MTC: The Hidden AI Crisis in Legal Practice: Why Lawyers Must Unmask Embedded Intelligence Before It's Too Late!

/ The Tech-Savvy Lawyer.Page/

Lawyers need Digital due diligence in order to say on top of their ethic’s requirements.

Artificial intelligence has infiltrated legal practice in ways most attorneys never anticipated. While lawyers debate whether to adopt AI tools, they've already been using them—often without knowing it. These "hidden AI" features, silently embedded in everyday software, present a compliance crisis that threatens attorney-client privilege, confidentiality obligations, and professional responsibility standards.

The Invisible Assistant Problem

Hidden AI operates in plain sight. Microsoft Word's Copilot suggests edits while you draft pleadings. Adobe Acrobat's AI Assistant automatically identifies contracts and extracts key terms from PDFs you're reviewing. Grammarly's algorithm analyzes your confidential client communications for grammar errors. Zoom's AI Companion transcribes strategy sessions with clients—and sometimes captures what happens after you disconnect.

DocuSign now deploys AI-Assisted Review to analyze agreements against predefined playbooks. Westlaw and Lexis+ embed generative AI directly into their research platforms, with hallucination rates between 17% and 33%. Even practice management systems like Clio and Smokeball have woven AI throughout their platforms, from automated time tracking descriptions to matter summaries.

The challenge isn't whether these tools provide value—they absolutely do. The crisis emerges because lawyers activate features without understanding the compliance implications.

ABA Model Rules Meet Modern Technology

The American Bar Association's Formal Opinion 512, issued in July 2024, makes clear that lawyers bear full responsibility for AI use regardless of whether they actively chose the technology or inherited it through software updates. Several Model Rules directly govern hidden AI features in legal practice.

Model Rule 1.1 requires competence, including maintaining knowledge about the benefits and risks associated with relevant technology. Comment 8 to this rule, adopted by most states, mandates that lawyers understand not just primary legal tools but embedded AI features within those tools. This means attorneys cannot plead ignorance when Microsoft Word's AI Assistant processes privileged documents.

Model Rule 1.6 imposes strict confidentiality obligations. Lawyers must make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client". When Grammarly accesses your client emails to check spelling, or when Zoom's AI transcribes confidential settlement discussions, you're potentially disclosing protected information to third-party AI systems.

Model Rule 5.3 extends supervisory responsibilities to "nonlawyer assistance," which includes non-human assistance like AI. The 2012 amendment changing "assistants" to "assistance" specifically contemplated this scenario. Lawyers must supervise AI tools with the same diligence they'd apply to paralegals or junior associates.

Model Rule 1.4 requires communication with clients about the means used to accomplish their objectives. This includes informing clients when AI will process their confidential information, obtaining informed consent, and explaining the associated risks.

Where Hidden AI Lurks in Legal Software

🚨 lawyers don’t breach your ethical duties with AI shortcuts!!!

Microsoft 365 Copilot integrates AI across Word, Outlook, and Teams—applications lawyers use hundreds of times daily. The AI drafts documents, summarizes emails, and analyzes meeting transcripts. Most firms that subscribe to Microsoft 365 have Copilot enabled by default in recent licensing agreements, yet many attorneys remain unaware their correspondence flows through generative AI systems.

Adobe Acrobat now automatically recognizes contracts and generates summaries with AI Assistant. When you open a PDF contract, Adobe's AI immediately analyzes it, extracts key dates and terms, and offers to answer questions about the document. This processing occurs before you explicitly request AI assistance.

Legal research platforms embed AI throughout their interfaces. Westlaw Precision AI and Lexis+ AI process search queries through generative models that hallucinate incorrect case citations 17% to 33% of the time according to Stanford research. These aren't separate features—they're integrated into the standard search experience lawyers rely upon daily.

Practice management systems deploy hidden AI for intake forms, automated time entry descriptions, and matter summaries. Smokeball's AutoTime AI generates detailed billing descriptions automatically. Clio integrates AI into client relationship management. These features activate without explicit lawyer oversight for each instance of use.

Communication platforms present particularly acute risks. Zoom AI Companion and Microsoft Teams AI automatically transcribe meetings and generate summaries. Otter.ai's meeting assistant infamously continued recording after participants thought a meeting ended, capturing investors' candid discussion of their firm's failures. For lawyers, such scenarios could expose privileged attorney-client communications or work product.

The Compliance Framework

Establishing ethical AI use requires systematic assessment. First, conduct a comprehensive technology audit. Inventory every software application your firm uses and identify embedded AI features. This includes obvious tools like research platforms and less apparent sources like PDF readers, email clients, and document management systems.

Second, evaluate each AI feature against confidentiality requirements. Review vendor agreements to determine whether the AI provider uses your data for model training, stores information after processing, or could disclose data in response to third-party requests. Grammarly, for example, offers HIPAA compliance but only for enterprise customers with 100+ seats who execute Business Associate Agreements. Similar limitations exist across legal software.

Third, implement technical safeguards. Disable AI features that lack adequate security controls. Configure settings to prevent automatic data sharing. Adobe and Microsoft both offer options to prevent AI from training on customer data, but these protections require active configuration.

Fourth, establish firm policies governing AI use. Designate responsibility for monitoring AI features in licensed software. Create protocols for evaluating new tools before deployment. Develop training programs ensuring all attorneys understand their obligations when using AI-enabled applications.

Fifth, secure client consent. Update engagement letters to disclose AI use in service delivery. Explain the specific risks associated with processing confidential information through AI systems. Document informed consent for each representation.

The Verification Imperative

ABA Formal Opinion 512 emphasizes that lawyers cannot delegate professional judgment to AI. Every output requires independent verification. When Westlaw Precision AI suggests research authorities, lawyers must confirm those cases exist and accurately reflect the law. When CoCounsel Drafting generates contract language in Microsoft Word, attorneys must review for accuracy, completeness, and appropriateness to the specific client matter.

The infamous Mata v. Avianca case, where lawyers submitted AI-generated briefs citing fabricated cases, illustrates the catastrophic consequences of failing to verify AI output. Every jurisdiction that has addressed AI ethics emphasizes this verification duty.

Cost and Billing Considerations

Formal Opinion 512 addresses whether lawyers can charge the same fees when AI accelerates their work. The opinion suggests lawyers cannot bill for time saved through AI efficiency under traditional hourly billing models. However, value-based and flat-fee arrangements may allow lawyers to capture efficiency gains, provided clients understand AI's role during initial fee negotiations.

Lawyers cannot bill clients for time spent learning AI tools—maintaining technological competence represents a professional obligation, not billable work. As AI becomes standard in legal practice, using these tools may become necessary to meet competence requirements, similar to how electronic research and e-discovery tools became baseline expectations.

Practical Steps for Compliance

Start by examining your Microsoft Office subscription. Determine whether Copilot is enabled and what data sharing settings apply. Review Adobe Acrobat's AI Assistant settings and disable automatic contract analysis if your confidentiality review hasn't been completed.

