Client confidentiality in the artificial intelligence context is the application of the attorney's professional obligation to protect client information — codified in ABA Model Rule 1.6 and its state equivalents — to the specific risks that arise when client data is processed by AI tools. The Rule prohibits attorneys from "reveal[ing] information relating to the representation of a client" without the client's informed consent, and Rule 1.6(c) adds that attorneys must "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
The key phrase is "reasonable efforts." The Rule does not require perfection — it requires that attorneys make proactive, informed, documented efforts to prevent unauthorized disclosure. When AI tools are involved, these reasonable efforts must specifically address the confidentiality risks that AI systems create, which are qualitatively different from the confidentiality risks of traditional document storage.
The specific AI confidentiality risks that attorneys must address include:
Training data exposure. AI vendors that train or fine-tune their models on customer data embed client information — potentially permanently — in model weights. This information cannot be deleted once the model has been trained on it. If a vendor uses client documents in model training without adequate legal authorization, this constitutes both a violation of the client's confidentiality and a potential GDPR or CCPA violation.
Subprocessor access. Most AI platforms rely on third-party subprocessors — cloud infrastructure providers, inference API providers, analytics tools. Each subprocessor represents an additional party with access to client data. The DPA chain must ensure that each subprocessor is bound by equivalent confidentiality obligations.
Inference logging. Some AI inference infrastructure logs the inputs and outputs of API calls as part of normal operations — for debugging, safety monitoring, or other purposes. If client data appears in inference inputs, these logs may contain client-confidential information. Attorneys should confirm that the vendor's inference infrastructure operates in a zero-retention or minimal-retention mode for their data.
Breach exposure. A breach at the AI vendor or any of its subprocessors may expose client data. While breaches are not preventable with certainty, reasonable efforts to prevent them include selecting vendors with robust security controls and appropriate certifications.
Inadequate deletion. If client data remains in vendor systems after the attorney-client relationship ends or after the vendor contract terminates, the attorney's confidentiality obligation continues but their control over the data does not. Clear data deletion commitments and timelines in the DPA address this risk.
Client confidentiality is not just a professional obligation — it is the foundation of the attorney-client relationship. Clients disclose sensitive, often embarrassing, commercially valuable, or legally significant information to their attorneys precisely because the law guarantees that this information will not be disclosed without their consent. Violations of this guarantee damage not just the individual attorney-client relationship but the public's trust in the legal profession.
In the AI context, the confidentiality stakes are high because the failure modes are novel and the harms can be difficult to detect or remediate. Traditional confidentiality breaches — a lost briefcase, a misdirected fax, an overheard conversation — were typically visible events with identifiable causes. AI confidentiality breaches may be invisible: client information embedded in a model's training data cannot be seen or extracted; subprocessor data access may not generate visible logs accessible to the client or attorney; inference logs may exist without the attorney's knowledge.
Multiple bar associations have addressed AI confidentiality specifically. California's State Bar issued Practical Guidance for the Use of Generative AI (2024), including a specific section on confidentiality obligations. New York's NYSBA issued a report with AI ethics recommendations. ABA Formal Opinion 512 (2023) identified confidentiality as one of the five core professional responsibility obligations implicated by generative AI use. These authorities consistently require attorneys to investigate vendor data handling practices before entrusting client data to any AI system.
The GDPR layer adds regulatory consequences for EU-connected matters. Law firms processing EU client personal data through AI tools must comply with GDPR Article 28 (DPA requirements) and Article 5 (data protection principles) — requirements that largely parallel the professional responsibility confidentiality analysis but with regulatory enforcement consequences including substantial fines.
How It Works
Pre-use investigation. Before submitting any client data to an AI tool, the attorney (or the firm's AI governance process) must investigate the vendor's data handling practices. The investigation must cover: whether the vendor trains on customer data (and whether this can be contractually prohibited); who the vendor's subprocessors are and what access they have to customer data; where data is stored and processed; what security certifications the vendor holds; and what the vendor's data deletion practices are.
This investigation should result in documented findings — a vendor risk assessment or AI diligence questionnaire — that is maintained in the firm's AI governance records. The documentation is the attorney's evidence of reasonable efforts if a confidentiality issue later arises.
