Submit to Digest

AI, Confidentiality, and the Stratified Legal Profession

Artificial Intelligence Commentary

Steve Leben is the Douglas R. Stripp Distinguished Professor of Law and Associate Dean for Faculty at the University of Missouri-Kansas City School of Law, where his courses include Professional Responsibility. He served as a state trial and appellate judge for more than two decades, including on the Kansas Court of Appeals from 2007 to 2020.


I. The New Fairness Problem

In March 2026, a federal court in Colorado ordered both sides in an employment lawsuit to stop uploading confidential information into consumer AI platforms. [1] The defendant in Morgan v. V2X, Inc. wanted a protective order barring AI tools from receiving confidential information unless the provider was contractually barred from using inputs for training and required to allow their deletion. [2] The self-represented plaintiff objected that the proposed restrictions would create an unfair “technological gap” by barring him from modern analytical aids while the defendant’s lawyers retained the ability to use proprietary AI and cloud-based systems. [3]

Magistrate Judge Maritza Dominguez Braswell granted much of the defendant’s request, but she did not pretend the result was cost-free. The court acknowledged that its order would disadvantage self-represented litigants by barring the use of most mainstream consumer AI tools, as enterprise-tier accounts offering the strongest contractual confidentiality safeguards may be available only through organizational procurement or at costs the self-represented are unlikely to bear. [4] This raised a question the justice system has not answered: as large firms pour resources into enterprise-grade AI, how will a self-represented litigant keep up? [5]

That question extends beyond self-represented litigants. Solo and small-firm lawyers face the same stratified market—and a legal-ethics guidance gap. They are expected to comply with confidentiality duties, yet the most concrete guidance is easiest to satisfy in contractually constrained environments that many smaller practices cannot reach.

Existing ethics rules, properly read, already permit substantially more AI use than current professional discourse admits. [6] Rule 1.6 is a reasonableness rule, not a zero-risk prohibition. Rule 1.6(a)’s implied-authorization principle, together with the ABA’s longstanding treatment of bounded third-party technology vendors, supports the use of appropriately constrained AI tools in many representations without requiring specific client consent for each use. [7] The unfinished work is how to assess residual confidentiality risk across unequal product tiers and unequal practice economics.

Ethics guidance should not treat the most secure commercial product as the minimum product every lawyer must use. A confidentiality rule that quietly assumes enterprise procurement will put the lawyers and litigants least able to obtain it at a significant disadvantage.

II. Existing Law Already Permits Bounded Technology Use

Let’s start with the text of Rule 1.6(a). It says “[a] lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation,” or a listed exception applies. [8] The rule is broad, but its exceptions are deliberate. Not every disclosure requires informed consent. Some disclosures are impliedly authorized because they are appropriate—and sometimes necessary—in carrying out the representation. AI guidance that overemphasizes consent and underemphasizes implied authorization risks discouraging lawful uses of AI tools. [9]

That principle has deep roots in the ABA’s technology opinions. In 1999, ABA Formal Opinion 99-413 addressed whether lawyers could use unencrypted email for client matters. [10] The committee concluded that they could. Email posed no greater risk of interception or disclosure than other communication methods lawyers already used, and lawyers had a reasonable expectation of privacy in email. [11] Thus, for ordinary use, lawyers can use email without express client consent. If the material is so highly sensitive that extraordinary measures are needed, the client should be consulted. [12]

The reasoning matters more than the medium. The committee examined online service providers—the cloud platforms of their era—and recognized that system administrators could access email for administrative and compliance purposes. [13] Federal law limited that access, and providers had formal policies narrowing inspection. [14] Those constraints were enough. The opinion even noted that commercial mail services reserve the right to inspect all packages and letters they handle, yet nobody suggests that this diminishes the user’s expectation of privacy. [15]

The lesson of Opinion 99-413 is that provider-side access does not automatically make technology use ethically unavailable. What matters is whether access is bounded, legally or contractually constrained, and incidental to the service. Opinion 99-413 reinforces that the framework for highly sensitive information is tiered, not binary: ordinary use of a reasonably constrained medium may be acceptable, while heightened sensitivity requires stronger safeguards or client consultation. [16] Although Opinion 99-413 spoke of a reasonable expectation of privacy rather than implied authorization, its practical holding—that lawyers may use technology that lets them do their work, without express client consent—is consistent with Rule 1.6(a)’s implied-authorization clause. The two rationales operate independently: if bounded provider access does not amount to revealing client information at all, Rule 1.6(a) is never triggered. And if it does, the disclosure is the kind impliedly authorized when appropriate to carrying out the representation.

