Your lawyers use AI every day. Do you know what client data they're sharing?
Associates draft contracts with ChatGPT, paralegals summarise discovery with Claude, partners polish advice letters with Gemini. Vireo Sentinel gives law firms visibility into AI usage and catches sensitive material before it reaches external platforms.
What's actually happening
Contract review
An associate pastes a 40-page share purchase agreement into ChatGPT for a clause summary. Party names, commercial terms, IP provisions. Every detail of that deal now sits on OpenAI's servers.
Family law affidavit
A solicitor types a client's account of the marriage breakdown into Claude to structure affidavit material. Financial positions, parenting arrangements, personal allegations: all now on a third-party service.
Discovery bundle
A litigation partner uploads 200 pages of discovery documents into Gemini. Witness statements, internal emails, documents subject to confidentiality orders. All potentially privilege-waiving.
Client confidentiality can't survive on trust alone
Only 28% of lawyers say their organisation has a clear, usable AI policy (LexisNexis, 2025). Everyone else is relying on good intentions.
The data at risk in every matter
Every file in your firm carries an obligation. Here's what flows into these tools unchecked.
Privileged communications
Legal advice, litigation strategy, settlement discussions, counsel opinions, lawyer-client correspondence.
Discovery and litigation
Witness statements, affidavits, expert reports, internal corporate documents, emails under confidentiality orders.
Commercial and transactional
M&A documentation, due diligence reports, share purchase agreements, financing terms, IP schedules.
Client personal data
Family law financial disclosures, property settlements, wills, estate plans, powers of attorney.
Financial records
Trust accounts, settlement figures, cost agreements, billing data, third-party payment details.
Internal firm data
HR records, partnership agreements, staff performance reviews, internal communications, business strategy.
Your professional duties already apply
Lawyers don't need to wait for AI-specific legislation. Existing professional conduct rules and privacy laws already cover this.
Australian Solicitors' Conduct Rules
Client confidentiality (Rule 9)
In effect now
Requires lawyers to maintain confidentiality. Pasting privileged material into a public AI service is a potential breach regardless of intent. This obligation extends to how lawyers use technology with client information.
Legal professional privilege
In effect now
May be waived if confidential communications are disclosed to a third party. When a lawyer inputs privileged material into a platform like ChatGPT, that material is transmitted to the provider's servers. Whether this constitutes waiver is untested in Australian courts, but the risk is growing.
Privacy Act 1988 (POLA Act 2024)
Statutory tort from 10 June 2025
Individuals can pursue damages of up to $478,550 for serious privacy invasions. Corporate penalties reach $50 million. OAIC enforcement priorities for 2025-26 specifically include AI scrutiny.
NSW Supreme Court Practice Note SC GEN 23
In effect from February 2025
Includes specific rules for AI use in litigation. Confidential or restricted material must not be input into generative AI platforms unless confidentiality and training safeguards exist. Other jurisdictions are expected to follow.
SRA Standards and Regulations
Solicitor accountability for AI use
In effect now
Solicitors remain personally responsible for confidentiality when using technology. If an AI system compromises client information, the solicitor is liable, not the provider. COLPs are expected to own regulatory compliance when new technology is introduced.
SRA guidance on AI (developing)
Expected 2026
In February 2026, the SRA delivered a webinar outlining its developing framework for AI in legal practice, with further guidance and research due later in the year. Firms should be documenting all AI use and conducting regular risk assessments now.
UK GDPR and Data Protection Act 2018
In effect now
DPIAs required before deploying new technology processing personal data. Sharing matter information with third-party AI providers requires a lawful basis. ICO fines up to 17.5 million GBP or 4% of global turnover.
Confidentiality and privilege risk
In effect now
Solicitors should ensure clients are thoroughly briefed on privilege risks before any AI system is used. Information entered into public tools may be used to train future model iterations, creating ongoing exposure.
EU AI Act and GDPR
GDPR data minimisation
In effect now
Sending personal information to generative AI services beyond what's strictly necessary is a data minimisation violation. GDPR fines up to 20 million EUR or 4% of global turnover.
AI Literacy requirements
February 2025
Organisations must ensure staff have sufficient AI literacy. Law firms need to demonstrate their people understand the risks of sharing sensitive information with these systems.
CCBE Code of Conduct
In effect now
Designates confidentiality as a fundamental and primary right and duty of the lawyer, with no time limit. Extends to all documents and communications.
EU AI Act penalties
August 2026 for high-risk systems
Up to 15 million EUR or 3% of global turnover for non-compliance with high-risk requirements. Documentation, logging, human oversight, and risk assessments apply.
ABA Model Rules and state ethics
ABA Model Rule 1.6 (Confidentiality)
In effect now
Requires lawyers to make reasonable efforts to prevent unauthorised disclosure. ABA Formal Opinion 512 specifically addresses generative AI, warning that lawyers must understand whether AI systems send confidential information as feedback to the system's database.
ABA Model Rule 1.1 (Competence)
In effect now
Includes a duty to understand the technology being used in practice. Over 30 states have issued AI-specific guidance or ethics opinions.
Court standing orders on AI
Active enforcement
Courts in multiple states have standing orders requiring disclosure of AI-assisted filings. In December 2025, the Arkansas Supreme Court adopted a rule warning that disclosing confidential or sealed information to generative AI may violate professional conduct rules, with potential disciplinary consequences.
State privacy laws
Varies by state
California CCPA/CPRA, Colorado AI Act (effective June 2026), and other state-level frameworks create additional obligations for handling personal information through generative AI services.
How Vireo Sentinel helps law firms
See what's happening
Which platforms your people use, how often, and what type of work goes in. Spot the associate who lives in ChatGPT and the paralegal team using Claude for summaries before a regulator does.
Catch privileged data before it leaves
Real-time detection of names, case references, and sensitive terms before they leave the browser. Warns the lawyer and gives them options: cancel, redact, edit, or override with a documented justification.
Prove governance works
Compliance reports with sections mapped to relevant frameworks. When someone asks how you protect their information, or the law society asks about your AI governance, show them evidence instead of a policy PDF.
What this looks like in practice
The employment dispute brief
A litigation associate pastes unfair dismissal instructions into ChatGPT, including performance reviews, salary, and medical certificates. Before it sends, the extension picks up the employee's name and health information, warns the associate, and offers to redact.
Family law financial disclosure
A family lawyer types a client's financial position and parenting concerns into Claude. The extension catches names, children's details, and financial figures across multiple categories, and offers to redact before submission. The lawyer strips the identifiers and still gets structured output.
When discovery gets pasted
A paralegal starts pasting key documents from a 150-page discovery batch into Claude. Vireo flags party names, corporate references, and financial figures in each paste. Every interaction is logged with the option to redact or override.
The partner who should know better
A senior partner drops an entire advice letter into Gemini to tighten the drafting. Full name, matter details, legal strategy. Same intervention as a graduate would get. Seniority doesn't override protection.
Built for law firms
Warns, doesn't block
Associates keep working on their matters. Choices, not roadblocks.
Deploys in minutes
Browser extension. No agents, no proxies, no IT project required.
Privacy by design
Sensitive content detected and redacted in the browser, before it reaches our servers.
Affordable
Enterprise governance without the enterprise price tag. Built for firms that don't have a six-figure DLP budget.
Explainable detection
Deterministic pattern matching. When the law society asks how it works, you can give them a straight answer.
See how your firm uses AI
Start free
Vireo Sentinel supports your compliance efforts but does not provide legal advice. You remain responsible for your organisation's compliance obligations.