Questions Answered from 2024 Professionalism for New Attorneys Program
New bar admittees from around the state gathered to network and learn at the NCBA’s recent Professionalism for New Attorneys program. These tech-savvy new attorneys had some great questions during the Technology and Your Responsibility to Clients program. Here are some of their questions and the answers.
Q: What would you say about the firms that switch over to Linux Distributions for all their desktop computing needs as a security measure?
A: A lawyer’s duty of confidentiality extends to deploying best practices for IT security. NC RPC 1.6 Confidentiality of Information in Comment 19 outlines what attorneys need to do to act competently to preserve confidentiality, including a list of factors to be considered in determining the reasonableness of the lawyer’s efforts. The Rule also notes that additional steps to comply with other privacy laws are beyond the scope of the rule.
Deploying a Linux distribution instead of a more traditional operating system (Mac, Windows) does not necessarily make the computing environment more secure. The distro you choose, how it is configured, and how it is deployed all affect the level of security you can attain. No matter which OS you choose, patching and monitoring are important, as are user permissions. Linux may hamper your ability to use some standard business applications and may require more user training. There is certainly no reason NOT to use a Linux distribution if you have the technical skills and support necessary. It isn’t inherently more secure; it is more obscure and thus less of a target for common threats. In a recent Reddit thread, one user points out that “security is not an operating system; security is not a piece of software. Security is a culture. It’s habitual.” Most attacks these days target browsers and email, not operating systems, so end user awareness and training will remain essential no matter what OS you choose for your firm.
Q: Do you know whether using Windows + Shift + S to take a limited screenshot carries metadata that would reveal the entire screenshot when held up to scrutiny? Or is that a safe option to “crop” an image in the same vein as printing to PDF?
A: During the program, it was noted that when the cropping tool in Microsoft Word is used to crop an image, the entire image remains in the document. The full image can be revealed by simply selecting the image and clicking “Crop” in the Picture Format tools in the Ribbon (see this example). The question is whether capturing the image with the Windows snip tool or another screen capture tool, and cropping it before inserting it into the Word document, avoids this potential exposure. The answer is yes; by grabbing a screenshot and editing/cropping it in an editor prior to insertion into Word, the inadvertent exposure of the entire image can be avoided.
North Carolina’s 2009 Formal Ethics Opinion 1, Review and Use of Metadata, rules that a lawyer must use reasonable care to prevent the disclosure of confidential client information hidden in metadata when transmitting an electronic communication or document. When the opinion was written, metadata that could cause confidentiality issues was typically file properties, track changes, and comments. However, there are other types of metadata in an electronic document. In Excel you may have hidden columns. They are not visible, but they are easy to reveal. If you copy a chart from Excel into a Word document and link it so that the data is updated in the document if the spreadsheet is changed, a recipient of that document can right click and choose “edit data in Excel” and view the entire spreadsheet and all the workbooks in it (try it here). Macros may expose information, hyperlinks may send someone to poorly protected internal documents, and footers can reveal file paths. A speaker’s notes in PowerPoint may provide information that was not intended for viewing.
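A pre-send check for the hidden content described in the two paragraphs above can be scripted, because a .docx file is a ZIP archive of XML parts. The following is an added example, not part of the original article; the function names and the sample file are constructed for illustration, and it covers only crop markers, embedded files, tracked changes, comments, and the author property.

```python
import io
import re
import zipfile

# A crop in Word is only a display rectangle; the full picture stays in word/media/.
CROP = re.compile(r'<a:srcRect\b[^>]*\b[ltrb]="-?\d+"')
TRACKED = re.compile(r'<w:(?:ins|del)\b')  # tracked insertions and deletions
AUTHOR = re.compile(r'<dc:creator>([^<]*)</dc:creator>')


def audit_docx(data: bytes) -> dict:
    """Report hidden content in a .docx before it is sent outside the firm."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        read = lambda n: z.read(n).decode("utf-8", "replace") if n in names else ""
        body = read("word/document.xml")
        core = read("docProps/core.xml")
        notes = read("word/comments.xml")
    author = AUTHOR.search(core)
    return {
        "cropped_pictures": len(CROP.findall(body)),
        "media_files": [n for n in names if n.startswith("word/media/")],
        "embedded_files": [n for n in names if n.startswith("word/embeddings/")],
        "tracked_changes": len(TRACKED.findall(body)),
        "comments": notes.count("<w:comment "),
        "author": author.group(1) if author else None,
    }


def build_sample() -> bytes:
    """Constructed sample: a ZIP holding only the parts the audit reads."""
    parts = {
        "word/document.xml": '<w:document><w:body>'
            '<w:ins w:id="1"><w:r><w:t>new</w:t></w:r></w:ins>'
            '<w:del w:id="2"><w:r><w:delText>old fee</w:delText></w:r></w:del>'
            '<pic:blipFill><a:blip r:embed="rId5"/>'
            '<a:srcRect l="25000" r="40000"/></pic:blipFill>'
            '</w:body></w:document>',
        "word/comments.xml": '<w:comments><w:comment w:id="0"><w:p/></w:comment></w:comments>',
        "word/media/image1.png": "placeholder bytes for the uncropped picture",
        "word/embeddings/Microsoft_Excel_Worksheet.xlsx": "placeholder workbook",
        "docProps/core.xml": "<cp:coreProperties><dc:creator>A. Lawyer</dc:creator></cp:coreProperties>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in audit_docx(build_sample()).items():
        print(f"{key}: {value}")
```

Any nonzero count or non-empty list is a prompt to open the document and clean it (for example with Word’s Document Inspector, or by compressing pictures with cropped areas deleted) before transmitting it.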
Q: In regard to confidentiality and A.I., does it make a difference in our obligations if an attorney uses a closed A.I. where they delete the information, and the model does not train on the data input (like Lexis A.I.) vs open A.I. (ChatGPT)?
A: On November 1, 2024, 2024 Formal Ethics Opinion 1, Use of Artificial Intelligence in a Law Practice, was adopted. Inquiry #2 asks, “May a lawyer provide or input a client’s documents, data, or other information to a third-party company’s AI program for assistance in the provision of legal services?” The answer is “yes, provided the lawyer has satisfied herself that the third-party company’s AI program is sufficiently secure and complies with the lawyer’s obligations to ensure any client information will not be inadvertently disclosed or accessed by unauthorized individuals pursuant to Rule 1.6(c).” The opinion suggests what “reasonable care” might look like, including the reputation and stability of the company, the terms of service and security measures used by the company, data retention and ownership considerations, and use of information provided by the user to train publicly available AI programs. Inquiry #2 summarizes: “Generally, and as of the date of this opinion, lawyers should avoid inputting client-specific information into publicly available AI resources.”
In Inquiry #3 the opinion echoes the query from the PNA attendee. If a lawyer were to have an internal AI tool using law firm servers and infrastructure, does that change the data security requirement in Inquiry #2? The answer is No. Specifically, “AI programs developed for use in-house or by a particular law practice may also be derivatives of a single, publicly available AI program; as such, some of these customized programs may continue to send information inputted into the firm-specific program back to the central program for additional use or training.” No matter whether the GAI product is free, paid, “closed” or “open”, the obligations to understand how and what information (input/output) is stored and for how long, whether it is used to train the model, whether it is reviewed for the purposes of improving the model, and other questions pertaining to the confidentiality of information need to be satisfied. Read the terms of service and the privacy policy. Ask the vendor for a definitive response on the use of information input into their system regarding storage and training of the model. If the investigation indicates that all the security concerns are met, consider sanitizing any input that would reveal reference to a client or party’s name, and any other revelatory confidential information.
Thanks for the great questions during the Professionalism for New Attorneys program. Welcome to the profession – we are glad you are here!