Quick Hits

• On January 29, 2026, the First Circuit reversed the dismissal of plaintiffs’ religious discrimination and retaliation claims arising from their employer’s COVID-19 vaccination policy.
• In doing so, the First Circuit made clear that “my-body-is-my-temple arguments rooted in a plaintiff’s religious beliefs are sufficient to plead the existence of a bona fide religious belief.”
• Additionally, although the employees resigned their employment, the court concluded that allegations regarding the investigation of one plaintiff’s alleged failure to wear a mask at an employer-sponsored event and another plaintiff’s removal from eligibility for promotions could, if proven, constitute adverse employment actions.

Background

Two former employees filed suit against their former employer alleging claims of religious discrimination and retaliation under Title VII of the Civil Rights Act of 1964 and Rhode Island state law. Both employees requested exemptions from the company’s COVID-19 vaccination policy based on their religious beliefs. After the employer denied their exemption requests, the employees ultimately resigned from their positions.

The district court dismissed plaintiffs’ claims on three grounds. First, the court held that the plaintiffs’ exemption requests “were not based on religion.” Second, the court found that the plaintiffs failed to plead an adverse employment action. Third, with respect to one plaintiff, the court concluded that the complaint failed to allege a causal nexus between an adverse employment action and the decision to remain unvaccinated.

The First Circuit’s Analysis

In reversing the district court’s decision, the First Circuit expressly reaffirmed its prior holdings regarding what constitutes a sincerely held religious belief under Title VII and Rhode Island state law, which it analyzed together with the employees’ federal claims. The court reiterated that “my-body-is-my-temple arguments rooted in a plaintiff’s religious beliefs are sufficient to plead the existence of a bona fide religious belief for purposes of Title VII.” In doing so, the court demonstrated its continued reluctance to evaluate the veracity of an individual’s professed beliefs.

The First Circuit also considered whether the plaintiffs sufficiently alleged adverse employment actions. The plaintiffs’ allegations included that: they received warnings based on alleged violations of company policy that occurred months earlier; these warnings precluded advancement within the company, including one plaintiff becoming disqualified from a previously promised promotion; assignment to events requiring vaccination; removal from internal organizational charts while on leave; dissemination of the plaintiffs’ medical information to coworkers; and the company’s practice of reviewing the plaintiffs’ vacation requests.

The First Circuit acknowledged that certain of these allegations, standing alone, might constitute mere “petty slights” insufficient to support a Title VII claim. Nevertheless, the court found that other allegations—particularly the investigations of one plaintiff’s failure to wear masks at a charity event and subsequent removal of another plaintiff from eligibility for promotions—were sufficient to survive dismissal.

The Takeaway

COVID-19 policy cases are still winding their way through the courts. As they are adjudicated, they offer important lessons for employers in considering religious accommodation requests from their employees outside of the COVID-19 context.

Ogletree Deakins’ Employment Law Practice Group will continue to monitor developments and will post updates on the Employment Law, Healthcare, and State Developments blogs as additional information becomes available.

In addition, information on religious accommodation laws is available on the Ogletree Deakins Client Portal. Snapshots and updates are available for all registered client users. Premium and Advanced subscribers have access to the full state and federal Religious Accommodation Law Summaries, as well as a step-by-step guide on handling Religious Accommodation Requests and related templates. For more information on the Client Portal or a Client Portal subscription, please reach out to clientportal@ogletree.com.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts

Quick Hits

• New Jersey Senate Bill S3452 aims to enhance employment protections for registered medical marijuana patients by preventing employers from taking adverse employment action against them based solely on their status as medical marijuana cardholders or their having tested positive for cannabis.
• If enacted as proposed, the bill would prevent an employer from taking adverse employment action against such an employee unless the employer can establish by a preponderance of the evidence that the lawful use of medical marijuana has impaired the employee’s ability to perform the employee’s job responsibilities.
• The legislation would permit an employer to treat an employee as impaired if the employee exhibits specific, articulable symptoms while working that diminish the ability to perform the duties of the employee’s position.

Introduced on February 9, 2026, Senate Bill (S) 3452 would strengthen employment protections for registered medical marijuana users in New Jersey. While the bill’s stated purpose is to reinforce the protections for medical marijuana users already in place under the Honig Act, the bill would seemingly expand those protections in two key ways: (1) S3452 would make it explicitly unlawful for an employer to take adverse employment action, based solely on a failed drug test, against an employee who is a registered medical marijuana patient; and (2) the bill would create a “preponderance of the evidence” standard by which the employer would have to establish that “the lawful use of medical cannabis has impaired the employee’s ability to perform the employee’s job responsibilities” before taking adverse employment action against the employee who is lawfully using marijuana for medicinal reasons.

New Jersey Marijuana Regulation

In July 2019, New Jersey enacted the Honig Act, which prohibits an employer from taking an adverse employment action, such as a discharge, against an employee who is a medical marijuana user if that adverse employment action is “based solely on the employee’s status” as a medical marijuana patient. Under the Honig Act, when an employee or job applicant tests positive for marijuana, an employer must provide the employee or applicant with written notice of the positive test result and allow the employee or applicant an opportunity to provide a “legitimate medical explanation for the positive test result,” which can include authorization for medical marijuana use by a health care practitioner, proof of registration for medical marijuana use, or both.

Notably, the Honig Act explicitly stated that it did not “restrict an employer’s ability to prohibit, or take adverse employment action for, the possession or use of intoxicating substances during work hours or on the premises of the workplace outside of work hours.”

Subsequently, in February 2021, New Jersey legalized recreational marijuana use for individuals twenty-one years of age and older with the Cannabis Regulatory, Enforcement Assistance, and Marketplace Modernization Act (CREAMMA). That law had implications for employers, prohibiting them from discriminating against employees based solely on the fact that the employees used marijuana recreationally.

