On February 17, 2026, a federal judge in the Southern District of New York ruled that conversations with consumer AI chatbots are not protected by attorney-client privilege or the work product doctrine. The case, United States v. Heppner, was decided by Judge Jed Rakoff. As far as anyone has tracked, this is the first federal ruling directly addressing the question.
The legal commentary on Heppner has mostly focused on individuals who use AI tools for personal legal matters. That coverage is correct as far as it goes, but it misses the bigger story. The same logic that strips privilege from a defendant’s Claude transcript also strips privilege and work product protection from any conversation your employees are having with ChatGPT, Claude, Gemini, or any other consumer AI tool right now. Those conversations are discoverable. They are sitting on a provider’s servers. And in at least one major case, a federal court has already ordered an AI provider to hand over 20 million conversation logs.
If your employees are pasting company data into consumer AI tools, the legal exposure your company carries from that activity just changed. Most security teams have not caught up to this yet. They need to.
The Heppner Ruling and Why Security Teams Should Care
According to a recent analysis by Pennsylvania employment attorney Steven Auerbach in Don’t Tell ChatGPT Anything You Wouldn’t Tell a Judge, the Heppner facts are almost a parable for what is happening inside enterprises right now. Bradley Heppner, a corporate executive facing federal fraud charges, hired defense counsel and then independently used Claude to work through his case. He fed in facts. Materials from his own attorneys went into Claude too. Out came strategy-focused reports analyzing his legal arguments. Heppner then shared those AI-generated documents with his lawyers, figuring that if his lawyers had the reports, the reports would be covered by privilege.
Judge Rakoff rejected the privilege claim on three independent grounds. There was no attorney-client relationship between Heppner and the AI provider, so the underlying privilege never attached in the first place. The provider’s terms of service expressly allow content disclosure to third parties, which waives any reasonable expectation of confidentiality. And forwarding non-privileged material to your lawyer does not retroactively make it privileged. Each of those grounds matters because they apply far beyond the criminal defense context.
For the security team at a Fortune 500 company, the legal nuance of attorney-client privilege is interesting but secondary. The real takeaway is much more direct. Every conversation your employees have with a consumer AI tool is potentially discoverable evidence in litigation involving your company. That includes regulatory investigations, employment lawsuits, IP disputes, breach response, and any other matter where the other side gets to ask for relevant electronically stored information.
The Preservation Order Problem
Heppner is one ruling. The bigger shift happened earlier and most security teams missed it entirely.
In May 2025, a federal magistrate judge in the consolidated copyright litigation against OpenAI ordered the company to preserve all consumer ChatGPT logs indefinitely. That order overrode OpenAI’s normal deletion policies and applied even to chats users had already deleted. Six months later, in November 2025, the same court ordered OpenAI to produce 20 million de-identified ChatGPT conversation logs to the plaintiffs. By January 2026, the district judge affirmed the order, reasoning that users voluntarily submitted their communications to OpenAI and therefore had limited privacy interests.
Read that again. A federal court ordered an AI provider to preserve and produce conversation logs over the company’s objection and against its stated deletion policies. The case was about copyright, but the legal mechanism is general. AI conversation logs are now established as discoverable electronically stored information, and the platform’s privacy promises do not override a court order.
What this means for your data classification program: if an employee pastes anything into ChatGPT, Claude, Gemini, or any other consumer AI tool, you should assume that data is now sitting on a provider’s servers, retained indefinitely, and potentially producible to opposing counsel in any future litigation. That data lives there even if the employee deleted the chat. It also lives there even if your company subscribes to a paid plan that promised deletion.
What Your Employees Are Already Pasting In
Shadow AI usage in enterprise environments has exploded in the last 18 months. The pattern I see across client environments is consistent: official policy says employees should not paste confidential data into consumer AI tools, but enforcement is inconsistent and visibility is limited. Meanwhile employees are pasting things in constantly because the tools save them time and the work pressure does not pause for governance.
Common categories of data I have seen end up in consumer AI conversations during security assessments include the following.
