Category Archives: Technology Law

B2 – B1 < (P x H)1 – (P x H)2

On February 16, 2021, The Sedona Conference (TSC) – a nonpartisan, nonprofit research and educational institute “dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation and intellectual property rights”, released its final “Commentary on a Reasonable Security Test“.  TSC is well known for previously helping Courts around the country determine the proper contours of e-discovery.  

Recognizing that cybersecurity reasonableness crosses both legal and technology domains, TSC sought a reasonableness test that would help bridge that divide.  Accordingly, the proposed test for reasonable security was designed to be consistent with “models for determining reasonableness that have been used in various other contexts by courts, in legislative and regulatory oversight, and in information security control frameworks.” The Sedona Conference, Commentary on a Reasonable Security Test, 22 SEDONA CONF. J. 345, 358 (forthcoming 2021).  To that end, this test is ultimately based on the landmark Learned Hand negligence test in United States v. Carroll Towing Co., 159 F.2d 169, 173 (2nd Cir. 1947).  

The Sedona Conference Reasonable Security Test consists of “B2 – B1 < (P x H)1 – (P x H)2” where B represents the burden, P represents the probability of harm, H represents the magnitude of harm, subscript 1 represents the controls (or lack thereof) at the time the information steward allegedly had unreasonable security in place, and subscript 2 represents the alternative or supplementary control.  22 SEDONA CONF. J. at 360.  

TSC’s Commentary should be carefully studied for numerous reasons, including the fact TSC applies it to actual recent enforcement actions and provides solid arguments for its judicial application.  No different than its highly cited e-discovery initiatives, this new TSC approach may very well be relied on by courts tackling the important question of what constitutes reasonable security in the context of a data breach litigation or enforcement action.

The DeFi End Game

A skilled chess player will tell you the best way to study chess at a high level is to first study endgames and truly learn the power of each piece.  Memorizing book openings generally comes last.  If one wants to learn about the insurance industry, first take a job in the claims department.  In a similar way, students of disruptive technologies benefit from first learning their “end game”.  

Blockchain is one disruptive technology that still has not fully discovered its business sea legs.  The purported proxy for blockchain – Bitcoin, recently hit all-time highs so naturally on January 3, 2021 a forecaster placed a ten-year target of $1 million on this speculative asset.   Every good bubble requires inflating and the very speculative Bitcoin bubble currently being massively inflated by hedge fund money is no different.   

Bitcoin’s bubble ascension does not mean, however, the seismic blockchain and distributed ledger technology (DLT) shifts taking place over the past five years in the financial industry have been illusory or should be ignored.  As previously recognized, “acceptance of blockchain technology by the financial industry will be indelible proof those mistakes of 1995 made by retail sales and marketing companies will not be repeated by the financial industry.” 

Over the past several years, financial titans have reluctantly come out swinging in favor of convertible virtual currency (CVC) transactions.  For example, most US PayPal customers now have the ability to buy, sell and hold four different cryptocurrencies – Bitcoin, Ethereum, Litecoin, and Bitcoin Cash, and use them as a funding source with the company’s 26 million merchants.  Presently, PayPal’s maximum dollar amount for weekly CVC purchases is $20,000 but even that relatively high consumer amount will likely change upwards as Paypal moves up the financial transaction food chain – with Paypal’s Venmo next in line.

The largest bank in the United States – J.P. Morgan Chase, launched its JPM Coin in 2019, and in October 2020 set up an entirely new business, Onyx, as an umbrella for its blockchain and CVC initiatives – including JPM Coin.  According to Jamie Dimon, Chairman and CEO of J.P. Morgan:  “Onyx is at the forefront of a major shift in the financial services industry. This new business unit reflects J.P. Morgan’s commitment to innovation as we continue to build cutting-edge technology that delivers a better, faster and more inclusive financial system.” On December 10, 2020, J.P. Morgan announced it completed a live, blockchain-based intraday repo transaction using JPM Coin.  And, Visa has filed a patent application for what may seem perfunctory, namely recording digital currencies on a blockchain.

Apart from these blockchain-based efforts, there is a whole category of blockchain initiatives that will forever fundamentally alter the broader financial sector – to the likely chagrin of PayPal, J.P. Morgan, and Visa. The banner name for these new blockchain and DLT initiatives is “DeFi”, or decentralized finance.

