Skip to main content
RedactifyAI Logo
<- Back To Blog

Your Law Firm's AI Conversations Are Not Privileged. A 2026 Court Ruling Just Proved It.

Neetusha
Neetusha · Founder & CEO of RedactifyAI ·

A criminal defendant used Anthropic's Claude to generate 31 documents outlining his defense strategy. He shared them with his attorneys. The government subpoenaed all 31. A federal judge ordered them produced.

That is United States v. Heppner. February 2026. Southern District of New York.

If your firm uses any consumer AI tool with client materials (typed prompts, uploaded documents, anything), this ruling changes your risk picture.

Quick answer: Do law firms need redaction software? Why the answer is yes, condensed to ~400 words.

What the Heppner case actually ruled

In United States v. Heppner, Judge Jed Rakoff of the Southern District of New York ruled on February 17, 2026, that written communications between a criminal defendant and Anthropic's Claude AI platform were not protected by attorney-client privilege or the work product doctrine. Rakoff called it "a question of first impression nationwide."

Bradley Heppner had already engaged defense counsel when he turned to the consumer version of Claude on his own. He generated 31 documents covering potential defense strategies, factual analyses, and legal arguments, without his attorneys asking him to. He later shared the outputs with his legal team.

The government subpoenaed them. The court ruled they had to be produced.

The full written opinion and legal analysis are available from Harvard Law Review and Proskauer Rose.

The three grounds the court used to deny privilege

Judge Rakoff's ruling rested on three independent bases. Any one of them would have been enough.

1. Claude is not an attorney

Attorney-client privilege protects communications between a client and their lawyer. Claude is not a licensed attorney. That fact alone disposed of the privilege claim. Rakoff wrote it plainly: "Because Claude is not an attorney, that alone disposes of Heppner's claim of privilege."

The defense argued that Claude functioned like a sophisticated word-processing tool, or like an attorney's assistant under the Kovel doctrine. The Kovel doctrine, from United States v. Kovel (2d Cir. 1961), allows privilege to extend to third parties who assist attorneys with client work, but only when the attorney directs that use. Heppner went to Claude on his own. His attorneys did not send him there.

2. No reasonable expectation of confidentiality

Privilege requires confidentiality. Heppner agreed to Anthropic's Terms of Service when he used Claude's consumer product. Those terms allow Anthropic to process and use conversation data in ways users cannot fully control. The court found no reasonable expectation of confidentiality could exist on that basis.

This is not a problem specific to Anthropic. OpenAI's consumer product has similar provisions. Any AI platform where inputs can be retained, processed for training, or shared with third parties under the ToS creates the same exposure. The platform's name matters less than what its terms actually say.

Heppner created the documents without being asked by his attorneys. He used Claude to develop his own thinking about his case, not to communicate with counsel. The court found this did not satisfy the "for the purpose of obtaining legal advice" element of the privilege test.

What the ABA ethics rules add to this

The Heppner ruling is a court decision about privilege. There is a separate professional responsibility problem running alongside it.

ABA Model Rule 1.6 requires lawyers to protect all confidential client information. In July 2024, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 512, its first formal guidance on generative AI. The opinion found that using an AI tool that processes client data under terms permitting the vendor to use that data may violate Rule 1.6, unless the client gives informed consent specific to that use. Boilerplate in engagement letters is not enough.

As of 2026, 47 state bars have issued formal ethics guidance on AI use in legal practice. Most reach the same conclusion on confidentiality. State bar investigators are already treating AI use as part of standard confidentiality complaint reviews. This is not a future concern.

What is actually at stake

Compelled disclosure in proceedings

If a client or anyone at your firm uses a consumer AI tool to work through case strategy without attorney direction, those conversations can be subpoenaed. Courts can order them produced. Heppner proved this. "I was just thinking through the case" is not a defense when the thinking was done in an AI platform with no confidentiality guarantee.

