Safety, AI and Tech Stack - Safer VRs
===
[00:00:00] You're listening to this week's episode of the Vacation Rental Business in Today's World Podcast. You're about to start transforming your business and life with the information found here. We interview some of the greatest and most influential minds in the vacation, short term rental industry, and supporting businesses.
The information found here is a combination of brain science, transformational thinking, safety and loss prevention, and vacation, short term rental knowledge and experiences all rolled into one to help you and your business to achieve levels you never thought possible.
I am glad you are here. And now please welcome your host, Eric Thibodeau. Hello everyone. And welcome back to Safer VRs. I'm Eric Thibodeau, I'm your host and we're kicking off 2025 with Safer VRs. Probably something we've never talked about in Safer VRs, and I think it's going to be a good subject, and, you know, we're [00:01:00] going to roll some safety in there.
I have Catherine here with me, and she brought this idea to us, and I think it's a really good one. Joe, and I'll let them introduce themselves, is here as well. Look forward to this discussion today about, I call it the AI safety and litigation. Oh, my. Thanks so much, Eric. I'm Katherine Ratcliffe with STR Benefits and Lost Together Stays, and I'm delighted to be back on Safer VRs and was really excited to talk to Eric and my good friend Joe Lazzarotti, who I'll let introduce himself, from Jackson Lewis.
Thank you, Catherine. Joe Lazzarotti here, principal with Jackson Lewis, in our Tampa office, recently transplanted from New Jersey and New York. I head up our cybersecurity and AI practice groups. Good to be with you. Great. Yeah. So, Catherine, let's kick off and give us some ideas of what led you to say, Hey, let's talk about this, because it's something that the vacation rental industry [00:02:00] needs to learn about.
Yeah, absolutely. Well, thank you. So I come from a large employee benefits background and so stock auditing, data breaches, HIPAA compliance, all of those things are sort of always roaming around in the background of everything that I do. And then as I transitioned to having my own property management business where I manage my own properties and looking at the tech stack that I have, that was always a concern that I had because it wasn't a topic that anybody really talked about.
It was, you know, cost and which PMS is, is best suited for what size of operation that you are. And I'm a smaller property manager. I only manage my four, but it's still four opportunities where as I look at it, I've got personal information. And as guests were sharing more things freely via inboxes and that sort of thing.
It was one of those creeping concerns that I had that I chatted with [00:03:00] Joe a little bit about, because I started to get, you know, dates of birth, and now I'm verifying driver's licenses, and people are sharing medical information. And I started to just get a little bit concerned about, within my tech stack, who has what sort of safeguards to make sure that if there is a breach, that I'm protected. And so that's when I reached out to Joe and asked him for his thoughts on this. And it seemed like it was a good opportunity for us to have some discussions. Yeah, great. Good. Yeah. You know, it's interesting, Catherine. One of the things we see a lot of smaller businesses, smaller midsize businesses often think, you know, we're not a target.
The bad guys aren't looking at us. We don't have a lot of data. They're not interested in us. And that can't be further from the truth. A lot of times it's a bot or some type of social engineering that finds you and they find it an attractive target. So it's certainly something to be thinking about for small and midsize businesses.
Yeah, I mean, we experienced some, cyber, I don't know, it was [00:04:00] hacking mostly, people with credit cards and trying to come in through our website, is where they did it. And we had a different payroll processor at the time, in current tide. So we quickly shut it down, involved the police, and through some Facebook engineering, we were able to find the culprits locally who were doing it.
Just something we weren't prepared for. Websites, Eric, is really an interesting place, particularly for this business, because a lot of your business comes through your website. And one of the things that we find just from a compliance perspective, just a couple of things.
One is that most states have statutes that say, as a business, large or small, you have a statutory obligation to protect personal information you collect. Some states, like Delaware and California, Nevada, even have specific statutes that require certain language on your website about how you handle information.
And, you know, if you're trying to market your business and you're using tracking technologies or pixels on [00:05:00] your site, how you get consent and what your policies say on your website can really be important in trying to manage that risk. So there's been quite a bit of litigation about that, but just having some basic, good disclosures on your website, that can also help to protect you and the data and the proprietary information on your website.
