MTC: London's iPhone Theft Crisis: Critical Mobile Device Security Lessons for Traveling Lawyers 📱⚖️

/ The Tech-Savvy Lawyer.Page/

lawyers can learn about cyber mobile security from the recent iphone thefts in london

Recent events in London should serve as a wake-up call for every legal professional who carries client data beyond the office walls. London police recently dismantled a sophisticated international theft ring responsible for smuggling approximately 40,000 stolen iPhones to China in just twelve months. This operation revealed thieves earning up to £300 per stolen device, with phones reselling overseas for as much as $5,000. With over 80,000 phones stolen in London last year alone, this crisis underscores critical vulnerabilities that lawyers must address when working remotely.

The sophistication of these operations is alarming. Criminals on electric bikes snatch phones from unsuspecting victims and immediately wrap devices in aluminum foil to block tracking signals. This industrial-scale crime demonstrates that our mobile devices—which contain privileged communications, case strategies, and confidential client data—are valuable targets for organized criminal networks operating globally.

Your Ethical Obligations Are Clear

ABA Model Rule 1.1 requires lawyers to maintain competence, including understanding "the benefits and risks associated with relevant technology". This duty of technological competence has been adopted by over 40 states and isn't optional—it's fundamental to ethical practice. Model Rule 1.6(c) mandates that lawyers "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client".

When your phone disappears—whether through theft, loss, or border seizure—you face potential violations of these ethical duties. Recent data shows U.S. Customs and Border Protection searched 14,899 devices between April and June 2025, a 16.7% increase from previous surges. Lawyers traveling internationally face heightened risks, and a stolen or searched device can compromise attorney-client privilege instantly.

Essential Security Measures for Mobile Lawyers

Before leaving your office, implement these non-negotiable protections. Enable full-device encryption on all smartphones, tablets, and laptops. For iPhones, setting a passcode automatically enables encryption; Android users must manually activate this feature in security settings. Strong passwords matter—use alphanumeric combinations of at least 12 characters, avoiding easily guessed patterns.

lawyer need to know how to protect their client’s pii when crossing the boarder!

Two-factor authentication (2FA) adds critical protection layers. Even if someone obtains your password, 2FA requires secondary verification through your phone or authentication app. This simple step dramatically reduces unauthorized access risks. Configure remote wipe capabilities before traveling. If your device is stolen, you can erase all data remotely, protecting client information even when physical recovery is impossible.

Disable biometric authentication when traveling internationally. Face ID and fingerprint scanners can be used against you at borders where Fourth Amendment protections are diminished. Restart your device before crossing borders to force password-only access. Consider carrying a "clean" device for international travel, accessing files only through encrypted cloud storage rather than storing sensitive data locally.

Coffee Shops, Airports, and Public Spaces

Public Wi-Fi networks pose serious interception risks. Hackers create fake hotspots with legitimate-sounding names, capturing everything you transmit. As lawyers increasingly embrace cloud-based computing for their work, encryption when using public Wi-Fi becomes non-negotiable

Always use a trusted VPN (Virtual Private Network) when connecting to public networks. VPNs encrypt your internet traffic, preventing interception even on compromised networks. Alternatively, use your smartphone's personal hotspot rather than connecting to public Wi-Fi. Turn off file sharing on all mobile devices. Avoid accessing highly sensitive client files in public spaces altogether—save detailed case work for secure, private connections.

Physical security deserves equal attention. Visual privacy screens prevent shoulder surfing. Position yourself with your back to walls in coffee shops so others cannot observe your screen. Be alert to your surroundings and maintain physical control of devices at all times. Never leave laptops, tablets, or phones unattended, even briefly.

Border Crossings and International Travel

Lawyers crossing international borders face unique challenges. CBP policies permit extensive device searches within 100 miles of borders under the border search exception, significantly reducing Fourth Amendment protections. New York State Bar Association Ethics Opinion 2017-5 addresses lawyers' duties when traveling with client data across borders.

The reasonableness standard governs your obligations. Evaluate whether you truly need to bring confidential information across borders. If travel requires client data, bring only materials professionally necessary for your specific purpose. Consider these strategies: store files in encrypted cloud services rather than locally; use strong passwords and disable biometric authentication; carry your bar card to identify yourself as an attorney if questioned; identify which files contain privileged information before reaching the border.

If border agents demand device access, clearly state that you are an attorney and the device contains privileged client communications. Ask whether the request is optional or mandatory. If agents conduct a search, document what occurred and consider whether client notification is required under Rule 1.4. New York Rule 1.6 requires taking reasonable steps to prevent unauthorized disclosure, with heightened precautions necessary when government agencies are opposing parties.

Practical Implementation Today

Create firm policies addressing mobile device security. Require immediate reporting of lost or stolen devices. Implement Mobile Device Management (MDM) software to monitor, secure, and remotely wipe all connected devices. Conduct regular security awareness training covering email practices, phishing recognition, and social engineering tactics.

Develop an Incident Response Plan before breaches occur. Know which experts to contact, document cybersecurity policies, and establish notification protocols. Under various state laws and regulations like California Civil Code § 1.798.82 and HIPAA's Breach Notification Rule, lawyers may be legally required to notify clients of data breaches.

Lawyers are on the front line of cybersecurity when on the go!

Communicate with clients about security measures. Obtain informed consent regarding electronic communications and any security limitations. Some firms include these discussions in engagement letters, setting clear expectations about communication methods and encryption use.

Stay current with evolving threats. Subscribe to legal technology security bulletins. The Tech-Savvy Lawyer blog regularly covers mobile security issues, including recent coverage of the SlopAds malware campaign that compromised 224 Android applications on Google Play Store. Technology competence requires ongoing learning as threats and safeguards evolve.

The Bottom Line

The London iPhone theft crisis demonstrates that our devices are valuable targets for sophisticated criminal networks operating internationally. Every lawyer who works outside the office—whether at coffee shops, client meetings, or international destinations—must take mobile security seriously. Your ethical obligations under Model Rules 1.1 and 1.6 demand it. Your clients' confidential information depends on it. Your professional reputation requires it.

Implementing these security measures isn't complicated or expensive. Enable encryption. Use strong passwords and 2FA. Avoid public Wi-Fi or use VPNs. Disable biometrics when traveling. Maintain physical control of devices. These straightforward steps significantly reduce risks while allowing you to work effectively from anywhere.

The legal profession has embraced mobile technology's benefits—now we must address its risks with equal commitment. Don't wait for a theft, loss, or border seizure to prompt action. Protect your clients' confidential information today.

MTC

📖 Word of the Week: The Meaning of “Data Governance” and the Modern Law Practice - Your Essential Guide for 2025

/ The Tech-Savvy Lawyer.Page/

Understanding Data Governance: A Lawyer's Blueprint for Protecting Client Information and Meeting Ethical Obligations

Lawyers need to know about “DAta governance” and how it affects their practice of law.

Data governance has emerged as one of the most critical responsibilities facing legal professionals today. The digital transformation of legal practice brings tremendous efficiency gains but also creates significant risks to client confidentiality and attorney ethical obligations. Every email sent, document stored, and case file managed represents a potential vulnerability that requires careful oversight.

What Data Governance Means for Lawyers

Data governance encompasses the policies, procedures, and practices that ensure information is managed consistently and reliably throughout its lifecycle. For legal professionals, this means establishing clear frameworks for how client information is collected, stored, accessed, shared, retained, and ultimately deleted. The goal is straightforward: protect sensitive client data while maintaining the accessibility needed for effective representation.

The framework defines who can take which actions with specific data assets. It establishes ownership and stewardship responsibilities. It classifies information by sensitivity and criticality. Most importantly for attorneys, it ensures compliance with ethical rules while supporting operational efficiency.

The Ethical Imperative Under ABA Model Rules

The American Bar Association Model Rules of Professional Conduct create clear mandates for lawyers regarding technology and data management. These obligations serve as an excellent source of guidance regardless of whether your state has formally adopted specific technology competence requirements. BUT REMEMBER ALWAYS FOLLOW YOUR STATE’S ETHIC’S RULES FIRST!

Model Rule 1.1 addresses competence and was amended in 2012 to explicitly include technological competence. Comment 8 now requires lawyers to "keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology". This means attorneys must understand the data systems they use for client representation. Ignorance of technology is no longer acceptable.

Model Rule 1.6 governs confidentiality of information. The rule requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client". Comment 18 specifically addresses the need to safeguard information against unauthorized access by third parties. This creates a direct ethical obligation to implement appropriate data security measures.

Model Rule 5.3 addresses responsibilities regarding nonlawyer assistants. This rule extends to technology vendors and service providers who handle client data. Lawyers must ensure that third-party vendors comply with the same ethical obligations that bind attorneys. This requires due diligence when selecting cloud storage providers, practice management software, and artificial intelligence tools.

