AI ethics are just the beginning for law firms

Joseph Lazzarotti

An excellent article in The Florida Bar News on December 11, 2025, Baker-Barnes Briefs House Panel on AI Ethics, Discipline, and Emerging Safeguards, summarized The Florida Bar’s efforts to address the use of AI among Florida law firms and attorneys. The discussion centered, in particular, on attorneys’ use of generative AI and is a must read. But it is not the end of the story. In addition to ethics requirements, AI use implicates privacy and cybersecurity laws and obligations in ways that may not be obvious at first glance. Lawyers and law firms, as businesses, need to look beyond the rules of professional responsibility to a complex patchwork of laws and business risks flowing from a myriad of AI use cases.

AI presents numerous challenges to the practice of law, including inaccurate information appearing in court filings and the potential compromise of the attorney-client privilege when using third-party AI transcription tools. Indeed, these emerging issues underscore the vital importance of The Florida Bar’s Ethics Opinion 24-1 and the Rules Regulating The Florida Bar in guiding attorneys through this rapidly evolving technological landscape. Opinion 24-1 correctly emphasizes duties of competence, confidentiality, supervision, and proper billing practices. However, The Florida Bar’s role is limited to providing authoritative guidance on the Rules of Professional Responsibility. Lawyers and law firms must recognize that their obligations concerning privacy, AI, and cybersecurity extend far beyond those rules.

Lawyers and Law Firms as Businesses

Law firms occupy a unique dual role in the modern economy. While they are professional service providers bound by rules of professional conduct, they often are simultaneously businesses that serve as vendors to their clients and as employers to their employees. This dual identity means that when law firms and attorneys collect and handle personal and confidential information and deploy AI technologies, they must satisfy not only their professional responsibilities to clients, but also a complex web of statutory, regulatory, and contractual obligations applicable to their own business and to their clients’ businesses. Lawyers who focus exclusively on ethics rules while overlooking these broader obligations do so at their peril.

Compliance Beyond the Rules of Ethics

In most cases, the practice of law will involve data and/or activities that are subject to wide-ranging privacy, AI, and cybersecurity requirements. Those requirements may flow from several sources, including (i) an industry-specific, complex regulatory framework, (ii) contractual demands by clients, and (iii) best practices expected in an increasingly competitive environment for providers of legal services (who are not always lawyers).

Generally Applicable Privacy and Security Laws

As with many states, Florida has enacted privacy and security laws that regulate businesses generally, including law firms. These laws often apply to businesses both directly (with respect to data owned by the business, e.g., personal information about its employees) and indirectly (with respect to the business when acting as a service provider to other covered businesses). Consider the Florida Information Protection Act (FIPA)[1], which imposes obligations on businesses that maintain certain personal information of Florida residents. Beyond the obligations FIPA imposes on law firms concerning their own data, firms using AI tools in connection with their practice need to be aware of the FIPA obligations that attach to that use.

Key points about FIPA:

  • Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.[2]
  • A “covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.[3]
  • A “third-party agent” means an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity.[4]
  • Personal information under FIPA includes, for example, an individual’s first and last name in combination with elements such as Social Security number, financial account number, other government ID numbers, medical history, and mental or physical condition.[5]
  • Security safeguards: Reasonable security measures must be implemented to protect personal information from unauthorized access, disclosure, or misuse.

Accordingly, when law firms input employee or client information into AI systems, they are engaging in data processing activities that may trigger FIPA obligations. The fact that the information is being used to provide legal services does not exempt firms from compliance with FIPA. Of course, FIPA is not the only law in Florida establishing privacy and security obligations, and a firm’s clients may be grappling with a number of federal and state laws nationally. These obligations are pushed down to the law firm, often by contract.

Industry-Specific Regulations

Lawyers and firms that represent clients in heavily regulated industries likely face compliance obligations beyond those that exist under generally applicable privacy and security laws. In some cases, these regulatory frameworks may require compliance with extensive data privacy and security controls. Practicing lawyers may not be familiar with these requirements, and they likely will require some time to get up to speed.

Consider, for example, the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA)[6]. Attorneys representing healthcare providers, health plans, and other covered entities under HIPAA must recognize that, as counsel for such entities, they may (and likely do) qualify as “business associates” under HIPAA where their representation requires access to protected health information (PHI). When using AI for this work, in addition to their internal HIPAA obligations, lawyers should be thinking about issues such as:

  • Conducting security risk assessments of AI tools to identify and mitigate potential vulnerabilities to electronic PHI.[7]
  • Executing Business Associate Agreements (BAAs) with AI service providers before disclosing any PHI to those providers.[8]
  • Confirming that firm attorneys and staff are aware of the HIPAA minimum necessary rule.[9]
  • Implementing breach notification procedures in the event of an unauthorized access to or disclosure of PHI through AI systems.[10]

The penalties for HIPAA violations can be severe, ranging from civil monetary penalties to criminal prosecution in egregious cases. HIPAA compliance is not optional simply because a lawyer believes their use of AI is permissible under ethics rules.

