What Opinion 24-1 Actually Says
Florida Bar Advisory Opinion 24-1 was approved unanimously by the Florida Bar Board of Governors. The headline is that AI use is permitted. Attorneys may use generative AI tools in the practice of law. But the opinion attaches four conditions that carry real compliance weight.
Informed client consent. If confidential client information will be input into a third-party AI system, the attorney must obtain informed consent from the client before doing so. Not a general technology disclosure buried in your engagement letter — informed consent specific to the fact that client data is being submitted to an external AI platform.
Competence. Attorneys must understand what the tool is doing well enough to supervise its outputs. The opinion aligns with ABA Formal Opinion 512 (2024), which requires lawyers to understand AI tools’ limitations, biases, and confidentiality implications. Using a tool you cannot supervise is not compliance — it’s exposure.
No unethical billing. Attorneys cannot bill for time the AI saved. If a task that previously took four hours now takes 45 minutes because of AI assistance, billing the full four hours is a fee dispute and potentially a Rule 4-1.5 violation. Value billing arguments aside, the opinion makes clear that AI-generated efficiency is not the client’s cost to absorb.
Advertising rules still apply. AI-generated marketing content — website copy, social media posts, newsletters — remains subject to Florida Bar advertising rules. The fact that a tool wrote it does not relieve the attorney of responsibility for what it says.
The Confidentiality Problem Most Firms Aren’t Solving at the IT Layer
“Informed consent before disclosing confidential information to a third-party AI system” sounds like a policy question. It isn’t. It requires knowing exactly which AI tools are connected to which data — and having technical controls that enforce that boundary.
Consider what a typical law firm actually looks like today: attorneys using personal ChatGPT Plus accounts on firm devices, Microsoft Copilot enabled across the tenant without sensitivity labels configured, a paralegal who signed up for Claude.ai with their work email. In each of those scenarios, confidential client data is potentially flowing into a third-party AI system without a Business Associate Agreement, without an audit log, and without a Data Loss Prevention policy to stop it.
That is not an ethics policy problem. The firm may have a perfectly well-written AI use policy sitting in a shared drive. The problem is that the policy has no technical enforcement behind it. Attorneys can route around it with two clicks. The “informed consent” requirement presupposes that the firm knows what tools are touching client data. If the IT layer cannot answer that question, the consent process is built on a fiction.
Enterprise-grade AI deployments — Microsoft Copilot for M365 under an enterprise agreement, Claude for Enterprise, Harvey — are built differently. They do not use your prompts to train future models. They provide contractual confidentiality assurances. They can be scoped to specific data sets with sensitivity controls. Consumer-tier tools do not offer those guarantees by default.
What “Competence” Means Technically
ABA Formal Opinion 512 (2024) is the national framework that Florida Opinion 24-1 is aligned with. It requires lawyers to understand, at minimum: what information the tool retains and for how long, whether the vendor has a BAA or equivalent confidentiality agreement with the firm, and whether the tool is hallucination-prone for the specific task at hand.
That last point deserves unpacking. Generative AI performs very differently depending on the task. Summarizing a deposition transcript is a lower-risk use case — the model is working from a document you can verify. Drafting novel legal arguments or researching unsettled questions of law is a high-risk use case where hallucination rates are meaningfully higher. Competence under Opinion 24-1 means the supervising attorney understands that distinction, not just in the abstract but for the specific tool deployed.
IT’s role here is to deploy only approved tools and block unapproved ones. That means Conditional Access policies that prevent browser-based access to consumer AI platforms from managed devices, application controls that flag unapproved SaaS tools, and a tenant configuration that channels AI activity through the enterprise tools the firm has actually evaluated. The attorney cannot exercise competent supervision over a tool the firm never vetted and IT never locked down.
The Harvey / Casetext / Copilot Deployment Checklist
Whether your firm is deploying Harvey, Casetext Compose, Microsoft Copilot for M365, or Claude for Enterprise, the configuration requirements are the same. Here is what the IT layer must have in place before any of these tools go live with client data:
- Enterprise agreement with BAA in place. No enterprise AI tool should be processing client data without a signed Business Associate Agreement or equivalent contractual confidentiality provision. Verify the agreement explicitly covers attorney-client privileged communications, not just PHI or PII.
- Sensitivity labels on matter files. AI tools must not be able to surface confidential client data in responses to other users. Microsoft Purview sensitivity labels, scoped correctly, prevent Copilot from indexing and surfacing documents tagged as confidential. Without labels, Copilot will happily summarize a confidential settlement agreement in response to a query from an attorney who has no business seeing it.
- DLP policy preventing client names and matter numbers from leaving the tenant. A Data Loss Prevention policy configured to detect client identifiers — matter numbers, client codes, party names flagged in your practice management system — and block or alert on their transmission to external endpoints. This is the technical backstop behind the consent requirement.
- Usage audit log. You cannot demonstrate supervision without a record of what was submitted to an AI tool and what it returned. Copilot interaction logs, Harvey query logs, and any other AI platform your firm uses should be captured and retained in accordance with your document retention policy. If a grievance is filed, that log is what you point to.
- Written Acceptable Use Policy signed by all attorneys. The AUP should identify approved tools by name, specify the consent workflow required before inputting client data, prohibit use of consumer-tier AI on firm matters, and set the billing disclosure requirement in writing. Every attorney and paralegal signs it annually.
The Gap We Actually See in Firm Assessments
When we assess law firms for AI governance readiness, the pattern is consistent. The ethics memo exists. Occasionally there is a draft AI use policy. What is almost never present: sensitivity labels configured correctly, DLP policies scoped to legal data patterns, an audit log that captures AI interactions, or any technical blocking of consumer AI platforms on managed devices.
The firm has done the compliance thinking. It has not done the compliance implementation. Those are two entirely different things, and Opinion 24-1 requires both. The opinion permits AI use. The underlying ethics rules — confidentiality under Rule 4-1.6, competence under Rule 4-1.1, supervision under Rule 4-5.1 — require that the permission be operationalized with actual controls.
A 30-minute call is usually enough to identify the specific gaps. We look at your Microsoft 365 or Google Workspace configuration, the AI tools currently authorized or in use, the DLP posture, and the audit logging setup. From that we can give you a specific list of what needs to change before you have a defensible compliance position under Opinion 24-1.
Laz De La Vega
Laz De La Vega leads Primetime IT Solutions, a managed IT and cybersecurity practice serving South Florida businesses since 2005.
Learn more about Laz →