The 2012 technology amendments strengthened that logic. They added Rule 1.6(c), requiring reasonable efforts to prevent inadvertent or unauthorized disclosure or access to client information, and Comment [18], which states that unauthorized access or inadvertent disclosure is not itself a violation if reasonable efforts were made. [17] ABA Formal Opinion 477R then applied those principles to electronic communication and cybersecurity. It endorsed a fact-specific process for reasonable efforts and recognized that cost matters: a lawyer may need to obtain the client’s informed consent regarding enhanced security measures, their costs, and their effect on the expense of representation when nonstandard security methods are not easily available or affordable. [18]

The same reasonableness tradition appears in cloud-computing guidance. New Hampshire’s ethics committee, for example, adopted the consensus that lawyers may use cloud computing if they take reasonable steps to keep sensitive client information confidential, and it treated cost, difficulty, sensitivity, and client impact as part of the analysis. [19] That framework accepted a simple practical fact: modern law practice often requires third-party technology. Ethics compliance depends on whether the lawyer has used reasonable professional judgment in selecting and using the service.

ABA Formal Opinion 512, issued in 2024 for generative AI, should be read as the next step in that progression, not as a repudiation of it. Opinion 512 begins by reciting Rule 1.6(a)’s full structure, including implied authorization. [20] It then identifies the specific risk posed by many current self-learning generative AI tools: their outputs could directly or indirectly disclose information relating to a client representation. For those tools, the opinion concludes, “informed consent is required” before entering client information. [21] But the opinion also recognizes uses for which informed consent is unnecessary because the lawyer is not inputting client information, and also cabins its analysis to the risks and capabilities of the tools as of publication. [22]

Although its language is broad, Opinion 512 does not transform Rule 1.6 into one that requires informed consent for all AI use. Its consent requirement is conditioned on tool design: the opinion requires informed consent before inputting client information into a tool “designed so that” its output “could lead directly or indirectly to the disclosure” of that information. [23] The trigger is the specific tool’s actual risk profile—its design, training behavior, and terms—not its mere categorization as an AI tool. Opinion 512’s separate warning about boilerplate engagement-letter provisions addresses the quality of consent, not the necessity of consent in every case. [24] Engagement letters remain a sensible place to disclose AI use, but transparency in the client relationship is different from a rule that consent is always required.

State guidance generally presents a balanced view. Texas Opinion 705 warns that lawyers should not unnecessarily retreat from technology that may save clients significant time and money, while emphasizing confidentiality and output verification. [25] A North Carolina opinion states that AI may be used competently and securely, with reasonable efforts to protect confidential information. [26] On the other hand, a Washington opinion distinguishes consumer AI from tools with contractual assurances of confidentiality and cautions against consumer tools where protection cannot reasonably be assured. [27] Overall, though, these opinions confirm the core point: AI is not prohibited; the task is to understand the tool, the information, the client relationship, and the safeguards. Professional commentary has often pushed the other way, reading Opinion 512 as requiring broader consent than the rule’s text and Opinion 512 together support. [28]

This more-permissive reading better fits the competence and fee obligations that make AI attractive in the first place. Lawyers are not presently required to use generative AI for any particular task, but they are expected to understand technologies that may materially affect the cost and quality of representation. [29] A confidentiality rule that effectively requires abstention unless a lawyer can afford enterprise procurement would sit uneasily beside that cost-conscious competence principle.

III. Reasonable Efforts Means Risk Management, Not Zero Risk

Comment [18] to Rule 1.6 supplies the analysis that current guidance often recites but rarely applies. It lists five factors for determining reasonable efforts: the sensitivity of the information; the likelihood of disclosure if additional safeguards are not used; the cost of those safeguards; the difficulty of implementing them; and the extent to which they adversely affect the lawyer’s ability to represent clients. [30] Two features of this framework deserve special attention.

