Published June 24, 2026 · 11 min read

Are AI Chatbot Conversations Discoverable? What the Heppner Ruling Means for Executives in 2026

Key takeaways

Quick answer: Yes. Under the February 2026 SDNY ruling in United States v. Heppner, conversations with consumer AI chatbots like ChatGPT, Claude, and Gemini are generally discoverable and not protected by attorney-client privilege or the work product doctrine. The court found that inputting information into a public AI tool waives confidentiality because the vendor is a third party that retains and may use the data.

If you are an executive, in-house counsel, or anyone in a regulated industry who has ever pasted sensitive facts into ChatGPT, Claude, or Gemini, the answer as of 2026 is unambiguous: those conversations are almost certainly discoverable in litigation, and they are not protected by attorney-client privilege. That is the bottom line of United States v. Heppner, the first federal ruling on the question, which led directly to the May 2026 conviction of a CEO whose own AI prompts were introduced as evidence against him.

What Judge Rakoff Actually Ruled

On February 10, 2026, Judge Jed S. Rakoff of the Southern District of New York ruled from the bench in United States v. Heppner, No. 25-cr-00503 (S.D.N.Y.), that 31 documents generated by the defendant using the consumer version of Anthropic's Claude were not protected by either the attorney-client privilege or the work product doctrine. He followed with a written opinion on February 17. According to the Harvard Law Review, the court treated it as "a question of first impression nationwide."

The facts mattered. Bradley Heppner, the former chairman of GWG Holdings, was indicted on securities fraud, wire fraud, conspiracy, and falsification of records. As STACK Cybersecurity documented, after receiving a grand jury subpoena and engaging defense counsel, Heppner on his own initiative used the free version of Claude to generate 31 documents outlining potential defense strategies and analysis of the charges he anticipated facing — without attorney direction.

How prosecutors found the prompts is itself a cautionary detail. Defense counsel produced a privilege log describing the materials as "artificial intelligence-generated analysis conveying facts to counsel for the purpose of obtaining legal advice." That description flagged the documents for prosecutors, who immediately moved to compel production.

Three Independent Grounds Why Privilege Failed

Judge Rakoff identified three independent grounds, each sufficient on its own to defeat the privilege claim. Gibson Dunn's analysis walks through each.

1. Claude is not a lawyer

Privilege protects communications between a client and a licensed attorney made for the purpose of obtaining legal advice. The court rejected the analogy to a word processor, holding that all recognized privileges require "a trusting human relationship" with "a licensed professional who owes fiduciary duties and is subject to discipline." Claude's own terms of service, the court noted, expressly disclaim any ability to give legal advice.

2. The communications were not confidential

The court placed heavy weight on Anthropic's consumer privacy policy. As White & Case notes, the policy provides that Anthropic collects both user inputs and Claude's outputs, uses such data to train Claude, and reserves the right to disclose data to a host of third parties. That alone, in the court's view, destroyed any reasonable expectation of confidentiality.

3. No work product protection without attorney direction

The work product doctrine protects materials prepared by or at the direction of counsel in anticipation of litigation. Because Heppner generated the documents on his own initiative — a fact his defense counsel conceded — the court held that retroactively sharing them with his lawyer did not transform them into work product.

The Conviction: AI Prompts Became Evidence

The consequences of the ruling were not theoretical. According to STACK Cybersecurity's updated coverage, on May 7, 2026, Bradley Heppner was found guilty by a federal jury on all counts following a three-week trial. Prosecutors introduced his unprivileged consumer AI prompts as evidence during the proceedings. The Department of Justice alleged that Heppner misappropriated more than $150 million, with GWG's subsequent bankruptcy causing over $1 billion in losses to retail investors. He faces a maximum of 20 years on each fraud count, with sentencing scheduled for October 7, 2026.

The Emerging Federal Split: Heppner Is Not the Final Word

Within weeks, three other federal courts confronted similar questions and reached different results. The Mintz analysis summarizes the split well.

In Warner v. Gilbarco (E.D. Mich., Feb. 10, 2026) — issued the same day as Heppner's bench ruling — a magistrate judge held that a pro se plaintiff's AI-assisted materials were protected work product, reasoning that "ChatGPT (and other generative AI programs) are tools, not persons." In Morgan v. V2X (D. Colo., Mar. 30, 2026), the court extended work-product protection to pro se litigants but held that the identity of the AI tool used is itself discoverable. And per Akin Gump's Q1 2026 review, courts have begun issuing AI-specific protective orders that flatly prohibit inputting any document produced in discovery into public AI tools.

