AI Notetakers: Do They Comply with the Law?

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: New Hampshire Tech Alliance Newsletter
October 16, 2024

Co-written by Madison Lightfoot-Kunitake, Law Clerk

Have you ever noticed during a videoconference that a participant is using an AI notetaker or that the meeting is being transcribed? Do you already use these technologies, or would you like to? People who use these tools effectively know that they can generate highly valuable outputs, including meeting summaries and direct inputs into business tools, like customer relationship management (CRM) and enterprise resource planning (ERP) applications.

While enticing and exciting, AI notetakers and transcribers are too often implemented (such as by eager employees) without businesses first ensuring that their use complies with cybersecurity, privacy, and other laws and industry regulations and standards. There are three key factors that a business must address to do so: (1) consent; (2) security; and (3) confidentiality.

Consent. Certain laws require consent before any collection and use of certain information. For example, wiretap statutes in eleven states, including New Hampshire and Massachusetts, require consent from every person participating in an audio communication to lawfully record the conversation. Since AI notetakers and transcribers record audio, use of them must comply with the wiretap statute of each participant’s state.

Similarly, privacy laws in twenty states (and many other jurisdictions, including the European Union and Canada) require consent before collecting and using sensitive personal information. That includes information about race, national origin, religious beliefs, political affiliation, sexual orientation, children, health, biometrics, and geolocation. Because the content of some meetings could capture such information, and because the recording of a person’s face or voice itself could reveal some such information, requiring all-participant consent before using an AI notetaker or transcriber ensures compliance with privacy laws.

Videoconference platforms often have a setting to deliver a consent request before a meeting can be recorded. However, AI notetakers and transcribers often do not, even when embedded in a videoconference application. While developers of videoconference platforms and AI notetakers and transcribers hopefully will fix that soon, until then consent must be obtained through other means, such as when a meeting invitation is accepted or orally at the start of a meeting.

Security. Cybersecurity laws and standards require businesses to implement reasonable measures to ensure the safety of certain information. That includes ensuring that the business possesses or has appropriate control over information, that only authorized individuals can access and use the information, and that sensitive information is encrypted. When an unlicensed AI notetaker or transcriber is used, the meeting recording and output from the technology are often retained in the AI’s own cloud environment and used by developers to further train the AI engine.

To ensure appropriate security, a business should purchase a licensed AI application, and ensure that meeting recordings and AI outputs are retained in the business’s own AI cloud instance, are used to train the AI only for the business’s use of it, and are encrypted during transmission and at rest. Additionally, the business should structure its relationship with the AI provider pursuant to an appropriate data processing agreement, which ensures compliance with cybersecurity and privacy laws and outlines the parties’ respective roles and liabilities to each other.

Confidentiality. Trade secret laws, non-disclosure agreements, and other obligations require businesses to maintain the confidentiality of certain information. Ethics codes and industry regulations impose even stricter duties of this kind, particularly for professionals engaged in privileged communications, like medical providers, counselors, social workers, lawyers, etc. Thus, the use of AI notetakers and transcribers by businesses and professionals presents risks of disclosure of confidential and privileged information to third-party AI providers.

To comply with confidentiality obligations, businesses and professionals should ensure that the inputs and outputs of AI notetakers and transcribers are retained on their own devices or clouds, such as through the AI licensing discussed above. Similarly, businesses and professionals should ensure that their public privacy policies disclose their use of AI, and that they obtain consent to use AI in contracts with customers, vendors, business partners, and clients.

AI notetakers and transcribers are exciting new tools with the potential to generate real value for businesses. Just like any other technology, before using an AI notetaker or transcriber, a business must ensure that the use of it will comply with all applicable cybersecurity, privacy, and other laws and industry regulations and standards.