You know, you often see a privacy policy and a terms of use on a website. Those are really important statements to have when you do a lot of business on your website, both in terms of level setting with your customers about how you handle their data, maybe getting their consent if you need it, depending on the technology, and then again, protecting the data that you have on your site from scraping and other access that third parties can make of that data.
Yeah, we definitely have the privacy policy and the terms on our website, and I also have my own Safer VRs site, but before I started the businesses, it wasn't something that [00:06:00] was just intuitive for me to do. No, that's right. I mean, you know, I still see a lot of sites that do not have any kind of privacy statement, or they do, and they say, you know, we will ensure the protection of your personal data.
And, you know, from an FTC perspective, that's a contract. They're going to view that as you're promising basically a hundred percent to secure that data. And you want to maybe soften that language a little bit. You want to say, look, we'll do our best. We have reasonable safeguards, but you know, information on the internet is risky, right?
So you want to come up with that language that, you know, gives your customers some assurances, but doesn't bind you into things. Or say, for example, you'll never disclose their personal information. You may very well have to disclose their personal information. So, you know, thinking about how you word those statements, that privacy statement in terms of use, can be, can be really important.
Including, you know, we were talking [00:07:00] before this call about, um, you know, dealing with vendors. And again, many of the vacation rental businesses that I've learned about, um, and work with, they rely so much on third party vendors. And so again, you don't want to be saying on your privacy statement, we will not share your information with third parties because vendors are third parties.
Yeah. I think that's a really good point, Joe, because when you think about, even from an insurance perspective. So we've got different forms of insurance within the industry, right? You've got trip insurance, and you've got damage insurance and liability insurance, and depending which vendor you're talking about, whether it's Red Sky, for example, on the trip insurance, you may have to disclose some of that information.
And in some of that agreement, you're talking about best practices to, you know, help them subrogate a claim if somebody has an issue, say, due to the hurricane. And then you've got [00:08:00] people that, you know, like Safely or any one of the other vendors where there's damage that takes place within your unit and you're then disclosing, well, here's the camera footage of them smoking pot on the balcony or whatever they're doing.
And at that point, your relationship with your customer may be a little bit more adversarial than it is if you're talking about trip cancellation insurance. And then you've got that, you know, third element of potentially a liability claim if you've got proper or something like that, where a guest falls or there's some kind of damage and they're emailing you information that maybe they don't want disclosed to the insurance company.
And how do you know what you share, when to share it, what hat you're putting on? Cause we all worry so much about that five star review and what can happen to us if we're taken off of an OTA. But that's probably a lot less of a concern than what can happen to us from a liability perspective if we're disclosing [00:09:00] information that we're not allowed to.
I think that's exactly right. One of the things you mentioned is reputational harm, and there's a whole range of situations where you may have shared information that customers may not be happy about. In those situations, one example might be one of your third parties has some kind of an exfiltration or a breach of data and it involves your customers. We handle hundreds of data breaches, and when that happens, when a vendor causes a breach, sometimes the vendor, unless there's some provisions in the services agreement, will go ahead and notify all the people who are affected. And they may do that without telling the owners of that data, or in this case, the vacation rental company or the property management company, and so now you have people getting notified and they make the connection that that incident relates to you as the vacation rental business.
And they call and say, Hey, what happened here? I don't even, [00:10:00] why didn't you tell us? How do you not know this happened? And so it puts you in a bad light, obviously. So, you know, you could try to deal with that by, you know, where you can, negotiating provisions in your agreement that say, Hey, if you have an incident, you have to tell us first.
Now the law does require that, but it doesn't always happen. And so, you know, again, you're right. These kinds of incidents can certainly lead to situations where your customers will get upset, they may, you know, affect your ratings, and, you know, ultimately take all the steps. But trying to do the best you can to minimize that is really, really critical.
Yeah. And I mean, it'll definitely impact your business. But then, you know, right before the call, we were talking about where I was working with some companies that don't even have general liability insurance. Which, kind of, I'm really just shocked. So if you don't have general liability insurance, or if you do, how does it impact you
[00:11:00] for these particular claims that are coming? So... Oh, go ahead, Catherine. I was just gonna say I think what's interesting is sort of the insurance fluency too, because a lot of general liability insurance policies have carved out the cyber element, and so you might have general liability but not cyber and not realize that you're not protected on some of those.
