AI Risks Lawyers Should Understand Before Using AI in Practice
Issue 61
Some surveys report that more lawyers now use AI in legal practice than do not. This rapid rise in AI use is putting pressure on lawyers to figure out how to successfully integrate AI in their practices. However, many lawyers feel conflicted about using AI because of the possible risks.
Lawyers’ concerns about AI risks are not irrational. There can be serious consequences when AI is used carelessly by a lawyer. There are confidentiality concerns associated with using AI tools that lack adequate privacy and security, and many lawyers have received sanctions and disciplinary action for filing briefs containing hallucinated case citations.
However, avoiding AI altogether also has its own set of risks.
The Issue Isn’t Whether AI is Risky for Lawyers. It’s Whether You Understand the Risks.
The current era of AI disruption is not the first time that the legal profession has wrangled with risks associated with technology use. For example, the American Bar Association (“ABA”) has issued guidance over the years in relation to confidentiality and the use of email in the practice of law.
In 2012, the ABA amended Comment 8 to Rule 1.1 on lawyer competency to explain that lawyers have a duty to keep up with technological changes impacting the practice of law. Risks associated with using AI tools may be the technology risk de rigueur, but it is a risk that can be managed in many cases. Developing AI competency is a lawyer’s first step in managing and mitigating AI risk.
Problems arise with AI use in law firms when lawyers or other personnel:
- Don’t understand AI’s limitations;
- Experiment with AI tools that have not been vetted or approved; and
- Rely on AI output without verifying its accuracy.
Lawyers who understand AI risks can reduce them, while making confident and informed decisions about whether to use AI for legal work.
AI Confidentiality and Data Exposure Risks
As lawyers develop AI competency, they become aware that different AI tools offer a range of different data confidentiality and privacy protections. The data security policies of any specific AI tool should always be verified before use, but in general, consumer-grade versions of general-purpose AI tools like ChatGPT, Gemini, and Claude (which are often free or relatively inexpensive) often lack robust data protection policies. Some consumer-grade AI tools will use the data that you share with the tool to improve their AI models, or may share your data with third parties for commercial purposes.
On the other end of the spectrum, AI tools that are marketed as enterprise-grade or specifically for lawyers will typically offer greater data privacy and confidentiality protections. Oftentimes, these enhanced data protections are more closely aligned with lawyers’ professional responsibilities.
As a real-world example of how the data protections offered by an AI tool can differ from consumer-grade to enterprise-grade versions, in The New York Times Company’s ongoing copyright infringement lawsuit against OpenAI and Microsoft, a federal court ordered OpenAI (the maker of ChatGPT) to preserve and segregate all customer output log data that would otherwise be deleted. This meant that the data of some OpenAI customers was ordered to be preserved for purposes of the lawsuit even if the customers intended to have their ChatGPT chat data deleted. OpenAI later clarified that ChatGPT Free, Pro, Plus, and Team subscription user data was subject to the data preservation order, while enterprise customer data was not impacted by the order.
Knowing what an AI tool might do with your sensitive data is important, because it can be a slippery slope from casually experimenting with a new AI tool to assess its capabilities to sharing confidential data with the AI tool while engaging in substantive work.
Prior to using an AI tool in legal practice, lawyers need to evaluate the AI tool to understand what the AI company will do with their data, including how the data is secured, how it may be stored, and for what purposes (if any) it could be used by parties outside the organization. Data security of AI tools matters to lawyers because once confidential data is entered into an AI tool that will not keep it secure, it cannot be erased or otherwise undone.
Some law firms have attempted to take advantage of the relatively low cost of consumer-grade AI tools like ChatGPT, Claude, and Gemini by permitting workplace use of these AI tools while prohibiting sharing any confidential client data with the AI tool. Given that such a policy would require human beings to never make an error by accidentally sharing confidential client information with the AI tool, it is highly unlikely to be worth the risk. Instead, AI risk can be reduced by only permitting the workplace use of AI tools with data security and privacy protections that are aligned with lawyers’ professional responsibilities.
Hallucinations and Overreliance on Inaccurate AI Output
Lawyers who develop AI competency also learn that all AI tools that produce written output, which can include both general-purpose AI tools and legal-specific AI tools, are subject to the risk of producing inaccurate output, commonly referred to as hallucinations. AI tools can confidently and persuasively provide incorrect output that may appear convincing if viewed superficially, but which would not pass a proper review to confirm accuracy.
Hallucinations have shown up in briefs filed with courts in the form of incorrect case citations, misstated or improperly attributed quotations of authority, and misleading summaries of cases. Even more sobering, there have been instances of a court order relying upon hallucinated case law. The possibility that a hallucinated case citation could become part of published caselaw should be of concern to all attorneys.
