AI, Compliance, and Legal Risk With Hal Ostrow
On Legal Marketing Radio, host Chip LaFleur interviews Hal Ostrow, a shareholder at Rhodes McKee who leads the firm's technology transactions, privacy, and cybersecurity practice, about how businesses and law firms can adopt AI responsibly without putting their data, clients, or reputation at risk. Ostrow explains that while there is no single federal law governing AI yet, the existing patchwork of roughly 20 state consumer privacy laws and industry-specific rules like HIPAA provides the framework through which AI use policies should be built, with the guiding principle of using the least amount of information for the shortest possible time to get the job done. He walks through the risk differences between consumer AI tools, walled enterprise platforms like LexisNexis Protégé, which uses Claude, cloud-hosted private instances, and on-premises deployments, explaining that the right choice depends on each organization's appetite for risk and the sensitivity of the data involved. The conversation digs into agentic AI as the biggest risk multiplier, where errors compound across tasks without human review, hallucinations become harder to detect and undo the further down a chain they go, and the question shifts from whether a human is in the loop to where in the loop that human actually lives. Ostrow also flags an emerging and underappreciated risk: NDAs are now including clauses prohibiting the use of confidential information to train AI models, meaning organizations running self-training agents could unknowingly violate agreements before anyone has a chance to review what was ingested. The episode closes with a look at AI-driven dynamic pricing concerns, the importance of updating your insurance broker when your AI use profile changes, and the throughline that responsible AI adoption is not about avoiding the technology but about building the right guardrails before you need them.
00:00 AI Risk and Where It Lives
01:00 Meet Hal Ostrow
02:00 Building Compliant AI Policy
03:00 Privacy Law as the AI Framework
05:00 Consumer Tools vs. Enterprise Platforms
07:00 On Premises Hosting and Cybersecurity Risk
10:00 Agentic AI and the Risk Multiplier
12:00 Hallucinations and Professional Liability
14:00 Human in the Loop and Where It Matters
16:00 AI Slop and Output Accuracy Standards
18:00 Fact Checking as a New Job Function
19:00 Dynamic Pricing and Consumer Profiling
21:00 Updating Insurance for AI Risk
22:00 NDAs and the AI Training Clause
24:00 Agentic Memory and Unwitting NDA Violations
26:00 On Prem as a Privacy Strategy
27:30 Wrap Up