DPA review and negotiation. Every AI vendor that will receive client data must execute a DPA that meets the professional responsibility and regulatory confidentiality standards. The DPA must: prohibit training on customer data; identify and bind subprocessors; specify data deletion timelines; commit to security standards; and include breach notification obligations. Attorneys should not assume that vendor standard DPA terms satisfy these requirements — many standard DPAs are drafted to minimize vendor obligations and must be negotiated to meet attorney confidentiality standards.
Tools like CoCounsel and Harvey AI have specifically invested in DPA terms that address attorney confidentiality obligations — including zero-training commitments, subprocessor controls, and data deletion provisions. Reviewing their standard enterprise DPA terms is a useful benchmark for what attorney-grade confidentiality commitments look like.
Scope limitation. Even where a vendor has adequate confidentiality protections, attorneys should submit only the client data necessary for the specific AI task — the data minimization principle applies as a confidentiality-reinforcing practice. Client identifying information should be omitted where not necessary for the AI's function. Anonymization or pseudonymization of documents before AI submission reduces confidentiality risk from any residual vendor exposure.
Ongoing monitoring. Vendor data handling practices can change. A no-training commitment made in 2023 may be revised in the vendor's terms of service update in 2025. AI vendor acquisitions may bring new data handling practices. Ongoing monitoring — reviewing vendor communications, monitoring DPA updates, requesting current SOC 2 reports annually — maintains the reasonable efforts standard throughout the vendor relationship.
Matter-specific protocols. Certain matters involve particularly sensitive client information — criminal defense, whistleblower matters, M&A prior to announcement, government investigations, health information. For these matters, attorneys should apply heightened confidentiality protocols: stricter vendor selection criteria, additional anonymization before AI submission, restricted access to AI-generated work product, and enhanced documentation of confidentiality measures.
Key Considerations for Law Firms
Engagement letter disclosure. Proactively disclosing AI tool use in the engagement letter — and obtaining client consent to that use — is becoming standard practice and provides a clear contractual basis for AI-assisted work. The disclosure should describe, at an appropriate level of generality, what AI tools may be used, what safeguards are in place, and what data may be processed. Client consent to AI-assisted work reduces but does not eliminate confidentiality obligations.
The "impliedly authorized" exception has limits. Rule 1.6 permits disclosure of client information that is "impliedly authorized" to carry out the representation. Using a confidential cloud document storage service to store client files is likely impliedly authorized as a normal incident of modern legal practice. Using a novel AI tool with unclear data handling practices may not be impliedly authorized — it may require explicit client consent. The boundary between impliedly authorized AI use and AI use requiring explicit consent is an area of ongoing bar opinion development.
Educate all attorneys, not just partners. Confidentiality obligations apply to every attorney who handles client data. Junior associates, who may be most likely to use AI tools for research and drafting, need specific training on the confidentiality implications of AI tool use. The firm's AI governance training should include clear guidance on which tools are approved for which data types, and what to do when uncertain.
Monitor the vendor's inference API provider. If the AI tool uses a third-party inference API provider (e.g., the AI platform sends your documents to GPT-4 via OpenAI's API), the inference provider's data retention practices are part of the firm's confidentiality risk profile. Most major inference API providers offer zero-retention API modes for enterprise customers — the AI vendor should be using these modes for customer data. Confirm this in the DPA or vendor technical documentation.
Limitations and Risks
Training data cannot be deleted from deployed models. If client data has been used in model training, the resulting model contains patterns derived from that data that cannot be deleted without retraining the model. Discovering that a vendor has trained on client data after the fact may provide grounds for contract termination and legal claims against the vendor, but it does not reverse the training. Pre-use investigation and contractual prohibition of training are therefore preventive controls, not remedial ones.
Technical verification of no-training claims is difficult. An attorney cannot independently verify that a vendor is not training on their data — they depend on the vendor's representation and the SOC 2 audit. This is an inherent limitation of the third-party service relationship. Contractual representations create legal accountability but do not provide technical certainty.
State bar requirements vary. The specific requirements for AI tool use consistent with confidentiality obligations vary by jurisdiction. California's practical guidance and New York's recommendations are more specific than some other states' guidance. Attorneys practicing in multiple jurisdictions must satisfy the requirements of each.