How laws strain to keep pace with AI advances and data theft

It’s a common belief that the law often has to play catchup with technology, and this remains apparent today as the latter continues to evolve at a fast pace. 

With the advent of generative artificial intelligence (Gen AI), for instance, some important legal questions still need to be addressed. 

First, policymakers must decide how to best balance the use of data to train AI models with the need to protect the rights of creators, said Jeth Lee, chief legal officer for Microsoft Singapore. 

Also: Generative AI brings new risks to everyone. Here’s how you can stay safe

Choosing one extreme can stifle or kill innovation in AI, but it’s also not possible to allow free-for-all access to all content and data, Lee said in a video interview. 

There also are legal questions that need to be resolved regarding whether data generated from Gen AI tools have IP (intellectual property) rights, he said. And if they do, who owns those rights? For instance, is there sufficient creativity in content made from the use of a Gen AI application to warrant IP rights for the user or should the Gen AI tool have rights to it? 

Until these issues are addressed, AI players such as Google, OpenAI, and Microsoft have pledged to assume responsibility for the potential legal risks, should customers of their Gen AI products be challenged on copyright grounds. Google’s training data indemnity, for instance, “covers any allegations” that the tech vendor’s use of training data to create its generative models, which is used in a Gen AI service, infringes on a third-party’s IP rights. 

To be covered by the indemnity, customers typically are presumed to not have knowingly used copyright-infringing data and should not have jailbroken the tool or removed its safeguards. 

Asked about common concerns that organizations have about AI, Lee pointed to the foremost need to figure out how to extract value from Gen AI. 

Organizations also are concerned about how to address copyright challenges related to the use of Gen AI as well as data protection, he said. Organizations want to know where their data flows to across the AI systems, how to protect this data, and who should be responsible when there is a breach, such as when an AI system malfunctions, he noted. 

Also: AI scholar Gary Marcus makes a strong case for an AI regulatory agency

“We’ve come a long way since the start of Gen AI rollouts,” he said, adding that increased awareness and education about Gen AI has reduced the number of legal grey areas around the technology.  

Need for stronger deterrence against data theft

In Singapore, meanwhile, there are suggestions that new legislation in other areas may provide stronger deterrence against data theft and offer clear recourse for victims. 

Organizations that experience data theft in the Asian market typically turn to civil claims for breach of confidence as recourse, said a spokesperson from law firm Baker McKenzie Wong & Leow. 

This, however, may not provide data theft victims with the type of justice they seek, she said in an email interview.

“Also, it may struggle to send a clear deterrent message to the public that such misdeeds should not be condoned, especially in today’s digital age and Singapore’s drive to be a smart nation,” she noted. 

“While Singapore has done lots to make good on its goal of becoming an IP (intellectual property) hub, we presently do not have any legislation specific to trade secrets misappropriation or that provide direct criminal penalties for the same,” she said. 

Also: Safety guidelines provide necessary first layer of data protection in AI gold rush

The law firm believes it may be time for Singapore to consider whether such legislation is appropriate; many other countries have equivalent statutes in place. 

Markets that have enacted trade secrets laws include Germany, Japan, China, and the US. 

“This would not only help deter data theft but also assure businesses their confidential commercial data is adequately protected through a robust framework of IP laws,” the spokesperson said. 

One organization, Genk Capital, agrees. The Singapore-based trading firm filed a civil and criminal suit against a former employee for copying Genk’s proprietary data before leaving the company to join a competitor. The employee was found to have copied data that included trading strategy, client details, and transactions. 

Also: Businesses still ready to invest in Gen AI, with risk management a top priority

Filed in 2021, the criminal suit resulted in a conviction, with the judge’s ruling and sentencing issued in October 2023. 

Genk had earlier filed a civil suit against the employee for breach of contract, breach of confidence, and copyright infringement.

“I felt any remedies we could obtain from the civil suit, such as monetary compensation, simply were not commensurate with the gravity of the data theft,” Terence Koh, Genk’s founder and executive director, told ZDNET in an email. 

He decided to settle the suit without financial compensation from the former employee, stating in the settlement agreement that the company aimed to “send a deterrent message” that employees should not copy and exploit confidential information belonging to their employers. 

Also: Gen AI could speed up coding, but businesses should still consider risks

Koh said he then pursued a private criminal prosecution under Singapore’s Computer Misuse Act, adding that a criminal conviction would better reflect the severity of the crime and the value of Genk’s stolen proprietary data. “I am also a firm believer in the rule of law and wanted to see justice done,” he added. 

The two-year process led Koh to question why Genk’s best recourse was “a relatively obscure piece of legislation” that is more often used for traditional computer misuse cases, such as unauthorized access to email accounts and computer systems. 

“It probably is not built for commercial data theft cases like ours,” he said, noting that the former employee was ordered to pay just SG$5,000 ($3,711) despite the court’s ruling that his acts were premeditated and he had deleted incriminating evidence to cover his tracks. 

“Nonetheless, the Act was our best option in the absence of specific legislation for trade secrets theft,” Koh said. “I find it hard to believe that a pro-business IP hub like Singapore does not have a direct criminal penalty for trade secrets theft.”

Also: Train AI models with your own data to mitigate risks

The case suggests the need for specific legislation to address trade secrets theft with criminal penalties, he noted, adding that this would benefit especially small and midsize businesses that may lack resources to prevent such theft. 

In addition, fear of criminal consequences would deter errant employees and encourage a pro-business environment, he said. 

“Having trade-secrets specific legislation is not a novel concept. Many of our neighboring countries, and others globally, have such statutes,” Koh said. “By adopting similar measures, Singapore can better align itself with international standards, enhancing its reputation as a safe and secure place to do business.”

While the country does not have a formal trade secrets law, the Intellectual Property Office of Singapore (IPOS) does offer a Trade Secrets Enterprise Guide to help businesses better protect and manage trade secrets. The document includes examples of available trade secret tools and services that enterprises can tap. 

In a report published in January 2024, the US International Trade Administration (ITA) noted that “Singapore has no specific legislation concerning the protection of trade secrets.” 

Also: Your AI transformation depends on these 5 business tactics

Instead, the Asian market protects investors’ commercially valuable proprietary information under common laws such as the Penal Code and the Computer Misuse Act, the US agency said. 

“United States industry has expressed concern that this provision is inadequate,” ITA said. 

The two countries have a free trade agreement. 

READ MORE HERE