Court: Public AI use can waive privilege Artwork

Crestvale Newsroom

Crestvale Newsroom is a short-form podcast breaking down what’s happening across business, finance, and technology, and why it actually matters. Each episode focuses on signal over noise, helping operators, founders, and decision-makers stay informed without chasing headlines.

All Episodes

Crestvale Newsroom

Court: Public AI use can waive privilege

March 25, 2026 • Crestvale Newsroom

0:00 | 6:51

A new federal ruling confirms that entering sensitive information into a public AI tool can waive privilege and even undermine trade secret status. Courts now treat these systems as third parties, which creates immediate exposure for firms that allow staff to experiment with consumer AI tools. This episode breaks down what changed and why firms need tighter controls.For leaders in professional services, the impact is direct. Privilege waiver cannot be undone, and trade secret protection depends on reasonable steps to maintain confidentiality. Firms that do not update their AI usage rules now risk losing core protections in litigation and transactions.We also cover the real cost drivers behind AI agents, the security implications of the FCC's new router restrictions, and the latest findings from M Trends on attackers targeting backup and identity systems.Learn more at https://crestvale.io

Support the show

SPEAKER_00 0:00

Welcome to the daily audio briefing on AI, automation, and business technology for professional service firm leaders. Today, we're looking at how a new federal ruling treats public AI tools as third parties and what that means for privilege and confidentiality. The shift is simple but sharp. If sensitive information goes into a public AI system, a court may see that as handing it to an outside party. That exposes firms to real risk, and the ruling signals judges are ready to enforce it. Markets closed lower in the previous session. The SP moved down, and the Nasdaq slipped as well. The mood was cautious across equities. The 10-year treasury yield moved up by the close, which added some pressure to growth names. Bitcoin also moved down, reflecting a softer tone across risk assets. Overall, markets ended the day with a defensive posture. The main story this morning is the federal ruling on public AI tools and confidentiality. A judge found that entering sensitive information into a consumer AI system counted as sharing it with a third party. In that case, the system was a public version of Claude, and the court ruled there was no reasonable expectation of privacy. That meant privilege was waived. The court also suggested this behavior could break trade, secret protection. Trade secret law requires reasonable steps to keep information confidential. Uploading it to a public AI tool without strict controls may fail that test. This is not about the model itself. It is about the environment. Public tools log activity. They may send data to internal reviewers. They often have usage data retained for product improvement. Courts see that as exposure. Many firms have rules about sending documents to vendors, but a lot of staff treat public AI tools as harmless helpers. This ruling says a judge may not agree with that view. Now, the practical change becomes clear. Public AI tools are being treated like any unapproved third party. Firms that have not updated their confidentiality and trade secret policies around AI use now face real risk. Blanket blocking of public AI tools is becoming common, but policies without training usually fail. The risk often comes from quick experiments or habit. A single upload can compromise a client matter. Enterprise AI tools with clear contractual controls are the safer path. They offer data isolation, audit rights, and a written bar against training on user inputs. Public tools do not. The signal from the court is direct. If sensitive information touches a public AI tool, expect a judge to treat it as disclosed. Why this matters is simple. Privilege waiver is not fixable. Trade secret protection, once lost, cannot be restored. Firms must move faster than their staff's habits and build real guardrails before a judge forces the issue. Now, another shift worth your attention. Ravenium released a tool registry that exposes what AI agents actually cost. And the finding is blunt. Tokens are the cheap part. The real cost sits in the services and agent calls. Most teams watch model usage, but an agent that checks identity, calls enrichment services, queries internal systems, or sends work to a human reviewer can burn through far more money than the model itself. Some workflows cost dozens of dollars in external checks for every few cents of model activity. Ravenium's system shows each step in the chain, every external service call, every SaaS charge, every internal compute hit, every human review event. It all rolls up into a single cost map tied to the agent decision that triggered it. For firms experimenting with revenue-bearing automations, this matters. Without this mapping, teams are blind to margin. Some workflows will look promising until you see the real cost stack. Others will be easy to optimize once you understand where the money leaks out. Cost attribution at this level becomes a competitive edge. Meanwhile, the Federal Communications Commission halted approvals for most new foreign-made home routers. The agency framed it as a security concern. For any firm with remote workers, this turns the home router into a recognized point of exposure. Attackers have been using cheap home routers for years as entry points into corporate networks. Groups linked to state actors have used them to hide traffic and pivot into enterprise environments. The agency is now treating those devices as part of the national security landscape. The order affects new approvals, not devices already in use. But the message is clear. Home routers are now high-risk infrastructure. Firms need to set standards, offer guidance on what devices are acceptable, and assume older home gear will remain in place longer as supply tightens. The practical reality is straightforward. If your remote staff sits behind compromised routers, you inherit that risk. Firms may need to subsidize secure models, tighten access controls, and treat the home edge as a formal part of security design. Finally, the latest MTrends report shows attackers shifting to industrial scale operations. They now target backup systems, identity systems, and hypervisors before launching destructive action. The goal is to break recovery. If they take out your backups, your identity layer, and your virtualization stack, recovery becomes impossible, even if you detect the attack quickly. Access brokers sell entry within minutes. Ransomware groups act on it almost immediately. Social engineering remains a key method of gaining access, especially for cloud accounts. The message is plain. If your backup and identity systems share the same trust zone as daily operations, you risk losing them both in a single breach. Here is what else is worth knowing today. Citrix patched a flaw in net scalar systems that allowed session hijacking. Edge appliances continue to be high value targets and need active maintenance. The Attorney General of Connecticut said existing laws already cover harmful AI use. Regulators do not need new statutes to pursue discrimination or unfair practices tied to automated decisions. On its security, raise new funding to automate vulnerability triage. Investors are betting that manual cues cannot keep pace with modern exploit speed. Sentinel One is now offering tools to test the security of AI agents themselves. The industry is beginning to treat agent behavior as an attack surface that must be evaluated directly. Here is the takeaway treat every public AI tool as an unvetted third party and block it from handling privileged or proprietary information. If this was useful, follow the Crestvale Newsroom daily podcast so you don't miss tomorrow's briefing. Thanks for listening.