
Attorney-Client Privilege and AI: The 2026 Court Ruling That Should Change How Every Law Firm Uses AI Tools

In February 2026, a federal court ruled that AI communications don't carry attorney-client privilege. With 79% of lawyers using AI but only 10% of firms having formal policies, the risk is systemic. Here's how law firms protect client confidentiality while keeping AI productivity.

March 4, 2026 · 8 min read
Tags: attorney-client privilege, AI security, law firm compliance, legal tech

The Ruling That Changes Everything for Law Firms

In February 2026, a US federal court made a finding that rippled through every major law firm's risk management team: communications with AI tools like Claude do not carry attorney-client privilege.

In United States v. Heppner (No. 25-cr-00503-JSR, S.D.N.Y.), Judge Jed Rakoff ruled on February 10, 2026 that 31 documents a defendant generated using Claude were not protected by attorney-client privilege or the work product doctrine. Judge Rakoff's written opinion, issued February 17, 2026, characterized the question as one of first impression at the federal level.

The reasoning is direct. The AI is not a lawyer. There is no reasonable expectation of confidentiality when sharing information with a third-party AI provider. The moment a lawyer pastes client information into Claude, ChatGPT, or any external AI tool, the privilege protection that governs the attorney-client relationship does not follow.

This is now established case law.

The Scale of the Problem

79% of lawyers are using AI in their practice — but only 10% of firms have formal AI policies governing how that AI use should work (Clio 2024 Legal Trends Report).

That gap — between adoption and governance — is where privilege waiver risk lives. Lawyers are using AI for tasks that inherently involve client confidential information:

  • First-pass contract review (client names, deal terms, financial figures)
  • Legal research memos incorporating client facts
  • Discovery document summarization (containing case-specific confidential information)
  • Deposition preparation with witness background details
  • Settlement analysis with client financial positions

In each scenario, the efficiency gain from AI comes at a potential privilege cost. Without technical controls in place, every AI interaction involving client data is a potential privilege waiver.

Why Policy Alone Doesn't Work

The instinctive response from most firms has been policy: update the acceptable use policy to prohibit sharing client information with external AI tools without appropriate safeguards.

The problem is enforcement. A 2025 analysis found that most law firm AI policies exist as documents — they don't exist as technical controls. The lawyer under deadline pressure who pastes a contract into Claude at 11pm does not consult the acceptable use policy before doing so.

Human behavior under time pressure is the primary driver of AI data exposure across all industries, and law firms are not exempt. Policies that are not technically enforced are aspirations, not controls.

What Privilege Waiver Actually Costs

Privilege waiver consequences range from bad to catastrophic, depending on the circumstances:

Inadvertent waiver in discovery: The opposing party learns that privileged communications were shared with a third-party AI provider. Under Federal Rule of Evidence 502, intentional disclosure waives privilege. Courts evaluate whether the disclosure was inadvertent — but "I didn't know AI interactions aren't privileged" is not a reliable defense after the 2026 ruling.

Bar discipline: Multiple state bars have issued guidance on attorney competence requirements in the AI era. Failing to understand the confidentiality implications of AI tool use may constitute a competence violation under Rule 1.1.

Client relationship consequences: A client who learns that their confidential merger strategy was processed through an external AI tool — and potentially retained on that provider's servers — has grounds for a serious conversation about the relationship.

Malpractice exposure: Where privilege waiver causes client harm (e.g., opposing counsel learns about a confidential negotiating position), malpractice liability follows.

The Technical Solution: Anonymize Before You Submit

The February 2026 ruling creates a clear compliance framework when read carefully: the issue is that identifiable client information reaches the AI provider. Remove the identifiable information before it reaches the AI, and the privilege analysis changes fundamentally.

This is exactly what token-based anonymization enables.

Consider an M&A practice group reviewing a merger agreement. The original prompt might be:

"Please review this merger agreement between TechCorp and MegaStartup for the $450M acquisition. Identify any problematic representations and warranties related to intellectual property."

With anonymization running transparently in the background, the prompt that actually reaches Claude becomes:

"Please review this merger agreement between [COMPANY_1] and [COMPANY_2] for the [$AMOUNT_1] acquisition. Identify any problematic representations and warranties related to intellectual property."

Claude analyzes the anonymized version and returns its analysis using the same tokens. The lawyer sees the analysis with the original company names restored — the AI interaction was substantively productive, but no identifiable client information was transmitted to Anthropic's servers.

Practical Application: M&A Contract Review

A mid-size law firm's M&A practice uses Claude for first-pass contract review. Client names ("TechCorp acquiring MegaStartup for $450M") are replaced with tokens ("CompanyA acquiring CompanyB for $[AMOUNT]M") before Claude processes them. Claude's redlined contract comes back with the original names restored.

The mechanics work as follows:

  1. The lawyer pastes the contract into their workflow (Claude Desktop or the browser interface)
  2. The anonymization layer intercepts the text before transmission
  3. Client names, deal values, company identifiers, and other confidential terms are replaced with deterministic tokens
  4. Claude processes the anonymized version and returns analysis
  5. With reversible encryption, the response is automatically de-anonymized — the lawyer sees original names in the AI's output

Attorney-client privilege is preserved in its traditional form because no identifiable client information leaves the attorney's control. AI productivity is maintained because the work product is just as useful.
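The tokenize, check, and restore steps above can be sketched as follows. This is an added example, not anonym.legal's code: the `Pseudonymizer` class, the per-matter entity list, and the amount pattern are assumptions, and the token map is held in memory here rather than encrypted under a client-held key.

```python
import re

# Constructed sample data: a per-matter entity list (an assumption of this sketch).
MATTER_ENTITIES = {"COMPANY": ["TechCorp", "MegaStartup"]}
AMOUNT_RE = re.compile(r"\$\d[\d,]*(?:\.\d+)?(?:\s?(?:million|billion|[MBK]))?\b")
TOKEN_RE = re.compile(r"\[\$?[A-Z]+_\d+\]")


class Pseudonymizer:
    """Swaps known entities and dollar amounts for stable tokens and back."""

    def __init__(self, entities):
        self.lookup = {n.lower(): (k, n) for k, ns in entities.items() for n in ns}
        alts = "|".join(re.escape(n) for n in sorted(self.lookup, key=len, reverse=True))
        self.entity_re = re.compile(rf"\b(?:{alts})\b", re.I)
        self.forward, self.reverse, self.counters = {}, {}, {}

    def _token(self, kind, value):
        # The same value always maps to the same token within one matter.
        if value not in self.forward:
            n = self.counters[kind] = self.counters.get(kind, 0) + 1
            token = f"[$AMOUNT_{n}]" if kind == "AMOUNT" else f"[{kind}_{n}]"
            self.forward[value], self.reverse[token] = token, value
        return self.forward[value]

    def leaks(self, text):
        # Substring match on purpose: stricter than the word-boundary replacer.
        return [n for _, n in self.lookup.values() if n.lower() in text.lower()]

    def anonymize(self, text):
        out = self.entity_re.sub(lambda m: self._token(*self.lookup[m.group(0).lower()]), text)
        out = AMOUNT_RE.sub(lambda m: self._token("AMOUNT", m.group(0)), out)
        if self.leaks(out):  # fail closed: nothing is sent if a name survived
            raise ValueError(f"unredacted entities: {self.leaks(out)}")
        return out

    def restore(self, text):
        # Unknown tokens are left as-is rather than guessed.
        return TOKEN_RE.sub(lambda m: self.reverse.get(m.group(0), m.group(0)), text)


PROMPT = ("Please review this merger agreement between TechCorp and MegaStartup "
          "for the $450M acquisition.")
```

A dictionary-driven replacer only removes names it has been told about, so the outbound leak check matters as much as the substitution: a variant such as `TechCorpUSA` is missed by the replacer and blocked by the check instead of being transmitted.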

Building a Compliant AI Policy in 2026

Following the February 2026 ruling, law firms need to update their AI governance frameworks around a technical control layer, not just policy statements.

The required elements:

1. Technical anonymization controls — Before any client information reaches an external AI model, it must be anonymized. This applies to all AI touchpoints: browser-based Claude.ai and ChatGPT use, IDE-integrated Cursor and Copilot use, and any API-connected AI workflows.

2. Data minimization by default — The practice of including full client context "so the AI understands the situation" must be replaced with structured prompts that include only the information necessary for the specific task.

3. Client communication updates — Engagement letters and privacy notices should be updated to describe the firm's AI use practices and the technical controls in place to protect confidentiality.

4. Privilege log preparation — When AI-assisted work product is created, document the technical controls that were in place. This becomes relevant if privilege is challenged.

The Reversibility Question

One additional consideration unique to legal workflows: reversibility. Law firms sometimes need to restore original information from anonymized documents — for audit purposes, discovery production, or file review.

Permanent anonymization (where the original text is destroyed) creates its own risk: if the original document is needed for litigation discovery and it no longer exists in original form, that may constitute spoliation. The Federal Rules of Civil Procedure require production of responsive documents in their original form.

Reversible encryption addresses this: the anonymized version of the document is cryptographically linked to the original through a client-held key. Sharing the anonymized version with AI tools preserves privilege; restoring the original when required (with proper authorization) satisfies discovery obligations.

The 10% Problem

Only 10% of law firms have formal AI policies (Clio 2024 Legal Trends Report). After the February 2026 ruling, that number needs to move substantially — and the policies need to include technical controls, not just written guidelines.

The firms that act now — implementing anonymization controls before the next privilege waiver dispute, before the bar inquiry, before the client complaint — will be in a defensible position. The firms that continue relying on aspirational policies will be explaining their AI governance framework to a judge.


anonym.legal's MCP Server and Chrome Extension provide technical anonymization controls for law firms using AI tools. Client names, deal terms, financial figures, and other privileged information are anonymized before reaching AI models and can be restored using client-held encryption keys when required.
