You can use AI on real matters without risking privilege. Two quick checks before every paste are the whole habit.
After this, you'll be able to explain attorney-client privilege and the duty of confidentiality in plain words, name the three things about AI tools that can break them, and run a two-part safety check before you paste anything.
Before you start
Complete What AI genuinely does for legal work first; that lesson sets the verify-before-you-trust habit, and this one adds the rule that protects your client before you even hit send.
The idea
You can use AI on real client matters without ever putting privilege at risk. The whole habit is two quick checks before you paste, and this lesson makes them automatic. If your instinct is "my client's data is too sensitive to ever touch one of these tools," that instinct is half right: the wrong tool genuinely can cost a client their privilege, which is exactly why this sounds scary. The fix is not to avoid AI. It is to know which tool is safe and what to strip out, so you get the speed without the exposure.
Start with why the risk is real, because the two checks only make sense once you see what they protect.
Two protections are in play. Attorney-client privilege is the rule that confidential communications between a lawyer and their client, made to get or give legal advice, cannot be forced out of you in court. The separate duty of confidentiality is your broader ethical obligation to keep everything about a client's matter private, not just courtroom-protected communications.
Both rest on the same fragile thing: the information staying private. Work product (your private legal analysis, notes, and strategy prepared for a matter) gets similar protection, and it rests on the same foundation. Hand the information to an uninvolved outsider carelessly, and you can waive the protection, meaning you lose it.
Here is what actually breaks them when you use AI. Three things, and they are all about where your words go after you hit send.
First, third-party disclosure: a consumer AI tool is an outside company. Typing privileged facts into it can count as sharing them with a stranger, which is the classic way privilege is waived. In United States v. Heppner, a court found, among other grounds, that because the tool's privacy policy allowed data retention and disclosure to third parties, putting the information in was a disclosure to an outsider that waived confidentiality, so the chats were not privileged.
Second, training on your data: many free public tools reuse what you type to improve the model. Your client's contract terms could resurface, in pieces, in someone else's answer. Third, retention: even tools that do not train on your input may store it on their servers, where it can be subpoenaed or breached.
Now run the safe-use rules. De-identify first: de-identify means strip out anything that could point to the client (names, addresses, case numbers, account numbers, distinctive facts) so the text cannot be traced back. For anything that has to stay client-identifiable, ABA Formal Opinion 512 requires the client's informed consent before you put it into a self-learning AI tool (one that can reuse your input in a later answer), and that consent has to come from a real explanation of the risk, not a boilerplate line buried in an engagement letter. On tools, keep it simple: treat any consumer tool as unsafe for client data, full stop, because you cannot reliably adjudicate its ambiguous terms; the safe choice is a firm-approved enterprise tool with zero data retention (the vendor deletes your input right after answering and never trains on it) under a signed data processing agreement, and always check your firm's AI policy for which tools are allowed.
| Consumer tool | Approved enterprise tool | |
|---|---|---|
| Your input | May be stored on their servers | Deleted right after answering |
| Trains on it | Often yes, on free tiers | No, never |
| The terms | Ambiguous, you cannot reliably adjudicate them | Written zero data retention under a signed agreement |
| Safe for client data | No, treat it as unsafe, full stop | Yes, if your firm has approved it |
Always check your firm's AI policy. A safe tool fed identifying data still exposes the client, so de-identify too.
The point is not to fear AI. It is to know that a single careless paste can cost a client their privilege, and that two quick checks prevent it. Before you paste anything: confirm your tool's data terms, and confirm nothing client-identifying is going in.
Try it (17 min)
Watch out for
Paste this into Claude
This exercise is a check you run on yourself and your tool, not a prompt you paste client data into. Do NOT paste any real client information during this drill. Step 1, check the tool. Open the AI tool you are most likely to reach for. Find its terms of service or privacy/data settings and answer these in writing: - Does it say it uses your inputs to train its model? (Yes / No / Cannot tell) - Does it retain your inputs, and for how long? (Look for "zero data retention" or "we delete after processing.") - Is this tool on your firm's approved-tool list, or have you never checked? (Approved / Not approved / No policy I know of) Step 2, practice de-identifying. Take a short, made-up matter summary (invent one, no real client) such as: "Acme Corp is suing our client Jane Smith over a $2M unpaid invoice dated March 3." Rewrite it with every identifier removed: "A company is suing an individual over an unpaid invoice in the low seven figures." Step 3, paste only the de-identified version and ask a general legal question about it (for example, "What defenses are commonly raised against this kind of claim?"). Notice that you got a useful answer without revealing who the client is.
What good looks like
Go deeper (8 min)
Paste this into Claude
Write your personal "paste gate," a two-line rule you read before entering anything into an AI tool at work. Fill in the blanks for your own situation: "Before I paste, I confirm: 1. This tool is [approved by my firm / has zero data retention in writing / neither, so I will not paste client data]. 2. Nothing in what I am pasting can identify the client: no names, no case numbers, no account numbers, no distinctive facts. If I cannot remove an identifier and still get a useful answer, I do not paste." Then sanity-check it: ask your AI tool, "Read these two rules and tell me one realistic situation where a busy lawyer might break rule 2 without noticing." Use its answer to tighten your own habit.
What good looks like
When this breaks
You can now
Before entering anything into an AI tool, confirm two things out loud: the tool's data terms (approved or written zero data retention) and that nothing client-identifying is in what you are about to paste. If you can confirm only one of the two, that is the signal to stop: a safe tool fed identifying data still risks the client, and a de-identified paste into an unvetted tool still ships your words to an outside server, so both checks must pass before you paste, and a qualified human still reviews whatever comes back.
Key takeaways
Attorney-client privilege and the duty of confidentiality both depend on client information staying private. Pasting it into the wrong AI tool can waive that protection through disclosure, training, or retention. De-identify, use an approved zero-retention tool, and check your firm's policy before you paste. With that protection locked in, the next lesson stands up your first real AI assistant end to end, so your first genuine win never costs a client.