Preponderance of the Evidence Standard

S2452 would make it unlawful for an employer “to take any adverse employment action against an employee who is a qualified registered patient using medical cannabis” based on the employee’s holding a medical marijuana registry identification card or having tested positive for “cannabis components or metabolites” unless “the employer establishes by a preponderance of the evidence that the lawful use of medical cannabis has impaired the employee’s ability to perform the employee’s job responsibilities.”

The bill states that when assessing impairment, an employer would be able to consider an employee’s ability to perform the job “when the employee manifests specific articulable symptoms while working that decrease or lessen the employee’s performance of the duties or tasks of the employee’s job position.” What that means remains uncertain at this time, but possibilities might include uncharacteristic lethargy or withdrawal from work during active work periods, difficulty expressing coherent thoughts, or a significant drop in productivity.

Under CREAMMA, employers are required to use a workplace impairment recognition expert (WIRE) to conduct a “physical evaluation” of an individual who is drug tested for marijuana. CREAMMA directed New Jersey’s Cannabis Regulatory Commission (CRC) to establish standards for a WIRE to meet the qualifications for “detecting and identifying an employee’s usage of, or impairment from, a cannabis item or other intoxicating substance, and for assisting in the investigation of workplace accidents.” However, to date, the CRC has not promulgated the requirements for a WIRE under CREAMMA.

Positive Drug Tests for Marijuana

S2452 reiterates what the Honig Act requires following a medical marijuana patient’s positive drug test. If an employee or job applicant receives a positive test result, an employer must “provide written notice” to the employee or applicant on the right to “explain” the result, and “offer the employee or job applicant an opportunity to present a legitimate medical explanation for the positive test result.”

After receiving notice, the employee or applicant would then have three working days “to submit information to the employer to explain the positive test result, or request a confirmatory retest of the original sample at the employee’s or job applicant’s own expense.” The explanation of the positive result could include a health care practitioner’s recommendation for medical cannabis, a registry identification card, or both.

Drug-Free Workplace Policies

S2452 repeats the provision from the Honig Act that allows employers to prohibit or take adverse employment action for “the possession or use of intoxicating substances during work hours,” though it does not repeat or reiterate such provision from the Honig Act as applied to “the possession or use of intoxicating substances … on the premises of the workplace outside of work hours.” (Emphasis added.) It is believed that the latter provision from the Honig Act, allowing employers to prohibit the use or possession of marijuana “on the premises of the workplace outside of work hours,” would remain in effect if S2452 is enacted.

Next Steps

If enacted, S3452 would have significant implications for employers, particularly those wishing to maintain drug-free workplace policies, as it not only reinforces the nondiscrimination protections for medical marijuana users in the Honig Act, but arguably expands those protections by prohibiting the discharge of a registered medical marijuana user after a positive drug test for “cannabis components or metabolites,” unless the employer can establish impairment on the job by a “preponderance of evidence”—a legal standard typically used in civil cases.

Currently, the bill has only been introduced and remains under consideration. It appears that prior versions of the bill have not passed the New Jersey Legislature, and the chances of this bill passing are unclear at this time.

Ogletree Deakins’ Morristown office and Drug Testing Practice Group will continue to monitor developments and will provide updates on the Drug Testing, Employment Law, and New Jersey blogs as additional information becomes available.

Additional information on state and federal marijuana laws, as well as drug testing requirements, is available on the Ogletree Deakins Client Portal. As new laws are enacted, the Client Portal will provide updates on the New Jersey Medical Marijuana Law Summary, the New Jersey Recreational Marijuana Law Summary, the New Jersey Drug Testing Marijuana Law Summary, and the New Jersey Lawful Off-Duty Conduct Law Summary. Template policies and full law summaries are available for Premium and Advanced subscribers. Snapshots and updates are available for all registered client users. For more information on the Client Portal or a Client Portal subscription, please reach out to clientportal@ogletree.com.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts

Quick Hits

• Sleeping malware delays the cyber attack making it difficult for organisations to pinpoint where the threat has come from, and often can remain undetected making it too late to stop the attack.
• Attacks can result in business disruption, loss of personal data, and reputational damage.
• Organisations cannot entirely eliminate risk, but they can take precautions to reduce exposure and increase the likelihood of early detection and effective response.

Sleeping malware, such as Warp Panda and Brickstorm, are typically placed through subtle techniques, for instance, through phishing emails, supply chain compromise, infected external hard drives, or misuse of some internet webpages that may be embedded with malware. Once the malware becomes implanted in the organisation’s system it can self-modify to survive system reboots and routine maintenance checks. The malware then lies dormant in the system to avoid detection, often by leveraging native system tools rather than “typical” malicious software characteristics. This can mean that it remains in the system, sometimes for periods of two or more years, before an attack occurs.

Extended dormancy raises significant legal questions, including when breach notification obligations are triggered, whether cyber insurance policies with retroactive date limitations will respond, and the extent of regulatory exposure for the period during which the malware was active but undetected. While the malware is dormant insofar as causing disruption, it is often collecting information, including personal data and confidential business information, and scanning the system for weaknesses such as loopholes in security measures and unpatched systems while it waits for an activation date.

Activation dates are frequently aligned with moments of peak distraction or reduced staffing to maximise impact. Attacks can often occur during public holidays such as bank holidays, or preplanned maintenance downtime. For an organisation, the attacks can have serious consequences such as service outages, data breaches, destruction of data, and reputational damage.

