New Crop of State Blockchain-Related Laws May Prompt Additional Legislative Activity, Further Development of Blockchain and Cybersecurity Solutions

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Blockchain

With blockchain distributed authentication technology poised to disrupt many industries and possibly remake data security protections for personal information and digital assets, the authors discuss whether states will amend their cybersecurity and other laws to legally recognize blockchain or take other legislative action.

Jeffrey Neuburger Jonathan Mollod

By Jeffrey D. Neuburger and Jonathan P. Mollod

Jeffrey Neuburger is a partner at Proskauer Rose LLP in New York, co-head of the technology, media, and telecommunications group, and a member of the privacy and cybersecurity group.

Jonathan Mollod is the technology and new media legal writer at Proskauer Rose LLP in New York.

By Jeffrey D. Neuburger and Jonathan P. Mollod

The blockchain or “distributed ledger network” was originally conceived as the peer-to-peer technology platform that allows for the transfer of Bitcoin without the need for a trusted intermediary. However, the blockchain protocol is being tested for use across many industries and in many applications beyond digital currencies, such as real estate, healthcare, sports, content distribution, supply chain management, and corporate records management. In addition, blockchain’s decentralized, secure nature might also be the foundation of the next generation of cybersecurity solutions, such as for threat detection, user verification, distributed denial-of-service (DDoS) protection, and protections for internet-connected devices (i.e., the Ledger of Things). This promise has, in recent years, prompted the U.S. Defense Department, for example, to extend research grants for blockchain-related data security projects. Of course, there are questions about the enforceability of blockchain-based transactions and related, self-executing “smart contracts,” including how existing state contract and business laws will have to be re-interpreted or amended to recognize blockchain records and transactions.

In an important enactment that appeared to have started a national trend, Arizona Gov. Doug Ducey (R) signed HB 2417 into law in March 2017. This law clarified some of the enforceability issues associated with the use of blockchain and smart contracts under Arizona law, in particular with respect to transactions relating to the sale of goods, leases, and documents of title governed respectively under UCC Articles 2, 2A and 7. On the heels of the Arizona law, Nevada passed its own blockchain legislation ( SB 398) in June 2017. SB 398, signed by Nevada Gov. Brian Sandoval (R) gave legal recognition to blockchain transaction by including blockchain within the definition of electronic records and prohibit local governments from levying taxes or licensing requirements on the use of blockchain. And most recently in July 2017, Delaware Gov. John Carney (D) signed SB 69 into law. SB 69 amended the Delaware General Corporation Law to explicitly authorize the use of distributed ledger technology in the administration of Delaware corporate records, including stock ledgers.

We will discuss blockchain generally, the recently-passed state laws and other blockchain-related state legislative activity, as well as how the promise of blockchain may affect companies with respect to cybersecurity obligations going forward.

What is Blockchain?

In a “blockchain” or distributed ledger network, individual transactions are grouped into “blocks.” As a block of transactions is verified, the block is distributed to all the participants on the network (often referred to as “nodes”), and is logically and irrevocably linked to the block before it (creating the “chain”). In this way, all of the nodes have a full and complete copy of every transaction ever conducted through that network. Unlike centralized ledger networks, the chain can be updated with a new transaction by any node on the network, with all nodes’ copies of the chain being identical. In short, the principal innovation is a method to digitally send something of value without a trusted intermediary or institution. Moreover, the blockchain allows for the automatic execution and settlement of business rules without human intervention through “smart contracts.” Smart contracts are software applications which run on the blockchain platform, and which automatically execute, verify and enforce the performance of an agreed-upon transaction. In short, a smart contract can be used, for example, to facilitate paperless transactions with strangers across borders in a secure way.

There are public or “permissionless” blockchains (such as that underlying Bitcoin), where the right to be a node on the network and alter/verify the ledger by participating in the consensus mechanism is open to the public. For commercial entities developing fintech applications or participating as parties to a smart contract, the preferred implementation seems to be a private (or “permissioned”) blockchain, where the right to participate in the network is restricted to pre-selected participants or institutions authorized to transact on the network. In both private and public blockchain implementations, no single entity or node controls the ledger—the network itself verifies transactions through a chosen “consensus mechanism” (whether it be “proof of work,” “proof of stake” or another method).

