ChatGPT Is Not Your Lawyer: What the Heppner-vs-Assini Court Split Means for Your Privacy

Within 24 hours of each other in early June 2026, a Texas business court and a New York trial court reached opposite conclusions from a February federal ruling on whether your AI chat logs deserve legal protection. The privacy implications are not theoretical. If you typed litigation strategy, financial details, or trade secrets into a consumer chatbot this year, courts are now actively disagreeing about whether opposing counsel can read every word of it. Here is what happened, what it means, and what — if anything — you can do about it right now.

Key Takeaways

What Did the Heppner Ruling Actually Say?

It said your chatbot conversations can be handed to prosecutors. On February 10, 2026, Judge Jed S. Rakoff of the Southern District of New York ruled — for the first time in a U.S. court — that documents a criminal defendant created by typing prompts into a consumer AI chatbot were neither protected by attorney-client privilege nor shielded as work product. The government's motion to compel production succeeded.

The defendant, Bradley Heppner, was charged with securities and wire fraud. He had used Anthropic's consumer chatbot to create 31 AI-generated documents and later shared them with his attorneys. That sharing prompted the government to argue the documents were discoverable.

Rakoff's reasoning was narrower than the headlines suggested. The court did not hold that AI-generated text can never be privileged. It focused on confidentiality — specifically, the platform's terms of service. Those terms reserved rights to log prompts and outputs, use them for model training, and disclose information to regulators or third parties. Submitting information under those conditions, the court found, was inconsistent with a reasonable expectation of privacy.

In other words: the platform's own legal documents became the prosecution's best exhibit.

How Did Texas and New York Break with Heppner?

They rejected its framework — explicitly. On June 3, 2026, Judge Grant Dorfman of the Texas Business Court held in Tate Group Automotive, LLC v. Legacy Automotive Capital, LLC that a litigant's chatbot conversations were protected attorney work product and that using a consumer AI tool did not waive that protection. The Texas decision expressly sided with two federal courts that found no waiver and split from the federal court that reached the opposite conclusion.

One day later — June 4 — Justice Rhonda Fischer of the New York Supreme Court, Nassau County, quashed a subpoena seeking a litigant's entire chatbot account in Assini v. Hayward, holding that interacting with an AI tool neither surrenders confidentiality nor waives work-product protection.

Judge Dorfman's opinion leaned on the text of Texas procedural rules, which define protectable work product to include material or mental impressions developed in anticipation of litigation "by or for a party" — language that on its face extends to chatbot conversations. The New York court took a different statutory path but landed in the same place.

Did the Courts Agree on Everything?

No. Both Texas and New York imposed meaningful limits even as they broke with Heppner. The Texas ruling protects a non-lawyer principal's chatbot conversations as work product but still requires disclosure of which discovery materials were shared with the tool. You get to keep your prompts and outputs — but you have to tell the other side what you fed into the system.

In New York, Justice Fischer quashed the subpoena but warned the pro se defendant that his AI usage could "frustrate[] the litigation and cannot go unfettered," pointing him to New York's new AI practice rule — 22 NYCRR Part 161, which took effect June 1, 2026. That rule does not prohibit AI use and does not require disclosure of usage, but it requires anyone using an AI tool to carefully review filings and independently verify that they contain no fabricated citations.

Protection with strings attached. Not a blank check.

Why Does This Split Matter If You Are Not a Lawyer?

Because courts are now functionally auditing your vendor's privacy policy — and using it to decide whether your data gets turned over in discovery. The split across Heppner, Tate, and Assini is not really about jurisdiction. It is about confidentiality architecture.

Legal commentators have noted that early AI discovery cases tended to frame the question poorly — asking whether a chatbot is like a lawyer (it is not) rather than asking whether sharing work product with a tool waives protection. The better framing separates two questions: (1) Is the material work product in the first place? (2) Does using this particular tool waive that protection?

The answer to question two increasingly depends on the tool's retention policies, training defaults, and contractual commitments. Judge Rakoff did not rule that all AI chats are unprotected. He ruled that these chats, on this platform, with these terms of service, did not support a reasonable expectation of confidentiality. The Texas and New York courts reached different conclusions partly because they applied different procedural standards — but also because they assessed the confidentiality question differently.

If you run a company or work at one, the practical takeaway is this: your AI vendor's terms of service are now a variable in your litigation risk model. Not abstractly. Concretely.

Is Any of This Settled Law?