Contact your Westlaw and Lexis representatives to understand exactly how AI features operate in your research platform. Ask specific questions: Does the AI train on your search queries? How are hallucinations detected and corrected? What happens to documents you upload for AI analysis?

Audit your practice management system. If you use Clio, Smokeball, or similar platforms, identify every AI feature and evaluate its compliance with confidentiality obligations. Automatic time tracking that generates descriptions based on document content may reveal privileged information if billing statements aren't properly redacted.

Review video conferencing policies. Establish protocols requiring explicit disclosure when AI transcription activates during client meetings. Obtain informed consent before recording privileged discussions. Consider disabling AI assistants entirely for confidential matters.

Implement regular training programs. Technology competence isn't achieved once—it requires ongoing education as AI features evolve. Schedule quarterly reviews of new AI capabilities deployed in your software stack.

Final Thoughts 👉 The Path Forward

lawyers must be able to identify and contain ai within the tech tools they use for work!

Hidden AI represents both opportunity and obligation. These tools genuinely enhance legal practice by accelerating research, improving drafting, and streamlining administrative tasks. The efficiency gains translate into better client service and more competitive pricing.

However, lawyers cannot embrace these benefits while ignoring their ethical duties. The Model Rules apply with equal force to hidden AI as to any other aspect of legal practice. Ignorance provides no defense when confidentiality breaches occur or inaccurate AI-generated content damages client interests.

The legal profession stands at a critical juncture. AI integration will only accelerate as software vendors compete to embed intelligent features throughout their platforms. Lawyers who proactively identify hidden AI, assess compliance risks, and implement appropriate safeguards will serve clients effectively while maintaining professional responsibility.

Those who ignore hidden AI features operating in their daily practice face disciplinary exposure, malpractice liability, and potential privilege waivers. The choice is clear: unmask the hidden AI now, or face consequences later.

MTC

📖 Word ("Phrase") of the Week: Mobile Device Management: Essential Security for Today's Law Practice 📱🔒

/ The Tech-Savvy Lawyer.Page/

Mobile Device Management is an essential concept for lawyers.

Mobile Device Management (MDM) has become essential for law firms navigating today's mobile-first legal landscape. As attorneys increasingly access confidential client information from smartphones, tablets, and laptops outside traditional office settings, MDM technology provides the security framework necessary to protect sensitive data while enabling productive remote work.

Understanding MDM in Legal Practice

MDM refers to software that allows IT teams to remotely manage, secure, and support mobile devices used across an organization. For law firms, this technology provides centralized control to enforce password requirements, encrypt data, install security updates, locate devices, and remotely lock or wipe lost or stolen devices. These capabilities directly address the ethical obligations attorneys face under the ABA Model Rules of Professional Conduct.

Ethical Obligations Drive MDM Adoption

The legal profession faces unique ethical requirements regarding technology use. ABA Model Rule 1.1 requires lawyers to maintain technological competence, including understanding "the benefits and risks associated with relevant technology". Rule 1.6 mandates that lawyers "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client".

ABA Formal Opinion 498 specifically addresses virtual practice considerations. The opinion cautions that lawyers should disable listening capabilities of smart speakers and virtual assistants while discussing client matters unless the technology assists the law practice. This guidance underscores the importance of thoughtful technology implementation in legal practice.

Core MDM Features for Law Firms

Device encryption forms the foundation of MDM security. All client data should be encrypted both in transit and at rest, with granular permissions determining who accesses specific information. Remote wipe capabilities allow immediate data deletion when devices are lost or stolen, preventing unauthorized access to sensitive case information.

Application management enables IT teams to control which applications can access firm resources. Maintaining an approved application list and regularly scanning for vulnerable or unauthorized applications reduces security risks. Containerization separates personal and professional data, ensuring client information remains isolated and secure even if the device is compromised.

Compliance and Monitoring Benefits

lawyers, do you know where your mobile devices are?

MDM solutions help law firms maintain compliance with ABA guidelines, state bar requirements, and privacy laws. The systems generate detailed logs and reports on device activity, which prove vital during audits or internal investigations. Continuous compliance monitoring ensures devices meet security standards while automated checks flag devices falling below required security levels.

Implementation Best Practices

Successful MDM implementation requires establishing clear policies outlining device eligibility, security requirements, and user responsibilities. Firms should enforce device enrollment and compliance, requiring all users to register devices before accessing sensitive systems. Multi-factor authentication enhances security for sensitive data access.

Regular training ensures staff understand security expectations and compliance requirements. Automated software updates and security patches keep devices protected against evolving threats. Role-based access controls prevent unauthorized access to corporate resources by assigning permissions based on job functions.

MDM technology has evolved from optional convenience to ethical necessity. Law firms that implement comprehensive MDM strategies protect client confidentiality, meet professional obligations, and maintain competitive advantage in an increasingly mobile legal marketplace.

Keep Your Practice Safe - Stay Tech Savvy!!!

MTC: London's iPhone Theft Crisis: Critical Mobile Device Security Lessons for Traveling Lawyers 📱⚖️

/ The Tech-Savvy Lawyer.Page/

lawyers can learn about cyber mobile security from the recent iphone thefts in london

Recent events in London should serve as a wake-up call for every legal professional who carries client data beyond the office walls. London police recently dismantled a sophisticated international theft ring responsible for smuggling approximately 40,000 stolen iPhones to China in just twelve months. This operation revealed thieves earning up to £300 per stolen device, with phones reselling overseas for as much as $5,000. With over 80,000 phones stolen in London last year alone, this crisis underscores critical vulnerabilities that lawyers must address when working remotely.

The sophistication of these operations is alarming. Criminals on electric bikes snatch phones from unsuspecting victims and immediately wrap devices in aluminum foil to block tracking signals. This industrial-scale crime demonstrates that our mobile devices—which contain privileged communications, case strategies, and confidential client data—are valuable targets for organized criminal networks operating globally.

Your Ethical Obligations Are Clear

ABA Model Rule 1.1 requires lawyers to maintain competence, including understanding "the benefits and risks associated with relevant technology". This duty of technological competence has been adopted by over 40 states and isn't optional—it's fundamental to ethical practice. Model Rule 1.6(c) mandates that lawyers "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client".

When your phone disappears—whether through theft, loss, or border seizure—you face potential violations of these ethical duties. Recent data shows U.S. Customs and Border Protection searched 14,899 devices between April and June 2025, a 16.7% increase from previous surges. Lawyers traveling internationally face heightened risks, and a stolen or searched device can compromise attorney-client privilege instantly.

Essential Security Measures for Mobile Lawyers

Before leaving your office, implement these non-negotiable protections. Enable full-device encryption on all smartphones, tablets, and laptops. For iPhones, setting a passcode automatically enables encryption; Android users must manually activate this feature in security settings. Strong passwords matter—use alphanumeric combinations of at least 12 characters, avoiding easily guessed patterns.

lawyer need to know how to protect their client’s pii when crossing the boarder!

