Your employees are already using AI. A 2025 Microsoft survey found that 75% of knowledge workers use generative AI tools at work, and more than half brought their own tools without telling their employer. For New York businesses, this creates a confidentiality problem that most companies have not addressed.
When an employee pastes a client email into ChatGPT to draft a response, uploads a financial spreadsheet to an AI analysis tool, or feeds a draft contract into an AI assistant for review, they may be disclosing confidential business information to a third-party platform with no contractual obligation to protect it.
The Confidentiality Gap
Most businesses protect confidential information through nondisclosure agreements, employment agreements, and internal policies that restrict sharing proprietary information with third parties. The problem is that these protections were written before generative AI existed. They typically define “disclosure” in terms of sharing information with people or organizations — not uploading it to an AI model.
An employee who would never email a trade secret to a competitor may think nothing of pasting it into an AI tool to get a summary or analysis. From a legal standpoint, the effect can be the same: once information enters a third-party AI system, the business loses control over how it is stored, processed, and potentially used.
Trade Secret Implications Under New York Law
Trade secrets in New York are protected under state common law and, at the federal level, under the Defend Trade Secrets Act (DTSA). A critical element of trade secret protection is that the owner must take “reasonable measures” to keep the information secret. If a business allows employees to routinely input proprietary information into consumer AI tools without restriction, a court could find that the business failed to maintain reasonable secrecy — potentially destroying trade secret status entirely.
This is not a theoretical risk. Companies that lose trade secret protection in litigation often point to the moment their internal controls broke down. Unrestricted AI use is becoming one of those moments.
Client and Customer Data Risks
For businesses that handle client data — financial services firms, healthcare providers, professional services companies — the stakes are even higher. Inputting client information into an AI tool may violate contractual confidentiality obligations, data processing agreements, HIPAA (for health information), the Gramm-Leach-Bliley Act (for financial data), and New York’s SHIELD Act requirements for reasonable data safeguards.
A single employee using an unapproved AI tool to process client data can trigger breach notification obligations, regulatory investigations, and civil liability.
What New York Businesses Should Do Now
The solution is not to ban AI — that is neither practical nor advisable in a competitive market. The solution is to establish clear policies and approved tools that allow employees to use AI productively while protecting confidential information.
Effective AI governance for a New York business should include a written AI acceptable use policy that specifies which tools are approved and what types of information may and may not be entered into them. It should also include updates to employment agreements and NDAs that explicitly address AI tool usage, selection of enterprise AI tools with contractual data protections (no training on your data, data deletion, encryption), employee training on the confidentiality risks of generative AI, and regular audits of AI tool usage across the organization.
Getting Ahead of the Problem
Most businesses will not address AI confidentiality until something goes wrong. The companies that protect themselves are the ones that build governance frameworks before an incident forces their hand.
At Travis & DeBlase PLLC, our AI Enhanced General Counsel practice helps New York businesses develop AI policies, update their confidentiality protections, and select AI tools that align with their legal obligations. If your business has not yet addressed how employees use AI, contact us before the problem finds you.