No. Not even close. All four key rulings are trial-court decisions — persuasive authority at most. The Heppner decision is a single federal district court order. The Michigan federal ruling is a magistrate judge's discovery order. The Texas decision is a minute entry not meant to be final. No court of appeals has weighed in. The first appellate decision could reshuffle every thread described in this post.

This uncertainty is not a footnote. It is the central fact. Anyone designing internal AI policy around the assumption that Tate or Assini will hold up on appeal — or that Heppner won't — is making a bet they cannot size. The prudent posture is to treat the law as genuinely unsettled and build your data practices accordingly.

What Does "Lawyer-in-the-Loop" Mean as a Practical Requirement?

It means the difference between protected and unprotected may come down to who initiated the session. Multiple analyses of Heppner have flagged that the outcome hinged on the client acting "on his own volition" rather than at counsel's direction. Heppner typed his prompts himself, outside of any attorney-supervised workflow. That mattered.

For in-house legal departments and outside counsel, this suggests a structural fix: establish a documented chain showing that AI-assisted research or drafting was conducted under attorney direction, in anticipation of litigation, with data-handling guarantees that a court could examine later. Provenance logging — who initiated a session, under whose instruction, and with what retention settings — turns a legal footnote into an auditable record.

This is a product design problem as much as a policy problem. Tools that do not log provenance make it harder — after the fact — to demonstrate that a session was conducted under privilege. Tools that do log provenance make it easier. Neither guarantees an outcome, because no trial court ruling guarantees anything yet.

How Much Sensitive Data Are People Actually Putting Into Chatbots?

A lot. And more every quarter. Cyberhaven's 2026 AI Adoption & Risk Report found that 39.7% of AI interactions expose sensitive data, with employees inputting sensitive information into AI tools roughly every three days. Over 60% of that sensitive input flows through personal accounts — not enterprise-managed ones.

The scale of the surface area is hard to overstate. Research shows 34.8% of employee inputs now contain sensitive data, up from 11% in 2023. That is a roughly threefold increase in two years. One in five organizations has already reported a breach due to shadow AI, and only 37% have policies to manage it.

These numbers are the backdrop to the court split. Judges are not ruling on a hypothetical behavior. They are ruling on something tens of millions of people do every day — often without thinking about it, and almost always without reading the terms of service that Judge Rakoff found so decisive.

What Should You Actually Do Right Now?

Assume the worst. Not because the worst is certain, but because the law is unsettled and the downside is asymmetric.

Concretely:

Why Does the Platform's Architecture Matter More Than the Jurisdiction?

Because the courts are converging on a functional test — whether the platform's design supports a reasonable expectation of confidentiality — even as they diverge on the legal standard. Rakoff looked at terms of service. Dorfman looked at procedural rules. Fischer looked at the subpoena's scope. But all three courts were, in substance, asking the same question: did this user have a reasonable basis for believing their input would stay private?

That is an engineering question as much as a legal one. A platform that retains prompts indefinitely, trains on user inputs by default, and reserves the right to share content with third parties will have a harder time supporting a reasonable-expectation-of-confidentiality argument in any jurisdiction. A platform that encrypts content at rest, applies a short retention window to operational metadata, and offers contractual no-training commitments will have an easier time — though no guarantee, because no appellate court has spoken yet.

This is why we think about privacy as infrastructure, not as a feature toggle. At Selina, content is encrypted, files and transfers via SelinaSEND are end-to-end encrypted, and we route requests through a stack of frontier models per task. But we are honest about the limits: memory is NOT end-to-end encrypted — a slice of each request reaches a frontier provider at inference. Non-content operational metadata is kept for a short retention window, not discarded instantly. The account is protected, not encrypted in its entirety. These are real architectural constraints. Stating them plainly is part of how we build trust — and, now, part of how a court might evaluate whether a user's expectation of confidentiality was reasonable.

Not entirely. Encryption solves a technical problem — preventing unauthorized access to data at rest and in transit. The legal problem is different: it asks whether the relationship between the user and the platform supports confidentiality. Encryption helps. Contractual commitments help. Short retention windows help. But the legal analysis also considers whether the user took reasonable steps to maintain confidentiality — which includes reading the terms of service, using enterprise rather than personal accounts, and not sharing outputs carelessly.

No single architectural choice is a silver bullet. The courts are looking at the whole picture.

What Happens When an Appellate Court Finally Rules?

It depends on which appellate court and which facts. But the first appellate decision will likely set the terms for every subsequent one — establishing whether the Heppner framework (terms-of-service as confidentiality test) or the Tate/Assini framework (tool-use does not waive work-product protection) becomes the dominant approach.

