AI systems are only as good as the data behind them, says Norton Rose Fulbright LLP corporate lawyer
As artificial intelligence becomes increasingly employed in a broader range of businesses, those making acquisitions will want to conduct “rigorous due diligence” to evaluate AI system risks before proceeding with a deal, says Liana Di Giorgio of Norton Rose Fulbright LLP.
Companies that use AI can be “a pretty attractive acquisition opportunity,” says Di Giorgio, a senior associate in the firm’s Toronto office who advises on data protection, privacy, and cybersecurity laws and assists with M&A and other transactions. But, she adds, the quality of the AI-based system “is only as good as the data that goes into it.” Therefore, risks associated with the input data used to train the system should be a key consideration when conducting due diligence.
Read more about cybersecurity law of Canada, such as the different statutes governing cybersecurity and how it protects consumers and businesses alike.
The quality of the data can have an impact on the AI model’s ability to generate satisfactory predictive solutions, she says. As well, data “bias” is a crucial risk. Race, gender, age, economic or other input information may skew the data, making the system susceptible to errors or ethical concerns.
Di Giorgio says that to reduce the risk of acquiring problematic data, buyers should ensure that the intended acquisition has systems to identify and eliminate biases in the AI system and that the target prioritizes data ethics. “It is important to see if the workflow incorporates identifying [information] and addressing any bias in the data.”
Another consideration for AI due diligence is to ensure that the target has taken appropriate measures to comply with ever-evolving data privacy laws and prioritized cybersecurity. Accordingly, exploring these issues during the due diligence process is critical.
Data privacy should also be part of the due diligence process, Di Giorgio says. Potential buyers should ensure that the acquired firm complies with legislation relating to storing, disclosing, and protecting personal information.
In Canada, the Personal Information Protection and Electronic Documents Act and similar provincial statutes set out requirements for how private organizations should handle personal information. Di Giorgio also notes that the global trend is towards regulators strengthening privacy rules related to AI and that legislation governing data privacy can change.
For example, the federal government recently introduced Bill C-27, the Digital Charter Implementation Act, 2022, which, if passed, would introduce legislation that essentially replaces PIPEDA. It would also include a framework and rules for regulating AI systems.
Another possible vulnerability when considering an acquisition is cybersecurity. It is a good idea to ask cybersecurity experts to identify potential weaknesses. Acquirers should be mindful of how security issues could impact the integrity of input data. “What protections are in place to ensure the integrity is preserved? That is important,” Di Giorgio says.
Any due diligence on acquiring an asset with an AI component should also look at the “highly specialized talent” that works with the system. “These are the data scientists and engineers who are critical to the model,” she says, “so you don’t want to lose them after the acquisition. If these employees were to leave, your AI model isn’t worth as much as it was. Despite the data, the people-related risks are a huge part of assessing any transaction.”
Finally, any due diligence involving an acquisition with an AI component should also identify the intellectual property rights that may exist, Di Giorgio says. “Is the data owned or licensed? Are there copyright or trade secrets protecting the component of the AI system that may not be registered in the appropriate jurisdictions?”
As an example, Di Giorgio says that if trade secrets protect an AI system, it is important that acquirers confirm that the target has taken precautions to ensure these trade secrets remain confidential, potentially through non-disclosure agreements.
“Has the acquisition target entered into agreements that they would need to with employees, with consultants, with suppliers, and customers to make sure that trade secrets are protected? That it remains confidential.”
While it’s essential to look at AI considerations during the due diligence process for an acquisition, Di Giorgio says its potential buyers must assess how important the AI component is to the entire business. “Sometimes, it plays a critical role. Other times, perhaps not so much.”
Still, Di Giorgio says that AI technologies continue to evolve, and the number of M&A transactions in this space will continue to grow. To mitigate risk, it is critical that acquirers “carefully consider the unique issues associated with acquiring or investing in an AI company” and stay current on due diligence practices in this area.