How to Avoid Privacy and Data Security Risks Associated with AI

Chances are you've heard about tools like ChatGPT and Bard lately — the world has been buzzing with the potential of these AI tools for higher production and potentially putting jobs at risk. Many people, including employees, have been experimenting with these generative tools.

Organizations are recognizing the risk factors judging by the upsurge of company policies relating to the use of generative AI within workplaces, from outright bans to allowing full access. Ironically, Google warned its employees about using its own AI tool, Bard.

Employers are understandably confused. They are also concerned about data security and privacy risks.

What are the opportunities and risks and how should you weigh your options when creating policies for employees?

Basics of Generative AI

Generative AI (GenAI) is a type of artificial intelligence that has been designed to generate content, including text, images, audio, and video. What has generated a lot of the excitement around these tools is the ability to create new data built upon the input data it was trained on. It has a broad range of applications in industries and jobs of all kinds.

But, as with any new technological advancement, there are risks associated with GenAI, ranging from the potential for the spread of misinformation to data security risks.

In fact, CIO placed "operationalizing artificial intelligence" in the number two position on its list of the 12 biggest issues facing IT today.

Data Security Risks

GenAI tools work based on data inputs that have been provided to generate responses. If sensitive or confidential information is shared during interactions with these tools, there is a risk of data privacy breaches.

For instance, suppose the VP of HR is interested in exploring employee promotions based on various aspects of employee diversity. Inputting workforce data into a GenAI tool could readily do that, reporting in seconds on the percentage of employees in certain classes that have moved into higher-level positions. But, unless the GenAI tool being used is proprietary to the business, the data entered could become accessible to anyone interacting with these tools.

Another risk is related to potential intellectual property (IP) infringement. When creating a prompt, if an employee were to input copyrighted content owned by the organization and the output substantially resembled that original copyrighted work, it could be considered an infringement of the copyright holder's IP rights.

When using external tools, it's important to carefully review the data storage and retention policies of the tool's provider and the data protection measures related to encryption and anonymization.

As we've seen, even proprietary tools like Google Bard could potentially pose some risk — hence their concern about employee use.

There may also be risks related to certain data protection regulations that employers are required to follow. For instance, the European Union's General Data Protection Regulation and the California Consumer Privacy Act. Employers must be sure their use of these tools aligns with these legal frameworks.

Minimizing Risk

There are a number of steps organizations can take to help educate employees and minimize privacy and data security risks. These include:

• Clear usage policies. Work with legal counsel and data security and IT leaders to develop security policies about the appropriate use of GenAI tools, outlining expectations, guidelines, and consequences for misuse.

• Access controls. Not all employees will need access to these tools, so it's important to establish controls to limit access only to authorized users.

• Detection and response. Monitor for any unauthorized use or suspicious activity. Have an incident response plan in place to detect and promptly address any security incidents or breaches.

• Employee communication, training, and awareness. Communicate with employees about expectations and guidelines and why you've established them. As with all security training, make sure communication is ongoing and provide guidance on where employees should report their concerns or ask questions about the use of GenAI.

• Audits and assessments. Regularly conduct audits and security assessments to ensure compliance with data protection regulations and to identify any potential vulnerabilities.

Despite the risks posed by generative AI in its various emerging forms and applications, the productivity these tools provide is becoming increasingly apparent. It's not likely that organizations can sustain a blanket prohibition on GenAI use. It's important, though, to consider how these tools should be used, the type of education and security guidance employees will need to be provided, and how best to protect business interests while recognizing the benefits these platforms can offer.