Law360: How To Deploy AI In A Dangerous Threat Landscape


B. Stephanie Siegmann, chair of the International Trade & National Security Group and co-chair of the Cybersecurity, Privacy & Data Protection Group, and Julianna Malogolowkin share recent insights with Law360 on how organizations can reduce or mitigate liability risk when using or deploying AI tools. Read the full text below. 

Artificial intelligence systems have quickly become mainstream and their use has rapidly expanded, raising concerns for federal and state agencies within the U.S. about whether such AI tools are being used responsibly, transparently and fairly.

Businesses are feeling immense pressure to deploy generative AI tools to accelerate profits and demonstrate their technological superiority to investors and consumers. The unauthorized, unethical and improper use of generative AI tools, however, exposes organizations to significant liability risks.

For instance, misrepresenting how AI tools are being used, and failing to notify or obtain the requisite consent before deploying AI tools, could result in violations of federal or state law. Generative AI tools have a high error rate and are therefore ill-suited to make final decisions without human oversight, especially in the areas of employment and healthcare.

Class action lawsuits have been brought against United Healthcare and Humana alleging coverage determinations were made using AI and not reviewed by a medical professional.

Most alarming, though, is that AI has supercharged cybercrime and created a far more dangerous threat landscape where even unsophisticated actors can craft convincing phishing emails, conduct voice cloning attacks, or create malware to launch cyberattacks.[1]

Legal Background

President Joe Biden issued an executive order in October 2023 calling for the safe and trustworthy development and use of AI. Yet, Congress has failed to act. There is currently no comprehensive federal legislation on data privacy or the use of AI.

Federal agencies have taken steps to regulate AI using existing authorities, but those actions lack clear statutory authority from Congress and are susceptible to legal challenges as a result of the U.S. Supreme Court’s landmark decision in Loper Bright Enterprises v. Raimondo overruling Chevron deference.

In the absence of federal action, states have begun introducing and passing AI regulations that will likely result in new and inconsistent laws across jurisdictions that have the potential to drastically increase compliance costs and hamper technological development.

On May 17, Colorado passed the first expansive AI legislation in the U.S., modeled after the EU AI Act. In contrast, on July 16, the California Privacy Protection Agency Board declined to advance the rulemaking process for its AI regulations due to reservations about how broadly to define the term “automated decisionmaking technology.”

AI as an Enforcement Priority for Federal Agencies

Undeterred by the demise of the Chevron doctrine, on July 23, the U.S. Federal Trade Commission issued orders to eight companies to supply data about their targeted surveillance pricing practices, which the FTC believes use advanced algorithms, AI and other technologies to exploit personal data “to charge people higher prices.”[2]

In July, the FTC filed a complaint against NGL Labs LLC, an anonymous messaging app — and its co-founders — in which it alleged, among other things, that NGL falsely claimed in its marketing directed at children and teens that its “world class AI content moderation” program filtered out cyberbullying and other harmful messages.[3]

On Dec. 19, 2023, the FTC settled an enforcement action against Rite Aid for its “reckless use of facial recognition systems.”[4] These actions demonstrate the FTC’s intent to aggressively police the use of AI tools and technologies using its existing authorities.

Indeed, the FTC joined several other federal agencies, including the U.S. Department of Justice, in issuing a joint statement in April, pledging that they would “vigorously use” current federal laws “to protect individuals’ rights regardless of whether legal violations occur through traditional means or advanced technologies.”[5]

Deputy Attorney General Lisa Monaco signaled that the DOJ intends to robustly prosecute any offense that involves the misuse of AI and seek longer prison sentences against anyone who uses AI in committing crimes. Such cases are at “the very top” of the DOJ’s “enforcement priority list.”[6] In addition, when evaluating compliance programs, the DOJ will be evaluating how companies are assessing and minimizing AI-related risks.

Similarly, in March, the U.S. Securities and Exchange Commission announced that two investment advisers — Delphia (USA) Inc. and Global Predictions Inc. — had paid $400,000 to settle charges that they made false and misleading statements that misrepresented their use of AI and machine learning in their investment services, a practice the SEC has described as “AI-washing.”[7]

Liability Risks

The use of AI tools requires increased risk management and governance procedures.

