Start With Trust: Utilizing Blockchain to Resolve
the Third-Party Data Breach Problem
Phillip Shaverdian
AUTHOR
J.D., UCLA School of Law, 2019; B.A., University of California, Los Angeles, 2015. The opinions
expressed in this Comment reflect the author’s personal views only. A special thank you to Professor
Kristen Eichensehr for her guidance, insight, and pushback and the entire UCLA Law Review board
and staff for their tireless work and thoughtful edits.
Introduction 1244
I. Current Cybersecurity Landscape 1246
A. What is Cybersecurity? 1246
B. Breadth and Scope of the Problem 1249
II. Cybersecurity Enforcement in the United States 1255
A. What is “Unreasonable”? 1257
1. Failing to Adopt Readily Available Technology 1259
2. Leaving Gaps in Encryption/Security in the Storage-Transmission Chain 1260
3. Responding and Recovering Too Slowly From Breaches 1261
4. Inadequately Policing the Security of Third-Party Service Providers 1261
B. Cybersecurity of Third Parties and Inconsistent Enforcement 1262
III. What is Blockchain? 1263
A. Blockchain Technology 1263
B. Public, Consortium, and Private Blockchains 1267
C. Applications 1269
IV. Blockchain and Cybersecurity 1273
A. How Blockchain Can Enhance Cybersecurity 1273
1. Confidentiality 1275
2. Integrity 1277
3. Availability 1278
4. Resilience 1278
B. Absence of Blockchain as Unreasonable in the Data Storage Context 1279
1. Adopting Readily Available Technology 1280
2. Filling Gaps in Encryption/Security in the Storage-Transmission Chain 1282
3. Responding and Recovering Quickly From Breaches 1284
4. Ensuring the Security of Third-Parties: The Trust Machine 1284
C. Concerns About Market Adoption, Job Killing, and the “Right to be Forgotten” 1286
Conclusion 1288
1244 66 UCLA L. REV. 1242 (2019)
INTRODUCTION
Data breaches have been the topic of headlines more often than not in
recent memory. With breaches ranging from Sony,1 to the Democratic
National Committee (DNC),2 to the U.S. Navy and its industry partners,3 to
Equifax,4 no industry or sector remains impervious to cyberattacks. And this
trend will likely get worse. In fact, there was a record high of 1,579 breaches in
2017—a 45 percent increase from 2016.5 What is even more frightening is that
in 516 of the 584 reported company breaches, the number of total records
compromised is unknown.6 This data might make someone reconsider his or
her nomenclature. Is this cybersecurity or cyberinsecurity?
Yet the so-called third-party problem, which arises from large companies’
use of smaller third-party companies to store sensitive data, is even more
shocking. In 2017, 56 percent of companies had a third-party breach. That
number is projected to rise because companies are increasingly relying on third
parties, yet they often do not know exactly what information the third party
carries.7 Moreover, the current cybersecurity enforcement regime forces
companies to conduct their own oversight of third parties—as evinced through
the Federal Trade Commission’s (FTC) 2015 guidebook titled “Start with
Security”—which has proven inadequate.8 This is because the FTC continues
to bring cybersecurity enforcement actions against the larger companies even
1. See David E. Sanger & Nicole Perlroth, U.S. Said to Find North Korea Ordered Cyberattack
on Sony, N.Y. TIMES (Dec. 17, 2014), https://www.nytimes.com/2014/12/18/world/
asia/us-links-north-korea-to-sony-hacking.html [https://perma.cc/DP5X-ME7D].
2. See Raphael Satter, Inside Story: How Russians Hacked the Democrats’ Emails,
ASSOCIATED PRESS (Nov. 4, 2017), https://www.apnews.com
/dea73efc01594839957c3c9a6c962b8a [https://perma.cc/57VB-CW65].
3. See Gordon Lubold & Duston Volz, Navy, Industry Partners Are ‘Under Cyber Siege’ by
Chinese Hackers, Review Asserts, WALL ST. J. (Mar. 12, 2019, 2:32 PM),
https://www.wsj.com/articles/navy-industry-partners-are-under-cyber-siege-review-
asserts-11552415553 [https://perma.cc/3PZX-BXVQ].
4. See Donna Borak & Kathryn Vasel, The Equifax Hack Could Be Worse Than We Thought,
CNN (Feb. 10, 2018, 10:43 AM), https://money.cnn.com/2018/02/09/pf/equifax-hack-
senate-disclosure/index.html [https://perma.cc/3W28-W5QK].