Two-factor authentication (2FA) adds critical protection layers. Even if someone obtains your password, 2FA requires secondary verification through your phone or authentication app. This simple step dramatically reduces unauthorized access risks. Configure remote wipe capabilities before traveling. If your device is stolen, you can erase all data remotely, protecting client information even when physical recovery is impossible.

Disable biometric authentication when traveling internationally. Face ID and fingerprint scanners can be used against you at borders where Fourth Amendment protections are diminished. Restart your device before crossing borders to force password-only access. Consider carrying a "clean" device for international travel, accessing files only through encrypted cloud storage rather than storing sensitive data locally.

Coffee Shops, Airports, and Public Spaces

Public Wi-Fi networks pose serious interception risks. Hackers create fake hotspots with legitimate-sounding names, capturing everything you transmit. As lawyers increasingly embrace cloud-based computing for their work, encryption when using public Wi-Fi becomes non-negotiable

Always use a trusted VPN (Virtual Private Network) when connecting to public networks. VPNs encrypt your internet traffic, preventing interception even on compromised networks. Alternatively, use your smartphone's personal hotspot rather than connecting to public Wi-Fi. Turn off file sharing on all mobile devices. Avoid accessing highly sensitive client files in public spaces altogether—save detailed case work for secure, private connections.

Physical security deserves equal attention. Visual privacy screens prevent shoulder surfing. Position yourself with your back to walls in coffee shops so others cannot observe your screen. Be alert to your surroundings and maintain physical control of devices at all times. Never leave laptops, tablets, or phones unattended, even briefly.

Border Crossings and International Travel

Lawyers crossing international borders face unique challenges. CBP policies permit extensive device searches within 100 miles of borders under the border search exception, significantly reducing Fourth Amendment protections. New York State Bar Association Ethics Opinion 2017-5 addresses lawyers' duties when traveling with client data across borders.

The reasonableness standard governs your obligations. Evaluate whether you truly need to bring confidential information across borders. If travel requires client data, bring only materials professionally necessary for your specific purpose. Consider these strategies: store files in encrypted cloud services rather than locally; use strong passwords and disable biometric authentication; carry your bar card to identify yourself as an attorney if questioned; identify which files contain privileged information before reaching the border.

If border agents demand device access, clearly state that you are an attorney and the device contains privileged client communications. Ask whether the request is optional or mandatory. If agents conduct a search, document what occurred and consider whether client notification is required under Rule 1.4. New York Rule 1.6 requires taking reasonable steps to prevent unauthorized disclosure, with heightened precautions necessary when government agencies are opposing parties.

Practical Implementation Today

Create firm policies addressing mobile device security. Require immediate reporting of lost or stolen devices. Implement Mobile Device Management (MDM) software to monitor, secure, and remotely wipe all connected devices. Conduct regular security awareness training covering email practices, phishing recognition, and social engineering tactics.

Develop an Incident Response Plan before breaches occur. Know which experts to contact, document cybersecurity policies, and establish notification protocols. Under various state laws and regulations like California Civil Code § 1.798.82 and HIPAA's Breach Notification Rule, lawyers may be legally required to notify clients of data breaches.

Lawyers are on the front line of cybersecurity when on the go!

Communicate with clients about security measures. Obtain informed consent regarding electronic communications and any security limitations. Some firms include these discussions in engagement letters, setting clear expectations about communication methods and encryption use.

Stay current with evolving threats. Subscribe to legal technology security bulletins. The Tech-Savvy Lawyer blog regularly covers mobile security issues, including recent coverage of the SlopAds malware campaign that compromised 224 Android applications on Google Play Store. Technology competence requires ongoing learning as threats and safeguards evolve.

The Bottom Line

The London iPhone theft crisis demonstrates that our devices are valuable targets for sophisticated criminal networks operating internationally. Every lawyer who works outside the office—whether at coffee shops, client meetings, or international destinations—must take mobile security seriously. Your ethical obligations under Model Rules 1.1 and 1.6 demand it. Your clients' confidential information depends on it. Your professional reputation requires it.

Implementing these security measures isn't complicated or expensive. Enable encryption. Use strong passwords and 2FA. Avoid public Wi-Fi or use VPNs. Disable biometrics when traveling. Maintain physical control of devices. These straightforward steps significantly reduce risks while allowing you to work effectively from anywhere.

The legal profession has embraced mobile technology's benefits—now we must address its risks with equal commitment. Don't wait for a theft, loss, or border seizure to prompt action. Protect your clients' confidential information today.

MTC

📖 Word of the Week: The Meaning of “Data Governance” and the Modern Law Practice - Your Essential Guide for 2025

/ The Tech-Savvy Lawyer.Page/

Understanding Data Governance: A Lawyer's Blueprint for Protecting Client Information and Meeting Ethical Obligations

Lawyers need to know about “DAta governance” and how it affects their practice of law.

Data governance has emerged as one of the most critical responsibilities facing legal professionals today. The digital transformation of legal practice brings tremendous efficiency gains but also creates significant risks to client confidentiality and attorney ethical obligations. Every email sent, document stored, and case file managed represents a potential vulnerability that requires careful oversight.

What Data Governance Means for Lawyers

Data governance encompasses the policies, procedures, and practices that ensure information is managed consistently and reliably throughout its lifecycle. For legal professionals, this means establishing clear frameworks for how client information is collected, stored, accessed, shared, retained, and ultimately deleted. The goal is straightforward: protect sensitive client data while maintaining the accessibility needed for effective representation.

The framework defines who can take which actions with specific data assets. It establishes ownership and stewardship responsibilities. It classifies information by sensitivity and criticality. Most importantly for attorneys, it ensures compliance with ethical rules while supporting operational efficiency.

The Ethical Imperative Under ABA Model Rules

The American Bar Association Model Rules of Professional Conduct create clear mandates for lawyers regarding technology and data management. These obligations serve as an excellent source of guidance regardless of whether your state has formally adopted specific technology competence requirements. BUT REMEMBER ALWAYS FOLLOW YOUR STATE’S ETHIC’S RULES FIRST!

Model Rule 1.1 addresses competence and was amended in 2012 to explicitly include technological competence. Comment 8 now requires lawyers to "keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology". This means attorneys must understand the data systems they use for client representation. Ignorance of technology is no longer acceptable.

Model Rule 1.6 governs confidentiality of information. The rule requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client". Comment 18 specifically addresses the need to safeguard information against unauthorized access by third parties. This creates a direct ethical obligation to implement appropriate data security measures.

Model Rule 5.3 addresses responsibilities regarding nonlawyer assistants. This rule extends to technology vendors and service providers who handle client data. Lawyers must ensure that third-party vendors comply with the same ethical obligations that bind attorneys. This requires due diligence when selecting cloud storage providers, practice management software, and artificial intelligence tools.

The High Cost of Data Governance Failures

lawyers need to know the multiple facets of data Governance

Law firms face average data breach costs of $5.08 million. These financial losses pale in comparison to the reputational damage and loss of client trust that follows a security incident. A single breach can expose trade secrets, privileged communications, and personally identifiable information.

