AI for US Law Firms: State Bar Ethics on AI and What You Must Know Before Deploying
Quick Take / Direct Answer
Multiple state bars — including California, New York, Florida, and the ABA — have issued AI guidance confirming AI-assisted legal work is permissible under existing ethics rules, provided attorneys apply competence, confidentiality, and supervision obligations. No state bar has issued a blanket prohibition. The key obligations: understand the AI tool you are using, supervise its output, and protect client confidentiality in how the tool is deployed.
ABA Formal Opinion 512 (2023) — The Foundation
The American Bar Association's Formal Opinion 512 (2023) addressed generative AI in legal practice and confirmed:
- Competence (Model Rule 1.1): Lawyers must understand the benefits and risks of the AI tools they use, including how each tool generates output and what its limitations are.
- Confidentiality (Model Rule 1.6): Lawyers must take reasonable steps to prevent disclosure of client information when using AI tools. This means understanding exactly how the tool handles client data — where it is processed, whether it is used for training, and who can access it.
- Supervision (Model Rules 5.1, 5.3): Supervising attorneys are responsible for ensuring AI output is reviewed before it influences legal advice or client communications.
- Candour (Model Rule 3.3): AI-generated legal research must be verified before citation in court. Never submit AI-generated citations without independent verification.
State-by-State AI Guidance Summary
| State | Guidance Issued | Key Requirements |
|---|---|---|
| California | State Bar AI Task Force Report (2024) | Competence, confidentiality, disclosure in certain contexts |
| New York | NYSBA Task Force Report (2024) | Supervision, client consent for sensitive data |
| Florida | Bar opinion pending as of 2026 | Deferring to ABA 512 in interim |
| Texas | Guidance issued via Committee on Professional Ethics | Competence, data privacy review required |
| Illinois | ISBA guidance (2024) | Confidentiality focus; recommends explicit DPA review |
Check your specific state bar's website for current guidance — this area is evolving.
Confidentiality Requirements: What US Firms Must Do Before Using AI on Client Data
Step 1: Identify every AI tool used by attorneys and staff at your firm. Include Microsoft Copilot, ChatGPT (any version), Harvey, Clio AI features, and any other tool that processes text.
Step 2: For each tool, obtain and review the vendor's Data Processing Agreement (DPA). Confirm: (a) client data is not used for model training; (b) data is processed in the US or an adequately protected jurisdiction; (c) the vendor is subject to audit rights.
Step 3: Document your firm's AI policy in writing. This should cover: approved tools, prohibited tools, required review procedures for AI output, and client data handling requirements.
Step 4: Train all fee-earners on the policy. Competence under Model Rule 1.1 includes understanding the tools being used.
Step 5: Review your engagement letters. Many firms now include brief AI use disclosures in their engagement letters as a proactive transparency measure.
FAQs
Q: Can we use ChatGPT at our law firm? A: Consumer ChatGPT (chat.openai.com) should not be used with client data — its default privacy policy permits use of conversations for model training, which would constitute a confidentiality breach under Model Rule 1.6. ChatGPT Enterprise, with a signed DPA, may be used for non-sensitive tasks. For client document work, private AI deployment is the correct architecture.
Q: Does AI-generated research need to be verified? A: Absolutely. ABA Opinion 512 and multiple state bar opinions confirm that citations generated by AI must be independently verified before use in court filings, briefs, or legal opinions. Several high-profile attorney disciplinary matters have resulted from submitting AI-generated citations without verification.