5. IDENTITY THEFT RES. CTR., 2017 ANNUAL DATA BREACH YEAR-END REVIEW (2018),
https://www.idtheftcenter.org/images/breach/2017Breaches/2017AnnualDataBreachYe
arEndReview.pdf [https://perma.cc/5WZ8-BNZK].
6. See, e.g., Gretel Egan, Scary Data Breach Statistics of 2017, WOMBAT
SECURITY (Oct. 27, 2017), https://www.wombatsecurity.com/blog/scary-data-
breach-statistics-of-2017 [https://perma.cc/M8F6-JSQV].
7. See infra notes 62–67 and accompanying text.
8. See infra notes 50–58, 66, 141, 148, and accompanying text.
when it was the third party that was breached.9 These third parties often handle
the same highly sensitive and confidential information as the larger company,
but escape FTC enforcement, and therefore live in a realm outside
cybersecurity enforcement. Under the current structure, these so-called
trusted third parties are often practically untrustable and continue to remain
the weakest link in a landscape plagued with cyber-insecurity.
This Comment argues that utilizing blockchain-based data storage
instead of third-party storage providers will not only reduce cybersecurity risk
but will also reduce legal risk in the eyes of the FTC. The FTC brings
enforcement actions against companies’ unfair practices, and has treated the
failure to maintain reasonable cybersecurity protocols as an unfair practice.10 Large
companies can ensure their protocols are reasonable only by somehow
establishing trust in third-party service providers that have up until now been
insecure and untrustable. When it comes to third-party service providers,
large companies should start with trust by using blockchain technology as part
of their comprehensive cybersecurity plan. The absence of this “technological
genie [that] has been unleashed from its bottle”11 might well be deemed
unreasonable by the FTC.
Part I reviews what cybersecurity is and what it attempts to accomplish,
particularly its four dimensions of confidentiality, integrity, availability, and
resilience. It also gives an overview of the current cybersecurity landscape by
examining the breadth and scope of attacks in general and on third parties in
particular.
Part II examines the cybersecurity enforcement regime in the United
States and explores some guidelines that would be relevant to incorporating
blockchain into the FTC’s understanding of reasonableness. These FTC
guidelines include (1) using readily available technology, (2) protecting data
during storage and transmission, (3) responding and recovering from cyber
attacks, and (4) ensuring the security of third parties. An analysis of why the
current enforcement regime is inadequate to address the third-party problem
follows.
Part III dissects blockchain technology and its components and lists
various potential and actual applications. While a relatively new concept,
blockchain’s genius lies in its unique combination of two breakthroughs in
12. NAT’L INST. OF STANDARDS & TECH., FRAMEWORK FOR IMPROVING CRITICAL
INFRASTRUCTURE CYBERSECURITY 45 (2018), https://nvlpubs.nist.gov/nistpubs/CSWP
/NIST.CSWP.04162018.pdf [https://perma.cc/6NSZ-89B6].
13. P.W. SINGER & ALLAN FRIEDMAN, CYBERSECURITY AND CYBERWAR: WHAT EVERYONE
NEEDS TO KNOW 34 (2014).
14. See, e.g., MANUEL CASTELLS, THE INFORMATION AGE: ECONOMY, SOCIETY AND CULTURE,
VOLUME III: END OF MILLENNIUM (Wiley-Blackwell 2d ed. 2010).
15. The “internet of things” is “the concept of basically connecting any device with an on and
off switch to the Internet (and/or to each other). This includes everything from
cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and
almost anything else you can think of.” Jacob Morgan, A Simple Explanation of ‘The
Internet of Things’, FORBES (May 13, 2014, 12:05 AM), https://www.forbes.com/sites
/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-
understand/#2b658d711d09 [https://perma.cc/6R9P-4QMS]. There is tension within the
U.S. government on what office or agency should police the potential vulnerabilities
presented by the internet of things. See, e.g., Kristen Eichensehr, Security and the Internet
of Things, JUST SECURITY (Feb. 11, 2016), https://www.justsecurity.org/29258/security-
internet-of-things [https://perma.cc/D4W8-ASSZ].
16. Information security is “[t]he protection of information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction in order to
ensure confidentiality, integrity, and availability.” MICHAEL NIELES ET AL., U.S. DEP’T OF
COMMERCE NAT’L INST. OF STANDARDS & TECH., AN INTRODUCTION TO INFORMATION
SECURITY 2 (2017), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
12r1.pdf [https://perma.cc/Z4V9-PMHS].
