A federal judge in the Southern District of New York ruled in February 2026 that using consumer AI without attorney direction can waive attorney-client privilege. The defendant in that case, United States v. Heppner, was convicted in May. For any solo or small-firm attorney still using ChatGPT or Claude on a personal account for client work, this decision is worth reading carefully.
I want to walk through what the court actually held, where the reasoning stops, and what it practically means for how you use AI today, because there's real signal here, and also some real noise.
The facts are fairly stark. The defendant used a consumer-tier AI tool, specifically a consumer Claude subscription, to work with documents connected to his legal matter. His attorney was not directing that AI use. When prosecutors sought those documents, the court found they were not protected by attorney-client privilege.
Judge Rakoff's opinion, issued February 17, 2026, identified three reasons privilege did not attach. Gibson Dunn's analysis of the ruling walks through the logic in detail, and it's worth reading if you handle privilege questions regularly.
In short:
The defendant was convicted May 7, 2026. The ruling is real, the conviction is real, and the legal community has been paying attention.
Here's the part that matters most for practicing attorneys: the court's reasoning actually opens a door, not just closes one.
The analysis draws on the Kovel doctrine, which holds that communications with third parties can remain privileged if those third parties are engaged by the attorney to assist with legal advice. The classic example is an accountant hired by a law firm to help understand financial records in connection with legal representation. The third party's work is in service of the attorney's legal work, under the attorney's direction.
Applied to AI: if an attorney is directing the AI use, that's a different factual posture than a client independently pasting documents into a consumer chatbot. This is not a safe harbor, and it depends heavily on facts and jurisdiction. But it is the distinction the court drew, and it matters for how you structure your AI workflow.
Using AI as a tool in your legal work, under your direction as counsel, is a different analysis than what happened in Heppner. ABA Formal Opinion 512 (2024) had already addressed the competence and confidentiality obligations around cloud AI tools, and the Heppner ruling sharpens the factual questions that opinion raised.
Two important limits on what you can take from this ruling.
First, it is a leading cautionary case, not settled law. Later courts are already diverging toward a fact-specific approach. The S.D.N.Y. is influential, and Rakoff is a well-respected judge, but one district court opinion does not bind other circuits or states. Your jurisdiction may handle the privilege analysis differently. The trend of the reasoning matters; the specific holding's reach is still developing.
Second, enterprise-tier tools are factually different from consumer tiers in ways the privilege analysis cares about. A consumer subscription to Claude or ChatGPT comes with training defaults that have changed over time, and with privacy terms that describe data retention and use in ways that complicate a confidentiality claim. Enterprise and zero-retention tiers have different contractual postures. That factual difference is relevant, though it does not automatically resolve the privilege question. The core issue is still whether the communication was maintained in confidence and whether an attorney directed the AI use.
So Heppner is not a blanket ban on AI in legal work. It is a sharp illustration of the worst-case scenario: consumer tier, no attorney direction, no confidentiality maintained. It draws the line in a useful place.
The obvious first move: stop using consumer-tier AI subscriptions for anything touching client matters. The consumer tiers of ChatGPT and Claude both train on inputs by default (you have to opt out), and their privacy terms describe your data reaching and being used by the provider in ways that a court can and apparently will use against a privilege claim.
If you're using AI for client work, the factual record you want to build looks something like this:
That last point is where the architecture of the tool matters beyond just the contractual terms. "No training on your data" is a promise. "Nothing leaves your machine" is a fact. Only a local model, running on your own hardware, makes the second claim true. With a local model, there is no third-party platform receiving the communication, which removes the confidentiality problem the Heppner court identified at its root.
BYOK (bring your own key) tools that route requests to the cloud are better than consumer subscriptions, but they still send your prompt to a model provider. The provider receives the data. The question of whether that constitutes a disclosure sufficient to affect privilege is not resolved by the tool vendor's contractual terms alone. It is a facts-and-circumstances question.
For the most sensitive client work, a local model removes the question entirely. For lower-stakes drafting and research, a properly structured enterprise-tier or BYOK setup, used under attorney direction, is a significant improvement over a personal Claude Pro subscription.
What this looks like in practice:
The work product itself (a privilege log, a deposition outline, a contract draft) needs to exist somewhere you control. Chat histories in a SaaS tool are not a good answer for client files. Markdown files on your drive, in a folder you own, are.
Advisor Prep Hero is built for exactly this workflow: you bring your own API key (your requests go directly from your machine to Anthropic or OpenAI, with Advisor Prep Hero never in the data path), or you run a local model and route nothing to any external server. Everything you produce is a real file in a real folder you own. The legal workflow templates were built with input from practicing attorneys and include privilege logs, deposition prep outlines, and engagement letters. The local model setup guide walks through connecting Ollama so nothing leaves your machine. If you're comparing options, here's how Advisor Prep Hero compares to Clio Duo for the drafting work that needs to stay off vendor servers.
Heppner is not the last word on AI and privilege. But it is a clear warning about the specific combination of consumer tiers, no attorney direction, and third-party data sharing. The attorneys who take that warning seriously, and structure their AI use accordingly, are in a better position than the ones who keep using the same personal subscriptions they've always used.
This is informational, not legal or compliance advice. Verify any privilege or confidentiality question with your own counsel or bar association. The Heppner ruling is an evolving leading case; later courts are diverging to a fact-specific approach, and your jurisdiction may reach a different result.