A loophole in Microsoft’s Azure OpenAI Service terms of use could expose privileged information to third-party review. Lawyers need to undertake reasonable diligent vetting of vendors and their terms. Reliance on vendor assurances alone is not enough. But what is?

Last week, I ran across a good piece of reporting by Cassandre Coyer and Isha Marathe in law.com. The report highlighted an important issue.

Legal tech vendors have aggressively marketed Gen AI products over the last 18 months. To a vendor, they all assure potential customers that the inquiries and responses are protected, that they will not be used to train the system, and that third parties will not have access to confidential materials. In short, trust us. But can lawyers rely on these assurances, and to what extent? Do they need to do more?

Some Red Flags

The law.com article raises some red flags. According to the article, “More than a year after law firms and legal tech companies signed onto Microsoft’s Azure OpenAI Service, which gives users access to OpenAI’s generative artificial intelligence models via the Azure Cloud, many found out that a terms-of-use loophole could make privileged information susceptible to third-party review.”

Under its terms and conditions, Microsoft can retain and then have humans manually review certain materials if its “abuse monitoring” policy is triggered. According to the article, this policy “was tucked in a nexus of terms and conditions,” and many vendors and law firms just missed it. The potential for manual review, of course, could jeoparize the confidentiality of client information.

Is It Just a Matter of Reading the Terms and Conditions?

Well, you say it should be a simple matter: just read the terms and conditions more carefully. But who does that? I agree to app terms and conditions all the time without reading them. Why bother? There’s nothing I could change anyway.

And the fact that it was a Microsoft platform at issue is important. Microsoft is so ingrained and ubiquitous in the legal system that perhaps that led to lessened scurtiny. Indeed, Microsoft was offering programs with at least the implicit understanding of its customers that a) it understands legal needs for confidentiality and b) it would be sure that confidential materials were protected. 

Some vendors whose products integrate with Microsoft may be making confidentiality assurances that aren’t necessarily correct

Microsoft does offer an exemption at least to some customers at the right price. However, the limited availability and cost may mean some vendors are not reading the fine print when using Microsoft tools for their legal customers. Or they are ignoring it. Either way, the lawyer could end up paying the price. I daresay that some vendors whose products integrate with Microsoft may be making confidentiality assurances that aren’t necessarily correct.

A Lawyer’s Duty of Due Diligence

This is a particular problem in legal now. So many vendors are offering Gen AI products that are closely integrated with other vendors like Microsoft. This makes the due diligence required of lawyers when using the products more problematic. While the duty of due diligence is not absolute, a lawyer must make reasonable efforts to ensure client information will be protected. But what is reasonable?

Make no mistake, those vetting requirements, at least under existing ethical opinions, are pretty significant. Most of the requirements grew out of questions concerning the use of the cloud and security concerns for email communications. There, as with Gen AI, lawyers must trust their data and their client’s data to someone else. So, both the extent of confidentiality and the supervisory duties of lawyers come into play.

The ABA Ethical Opinion

Formal Opinion 477R of the American Bar Association addressed these various issues concerning security associated with email communications and the use of vendors. According to the 2017 Opinion, several factors need to be examined by the lawyers when selecting a vendor:

  • The education, experience, and reputation of the vendor;
  • The nature of the services involved;
  • The terms of the arrangement concerning the protection of the client’s information and
  • The legal and ethical environments of the jurisdictions where the services are to be performed.

The ABA cited a previous Opinion for what lawyers should look at and do to satisfy their ethical obligations when selecting a vendor:

  • Undertake feference checks
  • Review vendors security policies and protocols
  • Review vendor hiring practices
  • Use of confidentiality agreements
  • Assess the availability and accessibility of a legal forum for relief should the vendor agreement be breached.

The Opinion further provides that these things need to be periodically reassessed.

A State View

A number of states have also weighed in on a lawyer’s vetting responsibilities in other contexts. My state, Kentucky, for example, issued Opinion E-437 in 2014. Like the ABA Opinion, E-437 states the lawyer should investigate the vendor’s credentials, reputation, and longevity. It also sets out some questions a lawyer should ask:

  • What protections does the provider have to prevent disclosure of confidential client information?
  • Is the provider contractually obligated to protect the security and confidentiality of information stored with it?
  • Does the service agreement state that the provider “owns” the data stored by the provider?
  • What procedures, including notice procedures to the lawyer, does the provider use when responding to governmental or judicial attempts to obtain confidential client information?
  • At the conclusion of the relationship between the lawyer or law firm and the provider, will the provider return all information to the lawyer or law firm? 
  • Where, geographically, is the server used by the provider for long-term or short-term storage or other services located?

Gen AI and Due Diligence: What’s Reasonable?

With Gen AI, the vetting obligations get complicated. The vendor supplying the product often depends on upstream providers, like Microsoft. These upstream providers supply underlying LLM data and the sophisticated tools for the systems to function and perform.

While a lawyer need not guarantee that the client will be protected throughout the ecosystem, the lawyer does have to take reasonable precautions to ensure that client information will be protected

While a lawyer need not guarantee that the client will be protected throughout the ecosystem, the lawyer does have to take reasonable precautions to ensure that client information will be protected. That diligence would seem to extend not only to the vendor but to 3rd parties the vendors uses that may have access to confidential data.

But the limits of what is reasonable in the new Gen AI world have not yet been established. Are the reasonable due diligence duties with Gen AI the same as with the cloud promulgated several years ago? Is the duty more with Gen AI providers? Or less? 

Understandably, Bar Associations and legal ethicists have not yet caught up with the technology. They are only beginning to offer guidance about how and to what extent lawyers need to vet vendors providing Gen AI tools. And to what extent do lawyers need to vet the 3rd party providers that have products that integrate with the Gen AI tools a vendor is offering. Right now, we don’t have much guidance about our reasonableness duties other than those governing the cloud and email use.