The High Cost of Data Governance Failures

lawyers need to know the multiple facets of data Governance

Law firms face average data breach costs of $5.08 million. These financial losses pale in comparison to the reputational damage and loss of client trust that follows a security incident. A single breach can expose trade secrets, privileged communications, and personally identifiable information.

The consequences extend beyond monetary damages. Ethical violations can result in disciplinary action. Inadequate data security arguably constitutes a failure to fulfill the duty of confidentiality under Rule 1.6. Some jurisdictions have issued ethics opinions requiring attorneys to notify clients of breaches resulting from lawyer negligence.

Recent guidance from state bars emphasizes that lawyers must self-report breaches involving client data exposure. The ABA's Formal Opinion 483 addresses data breach obligations directly. The opinion confirms that lawyers have duties under Rules 1.1, 1.4, 1.6, 5.1, and 5.3 related to cybersecurity.

Building Your Data Governance Framework

Implementing effective data governance requires systematic planning and execution. The process begins with understanding your current data landscape.

Step One: Conduct a Data Inventory

Identify all data assets within your practice. Catalog their sources, types, formats, and locations. Map how data flows through your firm from creation to disposal. This inventory reveals where client information resides and who has access to it.

Step Two: Classify Your Data

Not all information requires the same level of protection. Establish a classification system based on sensitivity and confidentiality. Many firms use four levels: public, internal, confidential, and restricted.

Privileged attorney-client communications require the highest protection level. Publicly filed documents may still be confidential under Rule 1.6, contrary to common misconception. Client identity itself often qualifies as protected information.

Step Three: Define Access Controls

Implement role-based access controls that limit data exposure. Apply the principle of least privilege—users should access only information necessary for their specific responsibilities. Multi-factor authentication adds essential security for sensitive systems.

Step Four: Establish Policies and Procedures

Document clear policies governing data handling. Address encryption requirements for data at rest and in transit. Set retention schedules that balance legal obligations with security concerns. Create incident response plans for potential breaches.

Step Five: Train Your Team

The human element represents the greatest security vulnerability. Sixty-eight percent of data breaches involve human error. Regular training ensures staff understand their responsibilities and can recognize threats. Training should cover phishing awareness, password security, and proper data handling procedures.

Step Six: Monitor and Audit

Continuous oversight maintains governance effectiveness. Regular audits identify vulnerabilities before they become breaches. Review access logs for unusual activity. Update policies as technology and regulations evolve.

Special Considerations for Artificial Intelligence

The rise of generative AI tools creates new data governance challenges. ABA Formal Opinion 512 specifically addresses AI use in legal practice. Lawyers must understand whether AI systems are "self-learning" and use client data for training.

Many consumer AI platforms retain and learn from user inputs. Uploading confidential client information to ChatGPT or similar tools may constitute an ethical violation. Even AI tools marketed to law firms require careful vetting.

Before using any AI system with client data, obtain informed consent. Boilerplate language in engagement letters is insufficient. Clients need clear explanations of how their information will be used and what risks exist.

Vendor Management and Third-Party Risk

Lawyers cannot delegate their ethical obligations to technology vendors. Rule 5.3 requires reasonable efforts to ensure nonlawyer assistants comply with professional obligations. This extends to cloud storage providers, case management platforms, and cybersecurity consultants.

Before engaging any vendor handling client data, conduct thorough due diligence. Verify the vendor maintains appropriate security certifications like SOC 2, ISO 27001, or HIPAA compliance. Review vendor contracts to ensure adequate data protection provisions. Understand where data will be stored and who will have access.

The Path Forward

lawyers need to advocate data governance for their clients!

Data governance is not optional for modern legal practice. It represents a fundamental ethical obligation under multiple Model Rules. Client trust depends on proper data stewardship.

Begin with a realistic assessment of your current practices. Identify gaps between your current state and ethical requirements. Develop policies that address your specific risks and practice areas. Implement controls systematically rather than attempting wholesale transformation overnight.

Remember that data governance is an ongoing process requiring continuous attention. Technology evolves. Threats change. Regulations expand. Your governance framework must adapt accordingly.

The investment in proper data governance protects your clients, your practice, and your professional reputation. More importantly, it fulfills your fundamental ethical duty to safeguard client confidences in an increasingly digital world.

🎙️ Ep. 123: Former Federal Prosecutor Reveals How AI Levels the Playing Field in Criminal Defense 🎙️⚖️🤖

/ The Tech-Savvy Lawyer.Page/

My next guest is Lance Kennedy. Lance is a former federal prosecutor who now operates a tech forward criminal defense practice in Texas. He combines his prosecutorial experience with cutting edge AI and automation tools to compete against well-resourced government teams, helping criminal defense attorneys leverage technology for data analytics, digital forensics, and case management across both federal and state courts.

Join Lance Kennedy and me as we discuss the following three questions and more! 🎯

  1. What are the top three ways criminal defense attorneys can leverage technology to level the playing field against well-resourced prosecution teams? And how has your prosecutorial experience informed your approach to implementing these tools?

  2. With your experience handling both federal cases and state Texas matters, what are the top three technological tools or approaches that criminal defense attorneys should prioritize differently when managing federal cases versus state cases? And how can technology help attorneys navigate the distinct procedural and evidentiary challenges of each system?

  3. What are the top three ethical and practical considerations criminal defense attorneys must address when implementing AI tools in their practice? And how can lawyers ensure they maintain the 'human in the loop' while maximizing AI's benefits for client representation?

In our conversation, we cover the following ⏱️

00:00:00 - Introduction

00:01:00 - Guest's Current Tech Setup

00:05:00 - Top Three Ways Criminal Defense Attorneys Can Leverage Technology

00:08:00 - Federal vs State Technology Tools and Approaches

00:10:00 - Top Three Tech Tools Better Than Government Systems

00:13:00 - Data Privacy and PII Protection in AI Tools

00:14:00 - Ethical and Practical Considerations for AI Implementation

00:16:00 - Where to Find Lance Kennedy

RESOURCES 📚

Connect with Lance Kennedy 🤝

Mentioned in the Episode 💡

Hardware Mentioned in the Conversation 💻

Software & Cloud Services Mentioned in the Conversation ☁️

TRANSCRIPT

Introduction

Michael D.J. Eisenberg: Episode 123 former federal prosecutor reveals how AI levels the playing field in criminal defense.

My next guest is Lance Kennedy. Lance is a former federal prosecutor who now operates a tech forward criminal defense practice in Texas. He combines his prosecutorial experience with cutting edge AI and automation tools to compete against well-resourced government teams, helping criminal defense attorneys leverage technology for data analytics, digital forensics, and case management across both federal and state courts.

All this and more, enjoy.

AD# 1: Consider Giving The Tech-Savvy Lawyer.Page Podcast A Five-Star ⭐️ Review!

Michael D.J. Eisenberg: Have you been enjoying the Tech Savvy lawyer.page podcast? Consider giving us a five star review on Apple Podcasts or wherever you get your podcast feeds.

Lance, welcome to the podcast. Thanks for having me on. I appreciate you being here. [00:01:00] And to get things started, please tell us what your current tech setup is.

Our Guest's Current Tech Setup!

Lance Kennedy: Well, you know, it really has evolved since I started my practice, but currently I do have, a MacBook Pro that I use kind of as my normative computer.

I do use Mac almost exclusively along with a dual sim. iPhone 17 Pro Max. Mm-hmm. Which has two different lines. One for business, one for personal use, so it can kind of consolidate it into one. And then on my actual desk, which I actually use a, standing desk. Really, it makes it nice to be able to adjust along with a gaming chair.

'cause I think that was actually the most comfortable, best. Chair that Define was actually a gaming chair, and its Secret Lab is the company, so Yep. You're looking for a good one. That's, my recommendation. And then of course, extended monitors, because we use so many different systems, so that's more of the hardware setup.

In terms of software though, we, I use of course, Gmail interface for our firm along with our website, which is managed by Scorpion, one of , the ad companies. And then other software that we utilize are matics for our [00:02:00] CRM and my case for our client management portal, along with some other intake software that we utilize.

So I'm gonna ask, which MacBook Pro do you have? That's a good question. So I bought it a little bit, but it's the, you know, it has , the M two chip in it. Okay. 16 gig MacBook Air. So I've had it for about a year and a half and Excellent.

Michael D.J. Eisenberg: Really

Lance Kennedy: well for me.

Michael D.J. Eisenberg: Yep. And of course you have a Apple store.

Business account, right? I do. Yeah, of course. Excellent. And what about your monitors? Do you have a particular brand?

Lance Kennedy: Well, the monitors I currently am using , are, curved Samsung monitors. Mm-hmm. They, and then I have a articulating arm that I have them on just so I can kind of maneuver them.

I still use my, my laptop for most things with the laptop screen, and then use the extended monitors to kind of host documents or platforms that I'm utilizing.

