April 9, 2025 – You decide it’s time to start using generative artificial intelligence (GAI). How secure does information on the GAI platform need to be?
Question
My law firm is looking at options for a GAI platform. I recently heard that even if we create our own internal platform or pay for a commercial product that provides robust security protocols, we still need to have practices in place to guard against internal inadvertent disclosure or unauthorized access to confidential client information.
I’m a little confused. My firm has always kept an electronic brief bank with copies of briefs, motions, samples, and templates from prior client representations. It prevents us from having to reinvent the wheel with every representation, which benefits our clients.
Isn’t storing information on a GAI platform the same thing?
Answer
Before addressing the question, let’s review the scope of confidentiality. SCR 20:1.6(a) prohibits a lawyer from disclosing “information relating to the representation,” absent informed consent from the client or implied authorization. SCR 20:1.6(b) and (c) delineate other exceptions to the otherwise broad prohibition of SCR 20:1.6(a).
The term “all information relating to the representation” casts a very wide net. It applies to all information, regardless of its source, regardless of whether the information has otherwise been made public. It applies to disclosures by a lawyer that do not in themselves reveal protected information but could reasonably lead to the discovery of such information, such as client identity, by a third person.¹
To get back to the question: Yes, storing confidential client information on a GAI platform is the same as maintaining a brief bank. In both situations, regardless of how or where the information is stored, the firm must have in place “reasonable efforts to prevent inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” SCR 20:1.6(d). This includes preventing disclosure to other clients of the firm.
An Example Case
A 2023 discipline case out of Arkansas² illustrates the pitfalls of using the internally stored confidential information of one client in the representation of another client. In that case, the information was stored on a file-sharing app. Company A hired the lawyer to represent them in obtaining a medical marijuana cultivation license. The lawyer was later hired by another company, Company B, that was a direct competitor of Company A. The lawyer filed applications for medical marijuana cultivation licenses for both clients. Only Company B received a license.
Shortly after Company A learned they had not been awarded a license, they learned from several sources that Company B’s application mirrored their application in several sections, suggesting that the information contained in Company B’s application had allowed others to deduce the identity of Company A. Company B’s application also contained Company A’s proprietary information.
A newspaper article cited in the disciplinary matter stated, “Electronic fingerprints on [Company B]’s internal documents and company emails … show how the contents of [Company A]’s application funnel in [Company B]’s hands through accounts linked to its previous attorney.” The article explained that someone signed into a file-sharing program as the attorney replaced Company A’s name and biographical information with the information for Company B, and that Company A’s information was deleted within the section detailing the business plan while the wording of the plan itself stayed roughly the same.
The attorney was found to have violated SCR 20:1.6(a) for failing to get Company A’s informed consent to share proprietary information with any competitor, including Company B.³
Careful Consideration Is Needed
While this case is an extreme example of at least negligent, and perhaps intentional, misconduct by the attorney, it demonstrates the need for lawyers to carefully consider how information relating to the representation of a client is stored and used internally.
This includes taking steps to prevent protected information relating to the representation of one client from being disclosed to another client of the firm.
It also includes taking steps to prevent disclosure to lawyers who have been screened off from participation in a matter for conflict or other reasons.⁴ This does not mean that a lawyer may never use documents prepared for former clients as models for future clients – reuse of portions of such documents is permissible as long as there is no reasonable prospect that a third party could identify the original client.
For example, a lawyer may use the same legal argument in support of a legal proposition in every motion for a change in custody and placement in a family matter, although the specific facts of each matter are protected. A lawyer may also usually copy standard contract clauses from one client’s contract to another.
What is required is that the lawyer not include information that would allow a third party to identify the client or secret or proprietary information belonging to a client.
Closely Review GAI Output
While it is obvious that a lawyer needs to keep client information such as names, contact information, and financial and medical records confidential, it may be less obvious that business plans, strategy, negotiated contract terms, property division details, and all other “information relating to the representation” also need to be protected.
As a reminder, SCR 20:1.6(a) protects information otherwise made public (in, for example, a public application filing) and information that could lead to the discovery of protected information (such as specific details of a business that could lead to the discovery of your client’s identity). Thus, prior to sharing a GAI output with another client or filing it with a court, lawyers need to carefully review GAI outputs to ensure protected information relating to the representation of another client is not contained therein.
As with hallucinations and false answers, the problem is not created by GAI output itself but rather is created when the output is not carefully reviewed by someone with actual intelligence.
Keep Clients Informed
The use of a secure platform may obviate the need for informed consent prior to the use of GAI in a client’s case.⁵ However, because of the novelty of its use (which is, of course, wearing off), it is advisable that you inform clients of the fact that you will be using GAI and how you will be using it.⁶
While some clients will expect that you use it to provide more efficient legal services, other clients might be wary of its use.
The increased use of GAI in the practice of law is bringing the topic of confidentiality to the forefront. While the rule and a lawyer’s duties remain the same, it is good to consider how those duties might be carried out in a different environment.
Endnotes
1 See SCR 20:1.6 and ABA Comments [3] and [4]; Wisconsin Formal Ethics Opinion EF-17-02; and Disciplinary Proceedings against Merry, 2024 WI 16.
2 In re: Michael W. Langley, Supreme Court Committee on Professional Conduct, CPC Docket No. 2022-035.
3 The lawyer was also found to have violated the equivalent of SCR 20:1.4(a)(2) and (3) and SCR 20:1.7(a) in relation to his representation of Company A and received a 6-month license suspension, followed by 18 months of probation.
4 SCR 20:1.0(n) defines “screened” as, “the isolation of a lawyer from any participation in a matter through the timely imposition of procedures within a firm that are reasonably adequate under the circumstances to protect information that the isolated lawyer is obligated to protect under these rules or other law.” See Wisconsin Formal Ethics Opinion EF-22-01 for a discussion of what an effective screen looks like.
5 See ABA Formal Opinion 512 for a discussion of what factors to consider when determining whether informed consent to the use of GAI is required.
6 SCR 20:1.4(b) requires that a lawyer “explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.”