
If you want to use a GenAI tool on a client or internal project, you must first obtain approval from your delivery manager to confirm you are permitted to use it for any project-related tasks. This applies even if EPAM has issued you a license for the product.
Treat any LLM as an untrusted third party: it is not a safe destination for sensitive data. Do not send sensitive data to any LLM, and take the precautions needed to avoid unintentional exposure, which can lead to breaches and violations of privacy regulations.
As a user, you are responsible for what you input into the AI tool and how you use the output.
The following prohibitions apply to inputs and outputs when using any Generative AI tools:
Never disclose personally identifiable information (PII), proprietary, sensitive, financial, or company-confidential data; this mitigates both privacy and security risks.
Do not disclose NDA-protected information unless the relevant client contract permits it and the respective BU Head has authorized it. Do not share information that would infringe someone's intellectual property rights, and never use or submit information or intellectual property copied from another source where doing so could violate others' rights. Material Non-Public Information (MNPI) must not be disclosed.
Do not disclose company, client, or other confidential or proprietary information except where it is permissible under the relevant client contract, and you are authorized by the relevant BU Head to do so.
Do not disclose market share data, revenue, profitability margins, or other sensitive, proprietary, or confidential financial information.
Do not share specific client names, trademarks, or similar identifying information.
Do not share EPAM Legal communications or advice.
LLM output is unreliable on legal matters such as law or compliance: the model frequently hallucinates statutes, cases, and requirements that do not exist. Do not rely on or distribute any so-called "legal advice" generated by AI tools.
Do not share any information or make any comments that would violate the principles of our Code of Ethical Conduct (this includes but is not limited to comments that would discriminate against, harass, defame, intimidate, or retaliate against others). Do not use Generative AI to violate the law.
Before you start using any AI tool other than EPAM Dial, it must be configured so that the data you input, your prompts, and the outputs are not used by the AI provider to improve its models or disclosed further. In addition, you must enable any content filters and other safety systems built into the AI product. Note that opting out of model training does not by itself stop the provider from retaining or logging your prompts, so also review the provider's data-retention and abuse-monitoring terms.
For example, to use ChatGPT by OpenAI, you must opt out of having your data used for model training. When logged in to the ChatGPT website, go to Settings → Data Controls → toggle off 'Improve the model for everyone' → Done.

Even when a generative AI tool is used in line with ethical guidelines, it may not comply with all applicable data regulations, standards, and contractual obligations, such as GDPR, CCPA, PCI DSS, or an NDA.
Data regulations are established rules that dictate how entities may collect, share, and use personal data. Their aim is to protect individuals' privacy and rights by ensuring that personal data is handled appropriately and securely.
Different regulations govern various contexts and regions:
The General Data Protection Regulation (GDPR) is an EU regulation that dictates how the personal data of individuals in the EU is processed and transferred (it applies based on where the data subject is located, not on citizenship). It emphasizes transparency, security, and the accountability of data controllers.
The California Consumer Privacy Act (CCPA), which applies within California, USA, provides residents the right to know what personal data about them is collected and shared and to whom it's sold.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection in the U.S. It applies to healthcare providers, insurance providers, and other entities that handle healthcare data.
In terms of standards, below are examples that guide how specific data should be managed:
The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that specifies requirements for handling cardholder data in order to reduce payment card fraud.
A Non-Disclosure Agreement (NDA) is not a regulation but a legal contract used worldwide. It defines the confidential material or information that the parties wish to exchange while restricting access to it or its wider use.
Engage the GenAI-X Innovation Hub's legal group to ensure that the solution you offer the customer complies with all applicable regulations. This is especially important now, because many governments are still in the early stages of developing AI-specific regulations and updates are published regularly.
While the output of generative AI tools is not typically considered eligible for copyright protection because it is not created by a human author, this is an evolving area of law. For instance, the US Copyright Office recently announced that works created with the assistance of AI may be copyrightable, provided they involve sufficient human authorship. Even with this evolving stance, the definition of "sufficient human authorship" remains unclear, introducing uncertainty and potential risk.
Contact the GenAI-X Innovation Hub's legal group for guidance if you have any copyright concerns.
Before you start using any GenAI tool, please read EPAM's guidelines and Acceptable Use of Generative AI policy to acknowledge the mandatory process for the acceptable use of generative AI.

I'm Rahul, Sr. Software Engineer (SDE II) and passionate content creator. Sharing my expertise in software development to assist learners.