April 14, 2022

Due Diligence: Privacy & Cybersecurity Risks

Last week, I blogged about ESG due diligence, which has gone from a buzzword to a high priority item in M&A transactions in a short period of time.  Privacy & cybersecurity concerns have followed a similar path. This Sidley memo (p. 10) provides an overview of privacy and cybersecurity diligence issues. This excerpt addresses the emerging issues of artificial intelligence and machine learning:

Artificial intelligence is a hot topic for privacy and cybersecurity laws. One of the biggest diligence risks related to artificial intelligence and machine learning (AI/ML) is not identifying that it’s being used. AI/ML is a technically advanced concept, but its use is far more prevalent than may be immediately understood when looking at the nature of an entity. Anything from assessing weather impacts on crop production to determining who is approved for certain medical benefits can involve AI/ML. The unlimited potential for AI/ML application creates a variety of diligence considerations.

Where AI/ML is trained or used on personal data, there can be significant legal risks. The origin of training data needs to be understood, and diligence should ensure that the legal support for using that data is sound. In fact, the legal ability to use all involved data should be assessed. Companies commonly treat all data as traditional proprietary information. But privacy laws complicate the traditional property-law concepts, and even if laws permit the use of data, contracts may prohibit it.

The memo highlights the magnitude of penalties a company can face for wrongly using data when developing AI/ML. It points out a 2021 FTC action in which the agency alleged that a company had wrongly used photos and videos for training facial recognition AI. As part of the settlement, the FTC ordered that all models and algorithms developed with the use of the photos and videos be deleted. If your company’s primary offering is an AI/ML tool, that kind of order could ruin your whole day.

Since tomorrow’s Good Friday and the first night of Passover, this blog will take the day off.  Happy Easter and Happy Passover to those who celebrate the holidays, and Ramadan Mubarak to those observing the holy month.  Enjoy the weekend and we’ll see you back here on Monday!

John Jenkins