{"id":3827,"date":"2024-05-31T09:00:00","date_gmt":"2024-05-31T14:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/cyber-risk\/data-privacy-age-of-genai"},"modified":"2024-05-31T09:00:00","modified_gmt":"2024-05-31T14:00:00","slug":"data-privacy-in-the-age-of-genai","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/31\/data-privacy-in-the-age-of-genai\/","title":{"rendered":"Data Privacy in the Age of GenAI"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/bltf8816ef7dc107548\/6659d2298db0bcf3a40fff3e\/AI%281800%29_Brain_light_Alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">COMMENTARY<\/span><\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The American Privacy Rights Act of 2024 (APRA) is the most comprehensive proposed national legislation defining privacy for Americans to date \u2014 the kind of legislation that has historically had difficulty winning federal approval. We&#8217;re looking at legislation that holds organizations accountable at a level we&#8217;ve not yet seen. 
With APRA, these companies will need:&nbsp;<\/span><\/p>\n<div data-component=\"basic-list\" class=\"BasicList BasicList_nestedLevel_0 BasicList_variant_unordered BasicList_limited\">\n<ul data-testid=\"basic-list-unordered\" class=\"BasicList-UnorderedList\">\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"6\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"7\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Annual CEO-signed certification of compliance<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"6.5\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"8\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Mandated reporting lines for privacy and security officers (You can&#8217;t have a figurehead chief privacy officer with no reports or budget.)&nbsp;<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"6\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"7\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">To conduct biennial audits and Privacy Impact Assessments 
(PIAs)&nbsp;<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"6.5\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"8\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">To publish the privacy policies for the past 10 years and deliver annual reports on consumer requests related to privacy&nbsp;<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">There&#8217;s a reason why the United States has not passed any comprehensive data privacy laws in recent history: Companies largely monetize consumer data. Data is profitable, and restricting that cash flow would have economic ripple effects. However, while well-intentioned, APRA does warrant some scrutiny. Notably, its Civil Rights and Algorithm section lacks concern about transparency and ethics.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The dynamic between &#8220;covered entity&#8221; and &#8220;service provider&#8221; is detailed in a way that places responsibility on entities like retailers to have well-defined processes, programs, and procedures to maintain compliance. The onus is not placed on service providers like white-label loyalty programs. This presents a challenge that we&#8217;ve all experienced: Try to delete an embarrassing picture that&#8217;s been put in a third-party platform. 
It always seems to pop back up.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Another example: APRA requires annual algorithm impact assessments if there is a &#8220;consequential risk of harm to defined groups or outcomes.&#8221; The way to measure the impact and to define the consequential risk of harm is not well defined. If a member of a protected class is denied a loan from a provider using an algorithm, and they lose their car because they needed the loan, is that consequential harm? What if they were denied by one provider but got the loan from another provider? Could the first provider be liable for bias or disparate impact?&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Undoubtedly, the United States needs widespread and comprehensive data privacy regulation. Every consumer is having their personally identifiable information (PII) and&nbsp;<\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/xiphcyber.com\/articles\/social-media-tracking\" rel=\"noopener\">online activities<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&nbsp;gathered up by organizations such as social media giants \u2014 even if the consumer doesn&#8217;t have an account. Those companies are not obligated to define user activity or data collected this way as sensitive data, or to notify individuals that their data is being collected. 
Their argument is that they don&#8217;t&nbsp;<\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_italic\">actually<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&nbsp;sell your data. Instead, they sell access to data about you to third parties for targeting.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">There are more gray areas than answers here, especially considering that today&#8217;s technology and our ability to enact enforcement may need improvements to keep up with requirements.&nbsp;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Too Much Trust in GenAI?\">Too Much Trust in GenAI?<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The proliferation of proprietary&nbsp;<\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/application-security\/genai-requires-new-intelligent-defenses\" rel=\"noopener\">generative artificial intelligence<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&nbsp;(GenAI) models like ChatGPT opens a new can of worms when considering the data these models are built upon and how it impacts responses.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" 
data-testid=\"content-text\">We&#8217;ve seen some of the brightest in society fall victim to the false perception that GenAI will produce correct and evidence-based responses. In June 2023, lawyers in New York were documented as having used ChatGPT to generate case briefs after it was revealed that <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/legal\/new-york-lawyers-sanctioned-using-fake-chatgpt-cases-legal-brief-2023-06-22\/\" rel=\"noopener\">GenAI made up fake cases<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&nbsp;in its responses.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Adding to the complexity for businesses and individuals is an inability to detect biases. 
Different models are likely to produce different results, leading to the issue of transparency and ethics within APRA and how service providers can ensure their GenAI models are providing fair and equitable results across customers.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">For instance, if a customer walks into a physical bank looking for a loan but leaves having been denied, there are likely clear policies set in place that are communicated along with the rejection.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In this scenario, there&#8217;s a clear, policy-backed resolution, but if you replace the banker with a GenAI model, you can&#8217;t see the data or policy upon which it&#8217;s built. How do you know the GenAI wasn&#8217;t built on faulty or biased data?&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">To achieve the results APRA ultimately wants, we need a clearly defined and established policy that GenAI can then ingest and interpret equitably. We are likely many innovation cycles away from this reality. 
That is why we need human operators to be responsible for these policies and ensure the model complies with them.&nbsp;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"A Problem Without a Solution \u2014 Yet&nbsp;\">A Problem Without a Solution \u2014 Yet&nbsp;<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">While APRA is a great start to laying down the foundation for GenAI use, we&#8217;re still far from artificial general intelligence, which can function appropriately without human oversight and intervention. We still need human operators to use AI effectively, and we need to consider these tools as a complementary extension of what humans are already doing rather than a replacement.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Some companies are still adopting a fast and furious approach to integrating AI into their processes, but to get anywhere they still need to place high-value customer data into these GenAI models. After all, high-value data gets high-value results with these tools. The challenge comes in securing sensitive data while leveraging its organizational benefits.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Consumer personal data is still a prime target for threat actors, and organizational consumption of data must be aligned with protecting it from unauthorized access. 
APRA seeks to do some of that but may still need tweaking to ensure comprehensive coverage for Americans.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cyber-risk\/data-privacy-age-of-genai\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>COMMENTARY The American Privacy Rights Act of 2024 (APRA) is<\/p>\n","protected":false},"author":12,"featured_media":3828,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-3827","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?fit=1818%2C1025&ssl=1",1818,1025,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?fit=640%2C361&ssl=1",640,361,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?fit=640%2C361&ssl=1",640,361,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?fit=1536%2C866&ssl=1",1536,866,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?fit=1818%2C1025&ssl=1",1818,1025,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?fit=1024%2C577&s
sl=1",1024,577,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-privacy-in-the-age-of-genai.jpg?fit=1818%2C1025&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3827","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3827"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3827\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/3828"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3827"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3827"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3827"}],"curies":[{"name":"wp","href":"https:\/\/api.w.
org\/{rel}","templated":true}]}}