News

WMHW Alert: AI, Emails, and Attorney-Client Privilege

By Daniel J. Chirlin and Sarah G. DeYoung

When an attorney represents an employee whose company is under investigation, the attorney will often direct the client to email counsel from the client’s personal email, not the client’s company email address.  Lawyers are habitually mindful of avoiding possible waiver of the attorney-client privilege; a genuine risk due to many company email monitoring policies.[1]  But, as generative artificial intelligence (“AI”) tools increasingly occupy every aspect of our world, a new potential risk arises:  inadvertent waiver of privileged communications by allowing AI tools to access personal emails.  This Alert discusses this risk and how to mitigate it.

Attorney-Client Privilege and Email

An individual who uses a monitored company email account may waive the attorney-client privilege even if she subjectively intends for the emails to remain confidential, if that intent is not objectively reasonable.[2]  In In re Asia Global Crossing, Ltd., the United States Bankruptcy Court for the Southern District of New York formulated a widely adopted test to determine when an employee’s expectation of privacy in his company email is objectively reasonable:

(1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee’s computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?[3]

While courts are largely silent on whether granting an AI tool access to attorney-client emails would waive privilege, applying the Asia Global Crossing test, a court would examine whether the client’s expectation of confidentiality was objectively reasonable.[4]  As discussed below, a court may find it unreasonable to expect information shared with an AI platform to remain confidential.

AI, Privacy, and Email Platforms

AI tools analyze and learn from large volumes of data to generate new text and media.  By design, AI tools regurgitate information gathered from their data sources, which—if one is not careful—can include otherwise privileged and confidential information.[5]  Although businesses and law firms have begun using private AI tools—where data fed into the models remains private—popular publicly available AI tools maintain data in their common knowledge libraries and may expose that information to other users.[6]

In November 2025, several reputable news sources began reporting that a popular search engine had begun to allow its AI tool to learn from its users’ personal email accounts and chat messages.[7]  That is, the tool would ingest these emails and chats into its knowledge library to assist the tool with generating more responsive answers to search queries.  The search engine company denied the reports, asserting that its AI program does not train itself with emails and that users must select email as a source from the AI model’s menu to incorporate emails into the AI research function.[8]

But even if the reports were wrong, the day that emails begin to be swept into the voracious maws of these AI tools quickly approaches.  And this specter means that attorneys and clients need to begin thinking now about how to mitigate disclosure risks.  The Asia Global Crossing framework guidance suggests that courts will be influenced by whether the client knew or should have known that her emails were being incorporated into an AI tool’s public library.[9]  Given the popular media coverage of the privacy risks inherent in using public AI platforms, a court may find that it would be objectively unreasonable to expect to maintain confidentiality over emails that were shared with a public AI tool.

Thankfully, there are several practical ways to mitigate this risk:  (1) do not grant public AI tools access to your personal emails when communicating with counsel; (2) ensure that your personal email account does not require you to opt out of sharing emails and chats with an AI tool; (3) if possible, use a personal email account that has no relationship or affiliation with an AI tool; and (4) think very carefully before uploading any emails with counsel into a public AI tool (to, for example, create a summary of the communication).  And finally, always be mindful that your subjective expectation of privacy is insufficient for a court to find that the attorney-client privilege applies, as the expectation must be objectively reasonable.

Contact:  Daniel J. Chirlin; dchirlin@wmhwlaw.com | Sarah G. DeYoung; sdeyoung@wmhwlaw.com

Disclaimer:

These materials contain attorney advertising.  Prior results do not guarantee a similar outcome and results depend upon a variety of factors unique to each circumstance.  WMHW provides this information as a service to clients and other friends for educational purposes only.  It should not be construed or relied on as legal advice, or to create a lawyer-client relationship.  Readers should not act upon this information without seeking advice from professional advisers.

[1] United States v. Finazzo, 682 F. App’x 6, at *16 (2d Cir. 2017) (defendant waived attorney-client privilege as to email sent using company email address when defendant signed acknowledgment that he was familiar with company’s policies, which stated that employees had no expectation of privacy in company email and that company may monitor and access company email).

