Data Privacy Compliance

AI systems are data-intensive, making data privacy compliance a critical concern for Texas attorneys. Firms must navigate Texas-specific laws like the Texas Data Privacy and Security Act (TDPSA) and Texas Medical Records Privacy Act (TMRPA), alongside federal laws like the Health Insurance Portability and Accountability Act (HIPAA), when handling client data with AI.

Guidelines for Data Privacy Compliance:

  • Inventory Data. Understand what types of client data your firm handles (PII, PHI, confidential case details).
  • Assess TDPSA/HIPAA/TMRPA Applicability. Determine which laws apply based on your data and activities.
  • Update Privacy Notices. Ensure notices disclose AI use and data handling practices.
  • Vet Vendors Carefully. Create a mandatory checklist for evaluating AI vendors' data privacy and security.
  • Negotiate Contracts. Insist on strong data protection clauses in AI vendor agreements.
  • Strengthen Internal Security. Apply robust security measures to all systems interacting with AI, including data at rest and in transit.
  • Conduct Privacy Training. Provide specific training on handling sensitive data with AI tools, especially concerning HIPAA and TMRPA requirements if applicable.
  • Plan for Incidents. Have a clear incident response plan for data breaches involving AI systems.

Key Data Privacy Considerations for AI Use:

Vendor Privacy and Security Vetting

Before using any AI tool, conduct a thorough due diligence process focused on the vendor's data privacy and security practices.

  • Inquire specifically:
    • How is data transmitted, stored, and processed? (Is it encrypted in transit and at rest, and who controls the keys?)
    • Who has access to the data? (Vendor employees? Subprocessors?)
    • Is data used for vendor model training? (Training on firm or client data must be disabled or contractually excluded; consumer-tier tools often train on inputs by default.)
    • What security certifications or audit reports do they hold? (SOC 2 Type II, ISO 27001, ISO 42001. Note that there is no official HIPAA certification; ask instead for the vendor's HIPAA compliance attestation and its willingness to sign a BAA.)
    • What are their data retention and deletion policies, including for prompts, outputs, and logs?
    • What is their incident response plan, and how quickly will the firm be notified of a breach?
  • Contractual Protections: Ensure contracts with AI vendors include robust data protection clauses, confidentiality agreements, limitations on data use (especially prohibiting use of firm or client data for training), breach notification obligations, and audit rights.

  • Data Minimization and Anonymization:
    • Apply the principle of data minimization: only input the minimum amount of client data necessary for the AI task.
    • Consider de-identifying or anonymizing data before using it with AI tools, where feasible and appropriate, to reduce privacy risks.
  • Security Measures for AI Systems:
    • Limit access to AI tools based on user roles and need-to-know.
    • Ensure encryption of data transmitted to and from AI services.
    • Use secure, approved network connections.
    • Monitor AI tool usage for anomalous activity (for example, unusually large uploads or use of unapproved tools).
    • Integrate AI tool security into an overall firm cybersecurity strategy.
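The data minimization and anonymization items above are the point where a firm can put an actual technical control in front of an AI tool rather than relying on policy alone. The following is an added example, not code from the original page, of a pseudonymization pre-filter in Python: it swaps direct identifiers for stable placeholder tokens before a prompt leaves the firm, keeps the token-to-value mapping on firm systems only, and reverses the substitution on the vendor's response. The regex patterns, placeholder format, function names and the sample intake note are assumptions for illustration.

```python
"""Pre-prompt pseudonymization filter (added example, not from the original page).

Replaces direct identifiers (SSNs, e-mail addresses, US phone numbers, and a
caller-supplied list of client names) with stable placeholder tokens before
text is sent to an external AI service, and maps the tokens back afterwards.
The identifier patterns, placeholder format and sample text are assumptions
for illustration, not a complete de-identification standard.
"""
import re
from typing import Dict, Tuple

# Patterns for direct identifiers (assumed; extend from your own data inventory).
# The phone pattern uses a lookbehind rather than \b because "(" is not a word character.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PHONE": re.compile(r"(?<!\w)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
}


def pseudonymize(text: str, names: Tuple[str, ...] = ()) -> Tuple[str, Dict[str, str]]:
    """Return (redacted_text, mapping) where mapping is placeholder -> original value.

    The same original value always gets the same placeholder, so the model can
    still tell that two mentions refer to the same person without seeing who it is.
    """
    mapping: Dict[str, str] = {}
    reverse: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    def token_for(kind: str, value: str) -> str:
        if value in reverse:
            return reverse[value]
        counters[kind] = counters.get(kind, 0) + 1
        token = f"[{kind}_{counters[kind]}]"
        mapping[token] = value
        reverse[value] = token
        return token

    # Client names first, longest first, so a short name never survives inside a longer one.
    for name in sorted(names, key=len, reverse=True):
        pattern = re.compile(r"\b" + re.escape(name) + r"\b")
        text = pattern.sub(lambda m: token_for("NAME", m.group(0)), text)

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: token_for(k, m.group(0)), text)

    return text, mapping


def reidentify(text: str, mapping: Dict[str, str]) -> str:
    """Restore original values in text returned by the AI service."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


def audit_summary(mapping: Dict[str, str]) -> Dict[str, int]:
    """Counts per identifier kind, safe to write to a usage log (no raw values)."""
    summary: Dict[str, int] = {}
    for token in mapping:
        kind = token[1:].rsplit("_", 1)[0]
        summary[kind] = summary.get(kind, 0) + 1
    return summary


# Constructed sample intake note; every identifier in it is fictitious.
SAMPLE_NOTE = (
    "Client Jane Doe (SSN 123-45-6789) can be reached at jane.doe@example.com "
    "or (512) 555-0199. Jane Doe's deposition is scheduled for Monday."
)

if __name__ == "__main__":
    redacted, mapping = pseudonymize(SAMPLE_NOTE, names=("Jane Doe",))
    print(redacted)                 # this is what may leave the firm
    print(audit_summary(mapping))   # this is what goes in the usage log
    # The mapping itself stays on firm systems and is applied to the vendor's reply.
    print(reidentify("Summary for [NAME_1]: contact via [EMAIL_1].", mapping))
```

Two caveats a practitioner should keep in mind. First, pattern matching of this kind removes only direct identifiers it knows about; dates, addresses, case numbers and free-text descriptions can still identify a person, so this supports data minimization but does not by itself satisfy HIPAA's de-identification standards. Second, the mapping is as sensitive as the original data and must never be sent to the vendor or written to the usage log, which is why the log receives counts only.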

Texas Data Privacy and Security Act (TDPSA)

  • Applicability: Determine if the TDPSA applies to your firm. It reaches persons who conduct business in Texas or produce products or services consumed by Texas residents and who process or sell personal data, unless exempted (for example, small businesses as defined by the U.S. Small Business Administration, which are still required to obtain consent before selling sensitive data, and data already regulated under HIPAA or GLBA).
  • Consumer Rights: If the TDPSA applies, be prepared to ensure clients' rights regarding their personal data processed by AI, including:
    • Confirmation of processing.
    • Access to their data.
    • Correction of inaccuracies.
    • Deletion of data.
    • Opt out of processing for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
    • Data portability.
  • Data Security: Implement reasonable data security practices appropriate to the volume and nature of personal data handled by AI systems, as required by TDPSA.
  • Privacy Notices: Ensure your firm's privacy notice is clear, accessible, and accurately reflects data collection and processing practices, including the use of AI and how consumer rights can be exercised.
  • Risk Assessments: Conduct data protection assessments for processing activities that present a heightened risk of harm to consumers, which may include certain uses of AI.

Health Insurance Portability and Accountability Act (HIPAA) and Texas Medical Records Privacy Act (TMRPA)

  • Applicability: If your firm handles Protected Health Information (PHI) as defined by HIPAA (e.g., representing healthcare clients, handling medical malpractice cases with access to patient records), both HIPAA and the Texas Medical Records Privacy Act (TMRPA) likely apply. A law firm that receives PHI from a covered-entity client in order to provide legal services is itself a HIPAA business associate, and TMRPA defines "covered entity" broadly enough to reach anyone who comes into possession of PHI, including law firms.
  • PHI Handling with AI: AI tools processing PHI must meet stringent HIPAA and TMRPA security and privacy standards.
    • Ensure any AI vendor that will receive PHI has signed a Business Associate Agreement (BAA) before any PHI is disclosed to it; a vendor that will not sign a BAA cannot be used for PHI.
    • Verify the vendor's compliance certifications (e.g., HITRUST, SOC 2 Type II).
    • Implement access controls and encryption for PHI used with AI.
    • TMRPA Training: TMRPA requires formal privacy training for employees who handle PHI within 90 days of hire and at least once every two years; employees must sign a statement verifying attendance, which the firm must retain for at least six years. This training should cover the specific risks of using AI tools with PHI.
    • Overlap/Differences: While TDPSA may exempt HIPAA-covered data, TMRPA can apply more broadly to entities handling medical records that may not be strictly PHI under HIPAA. Understand which law applies to specific data sets.