Home » Security Bloggers Network » An Overview of Connecticut SB 1103 | An Act Concerning Artificial Intelligence, Automated Decision-Making and Personal Data Privacy
An Overview of Connecticut SB 1103 | An Act Concerning Artificial Intelligence, Automated Decision-Making and Personal Data Privacy
Introduction
On June 7, 2023, Connecticut Governor Ned Lamont signed Senate Bill No. 1103 – An Act Concerning Artificial Intelligence, Automated Decision-Making and Personal Data Privacy, a landmark law that will increase the transparency and accountability of the state government’s use of AI and automated decision-making tools.
Sections 1 to 3 of the law will take effect from 1 July 2023, whereas Section 4 will become effective from 1 October 2023, and Section 5 will take effect from the passage of the Act.
Definitions of Key Terms
1. Artificial Intelligence
‘Artificial Intelligence (AI)’ means:
A. an artificial system that:
- performs tasks under varying and unpredictable circumstances without significant human oversight or can learn from experience and improve such performance when exposed to data sets,
- is developed in any context, including, but not limited to, software or physical hardware, and solves tasks requiring human-like perception, cognition, planning, learning, communication or physical action, or
- is designed to:
- think or act like a human, including, but not limited to, a cognitive architecture or neural network, or
- act rationally, including, but not limited to, an intelligent software agent or embodied robot that achieves goals using perception, planning, reasoning, learning, communication, decision-making or action, or
- a set of techniques, including, but not limited to, machine learning, that is designed to approximate a cognitive task.
B. State Agency
‘State Agency’ means each department, board, council, commission, institution or other agency of the Executive Department of the state government, provided each board, council, commission, institution or other agency included by law within any given department shall be deemed a division of that department. The term also includes:
- the offices of the Governor, Lieutenant Governor, Treasurer, Attorney General, Secretary of the State and Comptroller, and
- all operations of an Executive Department agency that are funded by either the General Fund or a special fund.
Obligations of the Department of Administrative Services
Under the law, the Department of Administrative Services (DAS) is required to conduct an inventory of all artificial intelligence-based systems used by any state agency by December 31, 2023, and annually thereafter. For each of these systems, each such inventory must have at least the following details:
- The name of such system and the vendor, if any, that provided such system;
- A description of the general capabilities and uses of such a system;
- Whether such a system was used to independently make, inform or materially support a conclusion, decision, or judgment; and
- Whether such a system underwent an impact assessment before implementation.
The DAS is also required to make every completed inventory publicly accessible on the state’s open data site. Furthermore, from February 1, 2024, the DAS must also perform ongoing assessments of systems that employ AI and are in use by state agencies to ensure that no such system:
- results in any unlawful discrimination against any individual or group of individuals, or
- has any unlawful disparate impact on any individual or group of individuals on the basis of any actual or perceived differentiating characteristic, including, but not limited to, age, genetic information, color, ethnicity, race, creed, religion, national origin, ancestry, sex, gender identity or expression, sexual orientation, marital status, familial status, pregnancy, veteran status, disability or lawful source of income.
The DAS must perform the assessments in accordance with the policies and procedures established by the Office of Policy and Management (OPM).
Obligations of the Office of Policy and Management
Beginning February 1, 2024, the law requires the OPM to develop and establish policies and processes regarding the development, procurement, implementation, utilization, and continuous assessment of AI systems used by state agencies. Such policies and procedures must, at the very least, include policies and procedures that:
- Govern the procurement, implementation and ongoing assessment of such systems by state agencies;
- Are sufficient to ensure that no such system:
- results in any unlawful discrimination against any individual or group of individuals, or
- has any unlawful disparate impact on any individual or group of individuals based on any actual or perceived differentiating characteristic, including, but not limited to, age, genetic information, color, ethnicity, race, creed, religion, national origin, ancestry, sex, gender identity or expression, sexual orientation, marital status, familial status, pregnancy, veteran status, disability or lawful source of income;
- Require a state agency to assess the likely impact of any such system before implementing such system; and
- Provide for the DAS to perform ongoing assessments of such systems to ensure that no such system results in any unlawful discrimination or disparate impact.
