Download PDF (139 KB)
PDF version — print or share with your team.
Lawyers are asking a sharper version of the question every owner asks about Claude Cowork: can an agent that reads and writes files on a desktop touch client matters without breaching confidentiality? According to Statistics Canada, professional, scientific, and technical services lead Canadian AI adoption at 31.7%, so the staff at most firms are already trying these tools. The duty to get it right sits with the firm, not the software.
Mike Pearlstein, CISSP, MSc AI, founder of Fusion Computing, which has secured IT for Canadian law firms across Toronto, Hamilton, and Metro Vancouver since 2012.
Key takeaways
- A firm can use Claude Cowork on a Team or Enterprise plan with scoped access and a written policy. The confidentiality duty stays with the firm.
- Point Cowork at one matter folder, never the whole document-management system.
- Cowork stores its work locally, so it sits outside your audit logs. For litigation hold and Law Society supervision, you build that record yourself.
- Keep a lawyer signing off on anything client-facing or filed.
Can Ontario law firms use Claude Cowork without breaching confidentiality?
Yes, a firm can use Claude Cowork for client work on a Team or Enterprise plan, with scoped access and a written policy. The Law Society of Ontario duty of confidentiality (Rule 3.3-1) binds the firm, not the software, so the controls around the tool keep the firm onside. On the business plans, your content is not used to train Anthropic’s models by default.
The reason matters. Confidentiality is the firm’s obligation under the Rules of Professional Conduct, and no vendor setting removes it. What a firm controls is the scope: which files the agent can open, which plan governs the data, and who reviews the output.
Get those right and Cowork behaves like a careful junior who never leaves the building with a file. On the plan question, Anthropic’s privacy commitments put the “not trained on by default” promise on the business tiers, which is exactly where a firm’s client work belongs.
It’s the same secure-adoption logic we lay out in the pillar guide on using Claude Cowork securely in your business, applied to a firm’s duties, and it sits alongside our broader IT for law firms work.
What Claude Cowork actually does for a law firm
Claude Cowork completes multi-step document work rather than answering a single question. For a firm, the practical jobs are first-pass document review, organizing a matter folder, building a chronology or index from a disclosure set, drafting correspondence and memos from source materials, and pulling key dates out of documents. Each one is a draft for a lawyer to verify, not a final work product.
Here’s how those jobs map to the day, with the guardrail that keeps each one safe. Fusion Computing walks firms through this table before any pilot, the same way we scope any AI services engagement.
Book a 30-minute call to scope Claude Cowork for your firm safely →
| Task | What Cowork does | The guardrail |
|---|---|---|
| First-pass document review | Reads a matter folder, summarizes, flags clauses and issues | Scope to one matter; a lawyer verifies every finding |
| Matter-file organization | Renames, sorts, and deduplicates documents | One matter folder, never the DMS root |
| Disclosure or discovery synthesis | Builds an index or chronology from a document set | Privilege check before anything is produced |
| Drafting correspondence and memos | Produces a first draft from the source materials | A lawyer edits; nothing client-facing ships unreviewed |
| Deadline and limitation extraction | Pulls dates from documents into a list | Treated as a draft, not the system of record |
The confidentiality and privilege guardrails
The core guardrail is least privilege: point Cowork at one matter folder, not the whole document-management system. Classify what is allowed in (working documents for the active matter) and what is not (privileged communications and client identifiers outside the scoped folder). Keep a human reviewing anything client-facing. Cowork runs in an isolated virtual machine on the lawyer’s computer, but the prompts still reach Anthropic, so scope is the control that limits exposure.
The mistake we flag most often is folder scope. When a firm points the agent at a synced document-management root, a single task can read every client’s file. Scope it to the active matter and most of the risk disappears.
Field note. In the firm pilots I’ve run, the first thing I change is access. I’ve watched a paralegal point a desktop agent at an entire OneDrive that mirrored the DMS. We scoped it to one folder, and the same workflow that felt reckless became routine. The work’s identical; the blast radius isn’t.
The policy work is the other half. A short written rule set, the kind we cover in our guide on what belongs in an AI acceptable use policy, names the approved tool, the data that may go in, and who may run it. Fusion Computing pairs that with the controls in a cybersecurity review so the firm has a defensible position if anyone asks.
The oversight gap that matters for litigation hold and Law Society audits
Claude Cowork stores its conversation history locally on each user’s computer, and that activity is not captured by audit logs, the Compliance API, or data exports. For a law firm this is the sharpest issue: litigation hold and Law Society supervision both assume the firm can reconstruct what happened. Team and Enterprise owners can stream Cowork events to a SIEM through OpenTelemetry, but Anthropic is explicit that this does not replace audit logging for compliance.
According to Anthropic’s guidance on using Cowork on Team and Enterprise plans, the local history “is not subject to Anthropic’s standard data retention policies and cannot be centrally managed or exported by admins.” The Enterprise audit logs that do exist capture metadata, not the content of the work.
That gap doesn’t rule Cowork out. It means a firm has to design supervision in. Fusion Computing wires the OpenTelemetry stream into the same monitoring we run for managed detection and response, so a firm sees tool calls and file access even though the transcript stays on the device.
