Will CISOs Have to Choose Between Getting Rich or Going to Jail?

This episode of the Cyberlaw Podcast delves into a False Claims Act lawsuit against Penn State University by a former CIO to one of its research units. The lawsuit alleges that Penn State faked security documents in filings with the Defense Department. Because it’s a so-called qui tam case, Tyler Evans explains, the plaintiff could recover a portion of any funds repaid by Penn State. If the employee was complicit in a scheme to mislead DoD, the False Claims Act isn’t limited to civil cases like this one; the Justice Department can pursue criminal sanctions too–although Tyler notes that, so far, Justice has been slow to take that step. In other news, Jeffery Atik and I try to make sense of a New York Times story about Chinese bitcoin miners setting up shop near a Microsoft data center and a DoD base. The reporter seems sure that the Chinese miners are doing something suspicious, but it’s not clear exactly what the problem is. California Governor Gavin Newsom (D) is widely believed to be positioning himself for a Presidential run, maybe as early as next year. In that effort, he’s been able to milk the Sacramento Effect, in which California adopts legislation that more or less requires the country to follow its lead. One such law is the DELETE (Data Elimination and Limiting Extensive Tracking and Exchange) Act, which, Jim Dempsey reports, would require all data brokers to delete the personal data of anyone who makes a request to a centralized California agency. This will be bad news for most data brokers, and good news for the biggest digital ad companies like Google and Amazon, since those companies acquire their data directly from their customers and not through purchase.  Another California law that could have similar national impact bans social media from “aiding or abetting” child abuse. This framing is borrowed from FOSTA (Allow States and Victims to Fight Online Sex Trafficking Act)/SESTA (Stop Enabling Sex Traffickers Act), a federal law that prohibited aiding and abetting sex trafficking and led to the demise of sex classified ads and the publications they supported around the country.  I cover the overdetermined collapse of EPA’s effort to impose cybersecurity regulation on the nation’s water systems. I predict we won’t see an improvement in water system cybersecurity without new legislation. Justin lays out how badly the Senate is fracturing over regulation of AI. Jeffery and I puzzle over the Commerce Department’s decision to allow South Korean DRAM makers to keep using U.S. technology in their Chinese foundries.  Jim lays out the unedifying history of Congressional and administration efforts to bring a hammer down on TikTok while Jeffery evaluates the prospects for Utah’s lawsuit against TikTok based on a claim that the  app has a harmful impact on children.  Finally, in what looks like good news about AI transparency, Jeffery covers Anthropic’s research showing that–sometimes–it’s possible to identify the features that an AI model is relying upon, showing how the model weights features like law talk or reliance on spreadsheet data. It’s a long way from there to understanding how the model makes its recommendations, but Anthropic thinks we’ve moved from needing more science to needing more engineering.  Download 477th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.