17. Information includes “(1) Facts or ideas, which can be represented (encoded) as various
forms of data; (2) Knowledge (e.g., data, instructions) in any medium or form that can be
communicated between system entities.” Id.
18. Id.
19. SINGER & FRIEDMAN, supra note 13, at 35.
20. Id.
21. AN INTRODUCTION TO INFORMATION SECURITY, supra note 16, at 2–3.
22. SINGER & FRIEDMAN, supra note 13, at 35.
23. See NIELES ET AL., supra note 16, at 3.
24. Id.
25. Id.
26. See SINGER & FRIEDMAN, supra note 13, at 35; More Than 2.5 Billion Records Stolen or
Compromised in 2017, GEMALTO (Apr. 11, 2018), https://www.gemalto.com/press/pages
/more-than-2-5-billion-records-stolen-or-compromised-in-2017.aspx [https://perma.cc
/96JX-YPM3] (“The manipulation of data or data integrity attacks pose an arguably more
unknown threat for organizations to combat than simple data theft” because “data
integrity breaches are often difficult to identify and in many cases, where this type of
attack has occurred, we have yet to see the real impact.” (quoting Jason Hart, Vice
President and Chief Technology Officer for Data Protection at Gemalto)).
Data breaches occur almost every day in nearly every industry, and in too
many places across the country and globe to keep a precise count. The
following examples are intended to illustrate the breadth and scope of data
breaches and cyber attacks. This is by no means a comprehensive list.
The account information of three billion Yahoo! users was compromised
after the company suffered a data breach in 2013.37 A cyber attack suffered by
eBay in 2014 exposed the names, addresses, dates of birth, and passwords of
145 million users.38 The personal information of 412 million people, including
twenty years of historical customer data, was exposed when
AdultFriendFinder was hacked in 2016.39 A data breach at Equifax, one of the
largest credit bureaus in the United States, exposed the personal information
of 145.5 million people, including Social Security numbers, dates of birth, and
in some cases drivers’ license numbers and credit card data.40 Moreover, in a
study conducted in the United Kingdom, nearly half of the businesses in the
nation reported cybersecurity breaches within a twelve-month period.41
But cybersecurity breaches are not limited to the private sector. The
Federal Reserve Bank of Cleveland was the victim of a cyberhack in 2010.42
Personal information, including Social Security numbers, of 22.1 million
people was stolen when the Office of Personnel Management was hacked in
2015.43 In the same year, the European Union Central Bank’s database—which
37. Selena Larson, Every Single Yahoo Account Was Hacked—3 Billion In All, CNN (Oct. 4,
2017, 6:36 AM), https://money.cnn.com/2017/10/03/technology/business/yahoo-
breach-3-billion-accounts/index.html [https://perma.cc/H5LG-JNJQ].
38. Jim Finkle, Soham Chatterjee & Lehar Maan, EBay Asks 145 Million Users to Change
Passwords After Cyber Attack, REUTERS (May 21, 2014, 4:21 AM), https://www.reuters.
com/article/us-ebay-password/ebay-asks-145-million-users-to-change-passwords-
after-cyber-attack-idUSBREA4K0B420140521 [https://perma.cc/3RS4-BHUE].
39. Steve Ragan, 412 Million FriendFinder Accounts Exposed by Hackers, CSO (Nov. 13, 2016,
8:00 AM), https://www.csoonline.com/article/3139311/security/412-million-friend
finder-accounts-exposed-by-hackers.html [https://perma.cc/7S5N-DZPE].
40. Borak & Vasel, supra note 4.
41. DEP’T FOR DIG., CULTURE, MEDIA & SPORT, CYBER SECURITY BREACHES SURVEY 2018 (2018),
https://assets.publishing.service.gov.uk/government/uploads/system/
uploads/attachment_data/file/702074/Cyber_Security_Breaches_Survey_2018_-
_Main_Report.pdf [https://perma.cc/PY67-4VJY].
42. Jonathan Dienst, Hacker Breaks Into Federal Reserve, NBC N.Y. (Nov. 18, 2010, 1:33 PM),
https://www.nbcnewyork.com/news/local/Feds-Hacker-Exploits-Federal-Reserve-
Bank-In-Cleveland-108985059.html [https://perma.cc/FC6V-E8GZ].
