The Defense Lawyer's Cybersecurity Guide to AI: How to Deploy It Securely, Protect Privilege, and Choose the Right Platform

Legal organizations experienced 200+ ransomware incidents between 2025 and early 2026, before most firms had meaningfully deployed AI. Meanwhile, the number of cyber incidents involving law firms nearly doubled. The conversation since has focused on hallucinated citations and privilege waivers. Most firms are solving for the wrong problems.


The real risks fall into two categories.

· Inaction: Today, over one-third (38%) of employees acknowledge sharing sensitive work information with AI tools without their employers' permission. Banning AI doesn't solve this — it moves the problem to personal devices, where the firm has no visibility at all.

· Building in-house: Firms that go this route are accidentally becoming a software company. SOC 2 Type II takes six to twelve months and tens of thousands in audit fees. HIPAA compliance, mandatory for any firm touching claims with protected health information, requires a full program of administrative, physical, and technical safeguards. The firm absorbs all of that regulatory overhead without the recurring revenue that software companies use to fund it.


Here, we cut through the noise to focus on the two risks that actually matter, and how OraClaim can handle the certifications and controls firms would otherwise have to build themselves at a fraction of the cost and none of the operational risk.

The Wrong Conversation

Steven Schwartz’s name has, since May 2023, become shorthand for AI gone wrong in legal practice. The New York attorney filed an opposition brief in Mata v. Avianca, citing six federal cases that ChatGPT invented. Judge P. Kevin Castel fined Schwartz, his colleague, and their firm $5,000 each. Subsequent sanctions cases have enforced the same lesson: the lawyer who signs the brief is responsible for everything in it. These are not new principles. They are Rule 11 with a chatbot.

The more recent panic around United States v. Heppner has been similarly overstated. Judge Jed Rakoff held in February 2026 that the defendant's chats with a public AI platform were not privileged, because that platform explicitly disclaimed confidentiality. A week earlier, in Warner v. Gilbarco, the Eastern District of Michigan held that work-product protection did apply to AI-assisted drafting. Read together, the cases confirm what privilege law has held for decades: who uses the tool, at whose direction, and whether confidentiality is preserved are the questions that matter. The technology is new; the framework is not.


These risks deserve attention. They do not deserve the panic. The firms making serious AI cyber mistakes in 2026 are mostly making different ones.


The First Real Risk: Inaction

Begin with the firms that have decided AI is too dangerous to use.

They have done so, in most cases, without realizing that their staff has already decided otherwise. Recent surveys put the share of employees feeding sensitive work data into unsanctioned AI tools between 38% and just under half. In one tracked enterprise, 11% of all material pasted into ChatGPT was confidential data. By mid-2025, leaks tied to unauthorized use of generative AI had become a leading category of insider data loss. And none of it generates an audit trail.


What this looks like inside a defense firm is depressingly familiar. An associate, three nights into a brief, pastes a long deposition transcript into a free chatbot to summarize it. A paralegal uses an unvetted transcription service to convert a privileged client call into editable text. A partner uploads opposing counsel's expert report to a generic chatbot to see what it thinks. All three happen, all three violate Model Rule 1.6, and the firm has no visibility into any of it.

The instinctive response, a ban, does not work. AI is now embedded in Microsoft 365, Westlaw, and Lexis. New associates are learning to use it in law school. Carriers are rewriting billing guidelines to favor firms with sanctioned tools. A firm that bans AI succeeds only in driving its use onto unmonitored personal devices, where the data-leakage problem is at its most severe and the firm's visibility at its least. Banning a tool that makes the job fundamentally easier for overworked people is a recipe for creating rule breakers, not compliance.


The choice is not whether your people will use AI. It is whether the version they reach for is one the firm has chosen and can see.

There is also a doctrinal point the bar associations have begun to make with some force. ABA Model Rule 1.1, since the 2012 amendment to Comment 8, has explicitly required lawyers to keep abreast of the benefits and risks associated with relevant technology. Most state bars have adopted some version of it. A managing partner who has decided the firm will simply not engage with generative AI is making a defensible bet about the technology and an indefensible bet about the rule.

The Second Real Risk: Building It Yourself

The firms that have decided to engage with AI now confront a more interesting question: build or buy.

