ABA Model Rule 1.6 expects you to know your tenant. Most firms don't.
Privilege-aware audit, SOC 2 + client confidentiality mapped. Free 14-day trial.
Why This Matters for Legal
Law firms hold the most sensitive information of any client-facing industry — and adversaries know it. A breach does not just expose data; it can end client relationships and trigger bar complaints.
ABA Model Rule 1.6 Is Not Optional
ABA Model Rule 1.6(c) requires lawyers to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. ABA Formal Opinion 477R (2017) makes clear that securing electronic communications — including email, file sharing, and collaboration platforms — is central to this duty. The commentary explicitly references the need to understand technology used in connection with a representation, including the benefits and risks associated with the technology.
Law Firms Are a Tier-One Target
Nation-state threat actors and financially motivated attackers specifically target law firms because they hold privileged information about multiple high-value clients simultaneously — M&A targets, litigation strategy, government contracts, and regulatory investigations. A single M365 compromise can expose privileged communications across hundreds of matters. FBI and CISA advisories have repeatedly named law firms as preferred targets precisely because their security posture has historically lagged behind the sensitivity of the information they hold.
Enterprise Clients Now Demand Evidence
Large corporate clients — financial institutions, healthcare systems, government contractors — increasingly include cybersecurity requirements in their outside counsel engagement letters and conduct annual vendor security assessments of their law firms. Firms that cannot provide documented evidence of their M365 security controls are losing panel position. The ABA's Legal Technology Survey consistently shows that firms winning enterprise client relationships are those that can demonstrate, not just assert, a mature security posture.
What We Audit
Controls mapped to the specific risks that expose attorney-client privileged information and client confidences in Microsoft 365.
Email Security & Confidentiality
External forwarding rules that could route privileged communications off-network, anti-phishing protections for attorney accounts, DMARC enforcement to prevent impersonation, and message encryption for sensitive client communications.
Matter File Access Controls
SharePoint site permissions, external sharing policies for matter workspaces, sensitivity labels on document libraries containing privileged files, and DLP policies preventing unauthorized external transmission of client documents.
Identity & Privileged Access
MFA enforcement for all attorney and staff accounts, conditional access policies for remote and unmanaged device access, privileged role governance for IT administrators, and former employee account deprovisioning — a common gap in firms with high associate turnover.
Teams & Collaboration Governance
External guest access controls for client-facing Teams channels, retention and legal hold policies for Teams conversations involving privileged communications, and third-party app governance for integrations that may process client data.
Audit Logging & Incident Detection
Unified Audit Log enablement, alert policies for high-risk activities on privileged matter files, and Defender for Office 365 detection coverage — essential for demonstrating due diligence and enabling forensic reconstruction after a security incident involving client data.
Azure & Cloud Infrastructure
Azure storage access controls, encryption posture for client data at rest, network exposure of systems hosting client information, and Key Vault access policies — the cloud infrastructure layer increasingly used by legal technology platforms integrated with M365.
Compliance & Ethics Coverage
Findings mapped to the standards that regulators, bar associations, and enterprise clients are measuring you against.
ABA Model Rules 1.1, 1.6, and 5.3
Competence, Confidentiality, and Supervision of Nonlawyers
We map your M365 configuration to the specific ABA model rule obligations most relevant to your technology environment. Rule 1.1 (competence) includes understanding the technology used in representation. Rule 1.6 requires reasonable efforts to prevent unauthorized access. Rule 5.3 requires supervision of third-party service providers with access to client information. Your assessment generates documented evidence of reasonable efforts across all three obligations.
SOC 2 Type II
Trust Services Criteria — Security, Confidentiality, Privacy
Enterprise clients increasingly require SOC 2 Type II reports from outside counsel. We map your M365 configuration to the Trust Services Criteria — specifically the Security and Confidentiality categories — generating the technical evidence your auditor needs for a SOC 2 examination. Use findings to close gaps before your audit engagement begins.
State Bar Cybersecurity Guidance
California, New York, Texas, Florida, and other bar association standards
Multiple state bar associations have issued formal cybersecurity guidance and ethics opinions that reference specific technical controls — MFA, encryption, access controls, and incident response capabilities. Our assessment aligns findings to the most widely adopted state bar guidance, giving you a defensible posture regardless of your primary jurisdictions.
ISO 27001 & NIST 800-53
International and federal security control frameworks
Enterprise client security questionnaires for outside counsel frequently reference ISO 27001 control families and NIST 800-53 control categories. We map your M365 and Azure configuration to both frameworks, giving you pre-populated answers and technical evidence for the vendor security assessments that large financial, healthcare, and government clients require annually.
Legal Industry Risk Spotlight
The M365 and Azure findings that carry the highest risk of privileged information exposure or bar ethics violations for law firms.
Privileged Emails Forwarded Externally
Auto-forwarding rules routing attorney-client communications to personal email accounts — a direct Rule 1.6 violation that is easy to miss in a large firm and trivial for an attacker to implant post-compromise. Among the most commonly surfaced findings in legal firm assessments.
Matter Files Shared with "Anyone"
SharePoint matter workspaces with anonymous link sharing enabled — meaning privileged documents are accessible to anyone with the URL, with no authentication and no audit trail. A single sharing misconfiguration can expose a confidential M&A file to the public internet.
Departed Attorney Accounts Still Active
Former associate or partner accounts left active after departure — with full access to matter files, client communications, and firm systems. A significant privilege and confidentiality risk that also creates insider threat exposure if the departure was contentious.
Unmanaged Devices Accessing Client Files
Partners and senior associates accessing M365 from personal unmanaged devices with no conditional access policy enforcement — a gap in the "reasonable efforts" standard that bar ethics opinions increasingly expect, particularly for partners handling sensitive litigation or regulatory matters.
Third-Party LegalTech Apps Without Governance
eDiscovery, document review, and contract management tools connected to M365 via OAuth with delegated access to privileged matter files — with no admin consent policy or periodic review. Rule 5.3 supervision obligations extend to these service providers.
No Alerting on Privileged File Access
No alert policies for mass download, external sharing, or unusual access patterns on SharePoint sites containing privileged client files — meaning a data exfiltration event could go undetected for weeks. Audit log review is increasingly a bar ethics expectation for firms with enterprise clients.
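The first spotlight finding, auto-forwarding of attorney mail off-network, is one a firm can check for itself before any assessment. The script below is an added example, not the vendor's tooling; it assumes the ExchangeOnlineManagement module is installed and the operator holds a read-only Exchange role, and it flags any forwarding destination whose domain is not one of the tenant's accepted domains.

```powershell
# Added example (not the vendor's product): find mailbox-level forwarding and
# inbox rules in Exchange Online that send mail outside the firm's own domains.
# Assumes: ExchangeOnlineManagement module installed; a read-only role such as
# View-Only Organization Management is sufficient for every cmdlet used here.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Every accepted domain in the tenant counts as "internal"; anything else is external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Rule recipients render as: "Jane Doe" [SMTP:jane@example.com]
    # Internal recipients render as [EX:/o=...] legacy DNs, which we treat as internal.
    if ($Address -match '\[SMTP:([^\]]+)\]')          { $smtp = $Matches[1] }
    elseif ($Address -match '^(smtp:)?[^@\s]+@[^@\s]+$') { $smtp = $Address -replace '^smtp:', '' }
    else { return $false }
    $domain = $smtp.Split('@')[-1].ToLower()
    return -not ($internalDomains -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName
    # 1. Mailbox-level forwarding (set by an admin, or by the user in Outlook settings).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)")) {
        [pscustomobject]@{ Mailbox = $upn; Source = 'ForwardingSmtpAddress'; Rule = '-'; Destination = "$($mbx.ForwardingSmtpAddress)" }
    }
    if ($mbx.ForwardingAddress) {
        # ForwardingAddress is a recipient reference (often a mail contact); resolve it to SMTP.
        $target = (Get-Recipient -Identity $mbx.ForwardingAddress).PrimarySmtpAddress
        if ($target -and (Test-ExternalAddress "$target")) {
            [pscustomobject]@{ Mailbox = $upn; Source = 'ForwardingAddress'; Rule = '-'; Destination = "$target" }
        }
    }
    # 2. Inbox rules: forward, forward-as-attachment and redirect actions.
    foreach ($rule in Get-InboxRule -Mailbox $upn) {
        if (-not $rule.Enabled) { continue }
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress "$t") {
                [pscustomobject]@{ Mailbox = $upn; Source = 'InboxRule'; Rule = $rule.Name; Destination = "$t" }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Get-InboxRule runs once per mailbox, so a large tenant takes a while; a rule whose destination resolves to an accepted domain is not flagged, so mail contacts that merely look internal still need a manual review of the resolved address.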
"A Fortune 100 client required us to complete their vendor security questionnaire before renewing our panel engagement. We had no idea what our actual M365 configuration looked like beyond the IT team's assurances. The assessment gave us the documented technical evidence we needed to answer every question with specifics. We retained the client — and immediately fixed the 11 gaps the assessment found."
Documented security posture your clients will trust.
Get a complete view of the controls protecting attorney-client privileged information across your M365 and Azure environment — in under 10 minutes.
Read-only access — attorney-client data never collected — results in under 10 minutes.