First, Comment [18] is best understood as a residual-risk rule. It does not require the lawyer to eliminate every possibility of unauthorized access. It asks whether the remaining risk exposure is reasonable after considering the sensitivity of the information, the likelihood and consequences of disclosure, the cost and difficulty of added safeguards, and the effect of those safeguards on the representation. Some residual risk is tolerable if the lawyer’s efforts were reasonable. The profession’s emerging AI discourse often implies the opposite—as if any residual confidentiality exposure means the tool is unavailable. Comment [18] rejects that view. [31]

Second, the likelihood-of-disclosure factor is a marginal-risk inquiry. It asks what happens if additional safeguards are not employed. The question is not whether AI carries some risk in the abstract. It is how much incremental risk reduction a proposed safeguard would buy. A bounded AI subscription with no-training commitments, limited retention, and meaningful access restrictions reduces risk from the baseline of a self-learning tool that trains on prompts and redistributes inputs. [32] The next question is whether enterprise procurement would reduce risk enough to justify its cost and practical consequences.

If every incremental security improvement became ethically mandatory simply because it existed, the minimum standard would move whenever a vendor released a higher-priced tier. That is not how Comment [18] is written. It does not require lawyers to buy the maximum safeguard available in the market, regardless of cost.

Information sensitivity changes the calibration, but it should not collapse the analysis into a single answer. At the top of the sensitivity spectrum—classified material, sealed information whose disclosure would itself cause grave harm, or materials governed by a protective order forbidding AI use—enterprise-level protection or no AI at all may be the only defensible result. But most law practice occurs in the broad middle: information is confidential and important but not categorically beyond all technology-mediated handling. For that broad middle, the rules require classification, judgment, and safeguards, not abstinence. [33]

Output reliability and input confidentiality raise different problems. Output reliability is platform-neutral: hallucinated law is a problem whether the tool is free, consumer-grade, or enterprise-grade. Lawyers must verify citations, check legal propositions, and exercise professional judgment. Johnson v. Dunn [34] illustrates that point. Butler Snow avoided entity-level sanctions because it had AI policies, repeated internal warnings, and a verification requirement for its Westlaw CoCounsel platform; however, its individual lawyers were sanctioned because they ignored the safeguards available to them. [35] Institutional infrastructure matters, but enterprise AI alone does not eliminate error.

Input confidentiality is different. Rule 1.6 compliance depends on what the lawyer enters, how the tool is designed, what the terms say about training and retention, whether client consent has been obtained where required, and what safeguards are realistically available at the lawyer’s scale of practice.

Enterprise tools may be safer. But safer is not the same as ethically required. Consider a solo practitioner using a paid consumer AI service whose applicable terms disclaim training on her inputs, limit retention, and restrict third-party access. She disables optional data sharing, enters only information needed for the task, avoids highly sensitive records unless a separate analysis justifies their use, obtains client consent where warranted, and verifies every output. She has adopted substantial safeguards—more, perhaps, than many lawyers adopted when email and cloud storage became routine. Yet current guidance rarely tells her whether those precautions are enough.

This is where the stratified market matters most. Large firms can ask procurement teams, information-security officers, and vendor counsel to negotiate data-processing terms, audit rights, and retention windows. Solo and small-firm lawyers often cannot. They may have only the public-facing terms, the settings available in the product, and their own disciplined practices. Comment [18] does not ignore that difference: factor three asks about cost, factor four about difficulty, and factor five about whether additional safeguards impair representation.

That lawyer should not disappear from the analysis merely because her safeguards were purchased through a subscription screen rather than a procurement office. Comment [18]’s fifth factor—the effect of additional safeguards on the lawyer’s ability to represent clients—requires more. So does Opinion 477R’s recognition that cost and availability matter where enhanced security methods are not easily available or affordable. Read together with the Model Rules’ description of themselves as “rules of reason,” these provisions ask not only how to minimize exposure in the abstract, but how to do so while still permitting competent, timely, and economically realistic representation. [36]

Nor are contractual terms the only variable. Lawyer conduct matters too. A lawyer handling a personal-injury case might need to summarize thousands of pages of medical records quickly enough to meet a deadline. If the lawyer uses AI, she could separate the summarization workspace from other case work, upload only the records needed for that task, instruct the system to create pseudonymized summaries, move only those summaries into the main workspace, and delete the temporary project when the task is complete. These steps would further lower the residual risk from a reasonably bounded AI product. Whether this workflow is allowed in a particular case may depend on a protective order, client instructions, and the tool’s actual terms. But under Rule 1.6, the layered nature of the effort should matter. The analysis should not stop at whether the subscription was enterprise-grade.

