
AI security for Naples law firms: protecting privileged data and trust-account wires

AI-driven fraud and ungoverned AI tools now threaten the two things a Naples law firm cannot afford to lose: privileged client data and the money in its trust account. Here is what the risk really looks like, what Florida ethics rules now require, and how to build verifiable controls.

11 min read·Updated 2026-07-01·8 sources

What is AI security for a law firm?

AI security for a law firm is the practice of governing how artificial intelligence is used against the firm and inside the firm, so that privileged client data stays confidential and trust-account funds cannot be diverted. It covers two fronts: defending against AI-driven fraud like deepfake voice and email attacks, and controlling the AI tools staff use so client confidences are not leaked.

For a Naples or Southwest Florida practice, both fronts touch the same nerve. A single wire diverted from an IOLTA trust account or one privileged file exposed can trigger a bar complaint, a malpractice claim, and permanent loss of client trust. The threat is no longer theoretical. Reported cybercrime losses in the United States reached $16.6 billion in 2024, a 33% jump over the prior year, according to the FBI Internet Crime Complaint Center.

$16.6B
Reported US cybercrime losses in 2024, up 33% year over year
FBI Internet Crime Complaint Center 2024 Annual Report, 2025

How does AI-driven fraud target law firm trust accounts and wires?

AI-driven fraud usually arrives as business email compromise or a cloned voice. An attacker monitors a real estate closing or settlement, then times a fraudulent request to redirect a wire from the trust account to an account they control. AI makes the impersonation faster, cleaner, and harder to catch, because the fake email or phone call now sounds exactly like the person it claims to be.

Business email compromise remains the costliest wire fraud category. It drove close to $2.8 billion in reported losses in 2024, and nearly $8.5 billion over the three years from 2022 through 2024, per FBI IC3 data compiled by Nacha. Law firms sit directly in the blast radius because they hold client funds and coordinate closings.

$2.8B
Business email compromise losses reported to the FBI in 2024
Nacha analysis of FBI IC3 data, 2025

Real estate and title work, a staple of many SWFL practices, is a favorite target. In real estate, the average business email compromise incident results in losses of roughly $150,000 to $200,000, and nearly 30% of title companies reported an attempted BEC attack in the prior year, according to figures cited by CertifID from FBI and American Land Title Association data. For a firm holding closing funds in trust, that is a direct hit to client money.

The attack does not break your encryption. It impersonates a person your staff already trusts and asks them to move money.

Voice cloning has turned this from an email problem into a phone problem. Deepfake-enabled vishing attacks surged more than 1,600% in the first quarter of 2025 compared with the fourth quarter of 2024 in the US, and US deepfake-related fraud losses reached an estimated $1.1 billion in 2025, roughly triple the prior year, per figures compiled by DeepStrike. A caller who sounds like a managing partner authorizing a wire is now a plausible weekly event, not a movie plot.

1,600%+
Surge in deepfake-enabled vishing attacks, Q1 2025 vs Q4 2024 (US)
DeepStrike, Deepfake Statistics 2025

How do ungoverned AI tools put privileged client data at risk?

Ungoverned AI tools leak privileged data when staff paste client facts, documents, or case strategy into a public chatbot that may store, train on, or expose that input. Once confidential information leaves the firm's control, the lawyer cannot guarantee it stays privileged. The risk is quiet, because nothing looks broken while it is happening.

The ABA addressed this directly in Formal Opinion 512, issued July 29, 2024. It states that lawyers are responsible for knowing how a generative AI tool uses data and for putting adequate safeguards in place so client information is not susceptible to unauthorized disclosure. The opinion also warns that boilerplate consent buried in an engagement letter is not adequate for using client confidences in an AI tool.

Formal Op. 512
First ABA ethics guidance on lawyers' use of generative AI
American Bar Association, 2024

Breaches are expensive even before a bar complaint. The global average cost of a data breach reached $4.88 million in 2024, a 10% increase and the largest jump since the pandemic, according to IBM and the Ponemon Institute. Notably, the same report found that organizations using AI and automation extensively in their defense workflows saved an average of $2.2 million per breach, which makes the case for governing AI rather than banning it.

$4.88M
Global average cost of a data breach in 2024
IBM Cost of a Data Breach Report, 2024

Governing AI use is exactly what our AI governance program is built to do: define which tools are approved, what data can touch them, and how each use is logged. Defending against the impersonation side is the focus of our deepfake defense work.

What does Florida's duty of technology competence require?

Florida requires lawyers to understand the benefits and risks of the technology they use. The comment to Rule 4-1.1 of the Rules Regulating The Florida Bar ties competence to keeping abreast of relevant technology, and Florida attorneys must complete three technology CLE credit hours in each three-year cycle. Competence expressly includes safeguarding confidential information.

Florida also issued specific AI guidance. Ethics Opinion 24-1, approved by the Board of Governors on January 19, 2024, permits lawyers to use generative AI but requires them to protect client confidentiality under Rule 4-1.6, supervise AI tools much like nonlawyer assistants under Rule 4-5.3, provide competent service, and avoid improper billing. In plain terms, the tool is allowed, but the lawyer owns the outcome.

Florida ethics rules do not ask whether you used AI. They ask whether you governed it and protected the client. Those answers should be verifiable, not assumed.
  • Duty of competence, including understanding technology risks (Rule 4-1.1)
  • Duty of confidentiality across all information learned in representation (Rule 4-1.6)
  • Duty to supervise nonlawyer assistants and, by extension, AI tools (Rule 4-5.3)
  • Three technology CLE credit hours required per three-year cycle
  • Florida Ethics Opinion 24-1 guidance on generative AI, issued January 2024

These duties are why a Naples firm should be able to show, not just say, that its controls work. A verifiable record of who accessed what, which AI tool touched which data, and how a wire request was confirmed is the difference between a defensible practice and a hopeful one.

How can a Naples law firm protect its practice with verifiable controls?

A firm protects itself by pairing human process with verifiable technical controls, meaning controls that produce tamper-evident evidence rather than promises. The goal is simple: no wire moves without out-of-band confirmation, no privileged data reaches an unapproved tool, and every AI action leaves a record you can later prove.

Start with the money. Deloitte's Center for Financial Services projects that generative-AI-enabled fraud losses in the US could rise from $12.3 billion in 2024 to $40 billion by 2027, a 32% annual growth rate. On that trajectory, callback verification and dual approval on trust-account wires are no longer optional hygiene; they are core risk controls.

$40B
Projected US generative-AI-enabled fraud losses by 2027
Deloitte Center for Financial Services, 2024
  • Verify every wire and every change to payment instructions by calling a known number, never a number from the email or message requesting the change
  • Require dual authorization for any disbursement from an IOLTA trust account
  • Establish a code word or callback protocol so a cloned voice alone cannot authorize a transfer
  • Approve a short list of AI tools with appropriate data protection, and prohibit pasting client confidences into public chatbots
  • Obtain informed client consent before using client information in an AI tool, beyond boilerplate engagement language
  • Log and retain a verifiable record of AI use and privileged-data access so the firm can prove its controls if questioned
  • Train staff on deepfake voice and email red flags, and rehearse the response to a suspicious wire request

Verifiable is the operative word. The industry has learned that AI-driven attacks fool trained people, so a control that cannot be proven after the fact is a control you cannot rely on. Our security services are built around evidence you can hand to a client, an insurer, or the bar, and our enterprise program extends the same model across multi-office firms.
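To make "verifiable" concrete, here is an added illustration of a tamper-evident wire record (example code written for this guide, not RankShield's product or any firm's actual system): each IOLTA disbursement is appended to a hash-chained log only when two distinct approvers and a callback to the payee number already on file are present, and any later edit to an entry breaks the chain. The payee id, phone numbers, amounts and timestamps are constructed sample values.

```python
import hashlib
import json

# Constructed sample: payee callback numbers already on file at the firm.
# A callback to a number supplied in the wire request itself is rejected.
KNOWN_CONTACTS = {"closing-0417-seller": "+1-239-555-0100"}
GENESIS = "0" * 64


def entry_hash(prev_hash: str, payload: dict) -> str:
    """Hash of the previous entry's hash plus this entry's canonical JSON."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + data).encode()).hexdigest()


def record_wire(chain: list, payload: dict) -> str:
    """Append a disbursement record only if both controls actually ran."""
    if len(set(payload["approvers"])) < 2:
        raise ValueError("dual authorization required for IOLTA disbursement")
    if payload["callback_number"] != KNOWN_CONTACTS.get(payload["payee_id"]):
        raise ValueError("callback must go to the number already on file")
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = entry_hash(prev, payload)
    chain.append({"payload": payload, "prev": prev, "hash": digest})
    return digest


def verify_chain(chain: list) -> tuple:
    """Return (True, n) if all n entries chain correctly, else (False, index)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry_hash(prev, entry["payload"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, len(chain)


def build_sample_chain() -> list:
    """Two constructed disbursements that pass both controls."""
    chain = []
    record_wire(chain, {"payee_id": "closing-0417-seller", "amount_usd": 185000,
                        "approvers": ["partner-a", "bookkeeper-b"],
                        "callback_number": "+1-239-555-0100", "ts": "2026-06-30T14:02Z"})
    record_wire(chain, {"payee_id": "closing-0417-seller", "amount_usd": 2500,
                        "approvers": ["partner-a", "partner-c"],
                        "callback_number": "+1-239-555-0100", "ts": "2026-06-30T15:10Z"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))                  # (True, 2)
    chain[0]["payload"]["amount_usd"] = 195000  # after-the-fact edit to the record
    print(verify_chain(chain))                  # (False, 0)
```

In practice the chain head hash would be written somewhere the bookkeeper cannot alter alone (a second system or a periodic signed export), so the record can be handed to an insurer or the bar as evidence that the callback and both approvals occurred.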

Looking further out, the same discipline that protects data today prepares a firm for tomorrow. Long-lived privileged records will eventually face threats from future computing, which is why our post-quantum work focuses on durable protection for records that must stay confidential for decades. When you are ready to assess your exposure, contact us for a Naples-based review.

FAQ: common questions

Are Naples law firms actually being targeted, or is this a big-city problem?
Southwest Florida firms are squarely in scope. Attackers pick targets by opportunity, not zip code, and Naples has a high concentration of real estate closings, estate work, and high-net-worth clients, all of which involve moving significant funds through trust accounts. Business email compromise, the most common wire-fraud method, targets buyers, sellers, real estate attorneys, and title companies alike, according to FBI guidance. In real estate transactions the average incident runs roughly $150,000 to $200,000. The combination of valuable transactions and smaller in-house security teams makes regional firms attractive, not overlooked.
Does using AI put my firm out of compliance with the Florida Bar?
No. Florida Ethics Opinion 24-1, approved in January 2024, expressly permits lawyers to use generative AI. What it requires is governance: protect client confidentiality under Rule 4-1.6, supervise the tool as you would a nonlawyer assistant under Rule 4-5.3, provide competent service, and bill honestly. The ABA's Formal Opinion 512 adds that you must understand how a given tool uses data and obtain meaningful client consent before feeding it confidential information. The compliance risk comes from ungoverned use, not from AI itself. A documented policy and approved-tool list keep you on the right side of the line.
What is the single most effective control against wire fraud?
Out-of-band verification. Before any wire leaves the trust account, and before any change to payment instructions is accepted, confirm it by calling a phone number you already know, never one supplied in the email or message that requested the change. Pair that with dual authorization so no single person can move client funds alone, and a callback code word so a cloned voice cannot authorize a transfer by itself. These steps are low cost and directly counter business email compromise, which drove about $2.8 billion in reported US losses in 2024 according to FBI data. Technology helps, but this human control stops the majority of attacks.
What makes a control verifiable, and why does it matter for a law firm?
A verifiable control produces tamper-evident evidence that it actually ran, rather than a policy that merely says it should. For a wire, that means a retained record showing the callback happened and both approvers signed off. For AI use, it means a log of which tool touched which data and under what consent. This matters because AI-driven fraud is designed to fool trained people, so after an incident you need to prove what your firm did. A verifiable record is what you hand to a client, an insurer, or the bar to show your controls worked. We never claim any system is unhackable, only that its protections can be proven.
How should we handle staff using tools like public chatbots for legal work?
Set a clear, written policy and enforce it. Approve a short list of AI tools that offer appropriate data protection and contractual terms, and prohibit pasting privileged client facts, documents, or strategy into public consumer chatbots that may store or train on the input. ABA Formal Opinion 512 makes lawyers responsible for knowing how a tool uses data and for preventing unauthorized disclosure. Obtain informed client consent before using their information in AI, and note that boilerplate engagement-letter language is not enough. Train everyone on the difference between an approved, governed tool and a public one, then log usage so the firm can demonstrate compliance.

Sources

  1. 2024 IC3 Annual Report · FBI Internet Crime Complaint Center
  2. FBI's IC3 Finds Almost $8.5 Billion Lost to Business Email Compromise in Last Three Years · Nacha
  3. 2024 FBI IC3 Cybercrime Report: A Breakdown · CertifID
  4. ABA Issues First Ethics Guidance on a Lawyer's Use of AI Tools (Formal Opinion 512) · American Bar Association
  5. Proposed Advisory Opinion 24-1 Regarding Lawyers' Use of Generative Artificial Intelligence · The Florida Bar
  6. Ethical Obligations for Florida Lawyers on Technology and Confidentiality · LegalFuel (The Florida Bar Practice Resource Center)
  7. IBM Report: Escalating Data Breach Disruption Pushes Costs to New Highs · IBM
  8. Deepfake Statistics 2025: The Data Behind the AI Fraud Wave · DeepStrike

Protect your Naples business against this.

RankShield turns the ideas in this guide into verifiable defense for your Southwest Florida business. Get a no-obligation assessment.