43. Patricia Zengerle & Megan Cassella, Millions More Americans Hit by Government
Personnel Data Hack, REUTERS (July 9, 2015, 12:51 PM),
https://www.reuters.com/article/us-cybersecurity-usa/millions-more-americans-hit-by-
government-personnel-data-hack-idUSKCN0PJ2M420150709
[https://perma.cc/ZLM8-ER3J].
44. Brian Honan, European Central Bank Hacked, CSO (July 31, 2015, 8:22 AM),
https://www.csoonline.com/article/2955278/data-breach/european-central-bank-
hacked.html [https://perma.cc/2YVE-RPBP].
45. Alexandra Stevenson & Carlos Tejada, S.E.C. Says It Was a Victim of Computer Hacking
Last Year, N.Y. TIMES (Sept. 20, 2017), https://www.nytimes.com/2017/09/20/business/
sec-hacking-attack.html [https://perma.cc/NAJ3-4ZG9].
46. See, e.g., North Korea Likely Behind $81M Hack at the Federal Reserve, Report Says, FOX
NEWS (Apr. 5, 2017), www.foxnews.com/tech/2017/04/05/north-korea-likely-behind-
81m-hack-at-federal-reserve-report-says.html [https://perma.cc/V6EZ-RUH6].
47. Kristen Eichensehr, Three Questions on the WannaCry Attribution to North Korea, JUST
SECURITY (Dec. 20, 2017), https://www.justsecurity.org/49889/questions-wannacry-
attribution-north-korea [https://perma.cc/79D9-9NVD]; see also infra notes 57–58 and
accompanying text.
48. Sanger & Perlroth, supra note 1.
49. Tom Hamburger, Rosalind S. Helderman & Ellen Nakashima, Democratic Party Sues
Russia, Trump Campaign and WikiLeaks Alleging 2016 Campaign Conspiracy, WASH.
POST (Apr. 20, 2018), https://www.washingtonpost.com/politics/democratic-party-files-
lawsuit-alleging-russia-the-trump-campaign-and-wikileaks-conspired-to-disrupt-the-
2016-campaign/2018/04/20/befe8364-4418-11e8-8569-26fda6b404c7_story.html?
utm_term=.588f72a3d3ce [https://perma.cc/TN9M-ZGBJ].
50. More Than 2.5 Billion Records Stolen or Compromised in 2017, supra note 26.
51. Kaspersky Lab Survey: Cyberattacks Cost Large Businesses in North America an Average of
$1.3M, KASPERSKY LAB (Sept. 19, 2017), https://usa.kaspersky.com/about/press-releases/
2017_kaspersky-lab-survey-cost-of-cyberattacks-for-large-businesses-in-north-america
[https://perma.cc/LVP6-AHW5].
breaches around the world increased in 2017 to more than 24,000 records per
breach, with the United States standing at an average of more than 28,000
records per breach.52 This study also estimated “an average probability of 27.7
percent that organizations in this study will have a material data breach in the
next 24 months.”53
While security appears to be receiving a larger percentage of large
companies’ overall Information Technology (IT) budget, the budget itself is
getting smaller.54 The average IT budget for large businesses dropped from
$25.5 million in 2016 to $13.7 million in 2017.55 This is troubling because,
according to experts, “[t]hings are bad and they’re going to get worse.”56 This
is not only because hackers are exploiting sophisticated government hacking
tools,57 but also because companies and government agencies frequently fail to
patch holes in their systems in a timely manner.58
52. PONEMON INST., 2017 COST OF DATA BREACH STUDY: GLOBAL OVERVIEW 11 (2017),
https://info.resilientsystems.com/hubfs/IBM_Resilient_Branded_Content/White_Pape
rs/2017_Global_CODB_Report_Final.pdf.
53. Id. at 1.
54. KASPERSKY LAB, supra note 51.
55. Id.
56. Selena Larson, Why Hacks Like Equifax Will Keep Happening, CNN (Sept. 29, 2017, 8:49
AM), money.cnn.com/2017/09/29/technology/business/equifax-hack-2017-cyberatt
acks/index.html?iid=EL [https://perma.cc/6JQY-FSYA].
