Introduction
The prolific use of artificial intelligence (“AI”) to increase efficiency, optimize processes, and identify novel solutions has many businesses turning to third-party vendors to harness its potential in an increasingly competitive market. With the rapid technological development of AI, the law has developed into patchwork regulatory regimes,1 with the federal government also signaling a desire to legislate AI development.2 Businesses are left to piece together the regulatory landscape surrounding AI and identify best practices for engaging with vendors using AI.
Before diving into vendor contracts involving the use of AI, a business should coordinate a standardized approach internally to ensure both commercial suitability and regulatory compliance. Such a standardized approach may include (a) performing due diligence on potential vendors, and (b) determining the requisite contractual protections needed.
A. Due diligence of AI vendors
Due diligence considerations can help drive the contract negotiation process with AI vendors to protect certain business interests:
i. On the vendor.
Preliminary due diligence on vendors may help assess risks (including data privacy concerns) and the reliability of a particular vendor. References, reviews, and past solutions may all help indicate whether a vendor will be a suitable business partner. A thorough due diligence process can identify issues (e.g., pending or threatened intellectual property infringement claims, past data breaches, bad publicity, etc.) that guide the contract negotiation process.
ii. On the AI model.
Businesses have a responsibility to understand the mechanisms of any implemented AI solution (which includes those developed and implemented by a vendor on behalf of the business) – particularly in light of the Federal Trade Commission’s increased willingness to pursue remedies, such as algorithmic disgorgement, for businesses that improperly access or use AI-based data.
AI solutions are generally comprised of:
(a) the AI solution (the “Solution”);
(b) the data used to train the AI solution (“Training Data”);
(c) the data entered into the Solution (“Production Data”);
(d) the outcome after the Production Data is entered into the Solution (the “Output”); and
(e) the iterations of the Solution that evolves during training and use (the “Evolution”).
When assessing a new potential Solution, businesses should understand the ownership of such Solution, including whether the model is (a) proprietary, (b) licensed/built upon a model from another company, or (c) open-source. A vendor’s use of third-party Solutions may implicate additional concerns, including whether the third-party’s terms and conditions will govern the use of the Solution and related Outputs.
Solutions often rely on vast amounts of Training Data, and a business should have a clear understanding as to whether such Training Data is being scraped from third-party sources to feed the Solution, and if so, from which sources. Data scraping can sometimes involve copyrighted or personal data, which may prove to be a source of liability for a business should the vendor face any allegations of copyright infringement or suffer a data breach.
Solutions, particularly in the generative AI space, contain a multitude of risks, such as false positives, hallucinations and implicit biases, for example. A vendor should demonstrate to the business thorough testing, training, and validation methods, that the Solution or underlying algorithm is free of bias or can recognize bias and flag any biased outputs for human oversight. A trustworthy vendor will have internal policies to ensure quality control over its Solutions and should be willing to stand by its Solution.
B. Contracting points
A standardized approach to contractual provisions and protections can be strategically used for both continued due diligence purposes and alignment with internal goals and strategies:
1. Scope of Services and Definitions. Vendor agreements should explicitly define the scope of Production Data and Outputs, as well as the ownership of the Solution. In negotiations and drafting, the parties should consider the following:
a. Production Data. Whether (i) the business will need to retain ownership of the Input; and (ii) the business should grant any rights in the Inputs to the vendor, and if so the scope of such rights.
b. Outputs. The parties must negotiate who owns the Outputs. The business may want to own the Outputs from the AI model outright while the vendor may take the position it only licenses the right to use the Outputs to the business.
c. Third-Party Solutions. If the vendor uses a third-party to provide any part of the Solution, the parties should discuss whether there are any third-party terms and conditions applicable to the Solutions and use of Outputs.