Confidentiality and Intellectual Property Concerns

Generative AI systems may infringe on copyrighted or trademarked content, or other licensed content because these types of intellectual property are often part of the training data used for ChatGPT and similar foundational AI models.

In December 2023, The New York Times sued Microsoft and OpenAI for billions of dollars in damages for massive and widespread copyright violations arising from OpenAI’s unauthorized use of published works to train AI chatbots.

In addition, confidential information — including IP-protected data or privileged information — should not be shared with generative AI systems or input as a prompt to a generative AI chatbot, as this may violate contractual obligations or expose trade secrets to public disclosure. Any information input into commercially available generative AI chatbots could be incorporated into third-party training tools.

Vulnerabilities to Attacks

AI systems are highly vulnerable to attacks, raising significant threats to organizations.

In January, the National Institute of Standards and Technology issued a stark warning to industry: “[A]dversaries can deliberately confuse or even ‘poison’ AI systems to make them malfunction — and there’s no foolproof defense that their developers can employ.”[8] Further, the data upon which these systems are based may not be trustworthy and can be easily corrupted or manipulated.

Even when carefully designed prompts and guardrails are used, AI chatbots may “spew out bad or toxic information” if an adversary compromises the training data or obtains unauthorized access to AI models.

Generation of False Information

Generative AI chatbots often generate false information or hallucinate. Lawyers have been sanctioned for using ChatGPT to conduct their legal research, and courts around the country are issuing orders requiring lawyers to verify the accuracy of any AI-generated content in legal pleadings.

Disclosure Obligations

Federal agencies will be closely scrutinizing representations concerning the use of AI tools as well as disclosures on how organizations use or share consumers’ data with third parties, including for AI training purposes.

Transformation of Threat Landscape

Deepfake images, videos and voice cloning will continue to proliferate and get harder to detect. AI can be used to generate phishing emails, create malware, identify targets and vulnerabilities, and launch attacks on a massive scale.

Increased Scrutiny of AI and the Implementation of Acceptable Use Policies

While generative AI tools bring tremendous potential benefits, they also carry numerous risks for employers such as IP violations, breach of contract, inadvertent use or disclosure of confidential information resulting in a data breach, creating and disseminating misinformation, errors and inaccuracies in work product, bias in employment decisions, and other possible violations of employment, privacy, and consumer protection laws.

Therefore, employers need to be proactive and adopt an acceptable use policy to govern the responsible and effective use of generative AI tools in the workplace. Failing to take this step will inevitably result in a shadow AI problem.

There is no one-size-fits-all AI acceptable use policy that will meet the needs of all companies. Rather, each policy will be different and should reflect the company’s business needs, values and culture as well as the company’s level of risk tolerance, which will be dependent upon its industry and the applicable legal and regulatory environment.

Thus, in designing an appropriate acceptable use policy, companies should engage a wide range of stakeholders from across the organization that are knowledgeable about the full scope of the business, its priorities and culture, the potential business applications for AI, and the sophistication or skill sets of its employees.

While organizations will want to adopt an acceptable use policy that is flexible enough to adapt to rapidly evolving AI applications, it is vital to perform a comprehensive risk assessment, which identifies the potential risks associated with the use of AI for the business. Possible risks include inaccuracy, contractual obligations, IP infringement and protections, algorithmic bias, regulatory noncompliance, data privacy and security, legal requirements and ethical considerations.

Some uses of AI tools are inherently riskier than others. Thus, companies should determine what AI uses will be permitted, which ones will be restricted or subject to oversight, and which ones will be banned. For example, some companies might decide to allow AI for low-risk, internal tasks such as content creation or generating simple cover letters while banning its use for external presentations or financial forecasts, while other companies that are in heavily regulated industries may ban the use of AI tools altogether.

An acceptable use policy should clearly set forth guidelines for the proper and acceptable use of AI tools to ensure compliance with all applicable laws and regulations.