The Discovery Risk in Plain Terms
Picture this scenario. Your company gets sued for wrongful termination. The plaintiff’s attorney serves a discovery request that includes any communications with AI-based tools by the manager who fired the plaintiff, the HR business partner who supported the decision, and the in-house counsel who reviewed it. Under federal rules, your company has to produce responsive material. That manager who pasted the termination letter draft into ChatGPT to make it sound more professional just created a discoverable record that will show up in opposing counsel’s brief.
Worse case scenario: the manager also asked the AI a question like “what’s the strongest version of the case against this employee that we could make if she sues us?” That prompt now reads as the company building a pretextual rationale rather than terminating for legitimate cause. The AI’s response does not matter. What matters is the question your employee asked while logged in on a company device or company network.
Auerbach calls this consciousness of guilt evidence. He is right. Lawyers reading prompts will find the worst-version-of-your-thinking moments and use them. That is what discovery is for.
What Enterprise Security Teams Should Actually Do
This is not a problem you solve with a policy memo. Employees pasting things into AI tools is happening at every company with internet access, and a strongly worded email from compliance will not stop it. You need a layered approach that combines policy, technical controls, and approved alternatives.
Get an enterprise AI agreement in place
Consumer AI tools are the problem. Enterprise AI offerings from OpenAI, Anthropic, Microsoft, and Google generally include data processing agreements with stronger confidentiality, no training on customer data, configurable retention, and contractual indemnification. Get one in place and route employee AI usage through it. This does not eliminate discovery risk, but it shifts the risk profile significantly because the conversations stay inside your contractual perimeter rather than on a consumer provider’s servers.
Build a real AI acceptable use policy
Your existing acceptable use policy probably does not cover this. Update it. Specify which AI tools are approved, what data categories are prohibited from being pasted into AI tools (PII, customer data, source code, legal materials, M&A data), and what the consequences are for violations. Tie the policy to training and require annual acknowledgment. This matters partly for actual behavior change and partly for the litigation defense story your lawyers will tell about your reasonable efforts to control employee conduct.
Implement technical controls
Endpoint DLP, CASB integration, browser-based content inspection, and AI gateway products are all evolving fast in this space. The right combination depends on your environment, but the general direction is the same: block direct access to consumer AI tools from company devices and networks, route approved usage through enterprise gateways with logging and content controls, and surface attempted usage of unapproved tools to the security team. Visibility matters more than blocking because some users will route around blocks, and you want to know who and what.
Train your people on what they cannot see
Most employees who paste sensitive data into consumer AI tools are not malicious. They are trying to do their jobs faster. The disconnect is that they cannot see what happens to the data after it leaves their browser. Training that shows the actual flow (your data goes to a third-party server, may be retained indefinitely, may be subject to a court order, may surface in a future lawsuit your company is involved in) changes behavior more than policy language alone. The AI security knowledge gap is real, and certifications like CompTIA SecAI+ are starting to address the technical side of this for security teams.
What This Means for AI Governance Leadership
For security leaders, the Heppner ruling and the OpenAI preservation order signal that AI governance has moved out of theoretical territory and into active legal exposure. The CISOs I talk to are starting to get pulled into conversations with general counsel, compliance, and HR about who owns the AI use risk inside the company. That is a leadership opportunity if you take it seriously.
If you do not have someone on your team specifically responsible for AI security and governance, this is the moment to identify that person. Certifications can validate the skills, but operational ownership is what matters. ISACA’s Advanced in AI Security Management credential and CompTIA SecAI+ are both designed for this kind of role, and we covered the AAISM specifically in our analysis of the new AI security management certification. What credential matters less than getting somebody named, authorized, and accountable.
The Sam Altman Concession
Worth mentioning that the head of the AI industry has already admitted this is a problem. OpenAI CEO Sam Altman said publicly in 2025 that conversations with ChatGPT do not carry the privilege protections people assume they do, and he called the situation a bad gap that the industry has not solved. This was not buried in fine print. He said it on a podcast that millions of people listened to.