In December 2019, the entire Total Value Locked (TVL) in the DeFi market was worth less than $700 million, by the end of December 2020 it grew to $14 billion, and as of January 5, 2021 the total TVL in DeFi was at over $19 billion and growing – representing a staggering growth trajectory.  The TVL in the DeFi market represents all DeFi projects but is largely driven by the lending platform MakerDAO – a decentralized credit platform supporting Dai, a stablecoin pegged to the US dollar.  Decentralized exchanges (DEXes) such as Uniswap largely make up the remaining bulk of projects.  DEXes enforce trading rules and execute trades without charging the high fees normally associated with alternative investment trades.   

A commitment of $19 billion to DeFi initiatives may seem miniscule compared to, for example, the over $6 trillion in foreign exchange trades conducted each day.   On the other hand, each DeFi transaction potentially empowers individuals while at the same time weakening the grip over the monetary system currently held by central banks and finance intermediaries – a true game changer by any measure.

Generally relying on the public Ethereum blockchain platform, most DeFi projects deploy smart contracts to automate what previously required human intervention – obviating the need for central authorities such as banks or intermediaries.  DeFi Pulse nicely showcases the benefits of DeFi by describing it as “money Legos” and giving the following example:

Compound is a money market or, in other words, a lending service on Ethereum. When you supply DAI to Compound, you receive cDAI tokens which represent both your DAI in Compound and any interest you’ve earned from lending. Since cDAI is a token, you can send, receive, or even use cDAI in other smart contracts. Money Legos in action: ETH into MakerDAO to mint DAI tokens, DAI being supplied to Compound, cDAI tokens can be used in other DApps.  For example, you can swap ETH for cDAI on a DEX and instantly start earning interest for just holding cDAI. And because you choose how you interact with smart contracts on the blockchain, you can use a DEX aggregator like DEX.AG to compare and trade at the best prices across all the popular DEXes, all within seconds.

In 2021, crowdfunding will help fund some of the DeFi startups looking to eventually disintermediate the more traditional financial firms these startups would otherwise approach for financing.   As of November 2020, online platforms can raise up to $5 million in seed capital in a State-preempted manner – with previous platforms raising hundreds of millions of dollars using the prior SEC Regulation Crowdfunding cap of $1.07 million.  Even though a typical crowdfunding online platform itself breaks away from traditional centralized banking platforms its success is not relevant for purposes of the DeFi initiatives potentially opened up by Regulation Crowdfunding.  What may be more relevant are the new ideas coming to market without the latent influence of legacy financing.  

Before widespread adoption of any DeFi product is even feasible, however, regulatory scrutiny will be needed to protect consumers onboarding these new DeFi applications.   Given that a CVC wallet is the exit ramp for many DeFi initiatives, it is no surprise that has been an area of regulatory interest.  For example, the US Treasury’s Financial Crimes Enforcement Network (‘‘FinCEN’’) recently proposed a rule that would require banks and money service businesses to file a report with FinCEN containing information related to a customer, their CVC transaction, and counterparty (including name and physical address) “if a counterparty to the transaction is using an unhosted or otherwise covered wallet and the transaction is greater than $10,000.” FinCEN is issuing regulations on transactions using digital currency wallets because the growth of individual CVC transactions will continue unabated.  

While providing a suggested Token Safe Harbor Proposal, SEC Commissioner Hester M. Peirce offered an excellent analysis of the “regulatory Catch 22” faced by decentralized networks looking to comport with SEC regulatory law. In addition to Commissioner Peirce’s forward thinking, the SEC also recently set free its FinHub as a separate office to assist blockchain and DLT innovators.  

Despite these technology-forward initiatives, the SEC continues placing an exclamation point on its regulatory reach. For example, the SEC last month shook the Ripple world by claiming in a lawsuit Ripple’s XRP token –  used by financial institutions around the globe, was an unregistered security.  It also ended the year by filing a Cease and Desist Order against ShipChain on similar grounds. These sort of efforts convey US regulators still corralling the blockchain stallion – albeit primarily through the Howey door. Disruptive DeFi initiatives should remain undeterred.

More urgent concerns for the DeFi community are coding bugs, double-spend exploits, traditional hacks, and any number of faulty implemented software functions caused when smart contracts fail to undergo adequate audits.  Despite only losing $50 million in 2020, malicious actors will certainly begin seeing a larger target over DeFi’s head as its growth continues.  Moreover, given most DeFi projects run on Ethereum, there are future threats not even widely discussed – such as those potentially arising from miners who map out transactions on a blockchain for a fee and who are no longer satisfied with just receiving their fees.

All of these potential risks – whether regulatory, technological, malicious, or competitive, however, remain dwarfed by the potential upside found in a successful, widely-adopted DeFi application or protocol.  One likely key to success is to replicate what companies such as PayPal chose to do – take a widely used existing tool and deploy into it a profitable new way that allows for flexibility with actual autonomy and consumer self-determination.  DeFi will ultimately go nowhere if it only brings into the fold insiders stuck in Moore’s early adopter phase.  