57. In 2017, a group of hackers released a collection of spy tools allegedly used by the National
Security Agency (NSA) that could be used to exploit vulnerabilities in Microsoft
Windows computers and servers. See, e.g., Selena Larson, NSA’s Powerful Windows
Hacking Tools Leaked Online, CNN (Apr. 15, 2017, 12:13 PM), money.cnn.
com/2017/04/14/technology/windows-exploits-shadow-brokers/index.html?iid=EL
[https://perma.cc/RK34-D3PZ]. The leaked NSA exploit exposed a vulnerability in the
Microsoft Windows operating system that hackers used to create ransomware called
“WannaCry,” which infected over 300,000 computers around the globe in May 2017. See
Danny Palmer, Your Failure to Apply Critical Cybersecurity Updates Is Putting Your
Company at Risk From the Next WannaCry or Petya, ZDNET (Aug. 21, 2017),
https://www.zdnet.com/article/your-failure-to-apply-critical-cyber-security-updates-
puts-your-company-at-risk-from-the-next [https://perma.cc/R4AR-W3TD].
58. A recent study conducted by the cybersecurity ratings company BitSight revealed that
more than 50 percent of computers in over 2000 organizations run an outdated version
of Microsoft Windows and more than 8500 companies have failed to update their web
browsers on more than half of their machines. Joel Alcon, Latest BitSight Insights Explores
A Growing Risk Frequently Ignored: Critical Updates, BITSIGHT (June 8, 2017), https://
www.bitsighttech.com/blog/latest-bitsight-insights-explores-growing-risk-frequently-
ignored-critical-updates [https://perma.cc/DR2Z-QF7N]. Although Microsoft released
an emergency patch for their operating system in response to the WannaCry
ransomware, many companies, including the multinational electronics company LG,
failed to apply the security patches. LG Hit by WannaCry Ransomware After IT Staff Fail
to Apply Security Patches, COMPUTING (Aug. 18, 2017), https://www.computing.co.
uk/ctg/news/3015875/lg-hit-by-wannacry-ransomware-after-it-staff-fail-to-apply-sec
urity-patches [https://perma.cc/G349-9QEW].
67. KASPERSKY LAB, DAMAGE CONTROL: THE COST OF SECURITY BREACHES 5 (2015),
https://media.kaspersky.com/pdf/it-risks-survey-report-cost-of-security-breaches.pdf
[https://perma.cc/6J3W-MUZ3].
68. Maria Korolov, What is a Supply Chain Attack? Why You Should Be Wary of Third-Party
Providers, CSO (Apr. 4, 2018, 8:15 AM), https://www.csoonline.com/article/3191947
/data-breach/what-is-a-supply-chain-attack-why-you-should-be-wary-of-third-party-
providers.html [https://perma.cc/C624-FG9Q].
69. See SECURITYSCORECARD, WHY THIRD PARTY SECURITY BREACHES ARE ON THE RISE 1
(2016) (“The insecure entry points of third party systems are being heavily targeted,
especially when third parties are smaller organizations with limited security resources
and are connected to larger organizations with employee data, customer records, and
credit card information.”).
70. Berman, supra note 62.
71. SECURITYSCORECARD, supra note 69, at 1.
72. Michelle Drolet, The Challenges of Third-Party Risk Management, CSO (Nov. 17, 2015,
11:40 AM), https://www.csoonline.com/article/3005320/application-security/the-
challenges-of-third-party-risk-management.html [https://perma.cc/YV3W-GWFC].
73. SECURITYSCORECARD, supra note 69, at 2 (“In over 60% of [third-party] breaches,
attackers were able to infiltrate the target within minutes,” as smaller companies do not
always have “sophisticated protocols in place to ensure that all data is secure in their own
data—and partners’ data.”).
74. Id.
of security.75 Thus a hacker can attack the weakest link in the chain and gain
access to a larger and more secured company’s data.76
A third party was the attack vector77 in the 2013–2014 Target data
breach.78 Fazio Mechanical Services, a ventilation and air conditioning
(HVAC) subcontractor, worked at a number of Target locations and had
external network access.79 It is common for large retail operations to give this
type of access to their HVAC servicers because these “vendors need to be able
to remote into the system in order to do maintenance (updates, patches, etc.)
