Navigating Generative Artificial Intelligence in the Corporate World: Striking the Right Balance
Since the public release of ChatGPT in November 2022, generative artificial intelligence (GenAI) has quickly emerged as a potentially transformative technology. In the corporate world, GenAI tools have the potential to help companies produce better results faster in a number of areas, such as software development, expertise automation, document management and generation, contract and predictive analytics, marketing and content generation. But these powerful artificial intelligence tools are novel, complex, and rapidly developing, and therefore can present significant risks and uncertainties in their use within organizations. In light of these opportunities and risks, companies are struggling to find the right balance to leverage the technology. At the extremes, some companies have made public GenAI models inaccessible from corporate systems and banned employees from using the technologies entirely, while others are encouraging exploring their use with little regard for the potential risks. Many companies, however, are thoughtfully assessing GenAI and how to foster its use responsibly within their organizations and developing and implementing policies and guardrails to address a number of critical legal, business and reputational considerations for the use of GenAI in their businesses.
As many of us now know through our early experiments with ChatGPT and other models, GenAI systems are artificial intelligence models that permit users to enter input prompts in the form of text, images, audio, video, software code or other data types, which the model then processes using the data it has been trained on to generate an output content response, such as software code, a trip itinerary, or a business process checklist. In the corporate setting, these input prompts and output results, and the training models used within the GenAI models to generate the outputs, each can present a number of potential issues.
Intellectual Property and Confidentiality Concerns
Several such potential issues relate to intellectual property, contracts, and confidential information. For instance, there is the potential that the data an employee inputs into the model could constitute a trade secret of the company and entering that information into a public or third party GenAI model could put the trade secret status of that information at risk. Or the input data may contain confidential information of a company customer, risking the company breaching a customer contract’s nondisclosure obligation when that information is input into the GenAI model. Similarly, since many GenAI models are trained on vast amounts of unvetted data, the output results of input prompts entered into GenAI models may include third party intellectual property that neither the company nor the GenAI model has authorization to use, exposing the company to potential claims and liability for infringement of third-party copyrights. When an employee is using a GenAI model to assist with development of software code, the output results may contain open-source software on which the model was trained, posing the risk to the company that incorporating that output software code into the company’s code could subject the company’s code to the requirements of the applicable open-source license of the output code.
Data Privacy and Industry-Specific Regulations
In addition to addressing these intellectual property, contract and confidential information considerations around potential legal implications of the input prompts, training data and outputs of GenAI models, companies diving into the world of GenAI must also take into account and prioritize data privacy and security considerations as well as compliance with various U.S. and global regulatory frameworks. GenAI tools process and generate vast amounts of data, for example in the form of text, audio, video, speech, software code, business plans or technical formula, and often have the ability to collect significant user data, such as IP address, browser information and settings and user activity data. In addition to collecting, processing, and generating that data, the tools may also share the data with other third parties. To the extent that data may include personally identifiable information, companies will need to ensure their GenAI use is consistent with applicable data protection and privacy laws such as the California Consumer Privacy Act and the European Union’s General Data Protection Regulation. Some corporate uses of GenAI systems will also need to comply with industry-specific regulations governing the use of certain types of data, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States.
In addition to these legal risks around intellectual property, confidential information, data privacy, security and regulatory issues, companies using GenAI models should ensure that employees are aware that the generated outputs often contain errors, inaccurate, false, and biased information, and reference sources that are incorrect or that don’t exist. Use of such outputs without appropriate policies and compliance procedures could harm the company’s reputation and brand, in addition to exposing companies to legal and financial risk.
Aligning GenAI Policies with Legal Framework
As with all of their policies regarding technology utilization, corporations must ensure that their GenAI policies align with company contractual obligations and applicable data privacy laws and industry-specific regulations and protect and respect intellectual property rights and confidential information rights. Companies should also have appropriate measures in place to audit and ensure compliance with those policies. In the dynamic landscape of GenAI, corporations must proceed thoughtfully, embracing innovation while maintaining legal and compliance standards. By proactively addressing these legal, business, and reputational considerations, corporations can harness the powerful potential of GenAI technologies while mitigating legal risks and helping ensure responsible GenAI deployment in their organizations.
The blog content should not be construed as legal advice.