Many organisations are already implementing a range of technical measures to protect against attacks such as the use of sandboxes, multifactor authentication systems, penetration testing, firewalls, and vulnerability management systems. However, as malware becomes more sophisticated and attacks become more frequent, these measures may not be offering complete protection. Often state of the art measures, which require heavy investment, are required to identify and protect from sleeping malware.

Commonly an organisation’s third-party service providers can be first to detect irregularities in the system. This may include suspicious update requests, unexpected coding patterns, or unusual service activity. Such activity can trigger notifications and investigations that reveal sleeping malware, requiring systems to be taken offline for periods of time to reset and contain the malware, resulting in negative impacts on business operations.

To mitigate the risks from sleeping malware, organisations may consider measures such as:

• Regular review of technical measures to secure systems and implementing up-to-date and proportionate improvements, such as restricted system access and isolating IT networks to limit malware movement
• Undertaking due diligence of third-party service providers relied on to deliver services
• Establishing a cyber incident response plan and undertaking simulations
• Providing regular staff training on phishing attacks and awareness of security threats
• Providing clarity on how staff will manage communications regarding cyber incidents
• Considering procuring cyber insurance, paying particular attention to retroactive date provisions and whether the policy responds to threats that were implanted before the policy period but discovered during it
• Complying with applicable data protection laws and remaining current with legal timeframes for communicating cyber incidents to relevant authorities and individuals

More information on cybersecurity risks and prevention can be found in our previous articles: “Healthcare Employers Must Be Vigilant in 2026 Against More Sophisticated Cyberattacks,” and our “Cybersecurity Awareness Month” series.

Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to provide updates on the Cross-Border and Cybersecurity and Privacy blogs as additional information becomes available.

Nicola McCrudden is of counsel in the London office of Ogletree Deakins.

Benjamin W. Perry is a shareholder in the Nashville office of Ogletree Deakins, and he is co-chair of the firm’s Cybersecurity and Privacy Practice Group.

Lorraine Matthews, a data privacy and cybersecurity practice assistant in the London office of Ogletree Deakins, contributed to this article.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts

Quick Hits

• The Department of Education found that San José State University’s policies allowing student-athletes assigned male at birth to compete in women’s sports and access the corresponding facilities “deny women equal educational opportunities and benefits.”
• This finding follows a directed investigation pursuant to President Donald Trump’s February 2025 executive order barring transgender athletes from competing in women’s sports.
• The executive order—which takes the position that allowing transgender student-athletes’ participation in women’s sports undermines fairness and opportunities for women and girls—threatens federal funding for, and Title IX enforcement actions against, educational programs that do not comply with the policy established in the order.

On January 28, 2026, the U.S. Department of Education’s Office for Civil Rights (OCR) announced its finding that San José State University’s (SJSU) policies allowing student-athletes assigned male at birth to compete in women’s sports and access the corresponding facilities violated Title IX of the Education Amendments of 1972, which prohibits discrimination on the basis of sex in education programs or activities receiving federal financial assistance.

The finding follows OCR’s directed Title IX investigation into SJSU, announced in February 2025, pursuant to President Trump’s Executive Order (EO) 14201, titled, “Keeping Men Out of Women’s Sports.” The EO states that allowing transgender athletes to compete in women’s sports “is demeaning, unfair, and dangerous to women and girls, and denies women and girls the equal opportunity to participate and excel in competitive sports.”

OCR found that SJSU had recruited and allowed a transgender student-athlete to compete on SJSU’s women’s indoor and beach volleyball teams. In its findings, OCR cited privacy concerns, safety concerns, and concerns related to an unfair physical advantage over opposing teams as a result of SJSU’s decision.

OCR also concluded that SJSU had violated Title IX by not promptly and equitably investigating Title IX complaints filed by other SJSU student-athletes related to the transgender student-athlete and by taking actions that discouraged other student-athletes from participating in the Title IX process.

OCR issued a proposed Resolution Agreement to SJSU to voluntarily resolve the Title IX noncompliance violations. The proposed Resolution Agreement requires SJSU to take the following actions:

• “Issue a public statement to the SJSU community that SJSU will adopt biology-based definitions of the words ‘male’ and ‘female’ and acknowledge that the sex of a human—male or female—is unchangeable”;
• “Specify that SJSU will follow Title IX by separating sports and intimate facilities based on biological sex”;
• “State that SJSU will not delegate its obligation to comply with Title IX to any external association or entity and will not contract with any entity that discriminates on the basis of sex”;
• “Restore to individual female athletes all individual athletic records and titles misappropriated by male athletes competing in women’s categories, and issue a personalized letter of apology on behalf of SJSU to each female athlete for allowing her participation in athletics to be marred by sex discrimination”; and
• “Send a personalized apology to every woman who played on SJSU’s women’s indoor volleyball (2022–2024), and 2023 beach volleyball, and to any woman on a team that forfeited rather than compete against SJSU while a male student was on the roster—expressing sincere regret for placing female athletes in that position.”

Key Takeaways

OCR’s noncompliance finding and proposed Resolution Agreement will have significant implications for educational institutions receiving federal financial assistance, particularly in states with conflicting laws. Though the finding does not indicate a withholding of federal funding, educational institutions should note that such withholding is a remedy within OCR’s purview and that the Trump administration will likely continue to focus on transgender student-athletes’ participation in interscholastic athletics.

The SJSU decision is likely not the end of the road. OCR has also launched investigations into other educational institutions based on alleged Title IX violations related to transgender student-athletes, the results of which have not yet been finalized. Additionally, whether the Supreme Court of the United States follows in OCR’s footsteps will be seen when it rules on two cases expected to be decided in June 2026. On January 13, 2026, the Supreme Court heard oral argument in Little v. Hecox and West Virginia v. B.P.J., cases involving transgender student-athletes challenging state laws restricting participation in girls’ and women’s sports to athletes assigned female at birth.