or to troubleshoot glitches and connectivity issues with the software.”80
Hackers stole Fazio’s network credentials and gained access to Target’s
systems, uploading credit-card-stealing software to a number of cash registers
within Target stores.81 This breach exposed forty million Target credit and
debit card numbers as well as sixty million personal information records of
customers.82
A third party was also the weakest link in the 2015 cyberattack on CVS
Photo, in which hackers breached the servers of PNI Digital Media, a company
that handled the credit card transactions for the photo-uploading site.83
Similarly, in 2014 Goodwill Industries was breached through C&K Systems
Inc., their third-party payment vendor.84 Many other large organizations have
had their servers breached because of poor third-party security: Philips (2012),
Cogent Healthcare (2013), Lowe’s (2014), Dairy Queen and TacoTime (2014),
Home Depot (2014), Department of Veterans Affairs (2014), Zoup (2015),
75. Id.
76. See infra note 148 and accompanying text.
77. “An attack vector is a path or means by which a hacker . . . can gain access to a computer
or network server. . . . ” Margaret Rouse, Attack Vector, SEARCHSECURITY,
https://searchsecurity.techtarget.com/definition/attack-vector [https://perma.cc/2RLC-
A7XN].
78. Brian Krebs, Target Hackers Broke in Via HVAC Company, KREBSONSECURITY (Feb. 5,
2014, 1:52 PM), https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-
company [https://perma.cc/9TJD-BJ99].
79. Id.
80. Id.
81. Id.
82. Robert Bond, Poor Third-Party Vendor Security Can Lead to Data Breach, HITACHI SYS.
SECURITY (Oct. 31, 2017), https://www.hitachi-systems-security.com/blog/poor-third-
party-vendor-security-can-lead-to-data-breach [https://perma.cc/2HD4-2VBH].
83. Brian Krebs, CVS Probes Card Breach at Online Photo Unit, KREBSONSECURITY (July 17,
2015, 10:15 AM), https://krebsonsecurity.com/2015/07/cvs-probes-card-breach-at-
online-photo-unit [https://perma.cc/V3TN-LDAA].
84. Brian Krebs, Breach at Goodwill Vendor Lasted 18 Months, KREBSONSECURITY (Sept. 16,
2014, 3:21 PM), https://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-
lasted-18-months [https://perma.cc/6RT2-NJNM].
AT&T Services, Inc. (2015), Harbortouch (2015), Clif Family Wineries (2015),
Louisville Metro Government (2015), Detroit Zoo (2015), California State
University (2015), Jimmy John’s (2015), Netflix (2015), Sonic Drive-In (2017),
and Whole Foods (2017).85
A company is responsible for ensuring that third-party contractors
implement reasonable security measures.86 This is problematic because
building trust between a company and a third party can be difficult,87 and third
parties often evade FTC enforcement actions.88
Breaches of third-party service providers are not limited to the private
sector. More recently, in 2018 the Secretary of the Navy released a
“Cybersecurity Review” that directed, among other things, a “[r]eview [of] the
appropriateness of the Navy’s organizational culture and that of its supporting
contractors.”89 This Review came in light of an “increase[] in both the severity
and sophistication” of “attempts to steal critical information” that resulted in
“several significant compromises of classified information.”90 Additionally,
hackers gained access to the personal information and credit card numbers of
Department of Defense personnel through a system maintained by a third-
party contractor.91
85. See, e.g., PROSKAUER, PRIVACY AND DATA SECURITY, RECENT DATA SECURITY BREACHES
INVOLVING THIRD-PARTY VENDORS (2017), https://www.privacyandsecurityforum.com
/wp-content/uploads/2015/10/25092-Privacy-and-Data-Security-Breach.pdf
[https://perma.cc/4UFQ-W4UW]; Bond, supra note 82.
86. See infra Part II.A.4.
87. See infra notes 144–146 and accompanying text.
88. See infra Part II.B.
89. Memorandum from Richard V. Spencer, Sec’y of the Navy on Cybersecurity Review (Oct.
12, 2018), https://www.wsj.com/public/resources/documents/NavyMemo10-12-
2018.pdf?mod=article_inline [https://perma.cc/2HTU-3Z9K].
90. Id.
91. See Lee Mathews, Department of Defense Data Breach Exposes 30,000 Employees, FORBES
(Oct. 14, 2018, 11:48 AM),
https://www.forbes.com/sites/leemathews/2018/10/14/department-of-defense-data-
breach-exposes-30000-employees/#715db06f1a6b [https://perma.cc/TC8W-J9VR].
92. See infra note 105 and accompanying text.
93. See, e.g., Kristen E. Eichensehr, Public-Private Cybersecurity, 95 TEX. L. REV. 467, 473
(2017) (“[T]he system is complicated and will require context-dependent solutions to
novel relationships that will continue to evolve as both the government and the private
sector attempt to improve cybersecurity.”).
