BizTech Law Blog

After the United States of America v. Bradley Heppner decision in February of this year, businesses have been forced to reconsider their use of generative artificial intelligence (“AI”) in the workplace. Though the Heppner case before the United States District Court of the Southern District of New York (the “Court”) was in a criminal law context, the Court’s decision has created uncertainty regarding confidentiality and privilege expectations in a corporate setting, as well. For a deeper dive into the Heppner case, please see our previous article summarizing the case and discussing its implications at a high level: AI-Generated Documents | Why Public GenAI Use May Waive Attorney-Client Privilege | Foster Swift

What were the limitations of the Heppner decision?

The Court did not address whether a paid-for, enterprise-level, or non-public version of AI tools similar to OpenAI’s ChatGPT, Google’s Gemini, or Anthropic’s Claude would change the Court’s analysis in Heppner. In the case, the Court solely focused on the attorney-client privilege issue related to the defendant’s use of a consumer grade, publicly available AI platform that lacked express confidentiality covenants or contractual obligations to protect user communications. It remains an open question regarding whether the Court’s decision would be different if a person or business used an enterprise AI service that expressly agreed to preserve the confidentiality of user inputs and outputs.

Additionally, the Court found that the work product doctrine did not apply in the Heppner case because the AI documents that were deemed discoverable were ultimately not generated by or at the request of the defendant’s attorneys, nor did the contents of the materials reflect the defendant’s counsel’s strategy. Thus, the defendant was not acting as his counsel’s agent when he communicated with the relevant AI platform. Post-Heppner, it is uncertain whether the Court’s assessment of the work product doctrine issue would differ if the defendant’s attorney would have requested the defendant use an AI tool to generate documents in furtherance of a litigation strategy, essentially acting as the lawyer’s agent.

How can businesses fill the gaps in a risk-adverse way post-Heppner?

The Heppner decision underscores the need for caution when using AI, particularly for large organizations that may lack the capacity to closely monitor employee interactions with AI tools. The case further serves as a reminder that AI tools should not be relied upon to evaluate legal questions or to supplement or replace legal advice. However, in the wake of Heppner, businesses can take proactive measures to address these uncertainties and consider AI use in a new light. We discuss such options below.

(1) Should you use more caution with AI-automated meeting notes and summaries?

It has become an increasingly common practice for an AI note-taking app to join a Teams or Google Meet virtual meeting, or for a built-in AI tool to automatically take notes during a Zoom conference. Common AI transcription and note-taking tools you may be familiar with include Zoom’s AI Companion, Evernote’s AI Assistant, Fireflies.ai’s Fred, and Otter.ai’s OtterPilot, just to name a few.

Prior to the Heppner decision, you may not have considered automatic meeting notes and summaries to be considered legal work product, but after the Court’s decision in the Heppner case, it is worth evaluating both the confidentiality provisions of these AI tools and features, as well as the nature of the meetings conducted using them. For example, if high‑level employees participate in a Zoom call to discuss a complaint filed against the company and to propose potential strategies or next steps, notes generated by an AI tool such as Zoom’s AI Companion may create discoverable records that are not protected by the attorney‑client privilege or work‑product doctrine – even if those notes are later shared with company counsel.

In addition, automatic meeting notes and transcripts may not align with how organizations traditionally document meetings. Demonstratively, formal meeting minutes are often prepared with deliberation, precise language, context, and legal sensitivity in mind, while AI‑generated summaries may capture incomplete discussions, tentative statements, inaccuracies, or off‑the‑cuff remarks that were never intended to be memorialized. In some cases, automated notes may conflict with or undermine official minutes, creating multiple, inconsistent records of the same meeting and increasing the risk of confusion or adverse interpretation if those materials are later reviewed in litigation or an investigation.

As a result, businesses should give careful consideration to the risks associated with automated meeting transcription tools. Automatic meeting notes and summaries may create unintended records or records that conflict with official meeting minutes, internal memoranda, or counsel‑prepared work product, increasing the risk of confusion, inconsistency, or discovery exposure in the event of litigation or regulatory scrutiny.

