You Blocked ChatGPT. They Are Using It Anyway. (The “Shadow AI” Trap)
Is ChatGPT secure for business? Here is a statistic that should scare every business owner in Las Vegas: 68% of employees admit to using ChatGPT for work, even if their company has officially banned it.
They aren’t doing it to be malicious. They are doing it to be productive. They are pasting client emails into ChatGPT to write faster replies. They are uploading messy Excel spreadsheets to get quick formulas. They are summarizing meeting notes that contain sensitive financial data.
This phenomenon is called “Shadow AI.” And in Nevada, where we have some of the strictest data privacy laws in the country, it is a ticking time bomb.
The “Nevada Privacy” Nightmare (SB 370 & NRS 603A)
Most Las Vegas business owners know about HIPAA. But many are completely unaware of Senate Bill 370 (Consumer Health Data), which took effect in 2024.
The Trap: SB 370 defines “Consumer Health Data” extremely broadly. It isn’t just medical records. If you run a gym, a spa, or even an HR department, and your employee pastes a client’s health preference into a free, public AI tool like ChatGPT, you may have just broken the law.
Why? Because the free version of ChatGPT trains on your data. That means you technically “shared” or “sold” private data to a third party (OpenAI) without the consumer’s consent. Under Nevada law, that is a violation.
The 3 Most Dangerous Things Employees Paste into AI
Based on our monitoring of Las Vegas networks, here is what employees are leaking right now:
1. “Fix This Code” (Intellectual Property Leak)
Developers and web designers often paste proprietary code into AI to debug it. Samsung famously banned ChatGPT after engineers leaked top-secret source code this way. If your code is on the public AI server, it’s no longer your trade secret.
2. “Summarize This Meeting” (Client Confidentiality Breach)
Employees love transcribing Zoom meetings and asking AI to “summarize the action items.” If that meeting discussed a lawsuit, a merger, or a patient’s diagnosis, you just handed that transcript to a public model.
3. “Write an Email to [Client Name]” (PII Leak)
Even a simple email draft often contains Names, Addresses, and Phone Numbers (PII). Under Nevada NRS 603A, failing to protect this PII can trigger notification requirements and fines.
The Solution: Don’t Ban It. Govern It.
Blocking ChatGPT on your firewall doesn’t work. Employees will just switch to their personal 5G on their phones (bypassing your security) to get the job done. That makes the problem invisible.
The solution is an “Acceptable Use Policy” (AUP) for AI.
You need to give your team a safe, “Enterprise” sandbox where their data is private (not used for training), or clearly define what data is allowed in public tools.
Get Your Free “AI Acceptable Use Policy” Template
Don’t let your employees guess the rules. We have created a standard AI Policy Template specifically for Nevada businesses. It defines what data is “Safe,” “Restricted,” and “Prohibited.”
Download the AI Policy Template
More Resources for Las Vegas Business Security
- Worried about scams? Read our guide on 3 Phishing Scams Targeting Las Vegas Businesses.
- Need an audit? See how to Pass Your SOC 2 Audit Without Overpaying a CPA.