Arizona HB 2417: Recognition for Blockchains and Smart Contracts

Arizona’s new law, HB 2417, amended the Arizona Electronic Transactions Act (AETA). AETA, among other things, stipulates that records or signatures in electronic form cannot be denied legal effect and enforceability based on the fact they are in electronic form. HB 2417, in pertinent part, clarifies that electronic records, electronic signatures and smart contract terms secured through blockchain technology and governed under UCC Articles 2, 2A and 7 will be considered to be in an electronic form and to be an electronic signature under AETA. The statute also provides that a contract relating to a transaction may not be denied legal effect, validity or enforceability solely because that contract contains a “smart contract term.”

Seeking to avoid any legal uncertainty surrounding blockchain transactions and smart contracts relating to certain digital assets, HB 2417 includes a number of interesting aspects:

  •  The statute includes a very specific definition of “blockchain technology” as a “distributed, decentralized, shared and replicated ledger, which may be public or private, permissioned or permissionless, or driven by tokenized crypto economics or tokenless” and provides that the “data on the ledger is protected with cryptography, is immutable and auditable and provides an uncensored truth.” It appears that the law’s arguably broad definition seeks to encompass the many “flavors” of decentralized blockchain platforms.
HB 2417 includes a definition of “smart contracts” as an “event driven program, with state, that runs on a distributed, decentralized, shared and replicated ledger that can take custody over and instruct transfer of assets on that ledger.”
  •  The law provides that a person that, in or affecting interstate or foreign commerce, uses blockchain technology to secure information that the person owns or has the right to use retains the same rights of ownership or use with respect to that information as before the person secured the information using blockchain technology.

Nevada SB 398: Recognition of Blockchain for Electronic Signatures and Ban on Fees

Addressing similar terrain to Arizona’s law, Nevada’s new legislation (SB 398) recognizes blockchain technology as a type of electronic record for the purposes of the Uniform Electronic Transactions Act (UETA), which offers legal recognition to contracts and electronic signatures that comply with certain requirements. Under the law, which appears to cover both permissioned and permissionless arrangements, “blockchain” means an “electronic record of transactions or other data which is: (1) Uniformly ordered; (2) Redundantly maintained or processed by one or more computers or machines to guarantee the consistency or nonrepudiation of the recorded transactions or other data; and (3) Validated by the use of cryptography.” In an effort to create a haven for fintech and related blockchain start-ups, the remaining sections of the bill prohibit local and county governments from levying taxes or fees for the use of blockchain or imposing any licensing or certification requirements, or otherwise imposing other requirements relating to the use of a blockchain by any person or entity.

Delaware SB 69: Authorization for Use of Blockchain Technology in the Administration of Corporate Records

In 2016, Delaware launched a Blockchain Initiative to support sophisticated commercial transactions and “distributed ledger shares,” and to provide a regulatory and statutory environment that would foster blockchain development. Building on such momentum, in late July, Gov. John Carney Jr. (D) signed SB 69 into law to amend the Delaware General Corporation Law (DGCL) to expressly authorize Delaware corporations to use distributed ledger technology for the creation and maintenance of corporate records (including stock ledgers). As amended, DGCL §224 provides that corporate records administered by or on behalf of a Delaware corporation may be kept on “one or more electronic networks or databases (including one or more distributed electronic networks or databases).” DGCL §219 extends that authorization specifically to stock ledgers by way of reference to §224. Under DGCL §219(c), “stock ledgers” are one or more ledgers “administered by or on behalf of the corporation” containing certain stockholder information and “recorded in accordance with §224 of this title.” Moreover, under §224, the amended law provides that any corporate records (including stock ledgers, books of account, and minute books) maintained in the regular course of business using distributed electronic networks must be capable of being converted into legible paper form within a reasonable time upon request of any person entitled to inspect such records. As such, when records are so kept, they would be deemed admissible in evidence “to the same extent as an original paper record of the same information,” provided the paper copy accurately portrays the record.

