Law firms run on a software stack that almost nobody in the firm understands as software. The partners think of their tools as productivity products, the litigation support team thinks of them as workflow platforms, and the IT director thinks of them as outsourced services that came with a contract. The reality is that a modern AmLaw 200 firm runs Relativity or Reveal for e-discovery, iManage or NetDocuments for document management, Aderant or Elite for practice and billing management, Intapp for risk and conflicts, plus dozens of point solutions for time tracking, eSignature, deposition video, expert witness sourcing, court reporting, and translation. Every one of those products is a software supply chain that the firm has implicitly inherited.
The data those products hold is privileged, confidential, and frequently subject to protective orders that the partner who signed them does not realize have software implications. When a third-party document review platform gets breached, the firm's exposure is not just regulatory; it is potentially a malpractice claim, a sanctions motion, and a client relationship that does not survive the disclosure. ABA Formal Opinion 483 made it clear in 2018 that lawyers have an affirmative duty to make reasonable efforts to detect and respond to data breaches, and the legal-tech vendor surface is where most firms are weakest at meeting that duty.
What does the legal-tech supply chain actually look like?
The e-discovery platform is the highest-value target in most firms because it concentrates document populations from many matters in a single tenant. Relativity, whether the on-premises predecessor to RelativityOne or the current SaaS offering, runs a complex ecosystem of analytics modules, processing engines, and partner-built applications from the Relativity App Marketplace. Each marketplace app is a third-party piece of software that gains access to the matter workspace it is installed into, and the firm rarely has any visibility into the SBOM of those apps or the patch cadence of their dependencies. Reveal, Everlaw, and Logikcull have similar third-party ecosystems with similar visibility gaps.
The document management system is the second high-value target because it holds the full text of every document the firm has produced for any client. iManage Work and NetDocuments dominate the market and both have moved aggressively to cloud over the past five years, which shifts the supply chain from a firm-controlled deployment to a vendor-controlled multi-tenant platform. The firm's risk now includes the vendor's CI/CD pipeline, their dependency hygiene, and the third-party services they integrate with for OCR, full-text search, and AI summarization. The recent push to embed generative AI into document review and contract analysis has materially expanded that surface in the last eighteen months.
How does ABA Formal Opinion 483 change the duty of care?
Opinion 483 establishes that the duty of competence under Model Rule 1.1 includes understanding the risks of the technology a firm uses, and the duty of confidentiality under Rule 1.6 includes taking reasonable measures to prevent unauthorized disclosure. The opinion does not require any specific control, but it does require that the firm have a process for evaluating, monitoring, and responding to risk from its software vendors. That language is what makes third-party risk management a duty rather than a courtesy.
The opinion has been followed by state-level guidance that goes further, and by client outside counsel guidelines that explicitly require SBOMs, SOC 2 Type II reports, and breach notification commitments from any vendor that touches client data. Sophisticated clients, particularly financial institutions and healthcare systems whose own regulators have started asking about counsel risk, are pushing outside counsel guidelines that read like a vendor security questionnaire. Firms that cannot produce evidence of vendor due diligence are losing business to firms that can, and the cost of producing that evidence keeps rising as the vendor list grows.
What happened with the Mossack Fonseca breach and what should have been learned?
The Panama Papers leak in 2016 was not a supply chain attack in the strict sense, but it was a software security incident at a law firm whose practice management systems were outdated and unpatched, and the lessons are directly applicable to the supply chain question. A WordPress plugin and an outdated Drupal installation were among the vectors, and the firm had no inventory of what was deployed or what its dependencies were. The 2.6 terabytes that leaked constituted the kind of dataset that any firm's e-discovery platform could lose if a single dependency in the platform's vendor stack were compromised in the right way.
The pattern has repeated at smaller firms in less spectacular ways every year since. A managed-services provider serving a regional firm gets ransomed and the firm's matters are exfiltrated. A document review vendor gets breached and the names of witnesses in a protective-order matter end up on a paste site. The legal industry's response has been mostly to demand contractual breach notification, which is necessary but not sufficient. The technical work of inventorying the software that handles privileged data and monitoring its supply chain for emerging risk is still done at most firms by no one in particular.
What does a defensible third-party risk program look like for a firm?
The minimum is an inventory of every software product that touches client data, including SaaS, including the marketplace apps inside those SaaS products, and including the integrations that move data between them. That inventory needs to be reviewed at least annually with the responsible partner, not just with IT, because the partner is the one whose name is on the engagement letter and whose duty under the Model Rules is implicated. The inventory should record the vendor's SOC 2 status, the date of the most recent attestation, the date of the next renewal, and any open findings the vendor has disclosed.
The next layer is monitoring. Vendors get acquired, change their subprocessor lists, suffer breaches, and ship vulnerable releases at a cadence that no annual review can keep up with. A firm with two hundred legal-tech vendors needs an automated mechanism to ingest vendor security disclosures, CVE feeds for the components those vendors are known to use, and risk score changes from a third-party data source. Without that monitoring, the firm is making the duty-of-care argument on the basis of a snapshot that was already stale by the time it was filed.
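A minimal model of the inventory and monitoring layers described in the two paragraphs above, written as an added example rather than code from any firm, vendor or product the article names. It nests marketplace apps inside the SaaS product they are installed into, flags client-data products whose SOC 2 attestation is missing or more than a year old, and joins a CVE feed against each product's known components to surface which matters are exposed; every product name, component, date, matter and CVE id is a constructed placeholder.

```python
"""Inventory and monitoring model for a firm's legal-tech stack (added example). Every
product, component, date, matter and CVE id is constructed, not a real vendor disclosure."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Product:
    name: str
    holds_client_data: bool
    soc2_attested_on: Optional[date]                  # date of the latest SOC 2 Type II report
    components: set = field(default_factory=set)      # components the vendor is known to ship
    matters: set = field(default_factory=set)         # matters whose data this product holds
    marketplace_apps: list = field(default_factory=list)  # third-party apps inside the tenant

def flatten(products):
    """Yield every product, including marketplace apps nested inside a SaaS platform."""
    for p in products:
        yield p
        yield from flatten(p.marketplace_apps)

def stale_attestations(products, today, max_age_days=365):
    """Client-data products whose SOC 2 attestation is missing or older than max_age_days."""
    return sorted(p.name for p in flatten(products) if p.holds_client_data and
                  (p.soc2_attested_on is None or
                   today - p.soc2_attested_on > timedelta(days=max_age_days)))

def match_cve_feed(products, feed):
    """Join a CVE feed (cve id -> affected component) against each product's component list."""
    hits = {}
    for p in flatten(products):
        for cve, component in sorted(feed.items()):
            if component in p.components:
                hits.setdefault(p.name, []).append(cve)
    return hits

def exposed_matters(products, feed):
    """Matters held by any product or nested app that a CVE in the feed touches."""
    hit = match_cve_feed(products, feed)
    return sorted({m for p in flatten(products) if p.name in hit for m in p.matters})

# Constructed inventory: an e-discovery tenant with a marketplace app inside it, a DMS, and a scheduler with no client data.
INVENTORY = [
    Product("e-discovery platform", True, date(2024, 3, 1), {"ocr-engine-a"}, {"Matter-001"},
            marketplace_apps=[Product("marketplace analytics app", True, None,
                                      {"pdf-parser-x"}, {"Matter-001", "Matter-002"})]),
    Product("document management system", True, date(2023, 1, 15), {"pdf-parser-x"}, {"Matter-003"}),
    Product("court-reporting scheduler", False, None),
]
CVE_FEED = {"CVE-0000-0001": "pdf-parser-x"}  # placeholder id, constructed for the example
```

Note that the marketplace app is reported on its own line in both checks even though it was never purchased as a separate vendor; that is the visibility gap the inventory is meant to close.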
How Safeguard Helps
Safeguard gives law firms a software supply chain view that maps every legal-tech vendor in the practice to the components and dependencies that vendor is known to ship, with TPRM scoring tuned to the legal sector's specific risk profile around e-discovery, document management, and practice management platforms. Griffin AI continuously monitors the SBOMs and disclosure feeds for vendors like Relativity, iManage, NetDocuments, Aderant, and Intapp, and surfaces emerging risk against the matters and client data those vendors hold. Policy gates can require minimum attestation standards for any marketplace app installed into an e-discovery workspace, blocking installation of apps that do not meet the firm's evidentiary or confidentiality requirements. The audit trail Safeguard maintains is exactly the kind of evidence that an Opinion 483 review or a sophisticated client's outside counsel guidelines audit will ask for, and it scales with the firm's vendor list rather than requiring a proportional increase in staff.