Court filings containing hallucinations have become so pervasive that judicial patience is showing signs of wearing thin. Monetary sanctions for filings containing hallucinations are increasing, and in some cases, attorneys have been referred to their bar associations for AI-related disciplinary actions.
Filing a document containing hallucinations with the court is entirely preventable. But prevention requires awareness of the risk of hallucinations, and a commitment to always verifying the accuracy of a document before signing and filing it with the court, which is typically already required of lawyers by court rules.
Alternatively, using AI for legal research and legal writing may not be a top priority for your organization. It’s worth considering that legal research and legal writing are only two of many possible uses for AI in a law practice, and in many other uses for AI the potential for hallucinated output may have much lower stakes.
AI Risks Created by Others
As AI competency develops, lawyers also become aware that they can be exposed to AI risks even if they have not themselves begun using AI.
Shadow AI
One way that the risk of AI misuse can impact you even if you are not using AI is if other people in your workplace are surreptitiously misusing AI tools that have not been authorized by the organization’s leadership. This issue is often referred to as “shadow AI” use. If your colleagues or staff are attempting to work more efficiently by using AI tools that have not been vetted by the organization, there is a risk that your clients’ and/or your organization’s confidential data could be compromised. Organization leaders should routinely educate all employees about the potential risks associated with AI use, and should set clear policies regulating acceptable use of AI in the workplace.
AI Use by Collaborators
Another possible AI risk, even if you are not using AI improperly, is that you could be blindsided by improper AI use by one of your collaborators. Lawyers whose signatures ultimately appear on work product partially or fully prepared by others should be aware of the possibility of improper AI use by their collaborators. There are now many documented instances of attorneys who were not using AI improperly, yet were warned or sanctioned for their involvement in a situation where AI was improperly used by a collaborator. Examples include improper AI use by:
This is a key area where AI competency and awareness can help an attorney mitigate their AI risks. Attorneys can reduce the risk of being blindsided by a collaborator’s improper AI use by ensuring that only AI tools that have been properly vetted are used in the workplace, and by requiring disclosure of AI use by collaborators both inside and outside their organization.
AI use within an organization should be limited to properly evaluated and approved AI tool options. AI use between collaborators should be transparent.
Overly Casual AI Tool Selection and Implementation
An AI tool selection process that lacks proper rigor can also carry risks. As discussed above, the potential risk of disclosure of confidential client information is a high-stakes risk of using an AI tool for legal work before properly vetting the tool.
Lower-stakes risks associated with overly casual experimentation with and adoption of AI tools include ending up with an AI tool that isn’t as useful as it was hyped up to be, wasted money and time, and frustrated users who refuse to use the tool and will be even more resistant to the organization’s next attempt to adopt new technology.
Rather than experimenting with every new AI tool that makes the news, or deciding you’ll use the same AI tool as your lawyer friend, you could follow a step-by-step process to choose AI tools for your practice, including prioritizing where AI tools could make the biggest impact for your practice, evaluating your options, and making an informed and confident choice.
AI Risk Does Not Mean Lawyers Should Disregard AI
Lawyers are often risk-averse by nature, and it is rational for lawyers to be cautious about a topic with as many pitfalls as AI use in legal practice. However, developing AI competency is part of lawyer competency. Most lawyers have a duty to keep up with technological changes impacting the practice of law, and understanding AI risks will help you to mitigate them. Lawyers who ignore or disregard AI due to the risks can be blindsided by the improper AI use of others. Additionally, a lawyer who refuses to consider AI runs the risk of eventually finding themselves at a competitive disadvantage. Thoughtfully engaging with the topic of AI, including evaluating the potential risks and benefits, is ultimately less risky than ignoring AI altogether.
What Lawyers Should Do Next
If you want to successfully navigate AI risks, here are some next steps:
- Develop AI competency so that you can identify and mitigate AI risks as they arise;
- Regulate which AI tools can be used in your organization;
- Routinely educate your workforce about AI risks and how to avoid them; and
- Carefully evaluate AI tools before they are approved for use in legal work.
If you want help getting started with AI risk mitigation, you can download my free resource: A Lawyer’s First Three Steps to Reduce AI Risk.
If you're trying to evaluate AI tools responsibly, my CLE walks through a practical framework for assessing and implementing AI tools in legal practice.
For a more comprehensive resource on AI competency, risk, tool evaluation, and a curated directory of over 250 AI tools for lawyers, you can learn more about A Lawyer’s Practical Guide to AI here.
Thanks for being here.
Jennifer Ballard
Good Journey Consulting