Consumer AI vs. Enterprise AI vs. On-Device AI: The Architectural Spectrum

The Heppner court expressly noted that enterprise AI platforms "may give rise to a reasonable expectation of confidentiality that consumer tools do not" — but no court has yet confirmed enterprise AI use preserves privilege. The architecture of the tool matters more than ever.

| Dimension | Consumer AI (free ChatGPT, Claude, Gemini) | Enterprise AI (no-training contracts) | On-Device AI (Basil) |
|---|---|---|---|
| Where prompts are processed | Vendor cloud servers | Vendor cloud servers (segregated) | Your device only |
| Training on your data | Usually yes | Contractually no | No data leaves device |
| Third-party disclosure | Permitted by TOS | Contractually limited | Not possible — no transmission |
| Reasonable expectation of confidentiality? | Court said NO (Heppner) | Untested, plausibly yes | Highest — no third party exists |
| Discoverable from vendor via subpoena? | Yes | Yes (vendor still holds data) | No vendor copy exists |
| Privilege-friendly? | No (Heppner) | Possibly, with counsel direction | Architecturally aligned |

Why This Matters Beyond Criminal Defense

It is tempting to read Heppner as a story about a criminal defendant making a panicked decision. But Orrick's client alert explains why every corporate executive should care: "Executives may be tempted to use AI to analyze regulatory exposure, prepare for board discussions, or develop strategic responses to government inquiries." Each of those prompts, under Heppner, is discoverable.

The risk is not limited to executives at the top of the org chart. Covington's Inside Privacy warns in-house counsel that any employee using consumer AI to summarize a privileged meeting, draft an HR investigation memo, or analyze a contract dispute may be creating discoverable evidence that opposing counsel will absolutely seek.

The AI Notetaker Problem: A Quieter Version of the Same Risk

Heppner involved typed prompts. The same architectural problem applies, arguably in a worse form, to AI meeting notetakers like Otter, Fireflies, and Zoom AI Companion. These tools record audio, transmit it to vendor servers, and store transcripts under terms of service that, like Anthropic's, permit retention and analytics. As the American Arbitration Association bluntly puts it, "Recording platforms that rely on AI can jeopardize attorney–client privilege if conversations are stored, shared, or used for model training by third-party vendors."

A quick look at Otter.ai's privacy policy and Fireflies' privacy policy confirms the architectural reality: audio is uploaded to vendor infrastructure, transcripts are processed in the cloud, and the vendor reserves broad rights to use the data. Zoom's privacy statement describes similar processing for AI Companion features. None of these are positioned to survive a Heppner-style privilege challenge.

What Regulators Add to the Picture

Privilege is only one layer. Under Article 5 of the GDPR, controllers must apply data minimization and storage limitation principles — feeding sensitive personal data into a consumer AI that retains it indefinitely is hard to square with those obligations. For healthcare organizations, the HHS HIPAA Privacy Rule requires Business Associate Agreements with any vendor that processes PHI — agreements consumer AI platforms typically do not offer. The ABA's Formal Opinion 512 on generative AI and Model Rule 1.6 demands the same vendor scrutiny from lawyers.

For an in-depth look at how cloud notetakers create privilege problems specifically in the legal context, see our companion analysis of AI notetakers and privilege waiver. For board-level governance implications, our piece on AI meeting transcripts as discoverable ESI walks through litigation hold and preservation obligations.

Practical Steps for Corporate Teams in 2026

Define a written AI acceptable-use policy

Covington and Venable's post-Heppner guidance both recommend that companies explicitly limit AI use to approved enterprise tools, set retention limits on prompts and outputs, and require attorney involvement before AI is used on anything that could become evidence.

Document attorney direction

If AI is used in anticipation of litigation, the directive from counsel must be contemporaneous and documented. Morgan Lewis emphasizes that retroactive ratification will not save privilege.

Audit your meeting capture stack

For every board meeting, internal investigation, or sensitive negotiation, ask: where does the audio go, who can read the transcript, and is the vendor under a contract that survives a litigation hold? Where the answer is uncertain, on-device capture is the cleanest fix.

