With artificial intelligence (AI) technology becoming global, every information technology (IT) contract your organization enters into without appropriate data use restrictions can lead to your data and information being used for the purposes of training AI without your knowledge and for the sole benefit of the vendor. Software vendors are increasingly seeking broad rights to data (or de-identified data) to “improve their services.” This language, while seemingly harmless, can quietly give the vendor the right to broadly use your data unless appropriate restrictions are included in the underlying contract. The resulting business consequences of failing to restrict the use of your entity’s data can be broad, unintended, and far-reaching. Among other things, the failure to properly restrict a vendor’s use of your data could allow the vendor to use that data to develop technologies or insights that provide competitive advantages to your competitors. In addition, if the vendor fails to properly de-identify sensitive data, including PHI, such misuse could expose your organization to regulatory scrutiny, enforcement actions, and potential liability.
Before signing any IT contract, you should require written disclosures of how the vendor intends to use your data and AI. Based on that information, you can include appropriate data use provisions in the contract to align with your organization’s risk management policies and data use standards. Vendors’ standard data use restrictions and provisions are rarely intended as a “one-size-fits-all” approach, as different entities generally have varying standards and risk tolerance and may even have distinct standards for various types of data.
Also critical is the interplay between the use of your data and other pertinent contractual provisions such as the:
- limitation of liability;
- representations and warranties;
- indemnification provision;
- return or destruction of data provisions; and
- data security provisions.
Understanding how these provisions work together—and where gaps, inconsistencies, or unintended risks may arise—is essential to ensuring your organization is adequately protected and that the agreement appropriately allocates risk between the parties. With adequate knowledge and appropriate due diligence and negotiations, you can move forward with IT contracts without putting your patients, your reputation, or your balance sheet at risk.
Our Technology and Cybersecurity team is here to assist you with any IT Contract needs. If you have any questions or would like assistance with IT Contracts, please reach out to the author, the Garfunkel Wild attorney with whom you regularly work, or email us at [email protected].