Hogan Lovells Team presents to elite group of general counsels at National Retail Federation’s Annual Big Show in New York City

AI in the Retail Sector

“AI” broadly refers to the field within computer science concerned with developing computer systems that perform specific functions or tasks which would normally require human intelligence.    “Generative AI,” a subset of artificial intelligence, focuses on creating data, content, or even entire products, autonomously. With its ability to amalgamate and analyze virtually limitless sources, generative AI has the potential to transform the retail industry, how consumers shop, and how retailers compete. 

During the presentation, Meryl Bernstein and MK Barker highlighted the importance of AI in the retail industry, both in terms of enabling greater personalization for consumers and driving revenue, and outlined key ways in which retailers are adopting AI. On the customer support front, generative AI is increasingly being used to power customer service chatbots, AI-powered shopping assistants, and personalized product recommendations. Generative AI is also being deployed to optimize supply chains and can be a key driver of internal cost savings by automating certain internal processes.  Finally, AI tools are also being used to detect anomalies and suspicious patterns in purchasing behavior, allowing retailers to respond to fraud threats in real-time.

While the potential applications of generative AI in the retail sector are plentiful (as are their prospective benefits), there are many associated legal considerations. Our team discussed various IP, cybersecurity and other legal compliance risks that retailers should consider when deploying AI in their businesses. As our team explained, the U.S. Copyright Office has issued a bright-line policy requiring human authorship for copyright eligibility, stating that AI-generated works do not meet this requirement in most cases. Retailers should keep such policy in mind when assessing whether to use AI tools to prepare content they may ultimately want to protect, like product page copy, product images, and marketing content. Further, using AI-generated content may also give rise to allegations of copyright infringement, among other potential legal claims. 

Roshni Patel then provided an overview of privacy and other risks associated with AI adoption, which risks include the possibility of discriminatory outcomes caused by biased training data, as well as security threats to systems arising from the use of third-party AI tools. Roshni also touched on the risks associated with the use of personal data for training, in addition to the potential for overreliance on fully automated decisions without appropriate human oversight. When adopting AI tools, retailers are well-advised to implement protections for personal data and ensure that individuals’ information is handled responsibly, securely, and transparently throughout its lifecycle.

In terms of legal and regulatory compliance, our team emphasized that there is currently no comprehensive federal AI legislation or regulation in the United States. Developers and users of AI thus have to comply with a patchwork of state and local laws – in additional to international laws, in the case of global companies – which makes compliance challenging. Meryl and MK provided an overview of key international laws, such as the European Union’s AI Act, as well as pending federal legislation in the U.S., President Biden’s Executive Order on AI, and AI laws at the state level, and noted that an internal AI governance committee can be helpful in tracking compliance obligations.

Finally, our team provided the general counsels with a set of clear and practicable steps that they can take internally within their companies to mitigate the risks associated with using AI tools. Such steps include:

• Adopting an internal AI use policy;

• Forming a committee specifically tasked with AI governance, which includes representatives from the company’s legal, business, and technical teams, to monitor (i) compliance with the company’s AI use policy, and (ii) updates in applicable laws and regulations;

• Specifically designating which company data, content, and materials can be ingested into AI tools;

• Monitoring and placing guardrails on the use of AI output;

• Engaging in best practices when licensing AI tools from third parties; and

• Ensuring that the company’s use of AI is consistent with its overall policy and strategic goals.

Cybersecurity and the Retail Industry

Nathan Salminen provided an overview of the cybersecurity threat landscape, ranging from hacktivists who use computer networks to advance their political or social causes to actors engaging in espionage, terrorism or warfare on cyber systems. Nathan reported that, according to the Ponemon Institute and IBM’s 2023 Cost of a Data Breach Report, average data breach costs rose from $4.35 million in 2022 to $4.45 million in 2023, reaching an all-time high. 

Retail companies in particular are increasingly being targeted in cybersecurity attacks, with 8.6% of all cyber investigations involving retailers. These attacks are frequently taking the form of ransomware, with the ransomware-as-a-service model becoming increasingly common (in which affiliates engage in attacks in a professional and “business-like” manner). Threat actors are also engaging in “SIM swapping,” whereby a threat actor assumes control of a victim’s phone number by tricking wireless carriers into connecting the victim’s number to a SIM card in the threat actor’s possession. Finally, threat actors are using AI to conduct increasingly sophisticated and targeted social engineering attacks, including by using deepfake audio and video recordings to impersonate family, friends and coworkers. 

Nathan then presented a hypothetical case study (based on real-world cybersecurity threats) and invited the audience to brainstorm potential responses. This thought exercise spurred a lively discussion, with several general counsels weighing in with best practices adopted within their own businesses. 

Conclusion

With both the use of AI tools and cybersecurity threats on the rise, retailers must find ways to harness the power of new technologies without sacrificing the security of their systems. Retailers are thus well-advised to not only adopt best practices with respect to AI and cybersecurity, but also continually reevaluate and update such practices, as the risk landscape is ever-changing. Should you have questions or require assistance with your company’s AI and/or cybersecurity practices, please contact our team.

Authored by Meryl Bernstein and MK Barker.