No formal ethics opinion appears yet to apply Comment [18]’s cost-and-impact factors to the consumer-versus-enterprise divide in AI. [37] Opinion 512’s own recitation illustrates the gap: it lists the likelihood of disclosure, the sensitivity of the information, the difficulty of safeguards, and their impact on representation—but not cost, even though it is one of the factors noted in Comment [18]. [38] Ethics committees should take up that work, and they should reach conclusions, not merely list factors. A formal opinion that treats enterprise-grade security as the implicit minimum confuses the floor with the ceiling. The rules define enforceable minimum standards. Aspirational security practices may be wise, but an ethics opinion should not silently convert them into disciplinary requirements.

After all, the Model Rules describe themselves as rules of reason and as a basis for professional discipline, not as a catalogue of best practices. ABA formal opinions can provide guidance, but a best practice is not the same as a minimum condition of ethical compliance. [39]

IV. What This Means for Lawyers Today

For ordinary confidential client information—the material that makes up much of day-to-day legal work—the case for permissible use of bounded AI tools is strong. Rule 1.6(a)’s implied-authorization principle covers disclosures “appropriate in carrying out the representation,” [40] and lawyers have long used contract-bound technology vendors to facilitate that work. Where provider access is materially bounded by law, contract, and service function, the ethics question should turn on the tool’s actual risk profile, not on the mere fact that a third-party system is involved. Informed consent may be unnecessary for many ordinary uses, though disclosure through an engagement letter remains good practice.

But informed consent should not become an automatic requirement. In urgent, low-dollar, or document-heavy matters, clients may be hard to reach precisely when factual complexity and deadlines make AI assistance most useful. That practical reality does not eliminate consent duties; it cautions against treating consent as the universal answer. When consent is required or prudent, the better practice is specific, matter-sensitive communication explaining the intended use, the information involved, and meaningful alternatives—not a blanket engagement-letter sentence saying the lawyer may use AI.

For highly sensitive information, the calculus changes. Greater sensitivity increases the burden of justification and the safeguards required. Informed consent may be necessary. Enterprise procurement or abstention may be required in some matters. And privilege questions remain distinct from Rule 1.6. Even privilege doctrine, stricter than Rule 1.6 in important respects, sometimes protects communications involving third-party agents who facilitate legal advice. [41] United States v. Heppner, Warner v. Gilbarco, Inc., and Morgan show that courts are only beginning to sort out how privilege and work product apply to AI use. [42] Lawyers should not assume that a Rule 1.6 analysis resolves waiver, privilege, work product, or protective-order questions.

This separation matters because lawyers may comply with Rule 1.6 and still lose a privilege argument if the doctrine treats the interaction differently. Judge Jed Rakoff, in Heppner, rejected both attorney-client privilege and work-product protection for a criminal defendant’s independent use of Claude. [43] Warner [44] and Morgan [45] were more receptive to work-product protection in civil litigation. Those cases do not answer the ethics question for lawyers, but they warn against treating AI confidentiality as one problem with one answer. Rule 1.6, privilege, work product, protective orders, and client contracts each ask different questions.

Protective orders and client guidelines may also impose stricter limits than ethics rules. Morgan itself involved an amended protective order—a restriction independent of any ethics rule. [46] Outside-counsel guidelines may require particular tools or forbid certain uses. Those constraints are real. But they should be kept analytically separate. That a court order or client contract may demand more does not mean Rule 1.6 always demands it too.

A workable approach is straightforward: classify the information; read and document the tool’s current terms; use no-training and limited-retention settings where available; enter the minimum information reasonably needed; separate especially sensitive tasks from general workspaces; pseudonymize when useful; obtain client consent when the sensitivity, tool design, or representation warrants it; comply with protective orders and client guidelines; and verify every output. This is within the risk-management framework the rules already provide.

V. Why It Matters Beyond the Bar

The stakes extend beyond lawyers. Self-represented litigants face court rules and protective orders that import lawyer-confidentiality assumptions into contexts where those assumptions do not fit. They also face the same stratified AI market with fewer resources and no Model Rules framework to guide them.

There is already a model for bounded institutional assistance to the self-represented. Courts distinguish legal information from legal advice: staff may provide forms, definitions, procedural information, and neutral explanations, but may not tell a litigant what position to take. [47] That distinction can support AI guidance too. Teaching users to verify citations, compare AI output against official court forms, avoid entering protected information into public tools, and understand that AI output is not a substitute for legal advice is informational support, not individualized legal advice. Recent access-to-justice work likewise emphasizes training, risk management, and affordable deployment rather than prohibition. [48]

That guidance should be practical rather than promotional. Courts need not encourage litigants to rely on general-purpose AI for legal advice. They can instead acknowledge that many litigants already do, then provide warnings and verification guidance that reduce predictable harm. The same principle should govern guidance for lawyers: not enthusiasm, not prohibition, but disciplined risk management.