I think it's really important to evaluate the policies first, to find out who's covering what and under what circumstances. Yeah, that's a great point. There is certainly a lot of carving out of different coverages and I don't know if anybody uses any kind of biometrics, but there's a law in Illinois that has caused a whole wave of litigation, and a lot of carriers have carved those claims out, right?
Just as an example. But, you know, for cyber coverage, certainly, you want to think about cyber and you also want to think about this crime coverage, if there's some type of extortion, and where payments are redirected once [00:12:00] a threat actor gets into your environment. But just typical cyber coverage first: you obviously want to talk to an informed broker about what they're doing.
You know what the, key issues to consider are with regard to that coverage. But when we talk to clients generally who want to understand, well, what is this cyber all about? How much do I need or whatnot? You know, we kind of just say, look, if you have a breach on your system, somebody clicks on a phishing email, which is a very popular way that it happens.
You probably need to have some kind of forensic review to understand what exactly did happen. Did bad guys get into your systems? What did they get, if anything? The cyber policies will often cover that expense. We get involved as lawyers because we want to do that investigation under the privilege.
And also if notifications are required, both to the individuals or to the state, we would help the insured provide those notices. You might want a call center to help answer calls [00:13:00] from customers. There are experienced call centers that can help minimize the impact on your business. You might want to provide or have to provide, depending, there's about five or six states that require credit monitoring services to be provided.
There's a cost there. And then, there might be, if you have a significant number of people, you might even think about public relations, right? So these are all what are called first party costs because they affect you directly without anybody suing or making a demand. But then of course, there are those third party costs in case litigation or an inquiry from a governmental entity arises.
And so all of those things, in our experience, again, depending on policy terms, of course, and the situation of the incident, often are covered by various cyber insurance policies. So, in a situation like that, it's certainly good to have that in your back pocket. Plus, what the carriers do is they form panels where they'll bring together certain vendors, certain law firms, certain forensic firms, different providers in [00:14:00] these categories, so you don't have to go and search for a law firm to help you. Um, they usually are, I mean, if you have a trusted advisor, they will consider that, but it also will help you because in a breach situation, you have to act pretty quickly. So you don't want to start reinventing the wheel and finding vendors.
It's a good way to have that set up already. Um, you know, if you're thinking about that, Joe, you said something that I think maybe some of our listeners may not really have ever had the opportunity to deal with or fully understand. But let's, like, two minutes: what is having an attorney bring an incident or review under privilege?
And how would one of our listeners initiate that? That's a great question. What often happens is we'll get a call from a company that says, Hey, we're looking at cyber insurance. We wanna understand and get some help at the beginning, before we have a breach.
We wanna have [00:15:00] somebody evaluate our policies. We wanna have an incident response plan so we know what to do when something happens. And then if the breach happens, we wanna be able to call that attorney and then get the ball rolling. 'Cause we typically are the first stop on this process, because to your point, Eric, what we would do is once a client calls us and says, Hey, you've been working with us, our IT guy just called us and told us that there's been a compromise. At that point, we might have an initial call with the incident response team at the company, find out what happened, and then we would reach out to a forensic firm. And we would say, hey, one of our clients has an incident.
We want to engage you, the forensic firm, on behalf of our client, to help us understand what happened so that as a lawyer, we can provide legal advice or we can prepare for any potential litigation. In that situation, the information that we [00:16:00] get, we would take the position, not every court would agree, right? It's an issue that does get litigated, but we would take the position that that information we get, that relationship, that work is privileged, and the resulting report or information or summary that we get from the forensic firm about what happened would be privileged. And that could be helpful because first, facts are not privileged, right?
Just, you know, basic facts about what happened are not privileged. But if in the course of an investigation there's certain information that comes up that may be unrelated, or if we're going back and forth on trying to understand what happened and whether something is or isn't a breach, those exchanges, that advice, can be helpful in that process, would be privileged. So it really can help to conduct an investigation in a way that allows those communications to be privileged and protected from disclosure in the case of litigation. Good. Very important. And you said some of my favorite words, being [00:17:00] proactive and getting prepared for, whether we're talking about a safety incident or a cyber incident.