Other Blockchain-Related State Developments

Arizona is not the first state to expressly address blockchain in statutory law. For example, a law enacted in Vermont in 2016, H 868, provides that a blockchain-based digital record will be considered a business record under the Vermont Rules of Evidence. Moreover, in June 2017, Vermont passed S 135, an omnibus bill to spur economic development that professes blockchain’s potential role in the “new e-economy” and requests further study and that a legislative report be produced with recommendations on opportunities, risks and suggested policy directions.

In fact, we anticipate increased state legislative activity over the coming year on blockchain, as evidenced in several pending state bills, including:

  •  Hawaii: Recognizing blockchain’s “vast potential” to “drastically change and improve public sector operations and private industry capabilities,” HB 1481 would establish a working group comprised of public and private sector representatives to examine and promote smart regulations and best practices for enabling the technology to blossom in the state.
  •  Illinois: Illinois created the Illinois Blockchain Initiative, a consortium of state and county agencies to explore innovative opportunities for blockchain technology. Also, HR 0120, would create the Illinois Legislative Blockchain and Distributed Ledger Task Force to study opportunities and risks associated with using blockchain and distributed ledger technology, including both public and private blockchains and different consensus mechanisms. The task force would also study, among other things, how and if government can benefit from a transition to a blockchain-based recordkeeping and service delivery system and was also tasked with outlining how existing law should be changed to accommodate such changes.
What will the potential rise in state-level regulation mean? As law is typically a lagging indicator to technology and technology-based business models, will these statutes quickly become obsolete? Or, to the extent relevant, will companies be faced with a patchwork of inconsistent and sometimes conflicting regulatory requirements to grapple with? Or will the state initiatives be deemed to be preempted by federal statutory law in the area? To the extent preemption is ambiguous, will the states’ activities give the impetus to Congress to pass enabling law to preempt state conflicts and inconsistencies, similar to the way E-Sign was enacted in 2000 to address inconsistent and conflicting digital signature laws? Will a newly formed Congressional Blockchain Caucus step in to attempt to enact clarifying legislation?

Looking Ahead: Effect on Cybersecurity

The nature of blockchain technology—decentralized, immutable, verifiable and cryptographic – has led developers to consider how it might be used to store, transfer and secure digital assets in the future. In theory, blockchain’s decentralized nature makes it more resilient to cyberattacks than a single centralized database, and the irreversibility of transactions (which, of course, in private blockchains depend the chosen consensus mechanism and rules for rolling back wrongful transactions) can prevent outside data manipulation, reduce fraud and create an auditable electronic record. For companies, blockchain could conceivably allow them to achieve IT-related cost-efficiencies at the same time as strengthening cyber defense and ensuring regulatory compliance. Yet, from a legal perspective, it is uncertain how digital blocks or smart contracts will be considered under current privacy and data security regulations. For example, how will blockchain records meet anti-money laundering statutes, federal privacy laws such as HIPAA, or more granular state data security requirements such as New York’s Department of Finance cybersecurity regulations, the Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00) or Nevada’s similar data security regulations concerning encryption (NRS Chapter 603A)? Moreover, some states, such as California, mandate that companies implement “reasonable security procedures and practices” to protect consumers’ personal information, prompting the question of whether blockchain-related cybersecurity solutions would meet such standards. In addition, it is an open issue on how records stored on an immutable blockchain can be removed to comply with the various state data disposal and secure destruction laws (or for that matter, European Union right to be forgotten removal requests of “inaccurate” or “irrelevant” information).

The passage of Arizona’s HB 2417, Nevada SB 398 and Delaware SB 69 herald the potential for other states to recognize blockchain-created records in the future. Additional state legislation would presumably lead to further blockchain investment and perhaps state laws in the data security context that might answer some of the above questions about blockchain and cybersecurity compliance. Indeed, the passage of additional state legislation and additional federal funding of R&D efforts for blockchain security solutions might eventually make such decentralized security platforms the new industry standard if they prove successful. In fact, such a push to use blockchain beyond financial technology or “fintech” might eventually change what are “reasonable security measures” under the law.

With blockchain perhaps poised to disrupt many industries and possibly remake data security protections for personal information and digital assets, it remains to be seen whether other state legislatures will amend state laws to legally recognize blockchain and smart contracts or otherwise encourage blockchain development.

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security