Moreover, no open-source project can ascend until a large enough market believes the tradeoffs between ease of use, financial benefits, and utility ring strongly in its favor.  For example, despite having a strong web server market position, a Linux desktop will never really threaten Microsoft’s foothold until the relevant commercial and consumer markets believe a Linux desktop truly meets all of their needs. 

Similarly, DeFi will never gain a foothold reaching above the “PayPalJPMVisa” mountain peak until at least one DeFi application checks all the relevant boxes for a sizable enough market.  It may be a decade before a DeFi project reaches that vantage point – with the classic Amazon vs. Sears endgame likely being studied along the way. 

Ransomware Groups Declare War on US Hospitals

A recent phase of the ongoing two-pronged cyber war between Russia/Iran/North Korea and China against the United States has taken an ugly turn.  The Russian faction has launched various sophisticated ransomware attacks against healthcare providers and hospital systems across the United States.  

As stated in an October 28, 2020 Alert from the Cybersecurity & Infrastructure Security Agency (CISA), there is “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”  In addition to the CISA Alert, cybersecurity firms battling this latest threat have shared how these latest attacks are perpetrated.

Our current healthcare cyber battle is further complicated given an October 1, 2020 Advisory from U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) reminding ransomware victims against conducting business with those on the OFAC list – including specific ransomware groups such as the Russia-based group behind the Dridex malware.  The OFAC advisory is likely driven by the FBI – which has long advocated against victims making ransomware payments.  No matter what the motivation, however, OFAC has exacerbated the current crisis given the OFAC Advisory warns the primary civil combatants against making violative ransomware payments, namely companies “providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses).”

Over the past several years, the cybersecurity community has seen a tremendous uptick in the deployment of ransomware – even leading to board level scrutiny.   No different from SQL injection exploits that were commonly warned against so many years ago yet still remain an exposure for so many websites, ransomware will not go away anytime soon.  The necessary cyber defensive skillset is far from fully disbursed to potential victims.  For example, indicators of compromise (IOCs) shared with the cybersecurity community would likely be ignored by most IT staff given they do not even have the means of searching internally for IOCs within their network.

Taking into consideration the old adage:  “If you fail to plan, you plan to fail,” healthcare providers and hospital systems should immediately seek out specialized cybersecurity experts who are currently fighting this battle before it is too late.

Our Current Cyber Pandemic Will Also Subside

On April 17, 2020, it was reported that researchers at Finland’s Arctic Security found “the number of networks experiencing malicious activity was more than double in March in the United States and many European countries compared with January, soon after the virus was first reported in China. ”

Lari Huttunen at Arctic Security astutely pointed out why previously safe networks were now exposed: “In many cases, corporate firewalls and security policies had protected machines that had been infected by viruses or targeted malware . . . . Outside of the office, that protection can fall off sharply, allowing the infected machines to communicate again with the original hackers. “

Tom Kellerman – a cybersecurity thought leader, distills it this way: “There is a digitally historic event occurring in the background of this pandemic, and that is there is a cybercrime pandemic that is occurring.”

While there are certain internal ways of addressing cybersecurity threats arising from a viral pandemic, the exposures now faced by corporations become doubly damaging when the outside resources absolutely necessary to combat active threats are considered off-budget or not a critical enough priority. Smart companies generally survive stressful times by prioritizing with some foresight. Network security during a Cyber Pandemic should be a top priority no matter what size business.

During our Cyber Pandemic, companies recognizing and properly addressing the potential damage caused by threat actors will not only survive minor short-term hits to their bottom line caused by paying outside resources, they will likely be the ones coming on top after both Pandemics subside. There is definitely a light at the end of the tunnel for those willing to take the ride – just continue using trusted vehicles to get you there.

Is 2020 The Year Big Business goes all in on Blockchain and DLT?

In December 2017, it was recognized that in “the same way that the World Wide Web was never defined solely by Pets.com, the benefits of blockchain technology should never be defined solely by the latest price of Bitcoin.”  Now that the mid-2018 crypto bloodbath is well in everyone’s rearview window, it is clear that blockchain and DLT technologies have firmly taken corporate root and may actually someday bear some real fruit. 

No one can deny 2019 has seen great strides in the implementation and corporate adoption of enterprise DLT solutions as well as proactive growth in the regulatory oversight of blockchain technologies:

As exemplified by current projects emanating from the likes of J.P. Morgan and Fidelity Digital Assets, financial institutions will continue in 2020 taking calculated risks deploying blockchain and DLT technologies. 