The consequences extend beyond monetary damages. Ethical violations can result in disciplinary action. Inadequate data security arguably constitutes a failure to fulfill the duty of confidentiality under Rule 1.6. Some jurisdictions have issued ethics opinions requiring attorneys to notify clients of breaches resulting from lawyer negligence.

Recent guidance from state bars emphasizes that lawyers must self-report breaches involving client data exposure. The ABA's Formal Opinion 483 addresses data breach obligations directly. The opinion confirms that lawyers have duties under Rules 1.1, 1.4, 1.6, 5.1, and 5.3 related to cybersecurity.

Building Your Data Governance Framework

Implementing effective data governance requires systematic planning and execution. The process begins with understanding your current data landscape.

Step One: Conduct a Data Inventory

Identify all data assets within your practice. Catalog their sources, types, formats, and locations. Map how data flows through your firm from creation to disposal. This inventory reveals where client information resides and who has access to it.

Step Two: Classify Your Data

Not all information requires the same level of protection. Establish a classification system based on sensitivity and confidentiality. Many firms use four levels: public, internal, confidential, and restricted.

Privileged attorney-client communications require the highest protection level. Publicly filed documents may still be confidential under Rule 1.6, contrary to common misconception. Client identity itself often qualifies as protected information.

Step Three: Define Access Controls

Implement role-based access controls that limit data exposure. Apply the principle of least privilege—users should access only information necessary for their specific responsibilities. Multi-factor authentication adds essential security for sensitive systems.

Step Four: Establish Policies and Procedures

Document clear policies governing data handling. Address encryption requirements for data at rest and in transit. Set retention schedules that balance legal obligations with security concerns. Create incident response plans for potential breaches.

Step Five: Train Your Team

The human element represents the greatest security vulnerability. Sixty-eight percent of data breaches involve human error. Regular training ensures staff understand their responsibilities and can recognize threats. Training should cover phishing awareness, password security, and proper data handling procedures.

Step Six: Monitor and Audit

Continuous oversight maintains governance effectiveness. Regular audits identify vulnerabilities before they become breaches. Review access logs for unusual activity. Update policies as technology and regulations evolve.

Special Considerations for Artificial Intelligence

The rise of generative AI tools creates new data governance challenges. ABA Formal Opinion 512 specifically addresses AI use in legal practice. Lawyers must understand whether AI systems are "self-learning" and use client data for training.

Many consumer AI platforms retain and learn from user inputs. Uploading confidential client information to ChatGPT or similar tools may constitute an ethical violation. Even AI tools marketed to law firms require careful vetting.

Before using any AI system with client data, obtain informed consent. Boilerplate language in engagement letters is insufficient. Clients need clear explanations of how their information will be used and what risks exist.

Vendor Management and Third-Party Risk

Lawyers cannot delegate their ethical obligations to technology vendors. Rule 5.3 requires reasonable efforts to ensure nonlawyer assistants comply with professional obligations. This extends to cloud storage providers, case management platforms, and cybersecurity consultants.

Before engaging any vendor handling client data, conduct thorough due diligence. Verify the vendor maintains appropriate security certifications like SOC 2, ISO 27001, or HIPAA compliance. Review vendor contracts to ensure adequate data protection provisions. Understand where data will be stored and who will have access.

The Path Forward

lawyers need to advocate data governance for their clients!

Data governance is not optional for modern legal practice. It represents a fundamental ethical obligation under multiple Model Rules. Client trust depends on proper data stewardship.

Begin with a realistic assessment of your current practices. Identify gaps between your current state and ethical requirements. Develop policies that address your specific risks and practice areas. Implement controls systematically rather than attempting wholesale transformation overnight.

Remember that data governance is an ongoing process requiring continuous attention. Technology evolves. Threats change. Regulations expand. Your governance framework must adapt accordingly.

The investment in proper data governance protects your clients, your practice, and your professional reputation. More importantly, it fulfills your fundamental ethical duty to safeguard client confidences in an increasingly digital world.

MTC: 🔒 Your AI Conversations Aren't as Private as You Think: What the OpenAI Court Ruling Means for Legal Professionals

/ The Tech-Savvy Lawyer.Page/

A watershed moment in digital privacy has arrived, and it carries profound implications for lawyers and their clients.

The recent court ruling in In re: OpenAI, Inc., Copyright Infringement Litigation has exposed a critical vulnerability in the relationship between artificial intelligence tools and user privacy rights. On May 13, 2025, U.S. Magistrate Judge Ona T. Wang issued an order requiring OpenAI to "preserve and segregate all output log data that would otherwise be deleted on a going forward basis". This unprecedented directive affected more than 400 million ChatGPT users worldwide and fundamentally challenged assumptions about data privacy in the AI era.[1][2][3][4]

While the court modified its order on October 9, 2025, terminating the blanket preservation requirement as of September 26, 2025, the damage to user trust and the precedent for future litigation remain significant. More importantly, the ruling illuminates a stark reality for legal professionals: the "delete" button offers an illusion of control rather than genuine data protection.

The Court Order That Changed Everything ⚖️

The preservation order emerged from a copyright infringement lawsuit filed by The New York Times against OpenAI in December 2023. The Times alleged that OpenAI unlawfully used millions of its articles to train ChatGPT without permission or compensation. During discovery, concerns arose that OpenAI had been deleting user conversations that could potentially demonstrate copyright violations.

Judge Wang's response was sweeping. The court ordered OpenAI to retain all ChatGPT output logs, including conversations users believed they had permanently deleted, temporary chats designed to auto-delete after sessions, and API-generated outputs regardless of user privacy settings. The order applied retroactively, meaning conversations deleted months or even years earlier remained archived in OpenAI's systems.

OpenAI immediately appealed, arguing the order was overly broad and compromised user privacy. The company contended it faced conflicting obligations between the court's preservation mandate and "numerous privacy laws and regulations throughout the country and the world". Despite these objections, Judge Wang denied OpenAI's motion, prioritizing the preservation of potential evidence over privacy concerns.

The October 9, 2025 stipulation and order brought partial relief. OpenAI's ongoing obligation to preserve all new output log data terminated as of September 26, 2025. However, all data preserved before that cutoff remains accessible to plaintiffs (except for users in the European Economic Area, Switzerland, and the United Kingdom). Additionally, OpenAI must continue preserving output logs from specific domains identified by the New York Times and may be required to add additional domains as the litigation progresses.

Privacy Rights in the Age of AI: An Eroding Foundation 🛡️

This case demonstrates that privacy policies are not self-enforcing legal protections. Users who relied on OpenAI's representations about data deletion discovered those promises could be overridden by court order without their knowledge or consent. The "temporary chat" feature, marketed as providing ephemeral conversations, proved anything but temporary when litigation intervened.

The implications extend far beyond this single case. The ruling establishes that AI-generated content constitutes discoverable evidence subject to preservation orders. Courts now view user conversations with AI not as private exchanges but as potential legal records that can be compelled into evidence.