Michael D.J. Eisenberg: For your curve monitors, do you have more than one on your desk? I have two. And so the curve monitor, my understanding of the concept is to kind of keep your eyes on the screen so that you don't lose anything.

You [00:03:00] know, moving from left to right, you know, I've got a three monitor set up, main one and two FLA flanking left and right. They say that having a curve monitor is better because you need, again, you keeping your eyes on the screen. Do you find to have any conflict with that, given that you have two curved monitors?

Lance Kennedy: I don't find any real issue with it. I mean, they're not the most extreme, you know, curved monitors. Some of them are, have a, I dunno if it's concave or convex, but point is, is that they do have a little bit more of an angle to them. Right. These are almost flat, but they do have a slight curve and I really haven't found an issue with, it, it just, it works for me and I kind of have them set up on opposite sides of my deck and

Michael D.J. Eisenberg: that's all that matters.

Your iPhone 17 pro. Is it a pro promax or pro promax? And did you get the orange? I did get

Lance Kennedy: the orange. How do you like that? It's all right, but I have a OtterBox, one of the defender. Mm-hmm. OtterBox cases. And I know some people think the Promax versions are a little large, and then I add a, an additional right kind of bulk to it.

But I figured if I'm gonna have that expensive of a piece of hardware, [00:04:00] I'm gonna get the most rugged. Protective system that I could get, which is the defender.

Michael D.J. Eisenberg: I do the same thing, and I agree with you. I've got some sort of, I have a knockoff case for my iPhone, PROMAX 17, but the nice thing about it is it has a little kickstand built.

It's really nice. So that comes in handy, like when you're, elsewhere, you wanna just prop it up, whether you're in the kitchen, dining room table or at a Starbucks and you only have your phone with you. That's been a little trick that I found out from my last anchor case that I had for my 16.

I'm on the annuals recycle program with Apple, so I get the new phone every year. Well let's get into the questions.

Q?#1:  What are the top three ways criminal defense attorneys can leverage technology to level the playing field against well-resourced prosecution teams?And how has our guest's prosecutorial experience informed your approach to implementing these tools?

Michael D.J. Eisenberg: Question number one. Lance as a former federal prosecutor who now runs a tech forward criminal defense practice. What are the top three ways criminal defense attorneys can leverage technology to level the playing field against well-resourced prosecution teams?

And how has your prosecutorial experience informed your approach to implementing

Lance Kennedy: these tools? Yeah, those are great questions. And so what I would say on the outset, as you know, particularly with the new AI revolution, I [00:05:00] think we're at the onset of it. It still has, you know, a lot to go. We'll see where it takes us.

But really with these technological changes, what I see in at least our market, and I think it's probably in any practice area, it's becoming. More key is you're g you're really gonna have firms that take advantage of the full weight of technology available to them. And those that don't, and the ones that don't, are just gonna be left behind because they're not able, they're not gonna be able to leverage their time and resources in the same way.

Mm-hmm. And it goes to, you know, the different ways we're utilizing technology, I mean, the first would be data analytics and, and case management with all the AI tools available. You know, you have to, of course, make sure you're following bar rules and not sharing PII in places. Right. Utilizing AI either on your own server or running it without sharing data has been a game changer because what you can do is you can organize discovery and spotting consistencies or quickly cross-reference evidence and you know, which is really critical when you're going against prosecution teams with more manpower.

Whenever you, you know, you're up against the federal government or a state government, [00:06:00] they have almost unlimited resources available to them, investigators, analysts, experts and and whatnot. And so having that ability to quickly analyze data and spotting consistencies is key. The next would be digital forensic tools.

You know, by employing such like forensic software or utilizing experts that have access to forensic software, like cell tower data, digital communication or, or different types of video analysis, we've been able to really. Bolster our client's defense. And part of that is my prosecutorial background, particularly with the Department of Justice, , taught me how the government's gonna build a case against you.

Mm-hmm. So we want to utilize the same tools to, to be able to dismantle a case, or at least provide the best defense to our clients. And in our area, of course, is criminal defense. Most of this is gonna be done though through experts that have, you know, either DEC decryption tools or other analytic tools.

And, and starting to leverage again, the same forensic opportunities that the, the state or government has. And then finally, I kind of touched on this with data analytics is really AI and automation. This is, you [00:07:00] know, things such as automated receptionist, document review, legal research. All of these have, we've been able to successfully offload to AI platforms.

And that does free up bandwidth for our team to focus on, strategy rather than just paperwork. So those would be the three ways, categories of the ways we're utilizing technology.

Ad#2: Consider Buying The Tech-Savvy Lawyer a Cup of Coffee ☕️ or Two ☕️☕️!

Michael D.J. Eisenberg: Pardon the interruption. I hope you're enjoying the Tech Heavy Layer page podcast. As much as I enjoy making them consider buying us a cup of coffee or two to help toray some of the production costs, thanks and enjoy.

Q?#2: What are the top three technological tools or approaches that criminal defense attorneys should prioritize differently when managing federal cases versus state cases? And how can technology help attorneys navigate the distinct procedural and evidentiary challenges of each system? system. .

Michael D.J. Eisenberg: So let's move on to question number two. With your experience handling both federal cases and state and Texas state matters, what are the top three technological tools or approaches that criminal defense attorneys should prioritize differently when managing federal cases versus state cases? And how can technology help attorneys navigate the distinct procedural and evidentiary challenges of each

Lance Kennedy: system. Great question. So I'll take these kind of separately because federal and state work are, are somewhat distinct, albeit both [00:08:00] kind of deal with the same subject matter, federal cases and, and the federal system. Of course, you have a, you have a unified online platform, ECF case, sir.

And then of course you have box, which is the, the typical way that evidence is shared with you from, you know, the agency's DOJ, the prosecutor to you as the attorney. And so when it comes to utilizing technology with federal cases, particularly those that are, you know, again, very, have a very large amount of discovery such as white collar cases, wire fraud, things of that nature.

We utilize and leverage, for instance, like co-counsel with Westlaw to be able to, to create trial books and really look at the discovery and help us manage our, the vast amount of discovery. I mean, you know, a small white collar case could have 10, 15,000. Exhibits or files, they're white collar cases that go into hundreds of thousands, if not millions of documents.

So, mm-hmm. You know, quickly being able to utilize AI rather than have to have, you know, an associate comb through those and really look for things has, is a, is definitely something that you should leverage if you're [00:09:00] not doing that already. In terms of, you know, state practice things, you know, 'cause criminal practices and state work, you're dealing with a lot of volume of clients such as, UIs, assaults, drugs, right.

And the like. So utilizing AI and, and other automated technologies for rapid response call tracking, text automation, even like case management software mm-hmm. You know, are very helpful. And that's just because state cases can move pretty quickly. Or involve high client volume. And so you want to be able to utilize automation as much as possible.

So that's what we do as well. And then finally, the technol technological advantage you get by utilizing all these different platforms. You know, like for instance, using dashboards to track procedural deadlines or evidentiary issues really enables you to, to stop things from slipping through the cracks.

Michael D.J. Eisenberg: So my question to you, going back to the first, and, course the second question. As you mentioned that you wanna be using the same platforms as the government does, whether it's state or federal. Have you found, say, maybe three [00:10:00] pieces of tech or software. That you find to be better than what the state or federal government uses.

Lance Kennedy: I mean, you don't have access to their internal systems. Right. And then mm-hmm. In terms of like state, the state, and I'm speaking of particularly the federal system that, the state prosecution, depending on the county, can be fairly antiquated. You know, because we work throughout Texas. My firm Lance Kennedy law, we work through all the major metros of the Texas Triangle, but also rural counties with five, 6,000 people. Right? And so you see a wide discrepancy between tools that they're using. And so what I would say is you may have access, for instance, to like Westlaw, which they're gonna be utilizing. Mm-hmm. In preparation as well. But I would venture to say that if you're a tech savvy defense attorney, like in my position, you're gonna have access to more platforms and be willing to use , more platforms, right.

In the state or feds. And that's just because. You know, they're not gonna go outta their way to purchase a software that's not being provided for them. Right. Whereas, if you're running your own business, you can select [00:11:00] the best software possible to help your clients. Are you willing to share your top three?

Yeah, I would say, I mean, the easiest for me is chat. GPTI do have a pro account that would be top of the list. There's just so many features available with the new agents that they've rolled out. Deep research functionality, copy editing, replying, you know, for instance, making sure that whatever communication is compliant with whatever rules of professional conduct or Texas Code of Criminal procedure, you can really utilize, you know, AI in that capacity to shore up your communication, even if it's merely looking at, what you're typing , or research question or the like.

The next one would be Westlaw, the AI enabled Westlaw with co-counsel. Just because it makes, you know, when I, when I went into law school, we were still learning how to, , and granted it was still, it was antiquated at this point, but they were still making us learn how to pull cases from the volumes in the library.

