Harris Beach attorney Brendan Palfreyman notes “Tate Group Automotive v. Legacy Automotive Capital” —

• “To my knowledge this is the fifth decision in the US to address issues regarding attorney-client privilege and work product in relation to a parties ‘conversations’ with generative AI programs. This one comes to us from Texas state court. “
• “In Tate Group Automotive v. Legacy Automotive Capital, the plaintiff’s principal uploaded a zip file of confidential discovery materials to ChatGPT and used it to analyze litigation strategy, including prompting the AI to roleplay as defense counsel and predict how they’d think about the case. Defendants discovered this through a privilege log entry, and the dispute landed before Judge Grant Dorfman in the Texas Business Court.”
• “Judge Dorfman ruled in plaintiff’s favor, citing Warner v. Gilbarco (E.D. Mich. 2026) and Morgan v. V2X (D. Colo. 2026). The Judge found that work product waiver requires disclosure to an adversary, or in circumstances that substantially increase the likelihood of adversary access. Uploading to ChatGPT didn’t clear that bar, at least under Texas Rule 192.5(a)(1), which extends work product protection to materials prepared ‘by or for a party.’”
• “But the court still ordered the plaintiff to disclose by Bates number every discovery document that was shared with ChatGPT in relation to the question of whether uploading confidential materials to ChatGPT violates a standard protective order. Most protective orders say nothing about AI at all – something to think about when negotiating a protective order at the outset of a case. “

And David Kluft notes this example of AI protective order restrictions:

• “From an SDNY case yesterday. I think this is the shortest and simplest AI provision in a protective order that I have seen. Basically, it just says that confidential information must stay confidential when put into AI, so don’t use an AI platform that can’t do that. Simpler and shorter is probably a good idea in most cases:”
• “’10. Absent the prior written consent of the producing Party or an order of the Court, no receiving Party shall upload, submit, disclose, quote, feed, or otherwise provide any Confidential Material to any artificial intelligence, machine learning, language model, generative text, or similar technology or service (collectively, ‘AI Tool’) unless that AI Tool:”
  • “(a) is an enterprise-grade platform that the receiving Party (or its counsel) has licensed;”
  • “(b) is subject to a binding written agreement that (1) requires the provider to keep all user-supplied data strictly confidential, and (2) expressly prohibits the provider from using such data for training, fine-tuning, product improvement, or any purpose other than providing the contracted-for services; and”
  • “(c) employs technical and organizational security measures reasonably designed to prevent any unauthorized access, disclosure, or use of Confidential Material. The obligations and restrictions of this paragraph apply even where the data or the Confidential Material has been anonymized.’”
• Order: here.

“Firm Says Assistant Stole, Passed On Client Communications” —

• “A Houston law firm on Thursday told a Texas state court that an erstwhile legal assistant stole heaps of attorney-client communications that she subsequently misused, including by relaying sensitive emails to a lawyer representing the wife of a firm attorney in the middle of a divorce.”
• “The Watts Law Firm PC claimed that former legal assistant Kisanet Mogos had access to firm documents, communications, emails and calendar information, and while working at the firm, she surreptitiously downloaded the documents onto her personal iCloud. Those documents ended up in the hands of parties who should not have been able to access them, the firm said.”
• “‘The only means to have possession of these emails was either Mogos forwarded the emails to herself from [Joseph Watts]’ firm email or she printed out copies without authorization from [the firm or Watts],’ Watts Law told the court in its complaint.”
• “In April, she filed a bar grievance against Watts that contained communications between him and a client. That same month, an attorney representing Watts’ wife in a divorce produced a printed copy of an internal firm email that confirmed a financial transaction during a deposition.”
• “‘The only possible source of the documents was Mogos,’ Watts said, adding that she seemingly worked in concert with his wife and her attorney.”
• “Watts Law asked the court to find that Mogos stole the documents, breached her fiduciary duty, and engaged in a conspiracy. It also asked the court to award exemplary damages for fraud and attorney fees.”

“Law firm Fox Rothschild hit with class action over data breach” —

• “U.S. law firm Fox Rothschild was sued on Tuesday in a proposed class action ​lawsuit for allegedly failing to safeguard sensitive personal data ‌and allowing hackers to access people’s names and Social Security numbers in a data breach in May.”
• “The lawsuit alleges that the ​data breach was carried out by Silent Ransom Group. ​The group has been targeting law firms since 2023, according ⁠to the FBI.”
• “The lawsuit was brought by Jasmine Trotter, a ​Georgia resident who said Fox Rothschild possessed her personal information in ​connection with an unspecified legal case. Trotter estimated there are thousands of potential class members.”
• “Trotter alleged that Fox Rothschild did not issue a notice about ​the data breach and failed to use reasonable procedures to ​keep her data secure.”
• “Mark McCreary, Fox Rothschild’s chief AI & information security officer, in ‌a ⁠statement said they’re continuing to investigate the breach ‘and will provide notice as required by applicable law.’”
• “McCreary said one attorney at the firm was ‘the victim of a sophisticated social engineering event’ and that ​the breach was ​limited to ⁠a single device.”
• “The firm’s data security practices ‘limited the potential scope of this event,’ McCreary said.”
• “Law ​firms ⁠have faced mounting lawsuits stemming from hacking incidents. Some, including Gunster Yoakley & Stewart, Orrick Herrington & Sutcliffe, and Bryan Cave Leighton Paisner, have reached settlements in recent ⁠years.”

“Lewis Brisbois Cyberattack Shows Shift in Big Law Threat” —

• “A cyberattack on Lewis Brisbois illustrates how hackers target large law firms by cold-calling remote employees. Hackers earlier this month tried to gain access to Lewis Brisbois employees’ accounts by posing as firm IT workers in phone calls. The attack showed some of the hallmarks of recent attacks on other large firms, in which cybercriminals pivoted away from phishing emails in favor of pressuring employees to act over the phone.”
• “Several Lewis Brisbois support staff members work remotely or on hybrid schedules, signing into the Lewis Brisbois computer network from their personal devices. That set up, while not uncommon for firms post-COVID, made the firm vulnerable to threat actors posing as tech experts seeking remote control of a device already accessing the firm’s virtual network, cybersecurity professionals say.”
• “‘Large law firms remain attractive targets because they maintain large swaths of juicy information,’ said Jesse Lemon, a cybersecurity lawyer with The Beckage Firm. ‘It makes them a one-stop shop for threat actors.’”
• “It’s not clear who was behind the Lewis Brisbois attack and whether they were able to infiltrate the firm’s network. Representatives for the firm, which has some 1,600 lawyers nationwide, did not respond to comment requests.”
• “Some hacker groups look for the law firms’ cyber insurance policies and request policy limits as ransom, said Melissa Ventrone, a Clark Hill partner who advises clients on data security and privacy. Ventrone said she has heard of one law firm, which she declined to name, paying $10 million to avoid the release of hacked data.”
• “‘This threat group understands the value of the data to the law firm,’ she said.”