The Consequences of Ignoring Confidentiality and Privacy When Lawyers Use AI

TL;DR

A lawyer's duty of confidentiality does not pause when a browser tab opens. Pasting client facts, draft pleadings, deposition transcripts, or due diligence files into a consumer-grade AI chat is now—per the Southern District of New York's ruling in United States v. Heppner—an act that can defeat both attorney-client privilege and the work-product doctrine, even when the same material would have been privileged in any other channel. Morrison Foerster's analysis of the decision is the clearest practitioner-facing summary to date.

State bar associations have begun to make the contractual side of that duty explicit. The New York City Bar's Formal Opinion 2024-5 reads, in practice, like a requirement to either (a) obtain informed client consent for any AI use that touches confidential information, (b) sign a Zero Data Retention (ZDR) amendment with the AI provider, or (c) ensure that no confidential information is actually shared—the third path the Opinion explicitly endorses through anonymization.

For solo and small/midsize firms, signing a ZDR amendment with OpenAI, Anthropic, Google, or Microsoft is rarely realistic. Local pre-transmission anonymization—e.g. CamoText's approach described in "Legal Ethics and AI"—is the mitigating control most firms can actually deploy, and it maps directly onto the language Opinion 2024-5 uses to describe a compliant posture.

The Duty in Plain Terms

Every U.S. jurisdiction has adopted some version of ABA Model Rule 1.6, which obligates a lawyer to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The duty is not limited to deliberate leaks: forwarding a contract to a personal email account, leaving a brief on a printer, or pasting deal terms into a public AI chat can all constitute unauthorized disclosure even if no one actively reads the resulting copy.

The 2012 ABA "technology competence" amendment to Comment 8 of Model Rule 1.1 layered an additional duty on top: lawyers must keep current with "the benefits and risks associated with relevant technology." After ABA Formal Opinion 512 (2024), that competence duty squarely includes generative AI: a lawyer who does not understand how a chosen AI tool stores, transmits, and reuses prompts cannot meet the "reasonable efforts" standard of Rule 1.6.

The result is a layered obligation: know what the tool does, prevent unauthorized disclosure, and document the safeguards. Each layer is independently enforceable through discipline, malpractice exposure, and, as the Heppner case now shows, evidentiary consequences in litigation.

What Goes Wrong: The Four Failure Modes

Articles on legal ethics and AI often catalog risks abstractly. The framework below is adapted from CamoText's "Legal Ethics and AI" essay and grouped by what actually happens in practice when safeguards are skipped.

1. Privilege waiver

As discussed in detail below, United States v. Heppner establishes that submissions to a consumer AI platform can be treated as third-party disclosures that break the confidentiality necessary for attorney-client privilege, and that materials generated through such a workflow may not qualify as work product. The exposure is asymmetric: privilege, once waived, is hard to reclaim—often across the entire subject matter.

2. Bar discipline and malpractice

Multiple state bars have issued advisory opinions describing AI use without safeguards as a potential Rule 1.6 violation. The NYSBA Task Force on Artificial Intelligence, the State Bar of California, and the Florida Bar (Opinion 24-1) all caution that using generative AI with client data is a regulated activity. Carriers have begun asking about AI usage on professional liability renewal questionnaires, and at least some are tying premium credits to documented safeguards.

3. Client harm and reputational loss

Even when no formal discipline follows, inadvertent disclosure damages the attorney-client relationship in ways that cannot be undone. A leaked deal name in a training corpus, a competitor scraping cached outputs, or a vendor's downstream breach can all materially harm clients and the firm. Unlike a misdirected fax, an AI prompt may be permanently embedded in vendor logs, sub-processor systems, or, in the worst case, model weights.

4. Evidentiary and forensic exposure

Prompts and outputs sit on a server with someone else's retention policy and someone else's subpoena counsel. As Heppner illustrates, that surface is now routinely targeted in discovery. Even where privilege survives, the existence of AI-generated drafts can become a battleground for spoliation, authenticity, and Federal Rule of Evidence 502 arguments.

