Shawn Tuma is an attorney widely recognized in data, privacy, and cyber law, areas in which he...
In 1999, Rocky Dhir did the unthinkable: He became a lawyer. In 2021, he did the unforgivable:...
| Published: | September 4, 2025 |
| Podcast: | State Bar of Texas Podcast |
| Category: | Legal Technology |
Special thanks to our sponsor State Bar of Texas.
Rocky Dhir:
Welcome to the podcast everyone. He’s back and by he, I mean Shawn Tuma. He’s no stranger to us. He’s been a frequent guest educating us on all things technology so that we can become more tech savvy lawyers. Well, spoiler alert guys, his tricks don’t work on me. I still know nothing about technology, but we’re going to try to fix that here today with some interesting discussions. So those of you who don’t remember, Shawn is the managing partner of Spencer Fane’s Collin County office where he co-chairs his firm’s cyber data and AI practice. He also once chaired the state bar’s computer and technology section. So he allegedly knows a thing or two about technology. So he tells me, and so he tells everybody else, but he actually does know a few things. You’re going to learn something here. As many of you know, the Texas legislature met in 2025 and passed a few things. There were some bills and more than bills. There were fireworks on display apparently in Austin. But Shawn is here to discuss the technology law bills that went in through the legislature. His article on those bills co-authored with Christine Chase appears in the September, 2025 issue of the Texas Bar Journal, but here’s our chance to ask some questions and see if this guy actually knows anything. Shawn, welcome back. Do you know anything?
Shawn Tuma:
I don’t know, Rocky, from day to day, I never know what I know because it could be changing.
Rocky Dhir:
I asked you once if you knew my friend, but it turns out you don’t know Jack. Alright, so you walked right into that man. You walked
Shawn Tuma:
Right into that. I did, I did.
Rocky Dhir:
So we got all these technology bills that you’ve written about and that we’re going to talk about. Was any of this bipartisan or was this the subject of a lot of fighting
Shawn Tuma:
Rocky? It’s interesting, especially with your introduction there about the fireworks that we’ve seen in the legislature this year. I don’t know if it was by design or by accident, but our legislature took a very wise approach in my opinion with how they approached the technology legislation this year in that there weren’t a lot of fireworks and most of what we saw was fairly bipartisan, at least in purpose and overall design. One of the interesting things about a lot of this technology is many of us have our own pet projects or ideas or issues that we get really hung up on and we feel like, oh, this is the most important thing in the world. Advocates or activists or whatnot. And then there are people on the other side that view that completely different and then they could spend all their time fighting about those nuances where there’s something in the middle that everybody tends to all kind of agree on. And what our legislature, at least from my opinion has done is they have found a balance for right now with enacting laws that tend to be the things that most people would agree on. I mean, the lead off for this year is the Texas Responsible Artificial Intelligence Governance Act.
Yeah,
Rocky Dhir:
Sounds cool.
Shawn Tuma:
It is. It sounds cool, and in my opinion, it’s really one of the most important bills that we saw this year.
Rocky Dhir:
So can you dumb it down and talk to me about it because half of this stuff I don’t understand when we talk about AI and just all the intricacy. So what does this really mean?
Shawn Tuma:
I can tell you this, Rocky, back to the intro about technology. If you’re not embracing AI, just like if I’m not embracing AI and everyone listening to this, we’re going to probably be out of a job in a few years.
Rocky Dhir:
It bears mentioning that there is an ethical rule now that we as Texas lawyers, all jokes aside, we do have to be tech savvy. We have to understand how these tools work,
Shawn Tuma:
Duty of tech competence, and we do have that. And so from a practical standpoint as well though, AI is an incredibly powerful tool. It has the capability of deducing salient points from vast amounts of data within a matter of seconds. So it can really help us to narrow down sometimes a lot of what we’re looking for or find what we’re looking for more than traditional searches.
Rocky Dhir:
Here’s a quick question, and I don’t mean to interrupt, but when you say that, I’ve heard the other side of it, which is that AI is really just taking what’s already out there and it’s taking data that’s in existence and it’s distilling it for us. So can AI create something new or is it simply taking what’s out there and compiling it for us?
Shawn Tuma:
Well, that’s really the revolutionary part that we’ve seen for the last couple of years. Ultimately, if you get down to the deepest level, it’s always pulling from what’s out there. It’s pulling from what it’s been learned from what it’s been trained on, what it has learned from. But the practical aspects of how we use it is it’s no longer using it as a tool to just summarize or to add and subtract or find a needle in the haystack. It’s now being used to generate to create something new. Now, at the end of the day, just like us as humans, we’re not born knowing everything we have to learn.
Rocky Dhir:
Think for yourself, man, come on.
Shawn Tuma:
But all knowledge is based on prior experience and learning and education and all that. We’re not learning from thin air. We’re not creating even as humans from thin air. I mean I don’t think, I don’t know a hundred percent, but generally speaking, AI is no different. It is learning from information that is already in existence out in the world, and that’s how the models are being developed and trained. But much like how our brains create new ideas and thoughts based upon associations with prior experience and knowledge and information and all that stuff, that’s how the AI models work now. So they do replicate that creativity and that’s why if you talk to a guru like Ron Chichester, Ron’s brilliant, he’d tell you, look, AI has been around since the fifties, or Peter Vogel, Peter would say, AI has been around since the fifties. It’s the essence of an Excel table adding up all these numbers.
True. What is new is the generative part that really has been what’s changed the world in the last couple of years, and that’s the ability to create new ideas seemingly. And so that’s where it’s so powerful for us as attorneys is if you don’t have a draft of something and you wish I had a first year lawyer to go task with this project, have them prepare me a basic draft, find a form and modify it, and then I’ll take it from there and work with it and fine tune it. That’s what AI now does. You go to ChatGPT and say, I need a form of a judgment for X, Y, Z, and it’ll give you a decent starting point. It is not a final answer, but it’s a starting point.
Rocky Dhir:
It’s a framework. So that kind of gives us an overview of AI, how it can work, and in very broad strokes what it does when you talk about some of these bills, including TRAIGA. Before we get there, we need to hear from one of our sponsors. So Shawn, sit tight and you guys stay tuned. We’re going to be right back with Shawn Tuma in just a couple of seconds and we’re back with Shawn Tuma. So we talked a little bit about AI, how it works and sort of what it’s doing. It looks like it’s actually able to create things that didn’t exist before, which a lot of us might find a little surprising. So now let’s talk about the Texas legislature. So there’s the Texas Responsible Artificial Intelligence Governance Act, thank goodness for acronyms. Alright, so what is doing? What does it mean?
Shawn Tuma:
The basic point of this was to establish a baseline law that really prohibits intentionally creating AI that’s going to or creating AI tools or deploying them or using them that will create an unreasonable risk of harm or unreasonable harm. That’s really the key focus is that we’re trying to protect against foreseeable risks. So to force people that are creating or deploying these, which deploying is the term we use for using these tools to do so in a manner that isn’t going to cause harm, intentionally cause harm to people.
Rocky Dhir:
Intent is a mental state.
Shawn Tuma:
Intent is part of the statutory language to intentionally, there’s actually a very specific word that it uses. It says developing or deploying an AI system with the intentional aim of inciting or encouraging a person to commit self-harm, criminal activity or discrimination against protected classes. So what we’re really doing instead of trying to create a very detailed code that covers every nuance and detail and idea is just set some very broad baseline look, these are the things we don’t want you doing. Don’t cause people to commit cause it to commit criminal activity or discrimination against protected classes of people. That’s one key factor.
Rocky Dhir:
There’s so much in there that is probably subject to litigation. I mean, did somebody intend to do something? How do you prove that? Did this AI tool that was deployed, did that actually cause these effects? There’s going to be all these same questions we get in so many other lawsuits, is this really revolutionizing what already existed in the law in any way?
Shawn Tuma:
It’s a good place to start. It starts with principles that we can all agree about. So we’re starting there. Then there’s some other components obviously. I mean it’s a decent sized bill that gives consumers the right to know when they’re interacting with an AI chat bot.
Rocky Dhir:
Okay?
Shawn Tuma:
So if someone’s interacting with AI, they need to know about it and you need to a call center if it’s a call center or you go to the chat and you think you’ve got a human being on the other side and you really don’t. Well, this has to disclose to you that you are dealing with AI and then using AI for if the AI tool is being used for something that affects a basic human, that you have an alternative appeal process. So if you can’t get a satisfactory response from the AI tool that you can then go and get a human being to come in and to help intervene. So you don’t get in that the call center of death where press zero to go here and it’s that kind of thing. So those are some of the basic principles. We’re also prohibiting governments, so the government from using AI for social scoring or biometric surveillance without Oh,
Rocky Dhir:
Interesting.
Shawn Tuma:
Which I think that’s really pretty important prohibition right there. We don’t want our government instituting a social credit system on us,
Rocky Dhir:
And this was a bipartisan effort, which means everybody kind of agrees that we don’t want the government doing this. That’s contrary to what we might hear about otherwise,
Shawn Tuma:
And that’s why I think it was very wise to not try to bite off everything at once, but pick some basic principles to start from. Another is a prohibition against anyone using AI to create or distribute AI generated child exploitation materials, child porn, child type materials like that.
Rocky Dhir:
That’s all in TRAIGA or is that a separate bill?
Shawn Tuma:
No, that’s all within this same one. Wow. This is huge prohibiting deep fakes, sexually focused, deep fakes. These are basic principles, right? You and I, and most folks would agree or good ideas, it created a Texas Artificial Intelligence Council. So there’s a council of folks that will kind of help study and advance this issue going forward. For businesses in particular, it created a regulatory sandbox program. So let’s say they come up with some revolutionary technology that may border on violating some of these principles, but that’s the nature of what that technology is designed to help with or something like that. There’s a regulatory sandbox program where they can sign up for this program, provide regular reporting and test it if you will, in an environment where if something goes awry, they’re not going to be subject to the same kind of penalties that they would.
Rocky Dhir:
Is this going to be a new state agency then that has its own regulations, kind of like the medical board or,
Shawn Tuma:
So this is going to go to the Texas Department of Information Resources that’s already in existence, and then that’s one other key component for government agencies or quasi government agencies is they already have to do cybersecurity training. Mandatory cybersecurity training passed a couple of years ago. Now AI is being included as part of that, so they’re going to have to do mandatory AI training as well.
Rocky Dhir:
Your article talks about the Texas Cyber Command. Is that separate from all this or is that also part of TRAIGA?
Shawn Tuma:
No, that’s separate.
Rocky Dhir:
Okay.
Shawn Tuma:
Yeah, so the cyber command is a separate bill that is apart from that, but we’ll probably end up having some impact. They’ll probably end up working together because under TRAIGA, some of those reporting requirements go to the Texas Department of Information Resources. The Texas Cyber Command is actually taking over some of those responsibilities from the DIR, so I could see them working together in the future.
Rocky Dhir:
I could also see conflicts where you get the Texas Artificial Intelligence Council saying one thing and then you got the Texas Cyber Command maybe saying something that’s at odds with it. Could there be litigation or any kind of regulatory issues that come out of that?
Shawn Tuma:
I’m sure there could be, but I have a feeling they’re going to be more closely aligned. This whole process is creating a fairly cooperative environment that’s designed to help take the burden off of these agencies when we’re dealing with the government aspect. For example, the Texas Cyber Command, it’s creating a 24/7 cyber incident hotline for state agencies and local governments. And so they’re providing resources in a helpful manner, not necessarily being terribly restrictive on the activities of what these agencies are doing. So I don’t know that there would be that kind of power struggle maybe where you have the two agency or the two, whatever you would call ’em, I guess, agencies fighting each other.
Rocky Dhir:
I’m not even talking about a power struggle. It’s more like just innocently. They each independently promulgate some rule or some regulation or they put out a newsletter and they say two things that might be interpreted in a divergent fashion and then you get litigation over who’s correct and who isn’t and what are our responsibilities.
Shawn Tuma:
Yeah, I mean we’ve certainly seen crazier things happen, right?
Rocky Dhir:
Absolutely.
Shawn Tuma:
I’m not going to ever say no, that can’t happen. I think it certainly could happen. I don’t know that it will. I think part of what we’re going to see, and I’m just forecasting a little bit for the future and the Texas Cyber Command, both were a product of this legislative session. I think as we go forward, just like we see the Texas Cyber Command modifying some of the role of Department of Information resources, I think we may see more refinement in the future of how those fit together. Now that the cyber command is established,
Rocky Dhir:
There’s a lot we need to talk about. There’s also some other bills, the cybersecurity safe harbor, there’s some public sector initiatives. We need to get to those things as well, and I want to make sure we have time for those. So here’s what we’re going to do, Shawn. We’re going to take another quick break. We’re going to hear from one of our sponsors and then we’re going to come back. We’re going to tackle some of these other ones. Shawn’s a wealth of information, so stay tuned. We’re going to learn a little bit more about the behind the scenes with some of these other bills that have just come out of the Texas legislature. We’ll be right back. We’re back with Shawn Tuma and we’ve been hitting it. We’ve been talking a lot about TRAIGA. We’ve been talking about the Texas Cyber Command, all these coming out of the Texas legislature in 2025, but it’s not the entire iceberg. I mean, that might not be the tip, but there’s a lot more to that iceberg underneath the ocean. So let’s talk a little bit. There’s a safe harbor in these bills or in these laws that have not passed. It’s a cybersecurity safe harbor for small business. What does that mean? It looks like there’s some requirements to be part of the safe harbor for data breaches. Walk us through that.
Shawn Tuma:
Yeah, so that bill, Bill 2610, and it limits the civil liability of small business in Texas if they have a data breach and they get sued for it and they’ve complied with the requirements of this safe harbor, and we’ve seen this in several other states. By the way, I think Ohio was the first state several years ago that came out with this safe harbor provision, and I think it’s very good. I’m very glad to see it. I’m not saying I don’t think plaintiff’s lawyers might not find a way around it by maybe suing in another state or something like that if they can to get around that safe harbor like California if they could or something of that nature. But I think this is a very good step for us to take here in Texas because anything we can do to encourage small businesses, medium businesses, and large businesses to have effective cybersecurity risk management, if you will, in place is a very good thing for fighting this battle of cyber attacks, cyber attacks, data breaches.
Rocky Dhir:
How easy or hard are these requirements to qualify for the safe harbor?
Shawn Tuma:
It’s not terribly hard. It’s a graduated scale. So what they want to see is they want to see are the businesses, do they implement and maintain a cybersecurity program, which I’ve been advocating for 15 years. Do they do that and does it have specific features that include having administrative, technical and physical safeguards in place to help protect the network and protect the data? Now, that sounds all impressive, right? Administrative, technical and physical safeguards. Do you have a good password policy? Are you using multifactor authentication? Are you verifying your backups? Are you doing things like that? Right? In practice, those things can be much more simple than that overwhelming sounding language. It’s really the important point is they need to conform to recognized cybersecurity frameworks, and there’s several of them out there. I prefer the NIST cybersecurity framework for various reasons, but the whole point is they’re all fairly similar and they all build on the same basic best practices. So we’re trying to encourage really small and mid-size companies to take this serious and to go out and implement a program that is going to have these features of a cybersecurity program of recognized security practices.
Rocky Dhir:
I think we should note too that that’s going to also include law firms, small and mid-size law firms. They have to have these same requirements in place to protect themselves and protect their clients.
Shawn Tuma:
Absolutely. And law firms need to be paying attention to this, and if they don’t have the resources themselves, they really need a good third party managed service provider to come in and help ’em with this.
Rocky Dhir:
They do exist and they’re not hard to find. They’re not terribly expensive. So it’s important for law firms to get out there and shop around.
Shawn Tuma:
Yeah. The other important point of this, Rocky, is that this applies to businesses of 250 employees or less. It is truly your smaller businesses, but the requirements are based on a graduated scale of some very minimal requirements for companies that have one to 20 employees versus those that have a hundred to 250 employees. This is good because the only way you can have an effective cybersecurity programs, it has to be tailored to the needs of your organization. And so you need to make sure what you’re doing is tailored to your risk for it to be effective. And this acknowledges that and really focuses on that. I’m a fan of this. I think this is very good. The key is it prohibits exemplary damages against the organization. It doesn’t make you immune from all liability. It only prohibits exemplary damages.
Rocky Dhir:
You’re paying out only economic damages that have been caused by whatever lapse may have taken place. So again, that’s where having cyber insurance comes into play. There are cyber insurance policies out there that lawyers and non-lawyers alike can avail themselves of, and it probably helps to have these protocols in place and then also have an insurance policy to protect you and your law firm. So
Shawn Tuma:
Absolutely, I highly recommend that.
Rocky Dhir:
Thought I’d throw that in there. Alright, so tell us about the public sector initiatives. We’ve got a few of these and what are those about, I guess public sector employees need to know a bit more about AI and cybersecurity. Is that the gist of it?
