AI and Confidentiality: Not Mutually Exclusive (But Be Smart, Too!)

Ever wondered how to harness the power of AI without accidentally spilling your client's secrets all over the internet? If you're a lawyer venturing into the world of artificial intelligence, this question isn't just academic—it's crucial.

In an era where ChatGPT can draft contracts and AI can analyze case law and documents faster than you can say "objection," the legal profession is on the brink of a technological revolution. But with great power comes great responsibility (and potential liability). Here are some hints to help you avoid being the lead story on "Above the Law" for all the wrong reasons.  Before launching into a complete analysis, I wanted to provide a practical perspective. If you aren't smart regarding AI, you can get into a lot of trouble as an attorney. The top ways are (1) not verifying the information is accurate, as AI can “hallucinate” facts such as making up fake case cites -- more on this in a future post, and (2) disclosing confidential information to the world (the topic of this post). 

The good news is that you don't have to get into trouble! Think of AI like a really smart junior associate. Just as no one should trust a first-year's work without review, the same is true of AI. So don't be reckless and have an AI chatbot write your entire brief without triple-checking everything. And don't assume that whatever you put into ChatGPT will be treated as confidential.

The good news is that the large language models (LLMs) and their chatbot interfaces (like ChatGPT, Gemini, Claude, and Grok) are increasingly allowing (paying and sometimes premium) users to safeguard confidentiality by walling off the inquiries from their training playground. Think of it like Google: if something is “free” then you are the product. Further, there are additional ways to safeguard information, including using a fully local LLM model. This requires some technical expertise but is very doable for those who wish to spend the time. Keep in mind that for speedy analysis, you may need to invest in a dedicated GPU-intense computer ranging from a couple of thousand dollars to over $50,000. You can also use SLM (the “S” is for small), which requires less brute power.

If confidentiality is paramount, as it is for attorneys in most cases, here are some ways to protect your data while also taking advantage of the power and efficiency of AI in legal practice.

When using Large Language Models (LLMs) or other AI in legal practice or any field where confidentiality is paramount, here are some surefire ways to protect sensitive information:

𝟭. 𝗗𝗮𝘁𝗮 𝗔𝗻𝗼𝗻𝘆𝗺𝗶𝘇𝗮𝘁𝗶𝗼𝗻

- Mask Personal Information: Before feeding data into an LLM, remove or mask any personal identifiers such as names, addresses, or specific dates. Use generic placeholders or pseudonyms to maintain the context while protecting individual identities.

- Generalization: Instead of using exact details, generalize data. For example, instead of "John Doe from 123 Elm St.," use "a client from a residential area."

𝟮. 𝗦𝗲𝗰𝘂𝗿𝗲 𝗗𝗮𝘁𝗮 𝗛𝗮𝗻𝗱𝗹𝗶𝗻𝗴

- Encryption: Use end-to-end encryption for data in transit and at rest. Ensure all LLM communications are encrypted, and data is stored securely.

- Private Clouds or On-Premise Solutions: Instead of public cloud services, consider using private cloud solutions or hosting the LLM on your own servers where you have full control over data security.

𝟯. 𝗔𝗰𝗰𝗲𝘀𝘀 𝗖𝗼𝗻𝘁𝗿𝗼𝗹

- Need-to-Know Basis: Restrict access to the LLM and the data it processes to only those who need it for their work. Implement strict access controls and authentication measures.

- User Permissions: Define clear roles and permissions within your team. Not everyone should have the same level of access to sensitive information.

𝟰. 𝗖𝘂𝘀𝘁𝗼𝗺𝗶𝘇𝗲𝗱 𝗼𝗿 𝗖𝗹𝗼𝘀𝗲𝗱 𝗠𝗼𝗱𝗲𝗹𝘀

- Private Models: If possible, use or develop custom LLMs trained on your specific datasets that do not connect to external networks or APIs. This reduces the risk of data leakage through third-party services.

- Air-Gapped Systems: For extremely sensitive data, consider using an LLM in an air-gapped environment, where the system is not connected to the internet, thus preventing remote access or external threats.

𝟱. 𝗔𝘂𝗱𝗶𝘁 𝗮𝗻𝗱 𝗠𝗼𝗻𝗶𝘁𝗼𝗿𝗶𝗻𝗴

- Regular Security Audits: Conduct regular audits to check for vulnerabilities in your LLM usage. This includes software updates, patch management, and security configurations.

- Monitoring Usage: Log and monitor all interactions with the LLM. This can help detect any unusual activities or potential breaches.

𝟲. 𝗟𝗲𝗴𝗮𝗹 𝗮𝗻𝗱 𝗘𝘁𝗵𝗶𝗰𝗮𝗹 𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴

- Educate Staff: Ensure all team members understand the importance of confidentiality and how it applies to AI tools. Training should cover both the technical use of LLMs and the ethical handling of data.

- Policy Development: Create and enforce clear policies regarding the use of LLMs, detailing what data can be used, how it should be anonymized, and under what conditions it can be processed.

𝟳. 𝗗𝗮𝘁𝗮 𝗠𝗶𝗻𝗶𝗺𝗶𝘇𝗮𝘁𝗶𝗼𝗻

- Use Only Necessary Data: Feed the LLM only the data necessary for the task at hand. Less data means less risk if there's a security compromise.

𝟴. 𝗢𝘂𝘁𝗽𝘂𝘁 𝗦𝗮𝗻𝗶𝘁𝗶𝘇𝗮𝘁𝗶𝗼𝗻

- Review Outputs: Before using or sharing outputs from an LLM, review them for any accidental disclosures of sensitive information. Implement a process where human eyes check AI-generated content.

𝟵. 𝗡𝗼𝗻-𝗗𝗶𝘀𝗰𝗹𝗼𝘀𝘂𝗿𝗲 𝗔𝗴𝗿𝗲𝗲𝗺𝗲𝗻𝘁𝘀 (𝗡𝗗𝗔𝘀)

- With Vendors: If you're using a third-party LLM service, ensure there are NDAs in place that legally bind them to maintain confidentiality. Check your user agreements!

𝟭𝟬. 𝗜𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗥𝗲𝘀𝗽𝗼𝗻𝘀𝗲 𝗣𝗹𝗮𝗻

Preparedness: Develop a clear incident response plan for data breaches that details the steps to take if confidentiality is compromised, including notification procedures, damage control, and legal steps.

𝗖𝗼𝗻𝗰𝗹𝘂𝘀𝗶𝗼𝗻

By integrating these practices, you can significantly enhance the confidentiality of data when using LLMs, aligning technological innovation with the ethical and legal standards required in handling sensitive information. Remember, the integrity of confidentiality is not just about preventing breaches but also about building trust with clients and maintaining the ethical standards of your profession.