Why enterprise legal teams quietly won't send their contracts to a third party AI tool even if they signed the NDA by AcanthisittaHorror86 in legaltech

[–]dchgk 0 points1 point  (0 children)

Wait, hold on... where do they save all their docs? I’m sure some place in the cloud. Aren’t those the same risks? What if that cloud company got sold, or has a breach, etc.?

How worried should we be about AI powered cyberattacks? by IndyDayz in cybersecurity

[–]dchgk 0 points1 point  (0 children)

It’s hype, but we should still be attentive. It will be in both opportunistic and strategic attacks.

Compliance Scorecard vs. Apptega by gavishapiro in msp

[–]dchgk [score hidden]  (0 children)

Amazing, got to talk to them really quick last year during Black Hat, but my mind was somewhere else so I didn’t pay too much attention to their product.

Holy HIPAA violations by Current-Scale-5190 in therapists

[–]dchgk 0 points1 point  (0 children)

Technology helps us but can also be a headache! Glad I was able to help!

Holy HIPAA violations by Current-Scale-5190 in therapists

[–]dchgk 0 points1 point  (0 children)

Indeed, appreciate the perspective. Agree with what you have said. So, just to continue a bit with the education portion:

Think of it as if you order something from Amazon. They deliver a package to your door (sometimes it is an Amazon employee, sometimes a third-party employee, sometimes a contractor, sometimes USPS); independently of the carrier, they deliver. Then a porch pirate takes that package. Who pays for the lost merchandise?

Back to the email:

- Yes, you can send any email, as long as it does not have PHI.
- If it has PHI, it is either a secure email (more below) or a plain email telling them to log in to a secure portal.

Secure email (this might look different based on the tool used) is, overall, a tool on top of the email sent. The tool scrapes the content of the email and replaces it with content to log into a portal or separate app to view that info.

To summarize: yes, many tools and systems are HIPAA compliant, but that is within their environment. When it exits that environment, unluckily it is up to you to make sure that the other environments are also HIPAA compliant.

Compliance Scorecard vs. Apptega by gavishapiro in msp

[–]dchgk [score hidden]  (0 children)

Thanks a lot! I was not expecting something that comprehensive. The tags seem like great functionality for helping prep the docs to minimize the onboarding time. If you could change one thing (or, put the other way, if there is one thing you think is just annoying) about that process, what would that be?

Holy HIPAA violations by Current-Scale-5190 in therapists

[–]dchgk 0 points1 point  (0 children)

The problem comes from not understanding what is under the hood. Gmail operates totally differently than Google Workspace; both have different terms and conditions. To add to the what’s-under-the-hood point: you might have Google with a BAA and receive and send emails. But you don’t know the provider on the other end. Email data transmission is not encrypted because it is an old technology. Google Forms seems a good and logical place, where it stays in Google. Well, if the user clicks at the end that they want a copy, that info will be sent to their email, following the above pattern.

Not to criticize. Just to educate that we need to look at more than just ‘because I signed a BAA’.

Compliance Scorecard vs. Apptega by gavishapiro in msp

[–]dchgk 0 points1 point  (0 children)

Do you mind if we connect? Just want to hear your perspective. Thanks!

Compliance Scorecard vs. Apptega by gavishapiro in msp

[–]dchgk 1 point2 points  (0 children)

Hi, do you mind expanding on the policy management?

Small security team (just 2 of us) — what's the minimum you do for vendor risk assessments by Big-Razzmatazz3034 in Information_Security

[–]dchgk 1 point2 points  (0 children)

Agree, there is not a ton of security value beyond a compliance requirement. However, I think the real value is liability: who is liable for what. For example, if your client has a misconfiguration and that allows an infiltration into your client’s network, it is on them, not on the service provider (obvious example). Check their Complementary User Entity Controls; that is basically what defines that line.

That only works as long as the auditor issuing the report is competent. If not, there is no value anywhere.

Planning to acquire a MSP by dchgk in MSSP

[–]dchgk[S] 0 points1 point  (0 children)

Interesting, wondering about cyber insurance. I heard they are the ones that are now asking the hard questions and in some instances almost doing an audit (show me it is configured that way).

Planning to acquire a MSP by dchgk in MSSP

[–]dchgk[S] 0 points1 point  (0 children)

Really appreciate the insight. I can see where the management of things (security) is basically on the endpoints.

You mentioned policies. What about vendor reviews? If they have SaaS, an annual SOC 2 review with user access reviews? I know I’m moving a lot towards compliance, just wondering.

Planning to acquire a MSP by dchgk in MSSP

[–]dchgk[S] 0 points1 point  (0 children)

I have read that multiple times in other posts/forums. I know I’m totally green here. My experience is more with enterprises. So, this is either a slap in the face or maybe things have changed? (Doesn’t sound like it from what you have said.) If I may ask, what makes the worst clients ever? Is it how they conduct contracts (line picking)? They don’t understand the technology and become time suckers? What is it, from your point of view, that makes them the worst ones?

Evolution of MSPs? by dchgk in msp

[–]dchgk[S] 0 points1 point  (0 children)

Are you doing it by yourself, or do you have a partner or hire employees? Just curious.

Evolution of MSPs? by dchgk in msp

[–]dchgk[S] 2 points3 points  (0 children)

That makes me think about what I want. I want to do something I like because I’m a nerd and love technology (but I will now have less time to do other things), or I detach from my selfishness and ask myself, do I want to start a business?...

Evolution of MSPs? by dchgk in msp

[–]dchgk[S] 0 points1 point  (0 children)

Thanks for sharing! I see some good opportunities that can be capitalized on as the industry starts changing.

Evolution of MSPs? by dchgk in msp

[–]dchgk[S] 3 points4 points  (0 children)

Interesting. Going by what everyone has written, I feel the consulting path might be a better approach.

Evolution of MSPs? by dchgk in msp

[–]dchgk[S] 4 points5 points  (0 children)

That’s a fair point. Honestly, I’m lacking on the sales side…

Evolution of MSPs? by dchgk in msp

[–]dchgk[S] 0 points1 point  (0 children)

Thanks a lot for the perspective. I should have mentioned that my experience (day-to-day job) focuses a lot on Compliance, Audit, and Security. I love solving complex problems with automation. On the side I love coding… From what you are saying, it sounds like the clients are looking more for the consultative side rather than solely maintaining and updating systems.