One Clear Thing

One thing that’s clear, though, is that lawyers can’t just take the word of their vendors that client information will be protected. And you have to read the terms and conditions.

Carefully.

Photo by krakenimages on Unsplash

The lack of lawyers in rural areas has attracted much attention lately. Rural pockets with few or no lawyers living there, the so-called legal deserts, are on the upswing.

According to some surveys, 14% of the population lives in rural areas, but only 2% of lawyers do. A 2020 ABA study found that 40% of all counties in the US have fewer than one lawyer for every 1000 residents. Fifty-two counties have no lawyers, and another 182 have only one or two.

Continue Reading Serving the Underserved: Innovative Solutions Needed to Solve the Rural America’s Lawyer Drought

There can be no higher law in journalism than to tell the truth and to shame the devil. Walter Lippmann

As most of you know, I frequently attend conferences–both legal tech related and those related to technology in general, like CES. I do this because I am interested in the field and because I like to think what I write as a former practicing lawyer is valuable. The latter idea, of course, carries the responsibility to be candid and to “call em as I see em”. I have tried to do that since I started blogging some seven years ago.

Continue Reading Integrity Over Access. Why I Said No Thanks to a Conference’s Demand for Positive Coverage

We best be careful, or we will find ourselves in a closet talking to ourselves too much.

Once upon a time, I had a good client who was fond of saying, “We best be careful, or we will find ourselves in a closet talking to ourselves too much.” Meaning, of course, that you get into trouble if you don’t get diverse viewpoints from people who perhaps see the problem and the world differently than you.

My client’s wisdom was recently brought home to me in connection with the Gen AI hoopla. The last two months have been a whirlwind of conferences for me. During that time, I attended three technology conferences. One was CES, which was generally directed toward consumer electronics and technology. The other two, LegalWeek and ABA TechShow, were both directed at legal technology in particular. 

Continue Reading Gen AI in Law: A Lawyer Reality Check

“If you want to show up and be seen in your life, you’re going to get your ass kicked.”

Brene Brown

I recently finished a book by Jeremy Utley and Perry Klebahn entitled Ideaflow: The Only Business Metric that Matters. The book talks a lot about ideas and their power. The authors go to great lengths to explore ways to nurture ideas, how to work in teams to enhance ideas, and how to turn ideas into reality. They also talk about how organizations and leaders can act to nurture ideas instead of quashing them and the creativity that creates them. It’s that creativity that is essential to a vibrant, innovative enterprise.

Continue Reading ABA TechShow: The Power (and Agony) of Ideas

On our recent LegalTech Week Journalists Roundtable, we went into a discussion about the increased emphasis of late on so-called midsize law firms. In particular, we talked about their needs when it comes to things like technology.

Certainly, more attention has recently been paid to this group of law firms. Clio provided a Survey entitled Legal Trends for Midsize Law Firms that focused on midsized law firms. Clio recently announced it planned to aggressively market to midsize firms in the future. An outfit called Actionstep recently released its 2024 US Midsize Law Firm Priorities Report. Thompson Reuters recently published its State of the Legal Market Report, which deals in part with midsize law firms.

Continue Reading Beyond Size: Navigating the Complexities of Modern Legal Practices

It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of light, it was the season of darkness, it was the spring of hope, it was the winter of despair.”
Charles Dickens, A Tale of Two Cities

Two recent studies, one by LexisNexis and one by LawPay-MyCase, looked at the use of AI and Gen AI at two ends of the legal market. The LexisNexis study, entitled 2024 Investing in Legal Innovation Survey, looked at very large law firms and businesses. LexisNexis talked to 266 managing partners and c-suite leaders at AmLaw 200 law firms. LexisNexis also spoke to 50 legal professionals at Fortune 1000 companies and large law firms outside the AmLaw 200. The survey was done between December 6, 2023, and January 9, 2024, so it’s pretty recent.

Continue Reading From Big Law to Small Firms: A Tale of Two Cities in Embracing Legal AI

I just got back from LegalWeek 2024 in New York City. LegalWeek is the annual legal tech conference put on by ALM and directed at big law firms and clients. There were lots of exhibitors, lots of parties, and fancy dinners. It’s glitzy and sales and marketing oriented.

This year, as expected, the educational sessions, discussions, and marketing were dominated by generative AI. There were ample predictions about how it will transform the legal profession. The standard refrain was that Gen AI will enable lawyers to spend more time on high level thinking.

Continue Reading Innovative Vendors at LegalWeek 2024: A Focus on Customer-Centric Solutions

Back in the 1970s, there was a television commercial featuring jazz singer Ella Fitzgerald with a wine glass, a recording studio, and a recordable audio cassette made by a company called Memorex. The pitch was that the audio recording of Ella’s voice could break the wine glass, just like her live voice. The tagline was, “Is it live or Memorex?”

Continue Reading Is it Real or Is It Fake? The Emerging Challenges of Authenticating Digital Evidence in Courtrooms

Every year, Thomson Reuters and the Georgetown Law Center on Ethics and the Legal Profession come with a report on the State of the Legal Market. I have written about the reports before; I find them enlightening and generally well done. The 2024 Report is based on data from some 179 U.S. law firms developed by Thomson Reuters’ Financial Insights platform. Data came from 48 AmLaw 100 firms, 49 AmLaw second 100 firms, and 82 midsize firms.

The 2024 Report came out in early January this year and, as usual, is chock full of interesting findings. The Report used the historical demise of Pan Am Airlines as an example to drive home a point. Law firms may be facing a tipping point, a point at which they need to refine how they do business to survive. 

Continue Reading The Thomson Reuters State of the Legal Market Report: Shifting Tides in Legal Practice?