Key Considerations for Professional Service Firms
Class action lawsuits are beginning to target AI transcription services under federal and state privacy laws, highlighting risks for professional services firms that rely on such tools. In the federal class action complaint in California, Brewer v. Otter.ai, Inc.[1], Brewer alleges various federal and state law violations by Otter.ai, Inc. (Otter) related to its AI-powered meeting assistant, Otter Notetaker, which joins Google Meet, Zoom, and Microsoft Teams meetings as a participant with Otter Notebook accountholders and transmits data directly to Otter in real time for processing and transcription purposes. According to the complaint, Otter Notebook is part of a broader and enhanced AI transcription service called OtterPilot, that is not only being used by Otter accountholders, but also by Otter itself — a separate and distinct third-party — to improperly record and transcribe private conversations to which it is not a party without consent from all participants, violating the Electronic Communications Privacy Act (ECPA)[2] and the California Invasion of Privacy Act (CIPA)[3].
Brewer also alleges that Otter Notetaker’s ability to accurately transcribe conversations relies upon its automatic speech recognition (“ASR”) and machine learning models. However, according to the complaint, Otter does not provide adequate notice or seek the required consent from all the meeting participants before intercepting and using audio recordings or conversation transcriptions to train its ASR and machine learning models. Instead, Otter places the burden on Otter accountholders to ensure all the necessary permissions and consents are obtained, thereby attempting to get the benefit of the user data while avoiding any risk or responsibility.
This consolidated class action lawsuit not only highlights many confidentiality and privacy issues implicated by this technology, but also the emerging liability exposures to vendors like Otter and the companies that use their services. While rapid advancement of AI and other emerging technology undeniably has the potential to deliver value through improved business efficiencies, we are beginning to see a trend of class action lawsuits filed by plaintiffs seeking guidance from the courts on the scope and strength of their privacy and confidentiality rights. This is likely due to inconsistent and incomplete federal and state statutes addressing these issues. Given the fact that insurance generally follows legal liability, inconsistency and uncertainty in federal and state laws could easily lead to inconsistency and uncertainty in your insurance risk transfer. With this in mind, we encourage firms to consider the following in connection with the use of AI Transcription tools:
- Understand the legal requirements and limitations of the tool.
- Establish an internal policy governing the use of the tool and enforce the policy.
- Conduct firm-wide awareness trainings to ensure everyone has a general understanding of the way the technology works, the firm’s policy on the tool, as well as the associated risks of use.
- Evaluate the appropriateness of use for each call, considering the expected content of the call and its level of sensitivity and confidentiality. If such calls are transcribed, your firm should be prepared to demonstrate that a human review process exists to verify transcript accuracy, capture appropriate context, address omissions, and identify and mitigate hallucinations.
- Conduct comprehensive due diligence on the vendor providing the tool and ensure your firm has strong protections in the vendor contract.
- Fully evaluate the potential impact the use of an AI transcription tool might have on the firm’s ability to defend liability claims in general. Remember, these tools provide a new source of discoverable information for plaintiff attorneys bringing claims of all kinds.
- Closely review your corporate governance insurance policies (professional liability, cyber, management liability, employment practices, etc.) to ensure you are properly covered in the event a claim is brought against the firm arising out of the use of a transcription tool. In addition, consider whether you have sufficient limits available, given the increased risk.
As cases like Brewer make their way through the court system, we can expect case law and statutes will provide further definition of video conference participants’ privacy rights and related legal notice and consent requirements. In the meantime, professional services firms using AI transcription tools should carefully evaluate their platforms, practices, and insurance to mitigate legal exposure with the foregoing considerations in mind.
[1] Several related class action lawsuits have been consolidated into this case that is now deemed the lead case. See also, class actions in other states are emerging, Cruz v. Fireflies.AI Corp.
[2] Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2520, as well as the Computer Fraud and Abuse Act (CFAA)
[3] California Invasion of Privacy Act (CIPA), Cal. Penal Code §§ 631 and 632, as well as the Comprehensive Computer Data and Fraud Access Act, common law intrusion upon seclusion and conversion, and the Unfair Competition Law (UCL).
