Editor's note: Reproduced with permission. Published January 22, 2024 on Bloomberg Law. Copyright 2024 Bloomberg Industry Group 800-372-1033. For further use please visit https://www.bloombergindustry.com/copyright-and-usage-guidelines-copyright/

You’ve likely noticed a new presence joining your virtual meetings—artificial intelligence designed to capture the discussion. Transcription services can benefit users by helping them capture notes and allowing for consistent messaging within organizations. Automated notes are also easier to search and distribute quickly.

While these technologies can be advantageous, companies should account for and mitigate potential risks. Below are five such risks and potential mitigation strategies.

Privacy, Security, Confidentiality

Many companies using transcription services have vendors to perform those services. Vendors often have access to proprietary and confidential information disclosed in meetings and store a copy of the recorded meeting and/or generated transcript.

A data breach impacting a transcription vendor could result in competitive harm and regulatory and litigation risk.

Concerns may also arise where transcription vendors seek to use a company’s data for their own purposes, including for training their AI algorithms. Depending on the transcription vendor, data used to train AI models may become embedded to some degree within the model’s algorithm, leading to intellectual property protection and confidentiality concerns.

To help mitigate these risks, companies should consider the following:

• Ensure transcription vendors’ data privacy and protection practices align with applicable laws and industry standards.
• Use walled-garden AI models to prevent a company’s data from being accessed externally.
• Enter agreements with transcription vendors restricting their use of company data.
• Consider alternatives to using personal data for training AI models, such as synthetic data.

Disclosure Issues

US public companies must provide regular disclosure under securities laws to the market and regulators through periodic reports filed with the Securities and Exchange Commission, as well as interim reports filed voluntarily or upon occurrence of certain events, such as entry into material contracts. Public companies must ensure that information required to be disclosed is recorded within SEC-specified time periods.

More written materials means more analysis of whether those materials and their content should be disclosed. From a governance perspective, companies should consider if such transcripts should form part of controls that must be analyzed for disclosure purposes.

This risk is exacerbated by the substance of transcriptions, which would inevitably capture inherent debate among corporate actors. If an organization declines to make certain disclosures after due deliberation, a transcribed record could arm the plaintiff’s bar or regulators for a retrospective reexamination of that judgment, with the ambiguity inherent in any deliberation casting doubt on the company’s ultimate conclusions.

Litigation Risk

Written records on corporate proceedings raise litigation risk by increasing the volume of documentation that could be subject to review and inquiry by third parties, regulators, or the government. Defendants should be careful in their document retention practices. When proceedings are contemplated, parties are required to conserve certain documents related to those proceedings.

Meeting transcription presents the possibility that certain statements, even if not illegal or malicious, could be retrospectively viewed as such in a different context, and could in turn bring legal risk to the company.

• Companies should consider the following to help mitigate this risk:
• Ensure retention policies are neither onerous nor permit excessive deletions.
• Reach contractual agreements or understandings with transcription vendors regarding what will be preserved, and for how long.
• Sync legal and IT departments to ensure execution matches intention.

Wiretapping

US wiretapping laws regulate the interception and recording of electronic communications and require some level of consent from the parties involved. Requirements vary, but several state wiretapping statutes require consent of all parties prior to recording—such as California’s Invasion of Privacy Act.

Because transcription services typically entail the creation and/or storage, even if transiently, of a recording of the meeting being transcribed, companies must consider the applicability of wiretapping laws, providing required notices and ensuring necessary consents for legal compliance.

Biometrics

Several US laws require companies to notify individuals and obtain their consent prior to processing their biometric data.

While there’s no universal definition, most relevant laws view biometric data as unique physical or behavioral characteristics that can be used for automated recognition—see the California Consumer Privacy Act’s definition of “biometric information,” As AI services are better able to measure physiological and behavioral characteristics, the definition is being tested and expanded.

While a mere speech-to-text translation service is less likely to trigger application of these biometric laws, services that go beyond and analyze, for example, sentiment or accent may be in more of a legal gray area. Companies should consider whether collected or derived data could be considered biometric data within the scope of applicable laws, particularly before deploying a service that offers this more robust analysis.

Meeting transcription services offer a host of benefits and conveniences. However, no new technology comes risk-free. Companies that use these technologies must ensure compliance with applicable laws and take steps to minimize risks.