We Get Privacy for Work: Assessing the Risks of AI Tools

Transcript

INTRO

The widespread adoption of AI tools has the potential to increase efficiency in the workplace but can also create potential pitfalls if proper planning and processes are not in place.  

 On this episode of We get Privacy for work, we discuss how leveraging the seemingly innocuous AI note taker function can present unintended consequences if unlimited access or unprofessional commentary are not kept in check.  

Today's hosts are Damon Silver and Joe Lazzarotti, co-leaders of the firm’s Privacy, Data and Cybersecurity Group and principals, respectively, in the firm's New York City and Tampa offices.  

Damon and Joe, the question on everyone’s mind today is: What can employers do to implement compliant AI technologies that create efficiencies without unintended consequences, and how will this impact my organization?  

CONTENT

Joeseph Lazzarotti
Principal, Tampa

Welcome to the We get Privacy for work podcast. I am Joe Lazzarotti, and I'm joined by my co-host, Damon Silver. Damon and I co-lead the Privacy Data and Cybersecurity Group here at Jackson Lewis. In that role, we get a variety of questions every day from our clients, all of which boil down to a core question. How do we handle our data safely? In other words, how do we leverage all the great things data can do for our organizations, but avoid running into a wall of legal risk? How can we manage that risk without unnecessarily hindering our business operations?

Damon Silver
Principal, New York City

On each episode of the podcast, Joe and I are going to talk through a common question that we're getting from our clients. We're going to talk through it in the same way that we would with our clients, meaning with a focus on the practical. What are the legal risks? What options are available to manage those risks, and what should we be mindful of from an execution perspective? 

Joe, our question for today is: Is it okay for our employees to use AI note-takers? This is a question I know both of us and others in our group have been getting a lot because these note takers are, on their face, extremely helpful technology. No one really likes having to take notes on a Teams or a Zoom meeting, since it's hard to participate in the meeting, especially if you're an active participant while also capturing notes. With these AI note takers, at the end of the meeting, there's a transcript created by a lot of them, and there can be action items created by a lot of them. This seems like a great breakthrough in efficiency. 

Any problems you see with just allowing employees to go ahead and invite these AI meeting assistants to all their meetings?

Lazzarotti 

It's funny, today we had a principal meeting in our office, and one of the attorneys in our office was talking about a case that they have involving one of these note takers. In the process of having a teleconference, one of the individuals who was invited to the call wasn't able to make the call, and the call was about that person. That person wound up getting a transcript about the discussion that was had in that person's absence. Without getting into too much of the details, it just created some angst because they didn't expect that transcript to happen. That issue is one that's come up for me several different times. It's just one of many issues that involves, as you were alluding to, people generally take notes, and they may not capture everything. In my case, you may not be able to read anything, but people take notes, and they only take certain things; it's not everything that's spoken. When that happens, sometimes things that are sensitive don't normally get written down. But if they do, the person understands that and tries to take steps to minimize who gets access to it or where it's saved. Whereas here, one of the issues, and there are many, is how do we handle when the note taker captures everything, including the banter that goes on during the call or before it starts officially. Sometimes people get to the call late, or it's a sensitive call, and there's some information that is personal or certainly business confidential information. Now, that information gets circulated or saved somewhere.

The question becomes, where is it saved? Who has access to it? Is it secure? Is it being disclosed? All the same kinds of questions that organizations face when they are processing sensitive personal data or sensitive company data. That's just to kick it off. It's a key aspect of this because these tools are so new and came on the scene so quickly that people just haven't gotten used to managing the technology and understanding what is actually being done with those transcripts.

Silver 

That's a great point, Joe. The fact that this technology takes a lot of friction out of the process is what is so great about it, but it's also what causes a lot of the problems. If you think about it, if one of your employees or one of your business partners sends you a document that has social security numbers or financial account information, it's very clear that sensitive information is probably, for most of our clients, under protocols in place for where that's going to be saved and what type of access restrictions to place on it and all that type of stuff. 

When you have, it's unlikely to be a Social Security number that's discussed during a meeting, but you could very easily have a discussion of someone's health condition, their upcoming procedure or their family member's condition. You can have a discussion of their religious affiliation, sexual orientation or a discussion of certain legal activities they engage in, like drug use, for example, that might be casually mentioned or going out and getting drunk the night before. There are a lot of things that people would kick around, as you pointed out, before a meeting or during a break in a meeting. No one would ever think to take those down in notes, but here you now have a transcript of all that information, and it needs to be vetted by someone to figure out what needs to be done with it. 

For example, if we are dealing with medical information or sexual orientation or religious information in the same way that if we somehow otherwise learned about an employee's membership in those protected categories. We would want to take, in turn, steps to make sure that we weren't making ourselves more susceptible to a claim that some future employment action was based on those characteristics. We need some way of doing that here. That's a challenge because if you just think about the volume of new documents and data that's being created, it's daunting. If people have to go through and review every one of these transcripts and escalate certain things, you lose some of the efficiency. 

How are you advising clients on how to manage this? Clients obviously don't want to put too much process in place so that they lose efficiency. At the same time, they can't allow this unstructured data collection to just go completely unchecked.

Lazzarotti 

It sometimes depends on the different circumstances. In the healthcare space, some clients are using this to keep notes of patient encounters, and how does that work? In HR, you're seeing this used in different contexts, like sales meetings. You have to think about that, but it starts with understanding what platform you are using.

