Using artificial intelligence can pose risks for advisors
Published on July 18, 2025
Artificial intelligence (AI) is now part of everyday life for many professionals, including those in the insurance industry. Tools such as Microsoft Copilot or OpenAI's ChatGPT are now integrated directly into our work environment, often without us even realizing it.
But even though we hear a lot about them, few people know how these tools actually work... and more importantly, what risks they can pose in a practice like yours.
This column aims to explain simply:
- how these tools work;
- where the data supplied to AI goes;
- what the real risks are;
- and how to use them responsibly and compliantly.
How does generative AI really work?
Unlike Google, which gives you a list of links, these tools respond to you directly, in natural language. You can ask them a complex question, submit a text for translation or a topic for writing, or even ask them to extract data from an existing table.
These tools analyze what you give them, understand the context and construct an answer. This is what we call conversational AI.
Depending on the version used (free or professional), some of your information may be temporarily retained. For example, if you have activated this function, ChatGPT Plus may keep certain elements from one session to the next. In Copilot, the tool relies on what's present in your Microsoft 365 environment, without, however, retaining your data on its own.
This power is useful... but it comes with responsibilities.
Where does your data go, and why might that be a problem?
When you use AI, the data you submit is processed outside your computer, often on servers located in the USA or elsewhere.
As soon as data leaves your local environment, Quebec's Act to modernize legislative provisions as regards the protection of personal information (Bill 25) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) apply.
These laws require you to:
- protect personal information;
- know where data is hosted;
- assess the security of the external environment;
- obtain informed consent from the customer;
- and, in some cases, carry out a privacy impact assessment (PIA) before processing sensitive data with technology such as AI.
Simply copying and pasting a Social Insurance Number (SIN), contract number or customer report into a tool like ChatGPT, without anonymization, can put you in breach, even if your intention is good.
The risk isn't just “in the cloud”: it's also at home
Most advisors think that the danger comes from the outside. In reality, the first source of leakage is often your own Microsoft 365 environment.
Copilot, for example, can access everything you have access to: your Word files, emails, Excel sheets, OneNote notes, Outlook appointments and so on.
It doesn't read your mind... but it does read your files.
So if a confidential document is misfiled, or a folder is shared without restriction, Copilot could bring it out without your explicit request. An assistant typing “show me the customer files” could bring up sensitive information. Not because the tool did anything wrong, but because you didn't configure access properly.
What the law says: full responsibility
As an independent financial professional, you have the same rights as the big institutions: you can manage your own clients, generate significant income and build a practice in your own image. But that comes with an equivalent responsibility. If institutions are investing hundreds of millions a year in cybersecurity, it's reasonable to expect you to invest a minimum – in time, tools and rigor – to protect your data.
PIPEDA reinforces this requirement at the federal level, imposing principles such as transparency, limited retention, informed consent and right of access.
And beware: even if you use a reputable tool, the responsibility lies with you. The customer won't sue OpenAI or Microsoft. They'll turn to you.
How can you use AI responsibly?
Here are a few simple rules to follow in your practice.
- Never paste personal information (SIN, account numbers, financial goals, etc.) into your queries.
- Always anonymize your cases: use “customer A”, “contract B”, etc. instead.
- Regularly check accesses in your Microsoft 365 environment (e.g. SharePoint, OneDrive, shared groups) to ensure they are appropriate.
- Train your team, including your assistant, on the right reflexes to adopt.
- Establish a clear policy for AI use, including what the tool can and cannot do, and who can use it.
- Check where your data will be hosted. Hosting in Canada is ideal; if the data is hosted elsewhere, clearly inform the customer.
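One way to apply the anonymization rule above before a note is pasted into an AI tool, as an added example that is not from this column or from any of the tools it names: the script below replaces SINs (checked with the Luhn check digit that Canadian SINs carry, so a random nine-digit ticket number is left alone), e-mail addresses, contract numbers in an assumed "AA-123456" format, and the customer names you list with stable placeholders in the "customer A", "contract B" style, keeps the placeholder-to-value mapping on your own machine, and can put the real values back into the summary the AI returns. The sample note, the name, the SIN and the contract numbers are all constructed for the example.

```python
"""Added example: anonymize a customer note before it goes to an AI tool.

Assumptions (not from the article): the SIN, e-mail and contract formats
below are the ones a practice wants to catch; the contract format AA-123456
is hypothetical. This is a regex-plus-Luhn redactor, not a full PII scanner,
so anything it does not recognise must still be reviewed by hand.
"""
import re
from string import ascii_uppercase

# Canadian SIN: nine digits, usually written as three groups of three.
SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
# Hypothetical contract-number format for this example: 2-3 letters, dash, six digits.
CONTRACT_RE = re.compile(r"\b[A-Z]{2,3}-\d{6}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_valid(digits: str) -> bool:
    """SINs carry a Luhn check digit; verifying it avoids redacting every
    nine-digit run (a ticket number, a file reference) as if it were a SIN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Redactor:
    """Replaces identifiers with stable placeholders and keeps the mapping
    locally, so an AI-produced summary can be re-identified afterwards
    without the real values ever leaving the machine."""

    def __init__(self) -> None:
        self.mapping: dict[str, str] = {}   # placeholder -> original value
        self._seen: dict[str, str] = {}     # original value -> placeholder
        self._count: dict[str, int] = {}    # placeholders issued per kind

    def _placeholder(self, kind: str, original: str) -> str:
        if original not in self._seen:
            n = self._count.get(kind, 0)
            self._count[kind] = n + 1
            label = f"{kind} {ascii_uppercase[n % 26]}"
            self._seen[original] = label
            self.mapping[label] = original
        return self._seen[original]

    def redact(self, text: str, customer_names: tuple[str, ...] = ()) -> str:
        def sin_sub(m: re.Match) -> str:
            digits = "".join(m.groups())
            if not luhn_valid(digits):
                return m.group(0)           # fails the check digit: not a SIN
            return self._placeholder("SIN", digits)

        # Structured identifiers first, so a name inside an e-mail address
        # does not get split by the name pass below.
        text = SIN_RE.sub(sin_sub, text)
        text = CONTRACT_RE.sub(lambda m: self._placeholder("contract", m.group(0)), text)
        text = EMAIL_RE.sub(lambda m: self._placeholder("email", m.group(0)), text)

        # Names are supplied by the caller (the tool cannot guess them). The
        # full name and each part of it map to the same "customer X" label;
        # longest variant first so "Marie Tremblay" wins over "Marie".
        for name in customer_names:
            label = self._placeholder("customer", name)
            variants = [name] + [p for p in name.split() if len(p) > 2]
            for v in sorted(variants, key=len, reverse=True):
                text = re.sub(rf"\b{re.escape(v)}\b", label, text, flags=re.IGNORECASE)
        return text

    def reidentify(self, text: str) -> str:
        """Put the real values back into text the AI returned (e.g. a summary)."""
        for label, original in self.mapping.items():
            text = text.replace(label, original)
        return text


# Constructed sample note; the SIN is a Luhn-valid test value, not a real person's.
SAMPLE_NOTE = (
    "Met Marie Tremblay (046 454 286, marie.t@example.com) about AB-123456. "
    "Marie wants to move part of AB-123456 to her spouse's CD-654321. "
    "Internal ticket 123 456 789 stays open."
)


def demo() -> tuple[str, dict[str, str]]:
    r = Redactor()
    safe = r.redact(SAMPLE_NOTE, customer_names=("Marie Tremblay",))
    return safe, r.mapping


if __name__ == "__main__":
    redacted, mapping = demo()
    print(redacted)          # this is what may be pasted into the AI tool
    print(mapping)           # this stays on your machine
```

Paste only the redacted text into the tool; the mapping never leaves the workstation. Because "123 456 789" fails the Luhn check it is left in place, which is the intended behaviour for an internal ticket number, but it also means a real identifier in an unexpected format will not be caught, so the output still needs a glance before it is sent.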
Special attention should also be paid to automated meeting recording or transcription tools. Several inexpensive solutions seem attractive, but their compliance with Bill 25 is often insufficient. Lack of Canadian hosting, lack of explicit consent, or automatic duplication of data can pose significant risks.
Remember: in this field, what justifies the cost is the security. A reliable tool will include encryption mechanisms, controlled access and full traceability. All of which protect your customers... and your liability.
Are you already using AI in your meetings? Do you know where your data is hosted? Have you documented your customers' consent? Have you carried out a privacy impact assessment? These are questions worth thinking about.
Is your environment at risk?
There are a few easy tests you can do to find out. Here are three examples.
- Ask Copilot a question like: “What are my sensitive files?” or “What do you know about my customers?” If an explicit answer appears, your accesses are too broad.
- Ask your assistant or a colleague to open a confidential file, without a shared link. If this person has access, review the structure.
- Imagine you're in a hurry: would you be tempted to copy and paste a real customer form into ChatGPT to have it summarized? If so, your reflexes need to be revised.
What if it's too late?
If you realize that confidential data has been sent to an AI, or that there is too much access in your environment, there are a few things you need to do.
- Immediately revoke or restrict access to sensitive files (on OneDrive, SharePoint or your internal folders).
- Consult your privacy officer or legal advisor, especially if customer data has been exposed.
- Document what happened: who did what, when, and with what tool.
- Monitor affected accounts for misuse.
- Assess whether a declaration should be made to your provincial privacy commissioner or the Office of the Privacy Commissioner of Canada. This declaration is required if the leak involves personal information and presents a risk of serious harm to the customer.
In conclusion, AI can be your ally, but only if you understand it
It can really improve your efficiency, clarify your communications and speed up your repetitive tasks. On the other hand, it doesn't sort things out for you, guess your intentions or protect you from poor configuration.
Used intelligently, AI is a lever. Used carelessly, it becomes a risk.
Take the time to understand the tool, train your employees or those around you at work, supervise your accesses and make sure you're always in control.