Bar discipline

Violating Rule 1.6 by exposing client confidences to an AI vendor without consent can result in bar complaints. The bar in your state almost certainly has guidance on this by now. Review it.

Malpractice exposure

If a client's confidential information is disclosed through an AI platform's data practices and that disclosure causes harm, a malpractice claim follows. The fact that the platform's terms permitted the disclosure does not protect the attorney who agreed to those terms on behalf of a client who never consented.

What actually puts documents at risk

The Heppner case involved typed conversations in a chat window. The risk extends to anything you upload.

When attorneys upload client documents to a consumer AI tool to summarize, analyze, or draft responses, those documents become inputs into the AI system. Depending on the platform's terms, the content can be retained, used for model training, or accessible to platform staff under certain conditions. A deposition transcript uploaded for summarization carries the same risk as a typed conversation about case strategy. So does a settlement agreement or a client intake form.

The document you upload is the conversation.

That is also why PDF metadata deserves attention in this context. A document's metadata can carry client names, attorney names, revision histories, and firm identifiers even after the visible text has been reviewed. That metadata travels with the file when you upload it.

We have also written on the most common ways law firms inadvertently expose PII in documents they believed were already clean. The categories overlap significantly with what ends up in AI inputs.

What to do before using AI with client materials

The answer is not to stop using AI. It is to control what the AI actually sees.

Before uploading any client document to an external AI tool, redact the identifying information that creates the privilege or confidentiality concern. A deposition transcript with names, case numbers, and identifying facts removed can still be analyzed for structure, argument patterns, and factual gaps. A contract with party names and deal-specific terms removed can be reviewed for clause patterns and standard provisions. The AI does the analytical work. The client's identity stays off the platform.

This is work your firm already does for court production and discovery. Applying the same discipline to AI inputs is an extension of what your team knows.

  1. Identify what makes the document sensitive: client names, matter numbers, case strategy, financial figures, medical information, witness identities
  2. Permanently redact those elements before the document leaves your secure environment
  3. Use the AI tool for the analytical task the sanitized document supports
  4. Keep the unredacted original in your matter management system, not in any external tool

If you use Clio, RedactifyAI integrates directly with it. Pull a document from a matter, run AI-assisted redaction to remove identifying information, and upload the clean version to whatever AI tool you need. The original stays in Clio, unmodified. The full workflow is in our guide on how to redact documents in Clio without overwriting originals.

For a broader picture of what to redact before using any AI tool, see redacting documents before sharing with AI tools, which covers which information categories matter most across different document types.

The exception the court left open

Judge Rakoff specifically noted that the outcome could have been different if Heppner's attorneys had directed him to use Claude. Under the Kovel doctrine, a third party can function as an attorney's agent in ways that preserve privilege, but only when the attorney directs that use and the purpose is facilitating legal representation.

This area is still developing. Several courts outside the Second Circuit have taken more fact-specific approaches in civil cases, and some have extended work-product protection to AI-generated materials in limited contexts. Federal courts are not aligned on this yet.

The lesson from Heppner is specific: undirected AI use, on a consumer platform, without attorney oversight, does not receive privilege protection. Until courts settle the broader question, the safest posture is to treat any consumer AI tool as a third party with no confidentiality guarantee, the same way you would treat any external vendor who asked for access to your client files.

If your firm uses enterprise AI products with explicit data protection agreements that prohibit third-party disclosure and training on your inputs, the analysis changes. Anthropic's Claude API retains inputs for 7 days and does not use them for training. Enterprise agreements can contractually establish the confidentiality that consumer terms lack.