Are we using an in-house platform that the company has developed and understands? Do we want employees to use some third-party service that can perform a similar function? Once you understand that, you know your business and how you want it to be used, probably some policy or even FAQs because education is a good starting point. Employees whom you want to use it.  Maybe you want to decide some part of the population should use it and can use it and some shouldn't. Some communication, maybe even FAQs, so people really understand what's happening. 

Then, some clear instructions about how it is you want that data, assuming you anticipate that there might be some sensitive data that needs to be protected. How do you manage that? 

Then, certain context. We didn't talk about this, but suppose you have a call that you intend to be privileged, and you don't want third parties to get access to that. You may need contextually to say, okay, in this situation, we need to do this, and in that situation, we need to do that. To ensure people understand not just that we have to keep it confidential and secure, but also that we have to limit access in a way that preserves privilege. 

In short, educating about how to use it to avoid these risks. You raise a really good point, you don't want the safeguards to destroy the utility of the tool. That's where I would start. 

What other things do you think can be done to help with this?

Silver

I want to flesh out one of the points you made, which I think is a really important one. This is true for AI note-takers, but also lots of other AI-powered tools and technologies, whether AI-powered or not. It is really valuable to get an understanding of what the use cases are going to be. A lot of the risks we're talking about are much more relevant to certain types of use cases than others. You mentioned a couple of the higher-risk ones, such as if this is being used for patient encounters, attorney-client privilege communications or HR or finance meetings. There are certain types of meetings where some of the risks that we're talking about are heightened. It probably makes sense to have more rigorous protocols. 

Then, there are other meetings that are related to planning upcoming events or high-level sales tactics. Stuff that is unlikely to involve discussion of any personal information or anything that's sensitive from a business standpoint. In those types of use cases, it probably makes sense to push towards the end of the spectrum of favoring efficiency. There are good opportunities for efficiency, and you're really not assuming a whole lot of additional risk. There is a lot of value in starting with the use cases and having protocols, policies and procedures that are tailored to specific use cases or certain buckets of use cases that are defined based on the risks that they pose. 

Then, one other thing that is valuable is thinking about what your defaults are going to be. For example, a lot of tools provide different options in terms of how the tool functions. Are you going to have as a default that these tools for certain users are just going to join every meeting that they're invited to by default? I certainly see that I sometimes join a meeting with a client, and their AI bot is part of the meeting. I say, hey, I don't think that's a great idea for this conversation, and the person I'm speaking with on the client's end will say, sorry, that just happens automatically for all my calls. Then, somebody kicks the bot out of the meeting, since that's just what happens by default. That's probably not a great idea in most instances. It's probably better to have this be a manual process so that someone is required to think about whether, for this particular meeting, you want a transcript of the meeting. 

Along similar lines, you raised the issue, and I've seen this in a number of contexts as well, of a transcript being sent to everyone who was invited to the meeting. This happens regardless of whether they actually attended or whether they attended certain portions. Again, that could be a place where building a manual component into the process can be valuable. Maybe the tool doesn't start recording and transcribing until someone directs it to, rather than starting the transcription right at the beginning of the meeting. Oftentimes, that beginning of the meeting is not part of the official meeting, but it will still be part of the transcript. 

Then, one other consideration more in the back end is record retention. For a variety of reasons, if these transcripts are being kept for long periods of time, you do run into the issues we were discussing around how to safeguard that information, who should have access to it and there are data minimization issues. Is it really justifiable to have this much information, especially assuming there's some personal information included in those transcripts? Then, also think about it from a litigation perspective. Are you going to explode your ESI costs, if all of a sudden, the transcripts from all these meetings are potentially relevant to a subpoena or to a discovery quest, and now you have to have somebody review them? You also are probably going to potentially find some surprises because there may be things that, again, someone wouldn't have taken down in notes that they took manually, but it is captured in the transcript. It may be that the tone of voice doesn't come across, so someone was joking, but now it's written in the transcript. That tone is gone, and you now have this challenging document that you have to deal with unexpectedly in your litigation.

Lazzarotti

The one thing that is clear is that there are certainly a lot of issues with these applications. One thing I would also add is we’ve moved to all these communications platforms really in a big way, right, with COVID. One of the things I'm encountering, I mean, we're talking about AI note takers, but the whole idea of how to manage Zoom, Teams and all of these platforms, it's still an issue to some degree. What I'm getting at is these meetings are recorded sometimes, so there's still the issue of, whether this something that is subject to the notice requirements and particularly all-party consent states. 

What I found is when speaking to clients about this, and what it turns into is you ask, well, what are some things you can do? It turns into a policy, but it turns into a communication platform policy. The AI note taker is really a slice of that. It's a big slice now because people find it very useful. How do you organize these calls, who do you invite and what are the best practices? Even if you're not using a note taker, you still may have to think about if we're recording the call, do we have to get consent. 

You really want to think about how employees are using these electronic tools, devices and applications for all of this technology, because the other thing is there are AI components being embedded into so many different things. Really understanding where that is and how it applies can really be useful to try to make sure that you're not having an unintended consequence down the road, which I think in a lot of cases, these note takers did. Like the issue that I raised and some of the things that you were raising, certainly about the ESI stuff and where that can lead to problems.

Silver

That's a great place to wrap. We want to thank everyone for joining us on the We get privacy podcast. If you have any questions based on what we talked about today or any ideas for future episodes, you can email us at privacy@JacksonLewis.com. Thanks, Joe and everyone.

OUTRO

Thank you for joining us on We get work®. Please tune into our next program where we will continue to tell you not only what’s legal, but what is effective. We get work® is available to stream and subscribe to on Apple Podcasts, Spotify and YouTube. For more information on today’s topic, our presenters and other Jackson Lewis resources, visit jacksonlewis.com.