Cloud-based software services and AI tools have become routine in modern law practice. Lawyers use them to draft documents, send and receive communications, manage cases, store files, and analyze information. Lawyers often use these tools without giving much thought to what happens to confidential client data once it leaves the lawyer’s computer. Do third parties have a right to access, review or share the confidential data? If so, has the lawyer breached the duty of confidentiality?

Rule 1.6 prohibits a lawyer from revealing information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized, or another exception applies. When a lawyer uploads or inputs client information into a software platform governed by terms and conditions, the lawyer is not merely storing data. The lawyer is agreeing on behalf of the client to whatever access rights the provider reserves for itself. If those terms permit the provider to access, review, or share the information, the lawyer has effectively authorized a third party to receive confidential client information. Whether the provider ever exercises that right is beside the point. Ethics analysis turns on the permission granted, not the frequency of its use.

I suspect that many North Carolina lawyers are using software services and AI tools that give the provider the right to review, access, or share information entered by the lawyer. Based on my discussions with a number of lawyers, I would also guess that most lawyers using these services and tools have not read the terms and conditions to determine what the provider’s rights are with respect to the confidential information.

So, I asked the State Bar for guidance on this issue in the context of AI platforms. In the absence of informed consent or some exception under Rule 1.6(b) to the duty of confidentiality, does a lawyer breach the duty of confidentiality by entering confidential information on an AI provider’s platform where that provider has the right under the terms and conditions of the user agreement to access, review or share the information entered. Here is the response I received:

[I]t constitutes a breach of confidentiality for a lawyer to input confidential client information into an AI tool if the lawyer knows that the AI provider may access, review, or share that information. The potential for sharing such information is particularly concerning.

However, with the client’s informed consent, a lawyer may enter confidential information into an AI platform. Informed consent requires explaining to the client the provider’s terms of service and use—specifically, that any information entered may be accessed, reviewed, stored, and possibly shared with others, including potentially the opposing party and counsel.

I assume that this rule is not limited to AI tools. It would apply to any software platform where confidential client information is stored. If a lawyer knows that a software or AI provider may access, review, or share confidential client information, entering that information without the client’s informed consent constitutes a breach of confidentiality under Rule 1.6.

This guidance underscores a critical point: lawyers cannot ignore the data-access provisions buried in software terms of service. Clicking “I agree” has ethical consequences.

According to the State Bar, informed consent requires more than a generic statement that a firm uses technology or cloud-based tools. The lawyer must explain, in a manner the client can understand, that information entered into the platform may be accessed or reviewed by the provider, that the information will be stored on third-party servers, that the information may be shared, potentially even with opposing parties or counsel, and the nature of the risks associated with that access. Only after receiving that explanation and disclosure can a client meaningfully decide whether to consent. 

For lawyers navigating cloud-based platforms and AI tools, several practical lessons emerge:

1. Read the data-use provisions of software terms and conditions, particularly clauses addressing access, review, and sharing.
   
2. Do not assume vendors are agents of the client or lawyer for confidentiality purposes.
   
3. Avoid platforms that reserve broad rights inconsistent with the duty of confidentiality.
   
4. Obtain informed client consent when confidential information may be accessible to third-party providers.

The ethics rules do not prohibit lawyers from using cloud-based software or generative AI. But they do require lawyers to understand what they are authorizing, to explain material risks to clients, and to choose tools that respect the profession’s core obligation of confidentiality. Confidentiality does not disappear in the cloud. It simply becomes more visible and more dependent on the lawyer’s judgment.