We Get AI for Work™: Analyzing "Brewer v. Otter.ai" — A Case Study of the Legal Risks of AI Note Takers

Transcript

Eric Felsberg
Principal, Long Island

Hello everyone, and welcome to our latest episode of We get AI for work™. My name is Eric Felsberg, and I'm joined by my colleague Joe Lazzarotti. Joe and I lead our AI Group here at the firm, and that team really gets involved in all aspects of AI, from bias testing to policy drafting to the privacy considerations associated with AI and a host of other issues.

We have a great episode today. We're excited to talk about the Otter AI case that some of you may have heard about in the news. Joe, imagine this for a moment. You get an appointment for a business call. The time for the call comes along. You dial into the call. There's one of the meeting platforms that we're all very familiar with at this point. You log in, you get started with the meeting, and you notice, or maybe you don't notice, that there is a note taker there. There's an AI note taker on the call with you, but you don't think much about it, and you go on to have the discussion with the other folks on the call. Maybe during that call, you're discussing some sensitive issues, maybe even some proprietary issues or confidential information. Because you're on the phone with trusted colleagues, you are having that discussion because you're trying to solve a business problem. Then, after the call, you hang up, and later on, you get a recording email sent to you and maybe even a transcript of everything that was discussed during that call. Then, lo and behold, you find out maybe later on that some of the content of that call, including the content that you contributed to the call, is being used to train an algorithm or a model by a third-party provider who is providing the note-taker for your call. Now, you're not really sure where the information you discussed is. You just know that it's out there and may find itself in a model that you had no idea about. No one said they were turning this on. No one asked if it would be okay for them to do that. 

What do you think? If something like that happens to you, where are you going? What's the first thing you're thinking about?

Joe Lazzarotti
Principal, Tampa

Well, it definitely would give me a little pause. We're very sensitive at the firm to attorney-client privilege and that sort of thing. I know we tend to try to watch for that, but most folks aren't thinking about that all the time. They're just jumping on a call and, like you said, trying to solve a business problem. What brought us here today was this Otter case in California that was filed in August. Interestingly, the plaintiff in that case was not a subscriber to ATA and just happened to be on a call that they're alleging was recorded. They're alleging a number of things that the call was recorded, and information was accessed and used without their consent. They're alleging that the information being recorded was used to train their ATA's algorithm, and citing a bunch of laws like the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and a whole host of California laws that they feel are implicated by this. We'll see how that case plays out. 

The way that you frame this really makes a lot of sense because there are a number of issues that come up with that in terms of, was it appropriate to record the call, did the process for recording the call make sense and comply, what was recorded, and who has access to it? What happens to that data, how long is it retained, and who is it shared with? All these questions come up that not only impact the particular process of recording the call, but they may also have unintended consequences. You may have shared information with the third party, in this case, Otter, or any other vendor. It doesn't have to be Otter, but that might violate some confidentiality clause that you signed off on in an agreement. 

There was another story. There were like six or seven people getting on the call. One person doesn't make the call, but everyone is on the invite, and a few people remain after everybody leaves, and maybe they have some not-so-complimentary words about the person who missed the call. Of course, lo and behold, everybody on the invite gets a transcript of that call, including the comments that the two or three people who remained wish never got sent. The person who didn't make the call now sees that, and that creates a pretty significant dispute in the workplace. These are all issues that companies have to contend with as they deploy or, again, maybe they’re not aware of employees using those tools or are not sensitive to it. It's a significant issue.

Felsberg

You alluded to this, but there are legal ramifications. You mentioned that, as attorneys, we're always concerned with the applicability of privilege and being able to speak with our clients freely. If that information is out there, is that privileged on how violated? I mentioned some of them before, the legal issues that apply to this, but it is also an employee relations concern. We've all been on conference calls, and usually, you get on a conference call at the beginning of the call, and there may be some chit-chat going around. There's no expectation that that chit chat is going to be made public in any sort of way. Now, you would hope that the participants are going to keep it businesslike, but sometimes, they may say something in shorthand off the cuff. Now, suddenly, that's out there, and to the point you were making could result in an employee relations concern. 

Joe, just kind of thinking this through though, how do we mitigate this? mean, short of saying to whoever's bringing that note taker on, or even if it's a note taker arriving at the call, but it's not, you know, tied to any one person, at least that's on the call, and us being able to maybe delete them from the call on the back end, you know, what else can we do, right? would it be if we had a window pop up and say, hey, do you consent, right, to the use of this note taker? And, you know, if you have, you know, a half dozen people on the call, what if four of them say okay and two of them say no? How do you move forward? you know, John, I don't know if you have any perspective on that. I imagine that's not an easy answer from a, just from a logistic perspective.

Lazzarotti

Well, it does get difficult, you're right. I mean, I think for the most part, people follow that rule of like implied consent. If you get that pop-up and someone stays on the call, they're consenting. I think some platforms you have to actually click that you accept the recording and that click is captured and retained. But there's also the issue of as a technical matter, suppose you're on a call with a patient and they're now going to be, in effect, disclosing information to the other person on the call, maybe their physician, maybe their healthcare provider, or their employer who's helping to manage claims and there's a third party note taker that's a third party. And is that person a business associate who's now saving that data on their servers? You have to go through that analysis and figure out, is that just having a consent to the recording sufficient? We've talked a bunch over the course of many episodes about different compliance obligations. Another is the CCPA, right? Does somebody, because you're talking to, let's say, a consumer, and it could be an employee, that you're collecting their information, did you give them a notice? Is there a proper privacy policy on your website that contemplates the kind of data that you're going to now collect and record and transmit to a third party. And I think those are some of the questions. So it kind of goes back, think, in my mind, Eric, to some of the governance things that we talked about that you really want to, and I think you said this in a prior episode, is you really want to sit back and think about, you know, what is this tool? What is it that we're doing? And and kind of play out the scenarios, play out the use cases and try to anticipate as best you can what is going to happen, what data is going to be collected, what notices or consents or policies need to be in place to ensure that you're minimizing your risk profile, your risk platform when dealing with these technologies. Because the funny thing about this is that this technology can be used for any conversation in an organization. And that could be employment, could be legal, could be finance, it could be at the board level. And all those different conversations that are recorded come with a different framework of law and obligations that has to be thought through to figure out, is this a good idea?

Felsberg

Yeah, no, I think that makes sense. But for now, I think the takeaway here is, and we talked about one case that's out there right now, I think the takeaway here is that if nothing else, know that there are risks that attach to the use of note takers presently, whether that can be mitigated fully by consent. You know, I think it's somewhat of an open question right now. And exactly, you know, kind of understanding, you know, where some of this information is being stored is also going to be a critical component. I know for now, you know, a lot of times if I'm on a call and I know it's something sensitive that needs to be discussed, I have that conversation right up front with the participants on the call to say, hey, here are some of the concerns that I have. Do we want to go ahead and leave that technology operating or let's not? difficult issue. I'm not sure that we're necessarily going to solve it on this particular call, just so long as people know what's out there is an issue.

Lazzarotti

No, I think it's a great discussion and maybe it's a good place to conclude this one. We'll see how the audit case plays out and the other ones that follow it. I'm sure there will be something, but hope everyone who's listening found this helpful. If you have any questions or any thoughts about topics you'd like us to cover, please reach out anytime. You can contact us at AI at JacksonLewis.com.