Overview
When your company is sued, litigation often involves producing large volumes of confidential business documents to the other side—internal communications, financial records, personnel files, customer information, contracts, trade secrets, and more. Courts routinely enter protective orders to protect the confidentiality of that material.
Generative AI has created a new and serious gap in that protection. When someone feeds your confidential documents into the public, consumer-tier versions of tools like ChatGPT, Google Gemini, or Claude, those documents may be retained by the platform, used to train its model, and made available to others in ways that are, as a practical matter, impossible to undo. Courts have begun confronting this risk head-on. Recent decisions show that parties that are proactive about negotiating AI provisions in protective orders can obtain important, enforceable safeguards for their confidential information.
Not All AI Tools Are the Same
One distinction is key to understanding recent judicial decisions on AI and protective orders: the difference between “open” and “closed” AI tools.
Open AI tools are the consumer-facing platforms most people are familiar with: the standard, freely available versions of ChatGPT, Google Gemini, Claude, and similar products. When you type or upload something into one of these tools, the platform retains what you submitted. The platform may use that information to train or improve its model, and operates under terms of service that permit broad data use and sharing with third parties. Once information is submitted to one of these platforms, it practically cannot be retrieved or deleted.
Closed AI tools are entirely different. These are AI platforms deployed under separate contractual arrangements, often called “enterprise” agreements, that specifically prohibit the platform from retaining user inputs, training on them, or sharing them with others. Many of the “open” AI brands offer “enterprise” versions with these added protections.
Courts focus on the difference between open and closed AI tools as the key to evaluating risk to confidential information. The distinction is not about which AI company makes the tool, but what the company is allowed to do with the information it receives.
The Risk to Parties Producing Confidential Information
A traditional protective order prohibits the receiving party from disclosing confidential documents to third parties outside the case. Protective orders drafted before generative AI became more widespread do not address—at least expressly—submitting a document to an open AI platform.
To date, courts that examined this issue found the risk of disclosure significant. Open AI tools use submitted inputs to develop and improve their models. Once your company’s confidential information is incorporated into a model’s training data, it effectively cannot be retrieved or deleted, even by court order. The information joins an enormous repository that can be accessed, queried, and surfaced by strangers—a result that protective orders did not previously contemplate.
In Jeffries v. Harcros Chemicals, Inc. (D. Kan. March 25, 2026), a defendant facing a large class action obtained an amended protective order that went further than most. The court prohibited plaintiffs from submitting any discovery material—not just documents designated confidential—into open AI tools.[1] The court found good cause for this requirement on several grounds. Its most significant finding was that open AI tools create an irreversible loss of control. Submitted data is incorporated into the platform’s ongoing model training, making it impossible to retrieve or delete after the fact. The court also found that submitting large volumes of discovery to a public AI repository carries risk even when individual documents are not technically confidential, including potential violations of U.S. and European data privacy laws.
The Jeffries court also observed that limiting discovery information to closed AI tools can encourage broader document productions. When producing parties cannot control where their materials end up, they have an incentive to redact aggressively and produce conservatively. Restricting AI use to secure, closed tools removes that incentive.
In Morgan v. V2X, Inc. (D. Colo. March 30, 2026), a corporate defendant facing employment discrimination claims from a pro se litigant obtained a similar amendment to its protective order. The court required that any AI tool used to process confidential discovery information be contractually prohibited from storing inputs, training on them, or sharing them with third parties, and that the provider afford the ability to delete all inputs on demand.[2] The court recognized that current “mainstream low-to-no-cost AI” open AI tools do not meet those requirements, whereas closed or “enterprise-tier” AI tools generally do.
The Pro Se Plaintiff & Open AI
The Morgan case highlights an emerging dynamic worth noting. The Morgan plaintiff was pro se, representing himself without an attorney. As AI tools become more sophisticated and easier to use, they lower the barrier for individuals to file and prosecute complex litigation on their own. That trend means companies facing suit are increasingly likely to be producing confidential documents to an opponent who lacks law firm infrastructure, enterprise AI tools, and the professional training that governs how lawyers handle discovery materials. A pro se plaintiff armed with a free AI platform and a large production of your company’s documents presents a real confidentiality risk, which a properly formulated protective order must address.
What This Means for Your Company
Not every “enterprise” AI arrangement is guaranteed to qualify as a closed tool for purposes of handling discovery information. What matters is the substance of the contract, not the price tier or the label. The Morgan court was specific: a permissible AI tool must be contractually prohibited from storing inputs, training on them, and disclosing them to third parties—and the user must have the ability to delete all covered materials on demand. A company that assumes its enterprise AI subscription carries these protections without confirming the contract language may be exposed to the same risks as a person using an open platform.
Other considerations for companies and their counsel include:
Review protective orders in current litigation. Counsel and companies should consider amendments to protective orders that do not explicitly address the use of confidential information in AI platforms.
Negotiate AI restrictions at the outset of discovery. Counsel should raise AI-use restrictions as a standard item in early discovery discussions and protective order negotiations before discovery begins. Waiting until an opposing party has already uploaded your documents to an open AI tool is too late.
Frame restrictions around data-handling conduct, not specific tools. Protective orders that name specific AI products can become outdated and may inadvertently restrict legitimate closed tools or fail to capture new ones. Restrictions tied to what the tool actually does with data—whether it retains inputs, trains on them, or discloses them to third parties—are more durable and harder to circumvent.
Require deletion rights. Both Morgan and Jeffries found that retrieving or deleting data from an open AI system is practically impossible once it has been incorporated into a model. Protective order language should require any permissible AI tool to provide the ability to delete all covered materials on demand.
Address your own organization’s AI use. Protective orders cut both ways. Any restrictions you seek apply equally to all parties to the litigation. Before pushing for broad AI restrictions, companies should confirm that their own litigation teams and business units are using only tools that can comply. An AI use policy that draws a clear line between open and closed AI tools, and covers outside counsel as well as internal staff, reduces litigation risk, broader confidentiality exposure, and the prospects of waiver of the attorney-client privilege and/or work product protection.
A Rapidly Developing Area
The decisions discussed here represent some of the earliest judicial guidance on these questions, and courts will continue to refine their approach as AI tools evolve and more disputes are litigated. What is already clear is that the use of AI in litigation is no longer an informal matter left to the parties. It is an active area of court oversight, and the producing party’s ability to protect its confidential information depends increasingly on how well these issues are addressed at the outset of a case.
Barack Ferrazzano’s Litigation Group is monitoring developments in this area closely. We are happy to discuss how these issues may affect your company’s litigation strategy or internal AI policies.
This advisory is provided for informational purposes only and does not constitute legal advice. The legal analysis summarized here is general in nature; results in any particular matter will depend on the specific facts and applicable law. This communication does not create an attorney-client relationship.
[1] See Jeffries v. Harcros Chemicals, Inc., No. 25-2352-KHV-ADM, 2026 WL 820218, at *4 (D. Kan. Mar. 25, 2026).
[2] Morgan v. V2X, Inc., No. 25–CV–01991–SKC–MDB, 2026 WL 864223, at *7 (D. Colo. Mar. 30, 2026).
