According to a recent Bloomberg Law article [subscription required], in the past year there has been a sharp decline in active civil suits against cryptocurrency exchanges, digital wallet, mobile phone providers and others involving claims related to crypto hacking incidents or cybertheft, due, in part, to increased security protocols and
Cybersecurity
Consumer Law Claims against French Crypto Asset Wallet Provider May Proceed in California Court
Customer lists held by providers and the personal information users enter to obtain digital wallets or set up crypto exchange accounts are enviable targets for hackers. Such data can be used to launch targeted phishing schemes and related scams to trick holders into divulging their private keys or else unknowingly transferring anonymized crypto assets to hackers. One recent case involves a suit brought by customers who purchased a hardware wallet to secure cryptocurrency assets and are seeking redress for harms they allegedly suffered following data breaches that exposed their personal information.
A recent Ninth Circuit decision analyzed whether a federal court had personal jurisdiction over a foreign crypto asset wallet provider, an issue that can be important when litigating in this area, given the boundary-less nature of the world of crypto assets and related services. (Baton v. Ledger SAS, No. 21-17036 (9th Cir. Dec. 1, 2022) (unpublished)).
App Store Protected by CDA Immunity (and Limitation of Liability) for Losses from Fraudulent Crypto Wallet App
Background
The issue of fraudulent crypto-related mobile apps has received much attention of late. Back in July 2022, the FBI issued a notice, warning financial institutions and investors about instances where criminals created spoofed cryptocurrency wallet apps to trick consumers and steal their cryptocurrency. There have also been reports of phishing websites that attempt to trick consumers into entering credentials, thereby enabling hackers to access victims’ crypto wallets. In response to these developments, Senator Sherrod Brown recently sent a letter to Apple, among others, expressing his concern about fraudulent cryptocurrency apps and asking for more information about the particulars of Apple’s process to review and approve crypto apps for inclusion in the App Store.
In a recent ruling, a California district court held that Apple, as operator of the App Store, was protected from liability for losses resulting from that type of fraudulent activity. (Diep v. Apple Inc., No. 21-10063 (N.D. Cal. Sept. 2, 2022)). This case is important in that, on a motion to dismiss, a platform provider was able to use both statutory and contractual protections to avoid liability for the acts of third-party cyber criminals.
New York Financial Regulator Brings First AML and Cybersecurity Enforcement Action against Licensed Crypto Trading Entity
In what is the New York Department of Financial Services’ (NYDFS) first enforcement action against a NYDFS-licensed “virtual currency business,” on August 1, 2022, the agency announced a $30 million settlement with cryptocurrency investing platform Robinhood Crypto, LLC (“RHC”). The settlement addressed charges stemming from what the NYDFS cited as various deficiencies during 2019-20 of RHC’s Bank Secrecy Act (BSA) and anti-money laundering (AML) program and RHC’s cybersecurity obligations under the agency’s Virtual Currency “BitLicense” regulation (23 NYCRR Part 200) and Cybersecurity Regulation (23 NYCRR Part 500), among other things.
NYDFS has been active in crypto regulation for many years. In 2015, New York was the first state to promulgate a comprehensive framework for regulating virtual currency-related businesses. The keystones of the BitLicense regulations are consumer protection, anti-money laundering compliance and cybersecurity rules that are intended to place appropriate “guardrails” around the industry while allowing innovation. In addition, NYDFS’s Cybersecurity Regulation went into effect in March 2017 and generally requires all covered entities, including licensed virtual currency businesses, to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of its information systems. Licensed virtual currency companies are subject to the same AML and cybersecurity regulations as traditional financial services companies.
SEC to Hire More Staff in Crypto Assets and Cyber Unit and Ratchet Up Scrutiny of Industry
The Securities and Exchange Commission (SEC) announced today that it would add 20 additional positions to the Crypto Assets and Cyber Unit (formerly known as the Cyber Unit) within the Division of Enforcement, increasing the number of dedicated positions to 50. The “Crypto Unit” is tasked with protecting investors in crypto markets and from cyber-related threats. With more personnel and resources available, the SEC believes the unit will be “better equipped to police wrongdoing in the crypto markets” while still staying involved in disclosure and controls issues with respect to cybersecurity.
According to the release, the 20 additional hires will include supervisors, investigative staff attorneys and fraud analysts, with a focus on investigating securities law violations in: crypto asset offerings, exchanges, and lending and staking products; decentralized finance (“DeFi”) platforms; non-fungible tokens (“NFTs”); and stablecoins.
As we stated in a recent post, statements and proposals by financial regulators suggest that providers should expect more scrutiny and additional compliance hurdles going forward.
Treasury Department Steps Up Its Counter-Ransomware Efforts and Simultaneously Issues New Sanctions Compliance Guidance for Virtual Currency Industry
Recently, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury Department, released a report on ransomware trends stating that during the first half of 2021, 68 different ransomware variants extracted approximately $600 million from victims across the country. FinCEN identified Bitcoin as the most common ransomware-related payment method in reported transactions and noted that ransomware incidents requesting Monero (XMR) – what FinCEN refers to as an anonymity-enhanced cryptocurrency – are increasing as hackers seek to reduce the transparency and traceability of such transactions.
Given this environment, the White House and Treasury Department have sought to counter the ransomware threat by taking a number of actions, including holding a virtual two-day multinational summit on ransomware, conducting classified threat briefings for critical infrastructure executives, and establishing some expected cybersecurity thresholds for critical infrastructure providers. Compounding these efforts, the Treasury Department is leveraging existing Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) controls that already apply to fiat currency and enforcing them more deliberately toward virtual currency to combat ransomware attacks.
Two days after the White House issued its October 13, 2021 Fact Sheet detailing these anti-ransomware efforts, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued its “Sanctions Compliance Guidance for the Virtual Currency Industry” (“Guidance”).
Blockchain 51% Attacks – Lessons Learned for Developers and Trading Platform Operators
Once purely theoretical, “majority” or “51%” attacks on public blockchains have dealt participants a reality check: The fundamental assumption of Satoshi Nakamoto’s 2008 Bitcoin whitepaper (that computing power will remain sufficiently decentralized in blockchain networks that rely on a “proof-of-work” consensus mechanism) can in practice actually be exploited to enable double spending.
“The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes…. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes.” – Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System
These incidents have provided opportunities for developers of both public and private blockchains, as well as operators of blockchain-based digital asset trading platforms, to learn from the first generation of blockchain deployments.
Cover Article: Practical Law – The Journal, June/July Issue | “Supply Chain Management – Implementing Blockchain Technology”
We are happy to report that our recent in-depth Practice Note on Blockchain as applied to Supply Chain Management was selected to appear as the cover story for the June/July issue of Practical Law – The Journal.