In February 2026, a federal judge in New York ruled on something courts had never addressed before: whether your conversations with an AI tool are protected by attorney-client privilege.

They are not.

Federal Ruling · United States v. Heppner · No. 25-cr-00503-JSR

Judge Jed Rakoff ordered 31 documents — all generated using Claude by Anthropic — handed directly to federal prosecutors. The defendant, a former corporate executive charged with securities fraud, had used Claude to research his legal defense after receiving a grand jury subpoena. His lawyers argued privilege. The court rejected it on three grounds.

Claude is not a lawyer. There was no attorney directing the work. And Anthropic's own privacy policy makes clear the platform can disclose user data to government authorities. No reasonable expectation of confidentiality. No privilege.

Judge Rakoff called it "a question of first impression nationwide." He was right. No court had ruled on this before. Now one has — and every major law firm in the country took notice.

What Happened Next

The ruling came down February 17. By April, new cases were already citing it.

In Morgan v. V2X, Inc. and Jeffries v. Harcros Chemicals, Inc., courts began issuing protective orders specifically about which AI tools companies can use in active litigation. Judges are no longer just ruling on AI after the fact. They are setting rules before discovery even starts.

There is also a split worth knowing about. In Warner v. Gilbarco, Inc. (E.D. Mich., Feb. 10, 2026), a different federal judge ruled that a plaintiff's use of ChatGPT was protected work product. Same month. Different outcome. The law is not settled — which means your employees are working in a gray zone right now with no guaranteed protection on either side.

What Your Team Is Probably Doing Right Now

Someone on your team is likely doing at least one of these today:

  • Pasting a client proposal into ChatGPT to clean it up
  • Asking Claude to summarize a vendor contract or NDA
  • Using Google Gemini to draft a termination letter
  • Running financials through Microsoft Copilot on a personal account
  • Dropping meeting notes into Grammarly or Notion AI without a second thought

None of it feels like a legal risk. Most of it is not — on the right platform, with the right agreement in place.

On a personal or consumer account, that information sits on a server, can be retained for years, can be reviewed by humans, and — as multiple courts have now confirmed — can be handed to the other side.

For a law firm, that is a state bar problem. For a CPA or financial advisor, that is FINRA or HIPAA exposure. For any business, it is your strategy, your pricing, your client relationships sitting somewhere you did not intend.

The Pro Plan Does Not Fix It

Most business owners assume that paying for a premium subscription means their data is protected.

It does not.

Claude Pro $20/month
Consumer tier terms. Opting out of model training is a separate setting from legal disclosure. Anthropic still reserves the right to share data with government authorities.
ChatGPT Plus / Pro $20–$200/month
OpenAI's privacy policy has the same language. Subscription level does not change disclosure rights.
Google Gemini Advanced Consumer plan
Same exposure — and Gemini now connects to Gmail, Google Drive, and Google Calendar by default for US users. Your emails and files are in the mix without most people realizing it.
Microsoft Copilot Free / Personal
Runs under consumer privacy terms, not the commercial data protection agreements that come with a business license.

A paid consumer plan buys you features. It does not buy you a contract. It does not buy you confidentiality.

Where the Protection Actually Lives

Business and enterprise agreements are a different product entirely — not just a higher tier of the same thing.

Microsoft 365 Copilot Business / Enterprise
Your data stays inside your Microsoft tenant. Not used to train models. Covered under the same commercial data protection framework your email and files already operate under. If your team is already on Microsoft 365, this may be closer than you think.
Google Workspace + Gemini Business / Enterprise
Not used for training. Not reviewed by humans. Governed by Google's commercial terms, not the consumer privacy policy your personal Gmail account lives under.
Claude for Work / Enterprise Business tier
Explicitly outside Anthropic's consumer privacy policy. The disclosure rights the Heppner court relied on do not apply.
ChatGPT Enterprise / Team Business tier
Data is not used for model training and sits under OpenAI's commercial agreements.

The difference is a signed contract with real, enforceable data commitments. That is exactly what Judge Rakoff looked for — and did not find — in the Heppner case.

If You Run a Law Firm, CPA Practice, or Financial Advisory

You already carry obligations most businesses do not. State bar ethics rules, FINRA recordkeeping, HIPAA — all of them assume client data stays where you put it.

Shadow AI — employees using personal accounts for ChatGPT, Claude, Gemini, Grammarly, or other tools outside your managed systems — does not know your obligations exist. It processes whatever it is given.

Your competitors are using AI. The ones doing it right are using it under terms that actually protect them. That is the bar.

Four Things to Do Right Now

  1. Find out what your team is actually using. Most business owners are surprised. Shadow AI on personal accounts is far more common than people expect.
  2. Decide which tools are approved. A personal ChatGPT account and a ChatGPT Enterprise account share a name and almost nothing else. The legal standing is completely different.
  3. Put a written policy in place. It does not have to be long. "Approved tools only — here is the list and here is why" is enough to start. That document matters when something goes wrong.
  4. Get your licensing right. If your team is already on Microsoft 365, Copilot may be available under business-grade protections you are not yet using. If you are on Google Workspace, Gemini enterprise protections are built in — but only if the account is properly configured. The tool is often not the problem. The setup is.

Frequently Asked Questions

Does this apply to businesses, or just criminal cases?

Ballard Spahr, K&L Gates, White & Case, and others have all confirmed the reasoning applies broadly — civil litigation, regulatory investigations, internal compliance reviews. Consumer AI and sensitive business information is a combination with real discovery risk.

The courts seem split. Does that mean we are safe?

A split means unpredictable outcomes. Two cases, same month, opposite results. Operating in that gray zone with sensitive client data is not a strategy.

What if employees opt out of AI training?

Opting out of training is a different setting from legal disclosure rights. All three platforms reserve the right to share data in response to legal process regardless of training preferences.

What is shadow AI?

Employees using personal accounts for ChatGPT, Claude, Gemini, Grammarly, or other tools outside company-managed systems. One of the fastest-growing compliance risks for small businesses right now.

What AMP IT Can Do

No IT company can stop someone from opening ChatGPT on their personal phone and typing in their client's case. That decision happens outside any system we manage. The Heppner defendant made that choice on his own. No policy, no enterprise license, and no MSP reaches that moment.

What we can do is educate your team and put guardrails in place. Right tools. Right contracts. Written policy. That is what we help you put in place.

A documented policy shows the firm took reasonable steps — and could shift the narrative from negligence to an isolated violation. That distinction matters to a bar ethics board, a malpractice insurer, and your clients.

If you want to understand where your business stands today, start with a free assessment. No pressure. No pitch. Just an honest look at what is happening and what makes sense to do about it.

📞 (980) 377-2733 📩 hello@ampitsolutions.com 🌐 ampitsolutions.com/assessment Microsoft Partner · Google Partner · On-Site Available · 919 Berryhill Rd Suite 100A, Charlotte, NC 28208