Artificial intelligence (AI) technology has presented numerous ways to perform tasks more efficiently, including in the workplace. But as AI in the workplace grows, so do potential legal risks for an organization. As more businesses embrace AI, their employees should be taught how to use the technology while being mindful of the potential risks for their employer and its clients. To guide that education, organizations should establish an AI policy that addresses how the technology should (and should not) be used to further the organization's mission. To start, the policy should address the following areas.
Submission of sensitive information
As a general rule, employees should be prohibited from entering their organization's confidential information or trade secrets to an AI platform. The absence of such boundaries can lead to breaches of nondisclosure agreements with clients, compromise of an organization's trade secret status, and violation of data protection laws. It's also helpful to an employee for "confidential information" to be defined in a thoughtful way that describes what cannot be submitted to an AI tool.
Fact-checking and infringement
Employees should fact-check the information they receive from AI tools before using it to inform their work. Employees should also be discouraged from using an AI platform in a way that violates intellectual property rights (for example, instructing an AI platform to create a work that is in a "style similar to" that of an existing third-party work, then using the output as work product). While the law is not yet definitive on where liability would fall for use of an AI tool in this way, use of an existing work to inform a new work generally presents intellectual property infringement risks.
"AI" terminology
A policy's definition of the term "artificial intelligence" may include a variety of tools, as well as elements of popular tools that are already in use at the organization (such as certain AI components of e-mail applications or word-processing programs). Does the term concern these tools, or does it speak only to newer applications, such as chatbots or image-generation services? An organization should consider any AI tools that it already uses or plans to use and decide how the limits outlined in its AI policy apply to those tools.
Enforcement
An organization should consider its broader technology structures when determining how to enforce its AI policies. For example, if an organization encourages employees to use personal devices for work, enforcement of a policy that broadly prohibits use of AI tools for work will be difficult to enforce. An organization likely cannot track how employees are using AI tools on personal devices. On the flip side, if employees only use devices provided by their employer, the organization could more easily determine an employee's compliance with the policy. An organization should consider the systems it has in place to determine the most realistic way to consistently enforce or monitor compliance with its AI use policy.
Compliance with other workplace policies
An organization should inform employees that the introduction of AI tools does not excuse them from compliance with other policies, including those against discrimination, harassment, or other illegal or prohibited activity.
Additional provisions not addressed above may depend on the organization's enforcement approaches, consideration of its current or aspirational uses of AI, and other priorities specific to the organization, its employees, and/or its clients. Additionally, the policy will likely need to be updated over time to account for new technological developments as well as evolving laws and regulations.
If you or your organization would like to talk more about artificial intelligence workplace policies, please contact A.J. Zottola or Channing D. Gatewood. And click here to learn more about Venable's IP Tech services.