A recent incident involving OpenAI’s ChatGPT platform has sparked renewed concerns around data privacy and the use of AI in the workplace. Thousands of conversations shared by users were inadvertently made accessible via search engines such as Google, many containing personal, sensitive, or commercially confidential information.

These conversations were not stolen or accessed through a security breach. Instead, the exposure occurred due to a feature that allowed users to share links to their AI chats, which were then indexed and displayed in public search results. In many cases, users were unaware their shared content could be found so easily.

The Nature of the Exposure

Among the indexed material were conversations disclosing personal trauma, mental health issues, professional correspondence, legal queries, and even client-specific data. While none of these chats were tied directly to identifiable user accounts, the content itself often contained enough detail to raise concerns about privacy and reputational damage.

This episode highlights the fact that cyber risk is no longer confined to malicious breaches. Human error, poor understanding of digital tools, or subtle user interface choices can all lead to the unintended disclosure of data.

Why This Matters for Your Business

Many organisations now encourage or permit the use of generative AI platforms like ChatGPT for drafting content, summarising documents, exploring ideas, and even communicating with clients. However, without proper safeguards, this reliance on external platforms creates serious data governance risks.

Key issues include:

• Accidental leakage of confidential data through external tools.

• Lack of clarity on data retention and indexing policies for shared content.

• Misunderstanding of what constitutes a “private” interaction online.

These are not theoretical risks, they have real consequences for compliance, client trust, and brand reputation.

The Role of Cyber Insurance in a Changing Risk Landscape

This type of incident demonstrates how the definition of a “cyber event” is evolving. There was no hack, no malware, no hostile actor, yet sensitive information was made publicly available. Incidents like these fall into a growing category of non-malicious cyber exposures, and forward-looking cyber insurance policies are beginning to reflect that shift.

A well-structured cyber insurance policy can:

• Cover liability for accidental disclosure of client or third-party data.

• Fund crisis communications and legal response where reputational damage occurs.

• Assist with forensic investigation and notification obligations, even if there was no external breach.

• Support policyholders in demonstrating due diligence to regulators, clients, and partners.

What W Denis Recommends

At W Denis, we strongly advise businesses to take this moment as a prompt to reassess both their internal policies and their external protections:

• Audit AI usage: Understand where and how AI   platforms are being used across your organisation.

• Implement clear policies: Establish rules around the use of   generative AI, especially when handling sensitive or identifiable data.

• Educate your staff: Ensure all users are aware of how   AI tools function and the potential visibility of shared content.

• Choose a specialist Cyber insurance broker: Ensure you work with a specialist Cyber insurance broker who can guide you on policy wording and cover sufficiency.

If you're unsure whether your cyber insurance responds to incidents like these, or whether your current arrangements reflect the modern risk environment, contact W Denis. We work with clients to assess their cyber exposure, strengthen their risk posture and ensure cover is tailored to today’s rapidly evolving threat environment.

For a quotation please contact:

Eastern Europe

Vida.Jarasiunaite@wdenis.eu

Southern Europe

Christos.Hadjisotiris@wdenis.com

Western Europe &/or elsewhere worldwide

Mark.Dutton@wdenis.com