The Heppner Decision: AI Chats Are Not Privileged

On February 17, 2026, Judge Jed S. Rakoff of the U.S. District Court for the Southern District of New York issued the first significant written opinion on whether material a defendant generated by interacting with a consumer AI service was protected from discovery. The case is United States v. Heppner, No. 1:25-cr-00503-JSR (S.D.N.Y. Feb. 17, 2026), Dkt. No. 27. The defendant had run "Claude searches" on his own, then forwarded the resulting documents to counsel. The Government moved for a ruling that those documents ("the AI Documents") were unprotected; the Court granted the motion.

What the court actually held

Judge Rakoff applied the orthodox elements of attorney-client privilege and work-product protection and concluded that neither shielded the AI Documents:

• No attorney-client relationship. The AI tool is not a lawyer; the defendant's conversations with Claude were not communications with counsel.
• No reasonable expectation of confidentiality. Anthropic's then-current consumer privacy policy permitted retention of inputs and outputs, use of the data for training, and disclosure to a broad list of third parties including governmental authorities. A user with notice of those terms could not have reasonably expected confidentiality.
• Work-product doctrine inapplicable. The materials were not prepared by counsel or "at the direction of counsel," and they did not reflect the lawyer's mental impressions or strategy. Defense counsel had not directed the Claude queries, and the outputs reflected the client's and the model's theories rather than counsel's.

Why it matters beyond pro se defendants

The opinion is not binding outside the SDNY, and its facts involve a self-directed defendant rather than a law firm's deliberate workflow. But practitioners are reading it as a precedent on three points that travel well:

• Consumer-grade AI providers will be treated as third parties for privilege purposes, with vendor terms of service driving the confidentiality analysis. (See Harris Beach Murtha's analysis.)
• Even materials that a lawyer later "blesses" by forwarding to counsel may not become privileged retroactively—pre-existing documents do not become privileged merely by being shared with an attorney. (See Torys LLP's commentary.)
• Feeding privileged communications back into a consumer AI tool may waive privilege over the underlying communications themselves, because the client has voluntarily disclosed them to a third party.

What State Bars Are Now Demanding

The Heppner ruling reads against a backdrop of state ethics guidance that has been tightening for two years. New York is the clearest example.

New York City Bar Formal Opinion 2024-5

The NYC Bar's Formal Opinion 2024-5 is the most operational of the major U.S. opinions on generative AI. It applies NY Rule of Professional Conduct 1.6 and concludes that a lawyer:

• Must "make reasonable efforts to prevent the inadvertent or unauthorized disclosure" of confidential information when using AI.
• "Must not input confidential client information into any Generative AI system that will share the inputted confidential information with third parties" without informed client consent—a requirement that, in practice, means either negotiating contractual non-sharing terms with the vendor or avoiding the disclosure entirely.
• Need not obtain consent "if no confidential client information is shared, for example through anonymization of client information."

Reading those clauses together, the Opinion offers three compliant paths. The first (broad informed-consent disclosure to every client) is administratively painful and tends to surface client concerns that lawyers would rather not raise. The second (vendor-side contractual non-sharing—the practical proxy for a ZDR amendment) is the path large firms have taken. The third (anonymization so that no confidential information is actually shared) is the path that scales down to solos and small firms.

NYSBA Task Force report

In April 2024, the New York State Bar Association issued its Task Force on Artificial Intelligence report, warning that "AI must not compromise attorney-client privilege" and recommending that firms enter into contracts with AI providers that prohibit retention and training on firm data. The Task Force did not use the term "Zero Data Retention," but the contract terms it described are functionally equivalent.

Other jurisdictions

• California — The State Bar's Practical Guidance for the Use of Generative Artificial Intelligence requires that a lawyer "not input any confidential information of the client into any generative AI solution that lacks adequate confidentiality and security protections."
• Florida — Florida Bar Ethics Opinion 24-1 similarly requires "due diligence" on the AI tool and ties confidentiality obligations to the chosen vendor's data practices.
• ABA — ABA Formal Opinion 512 (July 2024) lays out the same combination of competence, confidentiality, and supervision obligations at the national level.