To limit liability risks, acceptable use policies should include human oversight requirements for permitted AI tools, including the review of AI-generated output. Such policies should also, at a minimum, indicate that employees are required to comply with all other company policies, including codes of ethics, anti-harassment and anti-discrimination policies, information technology and written information security policies, and data privacy and confidentiality policies.

Finally, the policy should clearly set out the company’s right to monitor all employee use of AI tools on the company’s IT systems, that employees should have no expectation of privacy in such use, and that violations of the policy can result in discipline up to and including termination.

Best Practices

The rapid expansion of AI systems brings with it the possibility of widespread dangers, from the proliferation of false information and manipulation to mass surveillance and repression of vulnerable groups, as well as liability risks.

With the upcoming 2024 presidential election, increases in privacy violations and cybercrime, and the potential for unfair and deceptive practices, there will be increased AI scrutiny and enforcement actions in the U.S. As a result, organizations need to implement policies and risk mitigation procedures to reduce their liability risks.

Organizations can take steps when using or deploying AI tools to reduce or mitigate their liability risks:

  1. Establish a risk management and governance procedure for AI tools. For instance, overreliance on outputs from AI tools could lead to the issuance of inaccurate financial statements or conclusions. AI-generated materials should be subject to human oversight, validation and audits.
  2. Create a clear acceptable use policy that educates employees about privacy risks and ensures the protection of confidential information and compliance with all applicable U.S. laws and regulations.
  3. Conduct a full risk assessment of any AI tool before implementation.
  4. Accurately disclose how your organization is using AI tools. As the SEC and FTC have made clear through their enforcement actions, organizations need to ensure that representations about how they use AI are not false or misleading.
  5. Be transparent and obtain consent from consumers before using their personal data in any generative AI system. As new regulations are enacted and go into effect, businesses will likely be required to label AI-generated content. This is a requirement under the EU AI Act. Similarly, businesses should provide notification to consumers when they are interacting with a chatbot or other AI system if it is not obvious to a reasonable person. This is a requirement of the new Colorado AI Law, which goes into effect in February 2026. Transparency in this regard will also avoid allegations of engaging in unfair and deceptive practices by the FTC and state attorneys general.

[1] See FBI Warns of Increasing Threat of Cyber Criminals Utilizing Artificial Intelligence, May 8, 2024, press release available at https://www.fbi.gov/contact-us/field-offices/sanfrancisco/news/fbi-warns-of-increasing-threat-of-cyber-criminals-utilizing-artificial-intelligence.

[2] See FTC Press Release, Jul. 23, 2024, FTC Issues Orders to Eight Companies Seeking Information on Surveillance Pricing | Federal Trade Commission.

[3] See FTC and State of California v. NGL Labs, LLC, Case No. 2:24-cv-5753 (C.D.C.A.), Complaint for Permanent Injunction, Monetary Judgment, Civil Penalty Judgment, and Other Relief (ftc.gov).

[4] See FTC Press Release, Dec. 19, 2023, Rite Aid Banned from Using AI Facial Recognition After FTC Says Retailer Deployed Technology without Reasonable Safeguards | Federal Trade Commission.

[5] See JOINT STATEMENT ON ENFORCEMENT OF CIVIL RIGHTS, FAIR COMPETITION, CONSUMER PROTECTION, AND EQUAL OPPORTUNITY LAWS IN AUTOMATED SYSTEMS (dol.gov).

[6] See DOJ Press Release, Feb. 14, 2024, Office of Public Affairs | Deputy Attorney General Lisa O. Monaco Delivers Remarks at the University of Oxford on the Promise and Peril of AI | United States Department of Justice.

[7] See SEC Press Release, Mar. 18, 2024, SEC.gov | SEC Charges Two Investment Advisers with Making False and Misleading Statements About Their Use of Artificial Intelligence.

[8] NIST Identifies Types of Cyberattacks That Manipulate Behavior of AI Systems, Jan. 4, 2024, available at NIST Identifies Types of Cyberattacks That Manipulate Behavior of AI Systems | NIST.