With blockchain distributed authentication technology poised to disrupt many industries and possibly remake data security protections for personal information and digital assets, the authors discuss whether states will amend their cybersecurity and other laws to legally recognize blockchain or take other legislative action.
By Jeffrey D. Neuburger and Jonathan P. Mollod
Jeffrey Neuburger is a partner at Proskauer Rose LLP in New York, co-head of the technology, media, and telecommunications group, and a member of the privacy and cybersecurity group.
Jonathan Mollod is the technology and new media legal writer at Proskauer Rose LLP in New York.
The blockchain or “distributed ledger network” was originally conceived as the peer-to-peer technology platform that allows for the transfer of Bitcoin without the need for a trusted intermediary. However, the blockchain protocol is being tested for use across many industries and in many applications beyond digital currencies, such as real estate, healthcare, sports, content distribution, supply chain management, and corporate records management. In addition, blockchain’s decentralized, secure nature might also be the foundation of the next generation of cybersecurity solutions, such as for threat detection, user verification, distributed denial-of-service (DDoS) protection, and protections for internet-connected devices (i.e., the Ledger of Things). This promise has, in recent years, prompted the U.S. Defense Department, for example, to extend research grants for blockchain-related data security projects. Of course, there are questions about the enforceability of blockchain-based transactions and related, self-executing “smart contracts,” including how existing state contract and business laws will have to be re-interpreted or amended to recognize blockchain records and transactions.
In an important enactment that appeared to have started a national trend, Arizona Gov. Doug Ducey (R) signed HB 2417 into law in March 2017. This law clarified some of the enforceability issues associated with the use of blockchain and smart contracts under Arizona law, in particular with respect to transactions relating to the sale of goods, leases, and documents of title governed respectively under UCC Articles 2, 2A and 7. On the heels of the Arizona law, Nevada passed its own blockchain legislation (SB 398) in June 2017. SB 398, signed by Nevada Gov. Brian Sandoval (R), gave legal recognition to blockchain transactions by including blockchain within the definition of electronic records, and prohibited local governments from levying taxes or licensing requirements on the use of blockchain. And most recently, in July 2017, Delaware Gov. John Carney (D) signed SB 69 into law. SB 69 amended the Delaware General Corporation Law to explicitly authorize the use of distributed ledger technology in the administration of Delaware corporate records, including stock ledgers.
We will discuss blockchain generally, the recently passed state laws and other blockchain-related state legislative activity, as well as how the promise of blockchain may affect companies with respect to cybersecurity obligations going forward.
In a “blockchain” or distributed ledger network, individual transactions are grouped into “blocks.” As a block of transactions is verified, the block is distributed to all the participants on the network (often referred to as “nodes”), and is logically and irrevocably linked to the block before it (creating the “chain”). In this way, all of the nodes have a full and complete copy of every transaction ever conducted through that network. Unlike centralized ledger networks, the chain can be updated with a new transaction by any node on the network, with all nodes’ copies of the chain being identical. In short, the principal innovation is a method to digitally send something of value without a trusted intermediary or institution. Moreover, the blockchain allows for the automatic execution and settlement of business rules without human intervention through “smart contracts.” Smart contracts are software applications which run on the blockchain platform, and which automatically execute, verify and enforce the performance of an agreed-upon transaction. In short, a smart contract can be used, for example, to facilitate paperless transactions with strangers across borders in a secure way.
There are public or “permissionless” blockchains (such as that underlying Bitcoin), where the right to be a node on the network and alter/verify the ledger by participating in the consensus mechanism is open to the public. For commercial entities developing fintech applications or participating as parties to a smart contract, the preferred implementation seems to be a private (or “permissioned”) blockchain, where the right to participate in the network is restricted to pre-selected participants or institutions authorized to transact on the network. In both private and public blockchain implementations, no single entity or node controls the ledger—the network itself verifies transactions through a chosen “consensus mechanism” (whether it be “proof of work,” “proof of stake” or another method).
Arizona’s new law, HB 2417, amended the Arizona Electronic Transactions Act (AETA). AETA, among other things, stipulates that records or signatures in electronic form cannot be denied legal effect and enforceability based on the fact they are in electronic form. HB 2417, in pertinent part, clarifies that electronic records, electronic signatures and smart contract terms secured through blockchain technology and governed under UCC Articles 2, 2A and 7 will be considered to be in an electronic form and to be an electronic signature under AETA. The statute also provides that a contract relating to a transaction may not be denied legal effect, validity or enforceability solely because that contract contains a “smart contract term.”
Seeking to avoid any legal uncertainty surrounding blockchain transactions and smart contracts relating to certain digital assets, HB 2417 includes a number of interesting aspects:
Addressing similar terrain to Arizona’s law, Nevada’s new legislation (SB 398) recognizes blockchain technology as a type of electronic record for the purposes of the Uniform Electronic Transactions Act (UETA), which offers legal recognition to contracts and electronic signatures that comply with certain requirements. Under the law, which appears to cover both permissioned and permissionless arrangements, “blockchain” means an “electronic record of transactions or other data which is: (1) Uniformly ordered; (2) Redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data; and (3) Validated by the use of cryptography.” In an effort to create a haven for fintech and related blockchain start-ups, the remaining sections of the bill prohibit local and county governments from levying taxes or fees for the use of blockchain or imposing any licensing or certification requirements, or otherwise imposing other requirements relating to the use of a blockchain by any person or entity.
In 2016, Delaware launched a Blockchain Initiative to support sophisticated commercial transactions and “distributed ledger shares,” and to provide a regulatory and statutory environment that would foster blockchain development. Building on such momentum, in late July, Gov. John Carney Jr. (D) signed SB 69 into law to amend the Delaware General Corporation Law (DGCL) to expressly authorize Delaware corporations to use distributed ledger technology for the creation and maintenance of corporate records (including stock ledgers). As amended, DGCL §224 provides that corporate records administered by or on behalf of a Delaware corporation may be kept on “one or more electronic networks or databases (including one or more distributed electronic networks or databases).” DGCL §219 extends that authorization specifically to stock ledgers by way of reference to §224. Under DGCL §219(c), “stock ledgers” are one or more ledgers “administered by or on behalf of the corporation” containing certain stockholder information and “recorded in accordance with §224 of this title.” Moreover, under §224, the amended law provides that any corporate records (including stock ledgers, books of account, and minute books) maintained in the regular course of business using distributed electronic networks must be capable of being converted into legible paper form within a reasonable time upon request of any person entitled to inspect such records. As such, when records are so kept, they would be deemed admissible in evidence “to the same extent as an original paper record of the same information,” provided the paper copy accurately portrays the record.
Arizona is not the first state to expressly address blockchain in statutory law. For example, a law enacted in Vermont in 2016, H 868, provides that a blockchain-based digital record will be considered a business record under the Vermont Rules of Evidence. Moreover, in June 2017, Vermont passed S 135, an omnibus bill to spur economic development that professes blockchain’s potential role in the “new e-economy” and requests further study and that a legislative report be produced with recommendations on opportunities, risks and suggested policy directions.
In fact, we anticipate increased state legislative activity over the coming year on blockchain, as evidenced in several pending state bills, including:
The nature of blockchain technology (decentralized, immutable, verifiable and cryptographic) has led developers to consider how it might be used to store, transfer and secure digital assets in the future. In theory, blockchain’s decentralized nature makes it more resilient to cyberattacks than a single centralized database, and the irreversibility of transactions (which, of course, in private blockchains depends on the chosen consensus mechanism and rules for rolling back wrongful transactions) can prevent outside data manipulation, reduce fraud and create an auditable electronic record. For companies, blockchain could conceivably allow them to achieve IT-related cost-efficiencies at the same time as strengthening cyber defense and ensuring regulatory compliance. Yet, from a legal perspective, it is uncertain how digital blocks or smart contracts will be considered under current privacy and data security regulations. For example, how will blockchain records meet anti-money laundering statutes, federal privacy laws such as HIPAA, or more granular state data security requirements such as New York’s Department of Finance cybersecurity regulations, the Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00) or Nevada’s similar data security regulations concerning encryption (NRS Chapter 603A)? Moreover, some states, such as California, mandate that companies implement “reasonable security procedures and practices” to protect consumers’ personal information, prompting the question of whether blockchain-related cybersecurity solutions would meet such standards. In addition, it is an open issue how records stored on an immutable blockchain can be removed to comply with the various state data disposal and secure destruction laws (or, for that matter, European Union right to be forgotten removal requests of “inaccurate” or “irrelevant” information).
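As an added illustration (not part of the original article), the Python example below models the hash-linked blocks described earlier and shows why the data disposal question is hard: blanking one stored record breaks verification of the ledger, and other nodes' copies no longer match. The block layout, function names and sample records are constructed assumptions, and no consensus mechanism is modeled.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(index, prev_hash, txs):
    """SHA-256 over a canonical encoding of the block's contents."""
    body = json.dumps({"index": index, "prev": prev_hash, "txs": txs},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append_block(chain, txs):
    """Link a new block to the hash of the block before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev": prev, "txs": list(txs),
                  "hash": block_hash(index, prev, txs)})
    return chain

def first_invalid_block(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != prev:
            return i  # link to the preceding block is broken
        if block["hash"] != block_hash(i, prev, block["txs"]):
            return i  # contents no longer match the recorded hash
        prev = block["hash"]
    return None

def redact(chain, index, tx_pos, rehash=False):
    """Copy the chain with one record blanked, as a disposal request would
    require. With rehash=True the edited block's own hash is recomputed."""
    copy = json.loads(json.dumps(chain))
    copy[index]["txs"][tx_pos] = "[REDACTED]"
    if rehash:
        copy[index]["hash"] = block_hash(index, copy[index]["prev"],
                                         copy[index]["txs"])
    return copy

def nodes_agree(*replicas):
    """Nodes agree when every copy verifies and all latest hashes match."""
    return (all(first_invalid_block(r) is None for r in replicas)
            and len({r[-1]["hash"] for r in replicas}) == 1)

def build_sample_chain():
    """Constructed sample ledger; block 1 holds a personal record."""
    chain = []
    for txs in (["alice->bob:5"],
                ["bob->carol:2", "customer record: Jane Doe"],
                ["carol->dave:1"]):
        append_block(chain, txs)
    return chain
```

Recomputing only the edited block's hash moves the failure to the next block, so an honest deletion requires rewriting every later block on every node.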
The passage of Arizona’s HB 2417, Nevada SB 398 and Delaware SB 69 heralds the potential for other states to recognize blockchain-created records in the future. Additional state legislation would presumably lead to further blockchain investment and perhaps state laws in the data security context that might answer some of the above questions about blockchain and cybersecurity compliance. Indeed, the passage of additional state legislation and additional federal funding of R&D efforts for blockchain security solutions might eventually make such decentralized security platforms the new industry standard if they prove successful. In fact, such a push to use blockchain beyond financial technology or “fintech” might eventually change what are “reasonable security measures” under the law.
With blockchain perhaps poised to disrupt many industries and possibly remake data security protections for personal information and digital assets, it remains to be seen whether other state legislatures will amend state laws to legally recognize blockchain and smart contracts or otherwise encourage blockchain development.
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.