1. You Can Outsource Work, but You Cannot Outsource Responsibility

This is the ethics rule firms forget most often.

If a vendor:

  • mishandles data,
  • loses files,
  • misconfigures access,
  • introduces a security hole, or
  • uses your information in ways you didn’t anticipate…

…the bar doesn’t ask the vendor what happened.
It asks you, because the ethical duties—confidentiality, supervision, competence—sit squarely on the lawyer’s shoulders.

Vendors are helpers.
You are the regulated entity.

It’s like hiring a babysitter:
If your kid draws on the wall, you don’t get to say, “Well, the sitter was in charge, so I’m absolved.”

Ethically speaking, no one cares.
It’s still your wall.

2. Vendor Vetting: The Step Most Firms Skip, Gloss Over, or Pretend Happened

Lawyers rely on more software than ever, yet many firms select tools the way people pick restaurants:

  • “It looks nice.”
  • “Someone said good things about it.”
  • “It was on sale.”
  • “Everyone else uses it; how bad could it be?”
  • “There was a webinar. I think.”

But real vendor vetting should look more like due diligence on a counterparty to a deal:

Ask how the product handles:

  • encryption (in transit + at rest)
  • data storage location
  • retention and deletion
  • data segregation between clients
  • subcontractors and fourth-party vendors
  • breaches (and how fast you’ll be notified)
  • AI model usage and training
  • access controls for their staff
  • uptime and redundancy

If a vendor can’t answer these questions clearly, you don’t have a tech provider.
You have a liability with a login screen.

3. Cloud Storage: Not All Clouds Are Created Equal

Cloud platforms are now unavoidable. They’re convenient, secure when configured correctly, and dramatically better than the “USB stick in the partner’s desk” era.

But cloud storage also creates ethical pressure points:

  • Who at the vendor can access your client files?
  • Are your files encrypted before upload?
  • Does the vendor use your data to “improve services”?
  • Is AI analyzing your documents behind the scenes?
  • Does deletion actually delete anything?
  • What happens if you terminate service?

A lot of firms assume the cloud vendor handles all of this.
But vendors handle their obligations.
Lawyers must handle their ethical obligations.

The two circles overlap but are not identical, and the gap is where trouble lives.

4. Offshoring and Cross-Border Data: Great for Efficiency, Risky for Ethics

Many vendors use distributed teams.
Developers in Europe.
BPO staff in Asia.
Support centers wherever labor is affordable.

None of this is inherently unethical.
But it triggers additional responsibilities:

  • Are client files being accessed offshore?
  • Does the client need to consent?
  • Do you know the privacy and security laws in the other jurisdiction?
  • Has the vendor conducted background checks on overseas staff?
  • Do you have contractual assurances that mirror your ethical duties?

If you don’t know the answers, then your firm is playing a global game of “Where in the world is our client data?”
That’s not a good game for regulated professionals.

5. AI Vendors: The Wild West of Legal Tech

AI Vendors - WildwestTraditional vendors are complicated.
AI vendors are complicated and unpredictable.

Key questions lawyers forget to ask AI providers:

  • Does the model train on your inputs?
  • Are prompts stored? For how long?
  • Who can view user activity?
  • Does the tool rely on third-party AI behind the scenes?
  • Is the model deterministic or probabilistic? (Translation: will it do the same thing twice?)
  • What happens if the AI produces harmful or inaccurate results?
  • Who is liable?

AI vendors often disclaim everything short of telling you to “use at your own risk.”
Ethically, lawyers cannot operate on that basis.

AI amplifies efficiency.
It also amplifies mistakes.
And unlike a junior associate, AI never apologizes.

6. Contracting with Vendors: The Most Important Document Lawyers Never Read

Here’s an uncomfortable truth:
The majority of firms accept vendor Terms of Service without negotiating or even skimming them.

And those contracts often say things like:

  • “We may share anonymized data with third parties.”
  • “We are not responsible for any data loss.”
  • “You must indemnify us for problems you cause, but we will not indemnify you for problems we cause.”
  • “Data may be deleted after termination.”
  • “We can change these terms at any time.”

Every one of those lines impacts your ethical duties.

The legal profession loves redlining 53-page commercial contracts.
But hand them a SaaS agreement, and suddenly the attitude is, “Yeah, sure, click Accept.”

Your ethics obligations don’t disappear because the contract is short.

7. Monitoring Vendors: Choosing Is Not the End—It’s the Beginning

AI Vendor StepsSelecting a vendor is step one.
Step two is ongoing supervision.

That includes:

  • annual vendor review
  • breach monitoring
  • verifying who has access
  • requiring updated certifications (SOC 2, ISO 27001, etc.)
  • ensuring staff training stays current
  • checking that offboarding processes actually remove your data

The vendor relationship isn’t “install and relax.”
It’s more like taking on a very quiet employee whose mistakes can be spectacular.

The Ethical Bottom Line

Lawyers can’t pretend technology is separate from ethics.
If a vendor touches client data, the vendor becomes part of your ethical universe.

And in a digital-first practice, vendors touch everything:
files, communications, billing, intake, calendars, workflows, research, analysis.

The modern lawyer’s risk isn’t just misconduct.
It’s misplaced trust.

Your choice of vendor is a choice about your ethical posture—whether you recognize it or not.

Coming Up Next: Post 4 — The Risks Inside the WallsAustralian 2b1 Inc.

In our next post, we turn inward.
Because while vendors get the headlines, the truth is:

Most confidentiality breaches don’t come from outsiders.
They come from inside the firm

More Posts
Share Post