For legal professionals, this reality is particularly troubling. Lawyers regularly handle sensitive client information that must remain confidential under both ethical obligations and the attorney-client privilege. The court order revealed that even explicitly deleted conversations may be retained indefinitely when litigation demands it.

The Attorney-Client Privilege Crisis 👥

Attorney-client privilege protects confidential communications between lawyers and clients made for the purpose of obtaining or providing legal advice. This protection is fundamental to the legal system. However, the privilege can be waived through voluntary disclosure to third parties outside the attorney-client relationship.

When lawyers input confidential client information into public AI platforms like ChatGPT, they potentially create a third-party disclosure that destroys privilege. Many generative AI systems learn from user inputs, incorporating that information into their training data. This means privileged communications could theoretically appear in responses to other users' queries.

The OpenAI preservation order compounds these concerns. It demonstrates that AI providers cannot guarantee data will be deleted upon request, even when their policies promise such deletion. Lawyers who used ChatGPT's temporary chat feature or deleted sensitive conversations believing those actions provided privacy protection now discover their confidential client communications may be preserved indefinitely as litigation evidence.

The risk is not theoretical. In the now-famous Mata v. Avianca, Inc. case, a lawyer used a free version of ChatGPT to draft a legal brief containing fabricated citations. While the lawyer faced sanctions for submitting false information to the court, legal ethics experts noted the confidentiality implications of the increasingly specific prompts the attorney used, which may have revealed client confidential information.

ABA Model Rules and AI: What Lawyers Must Know 📋

The American Bar Association's Model Rules of Professional Conduct govern lawyer behavior, and while these rules predate generative AI, they apply with full force to its use. On July 29, 2024, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 512, providing the first comprehensive guidance on lawyers' use of generative AI.

Model Rule 1.1: Competence requires lawyers to provide competent representation, including maintaining "legal knowledge, skill, thoroughness and preparation reasonably necessary for representation". The rule's commentary [8] specifically states lawyers must understand "the benefits and risks associated with relevant technology". Opinion 512 clarifies that lawyers need not become AI experts, but must have a "reasonable understanding of the capabilities and limitations of the specific GenAI technology" they use. This is not a one-time obligation. Given AI's rapid evolution, lawyers must continuously update their understanding.

Model Rule 1.6: Confidentiality creates perhaps the most significant ethical challenge for AI use. The rule prohibits lawyers from revealing "information relating to the representation of a client" and requires them to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation". Self-learning AI tools that train on user inputs create substantial risk of improper disclosure. Information entered into public AI systems may be stored, processed by third-party vendors, and potentially accessed by company employees or incorporated into model training. Opinion 512 recommends lawyers obtain informed client consent before inputting any information related to representation into AI systems. Lawyers must also thoroughly review the terms of use, privacy policies, and contractual agreements of any AI tool they employ.

Model Rule 1.4: Communication obligates lawyers to keep clients reasonably informed about their representation. When using AI tools, lawyers should disclose this fact to clients, particularly when the AI processes client information or could impact the representation. Clients have a right to understand how their matters are being handled and what technologies may access their confidential information.[25][22][20][21]

Model Rule 3.3: Candor Toward the Tribunal requires lawyers to be truthful in their representations to courts. AI systems frequently produce "hallucinations"—plausible-sounding but entirely fabricated information, including fake case citations. Lawyers remain fully responsible for verifying all AI outputs before submitting them to courts or relying on them for legal advice. The Mata v. Avianca case serves as a cautionary tale of the consequences when lawyers fail to fulfill this obligation.

Model Rules 5.1 and 5.3: Supervisory Responsibilities make lawyers responsible for the conduct of other lawyers and nonlawyer assistants working under their supervision. When staff members use AI tools, supervising lawyers must ensure appropriate policies, training, and oversight exist to prevent ethical violations.

Model Rule 1.5: Fees requires lawyers to charge reasonable fees. Opinion 512 addresses whether lawyers can bill clients for time "saved" through AI efficiency gains. The guidance suggests that when using hourly billing, efficiencies gained through AI should benefit clients. However, lawyers may pass through reasonable direct costs of AI services (such as subscription fees) when properly disclosed and agreed upon in advance.

State-by-State Variations: A Patchwork of Protection 🗺️

While the ABA Model Rules provide a national framework, individual states adopt and interpret ethics rules differently. Legal professionals must understand their specific state's requirements, which can vary significantly.[2

Lawyers must protect client’s PII from AI privacy failures!

Florida has taken a proactive stance. In January 2025, The Florida Bar Board of Governors unanimously approved Advisory Opinion 24-1, which specifically addresses generative AI use. The opinion recommends lawyers obtain "affected client's informed consent prior to utilizing a third-party generative AI program if the utilization would involve the disclosure of any confidential information". Florida's guidance emphasizes that lawyers remain fully responsible for AI outputs and cannot treat AI as a substitute for legal judgment.

Texas issued Opinion 705 from its State Bar Professional Ethics Committee in February 2025. The opinion outlines four key obligations: lawyers must reasonably understand AI technology before using it, exercise extreme caution when inputting confidential information into AI tools that might store or expose client data, verify the accuracy of all AI outputs, and avoid charging clients for time saved by AI efficiency gains. Texas also emphasizes that lawyers should consider informing clients when AI will be used in their matters.

New York has developed one of the most comprehensive frameworks through its State Bar Association Task Force on Artificial Intelligence. The April 2024 report provides a thorough analysis across the full spectrum of ethical considerations, including competence, confidentiality, client communication, billing practices, and access to justice implications. New York's guidance stands out for addressing both immediate practical considerations and longer-term questions about AI's transformation of the legal profession.

Alaska issued Ethics Opinion 2025-1 surveying AI issues with particular focus on competence, confidentiality, and billing. The opinion notes that when using non-closed AI systems (such as general consumer products), lawyers should anonymize prompts to avoid revealing client confidential information. Alaska's guidance explicitly cites to its cloud-computing predecessor opinion, treating AI data storage similarly to law firm files on third-party remote servers.

California, Massachusetts, New Jersey, and Oregon have issued guidance through their state attorneys general on how existing state privacy laws apply to AI. California's advisories emphasize that AI use must comply with the California Consumer Privacy Act (CCPA), requiring transparency, respecting individual data rights, and limiting data processing to what is "reasonably necessary and proportionate". Massachusetts focuses on consumer protection, anti-discrimination, and data security requirements. Oregon highlights that developers using personal data to train AI must clearly disclose this use and obtain explicit consent when dealing with sensitive data.[31]

These state-specific approaches create a complex compliance landscape. A lawyer practicing in multiple jurisdictions must understand and comply with each state's requirements. Moreover, state privacy laws like the CCPA and similar statutes in other states impose additional obligations beyond ethics rules.

Enterprise vs. Consumer AI: Understanding the Distinction 💼

Not all AI tools pose equal privacy risks. The OpenAI preservation order highlighted critical differences between consumer-facing products and enterprise solutions.

