By Kevin P. Kalinich
Law firms and in-house legal counsel are exploring artificial intelligence adoption and educating themselves to provide AI legal advice internally and externally. To better advise on AI decisions, lawyers should know the benefits, shortcomings and best practices of incorporating insurance into AI risk management.
Simple AI systems are already deeply integrated into our society and economy, from virtual assistants for users to anti-fraud detection for businesses. Recent advances based on large language models are quickly increasing the pace of integration and the capacity for errors as newer AI systems replace older AI and non-AI systems.
LLMs frequently produce “hallucinations,” a type of error that brings about novel perils, prompting the need for insurance coverage. For example, the sanctions against the New York and Missouri lawyers who used fake ChatGPT cases in legal briefs are rooted in an LLM system’s hallucinations.
Potential AI perils
Copyright infringement, hallucinations, privacy and bias garner most of the litigation news regarding generative AI, which has the ability to create material, such as images, music and text. However, some developing AI products, such as AI robots, face perils that are different from content misinformation because such mistakes can cause bodily injury and/or tangible property damage.
How will courts extend or limit existing tort law, caselaw, statutory law and contract law with respect to AI? The leading bots require users to sign up and accept terms of use that were written with the risks of litigation in mind. Initially, ChatGPT’s terms included a provision that required users to indemnify OpenAI and its affiliates against “any claims, losses and expenses (including attorneys’ fees) arising from” use of the service.
Conversely, an expanding number of AI leaders now agree (although to a limited extent) to hold harmless and indemnify business customers of generative AI for copyright infringement from training data (e.g., OpenAI, IBM, Microsoft, Amazon, Getty Images, Shutterstock, Adobe).
Both existing laws and developing legal frameworks are applicable. Insurance companies incorporate regulatory standards in underwriting, such as the EU Artificial Intelligence Act. Consider insurance to assist in providing financial loss protection from some AI perils.
AI insurance
Fortunately, lawyers have an advantage in that many of the foregoing AI perils can be addressed by a robust lawyers professional liability policy. An LPL is intended to cover claims of alleged negligence or mistakes causing third-party financial loss. However, most lawyers’ clients will not have an LPL, so it behooves attorneys to have a basic understanding of other insurance that may address AI risks with the following benefits to their clients.
- Protects balance sheets against catastrophic losses
- Independent, third-party underwriters’ review of AI usage (and suggestions for improvements)
- A stamp of insurance carrier risk management verification, which can differentiate organizations to meet customer contract requirements and satisfy regulatory obligations
The applicability of each line of insurance depends on the specific AI usage because most organizations underinsure intangible assets relative to tangible assets.
- Technology errors and omissions: If an organization provides AI products/services or uses third-party vendor AI technologies as part of its provision of products/services, then it should explore errors and omissions insurance, which provides protection against financial loss claims from customers arising from alleged errors, omissions or negligent acts. Coverage endorsements may be necessary to cover traditional media liability perils, such as copyright, trademark and service mark infringement, in addition to historical “advertising injury/personal injury” perils, such as libel, slander, defamation and plagiarism.
- Cyber liability: If not already included within E&O, cyber insurance can cover expenses related to data breaches, hacking incidents, security and privacy violations. Business interruption coverage within cyber policies offers protection against financial losses stemming from computer network disruptions in the supply chain (including ransomware payments, if necessary).
- Intellectual property: While the broadest general liability, media and E&O policies can cover copyright, trademark and service mark infringement, patent infringement and trade secret misappropriation are almost always excluded, unless a stand-alone intellectual property policy is purchased.
- Product/general liability: With respect to tangible property and bodily injury claims arising from defects, malfunctions or errors in AI hardware products (i.e., “internet of things” and robotics), product liability can cover defense and indemnity costs. In addition, AI robotics and other “smart devices” may require “product recall insurance” if entire parts of defective AI systems have to be replaced.