I mean, everything is about being prepared. And that's part of what this conversation we want to have today, or we are having. I think it's interesting, Eric, when you talk about the preparedness, like I always think of contacts, right? So, let's say, because I got a data breach notification personally from Target, and I got a data breach notification from, I think it was Spectrum, the other day. So let's say I got a data breach notification from somebody on my tech stack. I think one of the things that, you know, obviously there's been a lot of churn within the industry, people going from, you know, one organization to another, there's lots of M&A activity.
I think first of the year, one of the things that's always a really good idea is to evaluate who's the contact that's listed for all of your tech stack. Who's going to get that notification if there is a breach, whether it's Airbnb, Vrbo, you know, I know you're with Track, I'm with [00:18:00] OwnerRez, who's the person that's going to get that notification? Because if that person isn't there anymore, that's your first problem, I think. From a due diligence perspective, you need to make sure of that, but then the secondary thing is then what, right?
So if I get a notification from my PMS system that they've had a data breach and that I and or my clients are impacted, there's like, it's not enough to just file that right now. Now I've got an obligation because I've been notified. I need to turn around and do something with that. Right, Joe? Yeah, no, exactly.
If you're the business and you're collecting the information from your customers as the vacation rental business owner or the property manager, that's your data. If you then turn it over to or channel that information directly to a vendor who's acting on your behalf and they're storing that data and then they have an incident, you're exactly right.
The obligation really rests with you ultimately. Now the vendor may take the lead on it, [00:19:00] and that's something to really look at, as I mentioned earlier, in the contract: what is the obligation? But the law says that the vendor has to report it to the owner, in this case the vacation rental business, and then it's up to the vacation rental business to decide what it's going to do. But it could delegate by contract to the vendor to provide that notice.
And so, you know, you have to also be careful with that because you don't shed the liability for that. So you want to be sure that the vendor knows and is going to follow all the requirements to make sure that notice is provided properly and to all the places it needs to be provided.
Sometimes, the vacation rental business may feel like a couple of things. A couple of things we see as a practical matter is one, the small business will say, they're big companies, they know what they're doing. And the answer to that is no, they don't always, you have to do your due diligence.
You have to make sure that you're holding their feet [00:20:00] to the fire. There are some companies that are very good and going to take care of business and going to do the right thing, but that's just not always the case, and the obligation rests with you. So it's important to follow up and to make sure and to trust but verify, right?
But don't make the assumption that because it's a big company with a nice website and has a lot of customers that it has all the expertise that it needs in this space. And the second thing is organization, going back to what you were saying, Eric, about preparedness, is, you know, understanding how to spot these things and how to know where to report them and who's going to take the lead in your organization.
There are, you know, we've developed incident response plans for clients, some that are very robust because it's a larger organization with multiple divisions and layers of management, but also some that are very simple for a solo practitioner who's subject to HIPAA, right?
Where it's just a small doctor's office and they still need to have some basic understanding of [00:21:00] what steps should we take, who should we call, what are our requirements, what does a notice look like, so that they can act quickly, because in Florida, for example, when you discover a data breach, you have 30 days to provide notice.
That may sound like a lot of time, but when you have to engage vendors and do the analysis and get advice and put in place credit monitoring, it can take some time. So having that kind of high level plan can really be helpful with what you have to do, but also on following up with your vendor and making sure they're doing what they have to do.
It's interesting. Cause I think, you know, Casiola shared on LinkedIn last month, I think, that they had an issue where somebody had fraudulently taken their logo, their information, and put properties onto Airbnb. And so I think that's a great example of where you're not talking about a mom and pop business organization. You're talking about somebody that takes it very seriously, and Airbnb is not a small [00:22:00] player, but I think one thing that, sometimes you have the larger players that don't know what they're doing, other times they know exactly what they're doing, and that may not be in your best interest.
So there are a lot of times the contract says, here's our responsibility. It's your responsibility, right? And so that's the mistake that I think when people don't read the fine print, data breaches are so common. Now you get the letters in the mail, you open it up and it says, Airbnb had a breach.
Okay, great. And I think the missing component is exactly that. We think Airbnb is taking care of it. And in the contract, it might say that it's now my responsibility to notify any of my impacted guests. And so I've got to turn around and put things into motion there. And then I have to figure out who all is involved.
What's the language? That, to me, is the biggest piece that I think people don't understand: it's just because it was Airbnb and that Airbnb sent me a notice, or, and not trying to shed any light on or shade on Airbnb, it could [00:23:00] be anybody. It could be your credit card processor. But you should pick up the phone and call somebody and say, what do I do with this?