Ogletree Deakins’ Diversity, Equity, and Inclusion Practice Group, the Higher Education Practice Group, and the Sports and Entertainment Industry Group will continue to monitor developments and will provide updates on the Diversity, Equity, and Inclusion Compliance, Higher Education, and Sports and Entertainment blogs as additional information becomes available.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts

Quick Hits

• EB-1 advances for China and India.
• All EB-2 categories advance, except China.
• EB-3 advances except China and India.

Final Action Dates

The final action dates chart show the following movement in the March 2026 Visa Bulletin:

• EB-1: Advances one month for China and India; all other countries continue to be current.

• EB-2: No movement for China, India advances two months to September 15, 2013; all other countries advance to October 15, 2024.
• EB-3: All countries advance except for China-mainland (which remains at May 1, 2021) and India (which remains at November 15, 2013). The Philippines advances two months to August 1, 2023. All other countries advance by four months to October 1, 2023.
• EB-4: All countries advance to July 15, 2021.
• EB‑4 Certain Religious Workers: July 15, 2021.
• EB-5: No movement is shown.

Source: U.S. Department of State, March 2026 Visa Bulletin, Final Action Dates Chart

Dates for Filing

The dates for filing advance significantly almost across the board. Additionally, the EB-4 Certain Religious Workers subcategory was Unavailable (U) for all countries in February 2026, and is now available for January 1, 2023, for all countries.

• EB-1: China and India advance four months to December 1, 2023. All other countries remain current.
• EB-2: No movement is shown for China. India advances eleven months to November 1, 2014. All other countries become current.
• EB-3: No movement for China-mainland and India. Philippines advances to January 1, 2024, and Mexico advances to January 15, 2024. All other countries advance by more than three months to January 15, 2024.
• EB-4: All countries advance to January 1, 2023.
• EB‑4 Certain Religious Workers: January 1, 2023.
• EB-5: China advances to October 1, 2016, for 5th unreserved. No other movement is shown.

Source: U.S. Department of State, March 2026 Visa Bulletin, Dates for Filing Chart

The State Department notes that this advancement is in part due to the immigrant visa processing pause on certain nationalities and if the administration’s policies shift, retrogression may be necessary later in the fiscal year to bring the issuance of immigrant visas within the annual limits.

Key Takeaways

The significant advancement of most categories in the Dates for Filing Chart will allow more applicants to file adjustment of status applications starting March 1, 2026.

Ogletree Deakins’ Immigration Practice Group will continue to monitor developments and will post updates on the Immigration blog as additional information becomes available.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts

Quick Hits

• The Supreme Court of Nova Scotia confirmed that accepting a unionized position makes an individual an employee under the collective bargaining agreement, even if the employee never worked a single day.
• The court ruled that the plaintiff’s dispute over her rescinded job offer falls within the exclusive jurisdiction of labour arbitration, not the court.
• Employers may want to note that the employment relationship and associated rights under a collective agreement may commence as soon as an offer for a unionized position is accepted.

The Offer and the Withdrawal

Beverly Margaret Gentleman had been offered a full-time permanent position as a planner with the Municipality of the County of Kings, with a start date of January 18, 2023. An email was sent to all municipality staff and the union president, announcing that Ms. Gentleman would be joining the team.

Then, just two days before she was set to begin, the municipality rescinded the offer on January 16, 2023, citing that the “match was not appropriate” due to a “different planning approach.” The municipality pointed to a clause in the offer letter stating that

“Offer of employment is conditional upon the completion of all applicable background checks and confirmation of credentials, the results of which must be satisfactory to the employer or will result in termination of your employment.” (Emphasis in the original.)

The Battle Over Jurisdiction

Ms. Gentleman brought a claim against the municipality for wrongful dismissal, breach of contract, breach of the duty of honest and good faith contractual performance, and negligent misrepresentation. She wanted her case to be heard at court and not through a labour arbitrator. Ms. Gentleman argued that the grievance and arbitration process would not provide her with an effective remedy because she was out of time to file a grievance.

The municipality filed a motion to dismiss, arguing the dispute belonged in the exclusive jurisdiction of a labour arbitration, not court.

The court was left to decide the correct avenue for Ms. Gentleman and zeroed in on the language of the collective agreement:

• Article 4.1 defines “Employee” as an employee in the bargaining unit and covered by the collective agreement.
• Article 4.5 defines a probationary employee as “an Employee who has been hired but has not completed the six-month probationary period.” (Emphasis in the original.) Article 4.5 goes on to state that a probationary employee may be dismissed at any time during the probationary period without the employer having to establish just cause, and that a probationary employee is covered by the collective agreement but for certain exceptions.
• Article 7.3 states that “[a] Probationary Employee may be dismissed during the Probationary period without the Employer having to prove just cause, and in such cases, the Probationary Employee may access the grievance and arbitration procedure, but arbitral review shall be restricted to whether the Employer has complied with Article 5 (No Discrimination) of this Agreement.” (Emphasis in the original.)

The Verdict

That language proved decisive. The collective agreement draws a clear distinction between being hired and actually commencing work, suggesting that employment status can exist before the first day on the job.

The court concluded that the essential character of the dispute, the municipality’s decision to terminate Ms. Gentleman’s employment and the manner of termination, falls within the dispute resolution regime.

Ms. Gentleman was hired for the full-time permanent position of planner. The position of planner is in the bargaining unit and is covered by the collective agreement. Ms. Gentleman was an “Employee” within the meaning of the collective agreement as she fell within the definition of “Probationary Employee.”

Once Ms. Gentleman accepted the offer for a unionized position, she became an employee under the collective agreement. Since the collective agreement allowed probationary employees to access grievance and arbitration procedures, the dispute belonged in labour arbitration, not court.

