Legal Industry / Business Management
 

Leveraging AI: Securing Data Assets

The ethical and operational responsibilities of administrators now extend to understanding and managing the benefits, along with the risks, introduced by AI-driven technologies.
By Al Marcella, PhD, CISA, CISM
October 2025
 

Artificial intelligence is a current force transforming how businesses across all economic sectors, sizes and markets operate. For law firms, AI is already affecting everything from case management to protecting critical and sensitive firm data. As it becomes increasingly embedded in legal practice, administrators must confront not only its transformative potential but also its implications for data security and client confidentiality.

John Kitchen, an IT security expert, warns of the heightened vulnerability around data exposure: “As law firms explore the benefits of AI, many remain justifiably cautious, uncertain whether training data is truly secure or could later be used against them,” he says. “The risk of inadvertently exposing proprietary or personal information (PI/PII) during AI integration is real and potentially catastrophic. With AI adoption accelerating, safeguarding sensitive firm data through rigorous vetting, real-time monitoring and ethical governance must be a non-negotiable priority for any legal organization.” 

Data Protection and Data Security: Same Coin, Different Sides 

Data protection encompasses data security, as well as policies, legal compliance and user rights related to the collection, storage and use of data. Fundamentally, data protection aims to safeguard the confidentiality, integrity and availability of critical and essential business data. Data security focuses on the tools and techniques — such as encryption, firewalls and access controls — used to guard data from unauthorized access, breaches or theft. 

With AI adoption accelerating, safeguarding sensitive firm data through rigorous vetting, real-time monitoring and ethical governance must be a non-negotiable priority for any legal organization. 

In short, data security is how you protect the data, while data protection is why and under what rules you determine (or are required) to protect it. 

Artificial Intelligence and Data Risk 

AI poses both unique challenges and operational risks for law firms. Some significant risks include, but are certainly not limited to, the following: 

Increased Risk of AI-Generated Fraud 

Generative AI poses unique challenges for law firms, including AI-generated voice or video fraud. Firms lacking robust measures to detect or prevent such fraud leave sensitive client information vulnerable, revealing the need for advanced detection tools and training to address these risks. 

Challenges in Maintaining Confidentiality 

As lawyers use AI tools to analyze client data, there is a heightened risk of exposing sensitive and confidential client information. Lawyers must ensure that AI providers always adhere to (and that firms implement) strict data protection and security protocols to avoid breaches of attorney-client privilege. 

Vulnerabilities to Cyberattacks 

AI can be exploited by cybercriminals (or even by disgruntled current or former employees) for activities such as ransomware phishing attacks, data manipulation and outright deletion or destruction. Threat actors can utilize AI to identify patterns in computer systems and applications that reveal weaknesses in installed security programs that can lead to the unauthorized disclosure of sensitive client and personnel information.  

This undermines confidentiality, a cornerstone of legal practice, and may result in leaked sensitive data or compromised legal strategies. Without proper detection measures, law firms risk breaching ethical duties and client trust, potentially facing legal and reputational consequences. Many firms lack robust measures to detect or prevent such fraud, leaving sensitive data assets vulnerable. 

Further, AI can be used to automate and personalize phishing attacks by analyzing user data to craft convincing messages. AI can also enhance malware and ransomware by adapting in real time to evade detection and exploit vulnerabilities more effectively, revealing weaknesses in installed security programs and potentially leading to the unauthorized disclosure of privileged data. 

Addressing the emergence of AI and the associated risks, Kitchen stresses, “As AI becomes integral to business operations, organizations must understand that it introduces not only innovation but also complex risks to their most valuable asset (beyond personnel), that being data and/or proprietary information.” He recommends that firms vet AI tools to reinforce data security. “Failing to address AI’s dual nature, as both a powerful defense tool and a potential liability, organizations jeopardize leaving critical, privileged data exposed to an increasingly aggressive threat environment,” he says. 

Why Is Data Security Important in the Age Of AI? 

The rapid adoption of AI technologies and their ability to process vast amounts of sensitive information make data security a critically important issue. 

A firm’s data is not only a valuable business asset, but it is also one that is increasingly subject to external regulation, scrutiny and audit. Global regulations, such as the General Data Protection Regulation (GDPR), the AI Act (EU) and U.S. legislation, such as the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA), require that firms implement rigorous internal controls designed to protect the confidentiality, integrity, privacy, security and access to sensitive and critical data.

ActionStep
ActionStep

As businesses leverage AI technologies to enhance their operations, they must also be prepared to navigate an evolving regulatory landscape that places greater emphasis on how data is handled, shared, stored and protected. 

Hannah Ji-Otto, Partner in the St. Louis office of Quarles & Brady LLP, provides further direction, stating, “It’s important for the general counsel’s office and privacy attorneys to be involved from the very beginning of any firm-wide AI deployment. Their role extends beyond identifying legal risks; they also help shape the ethical and responsible use of AI.”  

Ji-Otto details that innovative firms have teams who work closely with practice groups to determine when to use AI and therefore create training strategies to protect confidentiality and data utility. “This kind of cross-functional collaboration is fundamental to building systems that are secure, compliant and prepared for the future,” she says. 

What Is AI’s Role in Data Security? 

AI systems use algorithms that can recognize known attack patterns and detect subtle warning signs that humans might miss. For example, AI can identify outdated software that hackers might exploit or flag misconfigured system settings, both of which are vulnerabilities that could be fixed before an attack. 

