Uploading Privileged Information
Currently, there remains a plausible argument that uploading confidential client information or privileged client information would destroy confidentiality and privilege.
[AI, including ChatGPT] can record a single user’s notes on any topic and then summarize that information or search for more details. But if those notes include sensitive data—an organization’s intellectual property or sensitive customer information, for instance—it enters the [platform’s] library. The user no longer has control over the information.
“ChatGPT Confirms Data Breach, Raising Security Concerns,” Security Intelligence, May 2, 2023.
Uploading client information to an AI platform potentially exposes the information to an external third party who has not, depending on the privacy agreement and policies, explicitly agreed to maintain your client’s confidentiality. We know that most AI platforms use all inputted data to improve their algorithms and analytic abilities. Therefore, at least theoretically, you’re allowing third parties to use your client’s information in a way that doesn’t benefit your client and could potentially benefit your client's adversaries. There also remains a remote risk that humans may search a platform’s database and uncover your client’s confidential or privileged information. Grammarly, for example, states that it may, under certain limited circumstances, have its employees review any data you input into its system.
With the proliferation of generative AI platforms such as ChatGPT, Google Bard, Grammarly, Lexis+ AI, and others, you should expect a wide range of privacy protections and controls provided by the offering company. You should never assume that a company has agreed to keep the information confidential or private, has robust security against data breaches, or will not use or sell the information you provide unless you have thoroughly researched the issue with the provider.
Best Practices for Use of Confidential Information and AI
Lawyers are notoriously slow adopters of new technologies, and for good reason. The client protections described above and the repercussions for inadvertent disclosure present a high risk for a population of risk-averse professionals in the legal field. However, you should not shy away from implementing AI. In fact, the model rules of professional conduct require you to keep abreast of this new technology, understand it, and implement it effectively for your client.
At this time, and with the information we currently have on the common generative AI platforms, it's smarter and safer to abstain from uploading confidential client information or privileged documents to these platforms. Instead, consider rewriting or summarizing your questions or arguments in a generic way that could not reasonably be traced back to your client. Take an approach similar to one you would take if you were speaking with another lawyer not involved with your case to obtain advice on an ethical matter. As the model rules state, this is permissible under certain circumstances, so long as you don’t present information in a way that would make your client or your client’s confidential or privileged information identifiable in any way. As always, the most prudent course of action is to educate yourself fully on the risks of use and to obtain informed client consent before you use AI to assist you in representing your clients.
Researching the Technology
Thoroughly look into the company’s history, privacy statements, policies, procedures, and any other relevant information you can find before placing your client’s information in jeopardy. This may include in-person discussions with company representatives before you implement the technology. You should track and log your diligence and self-education in this realm. In the worst-case scenario, you must at least show that you took all reasonable steps to ensure your client’s confidentiality when using any new platform. While this may at first seem burdensome, the time you spend on these tasks will improve your competency and use of AI and provide you with peace of mind and defensibility in any future potential objections to your use of AI technology.
Don’t Forgo Client Consent
Any time a new technology presents a risk, you should strongly consider obtaining your client’s informed consent to use that technology before doing so. If you thoroughly research the technology you plan to use and advise your clients of the benefits and risks, then you provide yourself and your client with the best scenario to determine, collaboratively, how to best proceed with the client representation. This practice aligns with how you should always communicate with clients, regardless of the issue presented: after undertaking your due diligence and research, you should always seek to fully apprise your clients of any substantial risk in your representation strategies.
Contractual Obligations to Clients
Recall that your representation of a client is, at its core, a contractual one. If your client does not expect you to use generative AI in your representation, your client may become upset and feel that you breached your client’s reasonable expectations in the representation. Some people still want a human to do all of the work. Until generative AI becomes more widely known and accepted, this provides another strong reason to obtain informed client consent before using this technology to represent clients.
A Broader Perspective of AI
Looking back to the adoption of cloud-based storage and the risks that this technology imposes may provide us with perspective. In the beginning, lawyers, courts, and clients grappled with the permissibility of its use due to the uncertainty regarding the security of the platforms available. Over time, lawyers and courts have researched the providers available, weighed the risks of breach, taken efforts to educate themselves on the best practices of using cloud-based storage, and have since effectively incorporated it into their practice. Importantly, clients now understand and appreciate the effectiveness of cloud-based storage and expect lawyers to implement it to save resources on their behalf. Clients understand the risks involved and how to work with their lawyers to mitigate those risks.
You should similarly seek to educate your clients on the use of generative AI, the benefits you expect it to provide, and the associated risks. Then, your clients may make an informed decision on whether the potential cost of a data breach or loss of confidential information is worth the benefit in savings that generative AI promises to bring. In the coming years, we will all become comfortable using different forms of AI to further our practice of law, and this level of detail may become unnecessary. However, at this time of transition and relative uncertainty, you should err on the side of caution and proceed mindfully.
Looking to the Future
As a new lawyer, you must embrace new technology and expect to adapt to it continuously throughout your career. Constantly educating yourself on the technology, best practices for its use, and how it works will give you a distinct advantage over lawyers who choose not to embrace it early on. By making yourself an expert on new technology, you not only fulfill your ethical duties and mitigate the risks of disclosing confidential client information but also make yourself a valuable asset to your organization.