The court emphasized that the fact that a claimant may be out of time to file a grievance does not give jurisdiction to a court to hear a civil claim that would otherwise have been within the exclusive jurisdiction of an arbitrator. Arbitrators do have the ability to extend deadlines when there are reasonable grounds and no substantial prejudice to the parties.

The Takeaway

Employers may want to note that the moment an offer for a unionized position is accepted, the employment relationship and all the rights and obligations under the collective agreement may begin.

Ogletree Deakins’ Canada offices will continue to monitor developments and provide updates on the Cross-Border and Traditional Labor Relations blogs as additional information becomes available.

Perry Yung is an associate in the Toronto office of Ogletree Deakins.

Michelle Do, a law clerk in the Toronto office of Ogletree Deakins, contributed to this article.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts

Quick Hits

• A federal judge in New York ruled that documents generated using a publicly available AI tool are not protected by attorney-client privilege or the work product doctrine.
• The court found that the defendant’s use of a consumer-grade AI platform to draft legal documents compromised confidentiality, thus failing to meet the requirements for attorney-client privilege.
• The court’s decision highlights the risks of using consumer AI tools in legal contexts and underscores the importance of secure, attorney-directed AI platforms to maintain privilege protections.

Case Background

Bradley Heppner, the defendant, was indicted on October 28, 2025, on charges of securities fraud, wire fraud, and related offenses, including conspiracy, obstruction, and making false statements. Following a grand jury subpoena and after Heppner became aware he was the target of a federal investigation, he engaged legal counsel.

In the critical period after learning he was under investigation but before his indictment, Heppner independently used a publicly available generative AI platform to draft approximately thirty-one documents. These documents outlined potential defense strategies, legal arguments, and factual analyses related to the investigation. In his prompts to the AI, Heppner discussed the government’s likely case theory, his potential criminal exposure, and anticipated defenses. Critically, he created these materials entirely on his own initiative—without direction from his attorneys—and only later shared them with counsel to inform strategy discussions.

During the execution of a search warrant on Heppner’s property, federal agents seized electronic devices containing both the AI-generated documents and the underlying interaction logs showing Heppner’s prompts to the AI platform. Heppner’s defense team asserted privilege over the materials, describing them in a privilege log as “artificial intelligence-generated analysis conveying facts to counsel for the purpose of obtaining legal advice.” The government moved for a ruling that the documents were not privileged, arguing they lacked the confidentiality essential to privilege and were not prepared in connection with obtaining legal advice from an attorney.

The Court’s Decision

Judge Jed S. Rakoff, presiding over the case, ruled from the bench during a pretrial conference on February 10, 2026, granting the government’s motion in full. He held that neither attorney-client privilege nor the work product doctrine protected the AI-generated documents from disclosure. His subsequent written opinion, issued February 17, 2026, characterized the question as one of first impression at the federal level and provided a detailed roadmap for analyzing privilege claims involving AI-generated materials.

Attorney-Client Privilege Analysis

Attorney-client privilege protects confidential communications between a client and an attorney made for the purpose of obtaining or providing legal advice. The privilege belongs to the client, but its protections depend on maintaining confidentiality. The court found that Heppner’s interactions with the AI platform failed this framework on multiple grounds.

First, Judge Rakoff emphasized that confidentiality—the cornerstone of the privilege—was fatally compromised. By inputting sensitive information into a consumer AI platform operated by a third party, Heppner voluntarily disclosed that information outside the attorney-client relationship. The court examined the AI company’s terms of service and privacy policy, which explicitly permit data collection, retention, and use for model training purposes, and found that these terms negated any reasonable expectation of confidentiality.

Second, the court rejected the defense’s creative argument that the AI platform functioned as a privileged intermediary under the Kovel doctrine. Under United States v. Kovel, 296 F.2d 918 (2d Cir. 1961), privilege may extend to communications with third parties—such as accountants, translators, or experts—when their involvement is necessary for effective legal representation. Judge Rakoff found this doctrine inapplicable for two reasons: the AI was not “necessary” for counsel to understand the client’s communications, and more fundamentally, Heppner engaged the AI entirely on his own initiative rather than at counsel’s direction.

Third, the court rejected the notion that privilege could attach retroactively. Although Heppner eventually shared the AI-generated documents with his attorneys, this subsequent disclosure to counsel could not cure the earlier waiver. The privilege, the court explained, must exist at the time of the communication; it cannot be manufactured after the fact by routing previously disclosed materials through an attorney.

Work Product Doctrine Analysis

The work product doctrine, rooted in Hickman v. Taylor, 329 U.S. 495 (1947), and codified in Federal Rules of Civil Procedure 26(b)(3), shields materials prepared in anticipation of litigation by a party or their representative. The doctrine applies in criminal cases through Federal Rules of Criminal Procedure 16(b)(2). Its core purpose is to create a zone of privacy in which attorneys can develop legal theories and strategies without fear of disclosure to adversaries.

Judge Rakoff held that the documents failed to qualify as protected work product for several reasons. Although Heppner undoubtedly prepared them in anticipation of litigation—he knew he was under investigation—the materials reflected his own thinking rather than the mental impressions or legal strategies of his attorneys. The court emphasized that the doctrine’s animating purpose is to protect attorney work product, and while client-prepared materials can qualify in some circumstances, the protection is strongest when materials are prepared by or at the direction of counsel. Here, Heppner acted entirely independently. Moreover, even if the documents could otherwise qualify, Judge Rakoff found that disclosure to the third-party AI platform effected a waiver by destroying the confidentiality that work product protection presupposes.