Consumer Plans (Free, Plus, Pro, and Team) were fully subject to the preservation order. These accounts store user conversations on OpenAI's servers with limited privacy protections. While users can delete conversations, the court order demonstrated that those deletions are not permanent. OpenAI retains the technical capability to preserve and access this data when required by legal process.

Enterprise Accounts offer substantially stronger privacy protections. ChatGPT Enterprise and Edu plans were excluded from the preservation order's broadest requirements. These accounts typically include contractual protections such as Data Processing Agreements (DPAs), commitments against using customer data for model training, and stronger data segregation. However, even enterprise accounts must preserve data when covered by specific legal orders.

Zero Data Retention Agreements provide the highest level of protection. Users who have negotiated such agreements with OpenAI are excluded from data preservation requirements. These arrangements ensure that user data is not retained beyond the immediate processing necessary to generate responses.

For legal professionals, the lesson is clear: consumer-grade AI tools are inappropriate for handling confidential client information. Lawyers who use AI must ensure they employ enterprise-level solutions with proper contractual protections, or better yet, closed systems where client data never leaves the firm's control.

Practical Steps for Legal Professionals: Protecting Privilege and Privacy 🛠️

Given these risks, what should lawyers do? Abandoning AI entirely is neither realistic nor necessary. Instead, legal professionals must adopt a risk-management approach.

Conduct thorough due diligence before adopting any AI tool. Review terms of service, privacy policies, and data processing agreements in detail. Understand exactly what data the AI collects, how long it's retained, whether it's used for model training, who can access it, and what security measures protect it. If these answers aren't clear from public documentation, contact the vendor directly for written clarification.

Implement written AI policies for your firm or legal department. These policies should specify which AI tools are approved for use, what types of information can (and cannot) be input into AI systems, required safeguards such as data anonymization, client consent requirements, verification procedures for AI outputs, and training requirements for all staff. Document these policies and ensure all lawyers and staff understand and follow them.

Default to data minimization. Before inputting any information into an AI system, ask whether it's necessary. Can you accomplish the task without including client-identifying information? Many AI applications work effectively with anonymized or hypothetical scenarios that don't reveal actual client matters. When in doubt, err on the side of caution.

Obtain informed client consent when using AI for client matters, particularly when inputting any information related to the representation. This consent should be specific about what AI tools will be used, what information may be shared with those tools, what safeguards are in place, and what risks exist despite those safeguards. General consent buried in engagement agreements is likely insufficient.

Use secure, purpose-built legal AI tools rather than consumer applications. Legal-specific AI products are designed with confidentiality requirements in mind and typically offer stronger privacy protections. Even better, consider closed-system AI that operates entirely within your firm's infrastructure without sending data to external servers.

Never assume deletion means erasure. The OpenAI case proves that deleted data may not be truly gone. Treat any information entered into an AI system as potentially permanent, regardless of what the system's privacy settings claim.

Maintain privileged communication protocols. Remember that AI is not your attorney. Communications with AI systems are not protected by attorney-client privilege. Never use AI as a substitute for consulting with qualified colleagues or outside counsel on genuinely privileged matters.

Stay informed about evolving guidance. AI technology and the regulatory landscape are both changing rapidly. Regularly review updates from your state bar association, the ABA, and other professional organizations. Consider attending continuing legal education programs on AI ethics and technology competence.

Final thoughts: The Future of Privacy Rights in an AI World 🔮

The OpenAI preservation order represents a pivotal moment in the collision between AI innovation and privacy rights. It exposes uncomfortable truths about the nature of digital privacy in 2025: privacy policies are subject to override by legal process, deletion features provide psychological comfort rather than technical and legal certainty, and third-party service providers cannot fully protect user data from discovery obligations.

For legal professionals, these realities demand a fundamental reassessment of how AI tools fit into practice. The convenience and efficiency AI provides must be balanced against the sacred duty to protect client confidences and maintain the attorney-client privilege. This is not an abstract concern or distant possibility. It is happening now, in real courtrooms, with real consequences for lawyers and clients.

State bars and regulators are responding, but the guidance remains fragmented and evolving. Federal privacy legislation addressing AI has yet to materialize, leaving a patchwork of state laws with varying requirements. In this environment, legal professionals cannot wait for perfect clarity before taking action.

The responsibility falls on each lawyer to understand the tools they use, the risks those tools create, and the steps necessary to fulfill ethical obligations in this new technological landscape. Ignorance is not a defense. "I didn't know the AI was storing that information" will not excuse a confidentiality breach or privilege waiver.

As AI becomes increasingly embedded in legal practice, the profession must evolve its approach to privacy and confidentiality. The traditional frameworks remain sound—the attorney-client privilege, the duty of confidentiality, the requirement of competence—but their application requires new vigilance. Lawyers must become technology stewards as well as legal advisors, understanding not just what the law says, but how the tools they use might undermine their ability to protect it.

The OpenAI case will not be the last time courts grapple with AI data privacy. As generative AI proliferates and litigation continues, more preservation orders, discovery disputes, and privilege challenges are inevitable. Legal professionals who fail to address these issues proactively may find themselves explaining to clients, judges, or disciplinary authorities why they treated confidential information so carelessly.

Privacy in the AI age demands more than passive reliance on vendor promises. It requires active, informed engagement with the technology we use and honest assessment of the risks we create. For lawyers, whose professional identity rests on the foundation of client trust and confidentiality, nothing less will suffice. The court ruling has made one thing abundantly clear: when it comes to AI and privacy, what you don't know can definitely hurt you—and your clients. ⚠️

🚨 AWS Outage Resolved: Critical Ethics Guidance for Lawyers Using Cloud-Based Legal Services

/ The Tech-Savvy Lawyer.Page/

Legal professionals don’t react but act when your online legal systems are down!

Amazon Web Services experienced a major outage on October 20, 2025, disrupting legal practice management platforms like Clio, MyCase, PracticePanther, LEAP, and Lawcus. The Domain Name Service (DNS) resolution failure in AWS's US-EAST-1 region was fully mitigated by 6:35 AM EDT after approximately three hours. BUT THIS DOES NOT MEAN THEY HAVE RESOLVED ALL OF THE BACK ISSUES THAT ORIGINATED DUE TO THE OUTAGE at the time of this posting.  Note: DNS - the internet's phone book that translates human-readable web addresses into the numerical IP addresses that computers actually use. When DNS fails, it's like having all the street signs disappear at once. Your destination still exists, but there's no way to find it.

Try clearing your browser’s cache - that may help resolve some of the issues.

‼️ TIP! ‼️

Try clearing your browser’s cache - that may help resolve some of the issues. ‼️ TIP! ‼️

Legal professionals, what are your protocols when your online legal services are down?!

Lawyers using cloud-dependent legal services must review their ethical obligations under ABA Model Rules 1.1 and comment [8] (technological competence), 1.6 (confidentiality), and 5.3 (supervision of third-party vendors). Key steps include: documenting the incident's impact on client matters (if any), assessing whether material client information was compromised, notifying affected current clients if data breach occurred, reviewing business continuity plans, and conducting due diligence on cloud providers' disaster recovery protocols. Law firms should verify their vendors maintain redundant backup systems, SSAE16 audited data centers, and clear data ownership policies. The outage highlights the critical need for lawyers to understand their cloud infrastructure dependencies and maintain contingency plans for service disruptions.