The OPM must also post the policies and procedures on the office’s website, including any revisions.
Furthermore, from February 1, 2024, no state agency shall implement any system that employs AI:
- unless the state agency has conducted an impact assessment to ensure that such a system won’t have any adverse impacts or result in unlawful discrimination; and
- if the head of such state agency determines that such a system will result in any unlawful discrimination or disparate impact.
Obligations of the Judicial Department
Beginning December 31, 2023, and annually thereafter, the Judicial Department (JD) is required to conduct an inventory of all its systems that employ AI. Every completed inventory must be made publicly accessible on the department’s website.
From February 1, 2024, the JD must also create policies and practices governing the department’s development, procurement, implementation, utilization, and continuing assessment of its systems that employ AI.
Such policies and procedures must, at the very least,
- Govern the JD’s procurement, implementation and ongoing assessment of such systems;
- Be sufficient to ensure that no such system:
- results in any unlawful discrimination against any individual or group of individuals, or
- has any unlawful disparate impact on any individual or group of individuals based on any actual or perceived differentiating characteristic, including, but not limited to, age, genetic information, color, ethnicity, race, creed, religion, national origin, ancestry, sex, gender identity or expression, sexual orientation, marital status, familial status, pregnancy, veteran status, disability or lawful source of income;
- Require the JD to assess the likely impact of any such system before implementing such system; and
- Provide for the JD to perform ongoing assessments of such systems to ensure that no such system results in any unlawful discrimination or disparate impact.
The JD must also post the policies and procedures, including any revisions, on the office’s internet website.
Furthermore, from February 1, 2024, the JD shall:
- Not implement a system that employs AI unless:
- the state agency has conducted an impact assessment to ensure that such a system won’t have any adverse impacts or result in unlawful discrimination; or
- if the head of such state agency determines that such a system will result in any unlawful discrimination or disparate impact.
- Perform ongoing assessments of its systems that employ AI to ensure that no such system results in unlawful discrimination or adverse impact on any individual or a group of individuals.
General Obligation for State Agencies
No state contracting agency shall engage in any contract with a business on or after October 1, 2023, unless such contract contains a provision requiring the business to comply with all applicable provisions of the Connecticut Data Privacy Law (CTDPA) – Sections 42-515 to 42-525 of the General Statutes of Connecticut.
Establishment of a Working Group
The law establishes a working group to engage stakeholders and experts to:
- Make recommendations concerning and develop best practices for the ethical and equitable use of AI in state government;
- make recommendations concerning the policies and procedures;
- assess the White House Office of Science and Technology Policy’s “Blueprint for an AI Bill of Rights” and similar materials and make recommendations concerning the following:
- regulation of the use of AI in the private sector based, among other things, on the said blueprint, and
- adoption of a Connecticut AI bill of rights based on a said blueprint; and
- make recommendations concerning the adoption of other legislation concerning AI.
The working group must submit a report on its conclusions and suggestions to the joint standing committee of the General Assembly, which is responsible for overseeing general law-related issues, by February 1st, 2024. The working group will cease to exist on the day it submits the report or on February 1, 2024, whichever is later.
Key Takeaways for Businesses
If your organization deals in AI-based solutions and engages or intends to engage in business with the Connecticut state government, it must undertake the following as soon as practicable:
-
- Understand the scope of the CTDPA and make efforts to be in compliance with its provisions;
- Conduct internal or external assessments of your AI solutions to ensure that none of them results in:
- Unlawful discrimination against the consumers under the federal or states laws; and
- An adverse impact on the individuals on actual or perceived differentiating characteristics; and
- Prepare your organization to assist your customers who are government agencies to comply with the impact assessment obligations under the law.
The post An Overview of Connecticut SB 1103 | An Act Concerning Artificial Intelligence, Automated Decision-Making and Personal Data Privacy appeared first on Securiti.
*** This is a Security Bloggers Network syndicated blog from Securiti authored by Securiti Research Team. Read the original post at: https://securiti.ai/blog/connecticut-bill-on-ai-automated-decision/