The CIA Triad Meets Legal Privilege

Alice: Welcome to Security for Legal SaaS. I’m Alice.

Dan: And I’m Dan. Episode 5 — The CIA Triad Meets Legal Privilege. Alice, the CIA triad is probably the most fundamental concept in information security. Confidentiality, integrity, availability. But I suspect you’re going to tell me it means something different when you’re building for lawyers.

Alice: Not different. Heavier. The same three properties, but each one carries legal consequences that generic security guidance never accounts for. A confidentiality breach in legal tech doesn’t just expose data — it can permanently waive attorney-client privilege. That’s not a fine. That’s a case collapsing.

Dan: Walk me through that. How does a technical security failure translate into a legal privilege waiver?

Alice: Attorney-client privilege protects communications made in confidence for the purpose of obtaining legal advice. The keyword is “confidence.” If those communications are disclosed — even inadvertently — the protection can be lost. Federal Rule of Evidence 502 provides a safety net, but only if the privilege holder took “reasonable steps to prevent disclosure.” Your platform architecture is the reasonable steps. If it’s inadequate, the disclosure isn’t treated as an accident. It’s treated as a waiver.

Dan: So the firm’s choice of technology platform becomes evidence in the privilege waiver analysis.

Alice: Exactly. And we have real-world examples of what happens when that architecture fails. Mossack Fonseca — the Panama Papers. Eleven point five million privileged attorney-client documents exfiltrated. Two point six terabytes. Their flat network architecture meant one breach point gave access to everything. The firm closed permanently. Not because of the scandal — because no client could ever trust them with privileged information again.

Dan: The confidentiality failure destroyed the entire value proposition. What about integrity — the second leg of the triad?

Alice: In generic SaaS, integrity means your data is accurate. In legal tech, integrity means you can prove to a judge that a document has not been tampered with since it entered your system. Courts require authentication of digital evidence. If your contract management platform can’t demonstrate an unbroken chain of custody — cryptographic hashes at ingest, signed audit logs for every access, immutable version history — then neither party can rely on your platform’s version as authoritative.

Dan: Give me a concrete scenario.

Alice: A royalty agreement on your platform. Someone changes the definition of “net revenue” to “gross revenue” in a single clause. That one word change could shift millions in payment obligations. If your platform only stores the current version with no integrity proof of what the original said and who changed it and when — you’ve just created a situation where a multi-million dollar dispute has no reliable documentary evidence.

Dan: That’s terrifying. And the third leg — availability. Uptime, right?

Alice: Uptime with teeth. Missed filing deadlines are the number one source of legal malpractice claims. Courts don’t care why a filing was late. The statute of limitations doesn’t pause because your cloud provider had an outage. The filing fails, the case dies, the malpractice suit begins. Your platform’s availability during a filing window isn’t an SLA metric — it’s a negligence question.

Dan: DLA Piper learned this the hard way.

Alice: June 2017. NotPetya hit DLA Piper — one of the largest law firms on the planet. Every Windows server, globally, taken down. No email for four days. Fifteen thousand hours of IT overtime to rebuild the entire infrastructure from scratch. Their flat network architecture — same structural weakness as Mossack Fonseca — let the malware propagate across forty countries in minutes. If any court deadlines fell in those two weeks of paralysis, the platform failure would have constituted negligence regardless of what caused it.

Dan: So we’ve got three properties, each with legal-specific consequences that are dramatically more severe than in standard SaaS. Let’s talk solutions. Starting with confidentiality — is encryption enough?

Alice: No. And this is the critical insight most teams miss. Encryption prevents data from being read. But privilege requires something stronger: the ability to prove that unauthorised access never occurred. Those are two fundamentally different security properties. Opposing counsel’s forensic team will not ask “was the data encrypted?” They will ask “can you prove no unauthorised person accessed this document between these dates?”

Dan: How do you prove a negative like that?

Alice: Four layers. First — encryption. AES-256 at rest, TLS 1.3 in transit, per-tenant keys. Necessary but insufficient. Second — access attestation. Every access event cryptographically signed with the accessor’s identity, timestamp, and document hash. Third — negative proof capability. Hash-chained audit logs where gaps are structurally impossible, not merely unlikely. Fourth — compartmentalisation. Architectural enforcement that one compromised component cannot reach privileged data in another compartment.

Dan: The Grubman Shire breach in 2020 is a perfect example of missing that fourth layer.

Alice: REvil exfiltrated 756 gigabytes of privileged celebrity client data in a single operation. Contracts, NDAs, personal correspondence — everything from Lady Gaga to Bruce Springsteen. No internal segmentation prevented lateral movement. Once in, everything was reachable. Forty-two million dollar ransom demand. The firm had encryption. What they didn’t have was compartmentalisation.

Dan: So to summarise — the CIA triad in legal tech is really about three legal standards wearing technical clothing.

Alice: Confidentiality means preserving privilege — proving reasonable steps under FRE 502 and ABA Opinion 477R. Integrity means proving non-tampering to a judicial authentication standard. Availability means guaranteeing access during legal deadlines to avoid negligence. Generic security gets you partway there. Legal-specific architecture gets you the rest of the way.

Dan: And here’s what strikes me — these three aren’t independent. A breach of any one can cascade. An availability failure during discovery could look like spoliation — an integrity problem. An integrity failure in access logs undermines your ability to prove confidentiality was maintained.

Alice: That’s the interconnection most teams discover too late. Your integrity controls protect your confidentiality claims. Your availability guarantees protect against integrity challenges. Build for all three simultaneously, or you’ll find the one you neglected is the one opposing counsel targets.

Dan: Practical takeaway for someone building legal SaaS right now?

Alice: Ask yourself one question about every architectural decision: “Can I prove this to a court?” Not “is this secure?” — that’s table stakes. “Can I demonstrate, with cryptographic evidence, that privilege was maintained, documents were not tampered with, and the system was available when it needed to be?” If the answer is no, you have a gap that no amount of encryption alone will close.

Dan: Next episode starts Module 2 — Transport and Network Security. We’re going to take TLS and HTTPS completely apart. How the handshake works, why certificate management matters, and what actually happens when your browser shows that little padlock icon.

Alice: Until then, I’m Alice.

Dan: And I’m Dan.

Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.