AI confidentiality breaches are an avoidable risk
A lack of understanding around everyday use is accounting for most incidents, but mistakes can be costly, one legal expert has warned.
The flow-on effects within a workplace resemble early challenges associated with social media, according to practice leader at national law firm LegalVision, Lauren McKee.
Adapting to new technology is often an exciting time for businesses, she said, especially with everything AI promises: increased efficiency, decreased administrative burden, and productivity boosts – but many businesses are exposing themselves to all sorts of risks by not governing as fast as they are adopting.
McKee said: “Most employees simply fail to understand the implications of submitting data to AI software. The issue is rarely deliberate misuse, but a lack of awareness about how these tools handle and retain sensitive data.”
The operations themselves are often as simple as writing emails, summarising documents, and analysing data, but when client contracts, internal reports, or employee and customer data are fed into public AI platforms, employees often don’t see the future implications.
“When this information gets input into public AI software, it may be saved by the provider, sent offshore, or used to train AI models,” McKee said, adding: “While some AI outputs are completely wrong or misleading, they may appear credible enough to use in your client work or inform decision-making processes.”
“Data incidents may trigger privacy breach notifications, which can attract regulators’ attention and result in costly investigations.”
Incorrect practices can be replicated within and across teams, “making it harder to demonstrate that the business took reasonable steps to manage risk if something goes wrong”.
In the same vein, inconsistent approaches to policy across teams compound the issue.
McKee said: “The early stage of AI implementation is usually marked by internal issues that gradually escalate into official disputes and employee claims.”
Moreover, data incidents can trigger privacy breach notifications, potentially bringing regulatory attention, costly investigations, contract claims, financial loss, and reputational risks.
“Without a clear statement of expected practices, it will be difficult for a business to hold its employees accountable for improper use of AI,” McKee said.
As such, the answer is simple: setting and communicating clear parameters for AI use in the workplace. At minimum, businesses need to define which tools are permitted and which are prohibited, and clearly restrict, as McKee identified, “the input of confidential, personal or commercially sensitive information into external tools”.
An effective AI policy, she continued, “also addresses data security, intellectual property ownership, record keeping, and alignment with current privacy and IT policies”.
McKee said: “While claims are not yet widespread, the volume is increasing as adoption grows. The trend is similar to early social media issues in the workplace, where misuse initially led to internal disputes before becoming a more common feature of formal employment claims.”
“The underlying theme is balancing efficiency gains with clear guardrails.”
Amelia McNamara
Amelia is a Professional Services Journalist with Momentum Media, covering Lawyers Weekly, HR Leader, Accountants Daily and Accounting Times. She has a background in technical copy and arts and culture journalism, and enjoys screenwriting in her spare time.