VI. Conclusion

The profession’s instinct to take AI confidentiality seriously is sound. Self-learning tools can create real confidentiality risks, and lawyers who input client information without reviewing terms, understanding retention, and considering consent have not made reasonable efforts under any sensible reading of the rules.

But the opposite error is now emerging. On input confidentiality, the profession has overread the rules. Implied authorization is part of Rule 1.6(a). Bounded third-party access has long been compatible with confidentiality in the ABA’s technology opinions. Comment [18] expressly includes cost, difficulty, and impact on representation. And the Model Rules are rules of reason defining minimum conduct, not aspirational best practices. [49]

A solo practitioner who opts out of data training, scopes inputs carefully, uses bounded tools, obtains consent where required, and complies with protective orders has made the kind of reasonable efforts Rule 1.6 asks for. The profession should say so clearly—through formal ethics guidance, not just academic commentary. If the minimum is interpreted to require security architecture available only to large players, the profession will have converted a rule of reason into a rule of exclusion.


[1] Morgan v. V2X, Inc., No. 25-cv-01991-SKC-MDB, 2026 WL 864223 (D. Colo. Mar. 30, 2026).

[2] Id. at *6.

[3] Id. at *1–2 (quoting plaintiff’s filing).

[4] Id. at *7.

[5] Id. at *7 n.5.

[6] See infra Sections II–III. For a parallel diagnosis, see Jonah E. Perlin, Client Confidentiality and Generative AI, 40 Harv. J.L. & Tech. (forthcoming 2027) (arguing that prevailing discussion has overstated some generative-AI confidentiality risks and that the central question is how lawyers should use such tools, not whether they may).

[7] See infra Section II (developing the implied-authorization pathway and the ABA's bounded-vendor line). No formal opinion yet states this conclusion in so many words, but it follows from the established authorities discussed in Section II. See Model Rules of Pro. Conduct r. 1.6 cmt. [5] (A.B.A. 2023) (providing that a lawyer "is impliedly authorized to make disclosures about a client when appropriate in carrying out the representation"); ABA Comm. on Ethics & Pro. Resp., Formal Op. 95-398 (1995) (noting that a lawyer who gives an outside vendor access to client files must make reasonable efforts, under Rule 5.3, to ensure the vendor protects confidentiality); ABA Formal Op. 99-413, infra note 10; ABA Formal Op. 477R, infra note 18.

[8] Model Rules of Pro. Conduct r. 1.6(a) (A.B.A. 2023).

[9] See, e.g., Cal. Standing Comm. on Pro. Resp. & Conduct, Practical Guidance for the Use of Generative Artificial Intelligence in the Practice of Law 5 (2026) (revising and replacing the committee’s 2023 guidance and directing that, generally, a lawyer “must not input any confidential information of the client into a generative AI solution that may present material risks to confidentiality or security, absent informed client consent”); Fla. Bar, Ethics Op. 24-1, at 7 (2024) (permitting AI use “only to the extent that the lawyer can reasonably guarantee compliance with the lawyer’s ethical obligations”—a standard stricter on its face than Comment [18]’s “reasonable efforts”).

[10] ABA Comm. on Ethics & Pro. Resp., Formal Op. 99-413 (1999) [hereinafter ABA Formal Op. 99-413].

[11] Id. at 2, 11.

[12] Id. at 11–12.

[13] Id. at 8–9.

[14] Id. at 9 (citing 18 U.S.C. § 2511(2)(a)(i)).

[15] Id. at 9 n.32. The opinion observed that commercial mail services routinely reserve the right to inspect all packages and letters, “yet no one suggests this diminishes the user’s expectation of privacy.” Id. The same logic applies to AI providers whose terms reserve bounded safety-review or abuse-prevention access; reserved rights of inspection, legally and contractually constrained, do not automatically destroy confidentiality.

[16] Id. at 11–12.

[17] ABA Comm’n on Ethics 20/20, Resolution 105A Revised 4–5 (adopted Aug. 6, 2012); Model Rules of Pro. Conduct r. 1.6(c) & cmt. [18].