Right. I've never done that actually, in practice. It was a waste of time, but then of course, we were using Westlaw, but you had to use some of , the connectors and you had to [00:12:00] be really adept at the coding of how you phrased a question. Now, that's not even , a question. You can literally type in any search query and sort it by case, like, how does XJ judge handle this matter?

And it leverages the entire Westlaw database. And then finally, I would say a really easy one to utilize is Grammarly. And so , my team is Grammarly integrated in all of our platforms that enables us to. Make sure that our copy is clear and professional and gets the right tone. And when you're dealing with criminal clients, many times you're gonna get a client screed, you can't even understand it's gonna be, you know, run on sentences , and stream of consciousness.

So to be able to quickly utilize AI to interpret it and then respond with a proper tone , is incredible as well. So I'd say those were my top three.

Michael D.J. Eisenberg: Excellent. Excellent. I appreciate you sharing that, but I'm gonna focus on one, which is gonna bleed into our third question. Talked about chat, GPT Pro. Now, is the information that you put into that system at that tier, is that still protected or are you [00:13:00] worried get to be wary of your PII?

Lance Kennedy: Yeah, that, that's a, that's kind of a real open question right now. So most of the LMS and other platforms are gonna enable you to turn off data sharing. Mm-hmm. And so that should, for, for all intents and purposes, protect your data. But, but really ensure, you know, you're doing what is compliant with your bar.

The next thing is you can actually host your own, you know, server with mm-hmm. AI on it and just kind of keep it in a closed ecosystem. So that's the safer method. But I think probably both of them meet the criter and confidentiality. The issue is you just don't want PII getting onto the internet some way, somehow inadvertently, and I think as long as it's not being shared.

That should prevent that from ever occurring. But again, you know, that's just my opinion and you have to kind of figure it out. I think the issue , is that, you know, state bars are, you know, and I would say advertising committees, there are government workers or individuals mm-hmm. That never run a business. And there's Right, they know impetus for them to move quickly on these types of issues or be sensible or reasonable. And so. [00:14:00] I would just say be a smart practitioner and don't put yourself in any type of harm's way. And for our last question,

Q?#3: What are the top three ethical and practical considerations criminal defense attorneys must address when implementing AI tools in their practice? And how can lawyers ensure they maintain the quote unquote human in the loop while maximizing AI's benefits for client representation?

Michael D.J. Eisenberg: as someone who has worked on both sides of the courtroom and now integrates AI into your defense strategies, what are the top three ethical and practical considerations criminal defense attorneys must address when implementing AI tools in their practice?

And how can lawyers ensure they maintain the quote unquote human in the loop while maximizing AI's benefits for client representation ?

Lance Kennedy: You know, I think this kind of goes to the use of any technology is. When it comes to replacing repetitive tasks, things that really are, I would say, tasks that don't take a true technician or someone with a mm-hmm.

Skill set to do. Those are the ones that need and should be automated and can be automated.

Michael D.J. Eisenberg: Mm-hmm.

Lance Kennedy: As quickly, even things like receptionist. Mm-hmm. You have an AI receptionist. So the point is, is that there are things that generally do have a human like component or interact. Mm-hmm. Can be easily replaced with ai.

However, you know, depending on your competency and where you're [00:15:00] practicing, what type of law. For instance, you know, we're never gonna replace attorneys in the courtroom, at least right. For the way foreseeable future things like hearings or visiting a client in jail. Or making phone calls to family members to, you know, assure them everything's being done.

Those are the tasks that of course we are still gonna have to have a human touch. The more we automate, the more we leverage technology, the more we're utilizing AI to be able to help us do things like research or in something that took us. Five hours we can now do in 30 minutes. Right. We're gonna leverage because that frees up my attorneys to do the things that they're really paid to do, which is, you know, win cases, resolve them favorably for our clients and keep them in the loop.

And, and that's where, technology really is enabling us to

Michael D.J. Eisenberg: succeed.

Have you come across any ethical pitfalls in dealing with ai? Maybe not necessarily with yourself, but you've seen with other colleagues?

Lance Kennedy: No. I mean, what, you know, the question , is like, what would be the ethical grounds here?

It's the, the same rules apply whether guides writing copy for you from mm-hmm. Or [00:16:00] producing a video. Then if you did it on your own, I think as long as the presentation is accurate and doesn't give clients or potential clients the wrong. Opinion of you or your team or your staff. Mm-hmm. You know, then you're in good territory.

So it's a tool, but it doesn't replace ethical behavior or discretion. Gotcha.

Michael D.J. Eisenberg: Well, Lance, I wanna thank you for being here today. Please.

Where You Can Find Our Guest!

Michael D.J. Eisenberg: Where can people find you?

Lance Kennedy: You can find me@lancekennedy.com. It's our firm's website. You can also find me on LinkedIn, TikTok, Instagram, and Facebook. Excellent. Well, Lance,

Michael D.J. Eisenberg: again, thank you for being here.

Absolutely. Thank you.

See You In Two Weeks!

Michael D.J. Eisenberg: Thank you for joining me on this episode of the Tech Savvy Lawyer Page podcast. Our next episode will be posted in about two weeks. If you have any ideas about a future episode, please contact me at Michael DJ at the Tech Savvy lawyer.page. Have a great day and happy [00:17:00] lawyering.

🚨 BOLO: Solo and Small Law Firms Lag in AI Adoption: Key Insights from ClioCon 2025 and Steps Forward

/ The Tech-Savvy Lawyer.Page/
🚨 BOLO: Solo and Small Law Firms Lag in AI Adoption: Key Insights from ClioCon 2025 and Steps Forward

Solo and Small Law Firms Falling Behind in AI Adoption: Insights from ClioCon 2025 and How to Close the Gap

Read More

MTC: Deepfakes, Deception, and Professional Duty - What the North Bethesda AI Incident Teaches Lawyers About Ethics in the Digital Age 🧠⚖️

/ The Tech-Savvy Lawyer.Page/

Lawyers need to be aware of the potential Professional and ethical consequences if they allow deepfakes to enter the courtroom.

In October 2025, a seemingly lighthearted prank spiraled into a serious legal matter that carries profound implications for every practicing attorney. A 27 year-old, North Bethesda woman sent her husband an AI-generated photograph depicting a man lounging on their living room couch. Alarmed by the apparent intrusion, he called 911. The subsequent police response was swift and overwhelming: eight marked cruisers raced through daytime traffic with lights and sirens activated. When officers arrived, they found no burglar—the woman was alone at home, a cellphone mounted on a tripod aimed at the front door, and the admission that it was all a prank.

The story might have ended as a cautionary tale about viral social media trends gone awry. But for the legal profession, it offers urgent and multifaceted lessons about technological competence, professional responsibility, and the ethical obligations that now define modern legal practice.

The woman was charged with making a false statement concerning an emergency or crime and providing a false statement to a state official. Though the charges are criminal in nature, they illuminate a landscape that the legal profession must navigate with far greater care than many currently do. The intersection of generative AI, digital deception, and legal ethics represents uncharted territory—one where professional liability and disciplinary action await those who fail to understand the technology reshaping evidence, testimony, and truth-seeking in the courtroom.

The Technology Competence Imperative

In 2012, the American Bar Association amended Comment 8 to Model Rule 1.1 (Competence) to include an explicit requirement that lawyers remain competent in "the benefits and risks associated with relevant technology." This was not a suggestion; it was a mandate. Today, 31 states have adopted or adapted this language into their own professional conduct rules. The ABA's accompanying committee report emphasized that the amendment serves as "a reminder to lawyers that they should remain aware of technology." Yet the word "reminder" should not be mistaken for optional guidance. As the digital landscape grows more sophisticated—and more legally consequential—ignorance of technology is increasingly indefensible as a basis for professional incompetence.

This case exemplifies why: An attorney representing clients in disputes involving digital media—whether custody cases, employment disputes, criminal defense, or civil litigation—cannot afford to lack foundational knowledge of how AI-generated images are created, detected, and authenticated. A lawyer who fails to distinguish authentic video evidence from a deepfake, or who presents such evidence without proper verification, may be engaging in conduct that violates not only Rule 1.1 but also Rules 3.3 and 8.4 of the ABA Model Rules of Professional Conduct.

Rule 1.1 creates a floor, not a ceiling. While most attorneys are not expected to become machine learning engineers, they must possess working knowledge of AI detection tools, image metadata analysis, forensic software, and the limitations of each. Many free and low-cost resources now exist for such training. Bar associations, CLE providers, and technology vendors offer courses specifically designed for attorneys with moderate tech proficiency. The obligation is not to achieve expertise but to make a deliberate, documented effort to stay reasonably informed.

Lawyers may argue that they "reasonably believed" the photograph was authentic and thus did not knowingly violate Rule 3.3. But this defense grows weaker as technology becomes more accessible and detection methods more readily available.

