# Exfiltration-Only Extortion at Law Firms

> Some 2026 extortion campaigns skip encryption, steal client files, and threaten to leak them. Why backups cannot help and what long-lived protection requires.

[Home](https://rankshieldlegal.com/) / [Blog](https://rankshieldlegal.com/blog/) / Firm Security Breach & extortion
# The Extortion That Skips the Ransomware: Why Backups Do Not Save You From Data Theft
A growing share of extortion campaigns in 2026 no longer bother to encrypt anything. The attacker steals client files, leaves your systems running, and then threatens to publish what was taken unless the firm pays. Backups restore data you still have; they do nothing about data that has already left the building. For a law firm, the leverage is confidentiality itself, which is why this shift changes what a firm should be protecting and how.

By [Jamie Kloncz](https://rankshieldlegal.com/about/), Founder, RankShield ** 20 min read ** Published July 5, 2026

Exfiltration-only extortion is a data-theft attack in which the intruder copies sensitive files out of a firm's environment and then demands payment to keep them from being leaked, without ever encrypting the systems those files came from. Because nothing is locked, backups do not resolve the situation. The harm is disclosure, not the loss of access, and no amount of recovery capability answers a threat to publish. This piece explains how these attacks work, why the wider extortion market is moving toward them, why law firms are a chosen target, and what actually reduces the risk once you accept that prevention can fail.
A note on the figures used below. Several come from cyber-insurance claims data and threat-intelligence reporting rather than from an audited registry of confirmed losses, so they are best read as directional signals about where attacker behavior is heading. That framing is deliberate. The point of the numbers is not a precise total but a clear direction of travel, and each figure is attributed to its source so you can weigh it yourself. The analysis is built on that honest foundation rather than on inflated certainty.

## What is exfiltration-only extortion, and why do backups not help?
Backups answer the question can we get our data back. Exfiltration-only extortion asks a different question entirely: can we stop someone else from publishing the copy they already took. A restore does not touch that second question.
Exfiltration-only extortion, sometimes called encryptionless ransomware or data-theft extortion, describes an attack that steals data and monetizes the theft through a threatened leak, without deploying any encryption payload. The desktops do not lock. There is no ransom splash screen. Systems keep running as if nothing happened. The first sign a firm gets may be a direct message from the attacker naming files they have already taken. The entire model rests on a single point of leverage: the threat to expose confidential material the firm is obligated to protect.
This is precisely the scenario that backups were never designed to solve. Backups answer an availability problem. They exist so that when data is encrypted, corrupted, or deleted, the firm can restore a clean copy and carry on. Exfiltration-only extortion does not create an availability problem. The firm still has every file; the attacker simply has a copy too. Restoring from backup gives you back data you never lost and does nothing to retrieve or neutralize the stolen copy. A perfect backup regime and a perfect exfiltration attack can coexist without contradiction, because they operate on entirely different axes: one is about having your data, the other is about someone else also having it.
That distinction is the whole reason this article exists. For years, the standard answer to ransomware has been recovery: keep tested, offline backups, and you can refuse to pay because you can rebuild. Against a pure data-theft campaign, that answer collapses. The question is no longer whether you can restore, but whether you can survive the disclosure, and for a firm holding privileged client material the answer to that second question is often far less comfortable than the answer to the first.

## How a data-theft-only attack unfolds inside a firm
The quiet is the defining feature. In an encryption-based incident, the damage announces itself: files become unreadable, systems seize, and the firm knows within hours that something is badly wrong. A data-theft-only attack is engineered to avoid that moment. The intruder gains access, moves through the environment locating the most sensitive material, copies it out, and leaves the infrastructure untouched so that normal operations mask the theft. Detection depends on noticing the exfiltration itself rather than on any visible failure, which is a far harder signal to catch.
The access does not have to arrive over the network. Reporting on the Silent Ransom Group, an extortion operation that Halcyon describes as operating purely as a data theft and extortion group with no encryption payload, documented operators physically entering U.S. law firm offices, in some cases posing as IT support, to reach data directly [[1]](#ref-1). Whether the entry is remote or physical, the back half of the attack is the same: identify the crown-jewel files, move them out, and open a negotiation backed by the threat to publish. Halcyon's alert cited a reported extortion demand of twenty million dollars against a single law firm in one May 2026 case, which indicates the scale of leverage these operators believe confidential legal material can command [[1]](#ref-1).
From the firm's perspective, the timeline of realization is inverted compared to a classic ransomware event. Instead of an abrupt outage followed by a recovery effort, there is a period of apparent normality followed, often much later, by contact from the attacker. By the time the firm learns what happened, the data is already gone, and the only remaining variable is whether it gets published. That inversion is why the usual muscle memory built around encryption incidents, which centers on containment and restoration, does not map cleanly onto this threat. For the encryption-based side of the picture, see our companion pieces on the [2026 law firm ransomware wave](https://rankshieldlegal.com/law-firm-ransomware-wave-2026/) and on [law firm data breach and ransomware response](https://rankshieldlegal.com/law-firm-data-breach-ransomware/).
The absence of an outage is not reassurance. In a data-theft-only attack, systems running normally is the intended appearance, not evidence that nothing was taken.