Even though it may still may be another year or two before any consumer products hatched from these new technologies ever reach mass markets, 2020 may eventually be known as the year blockchain and DLT went mainstream in corporate America. 

Gilder’s Life after Google

Even though one online reviewer called it “[a] random walk through Silicon Valley without any goal, valuable information, conclusions or anything other than what would fit a gossip magazine”, Gilder’s book provides a grand thesis with very deliberate underpinnings.  There are certainly many other books and articles out there that better inform regarding blockchain.  Nevertheless, Gilder explains exactly why blockchain will in the distant future help cause Google to lose its digital stranglehold.  For that, his book largely stands alone.

Gilder has had close access to the elite tech digerati for decades. There is no denying he knows what and who he is talking about. The writing style, however, will not be everyone’s cup of tea.  For example, applying a straw man style, he often builds up only to take down later in the book. This can easily be frustrating.  Also, an imagined meeting with Satoshi Nakamoto – the pseudonymous founder of Bitcoin, can either be considered a highlight of the book or downright hokey based on one’s literary taste.

To Gilder, Google’s downfall largely rests on its giving away free products without fully understanding how this zero-sum system neglects the value and impact of consumer time on Google’s $30 billion dollar Siren Servers – a Jaron Lanier term used to convey the eventual death spiral of a company blinded by its 75,000 server farm.  Gilder reminds:  “Without prices, all that is left to confine consumption is the scarcity of time”.

Interestingly, Jaron Lanier as well as Peter Thiel feature predominately in this book as the existential fodder for much of Gilder’s musings. The true sparkle, however, remains pure Gilder – including his view that Google’s fall is precipitated on the behemoth’s not fully understanding true wealth can only be a product of knowledge and memories.  As Gilder suggests, “wealth is not a thing or a random sequence. It is inextricably rooted in hard won knowledge over extended time.” How he eventually connects the many dots found in the book is worth the read despite the haphazard approach.  And, despite valid style criticisms, given so few are walking down this exact path, Gilder’s trailblazing can only be lauded.

Using pokes and outright direct digs on failed exercises of socialism and a “World Saving” Artificial Intelligence fealty pursued by Elon Musk, Gilder’s libertarian bent expresses a slightly brighter vision where creativity and humanity win out.  He is on to something – just ask Tim Berners-Lee about his startup, Inrupt to get additional perspective on Google.  And, the decentralized web ecosystems exemplified by Blockstack and Hashgraph are certainly aimed at tearing down the current global ecosystems founded by the Tech Lords of Stanford. Ultimately, in futurist Gilder’s vision, individuals win when they can more easily trust and be secure in their interactions.

Those seeking an actual name for the specific Google killer app will be disappointed. Gilder does not reveal which business vision will launch the “killer app” required to actually break the status quo.  Readers are provided with an abstract roadmap lacking in specific directions because no specific killer app has been publicly announced yet and will likely not be released for several years.

Consensus 2018 blockchain event exceeds expectations

After attending the largest early adopter tech conferences conducted over the past thirty years – from Internet World, VR World, COMDEX, CES, RSA, Game Developers Conference, etc., it is easy to say Coindesk’s recent Consensus 2018 Conference – the foundation for NYC’s “Blockchain Week”, was one of the largest gatherings of early technology adopters and backers ever packed in a single location.  Almost beside the point, Consensus 2018 was also easily the largest blockchain event to date.

Despite exceeding pretty much all expectations, it was not, however, without some controversy.  Noticeably absent from the event was Vitalik Buterin as well as any Ethereum presence other than a scheduled announcement and booth presence for the Enterprise Ethereum Alliance.  The visionary Buterin boycotted the event given disagreements with the sponsor and a purported grievance with the  $2,999 price tag  – despite the fact Mr. Buterin himself could have bought tickets for all 8400+ attendees if he wanted.  Buterin’s thought leadership and insights were certainly missed so hopefully next year there will be some sort of peace accord that brings him back into the fold.

According to the emcee for the event – a Brit anxiously pacing up and down with the obligatory iPad seemingly issued to all tech conference emcees, half of the attendees hailed from outside the United States.  In fact, meals and private meetings were enjoyed with folks visiting from South Korea, Australia, Finland, Switzerland, Portugal, Brazil, Berlin, Hong Kong, Vancouver, and Toronto – and that was only on the first of two attendance days.  Unlike what was shown by the early days of the web ecosystem, this gathering more than anything concretely demonstrates that any decentralized ledger future will be shaped by those outside the United States as much as by persons located within its borders.

