Copilot for Law Firms: Attorney-Client Privilege Meets AI

Why Copilot in law firms isn't just a GDPR issue but touches attorney-client privilege, professional secrecy laws, and information barriers. And what to configure first.

When Copilot opens the wrong file

A lawyer is working on a contract dispute for Client A. She asks Copilot to compile all relevant documents on contract law. Copilot delivers. Among the results: an internal memo from a completely different matter. Client B. Different facts, different client, but related legal subject matter.

The lawyer now has information about Client B that she shouldn’t have. Not because she went looking for it. Because her SharePoint permissions give her technical access to both client folders. Copilot did exactly what it was built to do: assemble the best possible answer from all available sources.

The problem isn’t Copilot. The problem is that “all available sources” in many law firms includes far more than any individual lawyer should see.

Double regulatory exposure

Law firms face a problem that goes beyond what tax firms deal with. They’re subject to not one, but two parallel confidentiality obligations.

Section 203 of the German Criminal Code protects professional secrecy with criminal sanctions. A lawyer who discloses a client’s secrets, even unintentionally, risks up to one year of imprisonment. Technical access is enough to trigger liability.

Section 43a(2) of the Federal Lawyers’ Act (BRAO) imposes an additional professional duty of confidentiality. This obligation goes further than Section 203 in some respects. It covers not just secrets in the criminal law sense, but everything the lawyer learns in the course of professional practice. The bar associations (Rechtsanwaltskammern) monitor compliance and can impose professional disciplinary sanctions.

When Copilot compiles information across client matters, it can violate both obligations simultaneously. This isn’t a theoretical scenario. It happens as soon as a lawyer has access to SharePoint folders belonging to matters they’re not involved in.

The Chinese Wall problem

Law firms are familiar with information barriers. In practice this means: when a firm represents two clients whose interests might conflict, the teams must work in strict separation. No information flow between the matter teams. No shared files. No conversations about the other case.

In larger firms this is managed with organizational measures: separate teams, separate spaces, documented barriers. It works as long as people follow the rules.

Copilot doesn’t know about Chinese Walls. It searches everything the user has technical access to. SharePoint has no concept of “this user may access these files, but Copilot shouldn’t search here.” Either the access exists or it doesn’t.

In smaller firms with five to fifteen lawyers, this problem is especially acute. Partners often have access to all client folders. In practice that was never an issue because nobody read through other people’s case files. Copilot reads through everything it can access. Every day, with every query.

What Copilot can do for a law firm

The positive side shouldn’t be underestimated. Smaller firms without large support staff benefit the most:

Copilot searches the firm’s knowledge base for relevant case law and internal memos. It summarizes extensive case files. It drafts correspondence based on existing client communications. It analyzes contract clauses and identifies critical points. It generates summaries for time tracking.

For a solo practitioner or small firm, these are functions that would otherwise require a junior associate or research assistant. The productivity gain is real.

But it only works if the boundaries are right.

Label architecture for law firms

The Sensitivity Label structure for a law firm needs to be more granular than for a tax firm. The reason: more complex matter structures and the need to enforce information barriers technically.

Each matter gets its own label: “Confidential: Matter [reference number].” The label isn’t just a classification. It controls access. Documents with this label are only accessible to members of the matter team. Copilot can only search these documents if the requesting user is assigned to the matter team.

For Chinese Walls there’s an additional layer: Barrier Labels. When two matters involve a potential conflict of interest, both matters get a Barrier Label that technically prevents cross-access. Even if a lawyer were theoretically assigned to both teams (which shouldn’t happen, but is technically possible), the Barrier Label blocks cross-matter access through Copilot.

The tier structure:

Tier 1: Strictly Confidential, Matter. Encrypted, no external access, only named team members. Copilot search restricted to the matter. For matters with conflicts of interest, additional Barrier Labels.

Tier 2: Confidential, Firm. Internal documents that reference a matter but are not themselves confidentiality-critical. Template briefs derived from a matter and anonymized.

Tier 3: Internal. Firm organization, training, general templates. Copilot has unrestricted access.

Tier 4: General. Public information.
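One way to express the Tier 1 and Tier 3 labels above in Security & Compliance PowerShell, as an added example that is not the article's own configuration: the tenant domain contoso.com, the matter reference 2024-0815 and the M365 group matter-2024-0815@contoso.com holding the matter team are assumptions. The Tier 1 label encrypts content and grants usage rights to the team group only, so a user outside the group cannot open the file and Copilot, which honours label encryption, returns nothing from it on that user's behalf; the Tier 3 label carries no encryption, so Copilot can search it freely.

```powershell
# Added example, not the article's configuration. Assumes the ExchangeOnlineManagement
# module, a compliance admin role, tenant domain contoso.com, matter 2024-0815 and an
# existing M365 group matter-2024-0815@contoso.com for the matter team (all assumptions).
Connect-IPPSSession

$tenant = "contoso.com"                 # assumption: tenant domain
$matter = "2024-0815"                   # assumption: matter reference number
$team   = "matter-$matter@$tenant"      # assumption: M365 group of the matter team

# Tier 1: one encrypted label per matter. Rights go to the team group only; anyone
# else (and Copilot acting for anyone else) gets no content from a labeled document.
New-Label -Name "Confidential-Matter-$matter" `
    -DisplayName "Confidential: Matter $matter" `
    -Tooltip "Matter $matter. Named team members only." `
    -ContentType "File, Email" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "$($team):VIEW,EDIT,DOCEDIT,PRINT" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never

# Tier 3: internal, no encryption. Copilot may search everything carrying this label.
New-Label -Name "Internal" `
    -DisplayName "Internal" `
    -Tooltip "Firm organization, training, general templates." `
    -ContentType "File, Email"

# Publish: the matter label is offered only to the matter team, Internal to everyone.
New-LabelPolicy -Name "Policy-Matter-$matter" `
    -Labels "Confidential-Matter-$matter" `
    -ModernGroupLocation $team

New-LabelPolicy -Name "Policy-Internal" `
    -Labels "Internal" `
    -ExchangeLocation All
```

The rights string deliberately omits the EXTRACT right; widen it only for team members who actually need to copy or summarize content out of matter documents, since that is the right AI-assisted extraction depends on.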

SharePoint structure: one site per matter

For tax firms, client groups work. For law firms, the minimum requirement is stricter: a separate SharePoint site per matter. Not per client. Per matter.

A client can have multiple matters. If Client X has a contract dispute and an employment law issue, those two matters need their own SharePoint sites as soon as different lawyers are working on them. The corporate lawyer handling the contract dispute doesn’t need access to the employment file, even though it’s the same client.

The M365 group structure mirrors this: one group per matter, members are the assigned lawyers and staff. When a lawyer hands off a matter, they get removed from the group. Permissions follow automatically.
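The one-group-per-matter structure just described, together with the Chinese Wall requirement from the earlier section, as an added example that is not the article's own script. Where the article speaks of Barrier Labels, this example uses Microsoft Purview Information Barriers (organization segments defined by group membership plus a blocking policy in each direction) as the technical mechanism; the tenant domain, matter references and user names are constructed.

```powershell
# Added example, not the article's script. Assumes the ExchangeOnlineManagement module,
# tenant domain contoso.com, matter references 2024-0815 and 2024-0902 and the user
# names shown (all constructed). Information barriers are used as the "Chinese Wall".
Connect-ExchangeOnline     # *-UnifiedGroup and *-UnifiedGroupLinks
Connect-IPPSSession        # information barrier cmdlets

$tenant = "contoso.com"    # assumption: tenant domain

function New-MatterGroup {
    param([string]$Matter, [string[]]$Members)
    # One private M365 group per matter; the group's SharePoint site is created with it.
    $g = New-UnifiedGroup -DisplayName "Matter $Matter" -Alias "matter-$Matter" -AccessType Private
    Add-UnifiedGroupLinks -Identity $g.Identity -LinkType Members -Links $Members
    return $g
}

$a = New-MatterGroup -Matter "2024-0815" -Members "a.mueller@$tenant", "k.schmidt@$tenant"
$b = New-MatterGroup -Matter "2024-0902" -Members "t.weber@$tenant"

# Hand-off: removing the lawyer from the group removes her site and label access.
Remove-UnifiedGroupLinks -Identity $a.Identity -LinkType Members -Links "k.schmidt@$tenant" -Confirm:$false

# Chinese Wall between the two matters: one segment per matter team, defined by
# membership in the matter group, and a blocking policy in each direction.
New-OrganizationSegment -Name "Matter-2024-0815" -UserGroupFilter "MemberOf -eq 'matter-2024-0815@$tenant'"
New-OrganizationSegment -Name "Matter-2024-0902" -UserGroupFilter "MemberOf -eq 'matter-2024-0902@$tenant'"

New-InformationBarrierPolicy -Name "Block-0815-from-0902" `
    -AssignedSegment "Matter-2024-0815" -SegmentsBlocked "Matter-2024-0902" -State Inactive
New-InformationBarrierPolicy -Name "Block-0902-from-0815" `
    -AssignedSegment "Matter-2024-0902" -SegmentsBlocked "Matter-2024-0815" -State Inactive

Set-InformationBarrierPolicy -Identity "Block-0815-from-0902" -State Active
Set-InformationBarrierPolicy -Identity "Block-0902-from-0815" -State Active
Start-InformationBarrierPoliciesApplication
```

Segments are meant to be non-overlapping, so a lawyer who is a member of both matter groups (the double assignment the article calls theoretically possible) shows up as a conflict when the policies are applied rather than silently inheriting both sides. Information barriers also have to be enabled for SharePoint and OneDrive at tenant level before they restrict site access; that switch is outside this example.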

Auto-labeling for firm operations

Auto-labeling rules for law firms need to recognize case numbers and matter references:

  • Documents containing case reference numbers get “Confidential: Matter [corresponding reference]” automatically
  • Emails to and from matter-related contacts get labeled
  • Documents in matter-specific SharePoint sites inherit the site label
  • Court filings and legal briefs get “Strictly Confidential, Matter”

Auto-labeling configuration is more involved for law firms than for tax firms because the matter structures are more complex. But it’s the only way to ensure consistent classification across hundreds or thousands of documents.
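The auto-labeling rules listed above, as an added example that is not the article's own configuration. It assumes the matter label Confidential-Matter-2024-0815 already exists, a matter site at https://contoso.sharepoint.com/sites/matter-2024-0815, and a custom sensitive information type named "Matter Reference Number" that matches the firm's reference format (all assumptions). The policy is created in simulation mode first so that classification results can be reviewed before anything is labeled.

```powershell
# Added example, not the article's configuration. Assumes an existing label
# Confidential-Matter-2024-0815, the matter site URL below and a custom sensitive
# information type "Matter Reference Number" built in the Purview portal (all assumptions).
Connect-IPPSSession

$matter = "2024-0815"                                              # assumption
$site   = "https://contoso.sharepoint.com/sites/matter-$matter"    # assumption
$label  = "Confidential-Matter-$matter"                            # assumed to exist
$sit    = "Matter Reference Number"                                # assumed custom SIT
$policy = "AutoLabel-Matter-$matter"

# Policy scoped to the matter site and to mail; simulation mode labels nothing yet.
New-AutoSensitivityLabelPolicy -Name $policy `
    -ApplySensitivityLabel $label `
    -SharePointLocation $site `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications

# Rule 1: documents in the matter site that carry a matter reference number.
New-AutoSensitivityLabelRule -Policy $policy `
    -Name "Matter-$matter-Reference" `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @{Name = $sit; minCount = "1"}

# Rule 2: court filings and briefs in the site, recognised by file name (constructed words).
New-AutoSensitivityLabelRule -Policy $policy `
    -Name "Matter-$matter-Filings" `
    -Workload SharePoint `
    -DocumentNameMatchesWords "Complaint", "Brief", "Motion"

# Rule 3: mail whose subject names this matter's reference number.
New-AutoSensitivityLabelRule -Policy $policy `
    -Name "Matter-$matter-Mail" `
    -Workload Exchange `
    -SubjectMatchesPatterns "\b$matter\b"
```

Review the simulation results (which documents would have been labeled, and which would have been missed) before switching the policy on with `Set-AutoSensitivityLabelPolicy -Identity $policy -Mode Enable`; a rule that over-matches will encrypt documents for the wrong team just as reliably as a correct one protects them.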

The key difference from tax firms

Tax firms have clear client boundaries. One client, one tax advisor, one file. Cross-connections between clients are rare.

Law firms work differently. A client can have multiple matters. Matters can overlap in time. Different lawyers work on different aspects of the same case. And conflicts of interest can arise where the firm must actively prevent information from flowing between matter teams.

That makes the label taxonomy more complex. It makes the SharePoint architecture more demanding. And it makes Chinese Wall enforcement not optional, but mandatory.

Rolling out Copilot in a law firm without reflecting this complexity in the configuration opens a risk that goes well beyond GDPR fines.

Next step

I build label architectures and SharePoint permission structures specifically for regulated firms. The methodology is the same. The configuration is tailored for law firms: matter-specific separation, Chinese Wall labels, granular access control.

The Copilot Compliance Audit shows you in two to three days where your environment stands and what needs to be configured before a Copilot rollout.

Book a 30-minute intro call. No sales pitch. Just an assessment of whether your SharePoint structure is ready for Copilot.


Jose Lugo is a CISSP-certified AI compliance consultant with M365 Endpoint Administrator certification. He configures SharePoint permissions and Sensitivity Labels for regulated law firms in Germany.