Who's on point to do that? Well, you know, to that point, Catherine, I think that's exactly right. And, you know, one of the things I see with a lot of smaller businesses is, and this is totally understandable, they have certain trusted advisors. Like people's knee jerk reaction with a situation like this is, they may have a local IT person and they rely on them for, you know, sometimes just to get their system set up, maybe to do software updates, maybe to do an integration with a new vendor.
Um, but it's not unusual. In fact, it's more common, at least in my experience, that those smaller IT firms that are servicing smaller businesses are very good at those functions. But they're not used to dealing with sophisticated cyber attacks, but their customers rely on them and they [00:24:00] think, Hey, you're in IT, so you do everything in IT.
And that's often not the case. So when you look at who you're going to surround yourself with as a trusted advisor for these types of incidents, which could be critical to your business. A ransomware attack, and it shuts down your systems, you're not going to be able to access how to contact your customers. You might be locked out of all of your systems and be unable to carry out your business, and it's not uncommon. It used to be more common, I think it's got a little bit better, but very often some of the smaller businesses that we've dealt with, their backups are tied directly to their system.
So if a ransomware attack happens, the malware not only encrypts their servers, but also the backup server. And so you think you have a backup, but you really don't have a backup. Right. So just again, going back to preparedness, right? Have you ever recovered from [00:25:00] backup? Most companies don't. They just think they have a backup.
They live with this sense of security that there's a backup there. When, in the end, they then try to recover from it, either it's already encrypted or they can't recover the data. So these are the kinds of things that I think happen when you're relying so much on a whole range of vendors for being able to run your business.
And then the data, which is so important to the running of your business, all of a sudden is not available to you or the systems that you need to carry out your business aren't available. And the people that you have around you to help aren't really prepared to help with that and resolve that situation.
Can we talk a little bit about AI, maybe threats there? And then I'd like us to end with some practical steps that our listeners could then say, Hey, we've talked about quite a bit, and what could they [00:26:00] do going forward? So let's spend a few minutes on AI. Yeah. Well, I approached Joe about this because I know there's a lot of AI vendors that are out there with the automated responders.
There's lots of opportunities with AI within our industry, and my general concern, again, going back to putting on my insurance brokerage hat, is always what happens if I've got PHI. Of course, I spent a lot of time last year working with Lorraine Woodward with Becoming Rentable, which is a platform that is designed specifically for people that have disabilities, and a lot of times they're asking for certain things and they're sharing what in other incidents is considered protected health information.
I need ostomy supplies. I need a Hoyer lift. And so, thinking about somebody who's messaging, as I work to try and become an ambassador for Lorraine or be certified for that. You've got different entities, you've got behavioral health, if you're trying to have your autism certification that your property [00:27:00] is equipped for that.
And then also the physical component. Looking at having those AI chatbot responders was the low hanging fruit for me to ask Joe questions of what happens if somebody messages in that and I've got a bot responding, and how I should be concerned about what would happen within my tech stack and making sure that I'm doing things the right way.
So Joe, I'll let you dissect that a little bit. Well, I think that there's so many, AI is really wild because it's in some ways, you know, a solution in search of a problem. Everyone is trying to find, Hey, there's this AI out there. How can we use it? What can we do with it? It's great.
We just want to figure out what to do with it. What I'm talking to clients about are some of the following things. One is, and this ties into what you're saying, Catherine, and this sounds, I think this sounds more ominous than it is, but it's about governance, risk and compliance, right? You, when you, to the [00:28:00] extent that you use the technology, you want to understand what it is, how it's being trained, what data you're using to train it, and kind of look at the results, right?
Cause if you do have a chat bot and it goes haywire, which can happen, or it has a hallucination or it collapses depending on where it's getting its data from, and there's examples of those things happening. It just upsets your business. So, you know, just basic good governance is not having to hire someone who's your AI person, but just working with the vendors so that you really understand what it is that you're getting, how it works.
And trying to avoid legal risk from that. One example of that is, you know, these AI note takers, right? So, we've had a lot of clients who get on to meetings and they're fantastic tools because if you can't make the meeting, it [00:29:00] might dial in and take notes, create a transcript, and send you a copy of that transcript.
