Technologies are often pitched as solutions, if not game-changing solutions. Indeed, many times they are, but no solution comes without the seeds of its own costs and challenges. For pragmatic and regulatory compliance reasons, it is increasingly important for boards, senior executives and general counsel to sufficiently understand technologies such as blockchain, artificial intelligence (AI) and integrated “smart” components to recognize their potential risks and costs, not just their potential promise.
In other words, it is more important than ever to know your tech.
Take blockchain technology, which is often touted as immutable and heralded as decentralized. Recent attacks and discovered vulnerabilities demonstrate that it may not be. For example, Ethereum Classic recently suffered what is referred to as a 51% attack, in which the attackers gained control of a majority of the network's mining power (its hash rate) rather than of the nodes themselves (the computers or servers that "store, spread and preserve the blockchain data"). It is a core security assumption of any blockchain that uses a proof-of-work consensus algorithm, such as Bitcoin or Ethereum, that more than half of the mining power remains honest. (A consensus algorithm is the process by which the nodes in a blockchain agree on a single version of the ledger; such algorithms are designed to keep the network reliable even when some participants fail or misbehave. Proof of work is a consensus algorithm in which a miner that finds a hash below a difficulty target earns the right to append the next block, and nodes accept whichever valid chain represents the most such work.) An attacker who controls more than 50% of the mining power can therefore build a competing chain faster than everyone else and rewrite recent history, typically to reverse, or "double-spend," payments that recipients had already treated as final. In the case of the Ethereum Classic attack, this manipulation allowed the attackers to double-spend about $1.1 million worth of the Ethereum Classic digital currency.
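To make the mechanism concrete, the following is an added illustration written for this piece; it is not code from the article, from Ethereum Classic or from any other project mentioned here. It builds a toy proof-of-work ledger, lets an honest network and an attacker mine competing chains, and measures how often the attacker's secretly mined chain displaces a payment the merchant has already accepted. The difficulty, the six-confirmation shipping rule, the transaction format and the modelling of hash-power share as a per-block lottery are all assumptions of the example.

```python
"""Toy proof-of-work ledger: why majority hash power can rewrite history.

Added illustration, not code from the article or from Ethereum Classic.
The difficulty, the six-confirmation shipping rule, the ledger format and
the per-block lottery used to model hash-power share are all assumptions.
"""
import hashlib
import random
from dataclasses import dataclass

DIFFICULTY_BITS = 4   # assumption: tiny target so each block mines in microseconds
CONFIRMATIONS = 6     # assumption: merchant ships at 6 confirmations (the including block counts as the first)
GENESIS_PREV = "0" * 64


@dataclass(frozen=True)
class Block:
    prev_hash: str
    txs: tuple          # (sender, receiver, amount) triples
    nonce: int
    hash: str


def block_hash(prev_hash, txs, nonce):
    return hashlib.sha256(f"{prev_hash}|{txs!r}|{nonce}".encode()).hexdigest()


def meets_target(h):
    # Proof of work: the hash must begin with DIFFICULTY_BITS zero bits.
    return int(h, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine(prev_hash, txs):
    # Brute-force the nonce until the block hash is below the target.
    nonce = 0
    while not meets_target(block_hash(prev_hash, txs, nonce)):
        nonce += 1
    return Block(prev_hash, txs, nonce, block_hash(prev_hash, txs, nonce))


def valid_chain(chain):
    # What an honest node checks: linkage and proof of work.  Nothing here
    # reveals who mined a block, so a secretly mined chain looks just as valid.
    prev = GENESIS_PREV
    for b in chain:
        if (b.prev_hash != prev
                or b.hash != block_hash(b.prev_hash, b.txs, b.nonce)
                or not meets_target(b.hash)):
            return False
        prev = b.hash
    return True


def choose_chain(*candidates):
    # Same difficulty throughout, so "most work" is simply "longest valid chain".
    return max((c for c in candidates if valid_chain(c)), key=len)


def simulate(attacker_share, rounds=200, seed=0):
    """One double-spend attempt; attacker_share is the attacker's fraction of hash power."""
    rng = random.Random(seed)
    genesis = mine(GENESIS_PREV, ())
    payment = ("attacker", "merchant", 10)        # what the merchant sees
    double_spend = ("attacker", "attacker2", 10)  # conflicting spend of the same coins
    public = [genesis, mine(genesis.hash, (payment,))]         # honest network
    private = [genesis, mine(genesis.hash, (double_spend,))]   # attacker's secret fork
    for _ in range(rounds):
        # Each new block goes to whichever side wins this round's hash lottery.
        if rng.random() < attacker_share:
            private.append(mine(private[-1].hash, ()))
        else:
            public.append(mine(public[-1].hash, ()))
        confirmations = len(public) - 1
        if confirmations >= CONFIRMATIONS and len(private) > len(public):
            break  # merchant has shipped and the secret chain is longer: publish it
    shipped = len(public) - 1 >= CONFIRMATIONS
    winner = choose_chain(public, private)   # every node switches to the longest valid chain
    payment_survives = any(payment in b.txs for b in winner)
    return {
        "merchant_shipped": shipped,
        "payment_survives": payment_survives,
        "attack_succeeded": shipped and not payment_survives,
        "public_len": len(public),
        "private_len": len(private),
    }


def success_rate(attacker_share, runs=100):
    """Fraction of independent attempts in which the double-spend succeeds."""
    wins = sum(simulate(attacker_share, seed=s)["attack_succeeded"] for s in range(runs))
    return wins / runs


if __name__ == "__main__":
    for share in (0.1, 0.3, 0.6):
        print(f"attacker hash share {share:.0%}: "
              f"double-spend succeeds in {success_rate(share):.0%} of runs")
```

Two things worth noticing when running it. First, the validation rule an honest node applies checks only linkage and work, so it cannot distinguish the attacker's chain from the honest one; "immutability" is a statement about the cost of out-mining the network, not a property of the data structure. Second, waiting for confirmations only lowers the probability that a minority attacker succeeds; it never reaches zero, and once the attacker's share exceeds half, the secret chain outgrows the public one with certainty given enough time.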
In addition, the company in charge of maintaining the cryptocurrency Zcash revealed that it had acted in secret to fix a software bug that would have given an attacker the means to create “fake” Zcash. According to an article in MIT's Technology Review, what was “shocking” was not so much that Zcash had a flaw — although it serves as a reminder that no technology is perfect — but that it kept the flaw secret for eight months. In a space where blockchain enthusiasts expect everything to be transparent and decentralized, this lack of transparency and likely centralized fix was striking. Id.
Regulators and plaintiffs in litigation may take the view that the obligation to know your tech is already part of the reasonableness requirement in many current cybersecurity laws and regulations. See, 815 Ill. Comp. Stat. Ann. 530/45; Neb. Rev. Stat. Ann. §87-808. After all, regulators recognize that part of prevention is to systematically identify, assess and mitigate vulnerabilities. For example, the New York State Department of Financial Services requires entities and individuals operating under the Banking Law, Insurance Law or Financial Services Law to "assess its specific risk profile and design a program that addresses its risks in a robust fashion." 23 NYCRR 500. Massachusetts requires that companies maintain a written information security program containing administrative, technical and physical safeguards that are "appropriate" and "consistent" with other relevant applicable regulations. 201 CMR 17.00. The Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. Ann. 14/15(e)(1), requires companies collecting biometric information to use a "reasonable standard of care within the private entity's industry" to "store, transmit, and protect" biometric information, and California's new Internet of Things security law, set to go into effect in 2020, requires "reasonable" security measures. Understanding the strengths and weaknesses of technology may also be particularly important for financial institutions and covered healthcare entities that fall under the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C.A. §§6801 – 6809, and the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. §164.300 et seq. Both GLBA and HIPAA require entities to examine their information systems and to provide appropriate protection to personal information.
So, if blockchain forms part of a company's systems or security architecture, the company likely needs to understand not only the strengths but also the potential weaknesses of the technology.
Similarly, the Federal Trade Commission (FTC) (and certain states) requires companies to implement reasonable and appropriate security measures. See, F.T.C. v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 609 (D.N.J. 2014), aff'd, 799 F.3d 236 (3d Cir. 2015); In the Matter of BJ's Wholesale Club, Inc., 140 F.T.C. 465, 468 (2005). Although the FTC Act does not directly address data security, a company's failure to take reasonable and appropriate steps to protect personal information may expose it to an unfair act or practice claim under the Act. Id. See also, 15 U.S.C. §§41-58. The FTC has also brought deceptive practices claims against companies whose actual security practices fall short of the level of security promised in their privacy policies. See, F.T.C. v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 609 (D.N.J. 2014), aff'd, 799 F.3d 236 (3d Cir. 2015).
Fortunately, there is guidance on how businesses can manage cybersecurity-related risk. One of the established techniques to implement information security is to follow the National Institute of Standards and Technology's (NIST) Cybersecurity Framework. The NIST Cybersecurity Framework is a voluntary standard developed through a partnership between the U.S. federal government and the private sector that establishes best practices for the management of cybersecurity-related risk. A key step in the NIST Cybersecurity Framework is to identify cybersecurity risk, which often simply starts by asking the right questions.
NIST is also practicing what it preaches, by working to stay ahead of tech developments amid rapid technological change. Recently, NIST winnowed the candidates in its post-quantum cryptography standardization effort down to 26 algorithms it considers promising enough to advance to a second round of evaluation against quantum computers, a technological advance that threatens to render most of the public-key encryption and digital signature schemes in use today obsolete. This threat may lie in the future, but it emphasizes the point that knowing your tech requires periodic reassessment of that tech, and the basic knowledge that no tech delivers the last word.
It is also important to understand the potential privacy impacts of new technology. For example, blockchain technology can be open to everyone and can require each participant on the blockchain to keep a full copy of its records. As a result, the details of every transaction, and the pseudonymous addresses of the parties, are visible to every participant, and such pseudonyms can often be linked back to real identities. This could raise regulatory issues for companies that wish to transfer health, financial or other personal information via blockchain. In addition, once information is written to a blockchain, removing it may become nearly impossible. For example, Money Button recently discovered that its service had been used to post illegal images to the BSV blockchain. Now every node on that blockchain holds a copy of the illegal images, and there is currently no way to remove the illicit content from the blockchain. Entities that are required to destroy certain records after a set period of time must carefully consider what types of information should be uploaded to a blockchain at all.
Ultimately, whether for a legal obligation, a contract clause, a voluntary standard or pragmatic reasons, it is increasingly important for senior decision makers and lawyers to know their tech. In fact, for lawyers, there may be an ethical duty to understand relevant technology because understanding how a technology works may be necessary to appropriately advise on the legal requirements and considerations around that technology. See, The State Bar of California Standing Committee on Professional Responsibility and Conduct Formal Opinion No. 2015-193 ("Legal rules and procedures, when placed alongside ever-changing technology, produce professional challenges that attorneys must meet to remain competent. Maintaining learning and skill consistent with an attorney's duty of competence includes keeping 'abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, …' ABA Model Rule 1.1, Comment [8].").
New innovations create new opportunities, but it is vital that senior decision makers and lawyers ask the right questions to identify and then, if possible, mitigate the inevitable risks and costs, from a regulatory and security perspective. The old adage that an ounce of prevention is worth a pound of cure applies to even the newest technologies.
*****
Michael Bahar, a partner at Eversheds Sutherland (US) LLP, is the co-lead of the Global Cybersecurity and Data Privacy team. He was previously Staff Director and General Counsel for the Minority Staff of the U.S. House Intelligence Committee, and prior Deputy Legal Advisor to the National Security Council. Also contributing to the article are Eversheds Sutherland attorneys Gregory Kaufman, Mary Jane Wilson-Bilik, Mark Thibodeaux, Al Sand and Ali Jessani.