Source: Resilience; Arctic Wolf; Halcyon Download SVG

## Why the wider extortion market is shifting toward stealing without encrypting
This is not an isolated tactic; it is a measurable trend across the extortion economy, and the direction is consistent across independent sources. Cyber-insurer Resilience reported that sixty-five percent of the extortion-related claims it handled in the second half of 2025 did not involve data encryption, up from forty-nine percent in the first half of that year, and that data theft, alone or combined with encryption, made up the large majority of ransomware claims by year end [[2]](#ref-2). Separately, Arctic Wolf found that in roughly twenty-two percent of cases it examined between November 2024 and November 2025, attackers only threatened to expose stolen data rather than encrypt it, compared with about two percent in the prior period [[3]](#ref-3). Read these as directional signals rather than audited totals, but the direction is unmistakable.
The economics behind the shift are straightforward. Encryption is operationally expensive for an attacker. It requires building and maintaining a reliable locker and decryptor, it produces the loud outage that alerts defenders immediately, and it invites the one countermeasure that reliably defeats it, which is a clean backup. Stripping encryption out of the model removes all three burdens at once. There is less to build, the attack stays quiet longer, and the victim's backups become irrelevant to the negotiation. Arctic Wolf noted that some groups have abandoned encryption entirely to focus on exfiltration and extortion in pursuit of better net returns [[3]](#ref-3). When a tactic is cheaper to run, harder to detect, and immune to the defender's best-established control, its growth is not surprising.
There is a defender-side reason the trend is durable as well. A pure exfiltration attack is genuinely harder to investigate after the fact. With no encryption event to anchor a timeline, and with logs that may have aged out or been altered, a firm can struggle to establish what was taken and when. That difficulty works in the attacker's favor during a negotiation, because uncertainty about the scope of the theft makes it harder for the firm to reason confidently about its exposure.
65% Share of extortion-related insurance claims that did not involve data encryption in H2 2025, per insurer Resilience, up from 49% in H1 2025 [2]. Directional claims data, not an audited total.

## Encryption ransomware and exfiltration-only extortion are different problems
Because the two are often filed under the same word, ransomware, it is worth setting them side by side. They share an origin in the same criminal ecosystem and sometimes the same groups, but they attack different things, they are detected differently, and crucially they are defended differently. Treating them as one problem leads firms to over-rely on the control that only addresses half of it. The table below separates the two so the boundaries stay visible.
Dimension Encryption ransomware Exfiltration-only extortion
Primary harm Loss of access to your own data Disclosure of confidential data to others
How you find out Sudden outage, locked systems Quiet, often a later message from the attacker
Does a backup help? Yes, restore and refuse to pay No, you still have the data; so do they
Attacker's leverage Downtime and disruption Threat to publish or sell the stolen files
What defense centers on Recovery speed and clean backups Preventing theft and protecting confidentiality

