AXIS Cyber Risk Advisory INCYTE Newsletter
Resiliency in Action
Mullen Coughlin’s Kevin Dolan highlights emerging state, federal and industry-specific artificial intelligence (AI) regulations, and shares tips for organizations to consider.
In the 2024 legislative session, at least 31 states adopted formal resolutions or enacted legislation related to AI.
- Colorado was the first state to formally enact comprehensive AI legislation with Senate Bill 24-205. This law places affirmative duties on covered organizations, including disclosing the use of AI systems to consumers and establishing policies to avoid algorithmic discrimination with this technology.
- Even in states where no such legislation is enacted or pending, the use of AI may be regulated by state Unfair Trade Practice Acts (UTPAs), state comprehensive consumer data privacy laws, state information security laws, and state anti-discrimination laws.
Internationally, the EU AI Act was enacted in 2024.
In addition to breaking down levels of risk into four main categories, the EU AI Act establishes obligations for specific categories of providers, deployers, importers, distributors, and product manufacturers of AI systems with a link to the EU market. Industry-specific guidance has also been issued in various sectors. For example, rules have already been issued regarding healthcare, insurance underwriting, human resources, and others. These early examples are likely to serve as indicators for future regulations of additional industries.
Key considerations for organizations navigating the use and impact of AI:
- Understand the organization’s specific regulatory framework in the context of AI, i.e. what applies to us and what affirmative obligations we have in light of the AI solution we are investigating or utilizing.
- Consider whether you are required to accurately disclose an AI product or service’s characteristics, uses, benefits, or qualities.
- Understand that feeding consumer data into AI models, and processing it in connection with those models, likely poses heightened risks to consumers.
- Even entities not directly covered by the comprehensive privacy laws may violate them if their actions contradict their publicly stated policies or commitments regarding how they collect, use, or disclose consumer data. In other words, misleading consumers about data practices, even when using AI, could be considered deceptive under the consumer data privacy laws.
- Where consumer rights of data deletion are concerned, businesses must consider how to honor those rights for data that has already been fed into or used to train AI models.
- Under anti-discrimination laws, violations may occur where AI systems consistently make automated and unfair decisions because they are trained on historically biased data.
- Under information security laws, AI developers and their suppliers must safeguard personal data from security breaches and report such events to consumers and regulators in accordance with applicable laws.
This emerging patchwork of regulations can be very challenging to navigate; while the above is not intended as legal advice, Mullen Coughlin offers customers a complimentary consultation to better understand the specific regulatory implications in this space as they pertain to their organization.
Mullen Coughlin – Cybersecurity & Data Privacy
To learn more about the services available from AXIS Cyber Risk Advisory, please contact CyberRM@axiscapital.com
This material is provided for informational purposes only and is not an offer to sell, or a solicitation to buy, any particular insurance product or service for a particular insured. It is intended for licensed insurance professionals. The services and service provider discussed in this document are suggested as risk mitigation and incident response resources. Use of AXIS Incident Commander does not constitute advice of any kind, and use of any service provider does not guarantee the performance or quality of the services provided, including the avoidance of loss, the fulfilment of any obligations under any contract or compliance with any law, rule or regulation. AXIS is not responsible for the effectiveness of a cyber risk management program and encourages each policyholder, together with advice from their professional insurance advisor, to perform its own independent evaluation of any service provider as part of its overall risk management strategy.