If a record could be discoverable or subject to a hold, that’s a decision for the lawyer, made before the work starts. The tool won’t keep that record for you, so the firm’s own log is the one that counts.
Plan tier and a setup checklist for a law firm
The plan tier is the first decision: only Team and Enterprise carry the “not trained on by default” commitment and the admin controls a firm needs. From there, a safe rollout is a short checklist: scope to one matter folder, keep the agent in “ask before acting” mode for client files, write a usage policy, turn on OpenTelemetry monitoring, keep a lawyer signing off, and review the vendor terms against Law Society duties.
Cowork is available on Pro, Max, Team, and Enterprise plans per Anthropic’s release notes, but only the two business tiers fit client work. Here’s the checklist Fusion Computing runs with a firm before the first real matter goes near the tool.
Why Canadian firms bring this work to Fusion Computing
CISSP-led, a Microsoft Solutions Partner and a CompTIA Managed Services Trustmark holder, securing IT for Canadian SMBs across Toronto, Hamilton, and Metro Vancouver since 2012.
Get a CISSP-led review of how AI tools reach your client files →
- Choose Team or Enterprise. A lawyer running client matters on a personal Pro or Max account is the first risk to fix.
- Scope to one matter folder. Never the document-management root. Widen only with a reason.
- Default to “ask before acting.” Cowork always asks before deleting files; keep approvals on for client work.
- Write an acceptable use policy. Name the approved tool, the data that may go in, and who may run it.
- Turn on OpenTelemetry monitoring. It’s the only visibility you have into what the agent did.
- Keep a lawyer signing off. Nothing client-facing or filed ships without review.
- Map the terms to your duties. Check Anthropic’s data handling against your Law Society obligations before go-live.
None of it’s exotic, and most of it takes an afternoon. We set it up as part of the managed IT work we already do for firms, and the same pattern carries to accounting firms, wealth management firms, and healthcare clinics under their own regulators. If you want a second set of eyes before your firm pilots Cowork, talk to us or read more about how we work.
Claude Cowork is worth adopting for the document-heavy work that fills a practice. The firms that set the plan, the scope, and the policy first are the ones that’ll use it calmly while their competitors are still arguing about whether it’s allowed.
Fusion Computing helps Canadian businesses across Toronto and the GTA, Hamilton, and Metro Vancouver with managed IT, cybersecurity, and Microsoft 365.
Frequently Asked Questions
Is Claude Cowork confidential enough for client files?
Claude Cowork can handle client files when a firm runs it on a Team or Enterprise plan, scopes access to a single matter folder, and reviews the output. The work runs locally and, on the business plans, is not used to train Anthropic’s models by default. Confidentiality stays the firm’s duty under Law Society rules, so the controls around the tool are what make it safe.
Does using Claude Cowork breach solicitor-client privilege?
Using Claude Cowork does not breach privilege by itself. The risk comes from careless use. Privilege depends on keeping privileged material confidential, so a firm should scope the agent to the documents it needs, keep privileged communications out of unscoped folders, and have a lawyer review anything before it leaves the firm. The tool is a drafting aid, not a store for privileged advice.
What plan does a law firm need for Claude Cowork?
A law firm should use the Team or Enterprise plan, not a personal Pro or Max account. Only the business tiers carry Anthropic’s commitment not to train on your content by default, plus the owner and admin controls a firm needs. A lawyer running client matters on a personal account is the first risk to remediate in any rollout.
Can opposing counsel discover Claude Cowork drafts?
Possibly. A draft created with Claude Cowork is a document like any other, and its discoverability depends on what it is and where it lives, not on the tool. Because Cowork stores its session history locally and outside central audit logs, a firm cannot assume those sessions are captured for a litigation hold. Decide what must be preserved before the work starts.
Want an AI use policy that holds up to your Law Society duties? →
Is Claude Cowork allowed under Law Society rules?
No Law Society rule names Claude Cowork, so the answer depends on how a firm uses it. The duties of confidentiality, competence, and supervision all apply. A firm that scopes access, writes a usage policy, keeps a lawyer reviewing output, and can account for what the tool did is in a defensible position. The obligation sits with the firm, not the vendor.
How is Claude Cowork different from Harvey or CoCounsel?
Harvey and CoCounsel are legal-specific platforms built around legal research and workflows. Claude Cowork is a general agent that works inside your own files and apps on the desktop, using the same engine as Claude Code. For a firm, the practical differences are where the data lives, the admin and audit controls, and whether the tool is purpose-built for legal tasks or general document work.
Does Claude Cowork work on Windows or only Mac?
Claude Cowork works on both macOS and Windows through the Claude desktop app, and it reached general availability on both on April 9, 2026. It is not available on the web or on mobile. Some capabilities, such as computer use, arrived first as research previews, so confirm the current feature list for your platform inside the app.
Who at the firm should run Claude Cowork?
Start with a small group who understand the matter and the confidentiality duty, not the whole firm at once. Cowork is an organization-wide setting that owners can switch on or off, but granular per-user controls are limited, so a deliberate pilot with named users is safer than a broad rollout. Pair it with training and a written policy before wider use.