The caliber of the audience – more so than the speakers, also demonstrates that the financial and professional institutions who missed out on the web ecosystem’s early brick laying are avoiding past mistakes.  Sensing just how disruptive things may soon get, they were out in full force – with Deloitte leading the Big Four charge and the purported naysayer JP Morgan having a sophisticated presence from New York and London.   Notwithstanding the fact the exhibit hall was stacked with ICO and ICO-wannabee companies that will likely go away in a few years, foundational companies were front and center promoting the tools and business models needed before blockchain can be digested by the masses in any meaningful way.

While companies wait to “cross the chasm”, investors are taking sides by investing in token economies and novel ramp up technologies.   And, after the speculative sheen has faded, the lasting result will be efficiencies in commerce one could only have dreamt about a few years ago.    Simply put, the “trust protocol” that will eventually be layered on top of our current digital ecosystem will create new opportunities for pretty much any company willing to listen and adapt.

Regulatory and Judicial Enforcement of “Reasonable Security”

On April 12, 2010, Brokerage firm D.A. Davidson & Co. was hit by The Financial Industry Regulatory Authority (FINRA) with a $375,000 fine due to a 2007 data breach.    The breach potentially impacted 192,000 customers and involved social security numbers, dates of birth and other confidential information.  In what has been for years now a fairly  common occurrence, the firm was exploited by a SQL injection vulnerability that allowed hackers to break into a database server holding the data.

Davidson learned of the breach after it received an extortion note from one of the hackers seeking money to keep silent.  According to FINRA, the breach was caused by Davidson’s failure to implement “well-known and recommended security measures for protecting customer data.”   It said that Davidson had failed to encrypt sensitive customer data, and had kept its customer database on a Web server with a default vendor password and a “constant open Internet connection.”

This case should not be looked upon in isolation.  A failure to implement reasonable security is giving rise to a  growing regulatory risk.   For example, on March 25, 2010, the FTC settled a case claiming that the Dave & Busters restaurant and arcade chain failed to inadequately protect consumer information.  The FTC alleged in its complaint that a hacker exploited vulnerabilities in Dave & Buster’s systems to install unauthorized software and access approximately 130,000 credit and debit cards. 

Negligence claims based on the lack of “reasonble security” has also been gaining ground in the courts.  For example, last year the U.S. District Court for the Northern District of Illinois allowed suit to proceed against Citizens Financial Bank given that plaintiffs’ home equity loan was depleted to the tune of $26,500 by an online thief who transferred the money to a bank in Austria.  The negligence claim against Citizens Financial Bank was allowed to proceed given there was a factual issue as to whether the bank utilized adequate security controls.  There are other pending cases where the court has reasoned that the lack of reasonable security can be the underpining of a negligence claim.   The moving target in all of these cases is determining what exactly constitutes “reasonable security”.

UPDATE:  February 22, 2021

The Sedona Conference (TSC) – a nonpartisan, nonprofit charitable research and educational institute “dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation and intellectual property rights”, released in February 2022 what it perceived to be the proper definition of “reasonable security”.  As a reminder, TSC famously previously helped Courts determine the proper contours of e-discovery.  

Recognizing that cybersecurity reasonableness crosses both legal and technology issues, the Technology Resource Panel of TSC recognized that a reasonableness test would help to bridge that divide.  The Sedona Conference, Commentary on a Reasonable Security Test, 22 SEDONA CONF. J. 345, 355 (forthcoming 2021).  Accordingly, the proposed test for reasonable security was designed to be consistent with “models for determining reasonableness that have been used in various other contexts by courts, in legislative and regulatory oversight, and in information security control frameworks.”  Id. at 358.

The Sedona Conference Commentary on a Reasonable Security Test consists of the following formula:  “B2 – B1 < (P x H)1 – (P x H)2” where B represents the burden, P represents the probability of harm, H represents the magnitude of harm, subscript 1 represents the controls (or lack thereof) at the time the information steward allegedly had unreasonable security in place, and subscript 2 represents the alternative or supplementary control.  Id. at 360.  This test is ultimately based on the landmark Learned Hand negligence test in United States v. Carroll Towing Co., 159 F.2d 169, 173 (2nd Cir. 1947).  

TSC’s Commentary should be studied for numerous reasons, including the fact it is applied to actual recent enforcement actions and provides solid arguments for its judicial application.  No different than the highly cited TSC e-discovery initiatives, this new TSC reasonable security test may very well be relied on by future courts tackling this important question.