2 days ago
It's time to address preservation of generative AI prompts and outputs
June 10, 2025 - Generative artificial intelligence (GAI) tools, which create text and media based upon the data they were trained on, raise legal concerns like data privacy, data security, and privilege considerations. In discovery, GAI prompts and outputs may be considered unique information that must be preserved for litigation. Organizations must consider how to preserve this information and whether and how to incorporate changes to their standard ESI agreement.
It is also imperative for organizations to have information governance policies and trainings in place to account for the use of GAI tools across their business. This includes determining if the GAI-generated prompts and outputs are considered "records" and, if so, updating records retention policies and schedules accordingly. It is essential to have knowledgeable counsel who specialize in the discovery and governance of GAI information to ensure prompts and outputs are retained if/as needed.
Each GAI tool operates uniquely based on its configuration, as well as its data storage setup. Legal professionals must understand both the types of data being created and the locations where the data is stored for each tool. These are rapidly evolving products that may differ greatly from one to the next, and it is incumbent on practitioners to ascertain the form and function of a given tool, including where it stores its prompts and outputs.
For example, an application that creates a bullet-point summary of a meeting typically begins by creating a transcript of that meeting, which it then analyzes to produce a summary. Will these documents be stored in the meeting organizer's online file storage, integrated into a corporate network, or distributed across the participants' storage? How long will these records be retained? The answers will depend on both technical configurations and the organization's applicable retention policies.
While GAI tools have been rapidly proliferating over the past couple of years, courts and litigants are just starting to address their use and output. In the 2024 case Tremblay v. OpenAI in the U.S. District Court for the Northern District of California, a group of authors sued OpenAI for copyright infringement, alleging that it trained ChatGPT using their copyrighted books.
OpenAI sought discovery of the plaintiffs' ChatGPT account information and the prompts used in pre-suit testing, including negative outputs that did not reproduce or summarize the plaintiffs' work. The magistrate judge granted the request, finding that although the account settings and negative test results are fact work product, the plaintiffs waived this by including a substantial set of those facts in their complaint and exhibits.
In ruling on the plaintiffs' motion for relief challenging that order, the district judge found that the magistrate had misapplied the law, as the prompts were queries created by counsel and reflected their mental impressions and strategies for interrogating ChatGPT.
The court granted the plaintiffs' motion for relief, denying the defendant's request to compel the production of negative tests and documentation of the testing process, but ordered the plaintiffs to produce the prompts and accounting settings used to generate the examples used in their complaint.
The parties' ability to effectively advocate their positions in this dispute rested on their having employed a methodical and reproducible workflow, and in turn on having ensured the preservation of the data necessary to do so. As with any matter where these issues are implicated, accounting for these facts ahead of time through the skilled counsel of experts in preservation and information governance is the best practice.
Documents and data created with GAI tools may be relevant to anticipated or ongoing disputes if they pertain to claims and defenses and are proportional to the needs of the case. Legal and information governance professionals must be prepared for this possibility if their clients use these tools. Here are some suggested best practices.
Legal and information governance professionals should be considered essential stakeholders to consult when an organization decides to deploy GAI tools. If legal is notified only after a tool has been adopted — or worse, has been in use for some time — there may be hurdles to ensure that relevant data is preserved, or in advising on critical considerations such as protecting attorney client privilege and confidentiality while using the tool.
Information governance professionals will also provide valuable best practices for retention and data disposition with the use of the tools.
Legal and information governance stakeholders should also be involved in the selection, testing, and deployment of GAI tools to understand where each tool creates and stores the potentially relevant documents and data.
An organization cannot preserve relevant data without understanding where the data is stored and how to preserve and retrieve it for discovery purposes. A thorough investigation of storage locations and an understanding of what is created are essential. In the context of GAI, this is even more crucial as the rapid evolution of these products merits closer attention and analysis than is required with more established tools.
Document retention policies may need to be updated to ensure that GAI-generated documents and data are retained for the appropriate duration based on business need and applicable law.
Similarly, legal hold policies and notices must address the new data types created by AI tools to ensure employees understand the need for preservation. These policies are only effective when compliance is acknowledged and monitored, so processes should be established to ensure proper data retention.
Like any tool, the results and reliability of GAI tools depend heavily upon how they are used. A robust GAI training program that emphasizes not only the features but also the risks presented by the tool should be a perquisite to access by users.
Since AI tools can hallucinate and generate documents and data that may not reflect reality or employee inputs, there is a risk of inadvertently creating discoverable data that is inaccurate. Such data is not only useless for business purposes but also presents a serious risk in litigation if a party relies on the hallucinated facts. For this reason, any AI-generated output must be reviewed and verified before preservation — bullet points, summaries, transcripts, arguments and other GAI outputs must be carefully reviewed and confirmed.
Training should be refreshed as new tools become available and use carefully monitored to ensure appropriate use and mitigate the risk that problematic artifacts are created.
As with any emerging technology, it is essential that the risks and obligations that may attach be assessed in parallel to the benefits of its use. From the broad integration of GAI into a corporate environment by information governance professionals to the careful tweaking of an ESI protocol by outside counsel, the introduction of GAI into corporate environments and legal practice is an essential challenge that requires a thoughtful and comprehensive approach.
Generative AI tools hold transformative potential, but they must be carefully evaluated, tested, configured, and used with attention to the creation of potentially relevant documents and data that must be preserved.
Tara Lawler is a regular contributing columnist on e-discovery for Reuters Legal News and Westlaw Today.