## Why law firms are a chosen target for pure data theft
A law firm is an unusually rich target for an attack whose only currency is confidentiality, because confidentiality is the firm's core obligation and the material it holds is uniquely sensitive. A single firm concentrates the crown-jewel information of every client it represents: litigation strategy, settlement positions, deal terms, trade secrets, and personal records, all in one environment. For an extortionist selling silence, that concentration is the point. Compromising one firm can yield leverage over many clients at once, and the profession's duty of confidentiality raises the reputational and ethical cost of a leak well above that of a typical corporate breach.
The targeting is not hypothetical. Arctic Wolf's analysis placed law firms among the most-attacked sectors for data-only extortion, alongside manufacturing, schools, financial institutions, and healthcare [[3]](#ref-3). The reporting on the Silent Ransom Group describes a group that has historically prioritized law firms specifically, using data-theft-only extortion rather than encryption [[1]](#ref-1). The common thread is that these operators are not treating firms as generic networks that happen to be reachable. They are treating the confidentiality obligation itself as the pressure point, which is exactly what a pure exfiltration model is built to exploit.
There is a structural reason a law firm feels the squeeze more acutely than most businesses. When a retailer loses card numbers, the cards get reissued and the leverage fades. When a firm loses a client's privileged strategy or a sealed matter file, there is no equivalent reset. The material stays sensitive, the duty to protect it does not lapse, and the client relationship, and potentially the firm's professional standing, are exposed in a way that a technical remediation cannot repair. That mismatch between a permanent obligation and a threat the firm cannot simply restore its way out of is what makes the sector so attractive to this specific tactic.

## Why recovery speed stops being the point and confidentiality becomes it
Against a data-theft attack, time to recovery is the wrong yardstick. The systems never went down. The question that decides the outcome is whether the confidentiality of what was taken can still be protected.
Most incident-response planning is organized around time to recovery. How quickly can systems be restored, how current are the backups, how fast can the firm resume serving clients. Those are the right questions for an availability crisis, and they remain necessary. But against exfiltration-only extortion they answer a problem the firm does not have. There is no downtime to recover from. The systems are fine. The measure that matters is not how fast the firm can get its data back but whether the confidentiality of the stolen data can be protected, and that is a fundamentally different objective.
Reorienting around confidentiality changes what a firm invests in. If the harm is disclosure, then the controls that matter are the ones that make theft harder in the first place and that limit the value of whatever is taken. That means reducing the amount of sensitive data an intruder can reach, watching for the signals of exfiltration rather than only for outages, and ensuring that the most sensitive, longest-lived records carry protection that survives the theft itself. Recovery capability does not disappear from the plan, but it stops being the centerpiece, because it was never the answer to a disclosure threat.
This is an uncomfortable reframe for many firms, because recovery is tangible and measurable in a way that confidentiality protection is not. You can test a restore. It is harder to prove that a stolen file remains protected. But the discomfort does not change the underlying logic: when an attacker's entire business model is exposure, the firm's defense has to be built around preventing and devaluing exposure, not around a recovery capability the attacker has deliberately made irrelevant.

## Controls that actually reduce exfiltration risk
Because prevention can fail, the honest posture is an assume-breach one: build so that a determined intruder finds less to take, has a harder time moving it, and gains less from whatever they manage to steal. None of the steps below is exotic, and none is a product you can buy once and forget. They are organizational and architectural decisions that shrink the exfiltration surface and improve the odds of noticing theft while it is happening. Sequenced roughly from limiting what an attacker can reach to protecting the data that matters most, they form a coherent response to a threat whose only aim is disclosure.

- **Limit what any one account or session can reach** Least-privilege access means an intruder who compromises a single account or workstation cannot sweep the entire matter archive. Combined with network segmentation, it turns a firm-wide theft into a contained one, reducing the volume of sensitive data reachable from any single foothold.
- **Watch for the exfiltration itself, not just for outages** Because a data-theft attack produces no visible failure, detection depends on monitoring for large or unusual outbound transfers and data-loss-prevention signals. Treat abnormal egress as an incident indicator in its own right, since it may be the only sign an attack is underway.
- **Raise the cost of the initial foothold** Multi-factor authentication, phishing-resistant where feasible, and hardened remote access make the first step harder to take. This does not stop a physical intruder at a reception desk, but it closes the common remote paths these campaigns rely on.
- **Treat the physical office as part of the attack surface** Where operators enter offices in person, visitor management, badge discipline, screen locks, and after-hours access logs become security controls, not office housekeeping. Decide at the governance level that the building is inside the security boundary [[1]](#ref-1).
- **Forward-secure the longest-lived confidential records** For the files that must stay confidential for years or decades, add protection that survives the theft, so that stolen-and-stored data cannot be quietly decrypted later. This is where [post-quantum, long-lived protection](https://rankshieldlegal.com/quantum-safe-law-firms/) stops being theoretical and becomes a duty-of-care question for archives that never go stale.