🚨

Lawyers may argue that they "reasonably believed" the photograph was authentic and thus did not knowingly violate Rule 3.3. But this defense grows weaker as technology becomes more accessible and detection methods more readily available. 🚨

Candor, Evidence, and the Truth-Seeking Function

The Maryland incident also implicates ABA Model Rule 3.3 (Candor Toward the Tribunal). Rule 3.3(a)(3) prohibits lawyers from offering evidence that they know to be false. But what does a lawyer know when AI makes authenticity ambiguous?

Consider a hypothetical: A client provides a lawyer with a photograph purporting to show the opposing party engaged in misconduct. The lawyer accepts it at face value and presents it to the court. Later, it is discovered that the image was AI-generated. The lawyer may argue that they "reasonably believed" the photograph was authentic and thus did not knowingly violate Rule 3.3. But this defense grows weaker as technology becomes more accessible and detection methods more readily available. A lawyer's failure to employ basic verification protocols—such as checking metadata, using AI detection software, or consulting a forensic expert—may render their "belief" in authenticity unreasonable, transforming what appears to be good-faith conduct into a breach of the duty of candor.

The deeper concern is what scholars call the "Liar's Dividend": the phenomenon by which the mere existence of convincing deepfakes causes observers to distrust even genuine evidence. Lawyers can inadvertently exploit this dynamic by introducing AI-generated content without disclosure, or by sowing doubt in jurors' minds about the authenticity of real evidence. When a lawyer does so knowingly—or worse, with willful indifference—they corrupt the judicial process itself.

Rule 3.3 does not merely prevent lawyers from lying; it affirms their role as officers of the court whose duty to truth transcends client advocacy. This duty becomes more, not less, demanding in an age of manipulated media.

Dishonesty, Fraud, and the Outer Boundaries of Professional Conduct

North Bethesda deepfake prank highlights ethical gaps for attorneys.

ABA Model Rule 8.4(c) prohibits conduct involving dishonesty, fraud, deceit, or misrepresentation. On its face, Rule 8.4 seems straightforward. But its application to AI-generated evidence raises subtle questions. If a lawyer negligently fails to detect a deepfake and introduces it as genuine, are they guilty of "deceit"? Does their ignorance of the technology constitute a defense, or does it constitute a separate violation of Rule 1.1?

The answer likely depends on context. A lawyer who presents AI-generated evidence without having undertaken any effort to verify it—in a jurisdiction where technological competence is mandated, and where basic detection tools are publicly available—may struggle to argue that they acted with mere negligence rather than reckless indifference to truth. The line between incompetence and dishonesty can be perilously thin.

Consider, too, the scenario in which a lawyer becomes aware that a client has manufactured evidence using AI. Rule 8.4(c) does not explicitly prevent a lawyer from advising a client about the legal risks of doing so, nor does it require immediate disclosure to opposing counsel or the court in all circumstances. However, if the lawyer then remains silent while the falsified evidence is introduced into litigation, they may be viewed as having effectively participated in fraud. The duty to maintain client confidentiality (Rule 1.6) can conflict with the duty of candor, but Rule 3.3 clarifies that candor prevails: "The duties stated in paragraph (a) … continue to the conclusion of the proceeding, and apply even if compliance requires disclosure of information otherwise protected by Rule 1.6.

Practical Safeguards and Professional Resilience

So what can lawyers do—immediately and pragmatically—to protect themselves and their clients?

First, invest in education. Most state bar associations now offer CLE courses on AI, deepfakes, and digital evidence. Many require only two to three hours. Florida has mandated three hours of technology CLE every three years; others will likely follow. Attending such courses is not an extravagance; it is the baseline floor of professional duty.

Second, establish verification protocols. When digital evidence is introduced in a case—particularly photographs, videos, or audio recordings—require documentation of provenance. Demand metadata. Consider retained expert assistance to authenticate digital files. Many law firms now partner with forensic technology consultants for exactly this purpose. The cost is modest compared to the risk of professional discipline or malpractice liability.

Third, disclose limitations transparently. If you lack expertise in evaluating a particular form of digital evidence, say so. Rule 1.1 permits lawyers to partner with others possessing requisite skills. Transparency about technological limitations is not weakness; it is professionalism.

Fourth, update client engagement letters and retention agreements. Explicitly discuss how your firm will handle digital evidence, what verification steps will be taken, and what the client can reasonably expect. Document these conversations. In disputes with clients later, such records can be invaluable.

Fifth, stay alert to emerging guidance. Bar associations continue to issue formal opinions on technology and ethics. Journals, conference presentations, and industry publications track the intersection of AI and law. Subscribing to alerts from your state bar's ethics committee or joining legal technology practice groups ensures you remain informed as standards evolve. *You may find following The Tech-Savvy Lawyer.Page a great source for alerts and guidance! 🤗

Final Thoughts: The Deeper Question

Lawyers have the professional and ethical responsibility of knowing how deepfakes work!

The Maryland case is ultimately not about one woman's ill-advised prank. It is about the profession's obligation to remain trustworthy stewards of justice in an age when truth itself can be fabricated with a few keystrokes. The legal system depends on evidence, testimony, and the adversarial process to uncover truth. Lawyers are its guardians.

Technology competence is not an optional specialization or a nice-to-have skill. Under the ABA Model Rules and the rules adopted by 31 states, it is a foundational professional duty. Failure to acquire it exposes practitioners to disciplinary action, malpractice claims, and—most importantly—the real possibility of leading their clients, courts, and the public toward injustice.

The invitation to lawyers is clear: engage with the technology that is reshaping litigation, evidence, and professional practice. Understand its capabilities and risks. Invest in verification, transparency, and ongoing education. In doing so, you honor not just your professional obligations but the deeper mission of the law itself: the pursuit of truth.

Word of the Week: Technology Stack - Your Law Firm's Digital Foundation 📖

/ The Tech-Savvy Lawyer.Page/

A technology stack (commonly called a tech stack) represents the complete collection of software tools, applications, and technologies that work together to support your law firm's operations. This digital infrastructure powers everything from client communication to case management.

Your tech stack functions like building blocks. Each component serves a specific purpose. The foundation includes your operating system and hardware. The middle layer contains your practice management software and document systems. The top layer delivers the interfaces you interact with daily.

Modern law firms require robust tech stacks to remain competitive. These systems streamline workflows and improve efficiency. They also enhance client service delivery.

A well-designed legal tech stack typically includes practice management software as its core. This central system tracks deadlines, manages contacts, and coordinates team workflows. Document management and automation tools handle file storage, retrieval, and template creation. Client intake systems capture potential client information automatically. Communication tools such as Voice Over Internet Protocol (VOIP) systems ensure your firm never misses important calls.

Additional components strengthen your stack's capabilities. Financial management tools automate billing and expense tracking. Legal research platforms provide access to current case law and regulations. Security systems protect confidential client data through encryption and multi-factor authentication. Cloud-based solutions enable remote access and collaboration.

Building an effective tech stack requires careful planning. Start by identifying your firm's core needs. Prioritize tools that integrate smoothly with each other. Evaluate your budget for both licenses and training. Test new tools with a small team before firm-wide deployment. Choose vendors who offer reliable support and clear product roadmaps.

The benefits of a unified tech stack are substantial. Automated processes save hours each week. Smart templates reduce human errors and improve accuracy. Client portals provide real-time case updates that build trust. Enhanced security measures protect sensitive information while maintaining compliance. Scalable systems grow alongside your practice without requiring complete rebuilds.

A well-designed tech stack is important for any modern day law practice.

Your tech stack directly impacts your firm's ability to serve clients effectively. Technology-savvy clients expect modern tools and service levels comparable to other industries. Firms that invest in strong tech stacks gain competitive advantages in case management, client interactions, and overall productivity.

Remote work capabilities have become essential components. Cloud-based case management systems enable real-time collaboration regardless of location. Video conferencing and virtual collaboration tools maintain productivity in hybrid environments. Secure access through robust platforms ensures business continuity.

The legal technology landscape continues evolving rapidly. Artificial intelligence now powers research and document review. Automation handles contract generation and compliance checks. Advanced financial management solutions streamline billing and payment processing. Integration between these systems creates seamless workflows that maximize efficiency.

Choosing the right tech stack positions your firm for long-term success. Focus on solutions that address real problems rather than simply adding tools. Seek platforms that work together rather than operating in isolation. Regularly review your stack as your firm grows and technology advances. This strategic approach ensures your digital infrastructure supports your practice goals effectively.

MTC: 🔒 Your AI Conversations Aren't as Private as You Think: What the OpenAI Court Ruling Means for Legal Professionals

/ The Tech-Savvy Lawyer.Page/

A watershed moment in digital privacy has arrived, and it carries profound implications for lawyers and their clients.

