Answers reflect Anthropic, Harvey, and Legora public documentation and U.S. legal authorities as of June 11, 2026. Vendor policies change quickly — re-verify load-bearing claims before relying on them. Nothing here is legal advice.
Is Claude safe enough for legal work?
It can be — but only with the right subscription and configuration. Not every Claude account is appropriate for confidential or privileged material. Here's how it breaks down:
| Claude product | Product type | Model training default | Firm / IT controls | Legal-work recommendation |
|---|---|---|---|---|
| Claude Free | Individual / consumer | Opt-out may be unavailable. User must turn off "Help improve Claude." | None | Do not use for client-confidential work. |
| Claude Pro | Individual / consumer | Opt-out. User must turn off "Help improve Claude." | None | Do not use for client-confidential work unless you are a solo attorney aware of the risks, or have explicit approval from firm IT and leadership. |
| Claude Max | Individual / consumer | Opt-out. User must turn off "Help improve Claude." | None | Same as Pro. |
| Claude Team | Commercial / firm workspace | No model training on content by default. | Central billing/admin, SSO, connector controls, enterprise desktop deployment. | Better baseline for small firms and multi-user practices: no training by default, plus admin controls including disabling thumbs up/down feedback. |
| Claude Enterprise | Commercial / enterprise workspace | No model training on content by default. | RBAC, SCIM, audit logs, Compliance API, custom retention, IP allowlisting, HIPAA-ready option. | Strongest Claude app option for sensitive legal work. HIPAA and similar compliance may require a BAA (20-seat minimum). |
| Anthropic API / Claude Platform | Commercial API | No model training by default. | Depends on app design, logs, contract, ZDR availability. | Potentially appropriate after API-specific diligence. BAA available for eligible first-party API use, or separately through AWS. |
| Claude via Harvey, Legora, AWS, Google, Lexis, etc. | Third-party platform | Depends on both Anthropic and the platform. | Depends on the platform contract and controls. | Review both the platform and the underlying model-provider chain (see Q10). |
The biggest oversights when implementing Claude:
- On consumer accounts, disable model training. Since Anthropic's September 2025 consumer terms update, Free, Pro, and Max chats are used for model training unless the user opts out — and training-enabled data can be retained up to five years.
- Disable feedback on Team & Enterprise. Anthropic says thumbs up/down feedback stores the entire related conversation for up to five years and may be used for research, service analysis, user-behavior study, and model training as permitted by law.
- Don't confuse "no model training" with "zero data retention." Team/Enterprise chats are still stored by Anthropic to power the product; API inputs/outputs are generally deleted within 30 days unless an exception applies. Platforms like Harvey negotiate ZDR agreements with model providers that exempt their traffic from default retention.
- The newest Claude models carry mandatory safety retention that overrides ZDR. Anthropic designates its Mythos-class models — including the generally available Claude Fable 5 — as "Covered Models": prompts and outputs are retained for 30 days for trust-and-safety purposes on every platform where the models are offered, even where a zero data retention agreement would otherwise apply, and content flagged by safety classifiers can be held up to two years (TechCrunch, PYMNTS). Anthropic says the data is not used for training and human access is logged. It doesn't mean you can't use these models — but apply the same discretion you'd apply to abuse-monitoring retention in any AI tool.
- Review before approving connectors, Cowork, Claude Code, Claude in Chrome, or custom MCP servers. Once Claude can reach your systems, files, browsers, or shell, the risk goes beyond chat privacy to data loss and infiltration. All integrated access — including which tools require per-use approval — must be governed centrally (see Q7–Q8).
Bottom line: Free, Pro, and Max may work for some attorney tasks but should not be the default for client-confidential work — they require careful configuration and give IT no governance. Team can support a firm if approved and configured correctly. Enterprise gives the best protection: stronger governance plus the door to ZDR agreements and BAAs. The API offers similar protections and can also be served through partners like AWS Bedrock.
What ethical duties apply when attorneys use Claude or other AI tools?