## Harvest now, decrypt later: why stolen-and-stored legal files are the sharp case
A data-theft attack does not end when the files leave the building. The attacker can simply store what was taken. That storage sets up a quantum-era problem known as harvest now, decrypt later: encrypted data stolen today can be held cheaply and decrypted in a future era when quantum computers can break the public-key cryptography that protected it. This is an anticipatory risk, not a present-day decryption event. Nobody is claiming that today's stolen archives are being read today. The claim is narrower and defensible: the decision to hold the data has already been made in the attacker's favor, because storage is nearly free and, for the right file, the payoff does not expire.
What makes legal the sharp case is duration, not drama. For a sector whose data goes stale in months, the harvest-now calculus rarely pays off, because the window closes before decryption becomes feasible. For files that must stay confidential for decades, privileged matters, intellectual-property portfolios, sealed records, the window never closes. That is the entire argument, and it does not depend on predicting when large-scale quantum decryption arrives. The honest way to describe post-quantum protection here is quantum-safe rather than quantum-proof: it forward-secures long-lived data against the anticipated threat and raises the cost to an attacker, without pretending to be an unbreakable guarantee.
Exfiltration-only extortion sharpens this risk precisely because it is built around taking and keeping data rather than locking it. A group whose model is to hold stolen material and threaten disclosure over time is, by construction, in the business of long-term storage. For a law firm's most sensitive and longest-retained records, that turns harvest now, decrypt later from an abstract cryptographic concern into a direct extension of the same disclosure threat, just projected further into the future.
Anticipatory, not active. Harvest now, decrypt later is a reason to forward-secure long-lived data today, not a claim that stolen files are being decrypted now. Quantum-safe describes raising the cost, not an unbreakable guarantee.

## What a verifiable, long-lived protection layer adds, and what it does not
Precision about scope matters here, because the wrong expectation is worse than none. A verifiable protection layer does not stop exfiltration. It does not detect the intruder moving data out, it does not replace least-privilege access, data-loss-prevention monitoring, or physical controls, and it is not a substitute for professional incident response. Anyone positioning such a layer as a way to prevent data theft is describing something it is not. RankShield Legal is explicitly the layer that assumes theft can happen and focuses on the records that must stay confidential the longest, sealing them with a verifiable, post-quantum protection so that stolen-and-stored copies are far harder to quietly decrypt later.
The value of that layer is specific to the harvest-now problem rather than to the moment of theft. If an attacker's model is to hold stolen files and extract value over years, then forward-securing the most sensitive, longest-lived records changes what a stored copy is worth to them over time. It does not undo the disclosure threat that exists today, and it does not help with data that was never sensitive for long. It targets the narrow but serious case where a firm's obligation runs for decades and the attacker's storage horizon runs just as long. To be transparent about status, the quantum-safe legal vault described here is in development, not a shipped product, and it should be evaluated as a roadmap capability rather than as something available today.
Positioned honestly, then, the layer is one part of the assume-breach posture, not the whole of it. The controls that reduce exfiltration risk in the first place do the heavy lifting against the immediate threat. A long-lived protection layer addresses the tail of the problem, the stored copy that outlives the incident, for the subset of records where that tail actually matters.

## A measured way to read this shift
The direction of travel is clear enough to act on without overstating it. Independent insurance and threat-intelligence sources show extortion moving toward data theft and away from encryption, and law firms sitting among the most-targeted sectors for that model [[1]](#ref-1) [[2]](#ref-2) [[3]](#ref-3). The right conclusion is not panic or a single rushed purchase. It is a recognition that the standard ransomware answer, tested backups and fast recovery, addresses only half of the current threat, and that the other half, disclosure of confidential client material, needs its own set of controls, as part of a broader approach to [law firm cybersecurity](https://rankshieldlegal.com/law-firm-cybersecurity/).
For most firms, the practical starting point is to accept that prevention can fail and to build accordingly: limit what any intrusion can reach, watch for the theft itself rather than only for outages, keep the core defenses that no evidence or protection layer replaces, and give the longest-lived confidential records protection that survives being stolen. Those steps are durable regardless of which group is active this quarter or which specific figure turns out to be highest, because they respond to the structure of the threat rather than to any one campaign.
This article is general information about a shift in attacker behavior affecting the legal sector, written from a security and engineering perspective. The author is not an attorney, and nothing here is legal advice, security consulting, or a recommendation tailored to any specific firm. The figures cited are directional threat-intelligence and insurance-claims data rather than audited totals, and the appropriate response depends on your firm's size, systems, obligations, and jurisdiction. Treat what follows as a starting point for a conversation with qualified security and legal professionals who can assess your particular environment, not as a substitute for that assessment.