The recent court ruling in In re: OpenAI, Inc., Copyright Infringement Litigation has exposed a critical vulnerability in the relationship between artificial intelligence tools and user privacy rights. On May 13, 2025, U.S. Magistrate Judge Ona T. Wang issued an order requiring OpenAI to "preserve and segregate all output log data that would otherwise be deleted on a going forward basis". This unprecedented directive affected more than 400 million ChatGPT users worldwide and fundamentally challenged assumptions about data privacy in the AI era.[1][2][3][4]

While the court modified its order on October 9, 2025, terminating the blanket preservation requirement as of September 26, 2025, the damage to user trust and the precedent for future litigation remain significant. More importantly, the ruling illuminates a stark reality for legal professionals: the "delete" button offers an illusion of control rather than genuine data protection.

The Court Order That Changed Everything ⚖️

The preservation order emerged from a copyright infringement lawsuit filed by The New York Times against OpenAI in December 2023. The Times alleged that OpenAI unlawfully used millions of its articles to train ChatGPT without permission or compensation. During discovery, concerns arose that OpenAI had been deleting user conversations that could potentially demonstrate copyright violations.

Judge Wang's response was sweeping. The court ordered OpenAI to retain all ChatGPT output logs, including conversations users believed they had permanently deleted, temporary chats designed to auto-delete after sessions, and API-generated outputs regardless of user privacy settings. The order applied retroactively, meaning conversations deleted months or even years earlier remained archived in OpenAI's systems.

OpenAI immediately appealed, arguing the order was overly broad and compromised user privacy. The company contended it faced conflicting obligations between the court's preservation mandate and "numerous privacy laws and regulations throughout the country and the world". Despite these objections, Judge Wang denied OpenAI's motion, prioritizing the preservation of potential evidence over privacy concerns.

The October 9, 2025 stipulation and order brought partial relief. OpenAI's ongoing obligation to preserve all new output log data terminated as of September 26, 2025. However, all data preserved before that cutoff remains accessible to plaintiffs (except for users in the European Economic Area, Switzerland, and the United Kingdom). Additionally, OpenAI must continue preserving output logs from specific domains identified by the New York Times and may be required to add additional domains as the litigation progresses.

Privacy Rights in the Age of AI: An Eroding Foundation 🛡️

This case demonstrates that privacy policies are not self-enforcing legal protections. Users who relied on OpenAI's representations about data deletion discovered those promises could be overridden by court order without their knowledge or consent. The "temporary chat" feature, marketed as providing ephemeral conversations, proved anything but temporary when litigation intervened.

The implications extend far beyond this single case. The ruling establishes that AI-generated content constitutes discoverable evidence subject to preservation orders. Courts now view user conversations with AI not as private exchanges but as potential legal records that can be compelled into evidence.

For legal professionals, this reality is particularly troubling. Lawyers regularly handle sensitive client information that must remain confidential under both ethical obligations and the attorney-client privilege. The court order revealed that even explicitly deleted conversations may be retained indefinitely when litigation demands it.

The Attorney-Client Privilege Crisis 👥

Attorney-client privilege protects confidential communications between lawyers and clients made for the purpose of obtaining or providing legal advice. This protection is fundamental to the legal system. However, the privilege can be waived through voluntary disclosure to third parties outside the attorney-client relationship.

When lawyers input confidential client information into public AI platforms like ChatGPT, they potentially create a third-party disclosure that destroys privilege. Many generative AI systems learn from user inputs, incorporating that information into their training data. This means privileged communications could theoretically appear in responses to other users' queries.

The OpenAI preservation order compounds these concerns. It demonstrates that AI providers cannot guarantee data will be deleted upon request, even when their policies promise such deletion. Lawyers who used ChatGPT's temporary chat feature or deleted sensitive conversations believing those actions provided privacy protection now discover their confidential client communications may be preserved indefinitely as litigation evidence.

The risk is not theoretical. In the now-famous Mata v. Avianca, Inc. case, a lawyer used a free version of ChatGPT to draft a legal brief containing fabricated citations. While the lawyer faced sanctions for submitting false information to the court, legal ethics experts noted the confidentiality implications of the increasingly specific prompts the attorney used, which may have revealed client confidential information.

ABA Model Rules and AI: What Lawyers Must Know 📋

The American Bar Association's Model Rules of Professional Conduct govern lawyer behavior, and while these rules predate generative AI, they apply with full force to its use. On July 29, 2024, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 512, providing the first comprehensive guidance on lawyers' use of generative AI.

Model Rule 1.1: Competence requires lawyers to provide competent representation, including maintaining "legal knowledge, skill, thoroughness and preparation reasonably necessary for representation". The rule's commentary [8] specifically states lawyers must understand "the benefits and risks associated with relevant technology". Opinion 512 clarifies that lawyers need not become AI experts, but must have a "reasonable understanding of the capabilities and limitations of the specific GenAI technology" they use. This is not a one-time obligation. Given AI's rapid evolution, lawyers must continuously update their understanding.

Model Rule 1.6: Confidentiality creates perhaps the most significant ethical challenge for AI use. The rule prohibits lawyers from revealing "information relating to the representation of a client" and requires them to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation". Self-learning AI tools that train on user inputs create substantial risk of improper disclosure. Information entered into public AI systems may be stored, processed by third-party vendors, and potentially accessed by company employees or incorporated into model training. Opinion 512 recommends lawyers obtain informed client consent before inputting any information related to representation into AI systems. Lawyers must also thoroughly review the terms of use, privacy policies, and contractual agreements of any AI tool they employ.

Model Rule 1.4: Communication obligates lawyers to keep clients reasonably informed about their representation. When using AI tools, lawyers should disclose this fact to clients, particularly when the AI processes client information or could impact the representation. Clients have a right to understand how their matters are being handled and what technologies may access their confidential information.[25][22][20][21]

Model Rule 3.3: Candor Toward the Tribunal requires lawyers to be truthful in their representations to courts. AI systems frequently produce "hallucinations"—plausible-sounding but entirely fabricated information, including fake case citations. Lawyers remain fully responsible for verifying all AI outputs before submitting them to courts or relying on them for legal advice. The Mata v. Avianca case serves as a cautionary tale of the consequences when lawyers fail to fulfill this obligation.

Model Rules 5.1 and 5.3: Supervisory Responsibilities make lawyers responsible for the conduct of other lawyers and nonlawyer assistants working under their supervision. When staff members use AI tools, supervising lawyers must ensure appropriate policies, training, and oversight exist to prevent ethical violations.

Model Rule 1.5: Fees requires lawyers to charge reasonable fees. Opinion 512 addresses whether lawyers can bill clients for time "saved" through AI efficiency gains. The guidance suggests that when using hourly billing, efficiencies gained through AI should benefit clients. However, lawyers may pass through reasonable direct costs of AI services (such as subscription fees) when properly disclosed and agreed upon in advance.

State-by-State Variations: A Patchwork of Protection 🗺️

While the ABA Model Rules provide a national framework, individual states adopt and interpret ethics rules differently. Legal professionals must understand their specific state's requirements, which can vary significantly.[2

Lawyers must protect client’s PII from AI privacy failures!

Florida has taken a proactive stance. In January 2025, The Florida Bar Board of Governors unanimously approved Advisory Opinion 24-1, which specifically addresses generative AI use. The opinion recommends lawyers obtain "affected client's informed consent prior to utilizing a third-party generative AI program if the utilization would involve the disclosure of any confidential information". Florida's guidance emphasizes that lawyers remain fully responsible for AI outputs and cannot treat AI as a substitute for legal judgment.

Texas issued Opinion 705 from its State Bar Professional Ethics Committee in February 2025. The opinion outlines four key obligations: lawyers must reasonably understand AI technology before using it, exercise extreme caution when inputting confidential information into AI tools that might store or expose client data, verify the accuracy of all AI outputs, and avoid charging clients for time saved by AI efficiency gains. Texas also emphasizes that lawyers should consider informing clients when AI will be used in their matters.

New York has developed one of the most comprehensive frameworks through its State Bar Association Task Force on Artificial Intelligence. The April 2024 report provides a thorough analysis across the full spectrum of ethical considerations, including competence, confidentiality, client communication, billing practices, and access to justice implications. New York's guidance stands out for addressing both immediate practical considerations and longer-term questions about AI's transformation of the legal profession.

Alaska issued Ethics Opinion 2025-1 surveying AI issues with particular focus on competence, confidentiality, and billing. The opinion notes that when using non-closed AI systems (such as general consumer products), lawyers should anonymize prompts to avoid revealing client confidential information. Alaska's guidance explicitly cites to its cloud-computing predecessor opinion, treating AI data storage similarly to law firm files on third-party remote servers.