Competence, confidentiality, supervision, communication, candor, and independent judgment — the same duties, applied to a new tool.
| Duty | Practical AI meaning |
|---|---|
| Competence (Rule 1.1) | Understand the benefits and risks of the AI tools you use (Comment 8). |
| Confidentiality (Rule 1.6) | Know whether prompts, files, and outputs are stored, reviewed, used for training, or shared with vendors/subprocessors. |
| Supervision (Rule 5.3) | Supervise AI output like you supervise junior lawyers, paralegals, and vendors. |
| Communication (Rule 1.4) | Some uses may require client disclosure or consent, especially where confidential information goes to a third-party system. |
| Candor (Rule 3.3) | Verify AI-generated citations, quotations, facts, and analysis before filing or advising. |
| Judgment (Rule 2.1) | AI can assist legal work; it cannot exercise the lawyer's professional judgment. |
ABA Formal Opinion 512 (July 2024) ties these together as the ABA's first formal generative-AI guidance.
Key guidance and cases, by jurisdiction:
Always check outputs and citations before filing (New York). The early warning was Mata v. Avianca, Inc., 678 F. Supp. 3d 443 (S.D.N.Y. 2023), where attorneys were sanctioned for filing fabricated case law and quotes generated by ChatGPT. The problem wasn't using AI — it was failing to verify it and lacking candor. The NYSBA Task Force on AI's April 2024 guidance responded by stressing the "careless speech" risks of LLMs: AI is a starting point, never to be trusted blindly.
Enforce human review, and know your court's rules (Texas). Judge Brantley Starr (N.D. Tex.) was the first to issue a mandatory standing order on AI. According to the order, attorneys must certify either that no portion of a filing was AI-drafted, or that all AI-generated language was rigorously verified by a human. Since then, more orders have been released across the United States (AI court guidance examples from Fredrikson & Byron, P.A.). Check your jurisdiction's rules and enforce human-review steps before work product is finalized.
AI assistants need supervision like nonlawyer staff (Florida). Florida Bar Ethics Opinion 24-1 says lawyers may use generative AI but must protect confidentiality, verify outputs, avoid improper billing, comply with advertising rules, and retain legal judgment — explicitly tying AI supervision to the nonlawyer-assistant standard. AI cannot be left unattended or deliver work product autonomously.
Agents demand more supervision, not less — and full candor when errors occur (California / Ninth Circuit). The California State Bar's Practical Guidance on generative AI warns that the more autonomous and connected a tool becomes, the more the lawyer must supervise, verify, restrict access, and control the workflow. The Ninth Circuit reinforced this in Lnu v. Blanche, No. 24-4790 (9th Cir. June 3, 2026), sanctioning and suspending two attorneys for AI hallucinations and for falsely denying the AI origin of the errors. The panel held that when an attorney learns of any error in a filing — including AI hallucinations — they must immediately alert the court and opposing counsel and disclose its source.
AI chats face conflicting protections across jurisdictions (Colorado, New York). In February, United States v. Heppner, No. 1:25-cr-00503 (S.D.N.Y. Feb. 17, 2026) found that a defendant's consumer AI chats were unprotected, as they had been sent to a third party. However, Morgan v. V2X, Inc., No. 1:25-cv-01991 (D. Colo. Mar. 30, 2026) held that AI use was protected as work product under Rule 26(b)(3). On June 4th, Judge Rhonda E. Fischer followed Morgan v. V2X, deciding in Assini v. Hayward (Sup. Ct. Nassau County June 4, 2026) that a pro se defendant's litigation preparation work in ChatGPT should still maintain an expectation of privacy and confidentiality, treating ChatGPT as a tool, not a third-party person, even though a third party is collecting and storing the data.
Bottom line: A lawyer may use AI, but the lawyer remains responsible. AI may draft, summarize, organize, compare, and accelerate legal work. It cannot be the lawyer, the final reviewer, or the source of independent legal judgment.
Where does our data go — and does Anthropic train on it?
