Privacy and Security in Robotics and AI Systems

I help clients create privacy and security programs to protect their AI and robotics systems. Privacy within these systems concerns the personal data of individuals: how that data is collected, how it is used, and with whom it is shared. It also concerns how individuals can access that information to see what is there, update it as needed, and resolve disputes that might arise over the use of their personal data. At the heart of the matter is personal data and the fact that it must be kept secure for there to be true privacy.

Privacy is about the use and control of that personal data. Security, on the other hand, may or may not involve personal data. Security means making sure that information is kept confidential, that its integrity is protected, and that it is available when needed. It is imperative to ensure that attackers cannot breach a system and access private, personal information. It is also important to make sure that data is not sent to the wrong place by accident or through poor system design. We want to ensure data is not corrupted unintentionally, and to prevent attacks intended to block people from accessing their information or those systems.

Compliance with Privacy and Security Laws in Robotics and AI Systems

SVLG’s AI and Robotics group helps companies comply with privacy and security laws, and with laws relating to advanced information technologies such as the Internet of Things, artificial intelligence, and robotics. Such companies should understand what kind of data they have and where it goes, and then consider which laws apply to what they are doing.

Privacy and security laws may be specific to the type of data. For example, in healthcare, the Health Insurance Portability and Accountability Act (HIPAA) governs the security and privacy of protected health information. Laws like this are based on the type of information, and they can also be based on the type of device on which the data is stored or through which it is processed.

California has a new connected device security law that requires manufacturers to equip their devices with reasonable security features to protect the data those devices process. It is important to meet local requirements such as these, but also to look at the broader picture. There are benchmarks companies can use to judge their security and privacy practices. For instance, they can examine the standards published by the National Institute of Standards and Technology (NIST), by groups like SANS, or by one of the many other organizations that provide privacy and security frameworks. Companies should not merely meet these standards, but strive to go above and beyond them where they can. Anyone seeking to develop a privacy program needs to look outside their own organization. Fortunately, there are resources available, and groups like SVLG that are capable of helping.

Companies that fail to keep up with industry practices and the requirements of industry-standard frameworks may find that they have fallen below the industry standard, and that creates legal risk for them.

GDPR Compliance

My clients face a number of cutting-edge legal issues. One of them is handling the relatively new European Union General Data Protection Regulation (GDPR). It is a law that imposes privacy and security requirements on certain companies that handle the personal data of European residents. Companies that develop related products are asking themselves: Do I comply with the law? Are there gaps between what I am doing and what I should be doing? Could I be at risk of an action by a government regulator, or by individuals affected by my privacy practices? They are also concerned with making sure their systems are secure and that they are doing what it takes to prevent data breaches that could cripple their organization. If they suffer a data breach and find themselves on the receiving end of a lawsuit, it will distract from their business mission and require a great deal of money to defend against accusations that they failed to secure personal data.

Staying Up to Date on Compliance and Legal Obligations

There are publications and programs one can read or view to learn about the compliance obligations companies have. In-house counsel will be focused on what the law says and how it applies to their particular company. It is up to the general counsel, or to someone within the legal department assigned to the issue, to look at those details and compare the requirements with the company’s current course of action. Any time a new law comes out, counsel should read the actual text of the law and then compare it with what the organization is currently doing, to determine whether it meets the new legislation or regulation.

One of the most valuable things I have done to get up to speed on new laws is my involvement with the American Bar Association. I am a member of the Section of Science and Technology Law and of various committees within the section, including the Artificial Intelligence and Robotics Committee, the Information Security Committee, the Big Data Committee, and the Internet of Things Committee. By talking with other practitioners I stay abreast of the latest laws, I can advise on what they actually mean, and I can relay the implications for various kinds of businesses. I would be happy to get in touch with the general counsel on your staff to assess your current and future security and privacy program.
