I've spent months trying to answer what seems like a simple question:

Can law firms use AI tools and still stay compliant?

I'm an advisor to several small law firms. I help them grow while also achieving operational excellence.

Over and over, I kept running into the same problem. I'd see tools like Clio, Harvey, and various AI assistants plastered with badges: "256-bit encryption," "SOC 2 compliant," "HIPAA compliant." Sounds safe.

But what does that actually mean? And is it enough?

I searched everywhere — Google, the ABA website, ChatGPT — looking for a definitive checklist. Something that says: "If you're going to use software in a law firm, it must have these characteristics." I couldn't find it.

Then I connected with Allison Mulford, an attorney who specializes in AI governance and data privacy. She literally writes white papers and spends all day working in security and compliance. Our conversation was incredibly clear, thoughtful, efficient, and helpful.

The highlights from our conversation are below. Hopefully, this gives you new clarity and insight that seems to be so rare these days on this topic.

Note: While this post focuses on attorneys, similar practices apply to accountants, financial advisors, and other professional service firms handling sensitive client data.

Part 1: The Mindsets That Actually Matter

Mindset #1: AI Doesn't Get a Free Pass

Anything that is illegal for a human to do will still be illegal if AI does it on your behalf. For example:

  • Humans shouldn't discriminate.
  • Humans shouldn't misrepresent or commit fraud.
  • Humans shouldn't record someone without consent in states that require it.

Neither should your AI.

This sounds obvious, but it's profound when you think about implementation. When we're setting up AI agents — writing prompts, building guardrails — we need to ensure the AI adheres to the same standards we'd hold a human employee to. You wouldn't let a paralegal discriminate in client intake, so make sure your AI chatbot doesn't either.

Mindset #2: Your Existing Policies Are the Foundation

I asked Allison about finding some master list of AI compliance requirements. Her response surprised me: Start with what you already have.

Any guidelines your firm has around client data — confidentiality policies, how you handle records, professional rules of conduct — those apply to AI too. AI governance shouldn't deviate from your existing policies and procedures. It's a tool that allows you to work more efficiently within existing frameworks, not a separate thing.

If your firm requires segregated client portals for document storage, that same principle applies when you're evaluating an AI tool. If you have confidentiality obligations in your engagement letters, those need to carry through to any software touching that data.

Note: if you don't have guidelines yet for your firm's use of client data, contact Allison and she can help pull that together for you. Her contact is at the bottom of this article.

Mindset #3: Badges Aren't Enough — Make Vendors Prove It

When a vendor says they're "HIPAA compliant" or "SOC 2 certified," that's marketing. It's reasonable to ask them to prove it.

Allison gave me a great litmus test: If a tool claims to be HIPAA compliant, they should either provide a Business Associate Agreement (BAA) along with their vendor terms, or be willing to sign one you provide. If they hesitate or don't know what you're talking about, that tells you something.

Side note on SOC 2: Allison mentioned there's commentary in the industry that SOC 2 by itself doesn't carry as much weight as it might seem. It's a starting point, not an ending point. Look for vendors who also do ISO audits or align with NIST frameworks that cover more niche areas relative to your organization. These provide an AI or privacy-related complement to a standard information security audit — something beyond just that one checkbox.

Mindset #4: Training Data Is the Hidden Landmine

This is the AI-specific issue that keeps people up at night: Is the vendor using your client data to train their model?

There's nothing inherently wrong with training AI on your firm's data — if it's the right kind of data. Uploading your own documentation to train a support bot on how to do customer service? Totally fine. That's business data being used for your benefit.

But if the tool is ingesting client health records, case details, or personal information to improve its model for all customers? That's a problem. You need to ensure two things: (1) your data is only used to train your instance, not the broader model, and (2) if personal data is involved, you've disclosed that to clients (including in your Legal Services Agreement) and gotten appropriate consent.

Mindset #5: Connector Tools Need Scrutiny Too

I asked about tools like Zapier — the connectors that bridge your software together. For example, we're looking at a tool called Ion8 that takes call transcripts and logs them into Clio. Supposedly, the data only passes through Ion8 but isn't stored there.