Revise Upjohn warnings and privilege logs

Per the New York State Bar Association, employees subject to internal investigations should be expressly instructed not to process investigation materials through public AI tools — and privilege logs should clearly identify counsel's direction and the confidentiality expectation under which any AI was used.

How Basil AI Solves This

Heppner turned on a single architectural fact: the defendant disclosed information to a third party. Every category of risk in this article — privilege waiver, GDPR exposure, HIPAA non-compliance, vendor subpoenas, training-data leakage — flows from that one moment of transmission to a cloud service.

Basil AI is built so that moment never happens. All transcription runs on-device using Apple's Speech Recognition framework, accelerated by the Apple Neural Engine. Summaries and action items are generated locally. Notes sync only through the user's own iCloud, under Apple's privacy architecture. There is no vendor server holding your audio, no terms of service granting training rights, no third party to subpoena. The 8-hour continuous recording capability means a full board meeting or all-day strategy session can be captured without ever leaving your device.

That does not magically make AI-assisted analysis privileged — privilege still depends on attorney direction and the substantive elements Judge Rakoff laid out. But it removes the third-party disclosure that was fatal to Heppner's claim, and it aligns with the architectural standard the Boston Bar, ABA, and New York City Bar have begun pointing to as the only model that satisfies vendor due diligence under Model Rule 1.6.

The Bottom Line

The Heppner ruling did not invent new law. As Venable notes, it applied technology-neutral privilege doctrine to a new fact pattern and reached the result the underlying doctrine has always demanded: voluntarily disclosing your strategy to a third party that retains it, trains on it, and may share it with others destroys confidentiality. Consumer AI conversations are discoverable. Cloud notetaker transcripts are discoverable. The only way to keep something out of opposing counsel's hands is to keep it out of the cloud in the first place.

Capture Sensitive Meetings Without Creating Discoverable Cloud Records

Basil AI runs 100% on-device. Your audio, transcripts, and summaries never touch a vendor server — so they cannot be subpoenaed from one.

Frequently Asked Questions

Are ChatGPT conversations protected by attorney-client privilege?

No. In United States v. Heppner (Feb. 2026), Judge Rakoff held that consumer AI conversations are not privileged because (1) the AI is not a licensed attorney, (2) the vendor's terms of service permit data retention, training, and disclosure to third parties, and (3) inputting information into a public AI tool destroys the confidentiality that privilege requires.

Can prosecutors subpoena my AI chatbot history?

Yes. The FBI seized Bradley Heppner's electronic devices containing Claude transcripts while executing a search warrant, and the court ordered production of 31 AI-generated documents. Vendors like Anthropic and OpenAI also retain logs on their servers that can be subpoenaed directly, meaning your prompts can reach prosecutors even if you delete local copies.

Does enterprise AI preserve attorney-client privilege?

Possibly, but no court has confirmed this yet. The Heppner court hinted that enterprise platforms with no-training provisions, contractual confidentiality, and counsel-directed use "may give rise to a reasonable expectation of confidentiality" that consumer tools do not. However, attorneys at Venable, Gibson Dunn, and Morgan Lewis caution that this is untested — companies should not assume enterprise AI is automatically privileged.

What is the safest way to use AI for sensitive legal matters?

Use only at counsel's direction with documented attorney involvement, choose enterprise tools with no-training and no-retention contracts, or — for meeting capture and analysis — use on-device AI that never transmits data to a vendor at all. On-device processing eliminates the third-party disclosure that destroyed privilege in Heppner.

Are AI meeting notetakers like Otter and Fireflies discoverable too?

Yes. Cloud notetakers store transcripts on vendor servers under terms permitting analytics, training, and third-party disclosure — the same architectural problem Judge Rakoff identified in Heppner. Transcripts of board meetings, strategy sessions, or HR investigations captured by these tools may be subpoenaed in litigation and are unlikely to receive privilege or work-product protection.

What does the Heppner ruling mean for corporate executives?

Executives who use consumer AI to analyze regulatory exposure, draft board materials, or prepare for government inquiries are creating discoverable evidence. Orrick, Gibson Dunn, and Covington (Inside Privacy) all advise treating AI prompts as if they may be subpoenaed: limit use to approved enterprise tools, document attorney direction, and prohibit consumer-AI use for matters that could lead to litigation.