AI differs from traditional software applications because it uses machine learning algorithms that can continuously learn from vast amounts of data and adapt over time, while most older security software relies on fixed rules or known threats. Instead of just checking files against a list of bad software, AI looks for unusual patterns or behaviors that might signal a new or hidden attack. This means AI can spot problems faster and even catch threats that no one has seen before. Proactive defense means AI doesn’t just wait for attacks; it actively hunts for risks. It identifies risks and helps organizations fix weak spots before they’re exploited. 

Utilizing the predictive capabilities of AI not only helps the firm avoid a costly data breach but also helps to ensure that firms maintain client trust and remain compliant with legal and ethical responsibilities regarding data protection.  

Proactive defense means AI doesn’t just wait for attacks; it actively hunts for risks. 

Leveraging AI to Secure Digital Assets 

Using AI as part of a firm-wide data security strategy may include, but is certainly not limited to, the following applications: 

Enhanced Data Encryption 

AI strengthens encryption through the use of machine learning to analyze data patterns and detect potential vulnerabilities in real-time. It can dynamically adjust encryption protocols, making it harder for unauthorized users to crack the code. 

Example: A law firm managing cross-border cases could use an AI tool that automatically encrypts emails and client documents, ensuring compliance with international privacy laws like GDPR while maintaining easy access for authorized users. 

Continuous Monitoring 

AI enhances data system surveillance by continuously analyzing network activity, user behavior and data access patterns to spot anomalies in real-time. The ability of AI systems to monitor in real time, detect threats and take proactive actions helps firms keep their data safe, maintain client trust and comply with legislation. 

Example: A law firm handling sensitive client data may use AI-based security platforms to detect unusual data access patterns. If an unauthorized device attempts to access confidential files, AI alerts the administrator instantly to block access and investigate further.

ALA
ALA

Legislative Compliance 

AI can help firms stay compliant with state, federal and international data protection laws by monitoring how data flows through the firm’s IT systems, enforcing data handling policies and keeping detailed records of data usage and access. These logs are essential when organizations must prove they are following privacy laws, especially during audits or investigations. Ewelina Paczkowska, Solution Architect at Threatscape’s Microsoft Security Practice, in her blog “Data Protection in The AI Era,” states that AI tools can amplify the risks related to data security, but they also offer an opportunity to enhance compliance and streamline data protection. 

Example: An international firm dealing with GDPR compliance could use AI-based tools to continuously audit their data protection practices, ensuring that all client data transfers comply with cross-border privacy regulations and alerting administrators to any compliance gaps. 

AI-Driven Access Control 

Firms can utilize AI to dynamically manage access controls, ensuring that only authorized personnel can access certain data based on real-time behavior analytics.  

Example: A firm could implement an AI solution where access to sensitive litigation documents is granted based on factors like location, device and usage patterns. If a junior associate suddenly tries to access high-profile case files from an unknown location, the system can flag or restrict access. 

AI-Powered Data Loss Prevention (DLP) 

Investigate implementing and using AI to predict and prevent data leaks by identifying unusual behaviors, such as unauthorized file sharing or data transfers.  

Example: A legal office dealing with mergers and acquisitions could leverage AI tools that prevent sensitive contract information from being emailed outside the firm or uploaded to unapproved cloud services, reducing the risk of accidental or malicious data breaches. 

AI-Powered Backup and Disaster Recovery 

Consider employing AI-based automatic and predictive backup solutions to back up sensitive data and predict potential system failures, ensuring backup and timely recovery of critical data in case of a breach or attack. 

Example: A firm managing complex intellectual property disputes may use AI predictive applications to perform backups of client files and litigation documents. AI’s predictive analytic capabilities execute data backups before a cyberattack or data loss occurs, minimizing downtime and data loss. 

AI for Predictive Cybersecurity 

Employ AI systems that predict potential security breaches or vulnerabilities before they occur, allowing for preemptive measures.  

Example: A law firm with high-profile clients may use AI-driven solutions that analyze system vulnerabilities and alert system administrators about potential weak points in the firm’s network. If the AI tool predicts a possible exploitation in the firm’s virtual private network (VPN), the system administrator can direct IT to proactively patch the VPN before any malicious attempt is made. 

Adopting AI — Cautiously 

Artificial intelligence is transforming the legal industry by enhancing data protection through continuously monitoring for anomalies, enforcing dynamic access controls and supporting legal compliance through real-time auditing and record-keeping.  

However, its capabilities can be exploited by attackers, enabling more sophisticated phishing schemes, deepfake fraud and adaptive malware that challenge traditional defenses.  

As firms adopt AI technologies, they must rigorously vet these tools involving legal and IT teams early to ensure ethical, secure and compliant implementation. Proactively leveraging AI as both a shield and a sentinel is essential to protecting sensitive firm data in an increasingly complex digital landscape. 

About the Author

Al Marcella, PhD, CISA, CISM

Al Marcella, PhD, CISA, CISM

President
Business Automation Consultants, LLC

Al Marcella, PhD, CISA, CISM, President of Business Automation Consultants (BAC) LLC, is an internationally recognized public speaker, researcher, IT consultant and workshop and seminar leader with extensive experience in IT, having authored numerous articles and over 30 books on various IT, audit and security related subjects. Marcella’s clients include organizations in financial services, IT, banking, petrol-chemical, transportation, services industry, public utilities, telecommunications and departments of government and nonprofits. When partnering with Madeline Parisi, the Training Resource Center, LLC, is a jointly operated entity providing training and consulting services, specializing in Environment, Social and Governance (ESG). They and Brian Moore are authors of a book series written for teachers about cyber safety for K-8 students.

Also in This Issue

Back to Top
ALA Logo

Copyright © 2025
The Association of Legal Administrators.
All rights reserved.