(2) How can you ensure an AI tool or platform vendor will protect your confidential information?

Providers of AI tools vary regarding their confidentiality practices, how end‑user information is handled, and whether user inputs are retained or used to further develop or train the underlying models that power AI features. Before authorizing any AI tool for use by company personnel, it is critical to perform diligence regarding the provider and thoroughly review the contractual terms governing that relationship.

In particular, businesses should closely examine vendor agreements, terms of service, and privacy policies to understand how data is collected, stored, accessed, shared, and retained. Key considerations include whether user inputs are treated as confidential, how user inputs may be reviewed by the vendor or their third parties service providers, how long data is retained, and whether information submitted through the tool may be used for model training or improvement. These provisions can vary significantly across platforms and may change over time (especially in the case of terms of service or use and privacy policies), making periodic reassessment advisable.

Beyond contract review, performing reasonable diligence on AI vendors is equally important. This may include evaluating the vendor’s stated security practices, data‑segregation commitments, audit rights, incident‑response obligations, and limitations on downstream data use. Without this diligence, companies risk unknowingly exposing sensitive business information, internal deliberations, or legally significant communications to third‑party platforms in ways that may be inconsistent with their confidentiality obligations or litigation‑risk tolerance.

(3) Why is establishing a clear AI Use Policy for your business so imperative after the Heppner case?

An AI Use Policy offers explicit guidance to your organization’s employees regarding AI use, clearly communicating to them how they may utilize public or private third‑party AI tools in the workplace. A written AI Use Policy helps set clear expectations, reduce ambiguity, and demonstrate that your business is taking reasonable steps to govern AI use responsibly, so employees do not expose sensitive company information, undermine confidentiality, or create discoverable records that your business never intended to exist.

At a minimum, an effective AI Use Policy should define the types of work that are prohibited from being performed using AI tools. In light of the Court’s decision in the Heppner case, this may include, for example, analyzing legal claims, drafting or evaluating legal strategy, summarizing communications involving outside counsel, or inputting information related to active disputes, internal investigations, or regulatory matters. An AI Use Policy may also address whether AI-generated meeting notes, summaries, or transcribers may be enabled during sensitive meetings and clarify when such features must be disabled. Equally important, an AI Use Policy may provide organizations with a mechanism to align employee behavior with the company’s contractual commitments, confidentiality obligations, and document‑retention practices.

By drawing these boundaries in advance through an AI Use Policy, businesses can limit inadvertent privilege waivers and reduce the risk of inconsistent or unintended records being created through AI tools.

(4) How can you train your employees on your business’ AI-related policies and procedures?

Even the most carefully drafted policy is only effective if employees understand and follow it. Whether your organization is discussing an AI Use Policy, Cybersecurity Policy, Data Retention Policy, or other technology-related policy, training plays a central role in mitigating AI‑related risks. Employees should be educated not only on what company policies say, but also on why the rules or guidelines for their use exist. In the AI context, discussing the legal and confidentiality implications of using AI tools in connection with sensitive business matters is crucial communication for your organization’s team.

Training programs should explain, in practical terms, how AI tools function, what happens to information entered into them, and how certain features can create permanent company records. Employees should understand that AI‑generated outputs may not be protected as privileged or confidential, and that informal experimentation with AI tools can carry consequences far beyond convenience or efficiency.

Ongoing training is particularly important as AI tools continue to adapt and evolve. Businesses should periodically revisit AI training as part of broader compliance or technology‑use education and clearly communicate any updates to policies or approved tools to their employees.

For more information regarding how you can assess AI‑related legal risks or develop best practices in this rapidly evolving area post-Heppner, please connect with us via the following contact information:

• Taylor Gast...517.371.8238...tgast@fosterswift.com
• Lindsey Mead…517.371.8326...lmead@fosterswift.com