Limitations of the Decision

While United States v. Heppner represents an important early judicial statement on attorney-client privilege and work product protections in the context of generative AI tools, it has several notable limitations in scope, precedential value, and applicability.

Fact-Specific Nature of the Ruling

The decision is tightly tied to its particular facts. Heppner used a consumer-grade, public version of the AI tool entirely on his own initiative, without any direction, supervision, or involvement from his attorneys. He created the documents before or outside structured attorney guidance and only later shared them with counsel. Moreover, the tool’s terms of service explicitly disclaimed confidentiality, permitted data use for model training, and allowed disclosure to third parties, including regulators.

In his decision, Judge Rakoff acknowledged that the outcome might well differ under alternative circumstances—for example, if defense counsel had directed or supervised the AI use as part of a deliberate legal strategy, if an enterprise-grade or secure version of the AI tool had been employed (one with contractual confidentiality protections, prohibitions on data training from inputs, or zero-retention policies), or if the AI had functioned more like a necessary third-party aide under the Kovel doctrine, such as a translator or technical expert retained by counsel. The court did not broadly prohibit AI use in legal work; it rejected privilege only under these specific unsupervised, nonconfidential conditions.

Limited Precedential Weight

It is important to recognize that Heppner is a single district court decision from the Southern District of New York. While it carries persuasive weight—particularly given Judge Rakoff’s prominence—it is not binding on other judges within the Southern District of New York, other federal districts, state courts, or appellate courts. No appeal has yet addressed the ruling. As a matter of first impression nationwide, future courts could distinguish, narrow, expand, or reject its reasoning based on different facts or evolving technology.

Not a Blanket Rule Against AI

Critically, the decision does not hold that all communications involving generative AI are inherently unprivileged, that privilege is automatically waived merely by using any AI tool, or that enterprise, confidential, or attorney-supervised AI platforms cannot preserve protections. Many legal commentators stress that the ruling reinforces traditional privilege principles—confidentiality, attorney involvement, and the purpose of obtaining legal advice—rather than creating new anti-AI doctrine. If AI is used under attorney direction with secure tools designed for confidentiality, such as private instances with data isolation, privilege arguments remain viable.

Questions About Cloud-Based Legal Technology

The opinion may also reflect an incomplete view of how contemporary cloud-based legal tools operate. Document management systems, email platforms, and legal research databases all involve third-party servers, yet they do not typically destroy privilege when confidentiality is reasonably maintained through appropriate contractual and technical safeguards. The court’s heavy reliance on the platform provider’s specific privacy policy and disclaimers may not translate perfectly to every AI platform or to future iterations with stronger privacy protections.

As more courts confront AI-related privilege disputes—particularly those involving enterprise tools, attorney-directed workflows, or platforms with evolving privacy policies—these principles will likely be refined or clarified. In essence, Heppner represents a cautionary, fact-specific application of longstanding privilege rules to consumer AI misuse rather than a sweeping prohibition. It highlights real risks but leaves room for privilege-preserving AI practices when confidentiality and attorney involvement are properly maintained. Attorneys and litigants may want to treat it as persuasive authority urging careful tool selection and supervision rather than an absolute bar on AI use in legal contexts.

Practical Implications for Attorneys and Clients

The Heppner decision carries immediate and practical consequences for legal practitioners and their clients.

For individual and corporate clients: The ruling sends an unambiguous message: sensitive legal matters discussed with consumer-facing AI platforms will likely not be protected under the Kovel doctrine. Information shared with publicly available AI platforms may be discoverable, subpoenaed, or seized, and Heppner suggests courts will not extend privilege to shield it. Opposing counsels certainly will seek information in discovery about litigants’ use of consumer-facing AI platforms.

For law firms and in-house legal departments: Attorneys may want to proactively inform clients about the risks of AI use during representation. Engagement letters and litigation hold notices may need to be updated to address AI platforms explicitly. Firms may want to also evaluate their own AI usage: consumer-grade tools used for legal research, drafting, or case analysis may implicate similar concerns. Enterprise AI solutions with contractual confidentiality protections, data isolation, and compliance certifications offer a more defensible path forward.

The Evolving Legal Landscape

Judge Rakoff acknowledged that Heppner represents an early judicial foray into uncharted territory. As AI adoption accelerates—generative AI tools are now used in a majority of U.S. households and an increasing number of businesses—courts will inevitably confront more disputes at the intersection of AI and privilege. Future cases may test whether enterprise AI platforms with robust confidentiality agreements receive different treatment, whether AI tools directed by counsel qualify for Kovel protection, or whether work product doctrine analysis changes when attorneys actively supervise AI-assisted preparation. For now, Heppner establishes a cautious baseline: consumer AI platforms are third parties, and disclosure to them carries the same privilege consequences as disclosure to any other outside party.

Conclusion

United States v. Heppner delivers a clear warning: the convenience of AI does not come without legal risk. For clients, the instinct to use powerful AI tools to understand legal exposure is understandable—but acting on that instinct without attorney guidance may create discoverable evidence and waive protections that would otherwise apply. For attorneys, the decision underscores the importance of early and explicit conversations with clients about technology use, as well as careful evaluation of the AI tools employed within the practice itself. As generative AI becomes ubiquitous, maintaining privilege will require not only legal sophistication but technological vigilance.

Ogletree Deakins’ Cybersecurity and Privacy Practice Group and Technology Practice Group will continue to monitor developments and will post updates on the Cybersecurity and Privacy and Technology blogs as additional information becomes available.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts

Quick Hits

• The U.S. District Court for the Western District of Washington recently granted summary judgment to an employer, holding that the plaintiff’s FLSA and Washington state wage claims were barred by a valid separation agreement and release.
• The court rejected the argument that FLSA rights can never be waived by contract, finding no binding authority or statutory text to support a categorical prohibition on waiver.
• The court also held that U.S. Department of Labor supervision or court approval is not required for a private FLSA settlement to be valid, provided a bona fide dispute exists.
• The ruling has significant implications for employers and employees in Washington, particularly regarding the enforceability of severance agreements containing broad releases of wage-and-hour claims.