Allison's take: Even "pass-through" tools need vetting. Look for zero-day data retention policies — meaning they don't hold onto your data after processing. They should also have data processing agreements that address what happens when personal data passes through their system.

Just because data isn't stored doesn't mean it isn't seen or incapable of infiltration.

Mindset #6: Not All Data Is Created Equal

I asked about the difference between someone filling out a contact form on a law firm's website versus handling their medical records.

Contact information from someone who reaches out to you is "business contact information." They initiated the relationship; they've implicitly consented to be contacted for that purpose. The privacy laws treat this differently than, say, protected health information.

What matters more is what happens after. If someone says "stop contacting me," do you have a mechanism to honor that? That's where firms get in trouble — not with the initial intake, but with failing to respect opt-outs.

Part 2: Your Software Evaluation Checklist

Based on my conversation with Allison, here's a practical checklist for evaluating any software or AI tool. I've broken it into two categories: what you can do yourself, and when you probably need professional help.

DIY Due Diligence

Before purchasing any tool, verify:

  • Does the vendor provide documentation of their security certifications? (Not just badges — actual audit reports or certifications.)
  • If you handle medical records/PHI, will they sign a Business Associate Agreement (BAA)?
  • Do they have ISO certification in addition to (or instead of) SOC 2?
  • Do they audit against NIST or another recognized framework?
  • Is the tool/subscription provided direct to the law firm by the vendor under contract (not a third-party model the vendor licenses)?

For AI-specific tools, confirm:

  • Is there an explicit "no training" clause for client/personal data?
  • If training does occur, is it segregated to your instance and for your benefit only?
  • Do you retain ownership rights over all input and output data?
  • For chatbots/agentic AI: Is there disclosure to users that they're interacting with AI?
  • Have you updated your client engagement letter (LSA) to reflect AI use and data handling?

For connector/API tools (Zapier, Ion8, etc.):

  • Do they have a zero-day data retention policy?
  • Is there a data processing/protection agreement in their terms?
  • Do they guarantee no training on pass-through data?

For any tool that stores data:

  • Are there industry-standard technical security measures (encryption, access controls)?
  • Are there organizational security measures (employee training, incident response)?
  • Is there appropriate client-to-client data segregation?

When to Get Professional Help

The DIY checklist will get you 70% of the way there. But some situations warrant bringing in someone like Allison:

  • Comprehensive terms review: When you need a detailed analysis of a vendor's terms and conditions, identifying risks and non-standard clauses.
  • Policy development: If your firm doesn't have existing policies on client data handling, AI use, or vendor procurement, you need those foundations in place.
  • Complex AI implementations: Building custom AI agents or workflows that touch sensitive data.
  • Multi-jurisdictional considerations: If you serve clients in states with different privacy laws, or internationally (hello, GDPR).
  • When personal data is involved: Disclosure obligations, consent requirements, and privacy policy updates get complicated fast.

The Bottom Line

There's no single "AI compliance checklist" because AI compliance isn't separate from your existing obligations. It's an extension of them.

Start with your current policies. Apply them to new tools. Verify vendor claims. Pay special attention to training data and data retention. And when things get complicated, get professional help.

The firms that get this right won't just avoid compliance problems — they'll be able to adopt new technology faster and with more confidence than their competitors.

Onwards and upwards,
Tim

Tim Francis is an advisor to multiple law firms. He helps attorneys grow their law firms and achieve operational excellence. Tim has been a guest lecturer at Yale, NYU, and the University of Texas. He's also appeared on the websites of Forbes and Inc. Magazine.

Resources Mentioned

Advisor — Tim Francis

Attorney — Allison Mulford

Allison Mulford is an attorney specializing in AI governance, data privacy, and technology law. She advises organizations on vendor procurement, compliance frameworks, and AI implementation.

She's open to project-specific engagements with capped hours, and offers discounts for firms supporting nonprofits.

Disclaimer: This post summarizes a general conversation about the legal landscape around AI and data privacy. It is not legal advice. Tim Francis is not an attorney or other credentialed professional in this area. Consult with a qualified attorney for guidance specific to your firm's situation.