The Oklahoma Bar Journal December 2024

of the transfer methods the attorney will employ to share their personal data in all instances. In addition to more traditional methods of transferring and shar ing client data, lawyers should also exercise caution when using artifi cial intelligence tools. In particular, there are a number of ethical pitfalls associated with the use of genera tive artificial intelligence – a subset of artificial intelligence focused on creating new, original content or data using advanced algorithms and learning techniques. Commonly used forms of generative artificial intelligence include ChatGPT and DALL-E2. Artificial intelligence tools specific to the practice of law are, likewise, coming into broader use. Because these tools use large data sets (including, in some instances, data inputted by users) to train and develop their models, lawyers must understand that any information they submit to artificial intelligence tools is likely not private or confi dential and may be visible to others, incorporated into responses that are generated for others or even used to train the model itself. Moreover, they should assume that any data, regard less of its nature, that is inputted into an artificial intelligence tool cannot be deleted or otherwise removed from the tool. As such, lawyers should decline to input confiden tial or proprietary data, including client data, into outside artificial intelligence tools that have not been thoroughly vetted to ensure they meet legal and ethical privacy and confidentiality standards. CONCLUSION The rapid evolution of technolo gies available to aid lawyers in their practices is a boon to both individ ual lawyers and the legal field as a whole. Nevertheless, capability

All subsequent findings should be promptly and completely addressed. Additionally, lawyers should consider taking steps to ensure client data is encrypted both in transit and at rest. Back up data according to a regular schedule to ensure systems can be restored and operations resumed in the event of a data incident or other disaster. At least one frequently backed-up set of data should be stored offline, and lawyers should evaluate ways to confirm that the backed-up data can be restored. Once client data is no longer needed (such as when the retention period applicable to the client file has passed), securely and completely delete the data, including from backups. APPROPRIATE SAFEGUARDS WHEN USING AND TRANSFERRING CLIENT DATA When it comes to transferring client data, lawyers must balance the convenience and efficiency of electronic communication and data transfer methods with their para mount duty to protect client confi dentiality. Lawyers should carefully assess the sensitivity of client data transferred and always err on the side of caution. Where the data being transferred by a lawyer is sensitive, they should even more carefully evaluate the security of the com munication channels they intend to use to ensure any data transferred is sufficiently protected. To protect client data and minimize the risk of interception or inadvertent disclo sure, lawyers can do things like use encrypted emails and secure file transfer protocols and virtual private networks (VPNs) as appropriate. Public Wi-Fi networks and other unsecured communication chan nels should be avoided, and clients should be appropriately advised

comes with duty, and as the tools available to lawyers increase, so too do lawyers’ obligations to protect the confidentiality and security of their clients’ confidential data. Lawyers who: 1) develop and imple ment comprehensive data protection policies – including privacy policies, information security policies and incident response plans – to codify appropriate data security and con fidentiality practices as discussed herein; 2) clearly communicate their data protection policies and practices to employees and train them on the same; and 3) stay cur rent with technological advance ments and legal requirements, then evaluate and revise their data protection policies and practices accordingly, will be well positioned to meet their legal and ethical obli gations to their clients.

ABOUT THE AUTHOR

Lauren Watson is a cybersecurity and privacy attorney at Ogletree Deakins. She dedicates her practice to assisting

clients with matters including data security incident and data breach response, preparation of privacy policies and notices, negotiation of data protection agreements and other aspects of compliance with privacy and cybersecurity laws and regulations, such as comprehensive state privacy laws, sectoral privacy laws and laws regulating biometric data and employee monitoring activities across the country.

ENDNOTES

1. ABA Formal Opinion 477R: Securing Communication of Protected Client Information, aba_formal_opinion_477.pdf (americanbar.org). 2. ABA Formal Opinion 483: Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, https://bit.ly/3AjhxOY.

Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.

DECEMBER 2024 | 35

THE OKLAHOMA BAR JOURNAL