[2] 1 Attorney-Client Privilege in the U.S. § 5:20.

[3] 322 B.R. 247, 257 (Bankr. S.D.N.Y. 2005).

[4] Courts have considered when AI prompts and documents prepared by AI are protected by the attorney work product doctrine and the attorney-client privilege.  In Tremblay v. OpenAI, Inc., Plaintiffs’ counsel used ChatGPT prompts to test whether OpenAI incorporated Plaintiffs’ copyrighted works into ChatGPT’s language learning model.  The Court ruled that the ChatGPT prompts were opinion attorney work product, and thus protected from disclosure, as the prompts were “queries crafted by counsel and contain[ed] counsel’s mental impressions and opinions.”  No. 23-CV-03223, 2024 WL 3748003, at *2 (N.D. Cal. Aug. 8, 2024).  Conversely, in United States v. Heppner, No. 25-CR-00503 (S.D.N.Y.), Judge Rakoff ruled from the bench that documents that a defendant prepared using an AI tool and then shared with his counsel were not protected by the attorney-client privilege or the work product doctrine.  See Pete Brush, AI Docs Sent By Exec To Attys Not Privileged, Judge Says, Law360 (Feb. 10, 2026), https://www.law360.com/articles/2440082?e_id=cdf75ea0-b3da-40f0-b962-24cc1453ae9e&utm_source=engagement-alerts&utm_medium=email&utm_campaign=recommended_articles&utm_content=2026-02-11&utm_marketing_tactic=5&utm_creative_format=8&read_main=1&nlsidx=0&nlaidx=2.

[5] Microsoft, How Does Generative AI Work?, Microsoft.com (last accessed, Feb. 13, 2025), https://www.microsoft.com/en-us/ai/ai-101/how-does-generative-ai-work; Lauren Leffer, Your Personal Information Is Probably Being Used to Train Generative AI Models, Scientific American (Oct. 19, 2023), https://www.scientificamerican.com/article/your-personal-information-is-probably-being-used-to-train-generative-ai-models/.

[6] Oliver Roberts, Legal AI Unfiltered: Legal Tech Execs Speak on Privacy and Security, Nat’l L. Rev. (Mar. 31, 2025), https://natlawreview.com/article/legal-ai-unfiltered-legal-tech-execs-speak-privacy-and-security; Siladitya Ray, Samsung Bans ChatGPT Among Employees After Sensitive Code Leak, Forbes (May 2, 2023), https://www.forbes.com/sites/siladityaray/2023/05/02/samsung-bans-chatgpt-and-other-chatbots-for-employees-after-sensitive-code-leak/.

[7] Anna Rascouët-Paz, Google AI Can Access Some Content from Gmail and Chats. Here’s How to Opt Uut, Snopes (Nov. 21, 2025), https://www.snopes.com/news/2025/11/21/google-ai-emails-chats/; Pieter Arntz, [Correction] Gmail Can Read Your Emails and Attachments to Power “Smart Features,” Malwarebytes.com (Nov. 20, 2025), https://www.malwarebytes.com/blog/news/2025/11/gmail-is-reading-your-emails-and-attachments-to-train-its-ai-unless-you-turn-it-off; see also Google, Gemini Deep Research Can Now Connect to Your Gmail, Docs, Drive and even Chat, Blog.Google.com (Nov. 5, 2025), https://blog.google/products/gemini/deep-research-workspace-app-integration/.

[8] Jay Peters, Google Denies “Misleading” Reports of Gmail Using Your Emails to Train AI, The Verge (Nov. 21, 2025), https://www.theverge.com/news/826902/gmail-ai-training-data-opt-out.

[9] While the Federal Rules of Evidence provide that an “inadvertent” disclosure does not waive the attorney-client privilege (so long as the client or potential client “took reasonable steps” to prevent the disclosure and “promptly took reasonable steps to rectify the error”), affirmatively uploading attorney-client communications to a public AI model would likely not qualify as an inadvertent disclosure.  Fed. R. Evid. 502(b).