The seismic impact of the Artificial Intelligence (AI) rollout reverberates across all sectors, as AI companies promise that their tools will assume the drudge work, allowing workers to focus on higher level tasks, while saving time and creating efficiencies leading to cost savings, productivity, and profits.
The legal profession is no exception and has seen widespread adoption of these tools into the legal landscape, by practicing attorneys, pro se litigants, and the judiciary itself. As utilization increases, there is an exponential increase in factors that now must be considered.
High-profile cases involve the output of these tools: legal errors and factual inaccuracies asserted in court filings as true. Myriad decisions now contemplate the sanctions appropriate in such cases. However, we must also consider how AI technology impacts the doctrines of attorney-client privilege and protected work product. If sanctions and monetary fines do not persuade attorneys from exercising rigorous oversight of AI output, then perhaps waiver of privilege will. However, if broad waiver of protection is found via use of AI tools, such precedent could arguably be applied to all uses of commercial internet services, potentially undermining decades of legal precedent regarding the expectation of privacy online.
The attorney-client privilege protects confidential communications between client and attorney, made for the purpose of ultimately conveying legal advice. The privilege is intended to promote open communication between client and counsel. None of the cases below found an attorney-client relationship to exist where a party shares information with an AI. A third-party AI tool is definitively not an attorney and thus fails to satisfy the first prong of the privilege test. Separately, the work-product doctrine protects confidential materials prepared in anticipation of litigation and is intended to ensure that a party’s legal strategies, legal analysis, and initial impressions are not later used against that party. A key requirement of both the work-product and the attorney-client privilege doctrines is that the material in question be confidential.
A primary concern among attorneys at the outset of the AI rollout was whether the use of such tools could be considered confidential, given that they involve sharing data over the internet, and that data may be used to train the AI model going forward. An important distinction arose early on between “open” AI models and “closed” AI models, where open models were free to use online, with the understanding that data fed to the model would be used to train the model, but closed models segregated user data from training data and provided greater privacy, usually at the cost of a subscription or enterprise contract.
Recent cases in the Southern District of New York, the District of Colorado, and the Eastern District of Michigan all considered whether AI generated documents are protected work product.
United States v. Heppner is a criminal case from the Southern District of New York. The defendant was charged with securities fraud and, prior to his arrest and after obtaining counsel, queried the AI platform Claude regarding the government’s investigation. Defendant asserted privilege claims over the generated documents, and the government moved to compel production, asserting that the material could not be privileged.
The court found that the queries did not constitute work-product, focusing on the fact that defendant had used the tool without telling his attorney and noting that the Second Circuit consistently emphasized that the work-product doctrine is intended to protect the mental processes and impressions of counsel. Therefore, it may not have mattered to the court that the queries were made on a free to use “open” AI tool, only that the queries were not made under the direction of counsel. The court could have reached the same conclusion based on the Claude user agreement language plainly stating that tool input would be both disclosed to third parties and used for training. The input was not confidential; therefore, it could not be confidential work-product. However, the next cases illustrate how that argument may be viewed with skepticism going forward.
In the civil case Warner v. Gilbarco, the Eastern District of Michigan considered the application of work production doctrine to a pro se plaintiff’s use of generative AI tools, finding that the input and output were protected work-product in anticipation of litigation As a pro se plaintiff, the question of whether or not the AI queries were made at the direction of counsel was moot, and while plaintiff did employ the free-to-use commercial non-enterprise version of the ChatGPT tool for the queries, the court noted that any disclosure of confidential information in this case was made to a third party, the AI provider, and not to an adversarial party. The court emphasized the distinction between work product and attorney-client privilege in this regard; where the “mere showing of a voluntary disclosure” to an unrelated third party, while sufficient to waive attorney-client privilege, does not rise to waiver of work-product.
Morgan v. V2X, another civil case involving a pro se plaintiff in the District of Colorado, again considered whether work-product protections apply to AI tools generally.
Finding that under the Federal Rules of Civil Procedure 26(b), a pro se litigant’s work product was clearly protected because the rule language contemplates “work-product” of both counsel and party, the court distinguished Heppner on the basis that, as a criminal case, the Federal Rules of Civil Procedure were inapplicable, and because in Heppner, the defendant was represented by counsel but chose to work separately and apart from them. The court also referenced the Warner v. Gilbarco case and reiterated that the use of free commercial AI platforms, which collect user data and train their models from that data, does not preclude the expectation of privacy or waive work product protections. The court acknowledged that AI tools are distinct from other online tools, a unique concern being “training data”, and entered a revised confidentiality stipulation addressing those issues. Specifically, an AI tool must not 1) store or use inputs to train the model, 2) disclose inputs to any third party, and 3) the tool must allow the user to delete all data from the platform upon request.
Taken together, these cases appear to support the idea that use of AI tools does not necessarily waive work product protection, whether they are closed or open systems, so long as the queries to the AI tool are done at the direction of counsel, and certain safeguards are considered.
Attorneys need to be aware of how their clients are using these tools and provide guidance accordingly.