Risk Update

Risk Roundup — Managing AI Risk, Non-adverse Client Identification Not Required, California State Bar Compliance Reviews Underway

Posted Dan Bressler

David Kluft asks: “Do I have to tell my client who my other clients are if there is no conflict?” —

  • “An IL company found out that that a departing employee, who was in the process of starting a competing entity, had been in touch with the company’s outside counsel law firm.”
  • “The company asked the law firm what was up, and the firm stated that it did not represent the departing employee in any matter adverse to the firm, but ‘if you are also asking the broader question of whether we represent [her] on other matters, I cannot answer that.'”
  • “The company later sued the firm on theories of fraudulent misrepresentation (falsely claiming there was no adversity) and fraudulent concealment (not disclosing whether they represented her at all).”
  • “The 7th Cir. Affirmed dismissal of the fraudulent concealment allegation, because there was no duty to disclose the identity of one client to another absent a conflict. The Court also affirmed summary judgment against the fraudulent misrepresentation allegation, because the firm had not been paid any attorneys’ fees after the alleged misrepresentation so there was no harm.”
  • Decision: here.

State Bar Launches Mandatory Client Trust Account Compliance Reviews” —

  • “The State Bar of California launched its mandatory Client Trust Account Protection Program (CTAPP) compliance review today. Beginning September 29 through October 31, 2025, the State Bar will randomly select and notify 100 attorneys representing a cross-section of the attorney population to complete a CTAPP compliance review for reporting year 2024. “
  • “Prior to launching the mandatory program, the State Bar conducted a voluntary compliance review pilot to test procedures and received direct attorney feedback on the voluntary review. The State Bar issued an open call for volunteers in April 2024. Over 300 firms applied to participate, and 21 firms were selected to represent various practice sectors, firm sizes, and trust account recordkeeping methods. Voluntary compliance reviews began in February 2025 and were completed in August 2025. Eighteen firms completed the process. “
  • “‘The voluntary pilot program gave us valuable insights that shaped the compliance review process, making it more effective for both attorneys and the State Bar,’ said Steven Moawad, Special Counsel in the Division of Regulation, which is in charge of CTAPP. ‘By launching the mandatory reviews, we’re taking an important step toward strengthening client trust account practices statewide and deterring public harm before it occurs.'”
  • “For more information, visit CTAPP Compliance.”

Navigating Privilege Risks in the Age of AI: Practical Guidance for Legal Teams” —

  • “As tools using generative artificial intelligence (AI) become more integrated into legal workflows, they introduce new and complex risks to attorney-client privilege, confidentiality, and discoverability. Data retention practices, unclear usage protocols and even routine interactions with AI tools can inadvertently expose confidential communications and compromise critical legal protections.”
    “AI Data Retention and Disclosure Risks: Generative AI platforms often retain user inputs and outputs for training purposes, and if privileged or confidential client information is entered into public or nonsecure AI tools, it may be stored and become discoverable in later litigation. AI platforms that don’t have clear data-handling policies or maintain weak security practices increase the risk.”
    “Mitigation Strategies: Use private, non-training AI tools, which typically do not employ user interactions to train their algorithms or store content beyond the immediate session, thus greatly reducing the risk that privileged information might be accessed… Avoid inputting privileged information into AI platforms. Rigorously evaluate AI tools to ensure they do not retain or share sensitive data. “
  • “Legal teams should carefully assess when and how AI-powered tools are used in situations involving attorney-client privilege. To maintain privilege, four elements must be present: (1) a communication (2) made in confidence (3) between privileged persons (i.e., attorney or client) (4) for the purpose of obtaining or providing legal advice. One of the most common ways that privilege can be lost is if the confidential communication is voluntarily disclosed to a third party outside the attorney-client relationship.”
  • “There are also many ways that attorneys and employees using AI can inadvertently waive attorney-client privilege. For example, companies may upload confidential documents to public-facing chatbots to query the documents and identify key information or use AI-powered notetakers to summarize otherwise privileged meetings, potentially exposing sensitive content to third-party platforms.”
  • “A cautionary example is the Otter.ai litigation in the Northern District of California. This summer, Otter.ai became the subject of a class action complaint alleging that the company violated federal and state privacy laws by using features that automatically joined virtual meetings on platforms like Zoom and Teams to record and transcribe conversations without the participants’ knowledge or consent. It further alleges that Otter.ai used these recordings to train its AI machine learning models.”
  • “The lawsuit underscores the critical need for organizations to fully understand the functionalities of AI-powered tools before deploying them in sensitive contexts. Companies that use automatic notetakers may inadvertently jeopardize attorney-client privilege by allowing privileged conversations to be transcribed and potentially used to further train AI models.”
  • “Courts may view the use of such tools as a voluntary disclosure to a third party, waiving privilege. As the Restatement (Third) of Law Governing Lawyers makes clear (§79 cmt. g (2000)): ‘The disclosing person need not be aware that the communication was privileged, nor specifically intend to waive the privilege.'”
  • “Another area that lawyers should consider is the discoverability of AI prompts, responses and generated content. Courts may not grant privilege to AI-generated content, particularly if the platform is accessible to the public. User prompts that produce such responses are generally considered nonprivileged since the initial communication does not involve an attorney.”
  • “However, lawyers often maintain records of the prompts they use with AI, which may involve work product protection concerns. Courts typically protect work product that reflects a lawyer’s choices about intrinsically unprotected items, such as witnesses selected for interviews or documents chosen for client preparation. For example, a lawyer’s curated set of cases may be exempt from discovery by opposing parties, and stored AI prompts and responses may be treated as legal work product.”
  • “When integrating AI tools into an organization’s workflows, many legal departments lack formal policies and protocols governing AI use in privileged contexts. This creates inconsistency in practice and heightens the risk of inadvertent waivers of attorney-client privilege or work product protections. To reduce this risk, legal teams should develop tailored guidance that reflects the organization’s risk tolerance, regulatory obligations and the specific AI tools in use.”
  • “By staying informed and engaged, legal teams can better anticipate changes, adapt policies and safeguard privileged information in an increasingly complex AI environment”