Artificial intelligence (AI), generative AI in particular, has its brilliance on vast amounts of data, thus greatly increasing AI capabilities, insights, and predictions. But with this reliance on data come potential privacy and security risks. It is because AI tools are data-rich by nature that they’re a potential gold mine for cyber criminals prowling for sensitive or proprietary data to develop.

The latest AI tools have served as an accelerant, thus testing the limits of existing laws while raising novel legal questions for courts to adjudicate with little precedent to count on. Who has the ownership of the troves of data fed into generative AI (GenAI) systems, and what safeguards may attach to its use? Who owns the output, and how might output influence individuals? And, last but not least, who’s responsible for guaranteeing that AI tools are being developed and used more responsibly and lawfully—with appropriate data security and privacy safeguards?

This article talks about potential data security and privacy risks associated with AI, applicable laws and regulations, and what companies can do to achieve their goals in a privacy-respecting manner, while promoting cyber resilience as we both embrace and brace ourselves for increasingly sophisticated AI tools.

While AI shows opportunities to achieve business goals in a way not previously conceived, one should also understand and mitigate potential risks that are connected with its development and use. Even AI tools designed with the most robust security protocols may still present some risks including intellectual property theft, privacy concerns when training data and/or output data may contain personally identifiable information (PII) or protected health information (PHI), and security vulnerabilities originating from data breaches and data tampering.

Courts are now fielding an uptick in lawsuits related to unintended and illegal biases in AI outputs and automated AI decision-making and profiling, ranging from employment discrimination and defamation claims to health care access and insurance coverage claims. AI has also been at the center of investigations and enforcement actions undertaken by some agencies.

Compounding the legal risks are the potential reputational risks facing companies when an unintended mistake or violation originating with an AI tool comes to light. It is because examples include lack of human oversight and decision-making, the disclosure of private, confidential, or proprietary information, or unintended biases or other harms that the development and deployment of AI technologies should contain a robust AI governance program where privacy and data security considerations are entrenched at every level.

Data Security and Privacy Regulations Applicable to AI

Privacy and data security in the context of AI are interdependent disciplines frequently requiring simultaneous consideration and action. First and foremost, advanced enterprise AI tools are trained on prodigious amounts of data handled using algorithms that should be—but are not always—designed to have compliance with privacy and security laws and regulations. Those laws, primarily at the state level, are still changing and can vary greatly from one jurisdiction to another. Another concern is whether or not legal requirements, like consent or copyright, may be attached to the underlying training data. Business deals and contracts can likewise be implicated. For instance, a company could be faced with lawsuits and penalties if its use of AI is discovered to breach contractual obligations.

In the meantime, the applicability of the various state privacy and security laws to AI should also be considered. A law need not be specific to AI to apply to development and deployment of an AI system, which calls into play the patchwork of existing and future state-level governance frameworks.

These are only a few examples of what we look forward to seeing in a very busy legislative year across the country. AI’s potential to make worse data security and privacy risks for both individuals and organizations, and the need to apply rigorous data provenance and governance practices, are ubiquitous themes ripe for legislation and are, therefore, the solid foundation of best practices for the development and use of AI.

Promoting Cyber Resilience in the Era of AI

With it pertaining to data security, key cybersecurity measures include: Conducting multi-factor authentication and strict access controls. Maintaining patch discipline and segmented network architecture. Using data anonymization and pseudonymization techniques. Carrying out data masking to protect sensitive information. Deploying continuous monitoring tools to detect anomalies and latent threats. Training AI models to withstand adversarial inputs.

Privacy and Security in Governance Frameworks

Emerging laws and regulations associated with AI are thematically consistent with their emphasis on accountability, fairness, transparency, accuracy, privacy, and security. These principles can act as guideposts when developing AI governance action plans able to make your organization more resilient as developments in AI technology continue to outpace the law.

Good AI governance combines different risk-management frameworks to address an organization’s legal requirements and values while building proper practices to protect privacy and safeguard their information assets, employees, and customers. Essentially, AI governance should be undertaken in collaboration with a company’s data governance, security, and privacy programs.

Developing an AI governance program typically starts with mapping the ways AI technology is being used (and by whom), identifying and quantifying risks, and carrying out controls to effectively deal with those risks. This process can help companies not only stay compliant as they innovate with AI but also defend against litigation and enforcement actions.