California, Massachusetts, New Jersey, and Oregon have issued guidance through their state attorneys general on how existing state privacy laws apply to AI. California's advisories emphasize that AI use must comply with the California Consumer Privacy Act (CCPA), requiring transparency, respecting individual data rights, and limiting data processing to what is "reasonably necessary and proportionate". Massachusetts focuses on consumer protection, anti-discrimination, and data security requirements. Oregon highlights that developers using personal data to train AI must clearly disclose this use and obtain explicit consent when dealing with sensitive data.[31]

These state-specific approaches create a complex compliance landscape. A lawyer practicing in multiple jurisdictions must understand and comply with each state's requirements. Moreover, state privacy laws like the CCPA and similar statutes in other states impose additional obligations beyond ethics rules.

Enterprise vs. Consumer AI: Understanding the Distinction 💼

Not all AI tools pose equal privacy risks. The OpenAI preservation order highlighted critical differences between consumer-facing products and enterprise solutions.

Consumer Plans (Free, Plus, Pro, and Team) were fully subject to the preservation order. These accounts store user conversations on OpenAI's servers with limited privacy protections. While users can delete conversations, the court order demonstrated that those deletions are not permanent. OpenAI retains the technical capability to preserve and access this data when required by legal process.

Enterprise Accounts offer substantially stronger privacy protections. ChatGPT Enterprise and Edu plans were excluded from the preservation order's broadest requirements. These accounts typically include contractual protections such as Data Processing Agreements (DPAs), commitments against using customer data for model training, and stronger data segregation. However, even enterprise accounts must preserve data when covered by specific legal orders.

Zero Data Retention Agreements provide the highest level of protection. Users who have negotiated such agreements with OpenAI are excluded from data preservation requirements. These arrangements ensure that user data is not retained beyond the immediate processing necessary to generate responses.

For legal professionals, the lesson is clear: consumer-grade AI tools are inappropriate for handling confidential client information. Lawyers who use AI must ensure they employ enterprise-level solutions with proper contractual protections, or better yet, closed systems where client data never leaves the firm's control.

Practical Steps for Legal Professionals: Protecting Privilege and Privacy 🛠️

Given these risks, what should lawyers do? Abandoning AI entirely is neither realistic nor necessary. Instead, legal professionals must adopt a risk-management approach.

Conduct thorough due diligence before adopting any AI tool. Review terms of service, privacy policies, and data processing agreements in detail. Understand exactly what data the AI collects, how long it's retained, whether it's used for model training, who can access it, and what security measures protect it. If these answers aren't clear from public documentation, contact the vendor directly for written clarification.

Implement written AI policies for your firm or legal department. These policies should specify which AI tools are approved for use, what types of information can (and cannot) be input into AI systems, required safeguards such as data anonymization, client consent requirements, verification procedures for AI outputs, and training requirements for all staff. Document these policies and ensure all lawyers and staff understand and follow them.

Default to data minimization. Before inputting any information into an AI system, ask whether it's necessary. Can you accomplish the task without including client-identifying information? Many AI applications work effectively with anonymized or hypothetical scenarios that don't reveal actual client matters. When in doubt, err on the side of caution.

Obtain informed client consent when using AI for client matters, particularly when inputting any information related to the representation. This consent should be specific about what AI tools will be used, what information may be shared with those tools, what safeguards are in place, and what risks exist despite those safeguards. General consent buried in engagement agreements is likely insufficient.

Use secure, purpose-built legal AI tools rather than consumer applications. Legal-specific AI products are designed with confidentiality requirements in mind and typically offer stronger privacy protections. Even better, consider closed-system AI that operates entirely within your firm's infrastructure without sending data to external servers.

Never assume deletion means erasure. The OpenAI case proves that deleted data may not be truly gone. Treat any information entered into an AI system as potentially permanent, regardless of what the system's privacy settings claim.

Maintain privileged communication protocols. Remember that AI is not your attorney. Communications with AI systems are not protected by attorney-client privilege. Never use AI as a substitute for consulting with qualified colleagues or outside counsel on genuinely privileged matters.

Stay informed about evolving guidance. AI technology and the regulatory landscape are both changing rapidly. Regularly review updates from your state bar association, the ABA, and other professional organizations. Consider attending continuing legal education programs on AI ethics and technology competence.

Final thoughts: The Future of Privacy Rights in an AI World 🔮

The OpenAI preservation order represents a pivotal moment in the collision between AI innovation and privacy rights. It exposes uncomfortable truths about the nature of digital privacy in 2025: privacy policies are subject to override by legal process, deletion features provide psychological comfort rather than technical and legal certainty, and third-party service providers cannot fully protect user data from discovery obligations.

For legal professionals, these realities demand a fundamental reassessment of how AI tools fit into practice. The convenience and efficiency AI provides must be balanced against the sacred duty to protect client confidences and maintain the attorney-client privilege. This is not an abstract concern or distant possibility. It is happening now, in real courtrooms, with real consequences for lawyers and clients.

State bars and regulators are responding, but the guidance remains fragmented and evolving. Federal privacy legislation addressing AI has yet to materialize, leaving a patchwork of state laws with varying requirements. In this environment, legal professionals cannot wait for perfect clarity before taking action.

The responsibility falls on each lawyer to understand the tools they use, the risks those tools create, and the steps necessary to fulfill ethical obligations in this new technological landscape. Ignorance is not a defense. "I didn't know the AI was storing that information" will not excuse a confidentiality breach or privilege waiver.

As AI becomes increasingly embedded in legal practice, the profession must evolve its approach to privacy and confidentiality. The traditional frameworks remain sound—the attorney-client privilege, the duty of confidentiality, the requirement of competence—but their application requires new vigilance. Lawyers must become technology stewards as well as legal advisors, understanding not just what the law says, but how the tools they use might undermine their ability to protect it.

The OpenAI case will not be the last time courts grapple with AI data privacy. As generative AI proliferates and litigation continues, more preservation orders, discovery disputes, and privilege challenges are inevitable. Legal professionals who fail to address these issues proactively may find themselves explaining to clients, judges, or disciplinary authorities why they treated confidential information so carelessly.

Privacy in the AI age demands more than passive reliance on vendor promises. It requires active, informed engagement with the technology we use and honest assessment of the risks we create. For lawyers, whose professional identity rests on the foundation of client trust and confidentiality, nothing less will suffice. The court ruling has made one thing abundantly clear: when it comes to AI and privacy, what you don't know can definitely hurt you—and your clients. ⚠️

🚨 AWS Outage Resolved: Critical Ethics Guidance for Lawyers Using Cloud-Based Legal Services

/ The Tech-Savvy Lawyer.Page/

Legal professionals don’t react but act when your online legal systems are down!

Amazon Web Services experienced a major outage on October 20, 2025, disrupting legal practice management platforms like Clio, MyCase, PracticePanther, LEAP, and Lawcus. The Domain Name Service (DNS) resolution failure in AWS's US-EAST-1 region was fully mitigated by 6:35 AM EDT after approximately three hours. BUT THIS DOES NOT MEAN THEY HAVE RESOLVED ALL OF THE BACK ISSUES THAT ORIGINATED DUE TO THE OUTAGE at the time of this posting.  Note: DNS - the internet's phone book that translates human-readable web addresses into the numerical IP addresses that computers actually use. When DNS fails, it's like having all the street signs disappear at once. Your destination still exists, but there's no way to find it.

Try clearing your browser’s cache - that may help resolve some of the issues.

‼️ TIP! ‼️

Try clearing your browser’s cache - that may help resolve some of the issues. ‼️ TIP! ‼️

Legal professionals, what are your protocols when your online legal services are down?!

Lawyers using cloud-dependent legal services must review their ethical obligations under ABA Model Rules 1.1 and comment [8] (technological competence), 1.6 (confidentiality), and 5.3 (supervision of third-party vendors). Key steps include: documenting the incident's impact on client matters (if any), assessing whether material client information was compromised, notifying affected current clients if data breach occurred, reviewing business continuity plans, and conducting due diligence on cloud providers' disaster recovery protocols. Law firms should verify their vendors maintain redundant backup systems, SSAE16 audited data centers, and clear data ownership policies. The outage highlights the critical need for lawyers to understand their cloud infrastructure dependencies and maintain contingency plans for service disruptions.

🔒 Word (Phrase) of the Week: “Zero Data Retention” Agreements: Why Every Lawyer Must Pay Attention Now!

/ The Tech-Savvy Lawyer.Page/

Understanding Zero Data Retention in Legal Practice

🚨 Lawyers Must Know Zero Data Retention Now!

Zero Data Retention (ZDR) agreements represent a fundamental shift in how law firms protect client confidentiality when using third-party technology services. These agreements ensure that sensitive client information is processed but never stored by vendors after immediate use. For attorneys navigating an increasingly digital practice environment, understanding ZDR agreements has become essential to maintaining ethical compliance.

ZDR works through a simple but powerful principle: access, process, and discard. When lawyers use services with ZDR agreements, the vendor connects to data only when needed, performs the requested task, and immediately discards all information without creating persistent copies. This architectural approach dramatically reduces the risk of data breaches and unauthorized access.