Background

Eufronio Lomibao was an hourly employee of AGC Biologics, Inc., between December 2022 and May 2024. Lomibao filed suit, alleging that AGC Biologics had failed to compensate him and other hourly employees for all hours worked over forty in a workweek, in violation of the FLSA and the Washington Minimum Wage Act (WMWA), willfully withheld earned wages, and failed to provide bona fide meal and rest periods in violation of the Washington Wage Rebate Act (WWRA) and the Washington Industrial Welfare Act (WIWA).

AGC Biologics moved for summary judgment, arguing that Lomibao could not bring his claims because he had signed a separation agreement and release upon the termination of his employment. The agreement provided Lomibao with certain benefits, including a severance payment of $7,140 and job placement services, in exchange for a general release of all claims against the employer, including claims under the FLSA. The agreement explicitly stated that the employee had been “fully paid for all hours worked” and contained a “Knowing and Voluntary Agreement” signature page confirming that Lomibao had read and understood the terms, been advised to consult an attorney, and was signing voluntarily.

Lomibao opposed summary judgment on two primary grounds and contentions: (1) FLSA rights are not waivable by contract, and (2) even if such rights could be waived, a valid FLSA release requires a bona fide dispute and approval by a court or the U.S. Department of Labor (DOL), neither of which occurred in this case.

The Court’s Analysis

The court rejected Lomibao’s argument that FLSA rights can never be waived. While acknowledging that numerous federal court decisions contain language suggesting that FLSA rights are nonwaivable, the court found that many of those cases involved collective bargaining agreements or circumstances materially different from those in a private severance agreement. The court also noted that several of those same cases “either explicitly or implicitly indicate that FLSA rights can be waived by contract, at least in some situations.”

Critically, the court found no binding authority holding that a waiver of FLSA rights via contract is categorically prohibited. The court observed that nothing in the text of the FLSA itself indicates that waiver is impermissible. Without such authority, the court declined to “recognize a categorical ban on waiver of FLSA rights via contract, especially when prudential concerns and other public policies counsel against such a prohibition.”

Having concluded that FLSA rights can be waived, the court turned to whether such a waiver required DOL supervision or court approval. The Eleventh Circuit has held that FLSA claims can be settled only under DOL supervision or through court-approved stipulated judgments, and the Second Circuit similarly requires judicial approval. In contrast, the Fifth Circuit permits private settlements where a bona fide dispute exists.

The U.S. District Court for the Western District of Washington sided with the Fifth Circuit’s approach, holding that DOL supervision or court approval is not required. The court reasoned that this approach is “wholly consistent with the text of the FLSA, its legislative history, and all binding authority on this subject.” Both parties agreed that a valid FLSA release must resolve a “bona fide dispute,” and the court found this requirement had been satisfied because legitimate questions existed regarding the employer’s FLSA liability.

The Lomibao decision is consistent with the recent trend of federal courts questioning whether court approval is truly required for FLSA settlements.

Key Takeaways

The district court in Lomibao held that FLSA rights can be waived through a well-drafted severance agreement—provided the release resolves a bona fide dispute and is executed knowingly and voluntarily. Given the lack of binding authority from the U.S. Court of Appeals for the Ninth Circuit, continued litigation on this issue within the Ninth Circuit’s district courts (located in Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, and Washington) is likely. Employers may want to ensure separation agreements include clear acknowledgment of full payment, adequate consideration, and knowing and voluntary signature provisions, and take into careful consideration the applicable laws in their respective jurisdictions.

Ogletree Deakins’ Seattle office and Wage and Hour Practice Group will continue to monitor developments and will provide updates on the Class Action, State Developments, and Wage and Hour blogs as additional information becomes available.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts

Quick Hits

• The USPS recently changed a rule so that postmarks may reflect the processing date, rather than the date a post office obtained a letter or package.
• The new rule could lead to fines for employers if mandatory notices concerning employee benefit plans are deemed late.
• Electronically sending mandatory notices can help to meet a legal deadline, if the recipient has agreed to electronic communications.

Under federal laws like the Employee Retirement Income Security Act (ERISA), the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA), the Health Insurance Portability and Accountability Act (HIPAA), and the Affordable Care Act (ACA), employers are required to send a variety of notices to their employees concerning health insurance coverage, retirement benefits, and other employee benefits. For example, depending on the plan type, employers may need to send a summary of benefits and coverage (SBC), a summary plan description (SPD), a list of drugs included in a pharmacy plan formulary, a COBRA coverage notice, a HIPAA privacy notice, a notice of patient protections, a safe harbor notice, an automatic enrollment notice, or a fee disclosure.

In some cases, these notices can be disbursed electronically in a benefits portal or by email, but mailing a paper copy may be legally required if a plan participant has not consented to electronic communications or when there is an obligation to provide the notice to a spouse or dependent, such as in the context of COBRA.

Changing the Postmark Policy

Internal Revenue Code Section 7502, also known as the “mailbox rule,” dictates that if documents or payments are delivered by the USPS after a deadline, they are considered timely filed if the postmark date is on or before the due date. Previously, the USPS postmark date reflected the date when a post office took possession of the letter or package.

In a final rule that took effect December 24, 2025, the USPS changed its policy, indicating that machine-stamped postmarks may reflect the date of automatic processing, rather than the first date the post office obtained possession of the item. Customers can request a manual postmark at a post office if they want to ensure that their letter or package receives a postmark containing a date that aligns with the date when the post office accepted possession.

