A court ruling in New York has settled a question that most executives never thought to ask. The answer should worry anyone who has ever pasted something sensitive into Claude or ChatGPT.
On February 10, 2026, Judge Jed S. Rakoff of the Southern District of New York did something unusual: he made case law out of a chatbot conversation. In United States v. Heppner, No. 25 Cr. 503, the judge ruled from the bench that 31 documents a defendant had generated using Anthropic’s Claude were not protected by attorney-client privilege or the work-product doctrine. The defendant, Bradley Heppner, a Dallas finance executive charged with a $150 million fraud, had used the consumer version of Claude to draft reports about his legal strategy after learning he was under investigation. He then emailed the outputs to his lawyers at Quinn Emanuel. Federal agents found the documents on devices seized during a search of his mansion.
Heppner’s defence team argued privilege. Rakoff was unpersuaded. “I’m not seeing remotely any basis for any claim of attorney-client privilege,” he said. The AI tool is not an attorney, owes no duty of confidentiality, and its terms of service explicitly disclaim any expectation of privacy. Anthropic’s privacy policy at the time noted that inputs could be collected, disclosed to authorities, and used for model training. On the work-product argument, Heppner’s own lawyers conceded that he had prepared the documents on his own initiative, not at their direction. The government’s motion put the point plainly: sending unprivileged documents to your lawyer after the fact does not retroactively cloak them in privilege.
Debevoise & Plimpton calls it the first reported case where using a consumer AI tool led to a loss of privilege. The National Law Review calls it a “discovery nightmare.” Lawyers report that in civil proceedings, they are already requesting adversaries’ AI chat logs as a matter of course. It is, as one attorney observed, a whole new category of discoverable information.
The confession booth that records everything
The reasoning in Heppner is not novel. It applies the same logic courts have used for decades about third-party disclosures. If you discuss your case with a friend at a dinner party, that conversation is not privileged either. What makes the ruling significant is its collision with widespread behaviour. Millions of professionals now routinely paste confidential material into AI chatbots. They draft legal memos, analyse clinical data, model financial scenarios, and brainstorm competitive strategy, all inside tools whose providers reserve the right to log, store, and learn from every input.
The intuition that a chatbot conversation is private turns out to be wrong. It feels private, in the same way that whispering into a telephone feels private. But the provider is not bound by any duty of secrecy, and the infrastructure sitting between you and the model is owned and operated by a third party with its own interests and obligations.
Debevoise notes an important nuance: enterprise AI tools with contractual confidentiality commitments and no-training clauses might fare differently. But no court has tested that distinction yet. Rakoff has not issued a written opinion, only the bench ruling transcript. Until another judge draws the line, the prudent assumption is that anything typed into a consumer AI platform is as discoverable as a Google search.
The pharmaceutical problem
Consider what flows through AI tools in a typical pharmaceutical company on a typical day. A medicinal chemist uploads a proprietary molecular structure for quick analysis. A clinical data analyst pastes unpublished trial results into a chatbot to spot patterns. A quality team feeds manufacturing process details into an AI for optimisation suggestions. Each action is well-intentioned. Each creates a permanent exposure that cannot be undone.
The Kiteworks 2025 study found that 83% of pharmaceutical organisations lack basic technical safeguards against AI data leakage. The Varonis 2025 report found that 99% of organisations have sensitive data exposed to AI tools. Stanford’s 2025 AI Index documented a 56.4% year-on-year increase in AI-related security incidents.
What makes AI data leakage different from a conventional breach is its permanence. When a password is stolen, you change the password. When information is absorbed into an AI training dataset, it becomes permanently embedded. The model can memorise fragments. It cannot unlearn them on demand. A single molecular structure can represent a billion-dollar drug programme. An unpublished clinical result can make or break an approval. These are not the kinds of assets you want sitting in someone else’s training pipeline.
Samsung learned this the hard way in 2023, when engineers uploaded confidential source code to ChatGPT without realising it would be stored on OpenAI’s servers. Samsung banned the tool. JPMorgan, Goldman Sachs, and Amazon followed with similar restrictions. After Heppner, the argument for restricting consumer AI usage is no longer just about data hygiene. It is about litigation exposure.
Giving away the alpha
The hedge fund industry arrived at this conclusion slightly earlier, and for a different reason. In quantitative finance, your edge is your data and your models. Sending either through a cloud API is, in a real sense, giving away the alpha.
Resonanz Capital reports that one fund’s internal trial flagged a developer using real client trade data in prompts to debug a pricing tool on an open-access generative AI model. The practice was technically functional but constituted an unacceptable security risk. The firm fast-tracked a firmwide AI use policy and built a private, firewalled environment.
This is not paranoia. It is arithmetic. A prompt containing a trading signal, a position, or a piece of strategy logic is transmitted to and stored by a third party. The risk of model inversion attacks, where adversaries reverse-engineer AI models to extract trade execution patterns, is well documented. And after Heppner, there is a new vector: any AI-generated analysis could be subpoenaed and used against the firm in litigation or regulatory proceedings.
The large quantitative shops have responded accordingly. D.E. Shaw runs prompt cost meters with automatic throttles on each desk. Point72 and Balyasny maintain permanent, uneditable logs of every AI query and response to pre-empt SEC audits. Several funds report that GPU rental and cloud exit costs now rival prime-broker financing as line items. Citadel’s aborted Seattle AI lab illustrated the cultural tension: discretionary portfolio managers worried about IP leakage even within the firm’s own walls.
For a fund running inference on local GPUs, the maths is simple. Signals arrive in microseconds instead of the tens-of-milliseconds round trip to a cloud API. The data stays behind the firewall. The model stays under the firm’s control. The alpha stays proprietary. In the language of the trade, on-premise AI converts proprietary data into intellectual capital without handing that capital over to a hyperscaler in Northern Virginia.
Read the full post
https://www.p05.org/anything-you-say-to-a-chatbot-may-be-used-against-you/