MTC: Lawyers, Generative AI, and the Right to Privacy: Navigating Ethics, Client Confidentiality, and Public Data in the Digital Age

/ The Tech-Savvy Lawyer.Page/

Modern attorneys need to tackle AI ethics and privacy risks.

The legal profession stands at a critical crossroads as generative AI tools like ChatGPT become increasingly integrated into daily practice. While these technologies offer unprecedented efficiency and insight, they also raise urgent questions about client privacy, data security, and professional ethics—questions that every lawyer, regardless of technical proficiency, must confront.

Recent developments have brought these issues into sharp focus. OpenAI, the company behind ChatGPT, was recently compelled to preserve all user chats for legal review, highlighting how data entered into generative AI systems can be stored, accessed, and potentially scrutinized by third parties. For lawyers, this is not a theoretical risk; it is a direct challenge to the core obligations of client confidentiality and the right to privacy.

The ABA Model Rules and Generative AI

The American Bar Association’s Model Rules of Professional Conduct are clear: Rule 1.6 requires lawyers to “act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure”. This duty extends beyond existing clients to former and prospective clients under Rules 1.9 and 1.18. Crucially, the obligation applies even to information that is publicly accessible or contained in public records, unless disclosure is authorized or consented to by the client.

Attorneys need to explain generative AI privacy concerns to client.

The ABA’s recent Formal Opinion 512 underscores these concerns in the context of generative AI. Lawyers must fully consider their ethical obligations, including competence, confidentiality, informed consent, and reasonable fees when using AI tools. Notably, the opinion warns that boilerplate consent in engagement letters is not sufficient; clients must be properly informed about how their data may be used and stored by AI systems.

Risks of Generative AI: PII, Case Details, and Public Data

Generative AI tools, especially those that are self-learning, can retain and reuse input data, including Personally Identifiable Information (PII) and case-specific details. This creates a risk that confidential information could be inadvertently disclosed or cross-used in other cases, even within a closed firm system. In March 2023, a ChatGPT data leak allowed users to view chat histories of others, illustrating the real-world dangers of data exposure.

Moreover, lawyers may be tempted to use client public data—such as court filings or news reports—in AI-powered research or drafting. However, ABA guidance and multiple ethics opinions make it clear: confidentiality obligations apply even to information that is “generally known” or publicly accessible, unless the client has given informed consent or an exception applies. The act of further publicizing such data, especially through AI tools that may store and process it, can itself breach confidentiality.

Practical Guidance for the Tech-Savvy (and Not-So-Savvy) Lawyer

Lawyers can face disciplinary hearing over unethical use of generative AI.

The Tech-Savvy Lawyer.Page Podcast Episode 99, “Navigating the Intersection of Law Ethics and Technology with Jayne Reardon and other The Tech-Savvy Lawyer.Page postings offer practical insights for lawyers with limited to moderate tech skills. The message is clear: lawyers must be strategic, not just enthusiastic, about legal tech adoption. This means:

  • Vetting AI Tools: Choose AI platforms with robust privacy protections, clear data handling policies, and transparent security measures.

  • Obtaining Informed Consent: Clearly explain to clients how their information may be used, stored, or processed by AI systems—especially if public data or PII is involved.

  • Limiting Data Input: Avoid entering sensitive client details, PII, or case specifics into generative AI tools unless absolutely necessary and with explicit client consent.

  • Monitoring for Updates: Stay informed about evolving ABA guidance, state bar opinions, and the technical capabilities of AI tools.

  • Training and Policies: Invest in ongoing education and firm-wide policies to ensure all staff understand the risks and responsibilities associated with AI use.

Conclusion

The promise of generative AI in law is real, but so are the risks. As OpenAI’s recent legal challenges and the ABA’s evolving guidance make clear, lawyers must prioritize privacy, confidentiality, and ethics at every step. By embracing technology with caution, transparency, and respect for client rights, legal professionals can harness AI’s benefits without compromising the foundational trust at the heart of the attorney-client relationship.

MTC

MTC: Florida Bar's Proposed Listserv Rule: A Digital Wake-Up Call for Legal Professionals.

/ The Tech-Savvy Lawyer.Page/

not just Florida Lawyers should be reacting to New Listserv Ethics Rules!

The Florida Bar's proposed Advisory Opinion 25-1 regarding lawyers' use of listservs represents a crucial moment for legal professionals navigating the digital landscape. This proposed guidance should serve as a comprehensive reminder about the critical importance of maintaining client confidentiality in our increasingly connected professional world.

The Heart of the Matter: Confidentiality in Digital Spaces 💻

The Florida Bar's Professional Ethics Committee has recognized that online legal discussion groups and peer-to-peer listservs provide invaluable resources for practitioners. These platforms facilitate contact with experienced professionals and offer quick feedback on legal developments. However, the proposed opinion emphasizes that lawyers participating in listservs must comply with Rule 4-1.6 of the Rules Regulating The Florida Bar.

The proposed guidance builds upon the American Bar Association's Formal Opinion 511, issued in 2024, which prohibits lawyers from posting questions or comments relating to client representations without informed consent if there's a reasonable likelihood that client identity could be inferred. This nationwide trend reflects growing awareness of digital confidentiality challenges facing modern legal practitioners.

National Landscape of Ethics Opinions 📋

🚨 BOLO: florida is not the only state that has rules related to lawyers discussing cases online!

The Florida Bar's approach aligns with a broader national movement addressing lawyer ethics in digital communications. Multiple jurisdictions have issued similar guidance over the past two decades. Maryland's Ethics Opinion 2015-03 established that hypotheticals are permissible only when there's no likelihood of client identification. Illinois Ethics Opinion 12-15 permits listserv guidance without client consent only when inquiries won't reveal client identity.

Technology Competence and Professional Responsibility 🎯

I regularly addresses these evolving challenges for legal professionals. As noted in many of The Tech-Savvy Lawyer.Page Podcast's discussions, lawyers must now understand both the benefits and risks of relevant technology under ABA Model Rule 1.1 Comment 8. Twenty-seven states have adopted revised versions of this comment, making technological competence an ethical obligation.

The proposed Florida rule reflects this broader trend toward requiring lawyers to understand their digital tools. Comment 8 to Rule 1.1 advises lawyers to "keep abreast of changes in the law and its practice," including technological developments. This requirement extends beyond simple familiarity to encompass understanding how technology impacts client confidentiality.

Practical Implications for Legal Practice 🔧

The proposed advisory opinion provides practical guidance for lawyers who regularly participate in professional listservs. Prior informed consent is recommended when there's reasonable possibility that clients could be identified through posted content or the posting lawyer's identit1. Without such consent, posts should remain general and abstract to avoid exposing unnecessary information.

The guidance particularly affects in-house counsel and government lawyers who represent single clients, as their client identities would be obvious in any posted questions. These practitioners face heightened scrutiny when participating in online professional discussions.