Of course, HIPAA is not the only framework under which obligations flow from clients to their legal representatives. In the financial services industry, it might be banking regulations and the Gramm-Leach-Bliley Act (GLBA); in the education sector, the Family Educational Rights and Privacy Act (FERPA). The point is that attorneys and firms need to be sensitive to these obligations when leveraging AI to provide legal services.

Contractual Obligations

Beyond traditional engagement letters, clients are imposing additional terms and conditions on their providers of legal services. These include outside counsel guidelines, data privacy agreements, and data security risk assessments, which focus on, among other things, mandates for minimizing data risks. As it relates to AI, these mandates might include:

  • Technology approval requirements: Clients may require prior written approval before law firms use specific AI tools or cloud-based services.
  • Data security standards: Client guidelines may specify minimum security controls, encryption requirements, or certification standards (such as SOC 2 Type II compliance).
  • Prohibition on certain tools: Some clients explicitly prohibit certain AI platforms and providers, or require that only enterprise-grade, legal-specific AI solutions be used.
  • Data residency requirements: Clients may mandate that their data remain within specific geographic boundaries or be stored only in approved data centers.

Violating these contractual provisions could expose law firms to breach of contract claims, even if the firm has complied with all applicable ethics rules. Law firms must carefully review their existing client agreements before deploying AI tools in their practice.

The Path Forward

Law firms contemplating or currently using AI technologies should implement a comprehensive compliance framework that embraces The Florida Bar Rules but also addresses the compliance obligations of the business of law practice. Below are several steps lawyers and law firms should consider as they weigh leveraging AI (and other technologies) in their business.

  1. Know your clients and your firm. Before thinking about how much an AI tool can save in time and spend, think about your clients and your firm. In many cases, clients are not completely aware of their own regulatory obligations, including which obligations they need to pass down to their outside counsel. In some cases, such as under HIPAA, those obligations will apply regardless of an agreement. Also, track the nature, extent, sensitivity, format, location, and context of the personal and confidential business information the firm maintains. A matrix of laws and contract obligations may apply.
  2. Conduct a risk assessment. Evaluate AI tools not only for ethics compliance but also for privacy law compliance, contractual obligations, and industry-specific regulations. Carefully review the terms and conditions.
  3. Implement written policies. Develop firm-wide policies governing AI use that address all relevant compliance frameworks.
  4. Review client agreements. Ensure all personnel at the firm understand their obligations when performing work for certain clients. When making technology decisions, it is important to check whether the firm agreed to consult a client first.
  5. Vendor due diligence. Thoroughly vet AI service providers for their security practices, data handling policies, regulatory compliance, and contractual protections.
  6. Training and oversight. Provide comprehensive training to attorneys and staff on all compliance obligations related to AI use.
  7. Review compliance. Periodically review AI tool usage to ensure ongoing compliance with all applicable obligations.
  8. Document compliance. Maintain records of compliance efforts, vendor assessments, client consents, and internal reviews.

Conclusion

The Florida Bar’s guidance on AI ethics is invaluable and represents essential reading for all Florida attorneys. However, lawyers and law firms must not make the mistake of believing that compliance with professional responsibility rules is sufficient.

As businesses and vendors to their clients, law firms using AI technologies must simultaneously navigate ethics rules, privacy laws, contractual obligations, and industry-specific regulations. The failure to do so creates legal, financial, and reputational risks that can far exceed the consequences of ethics violations alone.

The prudent approach is to recognize that responsible AI adoption requires a holistic compliance strategy that extends well beyond the professional responsibility rules — comprehensive, multi-faceted, and continuously updated as both technology and legal requirements evolve.

[1] Florida Statutes § 501.171.

[2] Florida Statutes § 501.171(2).

[3] Florida Statutes § 501.171(1)(b).

[4] Florida Statutes § 501.171(1)(h).

[5] Florida Statutes § 501.171(1)(g).

[6] 45 CFR Parts 160-164.

[7] 45 CFR 164.308(a)(1)(i).

[8] 45 CFR 164.504(e)(2)(ii)(D).

[9] 45 CFR 164.502(b).

[10] 45 CFR 164.410(a).

Joseph J. Lazzarotti is a principal in the Tampa office of Jackson Lewis and a member of the Bar's Cybersecurity & Privacy Law Committee. He founded and currently co-leads the firm's Privacy, AI & Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. This column is presented by The Florida Bar Cybersecurity & Privacy Law Committee. The information provided is for general informational purposes only and does not constitute legal advice. Attorneys should conduct their own analysis and consider all relevant facts and circumstances for their clients’ specific situations.