Test yourself
## Data-theft extortion self-test
Three questions on why backups do not answer a threat to publish stolen files.

- 1 Why do backups not resolve an exfiltration-only extortion attack? The backups are usually encrypted too The harm is disclosure, not loss of access Restoring is too slow to matter **Answer:** The harm is disclosure, not loss of access Backups answer an availability problem. In a data-theft attack nothing is locked, so the firm still has every file while the attacker holds a copy, and a restore does nothing about the threat to publish.
- 2 What share of extortion-related insurance claims did not involve encryption in the second half of 2025? 49% 65% 22% **Answer:** 65% Insurer Resilience reported 65% of extortion-related claims in H2 2025 did not involve encryption, up from 49% in H1 2025, read as directional claims data.
- 3 Is harvest now, decrypt later a present-day decryption event or an anticipatory risk? A present-day event happening now An anticipatory risk A myth with no basis **Answer:** An anticipatory risk No one claims stolen archives are being read today. The risk is anticipatory: storage is cheap and, for long-lived legal records, the payoff does not expire.
Honest self-check. There is no sign-up, and nothing is stored.

Questions answered
## Straight answers to the common questions
The questions readers ask about this topic, answered directly. **No forms, no sales pitch.**

JAMIE KLONCZ · SEO AGENCY NAPLES ************** ONLINE
Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.

← PREV NEXT → [REQUEST ACCESS →](https://rankshieldlegal.com/contact/)

- **What is exfiltration-only extortion?** It is a data-theft attack in which an intruder copies sensitive files out of an organization and then demands payment to keep from publishing or selling them, without encrypting any systems. It is sometimes called encryptionless ransomware or data-only extortion. The desktops do not lock, there is no ransom splash screen, and systems keep running normally, which is intentional: the quiet lets the theft go unnoticed longer. The only source of leverage is the threat to expose confidential data. For a law firm, that leverage is unusually strong, because the stolen material is client information the firm is professionally obligated to keep confidential, and disclosure carries reputational and ethical costs beyond a typical breach.
- **Why do backups not protect against data-theft extortion?** Backups solve an availability problem. They let you restore data that was encrypted, corrupted, or deleted so you can resume operations. Exfiltration-only extortion does not create an availability problem, because nothing is encrypted or destroyed. The firm still has every file; the attacker simply has a copy as well. Restoring from backup returns data you never lost and does nothing to retrieve or neutralize the stolen copy or to remove the threat of publication. A firm can have flawless, tested backups and still be fully exposed to a data-theft attack, because the harm is disclosure, not loss of access, and recovery does not touch disclosure.
- **Is encryptionless extortion actually increasing?** Independent sources point the same direction, though the figures are best read as directional rather than audited. Cyber-insurer Resilience reported that sixty-five percent of the extortion-related claims it handled in the second half of 2025 did not involve encryption, up from forty-nine percent in the first half. Arctic Wolf found that data-only extortion rose to roughly twenty-two percent of the cases it examined between November 2024 and November 2025, from about two percent in the prior period. The economics explain the trend: skipping encryption is cheaper for attackers to run, quieter and harder to detect, and it sidesteps the one control, clean backups, that reliably defeats encryption-based ransomware.
- **Why are law firms targeted for pure data theft?** A single firm concentrates the most sensitive information of every client it serves, including litigation strategy, settlement positions, deal terms, trade secrets, and personal records. For an extortionist whose only currency is confidentiality, that concentration is the attraction, because one intrusion can yield leverage over many clients at once. The profession's duty of confidentiality also raises the cost of a leak well above a typical corporate breach. Reporting places law firms among the most-targeted sectors for data-only extortion, and at least one group is described as historically prioritizing law firms specifically, using data-theft-only extortion rather than encryption. The obligation the firm carries is exactly the pressure point the tactic exploits.
- **What does harvest now, decrypt later mean for stolen legal files?** It describes an anticipatory risk, not a present-day event. An attacker who steals encrypted data today can store it cheaply and attempt to decrypt it later, if and when the cryptography protecting it becomes breakable by future quantum computers. For most industries the data goes stale before that matters, so the risk is bounded. For legal files that must stay confidential for decades, the window never closes, so the risk is not bounded. Exfiltration-only groups, whose model is to hold stolen data and extort over time, are already in the business of long-term storage. Post-quantum protection is best described as quantum-safe rather than quantum-proof: it forward-secures long-lived records without claiming to be unbreakable.
- **Does RankShield stop data from being exfiltrated?** No. RankShield Legal does not prevent exfiltration and is not a data-loss-prevention product or an incident-response service. It does not detect an intruder moving data out or replace least-privilege access, egress monitoring, or physical controls. Its focus is narrower: a verifiable, post-quantum protection layer for the records that must stay confidential the longest, so that stolen-and-stored copies are far harder to quietly decrypt later. That addresses the harvest-now, decrypt-later tail of the problem, not the moment of theft. To be transparent, the quantum-safe legal vault described here is in development rather than a shipped product, and it should be evaluated as a roadmap capability, one part of an assume-breach posture and not a substitute for prevention.
- **Is this article legal or security advice for my firm?** No. This is general information about a shift in attacker behavior affecting the legal sector, written from a security and engineering perspective rather than a legal one. The author is not an attorney, and nothing here is legal advice, security consulting, or a recommendation tailored to any specific firm. The figures cited are directional threat-intelligence and insurance-claims data, not audited totals, and the right response depends on your firm's size, systems, obligations, and jurisdiction. Treat the trends and controls described here as a starting point for a conversation with qualified security and legal professionals who can assess your particular environment, not as a replacement for that assessment.