On commercial plans: no training by default, with defined retention. On consumer plans: training is on unless you turn it off.
- Commercial (Team, Enterprise, API): Anthropic says it will not use commercial inputs or outputs to train its models by default, and its Commercial Terms provide that customers retain rights in inputs and own outputs. API inputs/outputs are deleted from the backend within 30 days unless a longer-retention feature, a different agreement, ZDR, usage-policy enforcement, or law applies. Saved chats persist in-product until deleted; deleted conversations are purged from backend storage within 30 days.
- Consumer (Free, Pro, Max): Chats and coding sessions are used for model training unless the user opts out, and training-enabled data is retained up to five years. Opted-out users keep a shorter standard retention; safety-flagged conversations may still be retained and reviewed on any plan.
- The feedback exception applies everywhere: thumbs up/down feedback stores the entire related conversation for up to five years and may be used for research and training. Team/Enterprise owners can disable the feedback mechanism.
- What about "Incognito": Incognito refers to a specific Claude feature for signed-in users — not your browser's private mode. Anthropic states incognito chats are not used to improve Claude even when "Help improve Claude" is enabled, and they auto-delete within 30 days unless flagged for safety review. Turning off training entirely is a more effective approach for consumer plans, and Team or Enterprise plans remain stronger alternatives by handing data governance to trusted admins.
- "Covered Models" introduce new data concerns: Mythos-class models (e.g., Claude Fable 5) carry mandatory 30-day safety retention on every platform. If you have an existing ZDR agreement, you cannot access the new models, and workspaces with access to Mythos-class models no longer offer ZDR.
Bottom line: Anthropic's commercial posture is favorable but not simplistic. The defaults are good; the exceptions (feedback, safety flags, Covered Models) are exactly what your AI policy should name.
Could our client data or firm IP end up being used by our competitors?
Not through model training on commercial surfaces — but that doesn't mean the vendor can't learn from your work.
Under Anthropic's commercial terms and privacy materials, customer content is not used for training by default. Harvey and Legora make equivalent public commitments. "No training on customer data" is now table stakes across the serious legal AI market.
But a vendor can still learn from how you work without ever touching the substance of a matter. Harvey's privacy policy describes collecting log data, service usage data, feature interactions, and query volume/type, and using personal data to develop and improve services and new functionality. Legora's privacy policy similarly describes usage data — features used, actions taken, time spent, query types and volumes — and use of aggregated data for product development and customer-behavior analysis. This is standard SaaS practice, and Anthropic, OpenAI, Microsoft, and Google operate similarly within their own terms.
With the protections and vendors discussed here, the strategic risk for law firms is no longer that an AI model could memorize a brief or client data, then spit it out to another user later. Instead, the greater risk today is that the platform can learn how attorneys work, which legal workflows have become dependent on AI, and which processes could be further automated and productized. Armed with that knowledge, any AI software provider could build features that commoditize the very work that their law firm customers currently sell by the hour. Claude, Harvey, and Legora are all reaching for in-house legal teams, which could limit outside counsel work. Claude for Legal, Harvey Agents, and many other features are being developed on a roadmap that may place AI providers in direct competition with the firms they serve in the future.
Diligence questions to ask any vendor:
- Does "no training" cover only foundation-model training, or also fine-tuning, evals, classifiers, and product analytics?
- Can the vendor use usage data, telemetry, metadata, or aggregated data to develop new features or benchmarks?
- Can the firm opt out of product-analytics use?
- Does the contract distinguish customer content, usage data, telemetry, and aggregated data?
Bottom line: "No model training" is necessary but not the full scope of considerations. Treat workflow-learning as a business-risk issue, not just a privacy issue, and choose your AI provider accordingly.
Will using Claude (or any AI tool) waive attorney-client privilege?
Don't assume privilege survives consumer-chatbot use — and don't believe any vendor who says their product "solves" privilege.