2. Data Privacy & Security. If Production Data includes sensitive confidential and/or personal information, the business and vendor should proactively address:
a. Training. The business must determine if it is comfortable with permitting the vendor to use its data to train the Solution for other customers. If such usage is acceptable, the business may consider requiring that its data be anonymized and aggregated.
b. Data Security Standards. The vendor agreement may want to address: (i) the security certifications of the vendor; (ii) the vulnerability and penetration testing conducted by the vendor or an independent third-party; (iii) the procedures in place to address a security incident; and (iv) the vendor’s policies and procedures to prevent the introduction of malicious code into the Solution.
c. Confidentiality. A key confidentiality concern is whether the vendor has the right to use the business’s confidential information contained in Product Data or Training Data for the benefit of all of the vendor’s customers, or whether the business restricts the vendor’s use of the business’s confidential information solely to providing the services to the business.
d. Return or Deletion of Confidential Information. The parties need to agree on whether the business’s confidential information will be, and to what extent it is possible to be, returned or destroyed upon the expiration or termination of the relationship between the business and vendor. This may not be feasible if the business permits the vendor to use confidential information to train or improve the Solution.
If the Solution will be deployed in a client-facing manner, the business and vendor should ensure that such Solution requires client consent before use and that clients are able to opt-out of providing personal data to the Solution. The parties should work closely with legal counsel to arrive at clear terms regarding data confidentiality and ensure compliance with federal and state data protection regulations.
3. Intellectual Property Rights. The business and vendor should proactively address ownership of any Output algorithms, models, solutions, or products developed with the assistance of the Solution. Businesses may wish to require that any Outputs created using its Production Data are solely owned by the business, and that the vendor cannot use the shared data or any Outputs to assist any third-party.
Indemnification obligations arising from intellectual property infringement require special consideration when contemplated for AI Solutions. Generally acceptable exceptions to the intellectual property infringement indemnity (e.g., modifications, combinations or use of the software beyond the scope of the agreement) may not cover the AI context appropriately. For example, modifications and combinations occur frequently with AI. Businesses that agree to such exceptions to the intellectual property infringement indemnity may find themselves lacking sufficient protection against third-party intellectual property infringement claims.
4. Transparency and Bias. Transparency between the vendor and the business is crucial to accurately gauge the liability exposure stemming from use of a Solution. Potential methods to increase transparency and allocate the risks arising from bias in the Solution may include:
a. Adding metrics and methods to address inaccurate information and allowing for regular audits to ensure that the Solution is operating free of bias.
b. Requiring the vendor to monitor for bias throughout the Evolutions.
c. Requesting representations and warranties from the vendor that the Output will not be biased and that the Solution was trained using diverse Training Data.
d. Expanding the vendor’s indemnification obligations to include third-party claims alleging bias from the results of the Solution.
Simultaneously, a vendor may seek to shift liability to its clients from inaccuracies in the Training Data and/or Production Data inputted into the Solution by the business. The business should work with counsel to ensure that responsibility for any inaccuracy in Training Data, Production Data or Output is apportioned appropriately between the business and vendor.
5. Scalability and Performance Metrics. Vendor agreements should delineate clear goals that the parties aim to achieve using the Solution. Service level agreements (“SLAs”) may be utilized to clearly delineate the problem to be solved by the business’s use of the Solution. The key performance metrics addressed in the SLAs may include the accuracy of the Solution, the amount of hallucinations, and false positives and other error rates. Traditional software performance warranties requiring the software to perform in accordance with documentation or specifications may not adequately protect the business as the Solution may naturally evolve from its original documentation or specifications. Businesses may therefore be afforded more protection from a performance warranty that guarantees the desired outcomes from use of any iteration of the Solution. Furthermore, businesses may seek guarantees from vendors regarding the scalability of the Solution should demand for the Solution increase. A well-drafted vendor agreement will seek to include provisions pertaining to upgrades, client support and flexibility in response to ever-changing business needs.
Conclusion
AI Solutions are a potent tool for businesses to harness, but also can increase liability for the business. Thorough due diligence, informed contract negotiations and coordinated implementation is crucial when deploying AI Solutions. Businesses should consult with legal counsel to understand the best practices and risks of working with vendors offering AI Solutions.
Author: Dentons