The problem is, with that, not that you shouldn't use it, but you want to understand what exactly is happening. Because if you're on a privileged call, to go back to privilege for a minute, and you have that service, and that service is saving that information on a third party's website, or the transcript is being saved on your environment and it has, you know, anybody can access it.
You may lose privilege because other people can access those communications. You also may have a conversation that has sensitive data in it, to Catherine's point, and now you have a document that's saved with that information and is shared with the third party vendor who provides that notetaker.
So again, you know, it's thinking about how does this tool work so that we can avoid legal risk? And a lot of times you can really leverage a lot of the benefits of the AI tools that you're using and minimize the risks of doing [00:30:00] it. The last thing I'll mention just before continuing the discussion is, you know, the law is emerging in this space.
It's kind of like, right now, the Wild West, but little by little, Colorado just passed a statute that's pretty comprehensive. You have until 2026, so it's not right away. You have some time. There's rules under the California Consumer Privacy Act, some regulations that are being advanced in proposed form right now, but this should be something later this year. What they're really getting at is, you know, especially when you're using it with customers.
Are you being transparent? Do people know that they're interacting with any kind of generative AI? There's a law in Utah that's in effect right now that requires some notice to customers if they're interacting with a generative AI application, right? So this idea of transparency is going to be really important.
And the other thing is if you're using a chatbot in certain [00:31:00] industries that, potentially could include the vacation rental business, because I think in Colorado it talks about housing. So I'm not sure how that's going to be interpreted, but if the AI is making the decision or facilitating the decision, it's a substantial component in the decision.
It can be considered a high risk AI, which means that there has to be certain safeguards in place to avoid bias and discrimination that is made by the AI. So for example, if you're reviewing certain people who are vying for a particular week or to stay at your property and you carve out or screen out certain of those people, and it is determined later that the algorithm is disproportionately carving out people who are in a protected class that could raise an issue, in terms of how you're making your properties available.
And that's a suspicion on my part at this point. Again, we're not sure how that's going to play out, but it is conceivable [00:32:00] that at least the Colorado statute could be read that way. So it's important to be thinking about that when you begin to evaluate tools that would provide those functions.
I think that's a really good point, Joe, because I know you and I have talked about using AI from an HR perspective, where you're going through applicant screening and that sort of thing. And it's a big concern when it comes into that, if you're inadvertently excluding a class. And I think a lot of us have dealt with some of the challenges with the changes on Facebook marketing and that sort of thing, where we're not as free with some of our terms on the age limits that we want to require.
And we fall back to a state requirement saying you can't rent to somebody under 25. And it violates some of the regulations when you get into whether it's Facebook or third-party administrators. And I think people forget about that. Like, we spend so much time trying to figure out who our ideal guest is, and if you ask me to spell out who my ideal guest is, I think that the counter of [00:33:00] that is, are there people that I'm excluding?
Absolutely. There are people that I'm excluding, not because I'm trying to be discriminatory, but because they're not my ideal guest profile. I'm not looking for, you know, 19-year-olds on spring break to come to one of my properties. That's not my ideal guest.
Using that information and using the large language tools to create that and say, this is who it is. These are my past guests. These are the reviews. These are even the areas. 'Cause I know even with the email marketing, we're tracking zip codes and demographics and that kind of thing. My concern is, from an AI perspective, how much trouble am I getting in if I'm feeding it, from a marketing perspective, only my ideal guests?
Yeah, you're exactly right. Data is everything, right? What data are you using to train it? And here's an example. Suppose you're in business for five years and you find that 60 percent of your guests come from two or three zip codes.
And you're like, look, this is where I really have to focus because these are the people who are [00:34:00] interested. These are the people who want a vacation at my properties. So I'm going to focus my marketing there. What you don't realize, now that seems pretty nondiscriminatory, pretty even-keeled going by zip code, but it turns out that zip code is, you know, 98 percent white males, right,
and all of a sudden, what you've done is you focused your marketing on a pool, the results are going to be, you know, 90, you could see where I'm headed with that, right? Absolutely. Yeah. 'Cause I didn't tell it to do that, but it did that based on the zip code. That's right. And another example: there was a company, a very well-known company, that years ago used a recruiting tool.
