Critical Choices and Challenges: Three Trends Forcing Legal Teams to Rethink Data Protection in 2025
- Patrick Bryden
- Jul 14
Updated: Jul 17
Cloud adoption, GenAI risk, and new regulations are reshaping how legal teams must approach data security in 2025.
Like the rest of the working world, lawyers and the professionals who support them are navigating a new landscape, one that is both stretched by remote collaboration and strengthened by digital tools, including AI. No one knows precisely where it’s headed, but everyone agrees: the pace of change is accelerating.

But legal work isn’t like other industries. It deals in privileged, high-stakes content and operates on immovable deadlines. Matters must move forward. At the same time, data from clients, regulators, and partners must remain protected.
In 2025, legal teams face critical choices and challenges, and three major trends are forcing them to rethink how they protect sensitive data.
Trend 1: Legal Work Has Moved to the Cloud - But Security Hasn’t
Whether it’s large firms modernizing at a steady pace or in-house legal teams evolving rapidly, the how and where of legal work is fundamentally changing. Distributed teams, hybrid models, and the rise of ALSPs are now standard across the industry.
Legal professionals are collaborating across more platforms, partners, and jurisdictions than ever before. In fact, 76% now use cloud-based services to manage cases and workflows, and 63% work in hybrid or remote environments.
That shift has driven flexibility and productivity, but it’s also exposed cracks in the industry’s ability to secure sensitive data. Most of the systems powering modern legal work weren’t designed with privilege, revocation, or regulatory scrutiny in mind.
And the numbers confirm it: just 41% of legal organizations report having mature data governance policies in place.
This growing gap between working in the cloud and working securely in the cloud is one of the most urgent risks facing legal teams today.
To close it, firms and legal departments must rethink how data is protected:
- Know where sensitive data lives and flows
- Control who (or what, including AI tools) can access it
- Revoke access on demand
- Prove these controls to clients, courts, and regulators
Outdated perimeter defenses aren’t enough. Security must travel with the data itself.
Trend 2: GenAI Is Introducing Unseen Risk Into Legal Workflows
Legal teams have historically been slow to adopt new tools, especially in the areas of security and collaboration. But GenAI is different.
Its consumer breakout has accelerated demand across the industry. At the same time, early-stage legal use cases, such as research, contract review, and discovery, are starting to deliver real value. As a result, legal teams are increasingly piloting LLMs inside workflows once considered off-limits to automation.
But as adoption grows, so do the risks.
GenAI introduces a radically different data model:
- Prompts often include privileged or sensitive information
- Outputs can contain retained context or unintentionally reveal client data
- Underlying models operate as black boxes, making governance difficult
These realities have caught the attention of regulators and risk leaders alike.
In 2023, the UK Information Commissioner’s Office (ICO) issued detailed guidance warning that user inputs into AI systems may qualify as personal or sensitive data, triggering obligations under the UK GDPR, including limits on automated decision-making and requirements for transparency and explainability.
In the U.S., national AI regulation remains a work in progress. But state bars are stepping in. The State Bar of Texas, for example, has published a dedicated AI Toolkit for lawyers, highlighting core ethical duties, such as confidentiality, competence, and supervision, as they apply to GenAI tools.
Legal teams are now responsible for more than just how they use AI.
They must secure:
- The data going into LLMs
- The data generated by LLMs
- The potential retention or misuse of that data by underlying systems
This requires more than traditional cybersecurity.
It demands data-centric security that persists across MLOps and GenAI pipelines, ensuring that only authorized users (human or AI) can access sensitive content, and that protections remain in place regardless of platform.
Selective encryption, in particular, enables legal teams to protect just the portions of documents or datasets that require restriction, supporting both compliance and collaboration without friction.
Trend 3: Regulation Is No Longer Advisory - It’s Operational
For years, organizations had flexibility in how they approached data protection. Regulations were often framed as “best practices,” and compliance meant aligning with broad principles, like encrypting sensitive data or enforcing access controls.
That era is over.
Regulators are now moving from suggestions to requirements - and from broad standards to specific, enforceable mandates. Legal teams that once focused on advising clients through compliance challenges must now ensure their operations meet an expanding set of technical, jurisdictional, and cross-border rules.
Several shifts are driving this change:
Executive Orders and Federal Rules
Executive Order 14117 now governs the cross-border sharing of sensitive data, placing restrictions on non-traditional bulk data types, including contracts, employment agreements, and legal records.
U.S. State-Level Mandates
The New York Department of Financial Services (NYDFS) has updated its 23 NYCRR Part 500 regulation to include operational security mandates for regulated entities and their vendors, requiring access controls, multi-factor authentication, and mandatory encryption of non-public data.
Sector-Specific Frameworks
Even longstanding frameworks like HIPAA have tightened requirements. Impact case files that include protected health information must now be encrypted at rest and in transit, with fewer exceptions and less interpretive leeway.
Global Directives
In the EU, frameworks like NIS 2 and DORA impose detailed requirements for encryption, access governance, and strategic risk management, further raising the bar for any firm operating internationally or handling multinational clients.
Legal professionals are used to tracking regulatory change on behalf of their clients. But today, they’re also expected to operationalize those rules internally, often with little room for interpretation.
The bottom line: Security can’t be reactive. It must be embedded into legal operations and infrastructure, from cross-border collaboration to everyday case handling.
Legal work must stay fast, but it also has to stay secure
Today’s legal teams are navigating a complex balancing act.
Work is more distributed than ever, stretching traditional security models beyond their limits. GenAI is reshaping legal workflows while introducing new questions around data control and auditability. And regulators—from state bars to federal agencies—are shifting from guidance to mandates, demanding that protections are not just promised, but proven.
In each of these trends, the pattern is clear: The way legal work happens is evolving, but the responsibility to secure it remains absolute.
Meeting that responsibility requires more than firewalls and policies. It demands a modern approach: one that embeds encryption, access control, and auditability into the data itself, so it stays protected, no matter where it goes or how it’s used.
At Confidencial, we help legal teams do just that.
See how we enable secure legal collaboration, GenAI readiness, and audit-ready compliance—without slowing your team down.