Article Highlights
- A recent federal court case, United States v. Heppner, established that information entered into AI tools like Claude is considered shared with a third party, meaning it carries no legal protection or confidentiality.
- This precedent has direct implications for nonprofit HR teams, who routinely handle sensitive employee information they are legally required to keep confidential.
- HR professionals who feed sensitive data into AI chatbots, even for routine analytical tasks, may be inadvertently violating confidentiality obligations and creating exposure for costly litigation.
- The widespread integration of AI into major workplace platforms has created a low-friction environment where the risks of oversharing are easy to overlook.
- Nonprofits can reduce their exposure by creating a clear AI usage policy, auditing how their teams currently use these tools, and establishing documentation and reporting processes for ongoing oversight.
AI is an ever-present topic in the modern workplace, and its popularity as an automation, research, coding, and analytical tool is well-documented. To nonprofits and mission-driven orgs, AI offers some hard-to-resist benefits, as it has the potential to greatly reduce the resource and time burdens of repetitive tasks and it can make individual contributors and teams much more productive. This is especially true in HR, where AI has changed the way organizations recruit, support, and retain team members.
The LLM-powered chatbots behind many AI tools and services occupy a new category in workplace tooling and data management, and this can create some potential legal risks for HR professionals or others who handle sensitive or confidential information. A recent New York court case set a new legal precedent for AI use that could significantly impact the way HR professionals and teams utilize these tools. United States v. Heppner called into question whether inputting sensitive data into AI constituted a legally protected use of classified data.
Here’s what happened in the case, how it could impact nonprofit HR teams, and what steps you can take to protect yourself from risk:
No Client-AI Privilege
United States v. Heppner was a fraud case that involved the use of AI prompts as evidence. The defendant, without the advice of his attorney, fed information about his prior grand jury indictment into Claude, Anthropic’s LLM, in order to ask it for legal advice. After his home was raided, investigators used the prompts and information fed into Claude as evidence against him.
The defendant asserted that the prompts and information were protected by attorney-client privilege, which makes them confidential and not permissible as evidence, but the judge disagreed. Because Claude was a 3rd party service and not a legal professional, it was unprotected. The ruling in the case is significant because it sets a precedent that any data which an AI processes can be used as evidence in an investigation or trial. Based on this precedent, anything shared with an AI tool like Claude is being shared with a 3rd party, which waives any right to confidentiality.
What This Means For HR
Although this decision is from a criminal case and could be extended to any use of public AI tools, it is particularly relevant to HR teams because they regularly deal with sensitive information that they are legally bound to keep confidential. They could also inadvertently create risks for costly litigation, as their prompts can be used as evidence of discrimination or a violation of confidentiality.
There has been concerted pressure on workers and managers at every level to identify new uses for AI in their workflows. An HR professional who has been encouraged to use AI as a research and analysis tool might query a chatbot about something sensitive, which would mean that it is being revealed to a third party and thus is no longer confidential.
For example, someone who files a harassment complaint does so with the expectation of confidentiality. If the HR team member who handled the complaint prompts an AI tool with information about it, for example, feeling the details into the tool and asking for a report on the risks, that would constitute a legal violation of that person’s confidentiality.
That the chatbots are present in most large-scale platforms has created a low-friction environment where users feel comfortable disclosing even highly personal and sensitive information. The risk is the same in HR, where the use of certain third party tools is considered identical to sharing that information with a person outside of the organization.
What You Can Do to Avoid These Risks
There are a number of proactive steps you can take to prevent your teams from putting sensitive data and the organization at risk:
Create an AI usage policy that forbids using it with sensitive or legal data
How you do this will depend on the ways your HR team uses AI tools, but generally you can train your team to ask whether a datapoint is sensitive or confidential before they input it into a chatbot or other LLM-powered tool.
Assess what your teams are doing with AI
The huge expansion of AI agents, tools, harnesses, and capabilities means that your HR org might be using it for everything from recruiting and hiring to PTO approval to generating reports on project progress. In order to control the flow of data, you can develop a list of AI tools and encourage your team and managers to report on any new methods or uses for them.
Determine which workflows deal with sensitive data
Once you have a clear idea of what your teams are using, you can break down their various HR tasks and see where they overlap with AI tools. Any overlapping areas should first be assessed in terms of how much value the AI offers. Is it an indispensable tool, and if so, what can you do to support teams handling sensitive data in a compliant way?
Create an AI policy that requires your team to document and report on usage
As you train your team to reconsider their AI usage, you can also create a program to document the various uses of these tools and a reporting mechanism so that your HR team can keep track of any new tools or methods they are experimenting with. This can give you insight into where you might be at risk, and it allows you to coordinate with your legal team and consultants about what is or is not a safe practice.
The legal landscape around AI is still taking shape, but United States v. Heppner makes one thing clear: the way your HR team uses these tools today could have real legal consequences tomorrow. Nonprofits that take the time now to assess their AI workflows, define clear usage boundaries, and build accountability into the process will be far better positioned to take advantage of what AI offers without putting their organization or the people they serve at risk.
About Us
For more than 40 years, 501(c) Services has been a leader in offering solutions for unemployment costs, claims management, and HR support to nonprofit organizations. Two of our most popular programs are the 501(c) Agencies Trust and 501(c) HR Services. We understand the importance of compliance and accuracy and are committed to providing our clients with customized plans that fit their needs.
Contact us today to see if your organization could benefit from our services.
Are you already working with us and need assistance with an HR or unemployment issue? Contact us here.
The information contained in this article is not a substitute for legal advice or counsel and has been pulled from multiple sources.
(Images by User21016237 and EasyEdit1)
