Tech Toolbox: Implications of Generative AI for Law Departments, Part 2

Banner artwork by Beautrium / Shutterstock.com

All right. So, is GenAI just a fancy computerized parrot that has been trained to mimic the way humans write (but with access to pretty much all the information on the World Wide Web)? If so, what's the big deal? What could it do for you or your law department, and what legal considerations are there when your clients inevitably begin using it?

Side note: I began writing this column last month, and I am not usually so slow to get a draft to my editor. But every time I sit down to wrap it up, I realize that the GenAI playing field has evolved dramatically, to the point where some of what I have already written has become outdated or irrelevant. I now realize that an article on this topic at this time cannot avoid that problem, but I want to make sure you realize it too. So, take all of this with a large nugget of salt, and use it as a starting, not a finishing, point.

Scrutinize for accuracy

I want to begin by repeating some cautions from my prior column. We know that GenAI is already transforming search. Google’s CEO Sundar Pichai has said that it will replace or at least supplement all current search engines within the next few years — so it is a very big deal. But GenAI has specifically been trained to mimic human writing to sound more like a human, not necessarily to become more “accurate.” What it really emphasizes, in a way, is providing plausible, human-like responses. As lawyers, we know that plausibility and accuracy are not the same things. So at least during this early, pioneering period in GenAI, human agents need to scrutinize anything it produces to determine whether it's “plausible” responses are sufficiently accurate or complete.

Another thing GenAI can do fairly well is take plain language instructions to create computer code. This is fantastic, in the sense that you will one day be able to ask GenAI to write a helpful program for your laptop (right now, you would have to limit your code generation requests to simple bits and pieces; for example, you might ask ChatGPT for a program to put a menu on the menu bar in a particular app you are building, and then you could paste that into the larger project). It is worrisome, however, in the sense that a disgruntled employee might soon be able to ask ChatGPT to generate code that will lock your company out of its own computer network, a la ransomware, or steal trade secret information, etc. But that is not a worry for today or tomorrow. Maybe next month.

Mitigate misuse

What it can also do, all too well, is help criminals create more effective phishing campaigns that use social engineering to hack into your company. One of the things we have come to rely upon to identify phishing emails was their awkward phraseology and syntax, but ChatGPT does a very good job at writing polished email content. And it is already being used to generate disinformation campaigns, which can be effective against companies as well as countries. Lawyers should probably get involved in discussions with senior management about how to respond to these risks.

As noted above, this is a rapidly evolving situation. You will have to keep a close eye on it, because there will be more and more risks to which your company will have to respond. But I believe there is a great deal of good news to balance out the bad.

Balancing automation and human oversight

Right now, GenAI can already be very helpful in several ways, and these are improving by the day. It is good at answering questions in ways that provide a synthesis of what would otherwise be multiple and often conflicting search engine results.

For example, I asked it to summarize US law relating to data breaches. It responded:

US law relating to data breaches can be summarized as follows:

1. Notification Requirements: All 50 states have passed data breach notification laws that require entities that suffer a data breach to notify affected individuals in a reasonable time frame. In addition, certain industries, such as healthcare and financial services, are subject to additional federal legislation, such as HIPAA and GLBA, that have similar notification requirements.

2. Security Requirements: Entities that collect and store personal information are required to take reasonable measures to protect that information from unauthorized access, destruction, or disclosure. Failure to do so can result in legal liability under state and federal laws, depending on the circumstances of the breach.

3. Enforcement: Both state and federal regulators have the authority to enforce data breach notification and security requirements. Violations of these laws can result in significant penalties, including fines and other sanctions.

Overall, US law relating to data breaches is complex, and varies by state and industry, but generally focuses on protecting personal information and ensuring that entities take reasonable measures to prevent, detect, and respond to data breaches.