Why ZDR Agreements Are Often Impractical for Small and Midsize Firms

On paper, the cleanest answer to all of this is to sign a Zero Data Retention amendment with each AI vendor. In practice, ZDR is structured for organizations that look very different from a five-attorney boutique. The friction points compound:

• Sales gating. ZDR is a separate amendment to an enterprise agreement, negotiated through the vendor's sales and security organizations. OpenAI and Anthropic both require an eligibility review; Google requires per-project enablement. Most small firms never reach a named account team.
• Seat minimums and price floors. ChatGPT Enterprise has historically carried a multi-seat minimum and per-seat pricing that prices out firms below roughly 30–50 attorneys. Claude Enterprise has a 50-seat minimum on the sales-assisted plan. (See our Enterprise AI DPAs vs. ZDR guide for current detail.)
• Scope exclusions. ZDR is endpoint-specific. The chat UIs that non-technical lawyers actually use—ChatGPT, Claude.ai, Gemini in Workspace, Copilot in Word—are rarely the surfaces ZDR covers. A firm can sign the amendment and still have its lawyers operating outside its scope every day.
• Per-organization enablement. ZDR does not transfer automatically to new organizations, subsidiaries, or co-counsel relationships, requiring ongoing administrative tracking that a firm without dedicated IT or compliance staff cannot easily maintain.
• Carve-outs that surprise. File uploads, vector stores, persistent threads, grounding integrations, caching, and realtime APIs are commonly excluded from ZDR even when the underlying API is covered.
• It does not extend to the workstation. ZDR addresses storage at rest on the vendor's side. It does not change the fact that confidential content has to cross the network and live in vendor-controlled memory while it is processed.

Anonymization as Mitigating Coverage

Local pre-transmission anonymization is the control that scales down to the firms ZDR leaves behind. The premise is straightforward: replace names, matter numbers, financial identifiers, addresses, and other sensitive entities with deterministic placeholders on the lawyer's workstation, send only the anonymized prompt to the AI service, and re-identify the response locally before it is used.

The CamoText "Legal Ethics and AI" essay walks through the workflow in detail. The core observation is that the AI vendor receives a structurally complete document—the model can still summarize, draft, or analyze—while the identifying content never crosses the trust boundary.

How anonymization maps onto Rule 1.6 and Opinion 2024-5

• "Reasonable efforts to prevent disclosure" — Rule 1.6's core standard. Stripping identifiers before transmission is a concrete, demonstrable, documented effort, not a contractual assertion.
• "No confidential client information is shared" — Opinion 2024-5's safe harbor. When the prompt that reaches the vendor consists of placeholders rather than real client identifiers, the lawyer can credibly say that no client confidential information was disclosed and that informed consent is not required for that interaction.
• Privilege posture — Anonymization does not reconstruct privilege over an AI conversation by itself (the AI is still not the lawyer), but it removes the third-party-disclosure-of-confidential-material element that drove the Heppner court's confidentiality finding. Combined with attorney supervision of the workflow, it materially improves the privilege analysis.
• Technology competence — A workflow that the lawyer can describe, inspect, and audit on their own machine satisfies the Comment 8 duty in a way that black-box vendor assurances do not.

What anonymization does not do

• It does not eliminate the lawyer's duty to supervise AI output, verify accuracy, and avoid the now-familiar hallucinated-citation problems.
• It does not address the separate issue of metadata embedded in documents that are uploaded as files (author fields, revision history, tracked changes). Strong workflows pair anonymization with metadata stripping.
• It does not substitute for the duty to notify clients of an actual breach if one occurs, or for the duty to obtain consent when the matter inherently requires disclosure that anonymization cannot remove.

