Whether you are looking to compose an email faster or summarize a Word document at speed, there is a chance you have used Microsoft Copilot. Because it is embedded into software that organizations use every day, the volume of data generated by Copilot is significant. While those users may not consider the risks from a legal perspective, they can cause hidden litigation issues during discovery based on the technology’s nuanced, and seemingly sporadic, data storage and collection practices.
“Copilot data is now appearing in almost every application—you can find Copilot as a standalone tool within a web browser, in Outlook, and in Word and Excel,” says UnitedLex Collections and Forensic Solutions Consultant, Randy Crawford. “Copilot data is showing up in so many areas of our work product now that it’s critical to understand where exactly this AI-generated data resides. By doing so, we can help our clients proactively identify potential data risks.”
Legally, organizations need this proactive perspective for two reasons; first, they need to know where the data is being stored and identify it as potentially responsive, and second, they need to understand the disparate retention categories and policies of Copilot for discovery purposes.
To help organizations better understand these risks, UnitedLex tests and researches Copilot data to provide guidance on how to best manage it for eDiscovery purposes. “Our early testing shows that Copilot data is stored in different folders depending on what apps are being used—and for eDiscovery experts, it may not be intuitive where that data shows up,” explains Crawford.
This matters because legal teams may not have recently performed a thorough data mapping exercise that includes Copilot data, or they may not know all the ways in which their organization uses Copilot and therefore where it could show up when exporting broader Microsoft data for discovery.
“Using Microsoft Purview as an example: even if a user is just interacting with Copilot as a standalone app in a web browser, when exporting mailbox data, any relative Copilot data would also be stored within that data export,” says Crawford.
Research to date shows that prompt data is effectively being treated like chat records.
“Right now, the data itself is being stored similarly to Teams messaging data,” says Crawford. “So, most of the information—any prompts created or generated—is all stored as a Teams conversation. We found that the data is stored under a folder called Skype Spaces data, and then within that sub folder it’s categorized as Teams Meetings, and from there all the Copilot data that we created is stored as Teams Messages data. This can surely be confusing for data practitioners.”
This lack of clarity over where data resides means that if businesses check the Copilot data box when exporting from Purview for eDiscovery purposes, it can include undiscovered Copilot prompts that are categorized as chat data.
Therefore, organizations need to start asking themselves whether they have updated their data retention policies to include Copilot data, whether that data is appropriately included in legal holds, and how they are exporting Copilot data when it is deemed relevant for litigation.
“For example, many organizations retain Teams Messages data for 30 days, whereas other organizations might retain their data for longer or shorter periods,” Crawford notes.
This means legal teams need to think about how to strategize around Copilot data to protect themselves during litigation proceedings or even to identify strategic opportunities against the opposing side.
“With the rush to include AI in everything, it’s all just a bit unclear where the data will end up,” says Crawford.
With legal teams under constant time and budget pressures, attempting to do this data mapping work in-house and to properly assess the scale of risk exposure may not always be feasible. Using external experts who regularly do this kind of work and understand where hidden risks lie helps ensure legal teams do not get blindsided by hidden Copilot data.
For support with your Copilot data assessment or for help managing the discovery process, contact UnitedLex.
