How to Negotiate an AI Contract to Maximize Value, Reduce Risk
By Curtis Capeling and Wesley McCulloch
October 3, 2023
Curtis Capeling is a member at Bass, Berry & Sims in its Nashville, Tennessee office. He focuses on helping clients protect and strategically commercialize their intellectual property assets and rights, including representing vendors and consumers of AI services. CCapeling@bassberry.com
Wesley McCulloch is an associate at Bass, Berry & Sims in its Nashville, Tennessee office. He advises companies on data privacy and security matters and counsels clients on compliance with international, national and state privacy laws, including the impact of AI. McCulloch@bassberry.com
Originally published in Today’s General Counsel, October 2023
Your company needs AI. To spot business and legal issues related to AI: learn how it works, what data it uses for training and production, and what it will do for you.
Consider the following when you negotiate for AI services:
Legal Liability
What decisions will AI help you make? If a decision is wrong or biased, what liability might result? Will AI integrate with your products or services and affect your products liability exposure?
Errors in AI output may not be apparent, and problems can compound quickly.
Training and production data that under-represents a gender or ethnicity or that is otherwise prejudiced can cause AI bias. Allocate the risk of AI errors, bias and products liability between you and your vendor. Define the outcomes you expect from AI, and tailor warranties and remedies accordingly. Nuanced risk allocation may be necessary.
Are your insurance types and limits adequate for the perceived risks?
Confidential Information
Who will provide and own the AI training data? Who will conduct the training? What production data will you use when operating AI?
Will AI aggregate your data with data of others? Should you de-identify the data? What limits should apply to disclosure and use of your data?
AI improves as it processes information, but consider whether competitors and third parties also use the AI, and may benefit from your (or your customers’) confidential information.
If AI processes personal, healthcare, financial or other sensitive information, how will you and your AI vendor comply with current and pending privacy law? This includes any duty to delete or account for use and disclosure of personal information.
Know whether AI will transmit your data cross-border. Does the data use comply with applicable law and any requirements of the data source? Do you have the right to permit the expected use? Are notices to individuals required under privacy law, and do you need a data protection addendum, business associate agreement, or similar arrangement? Consider the consequences of an unauthorized use or disclosure, and allocate duties to protect information.
Compliance
Decisions supported or made by AI must comply with any laws applicable to your company. Determine any compliance risks inherent in AI — especially in highly regulated industries like healthcare and financial services — and allocate compliance duties in your agreement. Consider what laws to require your vendor to satisfy.
More AI law is coming. Consider whether AI use is (or may become) restricted or prohibited. Some laws may prohibit automated tools in hiring decisions, mandate audits for bias, or require explanation of AI decisions; agencies will promulgate AI rules in regulated industries; the EU Artificial Intelligence Act may ban certain AI uses. What termination rights and economic remedies might you need if new law impairs or prohibits future use?
IP Rights in Output
What IP and proprietary rights do you expect to own or grant in data, AI output, and (if the AI is not static) AI evolutions? Make sure to allocate those rights in your agreement. If you grant rights to data or AI output, consider whether you have adequate rights to do so.
Generative AI produces works, from text and images to audio and source code. Generally, an individual must create the work for IP rights to exist. Works generated entirely by AI likely do not meet that requirement. If your business exploits IP, consider this challenge.
IP Infringement
Your AI vendor may not always have clear rights to training data. AI output can be derivative of training data and your use of AI or its output may violate a data owner’s IP and other rights.
Allocate infringement risk for the training, operation and output of AI. Typical risk allocation and exceptions to IP indemnity may not be appropriate because using AI and your data can result in modifications, combinations, and evolution.
Other Issues
What are the typical SaaS, software, and technology service issues that should be negotiated in your agreement?
Consider adopting AI risk management policies. Train personnel to use AI only when appropriate, not share sensitive information without adequate protection, and avoid inadvertently subjecting you to an online contract.
Considering these issues as you adopt AI will help make the most of this emerging technology and help manage your company’s risk.
Must read intelligence for general counsel
Subscribe to the Daily Updates newsletter to be at the forefront of best practices and the latest legal news.
Daily Updates
Sign up for our free daily newsletter for the latest news and business legal developments.