Would you risk your license for help with contract management?
Now, would you risk your license for help with contract management if you knew there was a chance your reviewers weren’t licensed to practice in your jurisdiction, or even practice law at all—potentially breaching data privacy regulations, your contract’s confidentiality agreements, and widely accepted legal ethics?
Most lawyers would answer a resounding: “Absolutely not.” But that’s exactly the risk many are taking inadvertently by signing up for contract management software that claims to use AI but actually uses humans to review contracts, even if these humans are lawyers.
If a vendor claims to use AI to automate contract review, put them to the test. Have them upload a contract their platform has never seen before. If the tool doesn’t work as promised in seconds, you have your answer—they may be outsourcing part of the contract review process to humans.
Why Non-Compliant Contract Management Is on the Rise
Outsourcing contract review is not new, and most legal teams go through a rigorous selection process when engaging a law firm or legal service provider. What is new is the explosion of automated contract review software with humans doing part of the review—sometimes to provide quality control, but other times stepping in for the AI when it falls short. In these cases, GCs and attorneys are often unaware that their contracts are being sent to a third party for review or who that party is.
Underhanded third-party doc review is a simmering billion-dollar compliance issue waiting to boil over, with vendor confidentiality clauses, new data residency restrictions, and ethical liabilities only adding to the heat.
Breaching Vendors’ Confidentiality Clauses
When you outsource vendor agreements to a team of contract management contractors, you may be breaching confidentiality clauses within the same documents you’re sending for review.
As a standard practice, many vendor agreements include terms that restrict sharing information to third parties without attorney-client privilege. Some examples include non-disclosure clauses. Under terms like these, a lawyer can’t even share the agreement with a colleague if the colleague at a partner organization isn’t on a need-to-know basis.
Here’s an example of common phrasing of such restrictions: “Each Party shall maintain confidentiality of all such confidential information, and without obtaining the written consent of the other Party, it shall not disclose any relevant confidential information to any third parties.”
Triple-check that your vendor agreements allow you to grant access to third-party contractors beyond your legal counsel before engaging with an outside review team—you may not be permitted to without attorney-client privilege.
Transferring Data to Outside Reviewers Can Violate Data Residency Laws
New data residency and privacy laws (such as the EU’s General Data Protection Regulation, the California Consumer Privacy Act, and the Schrems II case) make data transfer and ownership dramatically more complicated.
For example, per Schrems II, a German company that transfers data to a reviewer in India must still abide by GDPR standards, even though the data has left the EU. If you have clients or customers based in California, there’s a good chance your outsourcing partner would be considered a service provider under the CCPA. You would have to obtain and enforce a data processing addendum before you share any information with them.
Under many of these regulations, a company who transmits sensitive customer data can now be held responsible if the recipient of that data mishandles it, especially in the event of a data breach.
Any legal help you hire becomes an extension of your own legal counsel. This is true for the legal help you hire indirectly by bringing on a contract management provider who works with outside reviewers.
The more distance you have from your contracts, the less you can control the quality and accuracy of the work. When you send a document to an undisclosed human reviewer, you can never be sure that person is trained on the laws applicable to your contracts, physically located and licensed in the right jurisdiction, or even licensed at all.
If you can’t vet and verify the identity, expertise or accuracy standards of your reviewer, trusting them with even a single contract is risky. How can you trust a team of reviewers reading thousands of your contracts?
Legal Profession Needs Clear Standards for Defining, Using AI
The problem here is not the AI. The real problem is the lack of transparency around what is AI and what is human — and which humans are doing what. Attorneys and GCs need to closely examine any human-in-the-loop claims to ensure they’re not putting their company — or their career—at risk.
Consider why law firms and legal outsourcing firms only operate within a specific regulatory framework, and why they have a compelling business model. The next time you hear that a company combines AI with human review at a fraction of the cost of working with a law firm or LPO, it’s prudent to wonder whether it’s actually too good to be true.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Jerry Ting is the CEO and co-founder of Evisort, a company that uses artificial intelligence to help businesses categorize, search, and act on contracts.