Published: 8 April 2025
How to protect your business from Artificial Intelligence risks

Artificial Intelligence (AI) has experienced remarkable evolution over the past two decades, with the introduction of ChatGPT in 2022 acting as a pivotal moment that accelerated its widespread adoption across businesses.
AI now powers systems that perform tasks once thought to be uniquely human, like recognising patterns, interpreting vast amounts of data, and streamlining processes. From creating original content with generative AI to transforming entire business models, its potential seems limitless.
However, as AI becomes more integrated into everyday operations, concerns are mounting—particularly around issues like the transparency of decision-making, biases in data, and the growing distance between humans and critical decisions.
If you or your employees are leveraging AI in your business, it's crucial to stay on top of New Zealand’s Privacy Act 2020.
The Act’s Information Privacy Principles (IPPs) set out clear guidelines for how personal information should be collected, used, and shared - and these principles apply at every stage of designing and utilising AI tools. Their purpose is to safeguard individuals' privacy and ensure that personal data is handled with care and responsibility.
To remain compliant, it's important to fully understand how AI systems function and ensure they align with the IPPs. Failing to uphold these principles can result in serious consequences, including fines, penalties, reputational harm, and potential investigations by the privacy commissioner. The stakes are high, so protecting both your business and your customers' privacy should be a top priority when integrating AI.
- Conduct regular privacy impact assessments. Regularly assess how AI processes personal data and ensure compliance with the IPPs.
- Develop procedures for keeping information accurate and for giving individuals access to their information.
- Be transparent and communicative. Tell people how, when, and why the tool is being used. Engage with Māori if AI impacts Māori communities or culture.
- Train employees. Educate staff on data privacy laws, the IPPs, and how to handle personal information responsibly.
- Ensure human review and verification prior to acting on outputs. This can help mitigate the risk of acting on inaccurate or biased information.
- Implement strong security measures. Use encryption, access controls, and other security measures to protect personal data processed by AI systems.
- Ensure that personal or confidential information is not retained or disclosed by the generative AI tool.
In New Zealand, businesses that fail to comply with the Privacy Act and face prosecution may not have direct coverage for legal penalties under standard business insurance policies. However, there are a few types of insurance that could potentially help cover the costs associated with non-compliance, including:
- Professional Indemnity Insurance. This insurance can cover legal costs, damages, and compensation if a business is found liable for negligence, including failing to protect personal data in accordance with the Privacy Act. While it's primarily designed for professional advice or services, it may extend to situations where data mishandling leads to legal action.
- Directors and Officers Insurance. This type of insurance provides coverage for the directors and officers of a company in case they are personally sued for breaches of duty, which may include failure to comply with privacy regulations. It can cover legal defence costs and settlements arising from allegations of improper handling of personal data.
- Management Liability Insurance. Often offered as a package, this insurance may combine elements of D&O insurance and other protections for business leaders. It can cover legal costs related to breaches of regulations such as the Privacy Act, especially if the business or its leadership is sued or investigated.
Aside from data breach risks from using AI, the growth of AI technology also means cyber warfare is more accessible than ever, increasing the risk of cyber-attacks. Between April and September 2024, one in three small and medium-sized businesses reported experiencing cyber-attacks, highlighting that the need for Cyber cover is now more critical than ever.*
- Cyber Liability Insurance. Helps businesses cover the costs associated with data breaches or cyberattacks, which may include legal costs, public relations expenses, and notification costs for affected individuals. Some policies may also cover costs associated with defending against claims related to a breach of the Privacy Act, such as legal fees.
For specific information about complying with the Privacy Act 2020, see the guide for businesses here and contact your Rothbury broker to discuss the best protection from AI risks for your business.
* Experts warn NZ businesses to prepare for AI-driven cyber threats | Insurance Business New Zealand
Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal, financial, or professional advice. For specific advice tailored to your situation, please consult with a qualified professional.