Microsoft 365 + Copilot for Law Firms: The 2–4 Week Readiness Program for ABA Rule 1.6
- Nick Curran
- 24 minutes ago
- 4 min read
nicwerks deploys Microsoft 365 Copilot to California law firms in a way that satisfies ABA Model Rule 1.6(c), the California State Bar's December 2025 expanded AI guidance, and the cyber insurance attestation. Since 1999 we have run Microsoft tenants for LA-area firms — and we have seen what happens when a firm flips Copilot on without first configuring Purview sensitivity labels, Conditional Access, and DLP. The fix is not to ban Copilot; it is to deploy it correctly. Our 2–4 week readiness program ships a tenant where Copilot is useful for non-privileged work, blocked from privileged matter folders by policy, and fully audit-logged for the bar and the carrier.
The problem we solve
Three Copilot-specific risks recur at California firms. First, indexing of privileged matter folders — Copilot inherits a user's existing access, so a paralegal who can read a sealed-matter folder will see Copilot summarize that matter in response to an unrelated prompt. Without Purview sensitivity labels, the firm has no technical boundary between "Copilot can use this" and "Copilot cannot." Second, prompt and response retention — Copilot prompts and outputs are stored in the user's mailbox and OneDrive for Microsoft 365 audit and eDiscovery. That is good for the bar's "supervision" requirement but creates discovery exposure if not understood. Third, the ABA Formal Opinion 512 (July 2024) competence and confidentiality duties — lawyers using generative AI must "ensure competence" and "protect confidentiality," and the California State Bar's expanded December 2025 guidance now treats unsupervised Copilot use as a Rule 1.6 risk. Cyber insurance carriers in 2026 are adding AI-specific attestation questions; firms without a written AI policy and tenant controls are increasingly being declined.
What nicwerks delivers
- Copilot readiness assessment — tenant audit covering license posture, Purview state, Conditional Access, DLP, and privileged-folder permissioning.
- Microsoft Purview sensitivity labels deployed on privileged matter folders, attorney-client work product, and HR/financial data, with auto-labeling rules where defensible.
- Conditional Access tied to compliant managed devices — Copilot only runs on devices with EDR, current OS patches, and MFA, blocking BYOD prompt leakage.
- Data Loss Prevention (DLP) policies that prevent Copilot from indexing labeled content and prevent users from pasting labeled content into Copilot Chat or Bing Chat Enterprise.
- Written AI use policy — firm-specific, reviewed by your GC or outside counsel, mapping ABA Formal Opinion 512, California State Bar guidance, and the cyber insurance AI questions.
- Audit logging and eDiscovery configuration — Copilot prompts and responses retained per firm retention schedule and surfaced in Purview eDiscovery for matter holds.
- Attorney and staff training — 60-minute live sessions covering what to put into Copilot, what not to, and what the audit trail will show.
- Quarterly tenant review to catch drift in label coverage, policy violations, and license sprawl.
For broader AI policy across all tools (ChatGPT, Claude, Harvey), see AI governance for law firms.
Why law firms choose nicwerks
- Microsoft-fluent since 1999. We have run Microsoft 365, Exchange, and SharePoint for LA-area law firms for 25+ years.
- Copilot-specific, not generic Microsoft. We know what Purview labels look like in a NetDocuments-integrated tenant versus a SharePoint-only firm.
- ABA-aligned. Every Copilot deployment maps to ABA Formal Opinion 512, the California State Bar's December 2025 guidance, and ABA Rule 1.6(c).
- No long-term contract. Month-to-month.
Is Copilot safe for a law firm?
Yes — but only with Microsoft 365 E5 or the Copilot-specific add-ons configured correctly: Enterprise Data Protection, Conditional Access on compliant devices, Microsoft Purview sensitivity labels on privileged matter folders, and DLP policies that prevent Copilot from indexing labeled content. Without those four controls, Copilot inherits whatever access the user already has and may surface privileged client information in unintended contexts. With those controls, Copilot is appropriate for non-privileged drafting, summarization, and email work.
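The second of those four controls, Conditional Access that only lets Copilot run from a compliant, MFA-authenticated device, is the one that drifts most quietly: a policy left in report-only mode, or written with an OR operator so that either control alone satisfies it, looks like coverage in the portal but enforces nothing. The script below is an added audit check, not nicwerks' tooling or anything Microsoft ships. It takes the policy objects Microsoft Graph returns from GET /identity/conditionalAccess/policies (the field names and enum values are Graph's real ones) and reports whether any enabled policy targets Copilot, or all cloud apps, for all users and requires both a compliant device and MFA. The three sample policies are constructed to show typical near-misses, and the Copilot application id is a labelled placeholder, not the real id.

```python
"""Audit check for the Copilot Conditional Access gate (added example).

Input: the 'value' array from GET /identity/conditionalAccess/policies.
Output: whether the gate is fully enforced, and why each policy falls short.
"""
import json
from copy import deepcopy

# Placeholder only: substitute the Copilot application id from the tenant's
# enterprise applications or sign-in logs before running against real data.
COPILOT_APP_ID = "<COPILOT-APP-ID-PLACEHOLDER>"

# Graph's builtInControls values; both must be present and joined with AND.
REQUIRED_CONTROLS = {"compliantDevice", "mfa"}


def covers_copilot(policy):
    """True if the policy's app scope includes Copilot (or all cloud apps)
    and does not carve Copilot back out via excludeApplications."""
    apps = policy["conditions"]["applications"]
    if COPILOT_APP_ID in apps.get("excludeApplications", []):
        return False
    included = apps.get("includeApplications", [])
    return "All" in included or COPILOT_APP_ID in included


def evaluate_policy(policy):
    """Return (enforces_gate, reasons). Empty reasons means the policy is a
    complete, enforced compliant-device-AND-MFA gate for Copilot."""
    reasons = []
    if policy.get("state") != "enabled":
        reasons.append(f"state is '{policy.get('state')}', not 'enabled'")
    if not covers_copilot(policy):
        reasons.append("does not target Copilot or all cloud apps")
    if "All" not in policy["conditions"]["users"].get("includeUsers", []):
        reasons.append("does not include all users")
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    missing = REQUIRED_CONTROLS - controls
    if missing:
        reasons.append("missing grant controls: " + ", ".join(sorted(missing)))
    elif grant.get("operator") != "AND":
        reasons.append("grant operator is not AND: one control alone satisfies it")
    return (not reasons, reasons)


def copilot_gate_status(policies):
    """Summarise a policy set: enforced? which policies do it? why do others fail?"""
    enforcing, near_misses = [], {}
    for policy in policies:
        ok, reasons = evaluate_policy(policy)
        if ok:
            enforcing.append(policy["displayName"])
        else:
            near_misses[policy["displayName"]] = reasons
    return {"enforced": bool(enforcing),
            "enforcing_policies": enforcing,
            "near_misses": near_misses}


def _policy(name, state, apps, controls, operator):
    # Helper to build constructed sample policies in Graph's shape.
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": apps,
                                            "excludeApplications": []},
                           "users": {"includeUsers": ["All"],
                                     "excludeUsers": []}},
            "grantControls": {"operator": operator,
                              "builtInControls": controls}}


# Constructed samples: each looks like coverage but is not a working gate.
SAMPLE_POLICIES = [
    _policy("Require MFA for all users", "enabled", ["All"], ["mfa"], "OR"),
    _policy("Copilot: compliant device (report-only)",
            "enabledForReportingButNotEnforced", [COPILOT_APP_ID],
            ["compliantDevice", "mfa"], "AND"),
    _policy("Copilot: device or MFA", "enabled", [COPILOT_APP_ID],
            ["compliantDevice", "mfa"], "OR"),
]

# The corrected form of the third policy: enabled, both controls, AND.
HARDENED_POLICY = deepcopy(SAMPLE_POLICIES[2])
HARDENED_POLICY["displayName"] = "Copilot: compliant device AND MFA"
HARDENED_POLICY["grantControls"]["operator"] = "AND"

if __name__ == "__main__":
    print(json.dumps(copilot_gate_status(SAMPLE_POLICIES), indent=2))
    print(json.dumps(copilot_gate_status(SAMPLE_POLICIES + [HARDENED_POLICY]), indent=2))
```

Against the three constructed policies the check reports the gate as not enforced and names the defect in each (missing compliantDevice, report-only state, OR operator); appending the hardened policy flips it to enforced. Break-glass account exclusions are deliberately not flagged, since excluding an emergency-access account from a device-compliance policy is standard practice; excluding the Copilot app itself is.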
What does Copilot Enterprise cost?
Microsoft 365 Copilot is $30 per user per month on top of a qualifying base license (Microsoft 365 E3, E5, Business Standard, or Business Premium). For a 25-attorney firm, that's $750/month for Copilot licenses plus the base Microsoft 365 spend. Most firms license Copilot only for attorneys and senior staff initially, not every receptionist or billing clerk. nicwerks will rightsize licensing during the readiness assessment based on who actually needs Copilot for billable work.
Does Copilot store our prompts?
Yes — Copilot prompts and responses are stored in the user's Microsoft 365 mailbox and OneDrive for audit, eDiscovery, and compliance purposes. Microsoft does not use the prompts to train its foundation models under the Copilot Enterprise commercial data protection terms. The retention is actually beneficial for the ABA's supervision and competence duties — a partner can audit what an associate ran through Copilot — but firms should configure retention policies and matter-hold workflows to manage discovery exposure.
Will Copilot ingest privileged matter folders?
Yes — by default, Copilot inherits the user's existing access and can summarize any document the user can read, including privileged matter folders. The fix is Microsoft Purview sensitivity labels with content-marking and encryption, paired with DLP policies that prevent Copilot from indexing labeled content. nicwerks deploys this as part of the 2–4 week Copilot readiness program. Without labels and DLP, a paralegal asking Copilot for "all matters with a deadline this week" may see sealed or ethically-walled matters summarized.
How long does Copilot readiness take?
Two to four weeks for a 25-attorney firm. Week one is tenant audit and label design, week two is Purview deployment and DLP rollout, week three is Conditional Access tuning and pilot user enablement, week four is firm-wide rollout, training, and policy publication. Larger firms (75+ attorneys) take four to six weeks because label coverage requires per-practice-group customization. We sequence the work so attorneys keep using Microsoft 365 throughout — only Copilot is gated until readiness completes.
Turn on Copilot without a Rule 1.6 problem
A Copilot readiness assessment is included in our free security assessment, or we can scope a Copilot-only engagement separately. Either way, the first conversation is a 30-minute call covering your current Microsoft 365 tenant state, license posture, and AI governance maturity.