As attorneys, we're increasingly hearing about exciting new AI tools that promise to streamline our practice. From document analysis to drafting assistance, these tools offer compelling benefits. However, before we rush to adopt them, we need to ensure they meet the high standards our clients expect and deserve. In this post, I'll share what I've learned about evaluating AI vendors from a security and privacy perspective.
When you're looking at an AI vendor's offerings, there are certain features that should be absolute deal-breakers if they're missing. Let's break these down in plain English.
First and foremost, you need a clear commitment from the vendor that they won't use your clients' information to make their AI smarter. Look for explicit statements in their privacy policy that say they won't use your data to "train" their AI models. Think of it this way: You wouldn't want your clients' sensitive legal documents being used to help the AI company improve their product for other customers. Many vendors use vague language like "we may use customer data to improve our services." That's a red flag. You want to see specific commitments that your clients' information will only be used to provide the service you're paying for.
Legal documents often go through multiple drafts, and sometimes sensitive information needs to be completely removed from a system. Your AI vendor should have clear, specific policies about data deletion. They should tell you exactly how quickly they'll delete data when you ask them to, and how they'll prove to you that it's really gone. Be wary of vendors who say they keep data in backups for extended periods or make it difficult to delete information. Your clients' right to privacy doesn't expire just because their data is in an AI system.
Whether you're handling corporate transactions, litigation documents, or sensitive client communications, this information deserves the highest level of protection available. Look for vendors who use strong encryption (they should mention specific standards like "AES-256" and "TLS 1.3"). If their security sounds less robust than what your online banking uses, it's probably not good enough for legal documents.
While some features are non-negotiable, others fall into the "strongly preferred" category. Here are the key ones:
Ideally, you want your clients' data stored in the United States, where you understand the legal protections that apply. Some vendors process data globally, which can create unnecessary complications. Ask where your data will live and who can access it.
While not absolutely necessary, it's incredibly helpful if the vendor has experience working with law firms. They'll better understand why certain security features matter and how to implement them in ways that work with legal workflows.
Different matters need different levels of protection. A vendor that understands this will let you set up varying security levels for different types of documents - internal drafts might need less stringent protection than final client deliverables or confidential case materials.
Some features aren’t critical but can make your life easier while maintaining security:
Just as important as knowing what to look for is knowing what should send you running in the other direction. Here are some major warning signs:
When evaluating an AI vendor, start with the must-haves. If they don’t meet those requirements, don’t proceed, no matter how impressive their features might be. For vendors that clear that hurdle, look at how well they handle the important-but-flexible features, and use the nice-to-haves as tiebreakers.
Remember: as attorneys, we’re not just protecting documents – we’re protecting our clients’ most sensitive information and maintaining the trust they place in us. Taking the time to properly evaluate AI vendors isn’t just good practice – it’s part of our professional duty.
