Generative AI & a lawyer’s duty of confidentiality.

Okay.  Having shared my opinion that Generative AI doesn’t require us to amend the Rules of Professional Conduct and that misconduct is more appropriately attributed to users than to the technology, it’s time to move on to addressing the professional duties most likely to be implicated by a legal professional’s use of GAI. Today, I post to address the duty of confidentiality.

Let’s start here: the duty of competence includes a duty to understand “the benefits and risks associated with relevant technology.”[1] GAI is relevant technology. As such, a lawyer must understand its benefits and risks. One risk is that a legal professional might improperly disclose confidential information when using GAI. 

Next, V.R.Pr.C. 1.6 is the confidentiality rule.  Paragraph (a) states:

  • “(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation, or the disclosure is required by paragraph (b) or permitted by paragraph (c).”[2]

The rule goes on:

  • “(d) A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”[3]

Finally, Comment [18] makes clear that “a lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.”[4] That is, read together, Rules 1.1 and 1.6 impose a duty to act competently to safeguard client information.

So, what are the confidentiality risks associated with the use of GAI?  This post shouldn’t be viewed as exhaustive.  Rather, I’ll share a few of the more common risks.

In Ethics Opinion 388, the DC Bar made a statement that I find helpful:

  • “Lawyers . . . should understand that many GAI products currently on the market are specifically designed to collect and use information received from users—which may include client confidences and secrets—for the GAI’s own training and for transmission to future users of the technology.”

To avoid disclosing a client’s confidences, the opinion suggests asking two questions:

  • “Will information I provide to the GAI be visible to the GAI provider or other strangers to the attorney-client relationship?”
  • “Will my interactions with the GAI affect answers that later users of the GAI will get in a way that could reveal information I provided to the GAI?”

The opinion advises:

  • “From the perspective of confidentiality, an affirmative answer to the first is at least a red flag but, perhaps, one that can be resolved after a negotiation with the GAI provider (or an upgrade to a paid product with better terms) to improve the data security and prevent third party access. An affirmative answer to the second might be more challenging to resolve. A lawyer should be reasonably satisfied that her interaction with the GAI will not reveal Client Confidential Information to future users of the GAI. If the lawyer is not so satisfied, she should not reveal Client Confidential Information to the GAI or should not use the GAI.”  (internal citation omitted).

For more detail, check out the opinion.

Other bars have highlighted confidentiality concerns associated with a legal professional’s use of GAI.

For instance, in Opinion 24-1, the Florida Bar advised that the considerations outlined in prior advisory opinions related to a lawyer’s use of cloud storage “are equally applicable to a lawyer’s use of third-party generative AI when dealing with confidential information.”  That is, a lawyer should understand, among other things, whether the GAI product provider:

  • has an enforceable obligation to maintain the confidentiality of information a lawyer shares or inputs;
  • will inform the lawyer if the provider’s security is breached; and,
  • will keep the information submitted by the lawyer even after the lawyer stops using the product.

In other words, whatever GAI tool you use, understand the terms of service.

The California State Bar has also weighed in.  Last year, its Standing Committee on Professional Responsibility and Conduct released Practical Guidance For The Use Of Generative Artificial Intelligence In The Practice Of Law. With respect to the duty of confidentiality, the California committee:

  • advised against inputting confidential information “into any generative AI solution that lacks adequate confidentiality and security protections;”
  • recommended consulting “with IT professionals or cybersecurity experts to ensure that any AI system in which a lawyer would input confidential client information adheres to stringent security, confidentiality, and data retention protocols;”
  • urged lawyers to investigate whether and how a GAI product will share information that the lawyer or lawyer’s associate or assistant inputs; and,
  • suggested ensuring “that the provider does not share inputted information with third parties or utilize the information for its own use in any manner, including to train or improve its product.”

Finally, earlier this year, the New York State Bar Association’s Task Force on Artificial Intelligence released its Report & Recommendations. With respect to confidentiality, the Task Force’s recommended guidelines for a legal professional’s use of AI “tools” are:

  • “When using the Tools, you must take precautions to protect sensitive client data and ensure that no Tool compromises confidentiality. Even if your client gives informed consent for you to input confidential information into a Tool, you should obtain assurance that the Tool provider will protect your client’s confidential information and will keep each of your client’s confidential information segregated. Further, you should periodically monitor the Tool provider to learn about any changes that might compromise confidential information.”

In sum, a legal professional should understand that there are confidentiality concerns associated with the use of GAI.  Those concerns do not create an absolute barrier to using GAI.  However, when using GAI, a lawyer must not otherwise violate Rule 1.6, whether by revealing information without the client’s informed consent or by disclosing information that is not impliedly authorized to be disclosed to carry out the representation.

In other words, as I’ve suggested with technologies that burst onto the scene in years past, a lawyer has a duty to take reasonable precautions to protect against the inadvertent disclosure of or unauthorized access to information relating to the representation of a client.

As always, let’s be careful out there.


[1] See, V.R.Pr.C. 1.1, Cmt. [8].

[2] Paragraphs (b) and (c) are not relevant to this discussion. So, I’ll focus on the prohibition against revealing confidential information absent a client’s informed consent or unless disclosure is impliedly authorized to carry out the representation.

[3] Comments 18 and 19 are instructive and I suggest reviewing them if you’re interested in an explanation of the rule’s purpose.

[4] Also citing to V.R.Pr.C. 1.1 (Competence), V.R.Pr.C. 5.1 (Responsibilities of Supervisor), and V.R.Pr.C. 5.3 (Responsibilities Regarding Non-Lawyer Assistants).
