AI insurance is not cyber insurance that requires extra steps

 Clio

Many insurance companies and the businesses they underwrite are viewing AI risks as cyber issues in new garb. Early lawsuits are quietly explaining why this is a category error, and the companies that understand the difference first will be first when the market corrects.

You can feel the instinct in every boardroom conversation. Artificial intelligence looks like cyber. It echoes cyber. Underwriting muscle memory reaches for cyber.

This muscle memory is about to get expensive.

Look at where the cases actually arose. Not a breach. Not ransomware. Not a leak. The exposure stemmed from an ordinary customer call, a chatbot interaction, a healthcare consultation, a meeting note, and default settings hidden in a vendor contract that someone clicked through eighteen months ago.

In Valencia v Summons, a federal court in California declined to dismiss claims that an artificial intelligence call analytics vendor was in effect a third-party eavesdropper, silently listening in on customer calls, transcribing them, analyzing sentiment and feeding the results back to the businesses that purchased the tool. This behavior is not hacking. It is the product working exactly as it did when purchased.

It is worth noting that these cases often turn on decisions that businesses have not considered: defaults left in place, notices drafted three years before the feature existed, vendor permissions granted on procurement forms by people who did not understand how the data would be used later. This pattern is not an omission in the traditional sense. It is the gap between what an organization thinks it is doing and what its systems actually do on its behalf. Once you identify this gap, you stop looking for AI risks in the obvious places and start looking for them in the gaps between people, processes, and procurement.

The question worth keeping in mind is not whether companies use artificial intelligence. Almost everyone does, or soon will. The question is where AI changes the legal character of the relationship between businesses and the people they affect.

Consider consent. "This call may be recorded" has worked quietly and reliably for two decades. It is familiar. It is accepted. Most customers accept it without a second thought. GenAI breaks that sentence.

Are calls just recorded, or are they transcribed in real time by a third-party model? Is sentiment analyzed? Are records retained and used to improve the supplier's underlying systems? Are the customer's voice, words, emotions, or intentions handled in a manner that exceeds the ordinary expectations created by the notice?

Courts have adopted a so-called "capabilities only" approach to California's Invasion of Privacy Act (CIPA). At the pleading stage, it is sufficient that the provider can use the content of the call for its own purposes. The plaintiff does not have to prove that the supplier did so. This is a meaningful lowering of the threshold and should be read carefully by anyone who owns a prospective property involving a California resident.

In AI exposure, consent architecture becomes as important as access control.

This does not mean that every notice has to read like a legal article. It means that the words presented to customers, patients, employees, and users must truly match what the AI system is doing behind the scenes. The question is not what the company intends. The question is what the system does.

This brings us to vendors, and this is where the cyber comparison most notably fails.

Most businesses do not have a foundation model of their own. They buy the tools, enable features, integrate with the platform, and accept the defaults. The AI footprint of a typical enterprise is less a designed structure than an accumulation of procurement decisions made by different teams, in different quarters, and under different business pressures.

In the cyber domain, vendor risk is built around dependencies, aggregation, disruption, security controls, and breach paths. These questions remain important in artificial intelligence. But AI vendor risk adds a dimension that cyber underwriting has never been able to address.

That dimension is legal character. Does the vendor just provide tools for your business? Or does the vendor independently receive, analyze, retain, enrich or use the data flowing through the tool? This distinction can change whether notice is sufficient, whether consent is meaningful, whether a business understands the risks it is taking, and whether the ultimate claim is one of cyber, technology errors and omissions, privacy, media, professional liability, regulatory defense, or management liability. The claim only needs to find a home.

Forum matters too. In Lisota v. Heartland Dental, Inc., an Illinois federal court rejected a similar claim based solely on federal wiretap law, applying a "normal course of business" exception to a call platform where AI-powered transcription and analysis is considered core to its services. The federal statute has escape routes that CIPA does not. Lawsuits will concentrate in jurisdictions where state wiretap laws give plaintiffs a foothold that federal statutes deny them.

We all need to know where AI is changing this relationship. Customer service chatbots are not the same as in-house mapping tools. A call center analytics platform is not the same as a marketing copywriting assistant. Ambient healthcare transcription tools are different from backend summary products. A model trained on public information is different from a model fine-tuned on customer content.

This pattern is already visible in the new filings. Plaintiffs are challenging Google over Gemini smart features that they say are turned on by default in Gmail, Chat and Meet. They are challenging a Figma terms change that opts customers into content training by default. They are challenging healthcare providers over ambient artificial intelligence tools that allegedly record clinical conversations and generate notes that falsely indicate patients have given consent. The products are different and the industries are different, but the structural problems are the same.

The AI use case tells you almost everything here.

You also need evidence. It is no longer enough to simply say that notices exist, that the vendor does not plan to train on customer data, and that tools are configured in a compliant manner. Can you prove it? Can you show what the customer saw on the relevant date? Can you show which version of the supplier terms applied? Can you show whether the model training permission was on or off?

Regulators are moving in the same direction. The vocabulary of the EU, UK and US is different, but the direction is the same: transparency, accountability, lawful data use, explainability, governance, oversight, evidence. None of this requires panic, just some precision.

Leaders who fold AI into cyber may only discover the gaps when they receive claims that don't match the policies they purchased. Leaders who treat AI as a change in business conduct, relationships, governance and evidence discipline will ask better questions of their vendors, lawyers, brokers and boards of directors.

In underwriting and business, better questions are often the first competitive advantage.

More difficult questions lie ahead. How much of this risk truly falls into insurance categories that already exist, and how much requires something that the market has yet to establish?

This is a conversation worth starting as early as possible.