The case law is developing fast and is not a clean rule:
- In United States v. Heppner (S.D.N.Y. Feb. 2026), Judge Rakoff ruled — in a question of first impression — that a fraud defendant's conversations with consumer Claude were neither privileged nor protected work product: Claude is not a lawyer, the consumer terms (including training and disclosure provisions) defeated any reasonable expectation of confidentiality, and the defendant wasn't acting at counsel's direction. Feeding privileged attorney communications into the chatbot also risked waiving privilege over the originals.
- The same month, a Michigan magistrate in Warner v. Gilbarco reached something closer to the opposite conclusion, one that protected AI chats as work product for a pro se plaintiff. Commentators on Rakoff's earlier ruling have noted that the court's reasoning in Heppner could extend even to some enterprise deployments that let nonlawyers seek legal answers.
- On June 4th, Judge Rhonda E. Fischer followed Morgan v. V2X, Inc., No. 1:25-cv-01991 (D. Colo. Mar. 30, 2026), deciding in Assini v. Hayward (Sup. Ct. Nassau County June 4, 2026) that a pro se defendant's litigation preparation work in ChatGPT should still maintain an expectation of privacy and confidentiality, treating ChatGPT as a tool, not a third-party person, even though a third party is collecting and storing the data.
The risk is highest with personal accounts, consumer tools with training enabled, unclear retention terms, and unapproved platforms. The risk is lower — though never zero — with a commercial account, no-training defaults, confidentiality terms, access controls, audit logs, documented lawyer supervision, and client consent where appropriate.
Bottom line: Privilege is a facts-and-circumstances analysis under Rule 1.6 and governing law. Consumer chatbot use is the hardest posture to defend; a governed enterprise deployment with lawyer supervision is more defensible — but build a documented confidentiality story before the dispute, not after.
How does Claude handle ZDR, BAAs, HIPAA, and data residency?
You can pay and negotiate for each, but they don't come off the shelf.
| Need | Claude support | Key limitation |
|---|---|---|
| No model training | Default on all commercial products. | Feedback creates a separate path unless disabled. |
| Zero data retention | Available for eligible Claude API and Claude Code Enterprise customers, subject to Anthropic approval. Safety-classifier results are still retained. | Not a blanket feature; standard Team/Enterprise chat isn't ZDR-eligible, and Covered Models override ZDR. |
| BAA / HIPAA | BAA covers HIPAA-ready services: eligible first-party API use and HIPAA-ready Enterprise plans after an admin activates HIPAA compliance and signs the BAA. | Does not cover Free, Pro, Max, Team, Cowork, Console/Workbench, or various beta features. Covered Models require 30-day retention, so they aren't available where the BAA depends on ZDR. |
| DPA / GDPR | DPA available; Anthropic acts as processor for commercial customers. | Firms still owe their own controller/processor analysis. |
| Data residency | Regional compliance options across Europe, US, Canada, and APAC; AWS Bedrock / Google Vertex EU regions are an established path. | Data is stored in the US by default unless otherwise agreed or configured — verify the exact surface, endpoint, and contract. |
| Custom retention / audit | Enterprise custom retention, audit logs, Compliance API. | Cowork activity is not currently captured by these (see Q8). |
One internal-governance point firms miss: on Team and Enterprise, the organization's Primary Owner controls the workspace and its data, including exports of conversations and files. Enterprise Claude is safer from a vendor-governance perspective — it is not private from your own firm. Decide internally who can see what.
Bottom line: Don't assume ZDR, BAA coverage, or residency are "just there." Verify the exact product surface and contract — "Claude Enterprise" and "HIPAA-ready Claude Enterprise" are not the same thing until configured.
Are Claude connectors, plugins, and MCP integrations safe?
They can be — but they're where much of the real operational risk lives, so govern them like new software and integrations.
A basic chat tool only sees what a user pastes in. A connected Claude can retrieve files, search email, read your DMS, call APIs, and act through MCP servers. These make Claude much more powerful, but they also offer more ways for confidential data to flow outside expected boundaries.