[18] ABA Comm. on Ethics & Pro. Resp., Formal Op. 477R, at 4–6 (2017) [hereinafter ABA Formal Op. 477R].

[19] N.H. Bar Ass’n Ethics Comm., Advisory Op. 2012-13/04 (2013).

[20] ABA Comm. on Ethics & Pro. Resp., Formal Op. 512, at 6 (2024) [hereinafter ABA Formal Op. 512].

[21] Id. at 6–7.

[22] Id. at 7 & n.34.

[23] Id. at 7.

[24] Id. (stating that “merely adding general, boiler-plate provisions to engagement letters purporting to authorize the lawyer to use GAI is not sufficient” to meet the bar of informed consent).

[25] Pro. Ethics Comm. for the State Bar of Texas, Op. 705, at 5–6 (2025) (quoting Op. 680 (2018)).

[26] N.C. State Bar, 2024 Formal Ethics Op. 1 (Nov. 1, 2024) [hereinafter NC 2024 Formal Ethics Opinion 1].

[27] Wash. State Bar Ass’n, Advisory Op. 2025-05, at 1–4 (2025).

[28] See, e.g., Keith R. Fisher, ABA Ethics Opinion on Generative AI Offers Useful Framework, ABA Bus. L. Today (Oct. 3, 2024) (reading Opinion 512 as recommending that “lawyers secure clients’ informed consent before using client confidences in GAI tools”); Jeanne M. Huey, Generative AI for Lawyers Part 2: Maintaining Confidentiality, ABA Sec. of Litig., Ethics & Prof’lism Newsl. (Oct. 24, 2024) (reading Opinion 512 to mean that lawyers should obtain informed consent “before using any information related to the representation in GAI prompts—even within a firm’s ‘closed system’”). Neither Fisher nor Huey engages Rule 1.6(a)’s implied-authorization principle as a path to permissible use of client information in generative AI tools.

[29] See Model Rules of Pro. Conduct r. 1.1 cmt. [8] (A.B.A. 2020) (“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”); id. at r. 1.5(a) (prohibiting an “unreasonable fee” and listing among the reasonableness factors “the time and labor required” and “the results obtained”). The competence rule frames the duty as understanding the benefits and risks of relevant technology rather than adopting any particular tool; the fee rule ties the cost of representation to the time and skill a matter reasonably requires. Neither rule specifically mandates use of generative AI. See also ABA Formal Op. 512, supra note 20, at 11–12 (applying Rule 1.5 to generative AI and explaining that a lawyer who works more efficiently using such a tool generally may not charge the client for the time saved).

[30] Model Rules of Pro. Conduct r. 1.6 cmt. [18]. For an argument that Comment [18]’s factor-balancing framework should be reframed towards process-and-people-centered harm mitigation, see Jonah E. Perlin, Client Confidentiality as Data Security, 99 Wash. L. Rev. 781, 816–36, 840–41 (2024) (proposing revisions to Rule 1.6(c) and Comments [18] and [19]).

[31] For the most rigorous account of generative AI’s confidentiality risks, and a persuasive demonstration that the profession has overweighted disclosure risk relative to access risk, see Jonah E. Perlin, Client Confidentiality and Generative AI, 40 Harv. J.L. & Tech. (forthcoming 2027). On residual risk, the drafting history of the 2012 amendments is in accord. See ABA Formal Op. 477R, supra note 18, at 4 n.11 (observing that lawyers are not “the guarantors of data safety” and quoting the ABA Commission on Ethics 20/20’s report: “disclosures can occur even if lawyers take all reasonable precautions”).

[32] For examples of such terms on current consumer products, see OpenAI Help Center, Chat and File Retention Policies in ChatGPT, https://help.openai.com/en/art... (deleted chats are “scheduled for permanent deletion from OpenAI systems within 30 days,” subject to de-identification and legal or security exceptions); How Long Do You Store My Data?, Anthropic (updated Mar. 16, 2026), https://privacy.claude.com/en/... (deleted consumer conversations are “[d]eleted from our back-end storage systems within 30 days”; model-improvement training may be disabled in the product’s privacy settings; longer retention applies to chats flagged under specific rules and customer-submitted feedback). Terms change; the lawyer’s task is to know the applicable terms for the specific tool at the time of use.

[33] See ABA Formal Op. 477R, supra note 18, at 4–6.