The postmark date matters for employers to stay legally compliant with their benefit plan notices. For example, general COBRA notices must be sent to new plan participants within ninety days of health coverage starting. COBRA election notices must be sent to an employee within fourteen days after an employer notifies the plan administrator about a qualifying event, such as a layoff, discharge, divorce, or reduction in hours.

Likewise, health plans must send HIPAA notices of privacy practices to enrollees within sixty days of any substantive changes. After a privacy breach, HIPAA-covered entities must notify affected individuals about the breach without unreasonable delay, or no later than sixty calendar days after discovering the breach. 

Employers and health plans may be subject to significant fines and excise taxes if they fail to send the proper notices in a timely manner. In the COBRA context, plan participants can bring claims for civil penalties.

Next Steps

Most plan sponsors outsource the task of providing these notices to third parties. While many vendors may use postal methods that include processing and postmarking mail on-site, others may not have that capacity or may outsource that to postal vendors. This is a good time for employers to raise this question with third-party administrators, recordkeepers, COBRA vendors, and other service providers that they rely on to timely meet benefit plan communication requirements.

Employers and benefit plans that handle mailings themselves may wish to account for the new postmark rule by mailing notices and other plan documents earlier than required, so they can avoid missing a statutory or regulatory deadline. Alternatively, for proof of meeting the deadline, employers and benefit plans can obtain a manual postmark by taking the item to a USPS counter, purchase a certificate of mailing, or use certified or registered mail. 

Because mail in the USPS can be slower, some employers have started relying on private mail couriers to ensure overnight delivery with a receipt; however, that option may be too costly for mass mailings of mandatory notices.

While electronic communications are often permitted for mandatory notices, employers may wish to keep careful records of affirmative consent from plan participants and receipt of the notices, or develop another reasonable compliance strategy for delivery of benefit plan communications that is intended to ensure actual receipt of the information by plan participants and beneficiaries.

Ogletree Deakins’ Employee Benefits and Executive Compensation will continue to monitor developments and will provide updates on the Employee Benefits and Executive Compensation blog as new information becomes available.

Stephanie A. Smithey is a shareholder in Ogletree Deakins’ Indianapolis office.

This article was co-authored by Leah J. Shepherd, who is a writer in Ogletree Deakins’ Washington, D.C., office.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts

Quick Hits

• In Illinois, a new law requires individual and group health plans to cover treatments for menopause symptoms.
• In Philadelphia, a new law bars employers from discriminating against employees based on menopause, perimenopause, or menstruation, and requires accommodations for employees based on menopause, perimenopause, or menstruation symptoms.
• The Illinois law took effect on January 1, 2026, and the Philadelphia law will take effect on January 1, 2027.

The Illinois law requires that health plans cover menopause therapies that are medically necessary and recommended by a qualified physician. It includes hormonal and non-hormonal treatments that are proven safe and effective in peer-reviewed studies.

The Philadelphia law adds “menstruation, perimenopause, menopause” to the list of protected traits or conditions in the city’s antidiscrimination statute, the Philadelphia Fair Practices Ordinance (PFPO). It requires employers to provide reasonable accommodations to employees for needs related to menstruation, perimenopause, and menopause, if the symptoms substantially interfere with an employee’s ability to perform one or more job functions, as long as the accommodation does not impose an undue hardship on the employer. Philadelphia is the first major American city to include menstruation, perimenopause, and menopause among its list of protected classes.

Likewise, on June 24, 2025, Rhode Island enacted a law barring employers from discriminating against workers because of menopause symptoms. It requires employers to provide reasonable accommodations for workers experiencing menopause symptoms. In August 2024, another law took effect in Louisiana, requiring private insurers to cover treatments for menopause.

Common symptoms of perimenopause and menopause include hot flashes, night sweats, sleep disturbances, mood changes, brain fog, weight gain, bone loss, and fatigue.

In general, the state and local laws regarding menopause aim to prevent sex discrimination and gender disparities in medical coverage. The laws related to menopause are not tied to age because, for various reasons, some women may enter early menopause at a relatively young age.

Next Steps

Employers in Philadelphia may wish to update their written policies and practices to indicate that discrimination based on menstruation, perimenopause, or menopause—or retaliation for requesting accommodations related to menstruation, perimenopause, or menopause—will not be tolerated. They may wish to train managers to understand the new law and how to partake in an interactive process to accommodate employees as needed.

Employers in Illinois may wish to review their health plans to ensure that menopause treatments are covered. They may wish to collaborate with their pharmacy benefit manager to determine whether changes need to be made to the formulary to reflect coverage for pharmaceuticals for menopause.

Ogletree Deakins will continue to monitor developments and will provide updates on the Employment Law, Healthcare, Illinois, Leaves of Absence, and Pennsylvania blogs as new information becomes available.

In addition, the Ogletree Deakins Client Portal covers developments in Protected Characteristics under federal, state, and major locality law, including the recent menopause protections in Rhode Island and the upcoming menstruation, perimenopause, and menopause provisions in Philadelphia, Pennsylvania. All client-users have access to Snapshots and Updates. Premium and Advanced subscribers have access to updated policy templates, including the Rhode Island Accommodations Due to Pregnancy, Childbirth, Menopause, and Related Conditions Handbook Policy template. For more information on the Client Portal or a Client Portal subscription, please reach out to clientportal@ogletree.com.

Jennifer L. Colvin is a shareholder in Ogletree Deakins’ Chicago office.

Rachel I. Feinberg is an associate in Ogletree Deakins’ Philadelphia office.

This article was co-authored by Leah J. Shepherd, who is a writer in Ogletree Deakins’ Washington, D.C., office.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts