Attorney-Client Privilege in the Age of Legal Tech: What Every Lawyer Must Know

The ABA's Four-Pillar Framework for Legal Technology

The American Bar Association has constructed an interconnected ethical framework through four critical formal opinions that every attorney using technology must understand.

ABA Formal Opinion 477R (May 2017) established the foundational principle: lawyers may transmit information electronically where they have undertaken "reasonable efforts" to prevent unauthorized access. The opinion explicitly rejected a strict liability standard, instead articulating seven factors from Model Rule 1.6 Comment [18] that determine reasonableness.

ABA Formal Opinion 483 (October 2018) addressed post-breach obligations, requiring lawyers to monitor for intrusions, stop breaches promptly, investigate incidents, and notify affected clients. The opinion makes clear that a breach itself does not constitute an ethics violation if reasonable efforts were made beforehand.

ABA Formal Opinion 498 (March 2021) confirmed virtual practice is fully permissible, with no brick-and-mortar office requirement, while emphasizing that confidentiality duties extend to videoconferencing platforms, document sharing services, and even smart speakers in remote work environments.

ABA Formal Opinion 512 (July 2024)—the ABA's first formal guidance on generative AI—represents the most significant recent development. It treats AI tools as nonlawyer assistants requiring supervision under Rules 5.1 and 5.3, mandates independent verification of all AI outputs, and specifically warns about "hallucinations" producing "ostensibly plausible responses that are wholly or partially wrong."

State Bar Guidance: Critical Jurisdictional Variations

While all jurisdictions that have addressed cloud computing and AI permit their use with appropriate safeguards, meaningful differences exist that practitioners must navigate.

New York (NYSBA Opinion 842, 2010) was among the first to approve cloud storage, requiring lawyers to ensure providers have enforceable confidentiality obligations.

California's November 2023 Practical Guidance takes a stricter stance, explicitly prohibiting charging for "time saved" by AI and requiring lawyers to anonymize client information before any AI input.

Florida Bar Advisory Opinion 24-1 (January 2024) was the first comprehensive state AI ethics opinion, recommending informed client consent before using third-party AI if confidential information is involved.

When Privilege Meets the Cloud: The Waiver Question

The most consequential question practitioners face is whether sharing privileged information with third-party technology services waives attorney-client privilege. The answer depends heavily on the safeguards employed.

Courts have generally held that storing privileged communications with cloud service providers does not waive privilege when reasonable measures are taken—encryption, access controls, and contractual confidentiality protections. However, consumer AI products present fundamentally different risks.

OpenAI's privacy policy explicitly indicates it collects personal information from "input, file uploads, or feedback" and may use conversations to improve AI models. ChatGPT's terms state chats "may be reviewed by AI trainers." CEO Sam Altman has publicly acknowledged that ChatGPT "does not provide legal privilege."

The critical distinction lies between consumer AI (free ChatGPT, Google Gemini) where data may be used for training with no contractual confidentiality, and enterprise AI solutions (paid ChatGPT Enterprise, legal-specific tools like Harvey or CoCounsel) that offer zero data retention policies, robust contractual protections, and private environments behind firewalls.

The Sanctions Era: 486 Cases and Counting

The judiciary's patience with AI-generated errors has evaporated. Researcher Damien Charlotin's database now documents 486 cases worldwide with AI hallucinations in court filings, including 324 in U.S. courts involving 128 lawyers.

Mata v. Avianca (S.D.N.Y., June 2023) remains the landmark case. Attorneys Steven Schwartz and Peter LoDuca cited six completely fictitious cases generated by ChatGPT, including fabricated opinions from judges who never wrote them. The $5,000 sanction was relatively modest, but the reputational damage was severe.

Consequences have escalated significantly since then. In Johnson v. Dunn (N.D. Ala., July 2025), attorneys were disqualified from representing the client for the remainder of the case, with the court ordering the opinion published in Federal Supplement and bar regulators notified.

More than a dozen federal judges have now issued standing orders addressing AI. Judge Brantley Starr (N.D. Texas) requires certification that no AI was used or that AI content was human-verified. Judge Michael Baylson (E.D. Pennsylvania) requires disclosure of ANY AI use.

Data Breaches at Law Firms: The Malpractice Exposure Is Real

Law firms have become prime targets for cyberattacks, and the resulting litigation establishes clear standards of care.

Orrick, Herrington & Sutcliffe settled a data breach class action for $8 million in April 2024 after hackers accessed systems containing information on 637,620 individuals. The breach went undetected for four months.

Major ransomware incidents have devastated firms financially and reputationally. DLA Piper's June 2017 NotPetya attack required rebuilding the entire Windows environment. Grubman Shire Meiselas & Sacks saw 756GB of celebrity client data stolen by REvil ransomware in 2020.

The 2023 ABA TechReport found 29% of law firms reported security breaches that year. The takeaway: cybersecurity is no longer an IT concern—it is a core ethical obligation with real malpractice exposure.

What "Reasonable Cybersecurity" Means in 2025

Courts and bar associations have converged on a risk-based, process-oriented standard rather than mandating specific technologies. Baseline expectations now include:

• Multi-factor authentication for all remote access and cloud services
• Full disk encryption on laptops and mobile devices
• TLS encryption for email transmission; end-to-end encryption for highly sensitive matters
• Regular security awareness training—phishing remains the primary attack vector
• Incident response plans documented before breaches occur
• Vendor due diligence with contractual security provisions
• Regular backups with secure storage and tested restoration

Technology competence is now an explicit ethical duty in 40 states plus D.C. and Puerto Rico, requiring lawyers to "keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology."

Practical Compliance Framework for Practitioners

Before using any legal technology:

1. Review Terms of Service for data retention, training use, and confidentiality provisions
2. Assess whether the tool offers enterprise-grade security or is consumer-focused
3. Determine whether client consent is required under applicable state guidance
4. Document your due diligence process

For AI tools specifically:

1. Never input confidential client information into consumer AI products
2. Use enterprise solutions with zero data retention and contractual protections
3. Independently verify ALL AI outputs—citations, legal analysis, factual claims
4. Never ask AI to verify its own output (this has failed spectacularly in court)
5. Check applicable court standing orders before any filing
6. Establish written firm policies on permissible AI uses
7. Bill only for actual time spent; do not inflate hours for AI-assisted work