Heppner Ruling Meets Project Deal Privilege When Agents Talk

On February 17, 2026, SDNY Judge Jed Rakoff ruled in *United States v. Heppner* that written exchanges between criminal defendant Bradley Heppner and consumer Claude were not protected by attorney-client privilege or work-product doctrine. (read the full Heppner explainer) Two months later, Anthropic ran Project Deal: 69 employees, $100 budgets, 186 completed agent-to-agent transactions. Every one of those transactions generated a written record. Under Heppner's reasoning, none of those records carry privilege. They're discoverable. For corporate principals deploying agents in 2026, that's a documentation explosion in any future litigation. Here's the privilege architecture firms need to draft against the Heppner-meets-Project-Deal gap.

What Heppner held: the doctrinal building blocks

Judge Rakoff's February 17, 2026 ruling addressed two questions: whether written exchanges between Heppner and consumer Claude carried attorney-client privilege, and whether the same exchanges qualified as work product.

On privilege: the court held no. Attorney-client privilege requires communication with an attorney for the purpose of legal advice. Claude is not an attorney. The exchanges therefore fall outside the privilege framework regardless of subject matter or intent.

On work product: the court held no. Work-product doctrine protects materials prepared by an attorney or at an attorney's direction in anticipation of litigation. Heppner generated the materials independently of counsel direction. They were not prepared by an attorney or at counsel's behest. Work product doesn't attach.

The ruling was characterized as a "question of first impression nationwide." Other federal courts will face the same question. The reasoning is reproducible: privilege requires an attorney, work product requires attorney direction, and consumer AI tools satisfy neither when used directly by a lay party.

The second-order point: enterprise deployments via Team plans, the API, AWS Bedrock, Vertex AI, or Microsoft Foundry don't automatically change this analysis. The privilege framework hinges on attorney involvement, not deployment surface. Enterprise tiers carry stronger data-handling commitments (Anthropic doesn't train on Team or Enterprise inputs), but data-handling protections aren't the same as privilege.

How Heppner generalizes to Project Deal

Heppner involved a defendant using consumer Claude to generate defense strategy materials. Project Deal involves principals deploying agents to transact. Different fact patterns. Same doctrinal core.

Under Heppner's reasoning, every Project Deal-style agent transaction generates discoverable written records. The records include: prompts the principal fed the agent (containing strategic preferences, walk-away points, internal cost basis); responses the agent generated (containing reasoning chains and decision rationales); negotiation logs between buyer and seller agents (containing offer-counteroffer history and concession patterns); dispute resolution exchanges (containing counterparty positions and resolution logic).

None of these records carry attorney-client privilege under Heppner's framework, because no attorney was party to the communication. None qualify as work product unless an attorney directed their creation, and most agent transactions happen at scale precisely because attorney direction isn't per-transaction.

The second-order implication: in any litigation arising from agent transactions, plaintiffs will subpoena the full agent transcript. The principal's confidential commercial information sits in those transcripts unprotected. That's a different exposure profile than human-agent representation, where attorney-client privilege provides a shield over strategy discussions.

The third-order implication: insurance carriers writing cyber liability and commercial general liability for agent deployments will start asking about privilege architecture in 2027 underwriting. Firms with documented privilege segregation will pay materially less than firms that wing it.

Privilege architecture: segregating attorney-involved from non-attorney transactions

The defensible privilege architecture for Project Deal-style flows segregates two categories: attorney-involved transactions where privilege might attach, and non-attorney transactions where it cannot.

Attorney-involved category. When the supervising attorney is directly engaged in a transaction (reviewing a high-value deal, advising on a novel counterparty, escalating a dispute), the attorney's role can support privilege over attorney-client communications and work-product protection over attorney-directed materials. The engagement letter should specify which transactions trigger attorney involvement and document the attorney's role contemporaneously.

Non-attorney category. Routine agent-mediated transactions where no attorney is involved. Per Heppner, these generate discoverable records without privilege. The engagement letter should acknowledge this and address: what information the principal feeds the agent (avoid embedding privileged communications), retention policy for non-privileged transcripts, segregation from attorney-involved transcripts, and disclosure obligations to counterparties when applicable.

The segregation requires architecture, not just policy. Audit logs need to identify which transactions involved attorney engagement. Retention policies need to differentiate privileged from non-privileged records. Access controls need to prevent privileged-record commingling.

The practical execution: deployment surface decisions matter. Consumer Claude has limited segregation infrastructure. Enterprise Claude Team admin controls support better segregation but require configuration. AWS Bedrock and Microsoft Foundry inherit cloud-provider audit infrastructure that supports more granular controls. The agent supervision rules deep-dive covers the engagement-letter language for the segregation architecture.