Legal commentators have cautioned that the first appellate decision could reshuffle all existing threads. It could also narrow the question — for example, holding that work-product protection applies but only when the user can demonstrate specific contractual privacy guarantees from the platform. That kind of holding would make the platform's terms of service even more central to the analysis.

We do not know when this will happen. It could be months. It could be a year. In the meantime, every company using AI tools for litigation-adjacent work is operating in a genuine legal gray zone.

What Is the Emerging Consensus — If There Is One?

The emerging consensus is that the question was framed wrong from the start. Early AI discovery cases asked whether a chatbot is like a lawyer — whether attorney-client privilege attaches to a conversation with software. That framing mistakes a tool for a person. The better question, which the Texas and New York courts have now articulated, is whether sharing work product with a tool waives the protection that already existed.

This reframing matters. It shifts the analysis from "is the chatbot your attorney?" (no, obviously) to "did you do something that destroyed the confidentiality of your own work product?" (maybe, depending on how the tool handles your data). The second question is one that engineers and product designers can actually influence — by building systems where data handling supports, rather than undermines, a confidentiality argument.

This is now a multi-jurisdiction trend rather than an isolated split: federal courts in Michigan and Colorado, the Texas Business Court, and a New York trial court have all held that AI-assisted work product is not automatically waived. But Heppner still stands. And none of these decisions binds any appellate court.

What Does This Mean for Product Builders?

It means privacy engineering is now legal risk infrastructure — not a compliance checkbox. If courts are functionally auditing your platform's retention policies, training defaults, and contractual guarantees to decide whether a user's expectation of confidentiality was reasonable, then every product decision about data handling has downstream legal consequences for your users.

That includes:

None of this guarantees a favorable legal outcome for your users. But it shifts the odds. And in an environment where the law is genuinely unsettled, shifting the odds is what you have.

The Only Durable Protection

We will say it plainly: the only strategy that works regardless of how courts eventually rule is minimizing what sensitive data reaches a public model in the first place. If privileged information never enters a system whose terms of service allow logging, training, and disclosure, then the Heppner analysis never applies — because there is nothing for the court to compel.

This is not a call to stop using AI. It is a call to use it with the same care you would apply to any system that handles sensitive data. Read the terms. Check the retention policy. Use enterprise accounts, not personal ones. Document who directed the session and why. And choose tools whose architecture you can defend in front of a judge — even if you hope you never have to.

If you want an AI assistant built around these constraints — content encrypted at rest, files and transfers end-to-end encrypted via SelinaSEND, a short retention window for operational metadata, no training on your inputs, and routing through a stack of frontier models per task — start a free 7-day trial — no card required.

Frequently Asked Questions

What did Judge Rakoff rule in the Heppner case?

In February 2026, Judge Rakoff ruled that 31 documents a defendant created using a consumer AI chatbot were not protected by attorney-client privilege or work product, largely because the platform's terms of service allowed logging, training on inputs, and third-party disclosure. As a result, the documents were turned over to prosecutors.

How did the Texas and New York courts differ from the Heppner ruling?

On June 3 and 4, 2026, Texas and New York courts held that using a consumer AI chatbot does not automatically waive work-product protection, directly breaking with Heppner's framework. However, both courts still imposed limits, such as requiring disclosure of what materials were shared with the tool or warning about proper verification of AI-assisted filings.

Is this legal question now settled?

No, all four key rulings (Heppner, Tate, Assini, and a Michigan federal case) are trial-court decisions with no appellate authority behind them. The law remains genuinely unsettled, and an appellate ruling could reshape the entire landscape.

What is the key factor courts are actually focusing on across these cases?

The real variable is not jurisdiction but the platform's confidentiality architecture—its terms of service, retention policies, and training defaults—which determines whether a user had a reasonable expectation of privacy. This means a vendor's privacy policy has effectively become a litigation input.

What practical steps can reduce risk when using AI chatbots for legal or sensitive work?

The article suggests minimizing sensitive data sent to public models regardless of how courts rule, and establishing a 'lawyer-in-the-loop' process where AI use is documented as attorney-directed rather than initiated independently by a client. Provenance logging—tracking who initiated a session and under what data-handling terms—can help demonstrate that work was conducted under privilege.

Sources & References

Michael C.

Michael C.

Founder & Principal Engineer, Selina Labs

Michael builds Selina, a privacy-first AI that remembers you across conversations. He ships security-sensitive AI in production — real attacks, real fixes, measured in minutes and dollars — and writes about privacy, security, and LLMs from that seat. Top Rated Plus and expert-verified on Upwork.