Employers, of course, must understand how AI can be used for Human Resources functions such as hiring, monitoring, and performance evaluations; to assist in maintaining the organization’s competitive edge; and the legal risks associated with AI use. Employees must be aware of the organization’s standards for use of AI and how to avoid creating data security or privacy risks, while also understanding how to use AI in compliance with the employer’s policies and practices.

Regulatory background

As we have reported here and here, AI-specific regulation is relatively limited, even in states such as California, Colorado, and Virginia, which tend to be at the forefront of regulating new technologies. Most of new legislation is directed at amending or supplementing existing laws. Although the majority of legislation is directed at “high-risk systems” and preventing “algorithmic discrimination,” the breadth and complexity of issues have made it exceptionally challenging for policy makers to reach a consensus on how to regulate AI.

At the federal level, Congress has shown no indication that it will pursue sweeping AI regulation. However, just two weeks ago, tucked in the U.S. House of Representatives Energy and Commerce Committee’s markups for budget reconciliation was a provision that would prohibit states from enforcing any law or regulation related to AI for ten years after enactment. This moratorium passed the House on May 22, albeit with slight changes intended to ensure that the provisions focused on interstate commerce. It is not clear that the moratorium will pass in the Senate, but if enacted, it is almost certain to face challenges immediately on both interstate commerce and Tenth Amendment grounds. Thus, it appears that Congress is willing to influence federal policy on AI one way or another, and employers should continue to monitor developments.

in the employment context, much of the regulation that exists concerns the use of AI in recruiting and hiring processes. One of the earliest laws regulating use of AI in employment contexts was New York City’s Local Law 144, and since its enactment in 2023, a number of states have imposed limitations on the use of AI for hiring – most notably, Colorado, Illinois, and Maryland. The state laws generally focus on transparency and avoiding discrimination. Businesses covered by the laws are generally required to provide certain disclosures about their AI use and to obtain prior consent from employees or applicants regarding the use of AI in hiring.

AI challenges unique to employers

The rise of remote work has resulted in new challenges relating primarily to workforce monitoring. Employers who use activity trackers must ensure that they do not violate any AI or data privacy regulations. AI and data privacy issues also arise when physical badge swipes and technology that monitors employee movements are used in preparing performance evaluations and making employment decisions.

In addition to employee privacy, employers must be concerned about their own privacy – in other words, the confidentiality of the company’s proprietary or personnel information, including employee medical information. Employers should train employees about the importance of avoiding inappropriate disclosures when using AI.  

Employers must consider the possibility that use of AI to screen applicants can result in discrimination claims. Algorithms may be based on older data that can perpetuate discriminatory hiring decisions. For example, an algorithm may be based on data from a time when employees in a certain job category were predominantly white, or male. If so, the algorithm may select applicants who are white males based on this historical data, which can result in discrimination claims by female or minority applicants who are screened out before the employer is even aware of their existence. AI applicant screening has also been alleged to eliminate older applicants, and applicants with disabilities.

With current employees, AI monitoring tools may fail to account for reasonable accommodations. For example, an employer may use an AI tool to monitor and track employee productivity, and the tool flags atypical breaks but is not programmed to consider accommodations. As a result, the tool may flag an employee for disciplinary action for taking excessive breaks, even though the employee was given the additional break time as a reasonable accommodation for a disability. As we previously reported, the California Privacy Protection Agency has issued proposed regulations to address this issue. Comments are still being accepted on the proposed regulations.

The above illustrates that employers must ensure that they do not over-rely on AI tool outputs. A human still needs to ensure that AI tools are functioning accurately and to validate outcomes. Otherwise, the employer could face liability under the anti-discrimination or other employment laws. If the employer is using AI tools provided by a vendor, it should understand that both the employer and the vendor can be liable for any violations. Thus, the employer should exercise appropriate oversight and also consider including indemnification provisions in its contract with the vendor.

Suggestions for employers using AI

As employers continue to adopt and integrate AI, there are three foundational elements that they should put into place and maintain:

• Appoint a cross-functional group with authority to oversee all AI issues in the organization – in other words, to comprehensively manage AI for the entire business.
• Set ground rules for AI use, for example, by adopting an enterprise-wide “AI Acceptable Use” policy, or by developing a comprehensive governance framework for managing and assessing AI compliance, perhaps based on the NIST AI Risk Management Framework, and providing ongoing training to employees.
• Create a risk assessment process that evaluates AI uses both pre- and post-deployment, which should be periodically updated to incorporate any changes to the employer’s uses of AI, risk tolerance, or regulatory developments.

The Constangy Cyber Team assists business of all sizes and industries with compliance needs. If you would like additional information, please contact us at cyber@constangy.com.