## References

- Halcyon. An old tactic returns: Silent Ransom Group's active use of physical intrusion against U.S. law firms. 2026-06-11. [https://www.halcyon.ai/ransomware-alerts/an-old-tactic-returns-silent-ransom-groups-active-use-of-physical-intrusion-against-u-s-law-firms](https://www.halcyon.ai/ransomware-alerts/an-old-tactic-returns-silent-ransom-groups-active-use-of-physical-intrusion-against-u-s-law-firms)
- Infosecurity Magazine. Extortion-only attacks increase, with data theft dominating ransomware claims. 2026-06-11. [https://www.infosecurity-magazine.com/news/extortion-only-attacks-surge/](https://www.infosecurity-magazine.com/news/extortion-only-attacks-surge/)
- Cybersecurity Dive. Data-only extortion grows as ransomware gangs seek better profits. 2026-02-17. [https://www.cybersecuritydive.com/news/ransomware-extortion-bec-arctic-wolf/812321/](https://www.cybersecuritydive.com/news/ransomware-extortion-bec-arctic-wolf/812321/)

Written by
## [Jamie Kloncz](https://rankshieldlegal.com/about/)
Founder, RankShield
Jamie Kloncz is the founder of RankShield, the verifiable AI and quantum security platform behind RankShield Legal. An engineer by training, he built RankShield after his own devices and business were attacked, including an AI voice-cloning scam that targeted his family, on one conviction: unverifiable security is the real danger, so every consequential action should leave a receipt anyone can independently check.
[More about Jamie →](https://rankshieldlegal.com/about/)

Try it · Free
## Check a citation against live case-law
Paste a citation from an AI-drafted brief and see whether the case actually exists, resolved against live case-law. Free, no sign-up. Then request early access to certify a full filing.
[Try the citation checker](https://rankshieldlegal.com/ai-legal-citation-checker/)

Keep reading
## Related guides
[Firm Security Outside counsel guidelines are adding AI clauses: what clients now demand Read guide →](https://rankshieldlegal.com/blog/outside-counsel-guidelines-ai-clauses/)[Firm Security How to Verify a Legal AI Vendor's "We Don't Train on Your Data" Claim Read guide →](https://rankshieldlegal.com/blog/verify-legal-ai-vendor-no-training-claim/)[Firm Security How to vet a legal AI vendor: the security questionnaire that protects clients Read guide →](https://rankshieldlegal.com/blog/vet-legal-ai-vendor-security-questionnaire/)