If the CEO of the company building the tool says your conversations are not protected, you should take that at face value. Companies that build AI products know more about the data flow than their users do. When they tell you something is risky, believe them.
Bottom Line for Security Teams
Three things to take away from this. First, consumer AI conversations are not private, not privileged, and now established as discoverable in federal court. Second, your employees are almost certainly pasting sensitive data into these tools right now, regardless of what your policy says. Third, the gap between what your company says about AI use and what your employees actually do with AI tools is creating real legal exposure that will start showing up in litigation discovery this year and next.
For more on the legal framework specifically, the original analysis from Auerbach’s firm is a clear plain-language read worth sharing with your general counsel and HR team. On the technical side, expect this to be one of the dominant security conversations of 2026 as more rulings work through the courts. The companies that get ahead of this through enterprise AI agreements, real policies, and proper training will be in a much better position than the ones figuring it out in deposition.
For the official federal guidance on managing electronically stored information in litigation, the Federal Rules of Civil Procedure outline the discovery obligations that now extend to AI conversation logs.
Frequently Asked Questions
Are ChatGPT conversations private?
No. Consumer ChatGPT conversations are stored on OpenAI servers, may be used for model training under standard terms, and have now been established as discoverable in federal litigation. A federal court ordered OpenAI in 2025 to preserve all consumer ChatGPT logs indefinitely, including conversations users had already deleted. Enterprise versions of ChatGPT operate under different contractual terms with stronger confidentiality protections.
Can my AI conversations be subpoenaed?
Yes. AI conversation logs qualify as electronically stored information under federal civil procedure rules. They can be subpoenaed directly from the AI provider, requested in discovery from a party to litigation, and ordered preserved by a court. The OpenAI copyright litigation established direct precedent for this kind of order overriding the provider’s normal deletion policies.
Are ChatGPT conversations protected by attorney-client privilege?
No. Attorney-client privilege protects confidential communications with a licensed attorney for the purpose of obtaining legal advice. An AI chatbot is not a licensed attorney. In United States v. Heppner, a federal court ruled in February 2026 that conversations with a consumer AI tool are not privileged, even when the user later shared the AI-generated content with their actual attorney.
What sensitive data should employees never paste into consumer AI tools?
The high-risk categories include personally identifiable information about customers or employees, proprietary source code, contract drafts and other legal materials, financial data, HR records like performance reviews and termination decisions, M&A diligence materials, and any information covered by third-party NDAs. These categories carry the highest combination of regulatory, contractual, and litigation risk if disclosed through AI provider records.
Does turning off chat history protect my AI conversations?
Not reliably. Most AI providers retain content for some period regardless of user-facing history settings, often for abuse monitoring or safety review. More importantly, court preservation orders can override the platform’s normal deletion policies. The federal court order requiring OpenAI to preserve all consumer ChatGPT logs applied even to conversations users had affirmatively deleted from their accounts.
What is the difference between consumer and enterprise AI for data privacy?
Enterprise AI products (like ChatGPT Enterprise, Claude for Work, Microsoft Copilot, and Gemini for Workspace) operate under negotiated data processing agreements that typically prohibit training on customer data, provide configurable retention controls, and include contractual confidentiality protections. Consumer tools operate under standard terms that allow training on inputs and broader use of conversation content. The legal exposure profile is meaningfully different.
What should our company do about employees using ChatGPT for work?
Get an enterprise AI agreement in place so approved usage is contractually protected. Update your acceptable use policy to specifically address AI tools and prohibited data categories. Implement technical controls through endpoint DLP, CASB, and AI gateway products. Train employees on what actually happens to data after they paste it into consumer AI tools. The combination of policy, technical control, and training is more effective than any one of them alone.
CMO & Certification Guru | Training Camp
Mike McNelis is the CMO at Training Camp, where he combines a passion for technology with a hands-on approach to leadership. Beyond overseeing marketing strategy, Mike is actively involved in the technical side of the business — collaborating with clients, shaping learning solutions, and staying connected to the fast-changing world of IT and cybersecurity. He works closely with companies, government agencies, and individuals to help them achieve meaningful certification and workforce development goals.