been working with an increasing number of mid-sized law firms that would like to realize the efficiency gains from Microsoft’s Copilot and AI solutions, but prudently recognize the criticality of having extensive security and governance controls in place over sensitive data before rolling out AI tools broadly to the organization.

These mid-sized firms face the same client demands and information security scrutiny as large firms, but with fewer IT resources. To provide some help to those firms getting started on their data governance and Copilot journey, I have summarized the most common considerations that these firms need to be aware of as they roll out both Purview and Copilot.


Purview: The Long Game

In practice, rolling out Purview is a marathon, not a sprint. Expect 12–18 months to get it working across all tenant data. For most firms, while automation helps with historical data, it isn’t a silver bullet, and staff will need to be aware of and use Purview features daily.

As a result, you’ll need equal parts art, science, and realistic expectation setting to get Purview controls dialed in with minimal friction to the business.

Start with written policies and guidelines

Even a rough draft based on your known risks and requirements is better than nothing. Don’t wait for perfection. Get something in writing so you can iterate. Policies should address the various data types, client confidentiality, regulatory requirements, and acceptable use. Include specifics on what is considered sensitive, who can access what, how to share data securely, and required retention periods. These documents should drive your Purview configurations.


Train Your People Early And Often

Staff will interact with labels, DLP, and retention tools daily. Make sure they know what’s expected and why. Training isn’t a one-off. Plan for ongoing refreshers, new hire onboarding, and quick pivots when new risks or use cases pop up. Use real-world scenarios and examples from your firm.

Balance Policy And Practicality

In reality, the perfect policy on paper might not be enforceable by your tools, or even workable for your people. For example, you might want to restrict access to certain data types, but your document management system (DMS) or Teams setup may not support that level of granularity. Be ready to compromise and adjust policies to fit technical realities and user behavior.


Labeling, DLP, and Automation: Legal Data Is Different

Default Labeling And Automated Label Application

Automated labeling is great for identifying and cleaning up historical tenant data, but less effective for new or current data where context matters.

Don’t expect automation to be the primary tool for labeling new data. Manual review and user-driven labeling will still be necessary for most high-value or high-risk content. Set up default labels for common document types and train users to apply them consistently.

In law firms, DLP policies depend far more on sensitivity labels than on other sensitive-information criteria. PII is easy to detect, but law firm documents and emails are so varied that much more of the data is sensitive than just PII, and in many firms building automated detection patterns for it is not feasible. Labels are therefore critical to ensuring that information is identified and restricted appropriately.

DLP And Labels Vs. DMS Security

Sensitivity labels and DLP policies only protect data as it moves into or out of your document management system (DMS), for example via email or sharing. The labels are not typically recognized by the DMS itself, so DMS security configurations remain critical controls for protecting data at rest in the DMS.


Retention: Be Deliberate and Specific

Recordings and transcripts

Teams stores call recordings and transcripts only in OneDrive or Teams (SharePoint) sites, depending on how the meeting was scheduled, and not in a centralized repository.

From a governance standpoint, decide up front whether you’ll allow recordings and transcripts at all. If you do, set clear rules for acceptable use, sharing, and retention, since the recording files are going to be primarily managed by the users themselves.

Retention labels for Teams recordings

Use Teams policy settings and Purview retention labels to automate the deletion or archiving of recordings after a set period. Communicate retention policies clearly to all staff.

Teams Chat And Copilot Prompt Lifetimes

Retention for Teams chat and for Copilot prompts and responses is configured separately from documents and email, and these items are often retained for a shorter period. Be deliberate about setting these policies. Most of the time, firms want to limit exposure to the uncertain content in these areas.
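One way to implement the recording and chat retention settings described in the two sections above, as an added example that is not part of the original post. It assumes the MicrosoftTeams and ExchangeOnlineManagement PowerShell modules and the Teams Administrator and Compliance Administrator roles; all durations and policy names are illustrative placeholders.

```powershell
# Added example, not from the original post: configure recording expiration and a
# retention label for Teams meeting recordings, plus a delete-after policy for Teams chat.
# Assumes the MicrosoftTeams and ExchangeOnlineManagement modules are installed and the
# account holds the Teams Administrator and Compliance Administrator roles. All durations
# and policy names are placeholders to be adapted to the firm's written retention policy.

Connect-MicrosoftTeams
Connect-IPPSSession    # Security & Compliance PowerShell (Purview)

# 1. Teams meeting policy: new recordings auto-expire after 60 days by default.
#    Owners can extend an individual recording, so this is a default, not a hard limit.
Set-CsTeamsMeetingPolicy -Identity Global -NewMeetingRecordingExpirationDays 60

# 2. Purview retention label for recordings, auto-applied to OneDrive and SharePoint
#    content that Teams tags as a meeting recording (ProgID:Media.Meeting).
#    A retention label takes precedence over the Teams expiration setting above.
New-ComplianceTag -Name "Meeting recording - delete after 1 year" `
    -RetentionAction Delete -RetentionType ModificationAgeInDays -RetentionDuration 365

New-RetentionCompliancePolicy -Name "Auto-label meeting recordings" `
    -OneDriveLocation All -SharePointLocation All
New-RetentionComplianceRule -Name "Auto-label meeting recordings rule" `
    -Policy "Auto-label meeting recordings" `
    -ApplyComplianceTag "Meeting recording - delete after 1 year" `
    -ContentMatchQuery "ProgID:Media.Meeting"

# 3. Teams chat retention: delete 1:1 and group chats after 90 days.
#    Copilot interaction retention is configured separately in the same Purview
#    retention area and is not shown here.
New-RetentionCompliancePolicy -Name "Teams chat - delete after 90 days" -TeamsChatLocation All
New-RetentionComplianceRule -Name "Teams chat - delete after 90 days rule" `
    -Policy "Teams chat - delete after 90 days" `
    -RetentionDuration 90 -RetentionComplianceAction Delete

# 4. Verify what was deployed; DistributionStatus should reach "Success" once applied.
Get-CsTeamsMeetingPolicy -Identity Global | Select-Object NewMeetingRecordingExpirationDays
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Name -like "Auto-label*" -or $_.Name -like "Teams chat*" } |
    Select-Object Name, DistributionStatus
```

Retention policies can take up to a day to distribute, so check the verification output again after propagation before telling staff the rules are live.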


Copilot: Immediate Wins, But Real Value Can Take Time

Most mid-sized law firms are not waiting for a complete Purview deployment before enabling Copilot. That said, be thoughtful and deliberate about balancing who gets Copilot with how much of your tenant data is effectively protected, so that you reduce the risk of inadvertent overexposure.

Copilot And DMS Connectors

  • DMS connectors should probably not be included in early Copilot deployment. Don’t rush to connect Copilot to your critical DMS data until people have developed good Copilot and AI habits.
  • Modern DMS versions are required. If you’re running an outdated version of your DMS, you may need to upgrade before you try to integrate with Copilot. The Copilot connectors provided by many DMS vendors are often only able to work with their current platforms.
  • Test DMS connector security and permissions. Before deploying DMS connectors to all Copilot users, be sure to validate that the connector security only allows the right people to access the right data.

Data Location And Visibility

Today, Copilot can’t use data on local file shares. File shares are not indexed into the Microsoft Graph, so they remain invisible to AI tools. You may need to migrate shares to M365 tenant services to get full use of your data.

Start With Low-Risk Use Cases

Everyone has administrative tasks. Use Copilot for predictable, low-risk tasks first: scheduling, meeting summaries, document search, basic research, drafting routine emails. People will need to build up to specific legal use cases as time goes on and they gain experience with the tools.


Address Recordings And Transcripts Early

Recordings and transcripts present unique challenges from a risk and data management standpoint, but it often isn’t realistic to broadly preclude people from recording meetings in the long term.

In practice, using Copilot on Teams meeting content is one of the largest use cases in every organization. Have that policy discussion now and establish your firm’s comfort level with when recording can be used. Remember that Teams and Purview provide numerous ways to govern those files.

AI-Specific Security Controls

  • Expect to deploy DSPM for AI. As AI usage expands, Purview Data Security Posture Management for AI is essential for visibility into, and restrictions on, AI usage. Deploy the Purview browser extension and onboard endpoints for full coverage; this provides the metrics and clarity needed to configure Purview DLP and other features specifically for AI use cases.
  • Plan to configure Defender for Cloud Apps. Defender for Cloud Apps augments DSPM for AI, especially for cloud SaaS service DLP and AI usage with sanctioned or unsanctioned applications.

Communication and Training: The Human Factor

Success with Purview and Copilot hinges on communication and training. Each requires a different approach to drive success and adoption.

Purview Communication And Training

  • Purview policy development and enforcement will require in-the-weeds, operational, process-driven communications and end-user training.
  • Purview controls will likely need to apply to all groups in the firm, not just the ones using Copilot. A Purview implementation may require changes in business processes and tools so that people can handle and share sensitive data safely. It takes time to get people used to adopting these changes.
  • Ongoing data governance training is a must, and you also need to have a feedback loop open to respond quickly to unforeseen use cases or restrictions that impact critical operations.
  • Purview enablement communication and training is more about pulling people toward the desired usage, driven by system requirements they cannot control, again with a feedback channel kept open.

Copilot Communication And Training

  • Communication and training will be more evolutionary and user-driven. You will get Copilot users started with general guidelines, but best practices will evolve over time by group and function. In contrast to Purview, the effort here is to push people to use the tool and learn how to use it well.
  • Be sure to gather lessons learned and update your Copilot usage guidance, published through a Center of Excellence or collaborative team designed to help others get more out of Copilot.
  • Copilot champions and subject-matter experts are often people in roles that are in the thick of things, not just leaders.
  • Regularly review usage metrics and Center of Excellence feedback, and keep encouraging people to use Copilot to save time.

Bottom Line

Deploying Purview and Copilot in a mid-sized law firm is a marathon, not a sprint, and requires strategic planning to execute well. Focus on Microsoft 365 tenant data first, balance automation with human oversight, and foster a culture of continual learning. The right mix of policy, practicality, and training will help you unlock the full potential of these tools, while keeping risk in check and meeting employee and client needs.


Is Your Firm Ready to Scale Copilot Safely?

eQIP helps your firm assess current controls, identify gaps across Purview and Copilot, and build a practical roadmap for secure AI adoption.
