
Why Blockchain Matters to In-House Lawyers

Today, news reports, academic articles, and corporate reports are flush with mentions of “blockchain,” “Bitcoin,” and “distributed ledger technology.” At first glance, many readers see the discussion as hype, generating a great deal of actionless attention, curiosity, and investment opportunities. However, on another level, some of the conversation concerns developments in technology that may specifically shape or impact a company’s contract or legal risk profile – even for those companies that don’t have or deal in Bitcoin.

Blockchain technology is expected to have a broad and sweeping impact across industries worldwide, with one commentator identifying a financial impact of over $176 billion in the next several years. It is envisioned that countless companies (whether suspecting or unsuspecting) will deploy or utilize the technology in their businesses. This may happen in the form of an internally developed or deployed technology or system, through dealings with governments or government agencies, or by way of transactions with technology vendors or service providers, among others.

At a very high and general level, blockchain is a recently developed distributed ledger (or database) technology that facilitates secure records of transactions over time by electronically distributing and maintaining tens, hundreds, or thousands of identical, immutable, highly secure digital copies of the transaction record. Each of these copies is distributed to and held by a different computer node or site participating in the ledger. Blockchain is one kind of distributed ledger technology, and there are many different platforms for blockchain. Bitcoin is a form of cryptocurrency whose foundation is based on one of the blockchain platforms. (Numerous detailed explanations of blockchain and distributed ledger technology are available online, including the video “Ever wonder how Bitcoin (and other cryptocurrencies) actually work?” and a UK Government report on distributed ledger technology.)

Many sets of records that are maintained in an Excel spreadsheet, a company or vendor database, or government files, whether or not currently stored or maintained in the cloud, may be suitable for blockchain. A few examples include real estate purchase and sale transactions, shipping records, banking and financial transactions, inventory management, consumer auto-pay and auto-withdrawal transactions, product manufacturing, and customer subscription transactions.

Attorneys and contract professionals supporting companies’ encounters with blockchain technology should consider the following, among others:

  • Open Source Software. Currently, numerous distributed ledger technologies (including blockchain) are built using open source software. The Bitcoin program is distributed under the MIT License, aspects of Ethereum (another blockchain-based cryptocurrency) use the GNU General Public License, and OpenChain (another distributed ledger technology) is based on the Apache 2.0 license. Open source software licenses include many unique terms (and omit many standard commercial software licensing terms), and may, for example, dictate subsequent use and distribution of the software, as well as of company proprietary code related to the open source software.
  • New Software. Because distributed ledger technology like blockchain is new, in many cases the software underpinning the technology is not as well-tested and presents a notable possibility of serious errors and glitches. Consequently, traditional contractual recourses and remedies for software errors and bugs may not be wholly meaningful when applied to blockchain, and typical software project deployment schedules and timelines may be difficult to adhere to.
  • Privacy. While one of the potential benefits of blockchain is stronger data security safeguards against loss, destruction, and unauthorized alteration of data and records, the nature of a distributed ledger is that the tens, hundreds, or thousands of ledger participants will have exact duplicates of the digital data and records. Even if the parties to a particular transaction do not consider the transaction record in the ledger to be confidential, it is possible that the underlying record data (especially if health, medical, or financial data) may be a material concern.
  • Technology Contracting. Blockchain is a technology, with its own open (as noted above) or proprietary platforms, software, and systems. Contracts for, or to use, blockchain technology, just as other company contracts for technology, are key vehicles to establish critical rights and obligations regarding representations and warranties, indemnities, limitations of liability, and intellectual property.
  • Bitcoin. Many companies will not typically have or deal in Bitcoin or other cryptocurrencies. The legal and regulatory landscape applicable to cryptocurrency is nascent and exceptionally dynamic and varies across U.S. and non-U.S. jurisdictions (and is beyond the scope of this post). Even for companies that merely or only occasionally transact business in cryptocurrency (and don’t issue, exchange, or administer cryptocurrency), potential issues can include how cryptocurrencies are treated and taxed (different legal authorities consider them to be “currencies,” “commodities,” or “property”), whether corporate insurance provides coverage or protection for cryptocurrency transactions, and whether the use of cryptocurrency is even legal.

Blockchain is an algorithm-intensive, complex technology that may provide great benefits, efficiencies, and cost savings to its users. While this post does not speak to many of its features, including smart contracts, permissioned versus unpermissioned ledgers, and cryptocurrency mining, hopefully it provides a “bit” of useful information.


Anti Anti-Virus

In July 2017, Bloomberg reported that the anti-virus and security company Kaspersky Lab has been cooperating since 2009 with the Russian Federal Security Service (FSB), the Russian counterintelligence agency and successor of the KGB. On September 13, 2017, the US federal government mandated that all software made by Kaspersky Lab be removed from government computer systems. Retailers such as Best Buy are also taking steps to remove Kaspersky Lab’s products from their retail offerings.

Kaspersky Lab issued a response, claiming that it has done nothing wrong and is merely a pawn in a political game between the US and Russia.  Russia responded to the report by urging Russian companies to only use Russian software.

Although it’s unlikely we will ever have a definitive answer about whether Kaspersky Lab is gathering data for the Russian FSB, this incident highlights a growing concern that foreign governments might be collaborating with software and hardware companies to spy on other governments, corporate enterprises, and consumers.   How can companies protect themselves in this environment?  Consider five things:

  1. A company should have a plan in place to quickly install a replacement if it discovers that software or hardware in its environment has been compromised.  Often this means maintaining a list of alternative providers and, when possible, having a contact at those alternative providers in case a purchase needs to be made quickly.
  2. Prior to making a purchase, conduct a search of news and industry reports on the brand and product to find any stories that might raise a red flag.
  3. After making a purchase, set an online news alert with the product name and “spy,” “spyware,” “malware,” “security issue” and similar terms in the search field (however, this doesn’t work well for network security or anti-virus products, since nearly every news story about those products contains these terms).
  4. Subscribe to security sites, such as SecureList.com or KrebsOnSecurity.com, that track potential security issues affecting enterprises and consumers.
  5. In particularly egregious circumstances, unplug the software or hardware so it stops collecting and transmitting information, but first be aware of how that will impact your other systems.

While there is no surefire way to identify a software or hardware vendor intent on stealing information, these steps can help mitigate damages by notifying companies of any known or suspected issues.  In the end, staying current on security risks is one important factor in defending your company, and yourself, against cyber-mischief.