What the controls actually look like:
- Team/Enterprise owners must enable connectors organizationally, and each user still authenticates individually; permissions can be tuned between read-only and write/delete actions.
- The current Microsoft 365 connector is read-only: users can only access data they already have permission to see, SharePoint permissions and DLP policies are respected, and each request is a fresh, cleaned-up data flow (though tool results saved into chats are retained with those chats).
- Enterprise can block users from connecting company identities (Gmail/Slack-style) to personal Claude accounts.
- Admins can distribute curated plugin marketplaces and control exactly which plugins members see and use, and manage which tools load automatically vs. on demand.
Diligence questions: What systems can Claude reach? Does it inherit existing user permissions? Read-only or write? Centrally approved or user-added? Are third-party MCP servers involved, and whose terms govern them? Is connector content captured in feedback, logs, or exports?
Bottom line: Start read-only, narrow, and centrally approved. Every connector is a new vendor relationship — treat them as such.
Is Claude Cowork safe for law firms?
Treat Cowork as a separate, higher-risk decision from Claude chat — it's an agent, not a chat skin.
Per Anthropic's desktop architecture documentation, the Claude Cowork agent loop runs natively on the user's device (conversation handling, file reads/writes in connected folders, web fetches, local plugin MCP servers), while code execution runs in an isolated Linux VM with network egress filtering and per-session isolation. Admins can disable local MCP servers and desktop extensions on managed devices via MDM. That's a lot of technical jargon to say that Cowork significantly expands the security surface:
- Cowork reads and writes files in local desktop folders that the user allows it to access, which gives it the power to add, edit, and delete files. Scope it to a dedicated working folder, never your whole drive.
- Cowork is a research preview on paid plans; owners can disable it, but the toggle is organization-wide, not role-by-role. It's all or nothing, so choose carefully.
- Cowork activity is not currently captured in audit logs, the Compliance API, or data exports, and conversation history is stored locally on user machines — outside central retention and admin review. If a workflow needs an audit trail, run it in web chat or Claude Code on Enterprise instead.
- Prompt injection is the genuinely novel risk: when an agent reads untrusted content (inbound email, downloaded files, web pages), that content can try to hijack the agent for data extraction or malicious execution. The blast radius is defined by the permissions you grant to Claude.
Recommended firm posture: Keep Cowork off by default and consider whether there are alternative ways to achieve its benefits. Always require IT/security approval and pilot with a small group on non-sensitive files. Restrict connectors and local MCP to admin approvals. Keep PHI and highly sensitive client files out until approved for certain environments. Require human approval (or trusted tools that require human review) before allowing Claude to 'write' to its connectors: sending emails, filing online, deleting files, or drafting and editing.
Bottom line: Cowork is where legal plugins become most powerful and easiest to use — and it's also where governance is currently thinnest. Name that tradeoff honestly and your conversation with IT gets much easier.
What about lawyers using personal Claude accounts for firm work?
Treat it as shadow IT, not a personal-preference question.
Even a paid personal Pro or Max account leaves the firm unable to verify privacy settings, disable training defaults or feedback, control connectors and retention, produce audit logs, enforce legal holds, or recover work product when the lawyer leaves — the account and its history belong to the individual. The firm cannot answer "where did our client data go, and under what terms?" — which is exactly what a client, regulator, or disciplinary board will ask. And after Heppner (Q2 & Q5), consumer-account use is also the weakest privilege posture available.
Recommended firm rules: no client-confidential information in personal AI accounts; firm-approved tools only; restrict verified-domain connectors to the enterprise workspace; train lawyers that "paid account" ≠ "approved legal workspace"; and provide a safe approved alternative so no one feels forced into shadow AI.
How do Claude, Harvey, and Legora compare — and if Harvey or Legora runs on Claude, whose rules apply?
