Balancing Document Security and AI Functionality
Copilot, Microsoft’s AI-driven assistant, is gaining traction across the legal industry, where a powerful tool to streamline document creation and management is a competitive advantage. But with this power comes the responsibility for data security and access boundaries. The complexity of what is required can be a hurdle. Governance teams are challenged to reconcile Copilot’s reach with the data security requirements.
To address this, Microsoft developed three innovative features to assert control over Copilot’s usage of data in the Microsoft estate.
- Purview Sensitivity Labels
- Purview Data Loss Prevention Policy
- SharePoint Advanced Management – Restricted Content Discovery ($)
Purview Sensitivity Labels
Law firms have a duty to prevent Copilot from accessing the organization’s work product, but the inability to unilaterally define which documents were ‘off limits’ presented a compliance challenge.
Solution: To protect sensitive documents from being used with Copilot, firms can apply Sensitivity labels that encrypt the documents and remove the ‘Export’ permission. Copilot reads data by programmatically exporting it out of a file, so removing that permission blocks Copilot’s access.
Caveat: Unfortunately, integration with Document Management Systems (DMS) has proven to be a double-edged sword. This encryption has adverse effects on the functionality of the DMS, leading to issues including a lack of indexing and thumbnail generation, which are critical for efficient document retrieval and management.
Purview Data Loss Prevention Policy
This new feature, still in its Preview phase*, is a Data Loss Prevention (DLP) policy that can target Copilot as the venue of control. The policy uses the presence of a sensitivity label as the condition that prevents the Copilot Chat experience from using a file.
The benefit to this method is that the sensitivity label does not need to encrypt the document. Sensitivity labels that are compatible with any document management system can be applied.
A shortcoming of this control is that it currently only works in the Chat experience. It does not exert any control on the use of Copilot within a Microsoft application (Word, Excel, PowerPoint, etc.).
(*caution is recommended with developing features)
In the chat experience, Copilot correctly respected the DLP policy:
But in PowerPoint, it did not…
If this looks familiar, it’s the old =rand(30) content where it dumps random paragraphs from the help file to generate content in a Word doc.
SharePoint Advanced Management – Restricted Content Discovery
Restricted Content Discovery is a key part of SharePoint Advanced Management (~$3 per user, per month). The feature allows content discovery to be disabled for a given SharePoint site (note that it must be a full site; you cannot get any more granular). Once this is enabled at the site level, and sufficient time has passed for the Fabric search index to update, the site’s content will be omitted from search results. This will prevent Copilot from finding content in files on the configured SharePoint site.
There is an exception to this restricted content rule: if a user has personally opened the file previously, that specific user will ‘discover’ the file, and the file will appear in search results for that user. This does make that file and its contents usable by Copilot for that user.
Still, this can be a useful feature if you’re looking to augment Copilot controls and minimize the ‘speed of search’ discoverability of content in your Microsoft estate.
Copilot’s Weight & Balance
As Copilot adoption increases across the legal industry, due diligence remains paramount for law firms balancing document security and functionality. As new features unlock innovative ways to cross-collaborate, proper testing and rollout protocols must remain a top priority. Copilot will continue to be a great power and, with it, a great responsibility for legal professionals.
Learn More
To learn about Kraft Kennedy’s approach to Copilot, or to discuss your unique needs, request a conversation.