A practical checklist for law firms using AI

  1. Check the terms of service of every AI tool your team uses. Does it train on user data by default? Can it share inputs with third parties?
  2. Use enterprise or API versions where available. The protections are meaningfully different from consumer accounts.
  3. Get explicit client consent. Update your engagement letter and obtain specific authorization for AI tool use. Boilerplate will not satisfy ABA Formal Opinion 512.
  4. Redact before uploading. Strip client-identifying information from any document before it enters an external AI system.
  5. Keep case strategy internal. Those discussions belong between attorneys and clients, not in a consumer chat window.
  6. Document your AI workflow. If your process is ever questioned, a record of what tools you used and what safeguards you applied is your defense.

Frequently asked questions

Does the Heppner ruling apply to all AI platforms, or only Claude?

The ruling arose from facts specific to Anthropic's consumer Claude product, but Judge Rakoff's reasoning turned on general privilege doctrine: the platform was not an attorney, its terms eliminated confidentiality expectations, and the use was not directed by counsel. The same analysis would apply to any consumer AI platform with similar terms of service. The platform's name matters less than what the ToS actually allows.

Can attorney-client privilege still apply if my attorney directs me to use an AI tool?

Possibly, under the Kovel doctrine. If an attorney instructs a client or staff member to use an AI tool as part of the legal representation, and the output is intended to facilitate legal advice, there is a legitimate argument for privilege. The court in Heppner specifically left this open. But this is unsettled law, and the safer approach is to avoid passing privileged strategy through any consumer platform regardless of who directs it.

Does a paid Claude Pro or ChatGPT Plus subscription make conversations more private?

No. According to Anthropic's terms updated in September 2025, consumer accounts (Free, Pro, and Max) may use conversation data for model training by default unless users actively opt out. Paid consumer subscriptions are not the same as enterprise contracts. Only Claude for Work, the Claude API, or a negotiated enterprise agreement offers the data handling protections that professional use requires.

What should we do about our existing AI use policy?

Review it against ABA Formal Opinion 512 and your state bar's current guidance. At minimum, your policy should specify: which AI tools are approved for client work, what categories of client data may be used as inputs, how client consent is obtained and documented, and what the redaction requirement is before any document goes into an external system.

How does redacting a document before uploading it protect privilege?

Permanent redaction removes identifying information from the file structure itself, not just from what appears on screen. A document that contains no client names, matter numbers, or identifying facts cannot expose privileged information even if the AI platform retains it. The AI tool processes a sanitized file. The original, with all its identifying content, stays in your control. For a full explanation of what permanent redaction means, see what is document redaction.

Summary

In United States v. Heppner, Judge Jed Rakoff of the Southern District of New York ruled on February 17, 2026, that 31 documents a defendant created using Anthropic's Claude were not protected by attorney-client privilege or the work product doctrine. Three grounds: Claude is not an attorney, the platform's ToS eliminated any confidentiality expectation, and the documents were not created at the direction of counsel. ABA Formal Opinion 512 and ethics guidance from 47 state bars impose additional obligations on attorneys who use AI tools with client information.

The response is not to stop using AI. It is to control what the AI sees. Redacting client-identifying information before uploading documents to any external AI tool is the most direct way to limit your firm's exposure.

If you want to see how RedactifyAI handles document redaction before AI sharing, you can try it free at redactifyai.com. The Clio integration is included on all plans and takes about five minutes to set up.

Stop redacting documents manually

RedactifyAI detects PII automatically and redacts it permanently. Not just a black box overlay. Try it free, no credit card required.

Try for free ->See all features ->
Learn more about AI redaction software and how it compares to manual redaction tools.

Related articles

PDF Metadata Is Leaking Your Personal Information: What's Hidden and How to Remove It

Every PDF carries metadata: author names, edit history, software versions, GPS data. What is hiding in your files and why stripping it matters.

Why You Must Redact Documents Before Feeding Them to AI (2026)

Once PII enters an AI model, you cannot reliably remove it. Why pre-processing is the only safe option, what regulators now require, and real cases.

Free Redaction Tools: What They Actually Remove (And What They Don't)

Free PDF redaction tools are tempting, but most only add visual overlays without removing underlying text. Here's what to check before trusting one.