Some of the larger firms, and a surprising number of mid-size ones, have concluded that the answer is to build. The reasoning is intuitive. We have smart people. We have IT. We have specific workflows nobody else understands. Why pay a vendor a recurring license fee for something we could do in-house, with full control over the data and the model?

The reasoning is also wrong in most cases. Building AI infrastructure for a litigation defense practice is not a project. It is a permanent commitment to operate a small AI software company alongside a law firm, and most failures will not look like AI failures. They will look like cyber incidents.


Capability is not reliability. A team of two motivated engineers can build something that demos beautifully in three months. The gap between that demo and a system you can put privileged work through, every day, without getting it wrong in expensive ways, is roughly the same as the gap between a working prototype and a production aircraft. Retrieval grounded against verified case databases, citation verification, output validation, audit logging, role-based access, the ability to detect and recover from model drift when the underlying API changes. None of this comes free with the demo. All of it has to be built, tested, monitored, and maintained. The vendors that do this for a living have invested years and millions of dollars in the parts that do not show up on the demo screen.


The day after an incident is when DIY hurts most. When something goes wrong, and the base rate suggests it will, the firm must explain what happened to clients, to its malpractice carrier, possibly to a court, possibly to a state bar. A vendor can produce a SOC 2 Type II report, a HIPAA assessment, an incident-response runbook, and a coordinated communications plan, because that is what their entire business exists to produce. A homegrown system typically produces an apologetic email from the CIO. The asymmetry of accountability is striking. With a vendor, the firm is a customer of an audited business with independent attestation of its controls. Without one, the firm is the audited business, except that nobody outside the building has actually audited it.


The team you depend on can leave on Tuesday. A firm that hires two AI engineers has hired two single points of failure. The market for AI engineering talent is the most competitive technical labor market in the country. Senior engineers are routinely poached at well above their current salary, and the people who built your system are exactly the people most likely to be poached. When they go, the system goes with them, not literally, but in the form of all the undocumented decisions, the weird workarounds, the integration knowledge, and the model-prompt tuning that does not appear in any wiki. The firm is then left with critical infrastructure that nobody on staff fully understands. This is a familiar pattern from the early days of legal IT. AI accelerates it.

The pace of change punishes the small. Frontier models change every three to six months. New vulnerabilities are published regularly. The NAIC Model Bulletin has been adopted by 24 states, with 12 launching a pilot evaluation tool in March 2026 that scrutinizes AI used in claims handling, billing disputes, and total-loss decisions. The EU AI Act came into force in August 2024. State privacy laws continue to accumulate. A vendor whose entire business is keeping up with this will keep up. A two-person in-house team supporting a litigation practice will not. They will fall behind, quietly, on the parts of the system that determine whether the firm can credibly tell a regulator that it has reasonable controls.

Along the way, you will accidentally start a security company. SOC 2 Type II takes six to twelve months and costs tens of thousands in audit fees alone. HIPAA compliance, for any firm doing claims work that touches protected health information, requires an entire program of administrative, physical, and technical safeguards. [12] A law firm that builds its own AI is not just building an AI tool. It is taking on the regulatory posture of a software vendor without the recurring license revenue to pay for it.


And the homegrown tool is rarely the easy tool. Even when it works, the in-house build is rarely the most usable option available. Commercial vendors invest heavily in user experience, onboarding, integration, and documentation, the things that determine whether an associate at 11 p.m. reaches for the firm's sanctioned system or for ChatGPT on her phone. A secure path that is also clunky is one that gets quietly abandoned. The firm then ends up paying for both the homegrown system and the shadow-AI problem it was meant to solve.

The pattern across all of these failure modes is the same. AI is unusual among technologies not for what it can do, but for the gap between how easy it is to start and how hard it is to operate safely. Two engineers can clone an open-source model and have something working in a week. Making that the kind of thing a regulated profession can defensibly run privileged client data through is not a week's or a quarter's work. It is a discipline. And it is not, in most defense firms, a discipline that the firm has any particular reason to develop.

What Built-By-Someone-Else Should Look Like

If neither refusing nor reinventing is the answer, the question becomes which vendor and what to ask of them. A practical checklist, in declining order of importance:

· SOC 2 Type II is the floor, not the ceiling. A vendor without it should not be considered.

