In today’s digital landscape, the rise of generative AI tools has introduced new challenges for businesses regarding the protection of sensitive information. As employees inadvertently share proprietary code, customer data, and strategic plans with platforms like ChatGPT, Claude, and Google Gemini, they may unintentionally undermine the legal safeguards that protect such sensitive information. With courts and regulators just beginning to address this issue, the responsibility to prevent information leakage primarily lies with employers.
The Legal Stakes
According to the federal Defend Trade Secrets Act (“DTSA”) and the Uniform Trade Secrets Act (“UTSA”), which is adopted in most states, a plaintiff must demonstrate that the information in question was protected through reasonable secrecy measures. Traditionally, courts have recognized safeguards such as confidentiality agreements, restricted physical access, and employee training. However, these protections were designed for a time when data leakage was a matter of thumbs drives and disgruntled staff—not for an era where employees can quickly share entire databases with third-party AI platforms that may use these inputs for model training.
This issue is not merely theoretical. Even if a vendor does not use shared information for training, entering trade secrets into a public AI tool could jeopardize their protected status. In a recent ruling, United States v. Heppner, the U.S. District Court for the Southern District of New York ruled that attorney-client privilege did not apply to documents created using Claude, a generative AI platform, which were subsequently shared with an attorney. The ruling noted that Anthropic’s Privacy Policy allows the sharing of user data with third parties, concluding that users of AI tools “do not have substantial privacy interests” in their communications with these platforms.
The implications for trade secrets are significant. Just as individuals cannot claim confidentiality over communications with third parties who have access rights, companies that disclose trade secrets through a public AI tool—especially one that does not guarantee confidentiality—risk losing their right to claim the information as a trade secret. If such a disclosure is established, it could destroy the credibility of any future trade secret claims. The reasoning seen in Heppner applies broadly and could emerge in trade secret litigation, as well. Moreover, companies must also be mindful of labor law considerations when tackling these challenges.
NLRA/NLRB Risks in AI Acceptable Use Policies
While drafting AI acceptable use policies, employers must consider the provisions of the National Labor Relations Act. The NLRB has made it clear that overly broad workplace policies that might discourage employees from discussing their wages, working conditions, or engaging in collective activities are unlawful, regardless of the employer’s intentions.
AI policies must be specifically tailored to protect valid business interests, particularly trade secrets and proprietary information. Legal experts should review any policy before implementation. A blanket prohibition on all AI tool usage or overly broad confidentiality rules capturing AI-generated content could attract scrutiny if employees or unions believe it restricts protected activities. Missteps in this area could transform an effort to safeguard trade secrets into a charge of unfair labor practices.
Building a Defensible Program
While the “reasonable measures” standard does not demand perfection, it requires employers to act reasonably in light of the particular circumstances and the value of the information at stake. Importantly, this standard is assessed at the time of the information breach; measures implemented after the fact can offer no retroactive protection. Employers should consider the following steps, which go beyond simple policy updates and are likely to be recognized by courts in the context of AI:
- Written AI Acceptable Use Policy. Clearly outline the types of information that must not be entered into external AI platforms, such as proprietary source code, customer data, financial forecasts, and merger and acquisition targets. Differentiate between approved enterprise tools and consumer-facing ones. Additionally, ensure written acknowledgment from employees during onboarding and on an annual basis.
- Vendor Audit and Enterprise Agreement Review. Examine the terms of service and data processing agreements for each AI tool in use, focusing on whether the vendor retains rights to use inputs for training, what security protocols are in place, and if the enterprise product provides sufficient data isolation from the consumer version.
- Technical Controls. Policies alone are not enough. Implement Data Loss Prevention (DLP) tools configured to prevent uploads of sensitive data to unauthorized platforms, impose network-level restrictions on access to consumer AI sites from corporate devices, and enable audit logging for AI tool usage.
- Targeted, Documented Training. Standard confidentiality training that predated the era of AI is inadequate. Offer scenario-based training that explicitly illustrates which types of prompts pose risks and why, and ensure this training is documented.
- Updated Employment and IP Agreements. Review and revise confidentiality and intellectual property assignment agreements to specifically address generative AI, ensuring that trade secret obligations apply equally to disclosures made via AI prompts and that AI-generated outputs containing proprietary information remain the company’s intellectual property.
Key Takeaways for Employers
The intention of employees is largely irrelevant; even a well-meaning engineer who uses an unapproved AI tool to debug proprietary code can create significant legal issues. The ruling in United States v. Heppner—which emphasizes that users of public AI platforms hold no substantial privacy rights in their shared information—serves as a warning for courts beyond just privilege matters. Businesses that approach AI governance as an issue of trade secret protection, rather than merely a technology policy, and invest in the appropriate vendor, technical, and training structures will be better positioned to safeguard their most valuable assets and successfully pursue claims under the DTSA in case of security breaches.