It's rarely "Claude vs. the platforms." It's usually "how does going direct through Claude versus using a legal AI platform like Harvey or Legora affect my privacy, data, and feature quality?"
| Issue | Claude direct | Harvey | Legora |
|---|---|---|---|
| Category | Foundation-model provider + first-party apps/API (legal solutions page) | Legal-specific platform on multiple model providers | Legal-specific platform |
| Training on customer content | No, by default (commercial); consumer is opt-out | Contractually does not train on inputs, outputs, or uploads | Will not use customer data to train or fine-tune models |
| Retention | API ~30 days; app chats per org settings; ZDR for eligible surfaces | Customer-controlled lifecycle; requires ZDR from model providers | Configurable retention; deletion with export at contract end |
| Residency | US default; regional options and cloud-provider regions | EU/Switzerland, US, Australia in-region options | EU and US options |
| Certifications | SOC 2, ISO 27001, ISO 42001 (see Anthropic certifications) | SOC 2 Type II, ISO 27001 et al. | ISO 27001, SOC 2 Type 2, ISO 42001 |
| Workflow-learning risk (Q4) | Product analytics collected per commercial terms/settings | Usage data used to improve/develop services | Usage/aggregated data for product development |
| Best diligence question | Which Claude feature and settings are we actually trying to use? | What does the customer agreement allow Harvey to do with usage data and workflow insights? | Same, for the subscriber agreement. |
| Best feature question | Is it cheaper and better to buy 'direct from the factory?' | Does a legal-specific tool deliver features that measurably deliver value at a higher price point? | Same, and for both platforms, how will their pricing structure be affected by changes in token costs as compute becomes increasingly constrained? |
When using Claude with another platform, make sure you're considering the policies of both. If you use Claude Fable directly via Enterprise or Anthropic's API, you analyze Anthropic's retention, training, ZDR, BAA, and review terms. If you use Claude through Harvey, you analyze Harvey's customer agreement and security posture plus Harvey's commitments about what its model providers may do — and per Anthropic's DPA materials, access through a third-party platform is governed by that third party's terms. The same model can have different data-handling implications depending on the path. Using Claude Fable in Harvey or Legora will change the security posture of that platform based on Anthropic's new rules, so pay attention to both platform (Harvey and Legora) and Claude updates.
Choosing: Claude direct gives a direct line to the model provider's own terms and admin controls, more customization and flexibility across legal and non-legal work, and foundation-model pricing. But you have to configure it yourself, connect to trusted systems with security reviews, and govern the platform to make it effective and secure. Harvey and Legora add turnkey, legal-specific operating layers, curated workflows, and vendor-managed guardrails at a premium — but your diligence also needs to cover both their platforms and the model providers. You can also use each platform for its own strengths. Parts of Harvey are now reachable from inside Claude.
What should our firm actually do next?
A governed pilot with clear intent of use — not an informal rollout for testing.
- Decide what data can go in. Public research and marketing drafts: low risk, good pilot material. Client-confidential facts: commercial plan + policy + lawyer supervision. Privileged strategy: stricter controls, possible client approval. PHI: only BAA-covered, HIPAA-ready surfaces. Protective-order or outside-counsel-restricted data: check the restrictions first.
- Do your diligence, drawing from Q4 and Q6: training defaults, feedback controls, retention, human review triggers, ZDR/DPA/BAA availability, audit logs, connector governance, personal-account blocking, and product-analytics rights.
- Pilot governance, not just use. Team or Enterprise with configurations, never personal accounts, disable feedback, use low/moderate-risk use cases first, police and restrict plugins and connectors, keep Cowork off until the tradeoffs warrant it, enforce attorney review, and document and instruct users on appropriate use.
- Get a strategy and policy in place. List approved and prohibited tools; name permitted and prohibited data types; enforce client-consent and court-disclosure requirements; set connector and agentic-AI rules; monitor retention and incident reporting. Make your sign-ins robust and watch for inappropriate use.
Final thoughts: Claude is not "safe" because it's AI, and it's not "unsafe" because it's AI. It's safe enough for legal work when you buy the right product surface, turn on the right controls, limit the right features, and train your lawyers not to use it like a personal consumer chatbot.