And they said, look, we've been a successful company. We want to hire more people like the people who made us successful. So they trained the AI based upon their employee base. And what happened was their employee base was white males. And what the AI did, it began [00:35:00] to learn the elements of data in resumes that indicated the person was a female and excluded them from the pool of potential candidates.
Now, of course, when they discovered this, they eliminated the tool. But the point is, the AI does this. The AI doesn't know about discrimination laws. They're being modified and designed now to try to avoid that. But the point is, if you're feeding it with certain data and you're structuring the algorithms in certain ways, you run these risks if you're not careful.
And they can lead to pretty significant, not only litigation, but, you know, states may get into investigating these types of situations. People may complain if they feel like that's what's happening. So, yeah, how those tools are designed and deployed can create some pretty significant risk down the road.
Yeah, so we've covered quite a bit. I'd like to give our listeners some practical things to leave with. Here are like three that I came up with right away. I mean, [00:36:00] so my privacy statement, my terms are probably at least five years old. I probably want to go back and review those. I want to take a look at cyber insurance and see if that's covered in my general liability.
And then the fourth piece was, I probably want to reach out to the companies that I'm using in my tech stack to understand how they're using the data and their data protection methods. Right? So what else could we leave with our listeners? Those four things I thought of right there.
I think those are great items. I would add to that, along with reaching out to your third parties, I would have a set of questions that I would apply to all of them. That way it's easier, so that whenever you're doing procurement and you're getting prices from three different vendors,
You can have a questionnaire that they can all answer and then you can evaluate that. That makes your process maybe a little bit easier by having that kind of questionnaire about, you know, their cybersecurity, how they'd handle a [00:37:00] breach, you know, what kind of certifications do they have? Do they use AI?
You may not even know that they're using AI, right? So having some kind of a questionnaire that you can use in procurement is good. Having an incident response plan. I don't know if you mentioned that, Eric, but I think it could even be a one-pager that kind of gives you a checklist of things that you need to be prepared to do in the event of something like that.
I think training your employees to understand how to spot these issues and where to report them, so that you can get notice of something happening as soon as possible. And I think, look, with a lot of this stuff, you want to be prepared to have a good story to tell if there were some type of a lawsuit or a complaint or an investigation.
And I can tell you that we've handled hundreds of investigations with various state agencies and federal agencies on cyber and various kinds of issues. And what they [00:38:00] always ask for is, send us your policies and procedures. Send us your risk assessment. Send us the evidence of training that you've done with employees,
and it doesn't have to be this elaborate process or list where everything has to be perfect, but when we're able to show a reasonable history of efforts that the company has made to address security and privacy and AI and whatnot, less so AI obviously because it's newer, we have a much better result and can often close those investigations without much more than that, because they know that the company is trying to do something and that's documented.
I often hear people say, well, you know, we do all this stuff. But you can't show that you do it, right? So you have to have some way of showing that you've done it. And I think these are all great points, that this is not a set-it-and-forget-it strategy, right?
This isn't like, Fire and water where you can develop a [00:39:00] policy. These things are changing every single day. And I think, from a sales perspective, from a business strategy perspective, we all set our January goals. We all sit down and say, how are we going to do better and do more in the upcoming year?
So did the bad guys. And so we need to constantly be evaluating those practices and going back. Just because I got SOC audit information from my vendors last year doesn't mean that they didn't have an issue this year. Constantly re-evaluating and understanding the legislation, which changes every day, it feels like.
Yeah, I think these are all great tools and tips for our listeners, property managers and owners to take and start chipping away at this relatively new iceberg. But, thanks again. I appreciate it. Catherine, Joe, if you just leave your information, say how people could get in touch with you.
If they think you could help them out. Absolutely. Well, I'm Catherine Ratcliffe and I'm [00:40:00] most active on LinkedIn. You can find me there and I'd love to connect with you. I'm Joe Lazzarotti. Same as Catherine, I'm on LinkedIn as well. We have a pretty popular blog. It's workplaceprivacyreport.com and, if there's any questions I can answer, happy to help. Great. I appreciate it. Eric Thibodeau, with SaferVRs, and I'm on LinkedIn quite a bit as well. Appreciate y'all's time today covering a topic that probably not a lot of people have thought about, and I appreciate it very much.
Thank you, Eric.