OpenAI's human-like chatbot, ChatGPT, which had garnered significant attention, appears to have experienced its first public data breach. On March 24, the company disclosed that a software bug had caused certain users' information to be exposed to others who were active at the time. The company's investigation revealed that the glitch allowed some users to view the chat history titles of another active user and unintentionally displayed payment-related information of 1.2% of ChatGPT Plus subscribers during a specific nine-hour window. The exposed data included a user's first and last name, email address, payment address, the last four digits of a credit card number, and credit card expiration date. OpenAI stated in a blog post that it took users' privacy and data security seriously and apologized for falling short of its commitment and the users' expectations. Legal professionals who spoke to Legaltech News were not surprised by the flaw, given the unprecedented adoption of the tool. This incident highlights the data security risks associated with using new technologies and the need for governance strategies when using or deploying any new technology.
Although ChatGPT's capabilities are novel, the associated data security and governance risks are not. LexFusion's co-founder and chief strategy officer, Casey Flaherty, pointed out that there have always been security concerns with any technology that puts confidential information in the public space. This trend is not new, as evidenced by inadvertent e-discovery disclosures in 2022 and the long-standing practice of sending files to personal email accounts for work. The risks associated with using a free chatbot like ChatGPT for confidential information are similar to forwarding files to personal email accounts, using personal Dropbox folders for privileged information, or downloading files to a separate device. Danielle Benecke, the founder of Baker McKenzie's machine learning practice, emphasizes that each deployment has its risks, and it is up to the law firm to make appropriate decisions to mitigate the risks and meet obligations to clients, legal industry rules, data governance rules, insurance, and other considerations.
Although discussions about the importance of having robust data governance strategies may appear repetitive, it remains to be seen if these strategies have kept pace with emerging technologies, according to Benecke. She noted that while technology has matured and the market conversation around use cases has become more refined, the conversation around governance still needs to catch up. Organizations have different approaches to such discussions. While some have prohibited the use of ChatGPT for professional purposes altogether, others have adopted more nuanced strategies, such as Saul Ewing Arnstein & Lehr, which follow the guidelines offered by the American Bar Association. Going forward, Benecke advised that companies should consider how such technologies fit into their governance strategies, not just in terms of policies for individual applications like ChatGPT, but across multiple layers of the commercial and technology stack, with a broader strategy and governance approach for the use of large foundation models and applications powered by those models.