The Legal Ethics Crisis Hidden in Your Vendor Contracts

Recent court orders have exposed a critical vulnerability in how lawyers use technology. A federal court ordered OpenAI to preserve all ChatGPT conversation logs indefinitely, including deleted content—even for paying subscribers. This ruling affects millions of users and demonstrates how quickly data retention policies can change through litigation.

The implications for legal practice are severe. Attorneys using consumer-grade AI tools, standard cloud storage, or free collaboration platforms may unknowingly expose client confidences to indefinite retention. This creates potential violations of fundamental ethical obligations, regardless of the lawyer's intent or the vendor's original promises.

ABA Model Rules Create Mandatory Obligations

Three interconnected ABA Model Rules establish clear ethical requirements for lawyers using technology vendors.

Rule 1.1 and its Comment [8] requires technological competence. Attorneys must understand "the benefits and risks associated with relevant technology". This means lawyers cannot simply trust vendor marketing claims about data security. They must conduct meaningful due diligence before entrusting client information to any third party.

Rule 1.6 mandates confidentiality protection. Lawyers must "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client". This obligation extends to all digital communications and cloud-based storage. When vendors retain data beyond the immediate need, attorneys face heightened risks of unauthorized disclosure.

Rule 5.3 governs supervision of nonlawyer assistants. This rule applies equally to technology vendors who handle client information. Lawyers with managerial authority must ensure their firms implement measures that provide reasonable assurance that vendors comply with the attorney's professional obligations.

Practical Steps for Ethical Compliance

Attorneys must implement specific practices to satisfy their ethical obligations when selecting technology vendors.

1. Demand written confirmation of zero data retention policies from all vendors handling client information. Ask whether the vendor uses client data for training AI models. Determine how long any data remains accessible after processing. These questions must be answered clearly before using any service.

Lawyers Need Zero Data Retention Agreements!

Review vendor agreements carefully. Standard terms of service often fail to provide adequate confidentiality protections. Attorneys should negotiate explicit contractual provisions that prohibit data retention beyond immediate processing needs. These agreements must specify encryption standards, access controls, and breach notification procedures.

Obtain client consent when using third-party services that may access confidential information. While not always legally required, informed consent demonstrates respect for client autonomy and provides an additional layer of protection.

Conduct ongoing monitoring of vendor practices. Initial due diligence is insufficient. Technology changes rapidly, and vendors may alter their data handling practices. Regular reviews ensure continued compliance with ethical obligations.

Restrict employee use of unauthorized tools. Many data breaches stem from "shadow IT"—employees using personal accounts or unapproved services for work purposes. Clear policies and training can prevent inadvertent ethical violations.

The Distinction Between Consumer and Enterprise Services

Not all AI and cloud services create equal ethical risks. Consumer versions of popular tools often lack the security features required for legal practice. Enterprise subscriptions typically provide enhanced protections, including zero data retention options.

For example, OpenAI offers different service tiers with dramatically different data handling practices. ChatGPT Free, Plus, Pro, and Team subscriptions now face indefinite data retention due to court orders. However, ChatGPT Enterprise and API customers with ZDR agreements remain unaffected. This distinction matters enormously for attorney compliance.

Industry-Specific Legal AI Offers Additional Safeguards

Legal-specific AI platforms build confidentiality protections into their core architecture. These tools understand attorney-client privilege requirements and design their systems accordingly. They typically offer encryption, access controls, SOC 2 compliance, and explicit commitments not to use client data for training.

When evaluating legal technology vendors, attorneys should prioritize those offering private AI environments, end-to-end encryption, and contractual guarantees about data retention. These features align with the ethical obligations imposed by the Model Rules.

Zero Data Retention as Competitive Advantage

Beyond ethical compliance, ZDR agreements offer practical benefits. They reduce storage costs, simplify regulatory compliance, and minimize the attack surface for cybersecurity threats. In an era of increasing data breaches, the ability to tell clients that their information is never stored by third parties provides meaningful competitive differentiation.

Final Thoughts: Action Required Now

Lawyers must Protect Client Data with ZDR!

The landscape of legal technology changes constantly. Court orders can suddenly transform data retention policies. Vendors can modify their terms of service. New ethical opinions can shift compliance expectations.

Attorneys cannot afford passive approaches to vendor management. They must actively investigate, negotiate, and monitor the data handling practices of every technology provider accessing client information. Zero data retention agreements represent one powerful tool for maintaining ethical compliance in an increasingly complex technological environment.

The duty of confidentiality remains absolute, regardless of the tools lawyers choose. By demanding ZDR agreements and implementing comprehensive vendor management practices, attorneys can embrace technological innovation while protecting the fundamental trust that defines the attorney-client relationship.

🎙️ Ep. 122: Cybersecurity Essentials for Law Firms: Proven Strategies from Navy Veteran & Attorney Cordell Robinson

/ The Tech-Savvy Lawyer.Page/

My next guest is Cordell Brion Robinson, CEO of Brownstone Consulting Firm and a decorated US Navy veteran who brings an extraordinary combination of expertise to cybersecurity. With a background in Computer Science, Electrical Engineering, and law, plus experience as a Senior Intelligence Analyst, Cordell has created cybersecurity programs that comply with the National Institute of Standards and Technology, the Federal Information Security Management Act, and the Office of Management and Budget standards for both government and commercial organizations. His firm specializes in compliance services, performing security framework assessments globally for commercial and government entities. Currently, he's innovating the cybersecurity space through automation for security assessments. Beyond his professional accomplishments, Cordell runs the Shaping Futures Foundation, a nonprofit dedicated to empowering youth through education, demonstrating his commitment to giving back to the community.

Join Cordell Robinson and me as we discuss the following three questions and more! 🎙️

1. What are the top three cybersecurity practices that lawyers should immediately adopt to secure both client data and sensitive case material in their practice?

2. From your perspective as both a legal and cybersecurity expert, what are the top three technology tools or platforms that can help lawyers streamline compliance and governance requirements in a rapidly evolving regulatory environment?

3. What are the top three steps lawyers can take to overcome resistance to technology adoption in law firms, ensuring these tools actually improve outcomes and efficiency rather than just adding complexity

In our conversation, we cover the following: ⏱️

- 00:00:00 - Introduction and welcome to the podcast

- 00:00:30 - Cordell's current tech setup - Windows laptop, MacBook, and iPhone

- 00:01:00 - iPhone 17 Pro Max features including 48MP camera, 2TB storage, and advanced video capture

- 00:01:30 - iPhone 17 Air comparison and laptop webcam discussion

- 00:02:00 - VPN usage strategies - Government VPN for secure client communications

- 00:02:30 - Commercial client communications and secure file sharing practices

- 00:03:00 - Why email encryption matters and Mac Mail setup tutorial

- 00:04:00 - Bonus question: Key differences between commercial and government security work

- 00:05:00 - Security protocols comparison and navigating government red tape

- 00:06:00 - Question 1: Top three cybersecurity practices lawyers must implement immediately

- 00:06:30 - Understanding where client data comes from and having proper IT security professionals

- 00:07:00 - Implementing cybersecurity awareness training for all staff members

- 00:07:30 - Practical advice for solo and small practitioners without dedicated IT staff

- 00:08:00 - Proper email practices and essential security awareness training skills

- 00:08:30 - Handling data from average clients in sensitive cases like family law

- 00:09:00 - Social engineering considerations in contentious legal matters such as divorces

- 00:10:00 - Screening threats from seemingly reliable platforms - Google Play slop ads as recent example

- 00:10:30 - Tenable vulnerability scanning tool recommendation (approximately $1,500/year)

- 00:11:00 - Question 2: Technology tools for streamlining compliance and governance

- 00:11:30 - GRC tools for organizing compliance documentation across various price points

- 00:12:00 - SharePoint security lockdown and importance of proper system configuration

- 00:12:30 - Monitoring tools discussion - why no perfect solution exists and what to consider

- 00:13:00 - Being amenable to change and avoiding long-term contracts with security tools

- 00:14:00 - Question 3: Strategies for overcoming resistance to technology adoption

- 00:14:30 - Demonstrating efficiency and explaining the full implementation process

- 00:15:00 - Converting time savings to dollars and cents for senior attorney buy-in

- 00:15:30 - Mindset shift for billable hour attorneys and staying competitive in the market

- 00:16:00 - Being a technology Guinea pig and testing tools yourself first

- 00:16:30 - Showing real results to encourage buy-in from colleagues

- 00:17:00 - Real-world Microsoft Word example - styles, cross-references, and table of contents time savings

- 00:17:30 - Showing value add and how technology can bring in more revenue

- 00:18:00 - Where to find Cordell Robinson - LinkedIn, www.bcf-us.com, Brownstone Consulting Firm

- 00:18:30 - Company description and closing remarks

Resources 📚

Connect with Cordell Robinson:

Government & Compliance Frameworks:

Software & Tools: