Category Archives: Risk Management

Will Proposed NY and NJ Data Privacy Laws Lead to Federal Preemption?

On June 5, 2019, the NY State Senate passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) to beef up its data breach notification law whereas a month earlier the New Jersey Governor signed into law an amendment to the New Jersey data breach notification law.  This is the first act in what may lead to significant new privacy laws emerging from these sister states.

New York now is now moving on a bill, S5642, that is even more protective than the California Consumer Privacy Act while New Jersey is in the process of merging two proposed bills that may lead in the same direction. There has been opposition to these proposed laws by those companies who have the most to lose by stringent data privacy controls.  

If passed, however, these new laws may actually prod Congress to finally move on a comprehensive privacy framework – one that might preempt aggressive laws such as the ones proposed by New York and New Jersey and the one already passed in California, in favor of a much more tempered approach.  

In other words, the Internet Association and its lobbying partners may actually win the war if these bills are enacted and it can just get Congress to act in a preemptive manner.  Thankfully, the momentum has been consistently on the side of consumer protection and any hope of bipartisan action on the part of Congress remains a long-shot given the current political environment.

OCR Snags $3 Million HIPAA Settlement For Insecure Web Server

On May 6, 2019, the Office for Civil Rights (OCR) announced that Tennessee-based Touchstone Medical Imaging agreed to pay $3,000,000 and adopt a corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and additional comprehensive policies and procedures applying HIPAA Rules. Touchstone – which provides diagnostic medical imaging services, was notified in May 2014 by the FBI that one of its FTP servers allowed uncontrolled access to protected health information (PHI).  This uncontrolled access “permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.”

During OCR’s investigation, Touchstone acknowledged that the PHI of more than 300,000 patients was exposed including, names, birth dates, social security numbers, and addresses.  OCR’s investigation found that Touchstone “did not thoroughly investigate the security incident until several months after notice of the breach”.  As a result, Touchstone’s notification to individuals affected by the breach was considered untimely.   

Given last year’s summary judgment win by OCR and the facts presented by the Touchstone incident, it is not surprising that this significant settlement – which was one of the largest to date, was reached.  FTP servers have long been a threat vector – even if set up and run properly, so not unlike the clarion calls initiated for encryption and social engineering training, back office IT support should be sophisticated enough to adopt a means of file transfer that applies state of the art security.

Vermont Steps in Front of California with New Privacy Law Aimed at Brokers


Earlier this year, Vermont became the first state to enact a privacy law specifically targeting data brokers. This law, which will become fully effective on January 1, 2019, requires state registration of any business “that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship”.

According to Guidance provided earlier this month by the Attorney General’s Office, the type of consumer information subject to this new law includes: “People with incomes over $100,000,” “People who like to play billiards,” or “People preparing for a wedding.” 

Data broker registrations must include information regarding how consumers can opt out of data collection and sales as well as disclosure regarding the number of “data broker security breaches” sustained in the prior year.   This beach notification requirement exists in addition to the one created by Vermont’s data breach law.

In addition to an annual registration, data brokers must also maintain certain protective measures involving those administrative, technical and physical safeguards appropriate for the scope and size of the business or face a potential unfair or deceptive practice claim under the state’s consumer protection law.   

The statutory civil penalties of this new law are actually quite limited given that a data broker required to register who fails to do so will be subject to a penalty of $50 for each day it fails to register, beginning February 1, 2019, up to a maximum of $10,000 per year.  The real bite is found in the potential civil action that may be brought under Vermont’s Consumer Protection Law, namely potential treble damages and reasonable attorneys’ fees. By linking privacy violations with an established consumer protection law, the Vermont statute nicely meshes existing law – and related interpretative rulings, into an effective privacy battle axe.   

While Vermont may never become a real challenger to California when it comes to privacy laws or regulations, this new law could have a ripple effect with other states eventually providing similar protections.  And, given the call for a federal privacy law to harmonize patchwork state laws, the statute can also very easily be a model for certain provisions in a new federal omnibus privacy law.  Combined with other laws that will be vigorously enforced regarding consumer consent, the coming year is shaping up as a strong one for consumer privacy rights.

AT&T crypto theft case may hasten new insurance exclusions

On August 15, 2018, crypto-enthusiast Michael Terpin filed a 69-page Complaint against AT&T in the Central District of California.  This federal action – a fifteen-count missive from Greenberg Glusker, seeks compensation of $24,000,000 for stolen cryptocurrencies as well as punitive damages in the amount of $200,000,000.  Terpin’s counsel seeks to get around standard contractual limitations and arbitration language by claiming that AT&T violated every possible California consumer statute on the books.

At its essence, the lawsuit alleges AT&T did not “implement and maintain reasonable security procedures and practices” regarding personal information and protect it “from unauthorized access, destruction, use, modification or disclosure” as evidenced by a “January 7, 2018 SIM swap fraud” conducted by a criminal who was able to convince an AT&T store employee to give him Mr. Terpin’s SIM card.  Complaint ¶ 238.

In order to obtain recovery in federal court, Terpin’s counsel will have to get around standard ADR language and damages limitations typically found in mobile carrier agreements.  More than likely, the valiant efforts of Greenberg Glusker will be to no avail – with the eventual result this case will move down the well-traveled road of arbitration without any punitive damages or massive discovery in sight.  The Supreme Court authority for such a result is quite extensive and may be why the Complaint is written in such flowery and emotional prose.

No matter what forum eventually takes on this case, it raises numerous issues that percolate beyond the four corners of the Complaint.  For example, will AT&T’s insurer eventually defend or pay out on this claim?  If so, which coverage grants will be triggered?  And, if there is coverage, will ISO or major insurance carriers develop a standard insurance exclusion to bar cryptocurrency theft claims in the future?   As it moves through the California federal court system, this case will definitely have consequences for corporations well beyond AT&T.

EU-US Privacy Shield may soon be suspended

The EU-US Privacy Shield may finally be in actual jeopardy.  It was previously thought that given the high stakes, this data transfer accommodation implemented as a replacement for the judicially invalidated Safe Harbor program was too important an agreement to be withdrawn and that only another judicial ruling could render its death knell.  That is no longer the case.   A vote today by the European Parliament made sure of that.

As reported by the IAPP,  on July 5, 2018 the European Parliament passed a non-binding resolution by a vote of 303 to 223 votes and 29 abstentions to have the European Commission suspend the EU-US Privacy Shield “unless the U.S. is fully compliant” by September 1, 2018.    This is the second September review of the EU-US Privacy Shield.

Between the GDPR requirements left out of the EU-US Privacy Shield, the Cambridge Analytica fiasco that still dogs Facebook, the US’s adoption of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) – a statute that expressly allows access to trans-border personal data, the US’s pulling out of the Iran deal despite strong pressure from the EU, and the current tariff barbs being sent across the Atlantic, the long-term health of EU-US Privacy Shield can no longer be considered a given.   Companies who have been reliant on this data transfer accommodation should certainly consider alternatives as soon as possible.

New California law provides statutory damages for data incidents

With the June 28, 2018 signing of The California Consumer Privacy Act of 2018, data breach class counsel are rejoicing that they finally have a private right of action backed with statutory damages.  Even though there were previous statutory remedies for privacy violations, the recent California law has gone where no other law has gone before by expressly providing a private right of action for a data breach that also allows for a minimum statutory amount.  Not surprisingly given it was the first state to pass a breach notification law, the California legislature again led the way.

After certain data incidents involving the loss of consumer data, California consumers will have beginning on January 1, 2020 a private right of action that can also be brought on a class-wide basis.   Specifically, any consumer whose unencrypted or nonredacted personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action . . . to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages.”   Section 1798.150(a)(1).

Despite being groundbreaking, there are still numerous hurdles class counsel must surmount before a class can be certified.  For example, the private right of action may not be allowed unless the compromised information is subject to unauthorized use.  Section 1798.150(a)(1).   Accordingly, those incidents where unauthorized use is not in issue are not subject to the statute.

Moreover, the law can only be used against a business with “gross revenues in excess of twenty-five million dollars ($25,000,000)” or one that purchases personal data on “50,000 or more consumers, households, or devices” or one that “derives 50 percent or more of its annual revenues from selling consumers’ personal information.” Section 1798.140(c).

Curiously, the law allows a business to “cure” its security violation; and thereby avoid suit, but leaves to the imagination exactly how that curing process would play out.   Section 1798.150(b)(1).

And finally, this private right of action can be withdrawn if the California Attorney General files its own suit after being provided notice of a consumer’s lawsuit.  Section 1798.150(b)(3).   The AG’s office has 30 days to decide whether or not to file suit after being provided with the consumer’s lawsuit notice.

Notwithstanding the last-minute changes made to this last-minute statute, it still provides California consumers with the country’s most expansive statutory privacy rights– rights that will be immediately deployed by class counsel after 2020.   Most analysis on this new law, however, has focused on comparing it to the EU’s GDPR privacy regime – a recently implemented privacy regime that impacts many  US-based companies.    In addition to the privacy requirements, companies processing significant amounts of consumer personal data should also take the class action risk very seriously and if they do not already purchase insurance for that risk, they should at least evaluate transferring some of this liability risk by way of the privacy and data security insurance long been available to most any company.

UPDATE:  September 28, 2018

SB211 was signed into law largely to “technically correct” errors in the law but nevertheless made two significant changes to Section 1798.150 when it removed the prior requirement that consumers notify the Attorney General prior to bringing any action for a data breach and removed the prior requirement that the Attorney General could bar consumer plaintiffs from bringing suit.  These two significant changes will certainly make for a very interesting class action year in 2020.

UPDATE:  February 26, 2019

On February 22, 2019, a proposed amendment to the law was proposed that would do away with a cure provision, expand the statutory damages provision to any violation of the law, and limit the role of the Attorney General in policing violations.  If passed, these changes will significantly alter the reach of the law by making the plaintiff’s bar’s arsenal even wider and the law’s penalties that much stronger.

OCR wins $4.3 million HIPAA Victory against MD Anderson

On June 18, 2018, the the Office for Civil Rights (OCR) posted a press release announcing its summary judgment victory against the University of Texas MD Anderson Cancer Center (MD Anderson) – a ruling that will require MD Anderson to pay $4,348,000 in civil money penalties to OCR.   According to the press release, this is only the second HIPAA summary judgment victory in OCR’s history and the $4.3 million is the fourth largest amount ever awarded to OCR for HIPAA violations.

The June 1, 2018 Administrative Law Judge’s decision ultimately hinged on a stolen unencrypted laptop and several lost unencrypted USB thumb drives containing “identifying information such as patient names, addresses, and Social Security numbers; and clinical information such as diagnoses, assessments, prognoses, and treatment regimes” of a total of 33,500 individuals.  Decision at 2.

The hefty fine was based on the fact MD Anderson knew encryption was an essential risk management tool since 2006 yet did not get around to fully deploying encrypted devices until after the losses in question.  According to the ALJ, MD Anderson before then made only “half-hearted and incomplete efforts at encryption”.  Decision at 5.

According to the ALJ:

The question is whether Respondent took the necessary steps to address the risk that it had identified – the potential for data loss due to the storage of ePHI on unencrypted devices. As I have explained, the failure to address that risk is the sum and substance ofRespondent’s noncompliance. Had it done so, then unauthorized acts by Respondent’s employees might be relevant to the issue of compliance. But, failure by Respondent to take the security measures that it had identified as necessary renders irrelevant the issue of whether employees were playing by the rules, because that failure created a risk whether or not Respondent’s employees did so.

Decision at 14 (emphasis in original).

This latest OCR action may very well be appealed given the jurisdictional arguments made by MD Anderson.  No matter what the final appellate result, however, the ruling should slam the lid on any covered entity ever questioning again whether encryption is worth the cost of deployment.     Whether it is from a state enforcement action or OCR settlements based on vendor negligence, laptops stolen from a car, or a USB thumb drive improperly taken from an IT department, when it comes to encryption an ounce of prevention is definitely worth at least a pound of cure.

Supreme Court takes Google cy pres fund case

On April 30, 2018, the United States Supreme Court granted certiorari so that it could determine whether a settlement in a privacy class action against Google was “fair, reasonable, and adequate” when the roughly $5 million settlement only went to cy pres recipients rather than actual class members.  Specifically, the Court is to decide:

Whether, or in what circumstances, a cy pres award of class action proceeds that provides no direct relief to class members supports class certification and comports with the requirement that a settlement binding class members must be “fair, reasonable, and adequate.”

As previously recognized, the use of cy pres settlements has been a troublesome trend in privacy class action settlements given it allows plaintiffs’ counsel to quickly file and resolve class actions before  actual damages can be made readily apparent.  Indeed, attorney generals have objected  to cy pres settlements given the lack of redress available to victims.  Given Justice Roberts prior pronouncement on the topic, it may very well be the case that cy pres funding  – which previously only took place in settlements after plaintiffs were actually compensated, may very well no longer be an acceptable means of quickly ending a privacy class action.

Did Facebook close the door to self-regulation?

On April 10, 2018, Facebook’s CEO began his two-day testimony before Senate and House Congressional committees in a quintessential US setting but may have brought with him a groundbreaking privacy regime from across the Atlantic in the process.  Mr. Zuckerberg testified:  “The internet is growing in importance around the world in people’s lives and I think that it is inevitable that there will need to be some regulation.”  The Net Neutrality regulations Zuckerberg  may have had in mind may not be what is ultimately in store for Facebook.

GDPR

By way of background, the EU’s General Data Protection Regulation (679/2016/EU) – which recognizes that the “protection of natural persons in relation to the processing of personal data is a fundamental right”, requires the implementation of an EU-wide regime of country-specific laws effective by May 25, 2018.   Despite its current Brexit status, the UK has also voluntarily implemented GDPR .

The GDPR harmonizes to a great degree the privacy laws of every EU country and broadly controls the use of personal data in connection with either the offering of any goods or services to persons in the EU or the monitoring of EU-based persons.  Companies must ensure that they only collect and process the minimum required personal data for the express use given under an unequivocal affirmative consent.  The new consent requirements found in the GDPR bring this privacy regime to compliance levels never before seen.

Companies that collect and use personal data must now clearly explain to data subjects the exact uses made of such personal data – with evidence maintained that demonstrate related processes are compliant and followed in each individual case. Persons must also be afforded the opportunity to easily withdraw their consent to this use of personal data at any time and without suffering any detriment as a result of their request.  Moreover, persons protected under the GDPR have a right to be forgotten, i.e., all their personal data deleted, and a right to reject any data profiling.

Not unlike rights under 15 U.S.C. § 1681c of the Fair Credit Reporting Act when it comes to credit information, persons will also have the right to have their personal data amended and rectified and the right to be informed as to what personal data is currently being retained or used.  Unfortunately, getting Facebook to comply with these subject-access requests has previously been a difficult task.  Some have argued that the right to be forgotten – which is actually now more properly termed a “right to erasure”, can only work when GDPR becomes a global privacy regime having “globally connected legislation to ensure that information stored outside of the EU also underlies similar strict privacy regulation.”

A “serious breach” of GDPR requirements may result in a fine of up to 4% of the annual worldwide revenue of the impacted company – with the minimum fine set at €20 million. Disregarding the potential lack of enforceability for this extra-jurisdictional law, companies have been prepping for the GDPR privacy regime for years.   Indeed, given the potential downside, multi-national companies based in the US have not surprisingly spent millions of dollars on their GDPR compliance efforts.

Under the GDPR, the EU is for the first time in line with the US as regards data breach notification – but with a uniform and much stricter obligation to notice regulatory authorities within 72 hours of a breach.  Given Alabama has recently enacted its own data breach notification law – one that requires notification within 45 days of a breach if the breach is reasonably likely to cause “substantial harm” to the individual to whom the information relates, all fifty US states now have a data breach notification law.  Nevertheless, the current patchwork standard for breach notice in the US is far from uniform and certainly much less onerous than the blanket one set forth in the GDPR.

GDPR and Facebook

As set forth on its website, “Facebook and its affiliates, including Instagram, Oculus and WhatsApp, will all comply with the GDPR. . . Facebook may serve as a data processor.  When Facebook acts as a data processor, businesses are responsible for ensuring data they share with us complies with the GDPR.”  As a data processor who employs more than 250 persons, Facebook is obliged under GDPR to keep detailed records of all of their processing activities.  In other words, GDPR opens up the door to accessing Facebook’s vast data mining activities only hinted at by the recent Cambridge Analytica brouhaha.

On April 11, 2018, Mark Zuckerberg testified before the House Energy and Commerce Committee that GDPR “will be positive” and that requiring companies obtain “affirmative consent” makes sense.  According to Mr. Zuckerberg, there are a few parts of GDPR that are “important and good”.  For example, users should know what data companies have and users should be able to control this data.   When asked if GDPR got anything wrong, however, he could not answer the question and simply said he would have to “think about it”.  He was asked to provide his response to the House Energy and Commerce Committee at a later date.

GDPR, Facebook and Congress

Free-market Republicans who typically shy away from regulatory intervention gave more than passing nods to potential legislative intervention as regards Facebook.  Sen. John Kennedy (R., La.) bluntly recognized that Facebook’s “user agreement sucks.”  And, Senate Commerce Committee Chairman John Thune (R., S.D.) said:  “I’m not convinced that Facebook’s users have the information they need to make meaningful choices.” He also said that while Washington has “been wiling to defer to tech companies effort to regulate themselves. . . this may be changing.”  Mr. Kennedy was again more blunt: “There’s some impurities in the Facebook punch bowl. . . I don’t want to have to vote to regulate Facebook.  But by god, I will. That depends on you.”

Not waiting for Senators Kennedy and Thune to act, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) – two longtime privacy advocates, announced on April 10, 2018 their Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act – proposed legislation requiring the Federal Trade Commission (FTC) to establish specific privacy protections “for customers of online edge providers like Facebook and Google.”  Among other things, the CONSENT Act would require that these “edge providers” obtain opt-in consent from users “to use, share, or sell users’ personal information” as well as notify users about “all collection, use, and sharing of users’ personal information.”  Although on its face the proposed law is not nearly as onerous as the GDPR privacy regime, there is nothing stopping the FTC from promulgating future regulations that not only include opt-in consent and use disclosures but also GDPR requirements that would never had been on the table before Mr. Zuckerberg began his unsworn testimony before Congress.

In a prior interview with the Washington Post, Senator Markey said:  “I think that this [Facebook] privacy spill is politically the equivalent of the oil spill in the Gulf of Mexico.  Because it involves our very democracy, I think [it] is going to draw more attention of the American public to this issue.”

GDPR, Facebook, Congress and the Monetization of Consumer Data

On the heels of recent comments from Facebook’s COO regarding the possibility Facebook might one day charge users a fee, Zuckerberg left the door open to the possibility of charging consumers for use of its social media platform.  During his April 11, 2018 House testimony, Zuckerberg again denied that Facebook sells its user data, saying: “That’s not how advertising works.”  A day earlier Zuckerberg repeated numerous times that Facebook did not sell consumer data – prodding Sen. John Cornyn (R-Texas) to exclaim:   “You clearly rent it!”  No matter how Mr. Zuckerberg perceives advertising as working or whether or not Facebook actually “sells” consumer data, one takeaway from these hearings is that perception can quickly morph into reality.

Not surprisingly, California is not waiting for the federal government to act and has percolating its own mini-GDPR.  The proposed California Consumer Privacy Act of 2018 ballot initiative would give consumers the right to ask businesses what of their personal data is collected and how it’s being used.   It will be voted on in November 2018 and already faces opposition from Facebook and other California companies standing to lose significant revenue because there is a private right of action under the proposed law.  Given there is no “opt-in” requirement in this ballot initiative, GDPR will remain the gold standard when it comes to protecting consumer data from unregulated monetization.

Apple’s Tim Cook jumped for higher ground during Zuckerberg’s testimony and publicly said Apple – unlike Facebook, does not monetize its customers and would welcome legislative solutions.  Specifically, Cook said:  “The truth is, we could make a ton of money if we monetized our customer — if our customer was our product. We’ve elected not to do that.”

Apple’s perspective is either surprisingly narrow or deliberately pinched.  Obviously, the smartphones that are the backbone of Apple’s success thrive in a social media environment where Facebook does exactly what it wants, namely provide “free” services that are habitually accessed throughout the day.  Accordingly if Facebook loses revenue due to legislative intervention, Apple will likely not be far behind.

There is hope for both platform providers and device manufacturers even if that happens.  As recognized by the Project Director at the Georgetown Center for Business and Public Policy, “If the [internet’s] grand bargain unravels, entrepreneurs will no doubt innovate new ways to make money and continue developing disruptive products and services.”

Unbridled data consumption and privacy protection can successfully coexist when immutable and transparent data is bound by a secure and continuous unequivocal affirmative consent.  In essence, user data must be treated like a protected commodity that can actually benefit the owner.   Indeed, Congresswoman Debbi Dingell (R., Mi.) ended her April 11, 2018 questioning of Zuckerberg by opining that data protection was no less important than having “clean air and clear water”.   A company that is able to keep “pure” a user’s data while feeding such data into various digital media ecosystems and compensating the data owner in the process will have found the middle ground previously consciously avoided by existing billion-dollar platforms.

Sometimes all it takes is one door to close for another one to open.

Utility tokens are not a “bad idea”

In his February 8, 2018 opinion piece, Santander’s Julio Faura suggests that “utility tokens are a bad idea” because it would be a “lie to ourselves” to suggest ICOs were not actually selling securities.  Rather, in Mr. Faura’s opinion “we should collectively work on a framework to build a clearly defined scheme for ICOs, recognizing from the very beginning that they are securities.”  And, this “ICO process should be designed in collaboration with regulators to comply with securities law.”  Mr. Faura’s opinion piece does not exist in a vacuum.  In a report dated February 5, 2018, Goldman Sachs Group Inc.’s global head of investment research suggests that investors in ICOs could possibly lose their entire investments – which ties to Mr. Faura’s underlying premise that ICOs should be regulated “to protect investors”.

It is not clear how his proposed hybrid solution would ever get implemented given it requires complete buy-in from capital markets and regulators so would be a non-starter from day one – why would existing financial institutions and regulators scuttle existing methods of raising capital or attempt to squeeze ICOs under traditional securities law even if considered a sale of securities?  Answer:  They would not.  Ripple – a company partially funded by Santander InnoVentures, offers a glimpse on how traditional financial markets will compete using blockchain technology.

Mr. Faura paints all sales of cryptocurrencies with the same brush by claiming each one of them actually offers securities subject to SEC scrutiny.   That is simply not the case.  Indeed, does Mr. Faura wonder why the SEC has not knocked on Ripple’s XRP “digital asset” door even though it trades on numerous exchanges?  Even though there was no formal ICO to launch that centralized token, it now trades on 18 platforms where “individual purchases” of the XRP coin can be made.  Indeed, after raising over $93 million by September 2016, no ICO was needed.

One ICO left untouched by the SEC was “gate keeped” by Perkins Coie and involves an ICO for a utility token that raised $35 million in under a minute’s time.   This “BAT utility token” creates a digital advertising ecosystem tied to consumer attention – which is why it is the “Basic Attention Token”.  Such ecosystem would certainly be an upgrade from the current digital advertising scheme wedded to the Web ecosystem of 1995.

All told, it seems that the SEC and other regulatory bodies have actually taken a very measured approach in this area – aggressively focusing on obvious fraudsters first in order to deter subsequent fraudsters while letting the technology play out a bit in the wild.  Not surprisingly, the plaintiff’s bar has been doing a good job picking up the slack in those instances when the SEC has not yet moved.   See Davy v. Paragon Coin, Inc., et al., Case No. 18-cv-00671 (N.D. Cal. January 30, 2018) and Paige v. Bitconnect Intern. PLC, et al., Case No. 3:18-CV-58-JHM (W.D. Ky. January 29, 2018).

Recent public SEC statements seem to back this interpretation of their ICO position. On February 6, 2018, SEC Chairman Jay Clayton recently testified that the potential derived from blockchain was “very significant” – his co-witness, CFTC Chairman Christopher Giancarlo, went so far as to say there was “enormous potential” that “seems extraordinary” for blockchain-based businesses.  Yet, during his testimony, Chairman Clayton said the SEC would continue to “crack down hard” on fraud and manipulation involving ICOs offering an unregistered security.  This is consistent with prior messaging given that Chairman Clayton requested on December 11, 2017 that the SEC’s Enforcement Division “vigorously” enforce and recommend action against ICOs that may be in violation of the federal securities laws.  The fact some 2017 ICOs raising hundreds of millions of dollars were not addressed by the SEC, however, provides a clear “nudge wink” that not all ICOs come under SEC regulatory control.

As with BAT, in the future, there will likely be many more utility tokens built on disruptive blockchain initiatives that escape SEC scrutiny given they are not perceived as securities.  The fact that the SEC has not yet moved on them – despite moving against Munchee, Inc. weeks after the Munchee MUN offering, signals the SEC will temper its enforcement activities when faced with a disruptive blockchain initiative that begets true intrinsic value.   In other words, utility tokens may very well be a good idea after all.