Best practices: Securing law firm data in the era of AI

The introduction of AI into law firms has created tension for legal practices. On the one hand, law firms want to be innovative, efficient, and seen to be using the latest technology. On the other hand, AI raises some concern that certain key tasks are no longer managed by actual people. After all, clients want a trained legal mind to solve their legal challenges, not a chat bot.

Yet the other alarm bell that tends to sound at the mention of AI is perhaps even more germane for legal practitioners: data security. How can lawyers make use of AI while keeping a firm grip on the confidential and privileged information they hold about their clients? How can the firm protect against the risk of a security breach, which could lead to the loss of clients, legal sanction, and considerable damage to the firm’s reputation?

In this blog, we look at how law firms are using AI securely and ethically to protect their firms and how IT can implement safeguards to protect themselves against the risk of data security non-compliance.

How law firms are using AI

Increasingly, law firms are using AI to speed up time-intensive tasks like disclosure and document reviews. Large language models (LLMs) can be trained on seed data sets to identify the most relevant material first so that reviewers can find key documentation more quickly.

Other tools can prepare a first draft of a lease report by scanning the document and extracting the key information. Some tools help predict legal costs with a few simple inputs.

In these situations, AI improves a firm’s workflow efficiency and cost-effectiveness for the client. It also enhances the human element of a firm’s workforce by empowering professionals to commit more of their efforts toward higher-value tasks that demand their expertise.

When it comes to data security, AI can play a big role in detecting, analyzing, containing, and recovering after an incident. iManage Threat Manager can help detect any unusual behavior at the DMS level, where all the sensitive content is stored. AI-based rules can reduce the risk of false positives, reduce the burden on the security team, and enable the integration of DMS monitoring into their overall security operations.

General risks of using AI in law firms

There is no doubt that AI presents tremendous promise for the legal profession. Yet integrating AI into common legal workflows demands a measured approach to sidestep the potential risks it can pose for law firms.

For example, using a free version of ChatGPT can open a can of worms in a legal setting. By design, the technology is continually trained on the input it is given, which includes input from users. If firm employees input confidential, sensitive, or privileged information, there is no limitation on how the free version of ChatGPT may use this information—it could even offer confidential client information as part of its response to another firm or external party.

Other embarrassing examples include lawyers or litigants in person who have relied on ChatGPT to draft pleadings. ChatGPT and other AI-powered chat bots are known to ‘hallucinate’ and reference non-existent case law. These invented cases have made it into pleadings, only to be challenged and uncovered as inauthentic by the judge.

Of course, not all AI solutions are cut from the same cloth. For example, the AI-powered assistant Ask iManage gives legal professionals the power to extract, summarize, and analyze key information from across documents and emails, referencing only an organization’s own data. And, because it provides citations for the responses it provides, Ask iManage users can be confident that its outputs are accurate. 

This means that law firms must have policies on AI usage for all employees to ensure no confidential data is uploaded to free AI tools. They must also ensure that proper training for appropriate AI usage is offered. And they need a company-approved tool for employee use.

For as much change as AI introduces, the need to ensure the maintenance of security protocols remains constant. New technology can introduce gaps within an existing solid foundation you may maintain, but if you have a strong set of processes and procedures to safeguard your data, adopting new technology can remain relatively painless.

Any new technology should adhere to the existing policies around how data is processed and stored, as well as how long it is retained. As is often the case with securing data, governance is key.

Standards to evidence compliance

Many law firms adopt ISO standards to maintain compliance across their business and demonstrate the highest levels of reliability to their clients. Some of the most common standards include ISO 27001 for IT security and ISO 90001 for quality.

Joining those standards, the recently established ISO 42001 has quickly become a similarly integral part of forward-thinking organizations’ compliance efforts. On AI management systems, ISO 42001 provides guidelines for the governance and management of AI technologies.

This accreditation may give clients confidence that law firms have robust compliance measures in place to use AI efficiently, effectively, and, most importantly, safely.

How iManage can help

The iManage platform gives your law firm comprehensive security to protect your content. End-to-end security supports robust data protection, and 24/7 system monitoring helps detect abnormal activity. The default document encryption is applied automatically to all content uploaded to iManage, protecting data from unauthorized access. iManage is a trusted partner with decades of experience helping knowledge-based organizations securely manage their data. We proudly hold relevant certifications to ensure compliance across your data managed on our platform.

Whether you are introducing AI into the business for the first time or looking to enhance your current environment, iManage can help you adopt the right solution with the proper security procedures to keep your data safe.

Find out more here.