- Employment practices liability: Employment practices liability covers businesses against claims by job applicants, workers and regulators that legal rights as employees and/or applicants of the insured have been violated with respect to AI-caused discrimination.
- Crime insurance: Provides coverage to address loss of money, securities and other assets resulting from dishonesty, theft or fraud (including AI computer fraud, such as deepfake social engineering videos that impersonate management to order a wire transfer).
- Directors and officers: In the wake of increased regulatory actions against individual company employees, directors and officers insurance can provide protection for the entity and its executives.
Addressing gaps
There are notable gaps in coverage that lawyers must be aware of, such as political risk, trade credit and antitrust, as well as exclusions such as “war” clauses and “intentional acts” restrictions.
- Lack of standardization: The evolving nature of AI complicates the establishment of standardized insurance policies. Tailored coverage that aligns with specific AI use cases and risks is crucial.
- Ambiguity in coverage scope: Most traditional insurance policies do not explicitly address AI-related risks. Legal counsel should clarify the scope of coverage and potential exclusions. The “silent cyber” cases, whereby historical property, crime and general liability policies did not affirmatively “cover” or “exclude” cyber perils, resulted in extensive litigation between insurance companies and the insureds. Insurance policies address AI perils in one of three ways.
  - Affirmative coverage (AI-specific insurance is being developed)
  - Specific exclusions
  - Silence, which creates ambiguity
- Exponential nature of AI risks: As AI capabilities rapidly expand, new risks may emerge. Insurance coverage should be regularly reviewed and updated to account for these evolving perils.
- Complex claims assessment: There could be multiple AI providers, users, vendors, distributors, customers and others in the supply chain. How would liability be allocated?
AI risk management best practices
The insureds have been asked the following questions in underwriter meetings with respect to AI risks.
- Do you have an AI governance framework with board/management oversight, which includes specific use cases, restrictions and authorization policies?
- Are you confirming whether key vendors are utilizing AI, and if so, what safeguards are in place to prevent errors? Have you conducted precontract diligence?
- For disclosures, are notices provided to consumers on the use of AI?
- How do you prevent unintended bias when utilizing AI?
- Does a human have to verify accuracy before AI takes action?
- Are AI actions logged, so potential errors can be reviewed and remediated?
- For contracting:
  - Who owns and has what rights to use the prompts (inputs) and outputs?
  - Are the prompts and outputs subject to confidentiality obligations?
  - What is the allocation of liability, including hold harmless and indemnity?
  - Are there service level agreements?
  - Are there separate agreements for plug-ins and APIs?
  - Are there requirements for evidence of insurance, including limits and representations that the insurance adequately covers the AI services/products being provided?
  - Is there representation that the AI provider is in compliance with applicable laws?
In conclusion
Risk management typically considers frequency and severity of perils. With respect to AI, we should add velocity of evolving risk profiles. Lawyers should advise their clients to proactively address these risks through tailored insurance policies that align with their unique circumstances.
As the AI landscape continues to evolve, a collaborative effort between stakeholders, led by legal counsel and compliance—and mandated by management—is crucial to ensure that the potential perils of AI are effectively managed and mitigated.
Kevin Kalinich is the founder of Aon’s Cyber Solutions Group. He leads Aon’s global practice to identify exposures and develop insurance solutions related to intangible assets, including intellectual property, technology errors and omissions, miscellaneous professional liability, media liability, and coordination of multiple lines of insurance related to cyber perils and digital assets. Kalinich earned a bachelor of arts degree in economics and mathematics from Yale University in 1984 and a JD from the University of Michigan Law School in 1987.
Mind Your Business is a series of columns written by lawyers, legal professionals and others within the legal industry. The purpose of these columns is to offer practical guidance for attorneys on how to run their practices, provide information about the latest trends in legal technology and how it can help lawyers work more efficiently, and strategies for building a thriving business.
This column reflects the opinions of the author and not necessarily the views of the ABA Journal—or the American Bar Association.