Shawn Tuma:
That’s the gist of it. So it’s much like we saw the cybersecurity training come about a couple of years ago. Now we’re going to have some basic AI training that talks about how do you use AI effectively, prompt engineering, things of that nature, learning how to use it effectively, and then what are the key risks that we’re trying to be cautious of sharing, compromising data, using it for unethical or discriminatory purposes, things like that. That’s what that training’s going to cover.
Rocky Dhir:
Before we close out, I wanted to talk about a couple of interesting pieces that most people might not have expected to come out of this legislature, but there’s some bills addressing emerging cyber crimes that I guess folks don’t know about. So tell us what is doxing? What is phishing and online impersonation? What do these mean?
Shawn Tuma:
These are just refining some of the existing laws that are out there to now incorporate this AI as a part of it. But the doxing certainly is the way that gets done in an exemplary manner now. But I think the one really focused on the AI aspect is the phishing using AI for phishing and fraud. So it’s putting some enhanced penalties out there for that. And we saw this with ransomware about 10 years ago. The laws probably already made it illegal to do it anyway, but they wanted to make it like a big yellow highlighter. We really take this serious, and so they created an anti-ransomware law. Same here, powered phishing and fraud is subject to these enhanced penalties for doing that. The online impersonation, we’ve had that for a few years, but its applicability was pretty narrow. And so we’ve now brought the applicability of online impersonation, which we see a lot of people creating these fake social media accounts, things like that. So that’s what we’re really looking at on that.
Rocky Dhir:
We’ve even seen it in elections too. We’ve seen it where they’ll put in AI generated stuff of the other candidate and make fun of them.
Shawn Tuma:
That’s what this is really coming down to. So that I think in my own personal belief, Shawn, as an individual, I think that it was the doxing, which is where you’re disclosing private information or quasi private information about an individual publicly or their address, their phone number, things like that about them. You’re basically exposing them. And so this happened to several candidates in the last election cycle.
Rocky Dhir:
Supreme Court justices too, US Supreme Court justices have had that happen.
Shawn Tuma:
And so this is a product of that as is that when we talked about using AI for generating deep fakes, we’ve seen it with the pornography area, we’ve seen it with the child pornography, and we’ve seen a lot of it with politicians creating image or a video of a candidate that really isn’t them saying something, they really wouldn’t say
Rocky Dhir:
That’s what that’s about. Now there’s more that we could cover, but this is so fascinating. We can never cover everything when we’re talking about stuff because it’s always interesting. But I wanted to close out with, I thought this was both interesting and entertaining at a certain level, but our state is investing in cryptocurrencies, specifically Bitcoin. Talk to us about this and what is it? I guess Bitcoin is now, it’s here to stay if state governments are going to invest in it.
Shawn Tuma:
Yeah, I mean, I guess the best analogy I have for it, do you know how we have a strategic oil or strategic petroleum reserve is now we’re going to have this strategic Bitcoin reserve.
Rocky Dhir:
That’s huge. It means that it’s now being recognized. I mean, it’s not on the fringes anymore.
Shawn Tuma:
Absolutely. I mean, I think it is forward thinking. Look, a Bitcoin is the currency of criminals. Every ransomware case I deal with, cyber attack, data theft, the threat actors are getting paid with Bitcoin. As long as they’re using Bitcoin, this much, Bitcoin’s not going away. I think Bitcoin is here to stay. I think this is some forward thinking of saying, Hey, you know what? If it’s not going away, let’s embrace it. Let’s be prepared. If we have to pay Bitcoin to get maybe one of our local governments back online and running, we have the Bitcoin to do it if there’s a run on Bitcoin somewhere. So we have this strategic reserve of it, and then we’re also going to invest it and make money off of it.
Rocky Dhir:
Very interesting. There’s so much more we could cover, but we are out of time for now. So Shawn, thank you so much for coming out as always, to educate us, to entertain us, and of course to let me pick on you a little bit.
Shawn Tuma:
It’s always fun, Rocky. Always enjoy our time together and thank y’all for having me on.
Rocky Dhir:
Absolutely. And of course, I want to thank y’all for tuning in. I want to encourage you to stay safe, continue to be well, and if you like what you heard today, please rate and review us wherever you get your podcasts. Until next time, remember, life’s a journey, folks. I’m Rocky Dhir. Signing off for now.
The State Bar of Texas Podcast invites thought leaders and innovators to share their insight and knowledge on what matters to legal professionals.