This is a decent, if not comprehensive, answer, but it indicates the ways this could be used instead of a standard search engine to cut to the chase on many topics. You can improve the way it responds, too. For example, you can ask it to cite its sources and it will give you a comprehensive list. Then you could ask it to eliminate certain dubious sources and provide an improved answer, and it will do that, too. And, if it makes a mistake, you can tell it so, and it will improve its answer and even thank you for the feedback! You can also limit its sources to whomever you, or it, identifies as the top experts on a topic, or you can ask it to answer the question in ways those experts likely would have.

This makes it an incredible tool. Try it yourself. Ask it who are the top US experts on privacy law, for example, and then ask it how those experts would summarize the EU privacy laws. That answer will be much better than if you’d just asked ChatGPT to summarize those laws on its own.

Here is an example of another query I gave it:

I live in Pennsylvania. What do I need to do if my company suffers a data breach?

If your company suffers a data breach that affects Pennsylvania residents, you will need to comply with Pennsylvania's data breach notification law, which requires you to take the following steps:

1. Determine the scope of the breach: You will need to investigate the breach to determine the type and amount of data that was accessed, as well as the number of people affected.

2. Notify affected individuals: If the breach involves sensitive personal information, such as Social Security numbers or financial account information, you will need to notify affected individuals as soon as possible. The notification must be made in writing and must include information about what types of information were compromised, and steps the individual can take to protect themselves.

3. Notify the Attorney General: If the breach affects more than 1,000 Pennsylvania residents, you will need to notify the Attorney General's Office.

4. Notify credit reporting agencies: If the breach involves Social Security numbers, you will need to notify the major credit reporting agencies, such as Equifax, Experian, and TransUnion.

5. Implement reasonable security measures: You will need to implement reasonable security measures to prevent future breaches, such as encrypting sensitive data, implementing access controls, and monitoring network activity.

Failure to comply with Pennsylvania's data breach notification law can result in significant penalties and legal liability. If you are unsure about how to comply with these requirements, it is recommended that you seek the advice of legal counsel.

Again, this is actually a good, if rudimentary, summary of what you should do under PA law. It’s like questions I have asked legal interns or paralegals, and this answer is better than most of the first drafts I’ve gotten from them. Will it replace interns, paralegals, experienced lawyers? Probably not. But it could certainly help those folks provide better work product.

Potential applications

GenAI is also incredibly good at summarizing judicial opinion, legal trends, etc. And yes, a lawyer will need to review any such responses for the foreseeable future, but the possibilities are pretty exciting, right?

Have you seen the science fiction movie Her? In it, the main character had an earbud connected to an artificial intelligence that answered questions in a human voice. That is coming to a reality near you, because voice is coming to GenAI in the very near future. Can you imagine what that may mean in terms of business travel alone if you could ask it to recommend nearby restaurants or tourist attractions, translate language on the fly, and so forth? And then, consider the implications of call centers it may be able to replace, clients who might ask it for legal advice instead of asking you, etc.

Here are some other things you could do with it:

Education

Gen AI could provide skills training in a variety of areas. Sal Khan of Khan Academy fame believes it will soon become one of the best personal tutors on the planet. Lawyers could use it to quickly get up to speed on unfamiliar legal topics, or to improve technology skills, e.g., in Excel, Word, or Outlook. You could use it to help put together client training modules (overseen by experienced lawyers, of course).

Checklists

Long-time readers know that I am a big fan of checklists for both lawyers and their clients. They are one of the best ways to ensure that humans react appropriately in an emergency or other stressful situation, but they also help ensure consistency and thoroughness. Gen AI can quickly create checklists.

Test, evaluate, and embrace GenAI's potential

In closing, the best advice I can give you is to play with it yourself to see what it can do and how it can help. Microsoft and Google are both introducing their free versions slowly by invitation, so you may need to pay for a subscription from a third party if you want to test it now, which I highly recommend. Your clients almost certainly are already trying it!

As always, please let me know if you have any questions or comments. I’d especially like to hear feedback from anyone who has already become familiar with it.