Heppner v. United States: Why Your Firm's AI Infrastructure Now Determines Privilege

The SDNY ruling that changes how every law firm should think about AI

On February 10, 2026, Judge Jed Rakoff of the Southern District of New York handed down a ruling that will reshape how every law firm in America evaluates its AI tools. In United States v. Heppner, No. 25-cr-00503-JSR, the court held that documents generated using Anthropic's consumer Claude chatbot are protected by neither attorney-client privilege nor the work product doctrine — because the AI provider's own terms destroyed any expectation of confidentiality.

The decision is the first of its kind. Judge Rakoff acknowledged as much from the bench, calling the question one of "first impression."

But the reasoning he applied is entirely conventional: if you share privileged material with a third party that makes no promise of confidentiality, the privilege is waived. The novelty is only in the third party — an AI chatbot.

For law firms that have adopted or are evaluating AI tools, the implications are immediate and concrete. The question is no longer whether to use AI, but how — and specifically, where your data goes when you do.

What Happened

Bradley Heppner, a former finance executive, was charged with securities fraud and wire fraud in the Southern District of New York. After learning that he was a target of the federal investigation, Heppner turned to Anthropic's Claude — the free, consumer-facing version — to prepare for his defense.

Over a series of sessions, Heppner generated 31 documents using the chatbot: strategy memos, factual summaries, legal arguments, and outlines he intended to share with his attorneys at Quinn Emanuel Urquhart & Sullivan.

When the FBI subsequently seized his electronic devices, prosecutors sought to introduce these documents as evidence.

Quinn Emanuel moved to exclude the documents, arguing two theories of protection:

• Attorney-client privilege: that the Claude-generated documents constituted communications prepared for the purpose of obtaining legal advice.
• Work product doctrine: that they qualified as materials prepared in anticipation of litigation.

Judge Rakoff rejected both.

The Court's Reasoning

On attorney-client privilege: The court found no attorney-client relationship between Heppner and Claude. Privilege requires a confidential communication between a client and an attorney (or the attorney's agent) for the purpose of obtaining legal advice.

Claude is not an attorney, not an agent of an attorney, and not bound by any duty of confidentiality.

More critically, Anthropic's consumer terms of service explicitly stated that user inputs could be used to train models and could be disclosed to third parties. By submitting his defense strategy into that system, Heppner had voluntarily disclosed it to a third party with no confidentiality obligation.

"[The defendant] disclosed it to a third-party, in effect, AI, which had an express provision that what was submitted was not confidential." — Judge Jed S. Rakoff, United States v. Heppner (S.D.N.Y. Feb. 10, 2026)

On work product protection: The work product doctrine protects materials prepared by or for a party "in anticipation of litigation." The court held that Heppner prepared the documents on his own initiative — not at the direction of counsel.

The ruling is narrow in its facts but broad in its logic: the dispositive factor was not the use of AI per se — it was the terms of service under which the AI was accessed. A tool that retains data, trains on inputs, or permits third-party disclosure is a tool that waives privilege.

Consumer AI vs. Enterprise AI vs. On-Infrastructure AI

The Heppner ruling draws a bright line, but the line is not between "AI" and "no AI." It is between AI deployments that maintain confidentiality and those that do not.

The crucial insight from Judge Rakoff's reasoning is structural: privilege turns on whether a communication was made in confidence.

A consumer AI tool that reserves the right to read, retain, and reuse your input is not a confidential channel — period.

An enterprise API with zero data retention and contractual confidentiality is far stronger, but it still involves transmitting data to a third-party server.

Only on-infrastructure deployment eliminates the third party entirely.

What This Means for Your Firm

1. Audit every AI tool your attorneys use — today. After Heppner, any use of consumer AI on privileged or work-product material creates a waiver risk. This includes informal use on personal devices.
2. Terms of service are now a privilege issue. If the ToS permits training on inputs or third-party disclosure, using that tool on client data is functionally equivalent to publishing it.
3. Enterprise contracts help, but architecture is better. Contractual zero-retention and no-training clauses are a strong starting point. But a court will ask: did the data leave your control?
4. "Shadow AI" is now a malpractice risk. Associates and partners using consumer AI on their own are creating privilege waiver risks the firm may not discover until litigation.
5. This ruling will be cited nationwide. Judge Rakoff is among the most influential trial judges in the federal system. Firms should treat this as the new baseline, not an outlier.

The RAGbase Approach: Privilege by Architecture

RAGbase deploys entirely within your firm's infrastructure — on-premise servers or your own private cloud tenant. The AI models, the vector databases, the document processing pipelines — everything runs inside your network perimeter.

• No third-party transmission: Client data never leaves your network.
• No training exposure: Models run locally. Inputs are never used to train any external system.
• No third-party ToS: No terms of service that could be construed as a waiver of confidentiality.
• Full audit control: Your firm controls all logs, access records, and data retention policies.
• Ethics compliance by design: ABA Model Rules 1.6 (confidentiality) and 1.1 (competence) are addressed architecturally.

Under Judge Rakoff's framework, the privilege analysis for an on-infrastructure AI tool is identical to the analysis for any other internal firm system. The AI component does not change the privilege calculus because no third party is involved.

Conclusion

United States v. Heppner is not an anti-AI ruling. It is a pro-confidentiality ruling that applies centuries-old privilege doctrine to a new technology.

The court did not say lawyers cannot use AI. It said that lawyers cannot use AI tools that are structurally incapable of maintaining confidentiality and then claim the communications were privileged.

The distinction is clear. The path forward is clear. The only question is whether your firm's AI infrastructure is on the right side of that line.

Sources & Further Reading

1. United States v. Heppner, No. 25-cr-00503-JSR (S.D.N.Y. Feb. 10, 2026), Order on Motion to Suppress.
2. Debevoise & Plimpton, "Data Blog: AI-Generated Documents and Attorney-Client Privilege After Heppner," Feb. 2026.
3. Gibson, Dunn & Crutcher, "Client Alert: Privilege Implications of AI Use in Litigation Preparation," Feb. 2026.
4. ABA Model Rules of Professional Conduct, Rules 1.1 (Competence), 1.6 (Confidentiality of Information).
5. Anthropic, "Claude Terms of Service — Consumer," effective Jan. 2026.