AI and the loss of privilege: US v Heppner

On February 10, 2026, Judge Jed Rakoff of the Southern District of New York issued a ruling in United States v. Heppner that should fundamentally change how every lawyer thinks about AI and confidentiality.

The defendant used consumer AI to create documents for a criminal investigation. The government moved to compel production; the judge agreed the documents lacked privilege protection under either attorney-client privilege or work product doctrine.

The ruling centered on the AI tool's privacy policy permitting training use and third-party disclosure, destroying the confidentiality requirement essential to both attorney-client privilege and work product protection.

The immediate pushback after the ruling was predictable:

• Enterprise AI tiers don't train on customer data by default
• Consumer plans offer training opt-out checkboxes
• Gmail, Google Drive, and iCloud present identical third-party transmission issues

The Harvard Law Review offered a sharper critique: Judge Rakoff treated "Claude…more like a non-attorney human than a tool."

Three critical problems persist even with training disabled:

1. Server Transmission. Readable text reaches provider servers. Unlike encrypted cloud storage, LLMs must ingest full text: decrypt, tokenize, and process it within provider infrastructure. Your privileged content exists in readable form on someone else's servers.
2. Safety Monitoring. All major providers run safety classifiers on inputs and outputs. Anthropic retains flagged content and safety classifier results even under zero-data-retention agreements. Employees can access flagged content for review.
3. Retention Carve-outs. Enterprise agreements include exceptions for legal compliance, abuse detection, and safety. Anthropic's zero-data-retention offering retains "User Safety classifier results in order to enforce their Usage Policy." Flagged conversations are retained up to two years.

The Google Docs Comparison

Cloud storage has fifteen years of case law establishing that privilege survives third-party hosting when enterprise agreements are in place. Courts developed frameworks; lawyers have settled precedent to rely on.

AI's Unique Exposure

AI has two contradictory rulings from the same month in 2026. The future may treat enterprise AI like cloud storage, but that precedent doesn't exist yet. The present uncertainty is dangerously acute.

On February 17, 2026, just one week after Heppner, Magistrate Judge Anthony Patti in the Eastern District of Michigan held that AI-assisted work product was protected, treating AI as a tool (like a word processor) rather than a third party.

Why the Courts Diverged

The National Law Review observed that these courts adopted "incompatible frameworks." Both may be correct on their specific facts, which is precisely the problem.

Enterprise AI users currently have defensible but not settled privilege arguments. The practical risks:

1. You're asking to be the test case. Enterprise scenarios are untested. No court has ruled on whether a properly configured enterprise AI tier preserves privilege.
2. Opposing counsel knows the arguments. Heppner gives them a template. They may force privilege litigation mid-case, creating cost and distraction at the worst time.
3. The "reasonable efforts" standard evolves. What counts as reasonable today may not satisfy tomorrow's expectations. Courts look at what was available, not just what was standard.

The privilege discussion focuses on client data. But firms upload something equally valuable: their institutional knowledge.

1. Playbooks: Risk frameworks revealing decision thresholds: "For deals under $10M, accept uncapped IP indemnification"
2. Clause libraries: Preferred language refined over years of negotiation
3. Fallback positions: What the firm ultimately accepts: "If counterparty rejects termination for convenience..."
4. Risk scoring frameworks: Expose firm priorities and red lines to anyone with access

Three incidents in a single week demonstrated that every layer of the AI supply chain presents exposure:

If privileged content never reaches the AI provider, the privilege analysis never arises. No third-party disclosure to evaluate. No privacy policy to parse. No framework conflicts between districts.

The question isn't whether enterprise agreements are strong enough. The question is whether the architecture requires them to be.

The industry standard for evaluating legal AI focuses on vendor certification: SOC 2 Type II, ISO 27001, AES-256 encryption. These protect the infrastructure, but not the question of whether privileged information left client control.

In July 2024, the ABA issued Formal Opinion 512: "Generative AI Tools", applying existing Model Rules, particularly Rule 1.6 (Confidentiality), to AI use. The core requirement: lawyers must make "reasonable efforts" to prevent "inadvertent or unauthorized disclosure."

The Four "Reasonable Efforts" Requirements

1. Understand training use: Know whether your client data is used to train the model
2. Understand storage and access: Know how data is stored and who (including third parties) can access it
3. Evaluate information sensitivity: Assess the sensitivity of the specific information being submitted
4. Read terms of service: Actually read and understand the provider's terms

The legal profession knows there's a problem. The data confirms it:

Approach 1: Full-Text Transmission (The Default)

Most legal AI tools send complete documents, party names, deal terms, dollar amounts, to provider servers. Security protects transit and storage; enterprise agreements may restrict training. But the text still reaches the provider in readable form. Heppner ruled against exactly this architecture.

Approach 2: Redaction (The Blunt Instrument)

Removes party names, dollar amounts, and identifying details. Preserves confidentiality but destroys the semantic context AI needs: "[REDACTED] shall indemnify [REDACTED] for losses up to [REDACTED]..." provides insufficient information for meaningful analysis.

Approach 3: Pseudonymization (The Structural Solution)

Replaces sensitive entities with consistent placeholders before transmission: "PARTY_A shall indemnify PARTY_B for losses up to AMOUNT_1." The AI reasons about relationships, obligations, and risk, while the mapping table (PARTY_A = Acme Corp) stays local. Privileged information never leaves the client environment.

Effective pseudonymization requires multi-layer detection. No single method catches everything. The layers cover each other's gaps:

1. Named Entity Recognition (NER): Identifies party names, individuals, organizations, and locations using models trained on legal text. Catches entity variations and co-references.
2. Structured Data Detection: Dollar amounts, dates, email addresses, phone numbers, tax IDs. Regex and pattern matching captures structured identifiers that NER may miss.
3. Organization-Specific Terms: Project codenames, product names, matter IDs, internal references. Custom dictionaries maintained per client, only the organization can identify these.

Four forces are converging:

1. Regulatory Pressure. EU AI Act high-risk system rules take effect August 2, 2026. Penalties: up to €35M or 7% of global revenue. Legal AI processing privileged information likely qualifies as high-risk.
2. Client Awakening. The 60% transparency gap will close. In-house teams will ask: "How does your AI handle our privileged information?" Firms unable to answer architecturally, not contractually, will lose work.
3. Insurance Response. The legal malpractice market is responding to AI risk. Privilege waiver from inadequate AI architecture will trigger coverage restrictions and premium increases.
4. Court Precedent. Heppner's holding is narrow. Warner's is narrow. But the reasoning in both applies broadly. More courts will follow.

If the answer to #1 is "yes" and the answer to #2 is "trust our enterprise agreement," Heppner just showed you how a court assesses that position.