Could Your Paralegal's ChatGPT Habit Lead to an NJ RPC 5.3 Sanction Against You?
In the fast-paced environment of a solo or small New Jersey law firm, a proactive paralegal or legal assistant is invaluable. They are often the first to find a new app or web service that promises to save time and streamline workflow. While this initiative is commendable, their unsupervised adoption of public generative AI tools like ChatGPT presents a significant and often overlooked ethical trap for you, the supervising attorney.
Your duty of confidentiality under NJ RPC 1.6 is well-understood. But when your non-lawyer staff uses AI, a different rule comes into sharp focus: RPC 5.3, Responsibilities Regarding Non-lawyer Assistants. This rule isn't just about ensuring they don't commit the unauthorized practice of law; it's about ensuring all their conduct is compatible with your own professional obligations. And in 2024, their 'conduct' absolutely includes their choice of digital tools.
The Direct Line from Staff AI Use to Your Liability
RPC 5.3(b) states that a lawyer with direct supervisory authority over a non-lawyer "shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer." The key phrases here are "reasonable efforts" and "compatible with... obligations."
Let's map this to a common scenario. Your paralegal, trying to be efficient, pastes excerpts from a client's deposition into the free, public version of ChatGPT to get a quick summary. This act, if you had done it, would be a flagrant violation of RPC 1.6 (Confidentiality of Information). Because your paralegal's conduct must be compatible with your obligations, their action creates a derivative violation. The ethical failure isn't just theirs; it's yours, for failing to make "reasonable efforts" to prevent it.
This is the crux of the problem: what was once an informal office workflow has become a potential data breach and an ethical landmine. The convenience of public AI tools creates a powerful lure for well-intentioned staff, but without guardrails, it exposes the entire firm.
Confronting the 'Shadow IT' in Your Practice
This phenomenon is often called "Shadow IT"—the use of technology and software without the knowledge or approval of the firm's leadership. In a small firm, it's rarely malicious. It’s born from a desire to be productive. An assistant uses a free online PDF converter, a paralegal uses a web-based transcription service, and now, they use a public AI chatbot.
The danger is that the terms of service for these free tools often grant the provider broad rights to use, store, and even train their own models on your inputs. That client deposition summary? It could now be part of the training data for a global AI model. This is the modern equivalent of leaving a client file on a park bench, and the duty to prevent it rests squarely on the supervising attorney's shoulders.
A 4-Step Framework for RPC 5.3 Compliance in the AI Era
Making "reasonable efforts" doesn't require you to become a cybersecurity expert, but it does demand proactive management. Here is a practical framework to get started:
- Conduct a Workflow Audit. Sit down with your staff and ask them, without judgment, to walk you through their daily tasks. Ask what tools—websites, apps, and software—they use to get their work done. The goal isn't to play 'gotcha' but to get a clear picture of what's actually happening in your firm. You cannot manage what you do not know.
- Establish a Simple AI Use Policy (AUP). This doesn't need to be a 20-page treatise. For a small firm, a single page will do. The policy should create a bright-line rule: No client or confidential firm information may be entered into any public, non-approved AI tool. List banned tools by name (e.g., free ChatGPT, Google's Gemini public interface) and create a process for requesting a new tool be vetted.
- Provide a Secure Alternative. The most effective way to stop the use of unsecure tools is to provide a better, safer one. Invest in a business-grade or enterprise AI platform with a robust data privacy agreement (DPA) that guarantees your data remains confidential and is not used for model training. This gives your team the efficiency gains they seek within a secure, firm-controlled environment.
- Train on the 'Why,' Not Just the 'What'. Don't just email the policy and a login for the new tool. Hold a 30-minute meeting to explain why this matters. Use concrete examples. Explain that using a public AI is a data breach that puts client trust and the firm's reputation at risk. When your team understands the ethical stakes, they become your first line of defense rather than a potential source of liability.
Ultimately, your supervisory duties under RPC 5.3 demand the same diligence for your team's digital tools as you would apply to their handling of physical files or client communications. By taking these proactive steps, you can harness the power of AI to boost your firm's efficiency without compromising your fundamental ethical obligations.