· HIPAA compliance and a willingness to sign a Business Associate Agreement are non-negotiable for anyone touching healthcare claims.

· Closed architecture, meaning prompts and outputs are not used to train models, and this is contractually guaranteed rather than merely promised in a marketing FAQ, is essential for privileged work.

· Retrieval-augmented generation with citation verification addresses the Schwartz problem at the architectural level.

· Independent third-party penetration testing on a documented cadence addresses cyber posture.

· The vendor should have an incident-response plan tailored to the legal industry, not a generic one repurposed from the SaaS playbook.

· The contract should clearly allocate liability, indemnity, and notification obligations in a way that survives an actual breach.


Usability matters nearly as much as security. A vendor whose product is technically sound but operationally clunky has solved only half the problem. The other half is whether the associate at 11 p.m., racing a deadline, will actually reach for the sanctioned tool first. The right question to ask a vendor is not just whether the security architecture holds up, but whether the staff will use what has been built.


OraClaim handles the certifications and controls firms would otherwise have to build themselves: closed architecture, SOC 2 Type II, HIPAA, and legal-industry incident response, at a fraction of the cost and none of the operational risk. It is one option in this market; there are others. The point is not to pick a particular vendor but to recognize that picking one and demanding the certifications is a different proposition, and a much safer one, than rolling your own.


Schwartz's Lesson, and What Follows

The Schwartz problem was never really about AI. It was about supervision. The Heppner panic was never really about AI. It was about confidentiality. The shadow-AI problem is about whether the firm has given its people tools they will use openly. The build-it-yourself trap is about whether the firm understands the real difference between writing software and operating it. Each of these tests existed before generative AI arrived. Each of them has a new edge in 2026.

Lawyers built this profession's reputation for confidentiality with carbon paper, locked filing cabinets, and the discretion of a trusted secretary. Those tools were once novel and faintly threatening, too. The duty did not change. The means did. The firms that will look back well on this decade are those that recognize, faster than their competitors, that the duty of competence is now an active obligation and that the ways of failing it have multiplied.

The cyber question, though, is the precondition for a larger one. A defense firm operating on a secure, audited, integrated AI platform is not merely safer than its rivals. It is in a fundamentally different competitive position. Its own historical case data, depositions, medical records, expert reports, and settlement histories scattered across decades of matters and a dozen incompatible systems become accessible, queryable, and comparable. The platform can integrate with carrier systems, court records, and the wider ecosystem the litigated-claim industry is being rebuilt around. The output is a firm that does not simply bill faster. It is a firm that makes different decisions.


For now, the question on the table is the smaller one: who is going to build the platform on which any of that becomes possible? Schwartz's mistake was not using ChatGPT. It was not reading what he filed. The duty, as it has always been, is to know what goes out under your name and, in 2026, to know what is running underneath it.

Most firms have one or two questions holding up the decision. Learn more at oraclaim.com.


Sources: FBI Internet Crime Complaint Center, "Silent Ransom Group Targeting Law Firms," 23 May 2025; Halcyon, "INC Ransom Group Mounts Rapid Campaign Against Law Firms," March 2026; Baker & Hostetler, Data Security Incident Response Report 2026 (ABA Journal, 26 March 2026); Mata v. Avianca, Inc., 678 F.Supp.3d 443 (S.D.N.Y. 2023); Johnson v. Dunn, No. 2:21-cv-1701 (N.D. Ala., 23 July 2025); United States v. Heppner, No. 1:25-cr-00503-JSR (S.D.N.Y., 17 February 2026); Warner v. Gilbarco, Inc. (E.D. Mich., 10 February 2026); IBM Think, "What Is Shadow AI?" 2025; Cyberhaven enterprise data, cited in Balanced+, "What Is Shadow AI? Security Risks and How to Respond," April 2026; North Carolina Bar Association, "Beyond the Ban: Why Your Law Firm Needs a Realistic AI Policy in 2026," 13 January 2026; NAIC Model Bulletin on Use of AI Systems by Insurers; Secureframe, "SOC 2 + HIPAA Compliance: The Perfect Duo for Data Security."

Contact

(650) 550-2920

OraClaim, Inc.
540 Howard Street
San Francisco, CA 94105