Discoverability: what subpoenas will demand

In any litigation arising from agent transactions, plaintiffs and regulators will subpoena the full transcript stack. Anticipating the subpoena scope helps firms draft retention and access policies that don't expand the discoverable surface unnecessarily.

The expected subpoena categories:

- Per-transaction prompt-response logs. The full conversation between principal and agent, plus agent and counterparty agent. - Authority envelope configuration. The principal's deployment settings: transaction caps, item categories, escalation triggers. - Audit logs. Timestamps, deployment surface metadata, model version, decision rationale flags. - Escalation records. When and why the agent escalated to human review, who reviewed, what action followed. - Counterparty interaction records. The full back-and-forth between agents on opposite sides of transactions.

For a corporate defendant, that's a massive document production. The defensive move is to limit retention to the period required for operational and audit purposes, document a retention-deletion schedule in writing, and follow it consistently. Selective retention triggers spoliation concerns. Consistent retention plus deletion follows established document-retention doctrine.

The second-order issue: cross-border discovery. EU GDPR-compliant deployments require data-subject access rights and erasure rights that conflict with US litigation hold obligations. Firms supervising cross-border agent flows need a documented protocol for handling the conflict. Most firms don't have one yet.

Cross-cluster bridge: enterprise Claude vs consumer Claude post-Heppner

Cluster 10's spoke on Heppner-meets-enterprise-Claude covers the deployment-surface decision for privilege defense generally. For Project Deal-style flows specifically, the analysis converges on the same point: enterprise deployment surfaces support stronger data handling, audit infrastructure, and segregation architecture, but they don't automatically create privilege.

The deployment-surface decision matrix:

- Consumer Claude (Pro, Max). Limited admin controls, limited audit infrastructure. Per Heppner, no privilege over communications. Suitable for low-stakes individual research, not for agent deployments handling commercial transactions. - Claude Team ($25/seat/month per pricing.csv). Admin controls, organization-level data-handling commitments (Anthropic does not train on Team inputs), basic audit infrastructure. Suitable for agent deployments where attorney involvement is segregated and audit logs are maintained. - Claude Enterprise. Custom contract terms, advanced security/compliance, granular admin controls, full audit infrastructure. Suitable for regulated-industry agent deployments where retention, access, and disclosure obligations are stringent. - Claude API. Direct integration, $5/M input + $25/M output token pricing per Anthropic's pricing page, full programmatic audit access. Suitable for firms building internal supervision tooling. - AWS Bedrock, Vertex AI, Microsoft Foundry. Cloud-provider deployment surfaces inheriting the provider's audit infrastructure, data residency, and compliance posture. Suitable for firms with existing cloud commitments and matching audit requirements.

None of these surfaces creates privilege over agent communications. They create varying levels of data-handling protection, audit capability, and segregation infrastructure. The privilege gap survives the surface choice. The engagement letter has to do the privilege work.

What firms should write into engagement letters now

Firms drafting agent-supervision engagement letters in light of Heppner-meets-Project-Deal should specify five privilege-related provisions:

1. Acknowledgment of the privilege gap. The principal acknowledges that agent-mediated transactions generate records without attorney-client privilege under current case law (citing Heppner). Records may be subject to discovery in future litigation.

2. Segregation architecture. The engagement specifies which transactions trigger attorney involvement (creating potential privilege over attorney-involved communications) and which proceed without attorney involvement. Audit logs differentiate. Retention policies differentiate. Access controls prevent commingling.

3. Information-handling protocol. The principal commits to avoiding embedding privileged communications in routine agent prompts. Privileged material flows through attorney-involved channels separately.

4. Retention and deletion schedule. Specified retention period for non-privileged transcripts (typically 90 days for commercial transactions, longer for regulated industries). Deletion follows the schedule consistently. Selective retention is avoided.

5. Cross-border protocol. For multi-jurisdictional flows, the engagement specifies how the principal will handle conflicts between US litigation hold obligations and foreign data-protection rights (GDPR erasure, etc.).

These provisions don't create privilege where Heppner says none exists. They establish a defensible record of the principal's information-handling architecture, which matters in any future spoliation analysis or sanctions inquiry. See the legal frameworks gap analysis for the full template stack.

The Bottom Line: My take: Heppner's reasoning generalizes to every Project Deal-style transaction record. No privilege over agent communications. No work product without attorney direction. Enterprise deployment surfaces strengthen data handling but don't bridge the privilege gap. Firms drafting engagement letters now should segregate attorney-involved from non-attorney transactions, specify retention schedules, and document the architecture. The supervising attorney's defensible record is the engagement letter plus the audit log, not a privilege claim that won't hold.