66 UCLA L. Rev. 1242 (2019)
U.C.L.A. Law Review Start With Trust: Utilizing Blockchain to Resolve the Third-Party Data Breach Problem
Phillip Shaverdian
ABSTRACT
The current cybersecurity landscape is unsustainable. Companies are increasingly relying on third parties for conducting services, yet these third parties continue to be targets of attack due to their weak cybersecurity measures. The problem stems back to the responsibility of contracting companies to ensure the adequate cybersecurity of third parties. This oversight mechanism has proven to be inadequate, and third parties remain untrustable as the weakest link. Moreover, the Federal Trade Commission’s (FTC) inconsistent enforcement of reasonable cybersecurity measures continues this vicious cycle. Until now, the FTC has brought enforcement actions only against larger companies who contract out services to third parties, even in instances where the third party was breached due to their own inadequate security. As a result, third parties lack the major incentive to maintain reasonable cybersecurity measures created by FTC enforcement actions and they operate in a de facto unenforced cybersecurity realm.
Blockchain technology should be implemented as part of a large company’s comprehensive cybersecurity plan. The technology offers a myriad of cybersecurity benefits as it ensures confidentiality, integrity, availability, and resilience. Moreover, the technology, even in its current nascent state, comports with the FTC’s cybersecurity guidelines—found in their 2015 guidebook titled “Start with Security.” Recognizing that the FTC’s reasonableness analysis is done on a case-by-case basis, the absence of blockchain-based data storage by a large company—with adequate means and who collects sensitive information from many people—can be deemed unreasonable. Doing so will limit cybersecurity risk and legal risk. The trust that the blockchain offers, along with the cybersecurity benefits, makes this technology a unique and unparalleled solution to the third-party data breach problem. Large companies handling sensitive and confidential data should start with trust and include blockchain technology as part of their comprehensive cybersecurity plan.
AUTHOR
J.D., UCLA School of Law, 2019; B.A., University of California, Los Angeles, 2015. The opinions expressed in this Comment reflect the author’s personal views only. A special thank you to Professor Kristen Eichensehr for her guidance, insight, and pushback and the entire UCLA Law Review board and staff for their tireless work and thoughtful edits.
TABLE OF CONTENTS
Introduction .... 1244
I. Current Cybersecurity Landscape .... 1246
  A. What is Cybersecurity? .... 1246
  B. Breadth and Scope of the Problem .... 1249
II. Cybersecurity Enforcement in the United States .... 1255
  A. What is “Unreasonable”? .... 1257
    1. Failing to Adopt Readily Available Technology .... 1259
    2. Leaving Gaps in Encryption/Security in the Storage-Transmission Chain .... 1260
    3. Responding and Recovering Too Slowly From Breaches .... 1261
    4. Inadequately Policing the Security of Third-Party Service Providers .... 1261
  B. Cybersecurity of Third Parties and Inconsistent Enforcement .... 1262
III. What is Blockchain? .... 1263
  A. Blockchain Technology .... 1263
  B. Public, Consortium, and Private Blockchains .... 1267
  C. Applications .... 1269
IV. Blockchain and Cybersecurity .... 1273
  A. How Blockchain Can Enhance Cybersecurity .... 1273
    1. Confidentiality .... 1275
    2. Integrity .... 1277
    3. Availability .... 1278
    4. Resilience .... 1278
  B. Absence of Blockchain as Unreasonable in the Data Storage Context .... 1279
    1. Adopting Readily Available Technology .... 1280
    2. Filling Gaps in Encryption/Security in the Storage-Transmission Chain .... 1282
    3. Responding and Recovering Quickly From Breaches .... 1284
    4. Ensuring the Security of Third-Parties: The Trust Machine .... 1284
  C. Concerns About Market Adoption, Job Killing, and the “Right to be Forgotten” .... 1286
Conclusion .... 1288
INTRODUCTION
Data breaches have been the topic of headlines more often than not in recent memory. With breaches ranging from Sony,1 to the Democratic National Committee (DNC),2 to the U.S. Navy and its industry partners,3 to Equifax,4 no industry or sector remains impervious to cyberattacks. And this trend will likely get worse. In fact, there was a record high of 1,579 breaches in 2017—a 45 percent increase from 2016.5 What is even more frightening is that in 516 of the 584 reported company breaches, the number of total records compromised is unknown.6 This data might make someone reconsider his or her nomenclature. Is this cybersecurity or cyberinsecurity?
Yet the so-called third-party problem, which arises from large companies’ use of smaller third-party companies to store sensitive data, is even more shocking. In 2017, 56 percent of companies had a third-party breach. That number is projected to rise because companies are increasingly relying on third parties, yet they often do not know exactly what information the third party carries.7 Moreover, the current cybersecurity enforcement regime forces companies to conduct their own oversight of third parties—as evinced through the Federal Trade Commission’s (FTC) 2015 guidebook titled “Start with Security”—which has proven inadequate.8 This is because the FTC continues to bring cybersecurity enforcement actions against the larger companies even when it was the third party that was breached.9 These third parties often handle the same highly sensitive and confidential information as the larger company, but escape FTC enforcement, and therefore live in a realm outside cybersecurity enforcement. Under the current structure, these so-called trusted third parties are often practically untrustable and continue to remain the weakest link in a landscape plagued with cyber-insecurity.
1. See David E. Sanger & Nicole Perlroth, U.S. Said to Find North Korea Ordered Cyberattack on Sony, N.Y. TIMES (Dec. 17, 2014), https://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html [https://perma.cc/DP5X-ME7D].
2. See Raphael Satter, Inside Story: How Russians Hacked the Democrats’ Emails, ASSOCIATED PRESS (Nov. 4, 2017), https://www.apnews.com/dea73efc01594839957c3c9a6c962b8a [https://perma.cc/57VB-CW65].
3. See Gordon Lubold & Dustin Volz, Navy, Industry Partners Are ‘Under Cyber Siege’ by Chinese Hackers, Review Asserts, WALL ST. J. (Mar. 12, 2019, 2:32 PM), https://www.wsj.com/articles/navy-industry-partners-are-under-cyber-siege-review-asserts-11552415553 [https://perma.cc/3PZX-BXVQ].
4. See Donna Borak & Kathryn Vasel, The Equifax Hack Could Be Worse Than We Thought, CNN (Feb. 10, 2018, 10:43 AM), https://money.cnn.com/2018/02/09/pf/equifax-hack-senate-disclosure/index.html [https://perma.cc/3W28-W5QK].
5. IDENTITY THEFT RES. CTR., 2017 ANNUAL DATA BREACH YEAR-END REVIEW (2018), https://www.idtheftcenter.org/images/breach/2017Breaches/2017AnnualDataBreachYearEndReview.pdf [https://perma.cc/5WZ8-BNZK].
6. See, e.g., Gretel Egan, Scary Data Breach Statistics of 2017, WOMBAT SECURITY (Oct. 27, 2017), https://www.wombatsecurity.com/blog/scary-data-breach-statistics-of-2017 [https://perma.cc/M8F6-JSQV].
7. See infra notes 62–67 and accompanying text.
8. See infra notes 50–58, 66, 141, 148, and accompanying text.
This Comment argues that utilizing blockchain-based data storage instead of third-party storage providers will not only reduce cybersecurity risk but will also reduce legal risk in the eyes of the FTC. The FTC brings enforcement actions against companies’ unfair practices, and has defined unfair practices to include reasonable cybersecurity protocols.10 Large companies can ensure their protocols are reasonable only by somehow establishing trust in third-party service providers that have up until now been insecure and untrustable. When it comes to third-party service providers, large companies should start with trust by using blockchain technology as part of their comprehensive cybersecurity plan. The absence of this “technological genie [that] has been unleashed from its bottle”11 might well be deemed unreasonable by the FTC.
Part I reviews what cybersecurity is and what it attempts to accomplish, particularly its four dimensions of confidentiality, integrity, availability, and resilience. It also gives an overview of the current cybersecurity landscape by examining the breadth and scope of attacks in general and on third parties in particular.
Part II examines the cybersecurity enforcement regime in the United States and explores some guidelines that would be relevant to incorporating blockchain into the FTC’s understanding of reasonableness. These FTC guidelines include (1) using readily available technology, (2) protecting data during storage and transmission, (3) responding and recovering from cyber attacks, and (4) ensuring the security of third parties. An analysis of why the current enforcement regime is inadequate to address the third-party problem follows.
Part III dissects blockchain technology and its components and lists various potential and actual applications. While a relatively new concept, blockchain’s genius lies in its unique combination of two breakthroughs in computer science—both of which, standing alone, are widely used throughout many industries to strengthen the security of networks.
9. See infra notes 147–148 and accompanying text.
10. See infra Part II.A.
11. DON TAPSCOTT & ALEX TAPSCOTT, BLOCKCHAIN REVOLUTION: HOW THE TECHNOLOGY BEHIND BITCOIN IS CHANGING MONEY, BUSINESS, AND THE WORLD 3 (2016).
Finally, Part IV analyzes how blockchain can enhance cybersecurity by looking at its effects on cybersecurity’s four dimensions. It then looks at how blockchain fits into the current cybersecurity guidelines discussed in Part II. Part IV also addresses some concerns that may come up in trying to implement blockchain technology to enhance cybersecurity.
I. CURRENT CYBERSECURITY LANDSCAPE
A. What is Cybersecurity?
Cybersecurity is “[t]he process of protecting information by preventing, detecting, and responding to attacks.”12 An old joke in the security industry about the best way to keep a computer secure is to “[j]ust unplug it.”13 But the evolving “Information Age”14 has rendered this punch line solution more and more impractical. Moreover, the increasing connectivity of electronic devices to the internet and to other devices, as embodied in the “Internet of Things,”15 creates nearly infinite potential vulnerabilities for these devices and their connections. As a result, there is now an unprecedented need for information security.16
12. NAT’L INST. OF STANDARDS & TECH., FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY 45 (2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf [https://perma.cc/6NSZ-89B6].
13. P.W. SINGER & ALLAN FRIEDMAN, CYBERSECURITY AND CYBERWAR: WHAT EVERYONE NEEDS TO KNOW 34 (2014).
14. See, e.g., MANUEL CASTELLS, THE INFORMATION AGE: ECONOMY, SOCIETY AND CULTURE, VOLUME III: END OF MILLENNIUM (Wiley-Blackwell 2d ed. 2010).
15. The “internet of things” is “the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other). This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of.” Jacob Morgan, A Simple Explanation of ‘The Internet of Things’, FORBES (May 13, 2014, 12:05 AM), https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#2b658d711d09 [https://perma.cc/6R9P-4QMS]. There is tension within the U.S. government on what office or agency should police the potential vulnerabilities presented by the internet of things. See, e.g., Kristen Eichensehr, Security and the Internet of Things, JUST SECURITY (Feb. 11, 2016), https://www.justsecurity.org/29258/security-internet-of-things [https://perma.cc/D4W8-ASSZ].
16. Information security is “[t]he protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability.” MICHAEL NIELES ET AL., U.S. DEP’T OF COMMERCE NAT’L INST. OF STANDARDS & TECH., AN INTRODUCTION TO INFORMATION SECURITY 2 (2017), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf [https://perma.cc/Z4V9-PMHS].
A system’s ability to protect its information17 from “unauthorized access, use, disclosure, disruption, modification, or destruction”18 is assessed through the three properties, or goals, of cybersecurity: confidentiality, integrity, and availability—also known as the “CIA triad”.19
Confidentiality is the idea of “keeping data private.”20 It is defined as “[p]reserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”21 Confidentiality aims to ensure that only authorized individuals or entities have access to a certain computer, system, or network.
Integrity is the idea that “the system and the data in it have not been improperly altered or changed without authorization.”22 It assures that sensitive data is consistent, accurate, and trustworthy throughout its life cycle.23 There are two types of integrity: data integrity and system integrity. Data integrity is “[t]he property that data has not been altered in an unauthorized manner” and it “covers data in storage, during processing, and while in transit.”24 System integrity is “[t]he quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system.”25 Integrity is the most important part of the CIA triad because unauthorized alteration can be more subtle than outright theft or deletion of data, and thus is often the target of the most sophisticated attackers.26
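As an added illustration of the data-integrity property described above (example code written for this edit, not from the Comment or its cited sources), the following Python keeps a keyed integrity tag beside each stored record so that a subtle alteration, such as a changed balance rather than a deleted row, is detected when the record is read back. The key, the sample records, and the function names are all constructed for the example.

```python
"""Added example (not from the Comment): detecting unauthorized alteration
of stored records with a keyed integrity tag.

The point being illustrated is that an alteration can be far subtler than
theft or deletion, so a store needs a way to notice it. Each record is
written together with an HMAC-SHA256 tag; on read, the tag is recomputed
and compared. All keys and data below are constructed placeholders.
"""
import hashlib
import hmac
import json

# Constructed demo key. In a real system this comes from key management,
# never from source code.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so its tag is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(record: dict) -> str:
    """HMAC-SHA256 tag over the canonical form of the record (hex string)."""
    return hmac.new(INTEGRITY_KEY, canonical(record), hashlib.sha256).hexdigest()


def store(records: list) -> list:
    """Attach an integrity tag to a copy of each record before it is written."""
    return [{"data": dict(r), "tag": tag(r)} for r in records]


def verify(stored: list) -> list:
    """Return the indices of stored entries whose data no longer matches its tag."""
    bad = []
    for i, entry in enumerate(stored):
        # compare_digest does a constant-time comparison of the two tags.
        if not hmac.compare_digest(tag(entry["data"]), entry["tag"]):
            bad.append(i)
    return bad


# Constructed sample records (not real people or accounts).
SAMPLE = [
    {"id": 1, "name": "A. Example", "ssn_last4": "1234", "balance": 100.00},
    {"id": 2, "name": "B. Example", "ssn_last4": "5678", "balance": 250.00},
]


def demo() -> list:
    """Write the sample records, silently alter one field, and report what verify finds."""
    stored = store(SAMPLE)
    # A subtle, unauthorized edit: one numeric field changes, nothing is removed.
    stored[1]["data"]["balance"] = 2500.00
    return verify(stored)


if __name__ == "__main__":
    print("altered record indices:", demo())
```

The tag only detects alteration of a record that was tagged under a key the attacker does not hold; an attacker who can both modify data and re-tag it under the same key would go unnoticed, which is why keeping the tagging key away from the storage tier matters.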
17. Information includes “(1) Facts or ideas, which can be represented (encoded) as various forms of data; (2) Knowledge (e.g., data, instructions) in any medium or form that can be communicated between system entities.” Id.
18. Id.
19. SINGER & FRIEDMAN, supra note 13, at 35.
20. Id.
21. AN INTRODUCTION TO INFORMATION SECURITY, supra note 16, at 2–3.
22. SINGER & FRIEDMAN, supra note 13, at 35.
23. See NIELES ET AL., supra note 16, at 3.
24. Id.
25. Id.
26. See SINGER & FRIEDMAN, supra note 13, at 35; More Than 2.5 Billion Records Stolen or Compromised in 2017, GEMALTO (Apr. 11, 2018), https://www.gemalto.com/press/pages/more-than-2-5-billion-records-stolen-or-compromised-in-2017.aspx [https://perma.cc/96JX-YPM3] (“The manipulation of data or data integrity attacks pose an arguably more unknown threat for organizations to combat than simple data theft” because “data integrity breaches are often difficult to identify and in many cases, where this type of attack has occurred, we have yet to see the real impact.” (quoting Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto)).
Availability is the idea of “being able to use the system as anticipated.”27 It ensures the “timely and reliable access to and use of information.”28 Availability applies to both data, such as the availability of data in a system, and a system itself, such as the ability of an administrator to access the system more generally.
Along with the CIA triad, experts also refer to a fourth property of cybersecurity: resilience.29 Resilience “allows a system to endure security threats instead of critically failing.”30 It includes the ability to operate and maintain essential capabilities while under attack, as well as the ability to ultimately recover and restore normal operations.31 This property stems from the idea that cyber attacks are inevitable and therefore it is vital to ensure that systems are resilient in the face of such attacks.32
Cybersecurity concerns can arise when there are vulnerabilities or threats to these properties. A vulnerability is a weakness in a system and is akin to an unlocked door. The proverbial unlocked door is not a threat unless someone wants to enter.33 An actor that tries to access, use, or alter a system or data in a system without authorization is a threat.34 Because an actor can exploit these weaknesses, a vulnerability increases the likelihood that a threat will be successful.35 Moreover, a breach is “an incident in which an individual name plus a Social Security Number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk.”36
27. SINGER & FRIEDMAN, supra note 13, at 35.
28. NIELES ET AL., supra note 16, at 3.
29. See, e.g., SINGER & FRIEDMAN, supra note 13, at 36 (“Beyond this classic CIA triangle of security . . . it is important to add another property: resilience.”).
30. Id.
31. RICHARD KISSEL, NAT’L INST. OF STANDARDS & TECH., U.S. DEP’T OF COMMERCE, GLOSSARY OF KEY INFORMATION SECURITY TERMS 160 (2013), https://nvlpubs.nist.gov/nistpubs/ir/2013/nist.ir.7298r2.pdf [https://perma.cc/86PM-UNGU]; SINGER & FRIEDMAN, supra note 13, at 36.
32. See, e.g., Fredrik Björck, Martin Henkel, Janis Stirna & Jelena Zdravkovic, Cyber Resilience—Fundamentals for a Definition, in NEW CONTRIBUTIONS IN INFORMATION SYSTEMS AND TECHNOLOGIES: ADVANCES IN INTELLIGENT SYSTEMS AND COMPUTING 311–16 (Álvaro Rocha et al. eds., 2015).
33. SINGER & FRIEDMAN, supra note 13, at 37; NIELES ET AL., supra note 16, at 20.
34. See NIELES ET AL., supra note 16, at 20. Threats also include “natural disasters or erroneous actions taken by individuals in the course of executing their everyday responsibilities.” Id.
35. See id.
36. IDENTITY THEFT RES. CTR., DATA BREACH REPORTS 2 (2015), https://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf [https://perma.cc/T96P-Y3FQ].
B. Breadth and Scope of the Problem
Data breaches occur almost every day in nearly every industry, and in too many places across the country and globe to keep a precise count. The following examples are intended to illustrate the breadth and scope of data breaches and cyber attacks. This is by no means a comprehensive list.
The account information of three billion Yahoo! users was compromised after the company suffered a data breach in 2013.37 A cyber attack suffered by eBay in 2014 exposed the names, addresses, dates of birth, and passwords of 145 million users.38 The personal information of 412 million people, including twenty years of historical customer data, was exposed when AdultFriendFinder was hacked in 2016.39 A data breach at Equifax, one of the largest credit bureaus in the United States, exposed the personal information of 145.5 million people, including Social Security numbers, dates of birth, and in some cases drivers’ license numbers and credit card data.40 Moreover, in a study conducted in the United Kingdom, nearly half of the businesses in the nation reported cybersecurity breaches within a twelve-month period.41
But cybersecurity breaches are not limited to the private sector. The Federal Reserve Bank of Cleveland was the victim of a cyberhack in 2010.42 Personal information, including Social Security numbers, of 22.1 million people was stolen when the Office of Personnel Management was hacked in 2015.43 In the same year, the European Union Central Bank’s database—which includes information such as email addresses, phone numbers, and addresses—was hacked, affecting 20,000 people.44 In 2016, the corporate filing system of the Securities and Exchange Commission was breached, and it is believed that the private information could have been exploited for trading.45
State actors also conduct cyber attacks, for various reasons. The 2016 breach of the Federal Reserve Bank of New York, in which $81 million was stolen, has been linked to the North Korean government.46 North Korea has also been blamed for the 2017 “WannaCry” ransomware cyberattack,47 and was said to be “centrally involved” in the 2014 Sony Pictures hack.48 The 2016 hack of DNC emails, phone calls, and more, has been attributed, in part, to Russia and has led to the DNC’s filing of a lawsuit against the country of Russia, among other defendants.49
It is estimated that there were 1,765 data breach incidents in 2017, in which 2.6 billion records were stolen, lost, or exposed—an increase of 88 percent from 2016.50 A Kaspersky Lab study found that the impact of a data breach in North America now amounts to an average of $1.3 million for large businesses and $117,000 per incident for small and midsize businesses.51 According to a study by the Ponemon Institute in 2017, the average size of data breaches around the world increased in 2017 to more than 24,000 records per breach, with the United States standing at an average of more than 28,000 records per breach.52 This study also estimated “an average probability of 27.7 percent that organizations in this study will have a material data breach in the next 24 months.”53
37. Selena Larson, Every Single Yahoo Account Was Hacked—3 Billion In All, CNN (Oct. 4, 2017, 6:36 AM), https://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html [https://perma.cc/H5LG-JNJQ].
38. Jim Finkle, Soham Chatterjee & Lehar Maan, EBay Asks 145 Million Users to Change Passwords After Cyber Attack, REUTERS (May 21, 2014, 4:21 AM), https://www.reuters.com/article/us-ebay-password/ebay-asks-145-million-users-to-change-passwords-after-cyber-attack-idUSBREA4K0B420140521 [https://perma.cc/3RS4-BHUE].
39. Steve Ragan, 412 Million FriendFinder Accounts Exposed by Hackers, CSO (Nov. 13, 2016, 8:00 AM), https://www.csoonline.com/article/3139311/security/412-million-friendfinder-accounts-exposed-by-hackers.html [https://perma.cc/7S5N-DZPE].
40. Borak & Vasel, supra note 4.
41. DEP’T FOR DIG., CULTURE, MEDIA & SPORT, CYBER SECURITY BREACHES SURVEY 2018 (2018), https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/702074/Cyber_Security_Breaches_Survey_2018_-_Main_Report.pdf [https://perma.cc/PY67-4VJY].
42. Jonathan Dienst, Hacker Breaks Into Federal Reserve, NBC N.Y. (Nov. 18, 2010, 1:33 PM), https://www.nbcnewyork.com/news/local/Feds-Hacker-Exploits-Federal-Reserve-Bank-In-Cleveland-108985059.html [https://perma.cc/FC6V-E8GZ].
43. Patricia Zengerle & Megan Cassella, Millions More Americans Hit by Government Personnel Data Hack, REUTERS (July 9, 2015, 12:51 PM), https://www.reuters.com/article/us-cybersecurity-usa/millions-more-americans-hit-by-government-personnel-data-hack-idUSKCN0PJ2M420150709 [https://perma.cc/ZLM8-ER3J].
44. Brian Honan, European Central Bank Hacked, CSO (July 31, 2015, 8:22 AM), https://www.csoonline.com/article/2955278/data-breach/european-central-bank-hacked.html [https://perma.cc/2YVE-RPBP].
45. Alexandra Stevenson & Carlos Tejada, S.E.C. Says It Was a Victim of Computer Hacking Last Year, N.Y. TIMES (Sept. 20, 2017), https://www.nytimes.com/2017/09/20/business/sec-hacking-attack.html [https://perma.cc/NAJ3-4ZG9].
46. See, e.g., North Korea Likely Behind $81M Hack at the Federal Reserve, Report Says, FOX NEWS (Apr. 5, 2017), www.foxnews.com/tech/2017/04/05/north-korea-likely-behind-81m-hack-at-federal-reserve-report-says.html [https://perma.cc/V6EZ-RUH6].
47. Kristen Eichensehr, Three Questions on the WannaCry Attribution to North Korea, JUST SECURITY (Dec. 20, 2017), https://www.justsecurity.org/49889/questions-wannacry-attribution-north-korea [https://perma.cc/79D9-9NVD]; see also infra notes 57–58 and accompanying text.
48. Sanger & Perlroth, supra note 1.
49. Tom Hamburger, Rosalind S. Helderman & Ellen Nakashima, Democratic Party Sues Russia, Trump Campaign and WikiLeaks Alleging 2016 Campaign Conspiracy, WASH. POST (Apr. 20, 2018), https://www.washingtonpost.com/politics/democratic-party-files-lawsuit-alleging-russia-the-trump-campaign-and-wikileaks-conspired-to-disrupt-the-2016-campaign/2018/04/20/befe8364-4418-11e8-8569-26fda6b404c7_story.html?utm_term=.588f72a3d3ce [https://perma.cc/TN9M-ZGBJ].
50. More Than 2.5 Billion Records Stolen or Compromised in 2017, supra note 26.
51. Kaspersky Lab Survey: Cyberattacks Cost Large Businesses in North America an Average of $1.3M, KASPERSKY LAB (Sept. 19, 2017), https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-survey-cost-of-cyberattacks-for-large-businesses-in-north-america [https://perma.cc/LVP6-AHW5].
While security appears to be receiving a larger percentage of large companies’ overall Information Technology (IT) budget, the budget itself is getting smaller.54 The average IT budget for large businesses dropped from $25.5 million in 2016 to $13.7 million in 2017.55 This is troubling because, according to experts, “[t]hings are bad and they’re going to get worse.”56 This is not only because hackers are exploiting sophisticated government hacking tools,57 but also because companies and government agencies frequently fail to patch holes in their systems in a timely manner.58
52. PONEMON INST., 2017 COST OF DATA BREACH STUDY: GLOBAL OVERVIEW 11 (2017), https://info.resilientsystems.com/hubfs/IBM_Resilient_Branded_Content/White_Papers/2017_Global_CODB_Report_Final.pdf.
53. Id. at 1.
54. KASPERSKY LAB, supra note 51.
55. Id.
56. Selena Larson, Why Hacks Like Equifax Will Keep Happening, CNN (Sept. 29, 2017, 8:49 AM), money.cnn.com/2017/09/29/technology/business/equifax-hack-2017-cyberattacks/index.html?iid=EL [https://perma.cc/6JQY-FSYA].
57. In 2017, a group of hackers released a collection of spy tools allegedly used by the National Security Agency (NSA) that could be used to exploit vulnerabilities in Microsoft Windows computers and servers. See, e.g., Selena Larson, NSA’s Powerful Windows Hacking Tools Leaked Online, CNN (Apr. 15, 2017, 12:13 PM), money.cnn.com/2017/04/14/technology/windows-exploits-shadow-brokers/index.html?iid=EL [https://perma.cc/RK34-D3PZ]. The leaked NSA exploit exposed a vulnerability in the Microsoft Windows operating system that hackers used to create ransomware called “WannaCry,” which infected over 300,000 computers around the globe in May 2017. See Danny Palmer, Your Failure to Apply Critical Cybersecurity Updates Is Putting Your Company at Risk From the Next WannaCry or Petya, ZDNET (Aug. 21, 2017), https://www.zdnet.com/article/your-failure-to-apply-critical-cyber-security-updates-puts-your-company-at-risk-from-the-next [https://perma.cc/R4AR-W3TD].
58. A recent study conducted by the cybersecurity ratings company BitSight revealed that more than 50 percent of computers in over 2000 organizations run an outdated version of Microsoft Windows and more than 8500 companies have failed to update their web browsers on more than half of their machines. Joel Alcon, Latest BitSight Insights Explores A Growing Risk Frequently Ignored: Critical Updates, BITSIGHT (June 8, 2017), https://www.bitsighttech.com/blog/latest-bitsight-insights-explores-growing-risk-frequently-ignored-critical-updates [https://perma.cc/DR2Z-QF7N]. Although Microsoft released an emergency patch for their operating system in response to the WannaCry ransomware, many companies, including the multinational electronics company LG, failed to apply the security patches. LG Hit by WannaCry Ransomware After IT Staff Fail to Apply Security Patches, COMPUTING (Aug. 18, 2017), https://www.computing.co.uk/ctg/news/3015875/lg-hit-by-wannacry-ransomware-after-it-staff-fail-to-apply-security-patches [https://perma.cc/G349-9QEW].
More importantly, the future of cybersecurity breaches seems bleak if the status quo remains because of companies’ increasing reliance on third parties.59 Companies often outsource tasks to a third party such as transporting and distributing goods, processing orders and collecting payments, managing inventory, and managing stored data.60 These third parties market themselves as being able to leverage their global partnerships and established infrastructure in order to deliver flexible service options, allowing a business to focus on its own core competencies to drive down costs.61
A study conducted by Armstrong & Associates, a supply chain management consultancy, found that 90 percent of Fortune 500 companies operating within the United States have sought assistance from one or more third parties.62 The report also predicted a continued increase in third-party usage.63
So why is this consequential to cybersecurity breaches? The Ponemon Institute study found that 56 percent of businesses have had a third-party data breach—an increase from 2016—and 57 percent lack an inventory of all third parties with which they share sensitive information.64 Meanwhile, the average number of third parties with access to confidential or sensitive information increased from 2016.65 Moreover, less than half of the respondents said that managing outsourced relationship risks is a priority in their organization, and only 17 percent of respondents rated their companies’ effectiveness in mitigating third-party risk as “highly effective.”66 Importantly, data breaches involving third parties are the most expensive type of cybersecurity incidents.67
59. See DELOITTE, OVERCOMING THE THREATS AND UNCERTAINTY: THIRD-PARTY GOVERNANCE AND RISK MANAGEMENT 5 (2017), https://www2.deloitte.com/content/dam/Deloitte/ch/Documents/risk/ch-en-third-party-gov-risk-management-2017-interactive.pdf [https://perma.cc/UJZ7-AJLP] (finding that “strategic dependence on [third parties] continues to increase”).
60. Contract Logistics, INVESTOPEDIA, https://www.investopedia.com/terms/c/contract-logistics.asp [https://perma.cc/L2HN-EB8S].
61. See, e.g., The Evolution of 3PL and How It Can Solve Your Business’ Supply Chain Challenges, LEGACY SUPPLY CHAIN SERVS., https://legacyscs.com/evolution-of-3pl-supply-chain-challenges [https://perma.cc/R49H-LEK3].
62. Jeff Berman, Armstrong Report Points to Continued Increase in 3PL Usage by Shippers, LOGISTICS MGMT. (May 24, 2017), https://www.logisticsmgmt.com/article/armstrong_report_points_to_continued_increase_in_3pl_usage_by_shippers [https://perma.cc/WLD7-CF7R].
63. Id.
64. PONEMON INST., DATA RISK IN THE THIRD-PARTY ECOSYSTEM: SECOND ANNUAL STUDY 3 (2017).
65. Id.
66. Id. at 6.
A third-party attack occurs when someone “infiltrates [a] system through an outside partner or provider with access to . . . systems and data.”68 Because many companies have vast supplier and partner networks that are made up of many smaller partners, these third parties are easier targets for attackers.69 In fact, “[t]he larger the company, the more likely it will have at least one relationship with a [third party].”70 Thus, “most financial institutions have tens of thousands of supplier relationships.”71 The former superintendent of the New York State Department of Financial Services, Benjamin M. Lawsky, astutely noted that “[i]n many ways, a company’s cyber security is only as strong as the cyber security of its third-party vendors.”72
Smaller companies contracting with Fortune 500 or other large companies often do not have the same level of security measures as the larger company, even though they carry much of the larger company’s sensitive and confidential information.73 This is often the case because the larger company’s focus is “always on the [third party’s] service being rendered, and making sure the service is of the highest quality, performance, and uptime,”74 rather than on the third party’s security measures—indeed, a third party’s quick response, cheaper service costs, and high quality are sometimes achieved at the expense of security.75 Thus a hacker can attack the weakest link in the chain and gain access to a larger and more secured company’s data.76
67. KASPERSKY LAB, DAMAGE CONTROL: THE COST OF SECURITY BREACHES 5 (2015), https://media.kaspersky.com/pdf/it-risks-survey-report-cost-of-security-breaches.pdf [https://perma.cc/6J3W-MUZ3].
68. Maria Korolov, What is a Supply Chain Attack? Why You Should Be Wary of Third-Party Providers, CSO (Apr. 4, 2018, 8:15 AM), https://www.csoonline.com/article/3191947/data-breach/what-is-a-supply-chain-attack-why-you-should-be-wary-of-third-party-providers.html [https://perma.cc/C624-FG9Q].
69. See SECURITYSCORECARD, WHY THIRD PARTY SECURITY BREACHES ARE ON THE RISE 1 (2016) (“The insecure entry points of third party systems are being heavily targeted, especially when third parties are smaller organizations with limited security resources and are connected to larger organizations with employee data, customer records, and credit card information.”).
70. Berman, supra note 62.
71. SECURITYSCORECARD, supra note 69, at 1.
72. Michelle Drolet, The Challenges of Third-Party Risk Management, CSO (Nov. 17, 2015, 11:40 AM), https://www.csoonline.com/article/3005320/application-security/the-challenges-of-third-party-risk-management.html [https://perma.cc/YV3W-GWFC].
73. SECURITYSCORECARD, supra note 69, at 2 (“In over 60% of [third-party] breaches, attackers were able to infiltrate the target within minutes,” as smaller companies do not always have “sophisticated protocols in place to ensure that all data is secure in their own data—and partners’ data.”).
74. Id.
A third party was the attack vector77 in the 2013–2014 Target data breach.78 Fazio Mechanical Services, a heating, ventilation, and air conditioning (HVAC) subcontractor, worked at a number of Target locations and had external network access.79 It is common for large retail operations to give this type of access to their HVAC servicers because these “vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software.”80 Hackers stole Fazio’s network credentials and gained access to Target’s systems, uploading credit-card-stealing software to a number of cash registers within Target stores.81 This breach exposed forty million Target credit and debit card numbers as well as sixty million personal information records of customers.82
A third party was also the weakest link in the 2015 cyberattack on CVS Photo, in which hackers breached the servers of PNI Digital Media, a company that handled the credit card transactions for the photo-uploading site.83 Similarly, in 2014 Goodwill Industries was breached through C&K Systems Inc., their third-party payment vendor.84 Many other large organizations have had their servers breached because of poor third-party security: Philips (2012), Cogent Healthcare (2013), Lowe’s (2014), Dairy Queen and TacoTime (2014), Home Depot (2014), Department of Veterans Affairs (2014), Zoup (2015), AT&T Services, Inc. (2015), Harbortouch (2015), Clif Family Wineries (2015), Louisville Metro Government (2015), Detroit Zoo (2015), California State University (2015), Jimmy John’s (2015), Netflix (2015), Sonic Drive-In (2017), and Whole Foods (2017).85
75. Id.
76. See infra note 148 and accompanying text.
77. “An attack vector is a path or means by which a hacker . . . can gain access to a computer or network server. . . . ” Margaret Rouse, Attack Vector, SEARCHSECURITY, https://searchsecurity.techtarget.com/definition/attack-vector [https://perma.cc/2RLC-A7XN].
78. Brian Krebs, Target Hackers Broke in Via HVAC Company, KREBSONSECURITY (Feb. 5, 2014, 1:52 PM), https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company [https://perma.cc/9TJD-BJ99].
79. Id.
80. Id.
81. Id.
82. Robert Bond, Poor Third-Party Vendor Security Can Lead to Data Breach, HITACHI SYS. SECURITY (Oct. 31, 2017), https://www.hitachi-systems-security.com/blog/poor-third-party-vendor-security-can-lead-to-data-breach [https://perma.cc/2HD4-2VBH].
83. Brian Krebs, CVS Probes Card Breach at Online Photo Unit, KREBSONSECURITY (July 17, 2015, 10:15 AM), https://krebsonsecurity.com/2015/07/cvs-probes-card-breach-at-online-photo-unit [https://perma.cc/V3TN-LDAA].
84. Brian Krebs, Breach at Goodwill Vendor Lasted 18 Months, KREBSONSECURITY (Sept. 16, 2014, 3:21 PM), https://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months [https://perma.cc/6RT2-NJNM].
A company is responsible for ensuring that third-party contractors implement reasonable security measures.86 This is problematic because building trust between a company and a third party can be difficult,87 and third parties often evade FTC enforcement actions.88
Breaches of third-party service providers are not limited to the private sector. More recently, in 2018 the Secretary of the Navy released a “Cybersecurity Review” that directed, among other things, a “[r]eview [of] the appropriateness of the Navy’s organizational culture and that of its supporting contractors.”89 This Review came in light of an “increase[] in both the severity and sophistication” of “attempts to steal critical information” that resulted in “several significant compromises of classified information.”90 Additionally, hackers gained access to the personal information and credit card numbers of Department of Defense personnel through a system maintained by a third-party contractor.91
II. CYBERSECURITY ENFORCEMENT IN THE UNITED STATES
Despite the growing threat and cost of cybersecurity breaches, there is no consensus on how best to address the issue. Congress has yet to pass a comprehensive law, and has instead decided to target individual industries.92 A partnership between the private and public sectors may be one solution, but drawing proper lines of authority and responsibility between the two sectors can pose a challenge.93 Recommendations for international coordination to harmonize cybersecurity policies and practices have also been made.94 However, there is often tension within the government regarding who should be responsible for enforcing cybersecurity.95 Moreover, there are disagreements about whether cybersecurity should be regulated through policy, standards, guidelines, or a combination thereof.96 This gap in enforcement has been filled by the FTC, which has redefined the “unfair practices” in its purview to include inadequate cybersecurity.
85. See, e.g., PROSKAUER, PRIVACY AND DATA SECURITY, RECENT DATA SECURITY BREACHES INVOLVING THIRD-PARTY VENDORS (2017), https://www.privacyandsecurityforum.com/wp-content/uploads/2015/10/25092-Privacy-and-Data-Security-Breach.pdf [https://perma.cc/4UFQ-W4UW]; Bond, supra note 82.
86. See infra Part II.A.4.
87. See infra notes 144–146 and accompanying text.
88. See infra Part II.B.
89. Memorandum from Richard V. Spencer, Sec’y of the Navy on Cybersecurity Review (Oct. 12, 2018), https://www.wsj.com/public/resources/documents/NavyMemo10-12-2018.pdf?mod=article_inline [https://perma.cc/2HTU-3Z9K].
90. Id.
91. See Lee Mathews, Department of Defense Data Breach Exposes 30,000 Employees, FORBES (Oct. 14, 2018, 11:48 AM), https://www.forbes.com/sites/leemathews/2018/10/14/department-of-defense-data-breach-exposes-30000-employees/#715db06f1a6b [https://perma.cc/TC8W-J9VR].
92. See infra note 105 and accompanying text.
Since 2002, the FTC has extended its oversight of reasonable security measures over all companies operating in the United States by assuming the role of “cybersecurity police.” Section 5 of the FTC Act prohibits “unfair or deceptive business practices in or affecting commerce.”97 Even though the Act, which dates back to 1914, does not mention cybersecurity, the FTC has long maintained that Congress intended the word “unfair” to be interpreted broadly and flexibly “to allow the agency to protect consumers as technology changes.”98 The FTC has brought over sixty enforcement actions “against companies that have engaged in unfair or deceptive practices that failed to adequately protect consumers’ personal data.”99 From 2002 to 2012, all cybersecurity enforcement actions brought under the FTC resulted in negotiated settlements and no company tested the FTC’s authority to regulate cybersecurity.100 That changed when the FTC sued Wyndham Worldwide Corp. in 2012.
93. See, e.g., Kristen E. Eichensehr, Public-Private Cybersecurity, 95 TEX. L. REV. 467, 473 (2017) (“[T]he system is complicated and will require context-dependent solutions to novel relationships that will continue to evolve as both the government and the private sector attempt to improve cybersecurity.”).
94. See, e.g., COMM’N ON ENHANCING NAT’L CYBERSECURITY, REPORT ON SECURING AND GROWING THE DIGITAL ECONOMY (2016), https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf [https://perma.cc/977U-MEJS].
95. See, e.g., Eichensehr, supra note 15 (highlighting the tension between consumer protection and law enforcement/intelligence agencies).
96. See, e.g., FIN. SECTOR ADVISORY CTR., WORLD BANK GRP., FINANCIAL SECTOR’S CYBERSECURITY: A REGULATORY DIGEST (2017), pubdocs.worldbank.org/en/524901513362019919/FinSAC-CybersecDigestOct-2017-Dec2017.pdf [https://perma.cc/B3RA-HEF8].
97. Federal Trade Commission Act of 1914, 15 U.S.C. § 45(a) (2012).
98. William R. Denny, Cybersecurity as an Unfair Practice: FTC Enforcement Under Section 5 of the FTC Act, BUS. L. TODAY, June 2016, at 1.
99. FED. TRADE COMM’N, PRIVACY & DATA SECURITY UPDATE: 2017 4 (2017), https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2017-overview-commissions-enforcement-policy-initiatives-consumer/privacy_and_data_security_update_2017.pdf [https://perma.cc/X3V6-BGPD] [hereinafter FTC PRIVACY & DATA SECURITY UPDATE].
In 2012, the FTC sued Wyndham Worldwide Corp. for engaging in unfair cybersecurity practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft” after the company suffered three breaches between 2008 and 2009.101 Wyndham argued that the FTC did not have the authority to regulate cybersecurity under the Act and that there was no “fair notice of the specific cybersecurity standards the company was required to follow.”102 The Third Circuit rejected both of these arguments and held for the first time that the FTC had authority to regulate companies’ cybersecurity standards and that these companies are on notice.103 FTC Chairwoman Edith Ramirez welcomed the decision and stated that “[i]t is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”104
A. What is “Unreasonable”?
The FTC brings enforcement actions against companies whose security is “unreasonable.”105 This intentional legal ambiguity is appropriate for cybersecurity procedures because it gives regulators flexibility to update their interpretation as technology changes.106
100. See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 243–45 (3d Cir. 2015); Denny, supra note 98.
101. Wyndham Worldwide Corp., 799 F.3d at 240.
102. Id. at 249.
103. Id. at 255.
104. Statement from FTC Chairwoman Edith Ramirez on Appellate Ruling in the Wyndham Hotels and Resorts Matter, FED. TRADE COMM’N (Aug. 24, 2015), https://www.ftc.gov/news-events/press-releases/2015/08/statement-ftc-chairwoman-edith-ramirez-appellate-ruling-wyndham [https://perma.cc/5BCZ-4TZK].
105. See, e.g., FTC PRIVACY & DATA SECURITY UPDATE, supra note 99, at 4 (“Since 2002, the FTC has brought over 60 cases against companies that have engaged in unfair or deceptive practices that put consumers’ personal data at unreasonable risk.”). The main cybersecurity statutes also require a “reasonable” level of security. See Financial Services Modernization Act of 1999, Pub. L. No. 106–102, 113 Stat. 1338 (1999) (requires reasonable data security measures for nonbank financial institutions); Children’s Online Privacy Protection Act of 1998, Pub. L. No. 105–277, 112 Stat. 2681–728 (1998) (requires reasonable security measures for data about children collected online); Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104–191, 110 Stat. 1936 (1996) (requires reasonable safeguards for personal health information); Fair Credit Reporting Act, Pub. L. No. 91–508, 84 Stat. 1128 (1970) (requires credit reporting agencies to use reasonable procedures to ensure proper disclosure of consumer information).
In 2015 the FTC released a guidebook on cybersecurity best practices, titled “Start with Security: A Guide for Business,” to clarify some of the “lessons learned from FTC cases.”107 It is worth noting that the published FTC enforcement actions “are settlements—no findings have been made by a court—and the specifics of the orders apply just to those companies.”108 Along with the FTC guidelines, the National Institute of Standards and Technology (NIST) has also published guidelines to help companies understand what is and is not reasonable.109 According to the FTC, “NIST’s Cybersecurity Framework is consistent with the process-based approach that the FTC has followed.”110 These guidelines are important because they allow companies to gauge when the absence of a certain technology would be considered unreasonable and thus merit an enforcement action by the FTC.
Since the settlement with Microsoft in 2002, the FTC has made it clear that companies handling consumer information must implement a security program that contains “technical . . . safeguards appropriate to [the company’s] size and complexity, the nature and scope of [its] activities, and the sensitivity of the personal information collected from or about consumers.”111 The NIST Framework also recommends that a company look at the costs, benefits, and risks, and the company’s ability to fund and implement a certain procedure or technology.112 The FTC requires that data security procedures be “reasonably designed to protect the security, confidentiality, and integrity” of information.113 The following are some guidelines that would be relevant to the incorporation of blockchain technology into the FTC’s understanding of reasonableness. By applying these guidelines, the FTC can find that it is unreasonable for certain companies to not incorporate blockchain technology as part of their comprehensive cybersecurity plan.
106. See FTC PRIVACY & DATA SECURITY UPDATE, supra note 99, at 1 (“This broad authority allows the Commission to address a wide array of practices affecting consumers, including those that emerge with the development of new technologies . . . .”).
107. FED. TRADE COMM’N, START WITH SECURITY: A GUIDE FOR BUSINESS (2015), https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf [https://perma.cc/UC3F-Y2MW] [hereinafter START WITH SECURITY].
108. Id. at 1.
109. See NAT’L INST. OF STANDARDS & TECH., supra note 12.
110. Andrea Arias, The NIST Cybersecurity Framework and the FTC, FED. TRADE COMM’N (Aug. 31, 2016, 2:34 PM), https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc [https://perma.cc/4HRA-JP8C] (“In February 2013, President Obama issued Executive Order 13636, ‘Improving Critical Infrastructure Cybersecurity,’ which called on the Department of Commerce’s National Institute of Standards and Technology (NIST) to develop a voluntary risk-based Cybersecurity Framework for the nation’s critical infrastructure—that is, a set of industry standards and best practices to help organizations identify, assess, and manage cybersecurity risks.”). The NIST Framework is a compilation of guidelines and “does not introduce new standards or concepts.” Id.
111. Microsoft Corp., Docket No. C-4069 (Fed. Trade Comm’n Dec. 20, 2002) (decision and order).
112. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 14–15.
1. Failing to Adopt Readily Available Technology
A company should keep its security “current”114 and employ readily available technology,115 including “protective technologies” that “ensure the security and resilience of systems and assets.”116 Specifically, companies should “incorporat[e] advanced cybersecurity technologies” to ensure that they “actively adapt[] to a changing threat and technology landscape and respond[] in a timely and effective manner to evolving, sophisticated threats.”117 A software system that is generally accepted by the industry “can be considered reasonable even if it is imperfect.”118 Conversely, operating on outdated software that leaves systems especially vulnerable can be unreasonable.119 In the matter of HTC America Inc., the FTC alleged that the company failed to implement “readily available” measures to address vulnerabilities in its systems and thus “plac[ed] sensitive information at risk.”120 According to the FTC, HTC America could have “add[ed] a few lines of . . . code” to implement “secure communications mechanisms” to address these vulnerabilities.121
113. Microsoft Corp., supra note 111, at 2; EPN, Inc., Docket No. C-4370, at 2 (Fed. Trade Comm’n Oct. 3, 2012) (decision and order); Genelink, Inc., Docket No. 112 3095, at 7 (Fed. Trade Comm’n Aug. 2013) (decision and order).
114. START WITH SECURITY, supra note 107, at 12.
115. See HTC America, Inc., 155 F.T.C. 1617 (2013). The FTC takes it upon itself to stay current with the most recent technological developments, through studies and workshops, and has even been dubbed the “Federal Technology Commission.” See Neil Chilson, How the FTC Keeps Up on Technology, FTC (Jan. 4, 2018, 11:52 AM), https://www.ftc.gov/news-events/blogs/techftc/2018/01/how-ftc-keeps-technology [https://perma.cc/AN3L-UYZX].
116. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 36.
117. Id. at 10.
118. Paul N. Otto, Reasonableness Meets Requirements: Regulating Security and Privacy in Software, 59 DUKE L.J. 309, 340 (2009).
119. See Letter from Maneesha Mithal, Assoc. Dir., Div. of Privacy & Identity Prot., Fed. Trade Comm’n, to Dana Rosenfeld, Counsel for Verizon Commc’ns, Inc. (Nov. 12, 2014), https://www.ftc.gov/system/files/documents/closing_letters/verizon-communications-inc./141112verizonclosingletter.pdf [https://perma.cc/F7MX-XJMC]; TRENDnet, Inc., Docket No. C-4426 (Fed. Trade Comm’n Jan. 16, 2014).
120. HTC America Inc., 155 F.T.C. at *4.
A study of past enforcement actions found that the FTC is increasingly shifting its focus to companies’ handling of information and improvement of security procedures.122 Specifically, the FTC has increasingly brought enforcement actions against companies with “vulnerabilities that target specific technological failures with known solutions.”123 It is important for companies to follow this trend because as technology changes, so too does the meaning of “known solutions.” As a result, the reasonableness of a company’s cybersecurity technology constantly evolves.
2. Leaving Gaps in Encryption/Security in the Storage-Transmission Chain
In order to protect information, technology and procedures must be implemented to enable a company to “[s]tore sensitive personal information securely and protect it during transmission.”124 Procedures that increase the risk of breach from a compromise of an employee or third-party service provider’s credentials can be unreasonable.125 Additionally, transporting information in a manner that makes it susceptible to theft or misappropriation can be unreasonable.126
The FTC enforcement action against Superior Mortgage Corp. illustrates the principle that storing and transmitting sensitive information must be done securely, even when done by a third-party service provider. Superior Mortgage Corp. hired a third party to supply maintenance to the servers that stored sensitive personal information.127 The FTC alleged that the sensitive personal information on the servers was originally encrypted, but was decrypted by the third-party service provider before being sent to Superior Mortgage Corp.128
121. Id. at *6.
122. Travis D. Breaux & David L. Baumer, Legally “Reasonable” Security Requirements: A 10-Year FTC Retrospective, 30 COMPUTERS & SECURITY 178 (2011).
123. Id. at 191.
124. START WITH SECURITY, supra note 107, at 6.
125. See Twitter, Inc., 151 F.T.C. 162, 170 (2011); see also START WITH SECURITY, supra note 107, at 8 (stating that a network is only as secure as the weakest link that is connected to it).
126. See CBR Systems, Inc., 155 F.T.C. 841 (2013); Accretive Health, Inc., Docket No. C-4432, at 3 (Fed. Trade Comm’n Feb. 5, 2014) (decision and order).
127. Complaint at 929, Superior Mortgage Corp., 140 F.T.C. 926 (2005) (No. C-4153), 2005 WL 6241024.
128. Id.
The FTC made it clear that this risk could have been prevented by ensuring that the data was secure throughout its lifecycle.129 Security procedures and technology must protect the confidentiality, integrity, and availability of data while it is in storage and in transit.130
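As an added illustration (not material from the article, and not any vendor's code), the following Python contrasts the pattern the Superior Mortgage complaint describes, a service provider that decrypts stored records before returning them, with one in which the record stays sealed from storage through transit so the provider never holds keys or plaintext. The cipher is a small encrypt-then-MAC construction over the standard library's SHA-256 and HMAC, chosen only so the example runs offline; it is an assumption of the example, not a recommendation, and production systems should use a vetted AEAD such as AES-GCM. The provider class, the record, and the keys are constructed for the example.

```python
"""Added example: keeping a sensitive record encrypted across storage AND
transmission so a third-party maintenance provider never handles plaintext,
beside the weaker decrypt-before-sending pattern. Toy cipher, illustrative
only; use a vetted AEAD (e.g. AES-GCM) in real systems."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master: bytes):
    """Separate encryption and MAC keys from one owner-held master secret."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def seal(keys, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC(nonce || ciphertext)."""
    enc_key, mac_key = keys
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(keys, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything altered in storage or transit."""
    enc_key, mac_key = keys
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class MaintenanceProvider:
    """Hypothetical third party that stores records and returns them on request.
    `wire` records every byte string it sends back to the data owner."""

    def __init__(self):
        self.storage = {}
        self.wire = []

    def store(self, record_id: str, blob: bytes):
        self.storage[record_id] = blob

    def return_decrypted(self, record_id: str, keys) -> bytes:
        # Weak pattern: the provider holds the keys and decrypts before sending,
        # so plaintext sits on the provider's host and crosses the network.
        pt = unseal(keys, self.storage[record_id])
        self.wire.append(pt)
        return pt

    def return_sealed(self, record_id: str) -> bytes:
        # Hardened pattern: the provider never has keys and forwards ciphertext only.
        blob = self.storage[record_id]
        self.wire.append(blob)
        return blob


def demo():
    """Run both flows over a constructed record and report what crossed the wire."""
    record = b"ssn=123-45-6789;loan=2005-0042"   # constructed sample record
    keys = derive_keys(os.urandom(32))            # master secret stays with the owner
    provider = MaintenanceProvider()
    provider.store("r1", seal(keys, record))

    provider.return_decrypted("r1", keys)         # weak flow
    hardened = unseal(keys, provider.return_sealed("r1"))

    # A single flipped ciphertext byte while the blob sat with the provider.
    tampered = bytearray(provider.storage["r1"])
    tampered[NONCE_LEN] ^= 0x01
    try:
        unseal(keys, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "weak_plaintext_on_wire": record in provider.wire,
        "hardened_plaintext_on_wire": record in provider.wire[-1],
        "hardened_roundtrip_ok": hardened == record,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The point the case turns on is where the key lives: in the weak flow the provider can be handed the keys, so a compromise of the provider, or a capture of its outbound traffic, yields plaintext; in the hardened flow the provider's host and the wire carry only the sealed blob, and any modification is rejected on receipt.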
3. Responding and Recovering Too Slowly From Breaches
According to the FTC, not adequately responding to and recovering from an incident can be unreasonable.131 Companies should implement procedures and technologies that allow them to successfully respond to attempted and successful cyber attacks.132 This includes containing and mitigating these incidents.133 Moreover, procedures and technologies should allow a company to maintain resilience and restore the capabilities or services that were impaired due to an incident.134 Companies must be able to “move quickly to fix” the problem and ensure timely recovery to normal operations.135
4. Inadequately Policing the Security of Third-Party Service Providers
A company is responsible for ensuring that its third-party service providers implement reasonable security measures,136 and failure to do so can be unreasonable.137 This includes not only “determining” the adequate cybersecurity requirements of third-party service providers, but also “verifying” that the requirements are met.138 Allowing a third party to operate on outdated software poses a security risk and thus can be unreasonable.139 Failing to adequately reduce the risk posed by a third party can also be unreasonable.140 In the case of Dave & Buster’s, the FTC alleged that hackers exploited the security weaknesses in the third-party credit card processing company’s system and intercepted personal information.141 Dave & Buster’s actions were unreasonable because they could have reduced the risk and breadth of data compromise by better monitoring of the third party.142
129. Id. at 2–3.
130. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 30–32.
131. See First Amended Complaint for Injunctive and Other Equitable Relief at 11–12, FTC v. Wyndham Worldwide Corp., No. CV-12-1365-PHX-PGR, 2013 WL 1222491 (D. Ariz. March 25, 2013), 2012 WL 3281910; ASUSTek Computer, Inc., Docket No. C-4587, at 7 (Fed. Trade Comm’n July 18, 2016); Oracle Corp., Docket No. C-4571, at 3–4 (Fed. Trade Comm’n Mar. 28, 2016).
132. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 8.
133. Id.
134. Id.
135. START WITH SECURITY, supra note 107, at 12; see also NAT’L INST. OF STANDARDS & TECH., supra note 12, at 8.
136. See, e.g., Standards for Safeguarding Customer Information, 16 C.F.R. § 314 (2018) (companies are required to ensure that third parties safeguard customer information in their care); START WITH SECURITY, supra note 107, at 11 (the FTC recommends that companies ensure that “service providers implement reasonable security measures”); see also NIELES ET AL., supra note 16, at 69 (recommending that organizations “ensure that third-party providers employ adequate security measures”); NAT’L INST. OF STANDARDS & TECH., supra note 12, at 16 (organizations should determine the cybersecurity requirements for suppliers and enact those requirements through formal agreements); JUDITH H. GERMANO, CTR. FOR CYBERSECURITY, THIRD-PARTY CYBER RISK & CORPORATE RESPONSIBILITY 4 (2017), https://www.lawandsecurity.org/wp-content/uploads/2017/02/Germano.NYU_.ThirdPartyRiskWhitepaper.Feb2017.pdf [https://perma.cc/554Y-LQ6Z] (companies must conduct their own due diligence to determine “whether a third party’s security practices pose an unacceptable risk to an organization”).
B. Cybersecurity of Third Parties and Inconsistent Enforcement
The current structure of enforcing reasonable security measures of third parties is problematic because the company outsourcing the service is expected to ensure that the third party has adequate security (i.e., the third party is “trusted”).143 Building trust can be challenging because getting a third party to focus on security and finding the right people who can provide that security can be difficult, time consuming, and expensive.144 Moreover, “the problem is made more challenging due to a lack of standard security practices for evaluating particular scenarios.”145 The oversight programs that are currently in place have been found to be “insufficient to manage third-party risks.”146
This is an important issue because companies are increasingly relying on “trusted” third parties,147 yet the FTC brings enforcement actions against the company contracting out services (the larger company), instead of the party that was initially breached (the third party). For example, in the matters of CardSystems Solutions, Dave & Buster’s, GMR Transcription Services, and Ashley Madison, the FTC brought enforcement actions against the named parties instead of the third parties that had their networks breached due to inadequacies in their own security measures.148 In essence, a third party that handles the same confidential and sensitive information as the larger contracting company escapes FTC enforcement and thus is not required to have reasonable security measures. The FTC’s enforcement of reasonable security measures against the big fish does not deter third parties from having unreasonable security measures. This leaves the regulation of third-party security solely in the hands of a contracting company. Under this framework, third parties will continue to pose security risks and will remain the weakest link, unless the contracting companies know how to assess their cybersecurity.
137. See Complaint for Permanent Injunction and Other Equitable Relief, FTC v. Ruby Corp., No. 1:16-cv-02438 (D.D.C. Dec. 14, 2016) [hereinafter Ashley Madison Complaint]; GMR Transcription Servs., Inc., Docket No. C-4482 (Fed. Trade Comm’n Aug. 14, 2014) [hereinafter GMR Transcription Complaint].
138. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 16.
139. See TJX Companies, Inc., Docket No. C-4227, at 2–3 (Fed. Trade Comm’n July 29, 2008) (complaint).
140. START WITH SECURITY, supra note 107, at 9; see also CardSystems Solutions, Inc., Docket No. C-4168, at 2 (Fed. Trade Comm’n Sept. 5, 2006) [hereinafter CardSystems Solutions Complaint]; Dave & Buster’s, Inc., 149 F.T.C. 1450 (2010) [hereinafter Dave & Buster’s Complaint].
141. Dave & Buster’s Complaint, supra note 140, at 1452.
142. START WITH SECURITY, supra note 107, at 8.
143. See supra note 136 and accompanying text.
144. GERMANO, supra note 136, at 4.
145. Id.
146. PONEMON INST., supra note 64, at 3.
147. See supra notes 59–63 and accompanying text.
III. WHAT IS BLOCKCHAIN?
A. Blockchain Technology
As a relatively new technology that employs a sophisticated system of cryptographic mathematics, blockchain has been defined in many different ways, and there is not much consensus on the proper definition.149 Some commentators refer to blockchain by analogy and describe it as a massive, immutable, and distributed Google Spreadsheet.150 Others describe it in simple terms as a system that allows you to “validate, with absolute certainty, a source and destination for any transaction”151 and “manufacture trust through clever code.”152
Perhaps the best definition describes blockchain by its central elements: an electronic transaction ledger that is decentralized, immutable, consensus-driven, and secured by cryptographic verification.153 But just as important as its specific elements is blockchain’s goal—and chief technological breakthrough—which is to establish trust between two parties without the use of a trusted third party.
148. See CardSystems Solutions Complaint, supra note 140; Dave & Buster’s Complaint, supra note 140; GMR Transcription Complaint, supra note 137; Ashley Madison Complaint, supra note 137.
149. SHAWN S. AMUIAL, JOSIAS N. DEWEY & JEFFREY R. SEUL, THE BLOCKCHAIN: A GUIDE FOR LEGAL AND BUSINESS PROFESSIONALS 2 (2016) [hereinafter LEGAL AND BUSINESS BLOCKCHAIN GUIDE] (“Blockchain may be one of the least understood of the technologies currently thought to be driving a Fourth Industrial Revolution.”) (footnote omitted).
150. See Jonathan Shieber, Colu Aims to Bring Blockchain Technology Everywhere, TECHCRUNCH (Jan. 27, 2015), https://techcrunch.com/2015/01/27/colu-aims-to-bring-blockchain-technology-everywhere [https://perma.cc/T97F-YLUH] (quoting Amos Meiri, the chief executive and cofounder of Colu, a Tel Aviv-based startup company).
151. How to Web, John McAfee: About Blockchain, Bitcoins and Cyber Security, YOUTUBE (Feb. 23, 2017), https://www.youtube.com/watch?v=G5S0bK8mqAM.
152. TAPSCOTT & TAPSCOTT, supra note 11, at 5.
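As an added example (not the article's own material, and not a description of any particular blockchain implementation), the following Python builds the smallest structure that has the properties just listed: a ledger in which every block commits to the SHA-256 hash of the block before it, held as two in-memory copies standing in for two nodes. It shows concretely why a stored record cannot be quietly altered: editing one block breaks that block's hash, recomputing the hash breaks the next block's link, and re-linking the whole tail yields a copy that is self-consistent but whose head no longer matches the other node's. Consensus and networking are omitted; the records, names, and timestamps are constructed.

```python
"""Added example: a minimal hash-chained ledger replicated on two nodes,
showing what 'secured by cryptographic verification' and 'immutable' mean
in practice. No consensus protocol or network; records are constructed."""
import copy
import hashlib
import json
import time

GENESIS_PREV = "0" * 64


def block_hash(index, prev_hash, timestamp, record):
    """Canonical SHA-256 over the block's fields (sorted keys, no whitespace)
    so every node derives the same digest for the same content."""
    body = json.dumps(
        {"index": index, "prev": prev_hash, "ts": timestamp, "record": record},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(body.encode()).hexdigest()


class Ledger:
    def __init__(self):
        self.blocks = []

    def append(self, record, timestamp=None):
        """Append a record as a new block linked to the current head."""
        index = len(self.blocks)
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS_PREV
        ts = time.time() if timestamp is None else timestamp
        h = block_hash(index, prev, ts, record)
        self.blocks.append({"index": index, "prev": prev, "ts": ts,
                            "record": record, "hash": h})
        return h

    def head(self):
        return self.blocks[-1]["hash"] if self.blocks else GENESIS_PREV

    def verify(self):
        """Re-derive every hash and link. Returns -1 if the chain is intact,
        otherwise the index of the first block that fails."""
        for i, blk in enumerate(self.blocks):
            expected_prev = self.blocks[i - 1]["hash"] if i else GENESIS_PREV
            if blk["prev"] != expected_prev:
                return i
            if block_hash(blk["index"], blk["prev"], blk["ts"], blk["record"]) != blk["hash"]:
                return i
        return -1


def demo():
    """Build a three-block ledger, replicate it, tamper with one copy, and
    report what per-node verification and head comparison reveal."""
    node_a = Ledger()
    node_a.append({"from": "retailer", "to": "hvac-vendor", "grant": "remote-maintenance"}, timestamp=1)
    node_a.append({"from": "retailer", "to": "payment-processor", "grant": "cardholder-data"}, timestamp=2)
    node_a.append({"from": "retailer", "to": "hvac-vendor", "grant": "revoked"}, timestamp=3)
    node_b = copy.deepcopy(node_a)   # second node holding the same chain

    result = {"intact": node_a.verify(), "heads_match": node_a.head() == node_b.head()}

    # Someone with write access to node_b's storage edits block 1's record.
    node_b.blocks[1]["record"]["grant"] = "everything"
    result["after_edit"] = node_b.verify()        # block 1 no longer matches its hash

    # Recomputing block 1's hash only moves the break: block 2 still names the old hash.
    b1 = node_b.blocks[1]
    b1["hash"] = block_hash(b1["index"], b1["prev"], b1["ts"], b1["record"])
    result["after_rehash"] = node_b.verify()

    # Re-linking every later block makes node_b self-consistent again ...
    for i in range(2, len(node_b.blocks)):
        blk = node_b.blocks[i]
        blk["prev"] = node_b.blocks[i - 1]["hash"]
        blk["hash"] = block_hash(blk["index"], blk["prev"], blk["ts"], blk["record"])
    result["after_relink"] = node_b.verify()
    # ... but its head now disagrees with the untouched replica.
    result["heads_match_after"] = node_a.head() == node_b.head()
    return result


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result dictionary. The last two entries are the security-relevant ones: a single node can always rewrite its own history into something that passes its own verification, which is why the property depends on the ledger being replicated and the nodes comparing heads, and why a real system adds a consensus rule for deciding which head is authoritative.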
Most simply, blockchain is a ledger.154 A ledger is a database that can store all sorts of information,155 for example, a complete record of all transactions over the life of a company.156 The ledger maintained by a blockchain tracks the transfer of information from the transferor to the transferee.157 However, unlike a traditional ledger, “a blockchain ledger is considered decentralized because transactions are stored on (several thousand) computers connected to a common network via the Internet.”158 The computers, called nodes, are the recordkeepers who update the ledger. This peer-to-peer platform ensures that “only information upon which the network reaches consensus will be included in the blockchain.”159
For example, suppose a particular blockchain is tasked with recording a series of transactions. One node initiates the first transaction, A, and all of the nodes process it and reach a consensus—“A.” Another node initiates the second transaction, B, and all of the nodes process it and reach a further consensus—“A+B.” Each node is now storing this same chain of transactions, and the process is infinitely repeatable.
Under the Bitcoin network, for example, a node that successfully validates a transaction and inputs the transaction into the blockchain is rewarded with a certain amount of Bitcoin.160 But it is worth noting that “coins” such as Bitcoin are not necessary. While some kind of reward system is needed to incentivize nodes to correctly validate each transaction, the transaction fees that reward validations can be issued in any medium.
The genius of blockchain technology is its unique combination of two breakthroughs in computer science, both of which won Turing Awards.161 “Asymmetric cryptography” allows nodes to validate transactions through complex cryptographic functions,162 and “distributed systems” create a network where transactions can be considered valid only if the network reaches a consensus on the answer to the complex cryptographic function.163
153. VIMI GREWAL-CARR & STEPHEN MARSHALL, DELOITTE, BLOCKCHAIN: ENIGMA. PARADOX. OPPORTUNITY 2–4 (2016), https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/Innovation/deloitte-uk-blockchain-full-report.pdf [https://perma.cc/KF6A-PU4Y] [hereinafter BLOCKCHAIN: ENIGMA. PARADOX. OPPORTUNITY]; Alistair Dabbs, What Is a Blockchain, and Why Is It Growing in Popularity?, ARS TECHNICA (Nov. 6, 2016, 6:00 AM), https://arstechnica.com/information-technology/2016/11/what-is-blockchain [https://perma.cc/SL8L-UT6S]; Arthur Iinuma, What Is Blockchain And What Can Businesses Benefit From It?, FORBES (Apr. 5, 2018, 7:00 AM), https://www.forbes.com/sites/forbesagencycouncil/2018/04/05/what-is-blockchain-and-what-can-businesses-benefit-from-it/#7a357f8d675f [https://perma.cc/R9AY-PMV9]; Alan Morrison, Blockchain and Smart Contract Automation: An Introduction and Forecast, PWC (Mar. 20, 2016), usblogs.pwc.com/emerging-technology/blockchain-and-smart-contract-automation-an-introduction-and-forecast [https://perma.cc/5QA8-NFLF].
154. See LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 3 (“The individual components that make up the blockchain will be easier to understand if we reinforce the basic premise that a blockchain is a ledger.”) (footnote omitted).
155. Id.
156. See, e.g., General Ledger, INVESTOPEDIA, https://www.investopedia.com/terms/g/generalledger.asp [https://perma.cc/DQH5-PJ3U]; Ledger, BUSINESSDICTIONARY, http://www.businessdictionary.com/definition/ledger.html [https://perma.cc/UF2M-QMVX]; see also Debits and Credits, ACCOUNTINGTOOLS (Jan. 31, 2018), https://www.accountingtools.com/articles/2017/5/17/debits-and-credits [https://perma.cc/U8SJ-TB29] (“A debit is an accounting entry that either increases an asset or expense account, or decreases a liability or equity account. It is positioned to the left in an accounting entry. A credit is an accounting entry that either increases a liability or equity account, or decreases an asset or expense account. It is positioned to the right in an accounting entry.”).
157. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 3.
158. Id. “In other words, there is no single server to which all the [computers] attach.” Id. at 4. These computers are known as “nodes.” See, e.g., Tim Fisher, What Is a Node in a Computer Network, LIFEWIRE (July 28, 2018), https://www.lifewire.com/what-is-a-node-4155598 [https://perma.cc/DAQ6-ZPW6] (“A node is any physical device within a network of other devices that’s able to send, receive, and/or forward information.”). “Each node contains a complete history of every transaction completed on a particular blockchain beginning with the first transactions that were processed into the first block on that blockchain.” LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 3 (footnote omitted). The first block of transactions on a blockchain is called the “genesis block” because it “represents the beginning of time for that blockchain.” Id.
159. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 4 (footnote omitted); see also id. at 4 n.5 (“Consensus occurs when the nodes operating on the network (usually at least a majority of the nodes) agree that the proposed transaction is indeed ‘valid.’”).
160. See SATOSHI NAKAMOTO, BITCOIN: A PEER-TO-PEER ELECTRONIC CASH SYSTEM 4 (2009), https://bitcoin.org/bitcoin.pdf [https://perma.cc/LF5X-LMYD].
161. The Turing Award is often considered the equivalent of the Nobel Prize in computer science. Bob Brown, ‘Nobel Prize in Computing’ Goes to Distributed Computing Wrangler Leslie Lamport, NETWORKWORLD (Mar. 18, 2014, 11:37 AM), https://www.networkworld.com/article/2175277/data-center/-nobel-prize-in-computing-goes-to-distributed-computing-wrangler-leslie-lamport.html [https://perma.cc/YW5X-F8Y6] (Turing Award for distributed systems); Tia Ghose, Cryptography Pioneers Snag the ‘Nobel Prize of Computer Science’, LIVE SCI. (Mar. 2, 2016, 1:17 PM), https://www.livescience.com/53911-cryptography-pioneers-earn-turing-award.html [https://perma.cc/NXN6-5S73] (Turing Award for asymmetric cryptography).
162. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149.
163. Id.
In order to validate a transaction,164 a node must trace the history of all of the transactions on a particular blockchain. It does so by looking at the most recent block.165 Blocks are groups of transactions that have been validated and stored on the blockchain around the same time.166 Blocks are linked together in a chronologically ordered chain, giving rise to the name blockchain. Each block contains a unique reference point that represents the contents of the block (i.e., the transactions or information in the block).167 The nodes must use the unique reference point of the previous block in order to solve the complex cryptographic function presented by the transaction at hand.168
However, before a transaction can be added to the blockchain, the other nodes must come to a consensus on the correct answer to the complex cryptographic function by also using the previous block’s reference point.169 Because all of the nodes’ ledgers are in sync, and thus all nodes are aware of the valid reference points,170 if one malicious node tries to alter a previous block, the other nodes would recognize that the malicious node’s attempted alteration did not use the valid reference point and the network would reject that transaction. “[T]he information in a particular block cannot be altered without changing all subsequent blocks in the chain and creating a discrepancy that other record-keepers in the network would immediately notice.”171 Requiring the use of a common reference point and decentralized consensus ensures immutability and “eliminates the dangers that come with data being kept in a central location.”172
To simplify, say each block is labeled with a letter. If someone tried to alter block D (a combination of blocks A + B + C) by attempting to change block A into “A + 1”, block D would still be read as A + B + C by all of the other nodes in the network. The malicious actor’s attempts to create block D as A + 1 + B + C would not be verified by the other nodes on the network. The resulting disagreement between the nodes regarding the order of transactions would prevent consensus in the network and that invalid transaction would not be added to the blockchain. Thus it would prevent the type of fraud described above.
164. “Transactions” and “information” can be used interchangeably, as the blockchain allows the storage of all types of data.
165. See Michele D’Aliessi, How Does the Blockchain Work?, MEDIUM (June 1, 2016), https://medium.com/@micheledaliessi/how-does-the-blockchain-work-98c8cd01d2ae [https://perma.cc/GZ6Y-BYGQ].
166. See LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 5 n.8.
167. Id. at 6.
168. See NIST Report on Blockchain Technology Aims to Go Beyond the Hype, NIST (Jan. 24, 2018), https://www.nist.gov/news-events/news/2018/01/nist-report-blockchain-technology-aims-go-beyond-hype [https://perma.cc/DXY7-END4] [hereinafter NIST Report on Blockchain Technology].
169. See D’Aliessi, supra note 165.
170. See Praveen Jayachandran, The Difference Between Public and Private Blockchain, IBM (May 31, 2017), https://www.ibm.com/blogs/blockchain/2017/05/the-difference-between-public-and-private-blockchain [https://perma.cc/RS9H-6QR2].
171. NIST Report on Blockchain Technology, supra note 168.
172. Id.
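The validation and consensus mechanics described in this Part (a node checking each transaction with asymmetric cryptography, the previous block’s reference point being required to build the next block, and the network rejecting a block that was built on an altered history) are worked through below in Go. This is an added example, not code from the article or from any of the sources it cites: ed25519 signatures stand in for the “complex cryptographic function,” a SHA-256 hash over each block stands in for its “unique reference point,” and a simple majority vote among three replicas stands in for consensus (there is no proof-of-work or reward). The parties alice, bob and mallory and the transaction contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Tx is one ledger entry, signed by the transferor so any node can validate it.
type Tx struct {
	From     ed25519.PublicKey
	To, Data string
	Sig      []byte
}

func (t Tx) payload() []byte {
	return []byte(hex.EncodeToString(t.From) + "|" + t.To + "|" + t.Data)
}

// SignTx builds a transaction and signs it with the sender's private key.
func SignTx(priv ed25519.PrivateKey, to, data string) Tx {
	t := Tx{From: priv.Public().(ed25519.PublicKey), To: to, Data: data}
	t.Sig = ed25519.Sign(priv, t.payload())
	return t
}

// Block groups transactions; PrevHash is the "reference point" of the block before it.
type Block struct {
	PrevHash string
	Txs      []Tx
}

// Hash covers PrevHash and every transaction, so altering this block or any
// earlier one changes the value that every later block references.
func (b Block) Hash() string {
	h := sha256.New()
	h.Write([]byte(b.PrevHash))
	for _, t := range b.Txs {
		h.Write(t.payload())
		h.Write(t.Sig)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// ValidateChain is the check every node runs over a replica: each block must
// reference the previous block's hash and every signature must verify.
func ValidateChain(chain []Block) error {
	for i, b := range chain {
		if i > 0 && b.PrevHash != chain[i-1].Hash() {
			return fmt.Errorf("block %d: previous-hash mismatch", i)
		}
		for j, t := range b.Txs {
			if !ed25519.Verify(t.From, t.payload(), t.Sig) {
				return fmt.Errorf("block %d tx %d: bad signature", i, j)
			}
		}
	}
	return nil
}

// Consensus admits a proposed block only if it validly extends a majority of
// the nodes' replicas; only then do the replicas append it.
func Consensus(replicas [][]Block, b Block) bool {
	votes := 0
	for _, chain := range replicas {
		if ValidateChain(append(append([]Block(nil), chain...), b)) == nil {
			votes++
		}
	}
	if votes <= len(replicas)/2 {
		return false
	}
	for i := range replicas {
		replicas[i] = append(replicas[i], b)
	}
	return true
}

// TamperDemo replays the article's A/B/C/D scenario on constructed data: three
// honest nodes agree on A, B, C; Mallory rewrites A as "A + 1" in her own
// replica, rebuilds B and C on top of it, and proposes D. It returns whether
// her rewritten chain is self-consistent, whether her D was admitted, and
// whether the honest D was.
func TamperDemo() (rewrittenSelfConsistent, tamperedAdmitted, honestAdmitted bool) {
	_, alice, _ := ed25519.GenerateKey(rand.Reader)
	_, mallory, _ := ed25519.GenerateKey(rand.Reader)
	genesis := Block{}
	replicas := [][]Block{{genesis}, {genesis}, {genesis}}
	blockA := Block{PrevHash: genesis.Hash(), Txs: []Tx{SignTx(alice, "bob", "A")}}
	blockB := Block{PrevHash: blockA.Hash(), Txs: []Tx{SignTx(alice, "bob", "B")}}
	blockC := Block{PrevHash: blockB.Hash(), Txs: []Tx{SignTx(alice, "bob", "C")}}
	for _, b := range []Block{blockA, blockB, blockC} {
		Consensus(replicas, b)
	}
	altA := Block{PrevHash: genesis.Hash(), Txs: []Tx{SignTx(mallory, "mallory", "A + 1")}}
	altB := Block{PrevHash: altA.Hash(), Txs: blockB.Txs}
	altC := Block{PrevHash: altB.Hash(), Txs: blockC.Txs}
	rewrittenSelfConsistent = ValidateChain([]Block{genesis, altA, altB, altC}) == nil
	tamperedAdmitted = Consensus(replicas, Block{PrevHash: altC.Hash(), Txs: []Tx{SignTx(alice, "bob", "D")}})
	honestAdmitted = Consensus(replicas, Block{PrevHash: blockC.Hash(), Txs: []Tx{SignTx(alice, "bob", "D")}})
	return
}

func main() { fmt.Println(TamperDemo()) } // true false true
```

The three printed values make the article’s point concrete: Mallory’s rewritten replica is internally valid (her signature on “A + 1” verifies and she rebuilt every later block, as the quoted NIST passage says she must), yet the block D she builds on it is rejected by every honest replica because its reference point does not match their block C, while the D built on the agreed chain is admitted.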
B. Public, Consortium, and Private Blockchains
Like many other databases, blockchains can be public, private, or some combination thereof. All of these versions have important similarities: they are all decentralized peer-to-peer networks where each participant maintains a replica of the ledger; they all operate under the consensus model of verifying transactions that are added to the blockchain; they all provide certain guarantees of immutability of the ledger even when some participants act maliciously; and the decentralized nature of all of these versions ensures that none of them has a single point of failure.173
The most well-known blockchain network, Bitcoin, is public (also known as “permission-less” or “fully decentralized”) because anyone can operate a node on this network if they have the appropriate software.174 Under public blockchains, “the number of participants on the network is unlimited, and no one needs to get permission from another user in order to take part.”175 Public blockchains provide a “robust network that ensures efficacy in the system”176 because open access ensures distribution of nodes and prevents any one single entity or power from possessing majority control over the network.177 However, public blockchains require substantial amounts of computational power to maintain the distributed ledger because a larger number of nodes must verify a transaction before it is added to the blockchain.178
173. See Jayachandran, supra note 170.
174. See, e.g., NAKAMOTO, supra note 160.
175. Peter Van Valkenburgh, What Does “Permissionless” Mean?, COIN CTR. (Jan. 31, 2017), https://coincenter.org/entry/what-does-permissionless-mean [https://perma.cc/39R7-KN2E].
176. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 20.
177. Ian Worrall, Private vs. Public Blockchains, INST. FOR ETHICS & EMERGING TECHS. (Dec. 29, 2015), https://ieet.org/index.php/IEET2/more/worrall20151228 [https://perma.cc/A33D-9F8Q].
178. See Public, Private and Consortium Blockchains, DRAGLET, https://www.draglet.com/blockchain-services/private-or-public-blockchain [hereinafter DRAGLET].
Private (or “permissioned”) blockchains require “an invitation and must be validated by either the network starter or by a set of rules put in place by the network starter.”179 Accordingly, “[t]his places restrictions on who is allowed to participate in the network, and only in certain transactions.”180 An example of this would be where nodes of a blockchain are kept centralized within one organization and only company members have access. A private blockchain is more efficient181 and cheaper182 because transactions need to be verified by fewer participants. A company running a private blockchain can also easily, if desired, revert transactions.183 Moreover, they can provide a greater level of privacy because access can be restricted.184 For example, IBM has created a private blockchain called the “IBM Blockchain Platform” that allows businesses to create their own applications that will be run on IBM’s blockchain.185 JP Morgan also recently created its own private blockchain that it plans to use to instantly settle payments between clients.186
There is also a third category known as a consortium or “partially decentralized” blockchain. These are part public, part private. Under this model, the consensus process is controlled by a preselected set of nodes.187 Consortium blockchains “do not allow any person with an internet connection to participate nor do they grant full control to a single entity.”188 They provide the same benefits as private blockchains—functional, cost efficient, and private, for example—without consolidating power in one company.189 For example, JP Morgan has created a consortium blockchain called “Quorum” that aims to service the needs of a permissioned group of financial institutions.190 Separately, Ford, Renault, General Motors, BMW, and IBM recently announced that they founded the Mobility Open Blockchain Initiative consortium with the aim of “foster[ing] an ecosystem where businesses and consumers have security and sovereignty over their driving data, manage ride-share and car-share transactions, and store vehicle identity and usage information.”191
179. Jayachandran, supra note 170.
180. Id.
181. DRAGLET, supra note 178.
182. Vitalik Buterin, On Public and Private Blockchains, ETHEREUM BLOG (Aug. 6, 2015), https://blog.ethereum.org/2015/08/07/on-public-and-private-blockchains [https://perma.cc/KP9H-U8MP].
183. Id.
184. Id.
185. IBM Blockchain, IBM, https://www-03.ibm.com/press/us/en/presskit/50610.wss [https://perma.cc/YJT8-2WFL].
186. See Hugh Son, JP Morgan is Rolling Out the First US Bank-Backed Cryptocurrency to Transform Payments Business, CNBC (Feb. 14, 2019, 7:13 PM), https://www.cnbc.com/2019/02/13/jp-morgan-is-rolling-out-the-first-us-bank-backed-cryptocurrency-to-transform-payments--.html [https://perma.cc/G4Z9-8YLV].
187. Buterin, supra note 182.
188. What Are Consortium Blockchains?, INFINITY BLOCKCHAIN LABS (Jan. 16, 2018), https://www.blockchainlabs.asia/news/what-are-consortium-blockchains [https://perma.cc/Z6GP-LLZ5].
189. Collin Thompson, The Difference Between a Private, Public & Consortium Blockchain, BLOCKCHAIN DAILY NEWS (Oct. 26, 2016), https://www.blockchaindailynews.com/The-difference-between-a-Private-Public-Consortium-Blockchain_a24681.html [https://perma.cc/VN6N-WC62].
C. Applications
Bitcoin is the first and most popular use of blockchain and is one of many “cryptocurrencies.”192 Cryptocurrencies are built on public blockchains and can be bought and sold on various online exchanges that operate much like traditional financial exchanges. The term “cryptocurrency” is frequently used to describe all sorts of public blockchains, but this can be very misleading. While it conveys attributes that define some blockchains, like a means of storing value and exchanging wealth, it fails to capture the nuances and capabilities of others.
As of early April 2019, there are over 2,000 public blockchains.193 A public blockchain can be used to verify a source and destination of a transaction of assets (i.e., cryptocurrencies). But not all public blockchains have currency applications. It is important to understand that currency was just the first application of blockchain and is by no means the only or best use.194 Utility blockchains are another type of application and are explored in Subpart IV.B.2. (in particular, data storage). Other blockchains have a platform function. Platform blockchains create an infrastructure on which more specific applications can be built. Ethereum, for example, is an open software platform based on blockchain technology that allows developers to build and deploy decentralized applications.195 Decentralized applications that are created on top of this platform do not need to create their own blockchain, but instead work off of the existing Ethereum blockchain. The “IBM Blockchain Platform”196 is an example of a “private Ethereum,” where businesses can build and use applications on top of IBM’s blockchain. Unlike Ethereum’s fully decentralized and public model, IBM controls the nodes.
The potential of blockchain technology as a whole is largely untapped and the exploration of private blockchains is in especially nascent stages, but things are picking up. Both the private sector and the public sector have started to look closely at the potential of private blockchain technology.
The most significant use of private blockchains in the private sector has been for platform blockchains such as IBM’s Blockchain Platform.197 Unlike Ethereum’s public platform, these private blockchain platforms are more suitable for corporate users198 because transactions are made efficient and confidential by the limited and selective nature of the participants.199 These types of private platform blockchains can be thought of as “blockchain for hire” or “blockchain as a service,” where users leverage and use the blockchain platform created by a company that has the resources and expertise to design, create, and service a private blockchain. For example, Helzberg Diamonds and jewelry manufacturer Richline Group are already working with IBM to track and authenticate diamonds and precious metals on IBM’s blockchain.200 Walmart and Sam’s Club sent a letter to its suppliers of fresh leafy greens asking them to track their products on Walmart’s IBM-powered blockchain.201 But new and unestablished players are also entering the market. Coin Sciences Ltd. allows users to utilize their blockchain infrastructure for various uses, such as messaging, decentralized exchanges, database synchronization, currency settlement, bond issuance, and consumer reward schemes.202 In 2017, the blockchain company Chain struck a deal with Nasdaq and Citi where these two companies would use Chain’s platform to create “a new integrated payment solution that enables straight through payment processing and automates reconciliation by using a distributed ledger to record and transmit payment instructions.”203
190. See What Is Quorum?, J.P. MORGAN, https://www.jpmorgan.com/global/Quorum [https://perma.cc/BHF3-VUFB].
191. Chris Middleton, Ford, Renault, GM, BMW, IBM Co-Found MOBI Blockchain Consortium, INTERNET OF BUS. (May 2, 2018), https://internetofbusiness.com/ford-renault-gm-bmw-ibm-co-found-mobi-blockchain-consortium [https://perma.cc/G734-V8QK].
192. The regulation of cryptocurrencies has received the most attention in academic literature, and the solutions proposed by authors often vastly differ. Compare Nareg Essaghoolian, Initial Coin Offerings: Emerging Technology’s Fundraising Innovation, 66 UCLA L. REV. 294 (2019) (proposing a regulatory framework based on current regulations for Special Purpose Acquisition Companies—public corporations formed to seek public funding for a merger or acquisition) with Jonathan Rohr & Aaron Wright, Blockchain-Based Token Sales, Initial Coin Offerings, and the Democratization of Public Capital Markets, 70 HASTINGS L.J. 463 (2019) (arguing that the Securities and Exchange Commission should consider a registration exemption designed specifically for cryptocurrencies).
193. Top 100 Coins by Market Capitalization, COINMARKETCAP, https://coinmarketcap.com/coins [https://perma.cc/4V53-EWDR].
194. “This new digital ledger of economic transactions can be programmed to record virtually everything of value and importance to humankind: birth and death certificates, marriage licenses, deeds and titles of ownership, educational degrees, financial accounts, medical procedures, insurance claims, votes, provenance of food, and anything else that can be expressed in code.” TAPSCOTT & TAPSCOTT, supra note 11, at 7; see also Andrew Meola, The Growing List of Applications and Use Cases of Blockchain Technology in Business & Life, BUS. INSIDER (Sept. 28, 2017, 4:46 PM), https://www.businessinsider.com/blockchain-technology-applications-use-cases-2017-9 [https://perma.cc/5GGQ-5T3B] (the use of blockchain technology spans across international payments, capital markets, trade finance, regulatory compliance and audit, money laundering protection, insurance, peer-to-peer transactions, supply chain management, healthcare, real estate, media, energy, record management, identity management, voting, taxes, nonprofit agencies, legislation/compliance/regulatory oversight, financial management/accounting, shareholder voting, cybersecurity, big data, data storage, and internet of things).
195. ETHEREUM, https://www.ethereum.org [https://perma.cc/3DMS-H9SX] (“blockchain app platform”).
196. See supra note 185 and accompanying text.
197. Id.
198. See Michael del Castillo, MultiChain 1.0: Bitcoin-Compatible Private Blockchain Opens for Enterprise, COINDESK (Aug. 2, 2017), https://www.coindesk.com/multichain-1-0-bitcoin-compatible-private-blockchain-launches-for-enterprise [https://perma.cc/55DR-EMUM].
199. See, e.g., GIDEON GREENSPAN, MULTICHAIN PRIVATE BLOCKCHAIN—WHITE PAPER 5–7, https://www.multichain.com/download/MultiChain-White-Paper.pdf [https://perma.cc/TTY8-4A5T].
The public sector has started to look into a different type of private blockchain. These private blockchains would be created for one entity’s exclusive use, as opposed to many different companies using the same platform. Private companies could also create this type of blockchain, but it may be more expensive and resource intensive to invest in this technology from the ground up rather than using a preexisting blockchain.204 Thus far, the U.S. government’s interest has largely been in how blockchain can bolster national defense. In September 2016, the Defense Advanced Research Projects Agency (DARPA) awarded a $1.8 million contract to two companies to “advance the state of formal verification tools and all blockchain-based integrity monitoring systems.”205 In May 2017, ITAMCO, a developer of the advanced privacy application called “Crypto-Chat,” was awarded a Phase 1 grant from DARPA to “develop a secure, non-hackable messaging and transaction platform for the U.S. military.”206 Joel Neidig, Director of Research and Development at ITAMCO, stated that they aim “to develop the latest in military-grade encryption software using blockchain technology.”207 The uses of this new messaging platform include “the communication of troops on the ground with HQ, or sending information between intelligence officers and the Pentagon.”208 A $700 billion defense bill passed by the U.S. Senate in 2017 included an amendment that would require “a report on the potential offensive and defensive cyber applications of blockchain technology and other distributed database technologies and an assessment of efforts by foreign powers, extremist organizations, and criminal networks to utilize these technologies.”209 The U.S. Treasury also hired a contractor “to develop a prototype using blockchain, or distributed ledger technology, to track and manage physical assets.”210 In 2018, a hearing was held by the U.S. House of Representatives Committee on Science, Space, and Technology titled “Beyond Bitcoin: Emerging Applications for Blockchain Technology” with the aim of addressing how blockchain technology could “potentially bolster private companies’ and the federal government’s cybersecurity weaknesses.”211
200. Anna Irrera, Jewelry Companies Team Up With IBM on Blockchain Platform, REUTERS (Apr. 26, 2018, 3:10 AM), https://www.reuters.com/article/us-blockchain-diamonds/jewelry-companies-team-up-with-ibm-on-blockchain-platform-idUSKBN1HX1BD [https://perma.cc/6WUR-7GFM].
201. Letter from Walmart Execs. to Leafy Greens Suppliers (Sept. 24, 2018), https://corporate.walmart.com/media-library/document/blockchain-supplier-letter-september-2018/_proxyDocument?id=00000166-088d-dc77-a7ff-4dff689f0001 [https://perma.cc/X469-3RYR].
202. Id. at 12–16.
203. Nasdaq and Citi Announce Pioneering Blockchain and Global Banking Integration, NASDAQ (May 22, 2017, 9:48 AM), https://www.nasdaq.com/article/nasdaq-and-citi-announce-pioneering-blockchain-and-global-banking-integration-cm792544 [https://perma.cc/9BTW-H7YC].
204. For example, Amazon offers a blockchain service that “eliminates the overhead required to create the network, and automatically scales to meet the demands of thousands of applications running millions of transactions.” Blockchain on AWS, AWS, https://aws.amazon.com/blockchain [https://perma.cc/4LR9-Y5KM].
205. Martin Ruubel, Guardtime Federal and Galois Awarded DARPA Contract to Formally Verify Blockchain-Based Integrity Monitoring System, GUARDTIME: BLOG & NEWS (Sept. 13, 2016), https://guardtime.com/blog/galois-and-guardtime-federal-awarded-1-8m-darpa-contract-to-formally-verify-blockchain-based-inte [https://perma.cc/Y526-RGAV].
206. ITAMCO to Develop Blockchain-Based Secure Messaging App for U.S. Military, CISION (May 25, 2017, 12:43 PM), https://www.prnewswire.com/news-releases/itamco-to-develop-blockchain-based-secure-messaging-app-for-us-military-300464063.html [https://perma.cc/K3FA-E62J].
207. Id.
208. Id.
209. 163 Cong. Rec. S5794 (daily ed. Sept. 18, 2017).
210. Bureau of the Fiscal Service Launches Two Innovative Pilot Projects, BUREAU OF THE FISCAL SERV., https://www.publicdebt.treas.gov/fsservices/gov/fit/fit_launches_innovative_pilot.htm [https://perma.cc/NW5J-25YG].
211. Beyond Bitcoin: Emerging Applications for Blockchain Technology: Joint Hearing Before the H. Subcomm. on Oversight, H. Subcomm. on Research and Tech., and H. Comm. on Sci., Space, & Tech., 115th Cong. 4–5 (2018) (statement of Ralph Abraham, Chairman, H. Subcomm. on Oversight).
IV. BLOCKCHAIN AND CYBERSECURITY
A. How Blockchain Can Enhance Cybersecurity
Blockchain technology has the potential to tremendously improve cybersecurity212 and many industries and enterprises are increasingly considering its use.213 The Executive Director of the European Union Agency for Network and Information Security agrees that “cyber security should be considered as a key element in the Blockchain implementation.”214 The technology has already been deployed in Estonia to protect the confidentiality, integrity, and availability of marriage registrations, health records, and other sensitive information.215 IBM has applied for a patent that would use blockchain to increase the security and privacy of storing and managing data associated with unmanned aerial vehicles.216 The National Aeronautics and Space Administration (NASA) also proposed the use of a permissioned blockchain to boost cybersecurity by “enabl[ing] aircraft privacy and anonymity while providing a secure and efficient method for communication with . . . authorized entities.”217 Dozens of central banks around the world are also experimenting with blockchain technology with the aim of addressing cybersecurity concerns, among other things.218 The Department of Homeland Security is getting ready to use blockchain technology to secure the storage and transmission of data collected by security cameras, sensors, and other internal databases.219 Additionally, the Colorado Senate recently passed a bill that would require state departments to “annually assess the data systems of each public agency for the benefits and costs of adopting and applying” blockchain technology.220
212. See, e.g., JARED R. BUTCHER ET AL., CYBERSECURITY TECH BASICS: BLOCKCHAIN TECHNOLOGY CYBER RISKS AND ISSUES: OVERVIEW (2019), https://www.steptoe.com/images/content/1/8/v2/189187/Cybersecurity-Tech-Basics-Blockchain-Technology-Cyber-Risks-and.pdf [https://perma.cc/6HCY-FUGN] (“Blockchain technology offers important cybersecurity benefits” by “provid[ing] a strong method for securing networked ledgers.”); Naveen Joshi, The Anatomy of a Cyber Attack: Dissecting the Science Behind Virtual Crime, BBN TIMES (Mar. 4, 2019), https://www.bbntimes.com/en/technology/the-anatomy-of-a-cyber-attack-dissecting-the-science-behind-virtual-crime [https://perma.cc/Y6CC-8HXX] (“Blockchain can effectively detect a data breach, and disrupt the process that forms the anatomy of a cyber attack.”).
213. See, e.g., Andrew Arnold, Here’s Why More Enterprises Are Considering Blockchain as Data Privacy Solution, FORBES (Jan. 2, 2019, 1:07 PM), https://www.forbes.com/sites/andrewarnold/2019/01/02/heres-why-more-enterprises-are-considering-blockchain-as-data-privacy-solution/#203f40abcb73 [https://perma.cc/S929-R95C]; Andrew Arnold, 4 Promising Use Cases of Blockchain in Cybersecurity, FORBES (Jan. 30, 2019, 4:30 AM), https://www.forbes.com/sites/andrewarnold/2019/01/30/4-promising-use-cases-of-blockchain-in-cybersecurity/#22e4cd443ac3 [https://perma.cc/6EEZ-6VS8]; Reinhardt Krause, How Cybersecurity Firms Palo Alto, Okta Can Capitalize on Blockchain, INVESTOR’S BUS. DAILY (Apr. 13, 2018), https://www.investors.com/news/technology/how-cybersecurity-firms-could-capitalize-on-blockchain-technology [https://perma.cc/UVL3-XSDR].
214. ENISA Report on Blockchain Technology and Security, ENISA (Jan. 18, 2017), https://www.enisa.europa.eu/news/enisa-news/enisa-report-on-blockchain-technology-and-security [https://perma.cc/E3NE-BN9N].
215. Jamie Holmes, Blockchain for Cybersecurity: Protecting Infrastructure, Data Telecommunications, BTCMANAGER.COM (Jan. 7, 2016), https://btcmanager.com/blockchain-for-cyber-security-protecting-infrastructure-data-telecommunications [https://perma.cc/HYM3-ZUCP]; Daniel Palmer, Blockchain Startup to Secure 1 Million e-Health Records in Estonia, COINDESK (Mar. 3, 2016, 10:51 PM), https://www.coindesk.com/blockchain-startup-aims-to-secure-1-million-estonian-health-records [https://perma.cc/V49B-KVAX].
216. U.S. Patent No. 20180270244 (filed Sept. 20, 2018).
Blockchain’s breakthrough is in its “culmination of decades of research and breakthroughs in cryptography and security.”221 This combination makes blockchain secure to the point where “no one has yet managed to break the . . . decentrali[z]ed architecture” of it.222 Even the National Security Agency and Federal Bureau of Investigation lack the ability to circumvent the technology behind blockchain.223 Contrast this impenetrable nature with the current state of cyber-insecurity, where even the largest companies get hacked regularly, no matter how much money they spend on their own security infrastructure.224 Moreover, the security offered by blockchain is needed now more than ever in order to heed cybersecurity experts’ warning that “the new paradigm has to stop the hacker[s] getting in” before they can do damage.225 The key to solving the current “systemic” cybersecurity crisis lies in blockchain’s ability to maximize decentralization and distribution of computers, and thus create more fault-tolerant and unhackable networks.226
217. RONALD J. REISMAN, NASA AMES RESEARCH CENTER, AIR TRAFFIC MANAGEMENT BLOCKCHAIN INFRASTRUCTURE FOR SECURITY, AUTHENTICATION, AND PRIVACY 1 (2019), https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20190000022.pdf [https://perma.cc/Q867-X2KB]. NASA’s report also demonstrated how their prototype blockchain represents a “scalable architecture and illustrates how [this technology] may be rapidly deployed and economically maintained.” Id.
218. See WORLD ECONOMIC FORUM, CENTRAL BANKS AND DISTRIBUTED LEDGER TECHNOLOGY: HOW ARE CENTRAL BANKS EXPLORING BLOCKCHAIN TODAY? (2019), www3.weforum.org/docs/WEF_Central_Bank_Activity_in_Blockchain_DLT.pdf [https://perma.cc/8WWV-NV4N].
219. Joseph Young, Homeland Security to Use Blockchain in Tracking Goods & People Globally, COINTELEGRAPH (Jan. 15, 2017), https://cointelegraph.com/news/homeland-security-to-use-blockchain-in-tracking-goods-people-globally [https://perma.cc/6MQ6-U9YC].
220. COLO. REV. STAT. § 24-37.5-501 (2018).
221. Ben Dickson, How Blockchain Can Help Fight Cyberattacks, TECHCRUNCH (Dec. 5, 2016, 1:38 PM), https://techcrunch.com/2016/12/05/how-blockchain-can-help-fight-cyberattacks [https://perma.cc/34DU-LVJT].
222. BLOCKCHAIN: ENIGMA. PARADOX. OPPORTUNITY, supra note 153, at 12; see also TAPSCOTT & TAPSCOTT, supra note 11, at 7 (hacking the blockchain is “practically impossible” to do); Dante Disparte, IBM X-Force Red Launches Blockchain Cybersecurity Service, FORBES (Mar. 5, 2019, 6:00 AM), https://www.forbes.com/sites/dantedisparte/2019/03/05/ibm-x-force-red-launches-blockchain-cybersecurity-service/#767c543d1602 [https://perma.cc/KF3S-ED86] (“[T]he public blockchain underpinning bitcoin transactions has not been hacked at the protocol level since its launch in 2008.”).
223. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 9.
Although not a panacea,227 incorporating blockchain into a company’s comprehensive cybersecurity plan can increase the confidentiality, integrity, and availability of data, and better ensure the resilience of networks.
1. Confidentiality
Encryption methods and access controls, when combined with blockchain, can ensure confidentiality of data.228 While public blockchains do not provide confidentiality of data, on a private blockchain, a company can decide to encrypt information end-to-end before storing it.229 Thus a hacker who gains access to a node on a private blockchain’s network could not access the information so long as the hacker does not possess the encryption key.230
224. See supra Part I.A.
225. The Cryptolife of John McAfee, BITMEDIA (Apr. 5, 2018), https://bit-media.org/bitcoin/the-cryptolife-of-john-mcafee [https://perma.cc/A8YX-RH5U] (quoting John McAfee); see also Steven Russo, A Guide for Understanding the New Paradigm, CERTAINSAFE, https://certainsafe.com/a-guide-for-understanding-the-new-paradigm [https://perma.cc/XXK8-UXR6].
226. See Bernard Lunn, Bitcoin Blockchain Could Solve the Cyber Security Challenge for Banks, DAILY FINTECH (Oct. 30, 2015), https://dailyfintech.com/2015/10/30/Bitcoin-blockchain-could-solve-the-cyber-security-challenge-for-banks [https://perma.cc/2EXS-F27V].
227. Beyond Bitcoin: Emerging Applications for Blockchain Technology: Hearing Before the Subcomm. on Oversight & Subcomm. on Research & Tech. of the H. Comm. on Sci., Space & Tech., 115th Cong. 5 (2018) (testimony of Chris Jaikaran, analyst in cybersecurity policy) [hereinafter Jaikaran Testimony].
228. Encryption and access control technologies are readily available and widely used. See, e.g., Encryption Methods, IBM KNOWLEDGE CTR., https://www.ibm.com/support/knowledgecenter/en/SSEQTP_9.0.0/com.ibm.websphere.base.doc/ae/rwbs_wssencryptalgorithms.html; DEP’T OF HOMELAND SECURITY, ACCESS CONTROL TECHNOLOGIES HANDBOOK (2015), https://www.dhs.gov/sites/default/files/publications/ACT-HB_0915-508.pdf [https://perma.cc/F43Q-6DTF].
229. See ERIC PISCINI ET AL., DELOITTE, BLOCKCHAIN & CYBER SECURITY. LET’S DISCUSS 6 (2017), https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Technology/IE_C_BlockchainandCyberPOV_0417.pdf [https://perma.cc/67GX-NBWT].
230. See, e.g., Jorge Gonzalez-Orozco, The Linux Foundation’s Hyperledger Fabric Enables Confidentiality in Blockchain for Business, IBM (Apr. 17, 2018), https://www.ibm.com/blogs/blockchain/2018/04/hyperledger-fabric-enables-confidentiality-in-blockchain-for-business [https://perma.cc/9Y7V-928P]. Businesses are encouraged to use best practices to manage their encryption keys. See, e.g., VIRTRU, THE SIMPLE GUIDE TO ENCRYPTION KEY MANAGEMENT, https://www.virtru.com/wp-content/themes/virtru/files/pdf/The%20Simple%20Guide%20to%20Encryption%20Key%20Management.pdf [https://perma.cc/8K8Q-CMDG].
Moreover, a private blockchain can be designed to implement access controls and thus ensure that data is restricted to authorized personnel. Access controls can determine who can read the data, who can submit transactions, and who can validate them.231 The cryptographic validation process can even be spread out among multiple computers,232 where each party only has partial access to the information, and thus “[t]he parties are trusted as a whole, decentralized unit, but not individually.”233 This is similar to the idea of a data storage blockchain splitting up data into shards where one piece of information is split into many different pieces and distributed throughout the network.234
Access to data on a private blockchain can even be limited to as little as two parties. IBM’s private blockchain235 allows the sharing of data through channels with only those organizations that need to have access to it.236 For example, in a medical information context, all organizations in the network can see that an individual has health insurance, but only those in a particular channel can see the coverage details.237
Employing encryption and access controls in a blockchain ensures the confidentiality of data even when computers on the network are compromised. Companies must assess their own risk tolerance in deciding what type of blockchain to implement. Larger blockchain networks (with, for example, more participants) make it more difficult for a hacker to know exactly which participant has access to the data that they are looking for. Smaller blockchain networks allow for more confidentiality because only a small number of participants are privy to data, but are more likely to be breached because they are less centralized.
231. See Allison Berke, How Safe Are Blockchains? It Depends., HARV. BUS. REV. (Mar. 7, 2017), https://hbr.org/2017/03/how-safe-are-blockchains-it-depends [https://perma.cc/B3TQ-BMWG]. Access controls should also be managed according to best practices. See, e.g., ONE IDENTITY, 8 BEST PRACTICES FOR IDENTITY AND ACCESS MANAGEMENT (2017), https://www.cbronline.com/wp-content/uploads/dlm_uploads/2018/02/Identity-Gov-8-best-practices-for-identity-and-access-management-white-paper-13721.pdf [https://perma.cc/E3MB-5H9N].
232. See Dickson, supra note 221.
233. Id.
234. For an example of a public blockchain employing this method, see PROTOCOL LABS, FILECOIN: A DECENTRALIZED STORAGE NETWORK (2017), https://filecoin.io/filecoin.pdf [https://perma.cc/T3EV-M47W].
235. See supra Part III.B.
236. See Gonzalez-Orozco, supra note 230.
237. Id.
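The confidentiality model above (end-to-end encryption, read/submit/validate permissions, and member-only channels as in the insurance example), carried through as an added illustration that is not code from the article or from Hyperledger Fabric; the ledger class, organisation names and the stdlib SHAKE-based lab cipher are assumptions made here:

```python
"""Toy permissioned ledger: read/submit/validate permissions plus per-channel
encryption. Added illustration, not code from the article or from Hyperledger
Fabric; class names, organisation names and the lab cipher are assumptions."""
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Lab stream cipher: XOR with a keystream from keyed SHAKE-256 (stdlib only).
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(key: bytes, plaintext: bytes) -> dict:
    # Encrypt-then-MAC: a node that flips ciphertext bytes is caught on read.
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def unseal(key: bytes, blob: dict) -> bytes:
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expect = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise ValueError("ciphertext tampered")
    return _keystream_xor(key, nonce, ct)


class PermissionedLedger:
    """What every node replicates: public metadata plus sealed channel payloads.
    Channel keys are handed to members at channel creation and never stored here."""

    def __init__(self):
        self.perms = {}    # org -> subset of {"read", "submit", "validate"}
        self.members = {}  # channel -> set of member orgs
        self.entries = []

    def grant(self, org: str, *perms: str) -> None:
        self.perms.setdefault(org, set()).update(perms)

    def create_channel(self, name: str, members: set) -> dict:
        self.members[name] = set(members)
        key = secrets.token_bytes(32)
        return {org: key for org in members}  # one copy per member, none for the ledger

    def submit(self, org: str, validator: str, channel: str,
               public: dict, private: dict, key: bytes) -> int:
        if "submit" not in self.perms.get(org, set()):
            raise PermissionError(f"{org} may not submit transactions")
        if "validate" not in self.perms.get(validator, set()):
            raise PermissionError(f"{validator} may not validate transactions")
        if org not in self.members[channel]:
            raise PermissionError(f"{org} is not a member of channel {channel}")
        sealed = seal(key, json.dumps(private, sort_keys=True).encode())
        self.entries.append({"channel": channel, "public": public, "sealed": sealed})
        return len(self.entries) - 1

    def read(self, org: str, index: int, keyring: dict) -> dict:
        if "read" not in self.perms.get(org, set()):
            raise PermissionError(f"{org} may not read the ledger")
        entry = self.entries[index]
        view = {"public": entry["public"], "private": None}
        key = keyring.get(entry["channel"])
        if org in self.members[entry["channel"]] and key is not None:
            view["private"] = json.loads(unseal(key, entry["sealed"]))
        return view

    def node_dump(self) -> list:
        # All an intruder on a compromised node can copy: metadata and ciphertext.
        return [{"public": e["public"], "ct": e["sealed"]["ct"]} for e in self.entries]


def demo() -> dict:
    ledger = PermissionedLedger()
    for org in ("insurer", "hospital", "pharmacy"):
        ledger.grant(org, "read", "submit")
    ledger.grant("insurer", "validate")
    keyrings = {org: {"coverage": k}
                for org, k in ledger.create_channel("coverage", {"insurer", "hospital"}).items()}
    keyrings["pharmacy"] = {}  # not a channel member, so no key
    # Constructed sample record: insured status is visible to all, terms only in-channel.
    idx = ledger.submit("insurer", "insurer", "coverage", {"patient": "P-001", "insured": True},
                        {"deductible": 500, "plan": "gold"}, keyrings["insurer"]["coverage"])
    out = {"hospital": ledger.read("hospital", idx, keyrings["hospital"]),
           "pharmacy": ledger.read("pharmacy", idx, keyrings["pharmacy"]),
           "dump_leaks_terms": "gold" in json.dumps(ledger.node_dump())}
    try:
        ledger.submit("pharmacy", "insurer", "coverage", {}, {"plan": "x"}, b"\0" * 32)
        out["pharmacy_submit"] = "allowed"
    except PermissionError:
        out["pharmacy_submit"] = "denied"
    return out
```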
2. Integrity
Blockchain’s innate characteristics of immutability and decentralization ensure data integrity. Once data is inputted on a blockchain it is “usually there forever.”238 It is so immutable that it has been dubbed a “digital tattoo.”239
The cryptographic validation mechanism, consensus model, and decentralized nature make it very challenging for any party to tamper with the data stored on a blockchain. Data can only be added on the blockchain if a majority of nodes agree that the data should be added. Once added on the blockchain, that data becomes a reference point which ensures that before any new data can be added, the nodes must agree that the reference point (i.e., existing data) has not been altered. This structure ensures that once information is on a blockchain, it will remain unaltered. Moreover, mechanisms similar to those applied in data storage blockchains can periodically verify the integrity of information.240
It should be noted that if hackers were to gain access to a majority of the computers on a blockchain’s network, they would potentially be able to tamper with the data.241 But a hacker’s successful control of a majority of computers does not guarantee success.242 Rather, “an attacker would only be able to modify transactions within the past few blocks” because “[t]he farther back in the blockchain transactions are, the more secured they are against this kind of attack.”243 Moreover, it is significantly more difficult for hackers to gain control of an entire network where computers are distributed than for them to gain control over a network that is centralized, which is often the model in today’s cybersecurity landscape.244 In a manner parallel to confidentiality, the larger the blockchain network, the more difficult it will be to corrupt the integrity of the data. Private blockchains operating with a lower number of nodes should ensure that their network is sufficiently distributed with no single points of attack.
238. Beyond Bitcoin: Emerging Applications for Blockchain Technology: Hearing Before the Subcomm. on Oversight & Subcomm. on Research & Tech. of the H. Comm. On Sci., Space, & Tech., 115th Cong. 2 (2018) (statement of Charles H. Romine, Director, Information Technology Laboratory, National Institute of Standards and Technology).
239. Júlio Santos, Forever on the Chain, HACKERNOON (Nov. 14, 2017), https://hackernoon.com/forever-on-the-chain-c755838dfc79 [https://perma.cc/XWA5-TAX7].
240. See infra note 287 and accompanying text.
241. See 51% Attack, LEARN CRYPTOGRAPHY, https://learncryptography.com/cryptocurrency/51-attack [https://perma.cc/W34N-EQW8].
242. Id.
243. Id.
244. See, e.g., Lunn, supra note 226 (discussing centralization within banking context).
Blockchain’s ability to ensure the immutability of data is especially important for cybersecurity because the subtlety of altering data, rather than stealing it or deleting it, makes this a particularly insidious form of attack.245 Implementing blockchain as part of a company’s comprehensive cybersecurity plan can ensure the integrity of data far better than other methods.
3. Availability
Decentralization and immutability ensure that the data stored on a blockchain and the system itself will remain available in the face of an attack. The decentralized nature of blockchain guarantees that there is no single point of failure.246 This means that if a node is taken down, data is still accessible through other nodes since all of them maintain a full copy of the data—unless access controls are set in place that would limit a certain node’s access. Moreover, compromised nodes can be dropped from the blockchain network.247 Even if a part of the network is compromised, distribution guarantees that the blockchain network will be operational through the remaining nodes. Immutability of information added on a blockchain also ensures that a hacker cannot erase the data even if part of the network is compromised.
Although the risk of a networkwide breach remains, that risk proportionally decreases with greater distribution of nodes. As with maintaining integrity, smaller private blockchains must ensure that their network is sufficiently distributed so that there can be no single point of failure. Similarly, proper access controls should be implemented as part of a comprehensive cybersecurity plan to ensure that blockchain’s potential to ensure availability can be realized.
4. Resilience
The most common type of cyberattack that would affect the resilience of a network is the distributed denial of service (DDoS). DDoS attacks flood a server with superfluous requests in an attempt to overload the system and prevent legitimate use of a system.248 These requests often originate from thousands of sources, which makes them effectively impossible to stop.249 They have been successful thus far because of the pervasive use of centralized servers.250 DDoS attacks have been taking place for twenty years and are growing more prevalent and stronger.251 Recently, Twitter, SoundCloud, Spotify, and Shopify were the targets of DDoS attacks that caused their websites to go offline temporarily.252 On the other hand, the Bitcoin blockchain has remained operational in the face of regular and “massive” DDoS attacks since its inception over ten years ago.253
245. See SINGER & FRIEDMAN, supra note 13, at 35.
246. See supra Part III.A.
247. See PISCINI ET AL., supra note 229, at 10.
Blockchain offers resilience against these types of attacks and others through its decentralized structure. Even if a major part of a blockchain network is under attack or compromised, it will remain fully operational through the other nodes. Ensuring that nodes are sufficiently distributed will increase the resilience of a network. As above, this may be more challenging with smaller private blockchains because of the smaller number of nodes. Therefore, blockchain technology should always be implemented as part of a larger cybersecurity plan.
B. Absence of Blockchain as Unreasonable in the Data Storage Context
Companies handling consumer information must implement a security program that contains technical safeguards that are appropriate to the organization’s size, complexity, and activities, and to the sensitivity of the personal information that the organization collects from users.254 They should also look at a technology’s costs, benefits, and risks, and their ability to fund and implement it.255 Understanding that the analysis of cybersecurity reasonableness is always done case-by-case, this Subpart applies the FTC and NIST cybersecurity guidelines to blockchain and argues that the FTC ought to view failure to use blockchain as unreasonable. As a reminder, the guidelines that would be relevant to incorporating blockchain technology into the FTC’s understanding of reasonable cybersecurity measures are (1) using readily available technology, (2) protecting data during storage and transmission, (3) responding to and recovering from cyber attacks, and (4) ensuring the security of third parties.
248. Security Tip ST04-015: Understanding Denial-of-Service Attacks, US-CERT (Nov. 4, 2009), https://www.us-cert.gov/ncas/tips/ST04-015 [https://perma.cc/GGY3-7587].
249. Id.
250. See Jon Buck, Why Blockchain Technology Is Perfect for Fighting DDoS Attacks, COINTELEGRAPH (Sept. 30, 2017), https://cointelegraph.com/news/why-blockchain-technology-is-perfect-for-fighting-ddos-attacks [https://perma.cc/FVM8-NV9H].
251. See George V. Hulme, DDoS Explained: How Distributed Denial of Service Attacks Are Evolving, CSO (Mar. 12, 2018, 5:32 AM), https://www.csoonline.com/article/3222095/network-security/ddos-explained-how-denial-of-service-attacks-are-evolving.html [https://perma.cc/MN24-3KMS].
252. See Darrel Etherington & Kate Conger, Large DDoS Attacks Cause Outages at Twitter, Spotify, and Other Sites, TECHCRUNCH (Oct. 21, 2016), https://beta.techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/?_ga=2.188934251.1781959609.1525825710-1659847444.1525206072 [https://perma.cc/TY4M-T4FU].
253. See, e.g., Leo King, Bitcoin Hit By ‘Massive’ DDoS Attack As Tensions Rise, FORBES (Feb. 12, 2014, 7:27 AM), https://www.forbes.com/sites/leoking/2014/02/12/bitcoin-hit-by-massive-ddos-attack-as-tensions-rise/#4a60100246ad [https://perma.cc/25W7-BM76].
1. Adopting Readily Available Technology
Blockchain is a current and state-of-the-art technology that was created about ten years ago.256 But importantly, new technology can still be considered readily available in the FTC’s eyes. Readily available is understood to mean adopted by the relevant industry, with allowance for imperfection in cases of software.257 In fact, much of the technology behind blockchain is already in widespread use,258 most importantly the Turing Award-winning technologies of asymmetric cryptography and distributed systems. Asymmetric cryptography was first conceived of in 1970 by a British cryptographer working for the United Kingdom’s Government Communications Headquarters and later made public in 1976.259 Since then it has been in wide use in the financial and telecommunications industries among others.260 It is even required by the NIST for use in the U.S. Federal Government.261 The FTC also recommends that companies “[u]se strong cryptography to secure confidential material during storage and transmission.”262 Moreover, the entire architecture of the current World Wide Web is based on the distributed systems model.263 Essentially, blockchain’s innovation was its combination of existing technologies.264
Additionally, blockchain technology is open-source code that can be downloaded and run by anyone for free.265 The barriers of entry are exceedingly low and should not inhibit a company from adopting this technology. In fact, there are already a number of fully functional and market-ready blockchain-based data storage applications.266 Moreover, there are a number of companies that offer blockchain services that are directly aimed at enhancing cybersecurity267 and some companies are already adopting the technology for this purpose.268 Also, across nearly every sector, billions of dollars are being spent on blockchain funding269 and Fortune 500 companies have filed hundreds of blockchain patents.270 A large company with adequate capital that collects sensitive information from numerous individuals would be remiss not to adopt this technology because its cybersecurity benefits greatly outweigh its costs. From the perspective of a reasonable company, blockchain in the cybersecurity and data storage context is a known solution271 to data breaches and thus its absence will lead to FTC enforcement actions sooner rather than later. Not using blockchain is akin to running outdated software, where adding a few lines of code can address critical vulnerabilities.272
254. See Microsoft Corp., Docket No. C-4069, at 2 (Fed. Trade Comm’n Dec. 20, 2002) (decision and order).
255. See NAT’L INST. OF STANDARDS & TECH., supra note 12, at 14–15.
256. See, e.g., NAKAMOTO, supra note 160.
257. See Otto, supra note 118, at 340.
258. See SINGER & FRIEDMAN, supra note 13, at 45–50.
259. See Ghose, supra note 161; Patrick Sawer, The Unsung Genius Who Secured Britain’s Computer Defences and Paved the Way for Safe Online Shopping, TELEGRAPH (Mar. 11, 2016, 9:00 PM), https://www.telegraph.co.uk/history/12191473/The-unsung-genius-who-secured-Britains-computer-defences-and-paved-the-way-for-safe-online-shopping.html [https://perma.cc/J2HQ-5YDE].
260. See, e.g., Industry Specific Encryption, ANSI WEBSTORE, https://webstore.ansi.org/software/Industry-Specific.aspx [https://perma.cc/A649-3PX3].
261. See ELAINE BARKER, NAT’L INST. OF STANDARDS AND TECH., GUIDELINE FOR USING CRYPTOGRAPHIC STANDARDS IN THE FEDERAL GOVERNMENT: CRYPTOGRAPHIC MECHANISMS 1 (2016), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175b.pdf [https://perma.cc/9S4W-DFVW].
262. START WITH SECURITY, supra note 107, at 6.
263. See, e.g., ANDREA OMICINI, UNIVERSITÀ DI BOLOGNA A CESENA, THE ARCHITECTURE OF THE WORLD WIDE WEB: DISTRIBUTED SYSTEMS (2013), campus.unibo.it/104219/1/3-SD-rest.pdf [https://perma.cc/2BX2-5G57].
264. See Jaikaran Testimony, supra note 227, at 1.
265. See Scott J. Shackelford & Steve Myers, Block-By-Block: Leveraging the Power of Blockchain Technology to Build Trust and Promote Cyber Peace, 19 YALE J.L. & TECH. 334, 355 (2017).
266. See infra Part IV.B.2.
267. See PolySwarm Launches VirusTotal Replacement, Invites Companies To Try Free, CISION (Mar. 4, 2019), https://www.prweb.com/releases/polyswarm_launches_virustotal_replacement_invites_companies_to_try_free/prweb16141923.htm [https://perma.cc/X3WB-EF2R]; IBM X-Force Red Launches New Service for Blockchain Security Testing, IBM NEWS ROOM (Mar. 5, 2019), https://newsroom.ibm.com/2019-03-050-IBM-X-Force-Red-Launches-New-Service-for-Blockchain-Security-Testing [https://perma.cc/5Z54-P5AZ]; Acronis Blockchain Technology Initiative, ACRONIS, https://www.acronis.com/en-us/business/blockchain-notary [https://perma.cc/E2HC-9EKP].
268. See Vilija Simkiene, Telefonica, Rivetz and PeerStream Join for Blockchain-Powered Cybersecurity, VOIP REV. (Mar. 19, 2019), https://voip.review/2019/03/19/telefonica-rivetz-peerstream-join-blockchain-powered-cybersecurity [https://perma.cc/ZHL6-FYZ9].
269. See Jonathan Ponciano, Blockchain Tops $4.5 Billion in Private Funding This Year, But Deal Growth Stalls, FORBES (Sept. 22, 2017, 9:00 AM), https://www.forbes.com/sites/jonathanponciano/2017/09/22/blockchain-tops-4-5-billion-in-private-funding-this-year-but-deal-growth-stalls/#4de6e82374c6 [https://perma.cc/553R-GKN7].
270. See, e.g., Susan Decker & Jennifer Surane, BofA Tops IBM, Payments Firms With Most Blockchain Patents, BLOOMBERG (Jan. 16, 2018, 2:00 AM), https://www.bloomberg.com/news/articles/2018-01-16/bofa-tops-ibm-and-payments-firms-with-most-blockchain-patents.
2. Filling Gaps in Encryption/Security in the Storage-Transmission Chain
Companies must implement technology that protects data during its storage and transmission.273 Blockchain technology is capable of achieving this exact result throughout the lifecycle of the stored data.
Blockchain can ensure confidentiality of data with the addition of encryption and access control mechanisms.274 This is similar to other technologies whose absence would be considered unreasonable. And blockchain’s immutability and decentralization ensure data integrity, data and network availability, and network resilience.275
The potential of blockchain to protect data while stored and in transit is already being realized through various blockchain-based data storage networks. Filecoin,276 Siacoin,277 and STORJ278 are examples of blockchains that aim to revolutionize data storage by creating a platform for decentralized cloud storage. Instead of renting storage from a centralized provider, such as Dropbox,279 with one or a few points of attack,280 these blockchain-based decentralized cloud storage services create distributed networks that enable the formation and execution of storage contracts between peers.281 By forming a contract, a storage provider (the host) agrees to store a client’s data and to periodically submit proof of their continued storage until the contract expires.282 The process works in much the same way that Airbnb lets people utilize their home to make money when it would have otherwise sat idle and empty. The consensus network of the blockchain can be used to automatically enforce storage contracts, which means that clients do not need to personally verify storage; “they can simply upload their file and let the network do the rest.”283 Data that is submitted by a client is encrypted end-to-end and hosts do not have access to decryption keys.284 The data is then split into multiple parts (shards).285 This is important because no one host has access to all of the data stored by a client. Prior to being sent to the various hosts, the encrypted shards are duplicated.286 This aspect safeguards against a host going offline or having their system compromised. The splitting, duplication, and decentralization of data also eliminate the risk of single points of attack. The encrypted data shards are inputted into the blockchain, and a host must periodically verify, by solving a cryptographic function, that the information is still being stored and has not been altered.287 This creates an incentive system where a host can add a new transaction to the blockchain, and thus receive payment, only if they verify the integrity and availability of the data.288
To simplify this structure, say that a client were to store “ABC” on one of these three networks. The client would upload “ABC,” after which the data would be encrypted (“XYZ”, for example). Then the network would split (“X/Y/Z”) and duplicate it, creating multiple copies of X, Y, and Z. The multiple copies of X, Y, and Z are then sent to various servers across the network (where, for example: hosts 1, 2, 3, would each have X; 4, 5, 6, would each have Y; and 7, 8, 9, would each have Z). This model of data storage creates higher levels of data security by increasing confidentiality (end-to-end encryption, splitting of data, and distributing across network), integrity (blockchain’s inherent element of immutability and periodic verification of the integrity of the data), availability (duplicating the encrypted data shards, distributing them across the network, and requiring periodic verification and availability of that data), and resilience (distributed networks are more fault-tolerant because they are not easily susceptible to networkwide crashes or hacks).
271. See Breaux & Baumer, supra note 122, at 191.
272. See supra note 121 and accompanying text.
273. START WITH SECURITY, supra note 107, at 6.
274. See supra Part IV.A.1.
275. See supra Part IV.A.2–IV.A.4.
276. See PROTOCOL LABS, supra note 234.
277. See DAVID VORICK & LUKE CHAMPINE, SIA: SIMPLE DECENTRALIZED STORAGE (2014), https://www.sia.tech/whitepaper.pdf [https://perma.cc/TA2M-T63R].
278. See STORJ LABS, STORJ: A DECENTRALIZED CLOUD STORAGE NETWORK FRAMEWORK (2018), https://storj.io/storj.pdf.
279. See Where Does Dropbox Store My Data?, DROPBOX, https://www.dropbox.com/help/security/physical-location-data-storage [https://perma.cc/N5FG-4X98] (files added to Dropbox are stored in Dropbox’s data centers across the United States).
280. Dropbox servers were breached in 2012 and account information of sixty-eight million users was compromised and put up for sale on the dark web. See Karen Turner, Hacked Dropbox Login Data of 68 Million Users Is Now for Sale on the Dark Web, WASH. POST (Sept. 7, 2016), https://www.washingtonpost.com/news/the-switch/wp/2016/09/07/hacked-dropbox-data-of-68-million-users-is-now-or-sale-on-the-dark-web/?noredirect=on&utm_term=.ad4ed0b60307 [https://perma.cc/B7H2-3EP3].
281. See PROTOCOL LABS, supra note 234; VORICK & CHAMPINE, supra note 277; SHAWN WILKINSON ET AL., STORJ: A PEER-TO-PEER CLOUD STORAGE NETWORK (2016), https://storj.io/storj.pdf [https://perma.cc/CHW2-7BNH].
282. VORICK & CHAMPINE, supra note 277, at 1.
283. Id.
284. PROTOCOL LABS, supra note 234, at 21.
285. WILKINSON ET AL., supra note 281, at 2. The ability to fragment/split data has been available well before the creation of blockchain. See Peter M. Chen et al., RAID: High-Performance, Reliable Secondary Storage, 26 ACM COMPUTING SURVEYS 145 (1994).
286. VORICK & CHAMPINE, supra note 277, at 5.
287. Id. at 3.
288. As mentioned in Part III.A, transactions on a blockchain are immutable. In the case of utility blockchains used for data storage, past transactions are the uploads of data from client to host. Thus, data uploaded to a host cannot be altered.
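The storage model just described, carried through in code as an added example that is not code from Filecoin, Sia or Storj: the client encrypts end-to-end, splits the ciphertext into three shards, replicates each to three of nine hosts (1-3, 4-6, 7-9 as in the text), challenges hosts to prove continued storage, and still recovers the file when one host is offline and another has altered its copy. The pre-derived challenge scheme and the stdlib SHAKE-based lab cipher are simplifications assumed here.

```python
"""Decentralized storage walk-through: encrypt, split into shards, replicate,
audit hosts, recover. Added illustration, not code from Filecoin, Sia or Storj;
the lab cipher and the pre-derived challenge scheme are simplifications."""
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Lab stream cipher: XOR with a keystream from keyed SHAKE-256 (stdlib only).
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def split(data: bytes, n: int) -> list:
    size = -(-len(data) // n)  # ceiling division: every shard but the last is full
    return [data[i * size:(i + 1) * size] for i in range(n)]


class Network:
    """Hosts hold ciphertext shards only; they never see keys or whole files."""

    def __init__(self, n_hosts: int = 9):
        self.hosts = {h: {} for h in range(1, n_hosts + 1)}  # host -> {shard_id: bytes}

    def store(self, host: int, shard_id: str, shard: bytes) -> None:
        self.hosts[host][shard_id] = shard

    def prove(self, host: int, shard_id: str, nonce: bytes):
        # Storage proof: only a host still holding the exact bytes can answer.
        shard = self.hosts[host].get(shard_id)
        return None if shard is None else hmac.new(nonce, shard, hashlib.sha256).digest()

    def fetch(self, host: int, shard_id: str):
        return self.hosts[host].get(shard_id)


class Client:
    def __init__(self, net: Network, shards: int = 3, replicas: int = 3, audits: int = 4):
        self.net, self.n, self.r, self.audits = net, shards, replicas, audits
        self.key = secrets.token_bytes(32)  # never leaves the client
        self.contracts = {}  # shard_id -> {"hosts", "digest", "challenges"}

    def upload(self, name: str, data: bytes) -> list:
        nonce = secrets.token_bytes(16)
        blob = nonce + _keystream_xor(self.key, nonce, data)  # end-to-end encrypted
        ids = []
        for j, shard in enumerate(split(blob, self.n)):
            sid = f"{name}/{j}"
            hosts = [self.r * j + k for k in range(1, self.r + 1)]  # 1-3, 4-6, 7-9
            for h in hosts:
                self.net.store(h, sid, shard)
            # Derive challenge/response pairs now, while the shard is still in hand.
            chal = [(c, hmac.new(c, shard, hashlib.sha256).digest())
                    for c in (secrets.token_bytes(16) for _ in range(self.audits))]
            self.contracts[sid] = {"hosts": hosts, "challenges": chal,
                                   "digest": hashlib.sha256(shard).digest()}
            ids.append(sid)
        return ids

    def audit(self, sid: str) -> dict:
        # One audit round: every replica host answers the same fresh challenge.
        nonce, expected = self.contracts[sid]["challenges"].pop()
        return {h: hmac.compare_digest(self.net.prove(h, sid, nonce) or b"", expected)
                for h in self.contracts[sid]["hosts"]}

    def download(self, name: str) -> bytes:
        parts = []
        for j in range(self.n):
            sid, c = f"{name}/{j}", self.contracts[f"{name}/{j}"]
            copies = (self.net.fetch(h, sid) for h in c["hosts"])
            good = next((s for s in copies
                         if s is not None and hashlib.sha256(s).digest() == c["digest"]), None)
            if good is None:
                raise RuntimeError(f"every replica of shard {j} is missing or altered")
            parts.append(good)
        blob = b"".join(parts)
        return _keystream_xor(self.key, blob[:16], blob[16:])


def demo() -> dict:
    net = Network()
    client = Client(net)
    record = b"patient P-001: deductible 500, plan gold"  # constructed sample file
    client.upload("record", record)
    del net.hosts[1]["record/0"]           # host 1 lost its copy (offline)
    net.hosts[4]["record/1"] = b"garbage"  # host 4 silently altered its copy
    audit0, audit1 = client.audit("record/0"), client.audit("record/1")
    recovered = client.download("record") == record
    leak = any(b"patient" in s for h in net.hosts.values() for s in h.values())
    return {"audit0": audit0, "audit1": audit1, "recovered": recovered,
            "hosts_see_plaintext": leak}
```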
3. Responding and Recovering Quickly From Breaches
A comprehensive cybersecurity plan must ensure that a company can adequately respond to and recover from an incident; a plan that fails to do so may be considered unreasonable.289 When included as part of a comprehensive cybersecurity plan, blockchain technology offers unparalleled opportunities for companies to contain and mitigate incidents.
Any attempted alteration of data on the blockchain creates a discrepancy that other recordkeepers in the network immediately notice.290 This allows the network to quickly respond by shutting down the compromised node and removing it from the network. Blockchain technology also allows a company to recover from an incident because of its decentralized structure. Even if a major part of a blockchain network is under attack or compromised, the network will continue to be fully operational through the other nodes. The resilience of blockchain is evinced through the technology’s ability to withstand numerous DDoS attacks.291
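The integrity mechanism of Part IV.A.2 and the discrepancy detection described above, as one added example that is not the article's code nor that of any named blockchain: every node keeps a hash-chained copy, a block is appended only when a majority validate it against their own tip, and a node that rewrites a past record is spotted by the other recordkeepers and removed. Node names and payloads are constructed.

```python
"""Hash-chained ledger replicated across nodes, with majority validation and
divergence detection. Added illustration for Parts IV.A.2 and IV.B.3; not code
from the article or any named blockchain; node names are hypothetical."""
import hashlib
import json


def block_hash(block: dict) -> str:
    # Deterministic serialization so every node computes the same hash.
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


GENESIS = {"index": 0, "prev": "0" * 64, "payload": "genesis"}


class Node:
    def __init__(self, name: str):
        self.name = name
        self.chain = [dict(GENESIS)]

    def tip_hash(self) -> str:
        return block_hash(self.chain[-1])

    def validates(self, block: dict) -> bool:
        # The reference point (this node's tip) must be what the new block links to.
        return block["prev"] == self.tip_hash() and block["index"] == len(self.chain)

    def verify_chain(self) -> bool:
        return all(self.chain[i]["prev"] == block_hash(self.chain[i - 1])
                   and self.chain[i]["index"] == i for i in range(1, len(self.chain)))


def propose(nodes: list, proposer: Node, payload) -> bool:
    """Append only if a majority of nodes validate the block against their own tip."""
    block = {"index": len(proposer.chain), "prev": proposer.tip_hash(), "payload": payload}
    accepting = [n for n in nodes if n.validates(block)]
    if len(accepting) * 2 <= len(nodes):
        return False
    for n in accepting:
        n.chain.append(dict(block))  # each node stores its own copy
    return True


def tamper(node: Node, index: int, payload) -> int:
    """Rewrite one historic block on a single node and relink everything after it.
    Returns how many blocks had to be recomputed: the deeper the edit, the more work,
    which is why older records are the better secured ones."""
    node.chain[index]["payload"] = payload
    for i in range(index + 1, len(node.chain)):
        node.chain[i]["prev"] = block_hash(node.chain[i - 1])
    return len(node.chain) - index


def divergent_nodes(nodes: list) -> list:
    # Recordkeepers compare tips; whoever disagrees with the majority view is flagged.
    tips = [n.tip_hash() for n in nodes]
    majority = max(set(tips), key=tips.count)
    return [n.name for n in nodes if n.tip_hash() != majority]


def demo() -> dict:
    nodes = [Node(f"node{i}") for i in range(1, 6)]
    for k in range(1, 7):
        propose(nodes, nodes[0], f"record {k}")
    # A compromised node quietly edits record 2; its own chain stays internally consistent...
    rehashed = tamper(nodes[3], 2, "record 2 (altered)")
    flagged = divergent_nodes(nodes)
    # ...but its proposals are rejected, since its tip is not the majority's reference point.
    rogue_accepted = propose(nodes, nodes[3], "record 7 from rogue")
    healthy = [n for n in nodes if n.name not in flagged]  # quarantine the flagged node
    honest_accepted = propose(healthy, healthy[0], "record 7")
    return {"rehashed": rehashed, "flagged": flagged,
            "rogue_chain_valid": nodes[3].verify_chain(),
            "rogue_accepted": rogue_accepted, "honest_accepted": honest_accepted,
            "honest_length": len(healthy[0].chain)}
```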
4. Ensuring the Security of Third Parties: The Trust Machine
According to the FTC and NIST, companies are responsible for ensuring that third-party contractors implement reasonable security measures.292 Companies must determine what requirements are necessary and must verify that they are met by the third party.293 Blockchain provides the opportunity for companies to streamline this effort of building trust.
289. See supra Part II.A.3.
290. Jayachandran, supra note 170.
291. See supra Part IV.A.4.
292. See supra note 136 and accompanying text.
Blockchain has been dubbed “the trust machine” because it allows parties who have no particular confidence in each other to collaborate without having to go through a neutral party.294 This technology can “be applied in any context in which trust is essential.”295
Although it may seem like an insurmountable task to replace, for example, traditional third-party storage services with blockchain-based storage, the current system is unsustainable and change is necessary. Companies, and in particular large companies that collect tremendous amounts of consumer information, overwhelmingly rely on third parties for data storage.296 Third parties have increasingly been the targets of cyber attacks, which are considered to be the most expensive type of incident.297 Yet the amount of sensitive and confidential information that these third parties possess continues to grow.298 The current cybersecurity landscape is problematic because the contracting party is expected to ensure the security of the third party’s networks299 and this oversight has been found to be insufficient.300 Moreover, the FTC continues to target the “big fish” companies even when the third-party service provider lacked reasonable security measures and was the one who was breached.301 Under the status quo, third parties will continue to pose security risks and will remain the “weakest link.” Incorporating blockchain technology can resolve this problem.
Replacing traditional third-party data storage providers with data storage providers operating on the blockchain has tremendous benefits. Companies would have a guaranteed way of ensuring the security of the service provider because data center standards can be codified into the blockchain302 and thus trust can be regulated through code (i.e., “code is law”).303 This would solve the current problem of “insufficient” oversight.304 Moreover, a blockchain-based decentralized storage network offers more security than traditional cloud storage. This would minimize a company’s risk of facing an enforcement action by “reducing the risk posed by a third-party.” Blockchain could remove the “weakest link” third party but still retain the service provider. This can also be more cost-efficient than the traditional third-party data storage structure because storage on the blockchain is up to ninety percent cheaper than storage on traditional servers.305
293. See NAT’L INST. OF STANDARDS & TECH., supra note 12, at 16.
294. See The Trust Machine, ECONOMIST (Oct. 31, 2015), https://www.economist.com/news/leaders/21677198-technology-behind-bitcoin-could-transform-how-economy-works-trust-machine [https://perma.cc/54QG-7XHQ].
295. Shackelford & Myers, supra note 265, at 357.
296. See supra notes 62, 70 and accompanying text.
297. See supra notes 67, 69 and accompanying text.
298. See supra note 65 and accompanying text.
299. See supra note 136 and accompanying text.
300. See supra note 146 and accompanying text.
301. See supra note 148 and accompanying text.
302. See Mike Klein, SAS 70, SSAE 16, SOC and Data Center Standards, DATA CTR. KNOWLEDGE (Mar. 3, 2011), www.datacenterknowledge.com/archives/2011/03/03/sas-70-ssae-16-soc-and-data-center-standards [https://perma.cc/TZM2-DM55].
C. Concerns About Market Adoption, Job Killing, and the “Right to be Forgotten”
Some commentators argue that blockchain technology is “not ready for mainstream deployment”306 and that companies should consider switching to blockchain-based service providers only several years from now, when “the technology’s full potential becomes clear.”307 These commentators compare blockchain’s adoption to “patterns of technology adoption” in the past.308
But the rate of technology adoption is speeding up across the board and innovations introduced more recently are being adopted more quickly.309 For example, it took decades for the telephone to reach fifty percent of U.S. households but only took five years for the cellphone to accomplish the same penetration.310 Companies who move faster to capture opportunities that present themselves have a competitive advantage. Moreover, “[c]hange happens at the enterprise level when new technology solves an A list challenge,” and “cybersecurity is an A list challenge.”311 The combination of
303. See Lawrence Lessig, Code Is Law, HARV. MAG. (Jan. 1, 2000), https://harvardmagazine.com/2000/01/code-is-law-html [https://perma.cc/P8B5-K9VV] (arguing that code should be the regulator of cyberspace).
304. See PONEMON INST., supra note 64, at 3.
305. See, e.g., VORICK & CHAMPINE, supra note 277.
306. TIERION, BLOCKCHAIN HEALTHCARE 2016 REPORT: PROMISE & PITFALLS (2016), https://blog.tierion.com/blockchain-healthcare-2016-report.
307. The Trust Machine, supra note 294.
308. See Marco Iansiti & Karim R. Lakhani, The Truth About Blockchain, HARV. BUS. REV., Jan.–Feb. 2017, https://hbr.org/2017/01/the-truth-about-blockchain [https://perma.cc/B735-B4TW].
309. Rita Gunther McGrath, The Pace of Technology Adoption Is Speeding Up, HARV. BUS. REV. (Nov. 25, 2013), https://hbr.org/2013/11/the-pace-of-technology-adoption-is-speeding-up [https://perma.cc/R4BM-Z6JE].
310. Id.
311. Lunn, supra note 226.
market incentives and cybersecurity benefits that blockchain offers ensures that its adoption will happen sooner rather than later.
Others argue that blockchain technology is a “job killer.”312 They contend that if companies switch from traditional third-party storage to blockchain-based storage providers, traditional workers would be displaced. But this is a trend that has been seen before. And each time, embracing the benefits of technology has won out in spite of its job-killing effect. New technologies disrupt the labor market temporarily, but ultimately generate new and incrementally more jobs.313 Lost jobs are reincarnated in new form. Why should blockchain be any different?
Lastly, there are those that argue that blockchain’s immutable nature conflicts with the European Union’s “right to be forgotten” laws314 and the FTC’s recommendation of disposing of information once a company no longer has any legitimate business need for it.315 Two solutions have been offered to solve this problem. First, prototype blockchains have already been developed in line with the needs of large banks.316 But the ability to edit data on a blockchain while maintaining their authenticity requires the nomination of trustworthy administrators who are authorized to alter the ledger.317 Therefore, some of the essential characteristics of a decentralized database may not be retained. Second, some commentators suggest that instead of having the ability to erase the data off of a blockchain, it should be sufficient to destroy the decryption keys and thus render the data unreadable.318 However, the data is technically still on the blockchain. It is worth noting that a company running a private blockchain can also easily, if desired, revert transactions.319
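As an added illustration of the second proposal above (destroying the decryption key rather than erasing the data), here is an editor's example rather than code from the article or from any blockchain project: a toy hash-chained ledger holds encrypted personal records, the per-subject keys live off-chain in a vault, and "forgetting" a subject means shredding that key. The cipher is an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag, chosen only so the block runs on the Python standard library; the ledger, vault, subject names and record values are all constructed for the example. The demo reproduces the caveat the paragraph raises: after shredding, the ciphertext is still on the chain and the chain still verifies, but the record can no longer be read.

```python
"""Crypto-shredding on an append-only ledger (added example, not from the article).

Toy components: a hash chain standing in for a blockchain, and an HMAC-SHA256
counter-mode stream cipher with an encrypt-then-MAC tag standing in for a real
AEAD such as AES-GCM. A production deployment would use a vetted cipher and a
key-management service, but the erasure logic is the same.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode PRF: block_i = HMAC-SHA256(key, nonce || i)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC with keys derived from one 32-byte subject key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag}


def decrypt(key: bytes, blob: dict) -> Optional[bytes]:
    """Return plaintext, or None if the tag does not verify (wrong key or tampering)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class Ledger:
    """Append-only hash chain: every block commits to the previous block's hash."""

    def __init__(self) -> None:
        self.blocks: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, payload: dict) -> int:
        prev_hash = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"index": len(self.blocks), "prev_hash": prev_hash, "payload": payload}
        body["hash"] = self._digest(body)
        self.blocks.append(body)
        return body["index"]

    def verify(self) -> bool:
        """True if every block hashes correctly and links to its predecessor."""
        prev_hash = "0" * 64
        for i, block in enumerate(self.blocks):
            body = {k: v for k, v in block.items() if k != "hash"}
            if block["index"] != i or block["prev_hash"] != prev_hash or block["hash"] != self._digest(body):
                return False
            prev_hash = block["hash"]
        return True


class KeyVault:
    """Off-chain key store; deleting a key is the only erasure the chain needs."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, subject_id: str) -> bytes:
        return self._keys.setdefault(subject_id, os.urandom(32))

    def get(self, subject_id: str) -> Optional[bytes]:
        return self._keys.get(subject_id)

    def shred(self, subject_id: str) -> bool:
        return self._keys.pop(subject_id, None) is not None


def store_record(ledger: Ledger, vault: KeyVault, subject_id: str, record: dict) -> int:
    blob = encrypt(vault.key_for(subject_id), json.dumps(record, sort_keys=True).encode())
    return ledger.append({"subject": subject_id, **blob})


def read_record(ledger: Ledger, vault: KeyVault, index: int) -> Optional[dict]:
    payload = ledger.blocks[index]["payload"]
    key = vault.get(payload["subject"])
    if key is None:
        return None  # key shredded: ciphertext still on the chain, but unreadable
    plaintext = decrypt(key, payload)
    return None if plaintext is None else json.loads(plaintext)


def demo() -> dict:
    """Constructed sample: two subjects, then 'forget' one by shredding its key."""
    ledger, vault = Ledger(), KeyVault()
    i_alice = store_record(ledger, vault, "alice", {"ssn_last4": "1234"})
    i_bob = store_record(ledger, vault, "bob", {"ssn_last4": "9876"})
    alice_before = read_record(ledger, vault, i_alice)
    vault.shred("alice")
    return {
        "alice_before": alice_before,
        "alice_after": read_record(ledger, vault, i_alice),
        "bob_after": read_record(ledger, vault, i_bob),
        "chain_intact": ledger.verify(),
        "blocks": len(ledger.blocks),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the separation of duties: the chain guarantees integrity and never changes, while the vault is the only component that can make a record readable, so the erasure decision (and its audit trail) lives there. Anyone who copied the key before it was shredded can still decrypt, which is why the paragraph's observation that the data is "technically still on the blockchain" matters for a regulator's view of whether key destruction counts as deletion.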
312. See, e.g., Joichi Ito et al., The Blockchain Will Do to the Financial System What the Internet Did to Media, HARV. BUS. REV. (Mar. 8, 2017), https://hbr.org/2017/03/the-blockchain-will-do-to-banks-and-law-firms-what-the-internet-did-to-media [https://perma.cc/33FM-KPEY].
313. See, e.g., TAPSCOTT & TAPSCOTT, supra note 11, at 270–71.
314. See, e.g., Andries Van Humbeeck, The Blockchain-GDPR Paradox, MEDIUM (Nov. 21, 2017), https://medium.com/wearetheledger/the-blockchain-gdpr-paradox-fc51e663d047 [https://perma.cc/6M9S-QLQB].
315. START WITH SECURITY, supra note 107, at 2.
316. Blockchain From a Perspective of Data Protection Law, DELOITTE, https://www2.deloitte.com/dl/en/pages/legal/articles/blockchain-datenschutzrecht.html [https://perma.cc/3DHA-MUPK].
317. Id.
318. See When the Right to be Forgotten Becomes Possible on the Ethereum Blockchain, NEWS BTC (Nov. 18, 2017, 11:43 PM), https://www.newsbtc.com/press-releases/bcdiploma-right-to-be-forgotten-ethereum-blockchain [https://perma.cc/2L4D-4YMY].
319. See Buterin, supra note 182.
While these problems make blockchain an imperfect substitute for third-party data storage providers, the existence of potential solutions to these problems, coupled with the blockchain’s significant cybersecurity benefits—so desperately needed in an insecure landscape—ensure that blockchain’s adoption will come sooner than anticipated. As noted above, software like blockchain can be considered a reasonable security measure by the FTC even if it is imperfect.320
CONCLUSION
The current cybersecurity landscape is unsustainable. Companies are increasingly relying on third parties for conducting services, yet these third parties continue to be targets of attack due to their weak cybersecurity measures. The problem arises because contracting companies bear the responsibility of ensuring the adequate cybersecurity of third parties: the FTC only goes after the “big fish” companies for unreasonable security measures, even when the third party was the one who was breached due to their own inadequate security. Enforcement actions thus have no direct effect on third parties, and they operate outside cybersecurity enforcement. This oversight mechanism has proven to be inadequate, and third parties remain the untrustable “weakest link.”
Blockchain technology ensures confidentiality, integrity, availability, and resilience—the core components of good cybersecurity. Moreover, the technology, even in its current nascent state, comports with the FTC’s cybersecurity guidelines on reasonableness. The absence of blockchain-based data storage by a large company—with adequate means and who collects sensitive information from many people—can thus be unreasonable. The myriad cybersecurity benefits that blockchain offers make this technology a unique and unparalleled solution to the third-party data breach problem. Large companies handling sensitive and confidential data should start with trust and include blockchain technology as part of their comprehensive cybersecurity plan.
320. See Otto, supra note 118, at 340.