Updated for 2026
The Ruling That Changed Law Firm AI Use
In February 2026, a US federal court issued a finding that hit every law firm's risk team hard. The ruling: AI tool chats do not carry attorney-client privilege.
In United States v. Heppner (No. 25-cr-00503-JSR, S.D.N.Y.), Judge Jed Rakoff ruled on February 10, 2026. He found that 31 documents a defendant made using Claude were not protected. His written opinion came on February 17, 2026. He called it a first-impression question at the federal level.
The logic is plain. The AI is not a lawyer. There is no right to keep secrets from a third-party AI provider. When a lawyer pastes case details into Claude, ChatGPT, or any external AI tool, privilege does not follow.
This is now set case law.
The Scale of the Problem
79% of lawyers use AI in their work. Yet only 10% of firms have formal AI policies (Clio 2024 Legal Trends Report).
That gap — between use and governance — is where privilege waiver risk sits. Lawyers use AI for tasks that touch private case details:
- First-pass contract review (names, deal terms, dollar figures)
- Research memos that include case facts
- Discovery document summaries with private details
- Deposition prep with witness background
- Settlement analysis with financial positions
In each case, the AI speed gain comes at a possible privilege cost. Without technical controls, every AI chat involving case data is a potential waiver.
Why Policy Alone Fails
Most firms respond with policy: update the rules to ban sharing case details with external AI tools.
The problem is enforcement. A 2025 analysis found that most law firm AI policies exist only as documents — not as technical controls. A lawyer on deadline who pastes a contract into Claude at 11pm does not stop to check the rules first.
Human behavior under time pressure drives AI data exposure in all sectors. Law firms are not exempt. Policies without technical controls are hopes — not safeguards.
What Privilege Waiver Costs
Privilege waiver results range from bad to very bad:
Inadvertent waiver in discovery: The other side learns that protected communications reached a third-party AI provider. Under Federal Rule of Evidence 502, intentional disclosure waives privilege. Courts weigh whether disclosure was accidental. But "I did not know AI chats aren't privileged" is not a strong defense after the 2026 ruling.
Bar discipline: Many state bars have issued guidance on competence in the AI era. Failing to grasp the privacy risks of AI tools may violate Rule 1.1.
Client relationship harm: A client who finds out that their private merger plan went through an external AI tool has grounds for a hard conversation. That data may be stored on the provider's servers.
Malpractice exposure: Where privilege waiver causes harm, malpractice claims can follow.
The Fix: Anonymize Before You Submit
The February 2026 ruling creates a clear path forward. The core issue is that real case details reach the AI provider. Strip those details before they reach the AI, and the privilege question changes.
This is what token-based anonymization does. See how it works on anonym.legal's security page and in the legal conformance docs.
Consider an M&A group reviewing a merger agreement. The raw prompt might be:
"Please review this merger agreement between TechCorp and MegaStartup for the $450M deal. Identify any problems with the IP reps and warranties."
With anonymization running in the background, the prompt that reaches Claude becomes:
"Please review this merger agreement between [COMPANY_1] and [COMPANY_2] for the [$AMOUNT_1] deal. Identify any problems with the IP reps and warranties."
Claude analyzes the masked version and returns its output. The lawyer sees the result with original names restored. The AI work was useful — but no real details were sent to Anthropic's servers.
Practical Application: M&A Contract Review
A mid-size law firm's M&A team uses Claude for first-pass contract review. Names like "TechCorp acquiring MegaStartup for $450M" get swapped with tokens ("CompanyA acquiring CompanyB for $[AMOUNT]M") before Claude sees them. Claude's redlined contract comes back with the original names restored.
The steps are:
- The lawyer pastes the contract into their tool (Claude Desktop or browser)
- The anonymization layer catches the text before it is sent
- Names, deal values, and private terms get replaced with fixed tokens
- Claude processes the masked version and returns its analysis
- The response is auto-decoded — the lawyer sees original names in the AI output
Privilege is preserved because no real identifiers leave the firm's control. AI value is kept because the work product is just as good.
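The mask-and-restore flow in the steps above, sketched as an added example (not anonym.legal's code). The class name, the firm-supplied party list and the model reply are assumptions; names are matched from that list rather than by entity recognition, and at least one party is expected.

```python
import re

class PromptMasker:
    """Swap known party names and dollar amounts for tokens; the map stays local."""

    LABELS = {"COMPANY": "COMPANY", "AMOUNT": "$AMOUNT"}  # token style used in the article

    def __init__(self, parties):
        self.parties = list(parties)  # hypothetical firm-supplied list of party names
        names = "|".join(re.escape(p) for p in sorted(self.parties, key=len, reverse=True))
        # One combined pattern, so tokens are numbered in order of appearance.
        self.pattern = re.compile(rf"(?P<COMPANY>\b(?:{names})\b)|(?P<AMOUNT>\$\d[\d,.]*[KMB]?\b)")
        self.to_token, self.to_value, self.counts = {}, {}, {}

    def _swap(self, match):
        value, kind = match.group(0), self.LABELS[match.lastgroup]
        if value not in self.to_token:  # the same value always gets the same token
            self.counts[kind] = self.counts.get(kind, 0) + 1
            token = f"[{kind}_{self.counts[kind]}]"
            self.to_token[value], self.to_value[token] = token, value
        return self.to_token[value]

    def mask(self, text):
        masked = self.pattern.sub(self._swap, text)
        # Fail closed: the guard is looser than the matcher (it ignores case and
        # punctuation), so a missed variant blocks the send instead of leaking.
        squashed = re.sub(r"[^a-z0-9]", "", masked.casefold())
        for party in self.parties:
            if re.sub(r"[^a-z0-9]", "", party.casefold()) in squashed:
                raise ValueError("unmasked party name would leave the firm")
        return masked

    def restore(self, text):
        # Tokens that are not in the local map are left untouched, not guessed.
        return re.sub(r"\[\$?[A-Z]+_\d+\]",
                      lambda m: self.to_value.get(m.group(0), m.group(0)), text)


# Constructed sample: the prompt quoted in the article and a made-up model reply.
PROMPT = ("Please review this merger agreement between TechCorp and MegaStartup "
          "for the $450M deal. Identify any problems with the IP reps and warranties.")
masker = PromptMasker(["TechCorp", "MegaStartup"])
MASKED = masker.mask(PROMPT)
REPLY = masker.restore("The IP warranty in section 4 favors [COMPANY_2] over [COMPANY_1].")
```

The token map in `to_value` is the only link back to the real names, so it has to stay on firm-controlled storage for the restore step to work.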
Learn more in the token system docs and the FAQ hub.
Building a Compliant AI Policy in 2026
After the February 2026 ruling, law firms must build their AI programs around technical controls — not just written rules.
Required elements:
1. Technical anonymization controls — Before any case details reach an external AI model, they must be masked. This applies to all AI use: browser-based Claude.ai and ChatGPT, IDE tools like Cursor and Copilot, and any API-connected AI workflows.
2. Data minimization — The habit of including full context "so the AI gets the picture" must change. Use lean prompts with only the details the task needs.
3. Engagement letter updates — Privacy notices should describe the firm's AI use and the technical controls that protect confidentiality.
4. Privilege log preparation — When AI-assisted work product is created, document the controls that were in place. This matters if privilege is later challenged.
The Reversibility Question
One issue unique to legal work: reversibility. Law firms sometimes need to restore original text from masked documents — for audits, discovery, or file review.
Permanent masking (where the original text is gone) creates its own risk. If the original document is needed for litigation and no longer exists in full, that may be spoliation. The Federal Rules of Civil Procedure require production of responsive documents in their original form.
Reversible encryption solves this. The masked version of the document is cryptographically linked to the original through a key held by the firm. Sharing the masked version with AI tools preserves privilege. Restoring the original when needed — with proper sign-off — meets discovery rules.
The 10% Problem
Only 10% of law firms have formal AI policies (Clio 2024 Legal Trends Report). After the February 2026 ruling, that must change — and the policies need real technical controls, not just words on paper.
Firms that act now, adding anonymization controls before the next privilege dispute, bar inquiry, or client complaint, will be in a strong position. Firms that rely only on written policies will be explaining their AI program to a judge.
anonym.legal's MCP Server and Chrome Extension provide technical anonymization controls for law firms using AI tools. Names, deal terms, dollar figures, and other protected information are masked before reaching AI models. They can be restored using firm-held encryption keys when required. Read the founder statement for background.
Sources
- United States v. Heppner, No. 25-cr-00503-JSR (S.D.N.Y. Feb. 17, 2026) — Debevoise Data Blog
- AI, Privilege, and the Heppner Ruling — Venable LLP
- Federal Court Rules Some AI Chats Are Not Protected by Legal Privilege — Crowell & Moring
- Clio 2024 Legal Trends Report — AI Adoption Among Lawyers
- Harris Beach Murtha: Court Finds AI Use Ends Attorney-Client Privilege
- Bloomberg Law: Generative AI Poses Threats to Attorney-Client Privilege