Final Thoughts: Best Practices for Digital Ethics

Florida lawyers need to know their state rules before discussing cases online!

Legal professionals should view the Florida Bar's proposed guidance as an opportunity to enhance their digital practice management. The rule encourages lawyers to obtain informed consent at representation's outset when they anticipate using listservs for client benefit. This proactive approach can be memorialized in engagement agreements.

The proposed opinion also reinforces the fundamental principle that uncertainty should be resolved in favor of nondisclosure. This conservative approach protects both client interests and lawyer professional standing in our digitally connected legal ecosystem.

The Florida Bar's proposed Advisory Opinion 25-1 represents more than regulatory housekeeping. It provides essential guidance for legal professionals navigating increasingly complex digital communication landscapes while maintaining the highest ethical standards our profession demands.

MTC

BOLO: LexisNexis Data Breach: What Legal Professionals Need to Know Now—and Why All Lexis Products Deserve Scrutiny!

/ The Tech-Savvy Lawyer.Page/

LAWYERS NEED TO BE BOTH TECH-SAVVY AND Cyber-SavvY!

On December 25, 2024, LexisNexis Risk Solutions (LNRS)—a major data broker and subsidiary of LexisNexissuffered a significant data breach that exposed the personal information of over 364,000 individuals. This incident, which went undetected until April 2025, highlights urgent concerns for legal professionals who rely on LexisNexis and its related products for research, analytics, and client management.

What Happened in the LexisNexis Breach?

Attackers accessed sensitive data through a third-party software development platform (GitHub), not LexisNexis’s internal systems. The compromised information includes names, contact details, Social Security numbers, driver’s license numbers, and dates of birth. Although LexisNexis asserts that no financial or credit card data was involved and that its main systems remain secure, the breach raises red flags about the security of data handled across all Lexis-branded platforms.

Why Should You Worry About Other Lexis Products?

LexisNexis Risk Solutions is just one division under the LexisNexis and RELX umbrella, which offers a suite of legal, analytics, and data products widely used by law firms, courts, and corporate legal departments. The breach demonstrates that vulnerabilities may not be limited to one product or platform; third-party integrations, development tools, and shared infrastructure can all present risks. If you use LexisNexis for legal research, client intake, or case management, your clients’ confidential data could be at risk—even if the breach did not directly affect your specific product.

Ethical Implications: ABA Model Rules of Professional Conduct

ALL LawyerS NEED TO BE PREPARED TO FighT Data LeakS!

The American Bar Association’s Model Rules of Professional Conduct require lawyers to safeguard client information and maintain competence in technology. Rule 1.6(c) mandates that attorneys “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Rule 1.1 further obligates lawyers to keep abreast of changes in law and its practice, including the benefits and risks associated with relevant technology.

In light of the LexisNexis breach, lawyers must:

  • Assess the security of all third-party vendors, including legal research and data analytics providers.

  • Promptly notify clients if their data may have been compromised, as required by ethical and sometimes statutory obligations.

  • Implement additional safeguards, such as multi-factor authentication and regular vendor risk assessments.

  • Stay informed about ongoing investigations and legal actions stemming from the breach.

What Should Legal Professionals Do Next?

  • Review your firm’s use of LexisNexis and related products.

  • Ask vendors for updated security protocols and breach response plans.

  • Consider offering affected clients identity protection services.

  • Update internal policies to reflect heightened risks associated with third-party platforms.

The Bottom Line

The LexisNexis breach is a wake-up call for the legal profession. Even if your primary Lexis product was not directly affected, the interconnected nature of modern legal technology means your clients’ data could still be at risk. Proactive risk management and ethical vigilance are now more critical than ever.

🚨 BOLO: Android Ad Fraud Malware and Your ABA Ethical Duties – What Every Lawyer Must Know in 2025 🚨

/ The Tech-Savvy Lawyer.Page/

Defend Client Data from Malware!

The discovery of the “Kaleidoscope” ad fraud malware targeting Android devices is a wake-up call for legal professionals. This threat, which bombards users with unskippable ads and exploits app permissions, is not just an annoyance - it is a direct risk to client confidentiality, law firm operations, and compliance with the ABA Model Rules of Professional Conduct. Lawyers must recognize that cybersecurity is not optional; it is an ethical mandate under the ABA Model Rules, including Rules 1.1, 1.3, 1.4, 1.6, 5.1, and 5.3.

Why the ABA Model Rules Matter

  • Rule 1.6 (Confidentiality): Lawyers must make reasonable efforts to prevent unauthorized disclosure of client information. A compromised device can leak confidential data, violating this core duty.

  • Rule 1.1 (Competence): Competence now includes understanding and managing technological risks. Lawyers must stay abreast of threats like Kaleidoscope and take appropriate precautions.

  • Rule 1.3 (Diligence): Prompt action is required to investigate and remediate breaches, protecting client interests.

  • Rule 1.4 (Communication): Lawyers must communicate risks and safeguards to clients, including the potential for data breaches and the steps being taken to secure information.

  • Rules 5.1 & 5.3 (Supervision): Law firm leaders must ensure all personnel, including non-lawyers, adhere to cybersecurity protocols.

Practical Steps for Lawyers – Backed by Ethics and The Tech-Savvy Lawyer.Page

Lawyers: Secure Your Practice Now!

  • Download Only from Trusted Sources: Only install apps from the Google Play Store, leveraging its built-in protections. Avoid third-party stores, the main source of Kaleidoscope infections.

  • Review App Permissions: Be vigilant about apps requesting broad permissions, such as “Display over other apps.” These can enable malware to hijack your device.

  • Secure Devices: Use strong, unique passwords, enable multi-factor authentication, and encrypt devices-simple but essential steps emphasized by our blog posts on VPNs and ABA guidance.

  • Update Regularly: Keep your operating system and apps up to date to patch vulnerabilities.

  • Educate and Audit: Train your team about mobile threats and run regular security audits, as highlighted in Cybersecurity Awareness Month posts on The Tech-Savvy Lawyer.Page.

  • Incident Response: Have a plan for responding to breaches, as required by ABA Formal Opinion 483 and best practices.

  • Communicate with Clients: Discuss with clients how their information is protected and notify them promptly in the event of a breach, as required by Rule 1.4 and ABA opinions.

  • Label Confidential Communications: Mark sensitive communications as “privileged” or “confidential,” per ABA guidance.

Advanced Strategies

Lawyers need to have security measures in place to protect client data!

  • Leverage AI-Powered Security: Use advanced tools for real-time threat detection, as recommended by The Tech-Savvy Lawyer.Page.

  • VPN and Secure Networks: Avoid public Wi-Fi. But if/when you do be sure to use VPNs (see The Tech-Savvy Lawyer.Page articles on VPNs) to protect data in transit.

  • Regular Backups: Back up data to mitigate ransomware and other attacks.

By following these steps, lawyers fulfill their ethical duties, protect client data, and safeguard their practice against evolving threats like Kaleidoscope.