[34] 792 F. Supp. 3d 1241 (N.D. Ala. 2025).

[35] Id. at 1261–68 (releasing Butler Snow from sanctions because it had policies and infrastructure; sanctioning three individual attorneys who ignored them).

[36] Model Rules of Pro. Conduct, Scope ¶ 14; ABA Formal Op. 477R, supra note 18, at 5.

[37] The closest analogs include Illinois State Bar Opinion 18-01 (Jan. 2018) (applying Comment [18]’s cost and difficulty factors to tracking software and noting that “few, if any, solo or small firm lawyers” could reasonably keep pace); NYC Bar Formal Opinion 2017-5 (July 2017) (stating that reasonableness standards depend on “the availability, costs, and challenges associated with implementing additional safeguards”); and NC 2024 Formal Ethics Opinion 1, supra note 26. In the AI context, Washington Advisory Opinion 2025-05 recognizes the consumer/enterprise distinction but does not address whether requiring the enterprise tier is itself reasonable for lawyers who cannot afford it. See supra note 26.

[38] ABA Formal Op. 512, supra note 20, at 6 (stating that lawyers “must assess the likelihood of disclosure and unauthorized access, the sensitivity of the information, the difficulty of implementing safeguards, and the extent to which safeguards negatively impact the lawyer’s ability to represent the client”—noting only four of Comment [18]’s five factors; cost appears in Opinion 512 only in its discussion of fees).

[39] Model Rules of Pro. Conduct, Scope ¶¶ 14, 20–21.

[40] Id. at r. 1.6 cmt. [5].

[41] See United States v. Kovel, 296 F.2d 918, 921–22 (2d Cir. 1961) (Friendly, J.) (recognizing privilege for third-party assistance—there, an accountant, with the opinion analogizing to an interpreter—when needed to facilitate attorney-client communication). The analogy is not exact: Kovel is a privilege case, not a Rule 1.6 case. But it establishes the principle that third-party involvement in the delivery of legal services does not automatically destroy confidentiality when the third party operates under appropriate constraints.

[42] United States v. Heppner, 820 F. Supp. 3d 292 (S.D.N.Y. 2026); Warner v. Gilbarco, Inc., 820 F. Supp. 3d 629 (E.D. Mich. 2026); Morgan, 2026 WL 864223; see also Assini v. Hayward, 2026 WL 1677232 (N.Y. Sup. Ct. 2026) (granting a self-represented defendant’s motion to quash a subpoena to an AI provider and treating his AI-assisted litigation preparation as protected work product, following Warner and Morgan). Heppner drew immediate criticism. See Bridget McCormack & Shlomo Klapper, A Judge Mistakes the Claude Chatbot for a Person, Wall St. J. (Apr. 6, 2026, at 12:58 ET), https://www.wsj.com/opinion/a-... (arguing that, if generalized, Judge Rakoff’s reasoning would unsettle routine cloud-based legal work by treating ordinary platform processing as equivalent to disclosure to a third party).

[43] Heppner, 820 F. Supp. 3d at 296–99.

[44] Warner, 820 F. Supp. 3d at 636–37 (denying the defendants’ request to overrule the plaintiff’s work-product objections to producing AI materials, in part because defendants’ theory would “nullify work-product protection in nearly every modern drafting environment, a result no court has endorsed”).

[45] Morgan, 2026 WL 864223, at *4 (explaining that work-product protections can be asserted in connection with AI use and distinguishing Heppner based on the case’s civil posture and the litigant’s pro se status).

[46] Id. at *6–8.

[47] See John M. Greacen, Legal Information vs. Legal Advice: A 25-Year Retrospective, 106 Judicature 48, 50, 52–54 (2022); Model Code of Jud. Conduct r. 2.2 cmt. [4] (A.B.A. 2020) (a judge may make reasonable accommodations for self-represented litigants).

[48] Colleen V. Chien & Miriam Kim, Generative AI and Legal Aid: Results from a Field Study and 100 Use Cases to Bridge the Access to Justice Gap, 57 Loy. L.A. L. Rev. 903, 938–40 (2024); ABA Task Force on Law and Artificial Intelligence, Year 2 Report on the Impact of AI on the Practice of Law 24–26 (Dec. 2025).

[49] Model Rules of Pro. Conduct, Scope ¶¶ 14, 20–21.


Note regarding AI Usage: Claude and ChatGPT were used to assist with drafting, structural critique, shortening, source analysis, and editing.