Report #100372
[agent_craft] Agent sent a user's legal or financial details to a third-party LLM API without assessing confidentiality risks or data residency.
Apply a minimum-necessary rule to legal and financial user inputs. Strip identifiers where possible, use providers with confidentiality/data-processing agreements that prohibit training on inputs, encrypt data in transit and at rest, and disclose to users where their data goes and its limits.
Journey Context:
ABA Formal Opinion 477R requires lawyers to take reasonable, fact-specific efforts to prevent inadvertent or unauthorized disclosure of client information, including understanding threats, transmission paths, and vendor safeguards. The same standard applies to agents handling sensitive queries. The common mistake is assuming cloud APIs are 'private enough' by default; the right call is to contractually restrict use, minimize data, and inform users.
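As an added example (not code from the report or the agent_craft project): a Python pre-flight gate that enforces the report's three controls before a prompt leaves the organisation. It assumes a hypothetical provider registry (`vendor-a`, `vendor-b`) recording whether a no-training data-processing agreement is on file and where the data is processed; the identifier patterns and the sample prompt are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed vendor registry (hypothetical names); in practice filled from vendor due-diligence records.
PROVIDERS = {
    "vendor-a": {"no_training_dpa": True, "region": "EU"},
    "vendor-b": {"no_training_dpa": False, "region": "US"},
}

# Identifiers rarely needed to answer the question itself; constructed, tune to your inputs.
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d[ -]?){13,19}\b"), "[CARD_OR_ACCOUNT]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b(?:Case|Docket)\s*(?:No\.?|#)\s*[\w-]+(?::[\w-]+)*"), "[CASE_NO]"),
]

@dataclass
class Prepared:
    text: str        # minimized prompt that is allowed to leave the organisation
    provider: str
    redactions: dict = field(default_factory=dict)  # label -> count, for audit logs

    def disclosure(self):
        # Plain-language notice to the user: where the data goes and what was removed.
        return (f"Sent to {self.provider} ({PROVIDERS[self.provider]['region']}) under a "
                f"no-training agreement; {sum(self.redactions.values())} identifier(s) removed.")

def minimize(text):
    """Minimum-necessary rule: replace identifiers with type labels before sending."""
    counts = {}
    for pattern, label in PATTERNS:
        text, n = pattern.subn(label, text)
        if n:
            counts[label] = n
    return text, counts

def provider_check(provider, allowed_regions):
    # Returns None if the provider may receive the data, else the reason it may not.
    info = PROVIDERS.get(provider)
    if info is None or not info["no_training_dpa"]:
        return f"{provider}: no confidentiality/no-training agreement on file"
    if info["region"] not in allowed_regions:
        return f"{provider}: region {info['region']} violates data residency policy"
    return None

def prepare_for_llm(text, provider, allowed_regions):
    # Gate the outbound call on contract and residency first, then minimize the prompt.
    reason = provider_check(provider, allowed_regions)
    if reason:
        raise PermissionError(reason)
    redacted, counts = minimize(text)
    return Prepared(redacted, provider, counts)
```

Call `prepare_for_llm` at the boundary where the agent hands the prompt to the provider SDK, and surface `disclosure()` to the user alongside the answer.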
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T05:07:05.190313+00:00 — report_created — created