Legal hold meets GenAI: What CISOs need to know now

The legal implications of generative AI just got more complex. With a landmark preservation order issued against OpenAI, privacy and security leaders are facing new, uncomfortable questions. We asked Betania Allo (Cybersecurity Lawyer and Policy Strategist) what this means for CISOs – and why ‘delete’ no longer means disappear.

What makes the OpenAI vs. The New York Times case such a pivotal moment for cybersecurity and AI governance?

“This case reframes how cybersecurity, privacy, and data governance must evolve in the era of generative AI. For CISOs, CAIOs, DPOs, and legal teams, the message is clear: your AI architecture is no longer just infrastructure. It can become evidence.”

How has the legal landscape shifted as a result of the preservation order?

“The court’s preservation order introduced a new precedent in AI governance. A preservation order requires companies to retain all data that could be relevant to a legal case, overriding normal retention and deletion policies. Discovery allows legal teams to request and inspect logs, prompts, outputs, training data, and more. A legal hold freezes deletion policies and activates enterprise-wide data retention protocols.” 

What are the risks for organisations using generative AI tools without Zero Data Retention (ZDR)?

“Deleted prompts may still be accessible. Experimentation logs may become subpoenaed records. Privacy policies may no longer protect users if legal orders require data retention. While OpenAI continues to appeal the order, the indefinite retention of data from non-enterprise ChatGPT users may leave organisations exposed to regulatory risk under GDPR and similar frameworks.” 

What should CISOs do in response to these developments?

“CISOs should begin with a comprehensive inventory of all AI systems that store logs, ensuring a clear separation between production and experimental environments, and enforcing ZDR where feasible. Existing data deletion policies should be reassessed in light of litigation hold scenarios, as information once considered ephemeral may now be preserved indefinitely.” 

Is this just a legal issue, or a trust issue too?

“OpenAI has assured users that only a ‘vetted legal and security team’ can access the chat data retained under the court order. But what does that really mean? For privacy and security professionals, ‘vetting’ is not a legal standard: it’s an internal designation, with no external audit, regulatory oversight, or independent verification attached.” 

Moving forwards with GenAI

For CISOs, generative AI is no longer just a data privacy concern. It’s a very real legal risk. In Allo’s words: 

“This case is about much more than copyright. It illustrates what happens when highly complex, probabilistic technologies collide with legal systems designed around traceability, accountability, and evidence preservation. 

“We once thought of generative AI as experimental or even ephemeral. Now, it must also be viewed as legally actionable. For CISOs and governance leaders, this shifts the mission. We are no longer just securing systems. We are managing the digital memories of machines – and ensuring those memories can withstand legal scrutiny.” 

Connect with Betania Allo on LinkedIn. Join us at Black Hat MEA 2025 to stay ahead of the security curve.