A Minimum-Viable AI Confidentiality Checklist

1. Inventory tools. Document which AI products attorneys and staff use, on which devices, and under which account terms (personal vs. business vs. enterprise). Heppner's facts started with an untracked personal use of Claude.
2. Read the vendor terms once. Identify retention, training, and third-party disclosure provisions for every tool in use. ABA Opinion 512 frames this as part of the duty of technology competence.
3. Pick a confidentiality posture by tier. Decide which matters or content types are eligible for which workflow: in-house only, anonymized cloud, ZDR-covered API, or no AI at all.
4. Anonymize by default for cloud AI. Strip names, matter numbers, financial identifiers, addresses, and embedded metadata before pasting into ChatGPT, Claude, Gemini, or Copilot. Tools like CamoText automate this on a single workstation.
5. Sign ZDR amendments where available. For firms with the volume to justify it, layer ZDR on top of anonymization. See our Enterprise AI DPAs vs. ZDR guide.
6. Document supervision. Maintain a short, signed protocol for how AI output is reviewed by an attorney before being used in client work. Heppner's work product analysis turned partly on the absence of attorney direction.
7. Address engagement letters. Where the matter type warrants, add a short clause describing AI use and the firm's safeguards. Where a matter exceeds the firm's safeguards, get specific informed consent.
8. Train everyone with copy-paste access. Most leaks are operational: paralegals, summer associates, and clients pasting fact patterns into the wrong window. Train, and audit annually.

Frequently Asked Questions

Does Heppner mean lawyers cannot use ChatGPT or Claude at all?

No. Heppner involves a self-directed defendant using a consumer plan with broad data collection terms. The decision does not bar AI use; it makes clear that uncontrolled AI use defeats privilege. Anonymized workflows, attorney-supervised use of enterprise tiers, and ZDR-covered API use are all consistent with the opinion's reasoning.

Is anonymization a substitute for enterprise contracts and ZDR?

They are layered controls, not substitutes. ZDR is contractual and addresses retention on the vendor side. Anonymization is structural and addresses whether confidential information ever crosses the trust boundary. For firms that cannot realistically contract for ZDR, anonymization is the load-bearing control; for firms that can, combining the two is the most defensible posture.

Does the Opinion 2024-5 "anonymization" language really apply to AI?

Yes—it is explicit. The Opinion states that informed consent is not required "if no confidential client information is shared, for example through anonymization of client information." The example is given in the AI context the Opinion is addressing.

What about deposition transcripts, audio, and metadata?

Audio is a frequent leak point. Transcribing locally and then anonymizing the resulting text gives the same posture as anonymized document workflows. Embedded metadata (authors, edit history, file properties) should be stripped before any file-based or agentic AI sees the document; the CamoText essay walks through audio and metadata as separate failure modes.

Can sharing privileged information with an AI tool waive privilege over the original communications?

The Heppner reasoning, and commentary by Morrison Foerster and others, supports the view that voluntary disclosure of privileged communications to a consumer AI service can constitute waiver. Conservative practice is to treat any consumer-AI submission of privileged material as a potential waiver event and to anonymize or avoid such submissions accordingly.

Further Reading

• CamoText — Legal Ethics and AI: Can Lawyers Use ChatGPT or Claude Ethically?
• United States v. Heppner, No. 1:25-cr-00503-JSR (S.D.N.Y. Feb. 17, 2026), Dkt. No. 27 (PDF)
• Morrison Foerster — Privilege in the Age of AI: SDNY Holds AI-Generated Documents Are Not Privileged
• Harris Beach Murtha — AI Tools May End Attorney-Client Privilege
• Torys LLP — A New Frontier: Publicly Available AI and the Loss of Privilege
• NYC Bar — Formal Opinion 2024-5: Generative AI in the Practice of Law
• NYSBA — Task Force on Artificial Intelligence (April 2024)
• State Bar of California — Practical Guidance for the Use of Generative AI
• Florida Bar — Ethics Opinion 24-1
• ABA — Formal Opinion 512: Generative AI Tools
• AI Privacy Pro — Enterprise AI DPAs vs. Zero Data Retention
• AI Privacy Pro — Best Text Anonymizer 2026