94. See, e.g., COMM’N ON ENHANCING NAT’L CYBERSECURITY, REPORT ON SECURING AND
GROWING THE DIGITAL ECONOMY (2016), https://www.nist.gov/sites/default/files
/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf
[https://perma.cc/977U-MEJS].
95. See, e.g., Eichensehr, supra note 15 (highlighting the tension between consumer
protection and law enforcement/intelligence agencies).
96. See, e.g., FIN. SECTOR ADVISORY CTR., WORLD BANK GRP., FINANCIAL SECTOR’S
CYBERSECURITY: A REGULATORY DIGEST (2017), pubdocs.worldbank.org/en/524
901513362019919/FinSAC-CybersecDigestOct-2017-Dec2017.pdf [https://perma.cc
/B3RA-HEF8].
97. Federal Trade Commission Act of 1914, 15 U.S.C. § 45(a) (2012).
98. William R. Denny, Cybersecurity as an Unfair Practice: FTC Enforcement Under Section 5
of the FTC Act, BUS. L. TODAY, June 2016, at 1.
99. FED. TRADE COMM’N, PRIVACY & DATA SECURITY UPDATE: 2017 4 (2017),
https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-
2017-overview-commissions-enforcement-policy-initiatives-
consumer/privacy_and_data_security_update_2017.pdf [https://perma.cc/X3V6-BG
PD] [hereinafter FTC PRIVACY & DATA SECURITY UPDATE].
A. What is “Unreasonable”?
100. See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 243–45 (3d Cir. 2015); Denny,
supra note 98.
101. Wyndham Worldwide Corp., 799 F.3d at 240.
102. Id. at 249.
103. Id. at 255.
104. Statement from FTC Chairwoman Edith Ramirez on Appellate Ruling in the Wyndham
Hotels and Resorts Matter, FED. TRADE COMM’N (Aug. 24, 2015),
https://www.ftc.gov/news-events/press-releases/2015/08/statement-ftc-chairwoman-
edith-ramirez-appellate-ruling-wyndham [https://perma.cc/5BCZ-4TZK].
105. See, e.g., FTC PRIVACY & DATA SECURITY UPDATE, supra note 99, at 4 (“Since 2002, the
FTC has brought over 60 cases against companies that have engaged in unfair or deceptive
practices that put consumers’ personal data at unreasonable risk.”). The main
cybersecurity statutes also require a “reasonable” level of security. See Financial Services
Modernization Act of 1999, Pub. L. No. 106–102, 113 Stat. 1338 (1999) (requires
reasonable data security measures for nonbank financial institutions); Children’s Online
Privacy Protection Act of 1998, Pub. L. No. 105–277, 112 Stat. 2681–728 (1998) (requires
reasonable security measures for data about children collected online); Health Insurance
Portability and Accountability Act of 1996, Pub. L. No. 104–191, 110 Stat. 1936 (1996)
(requires reasonable safeguards for personal health information); Fair Credit Reporting
Act, Pub. L. No. 91–508, 84 Stat. 1128 (1970) (requires credit reporting agencies to use
reasonable procedures to ensure proper disclosure of consumer information).
106. See FTC PRIVACY & DATA SECURITY UPDATE, supra note 99, at 1 (“This broad authority
allows the Commission to address a wide array of practices affecting consumers,
including those that emerge with the development of new technologies . . . .”).
107. FED. TRADE COMM’N, START WITH SECURITY: A GUIDE FOR BUSINESS (2015),
https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsec
urity.pdf [https://perma.cc/UC3F-Y2MW] [hereinafter START WITH SECURITY].
108. Id. at 1.
109. See NAT’L INST. OF STANDARDS & TECH., supra note 12.
110. Andrea Arias, The NIST Cybersecurity Framework and the FTC, FED. TRADE COMM’N
(Aug. 31, 2016, 2:34 PM), https://www.ftc.gov/news-events/blogs/business-
blog/2016/08/nist-cybersecurity-framework-ftc [https://perma.cc/4HRA-JP8C] (“In
February 2013, President Obama issued Executive Order 13636, ‘Improving Critical
Infrastructure Cybersecurity,’ which called on the Department of Commerce’s National
Institute of Standards and Technology (NIST) to develop a voluntary risk-based
Cybersecurity Framework for the nation’s critical infrastructure—that is, a set of industry
standards and best practices to help organizations identify, assess, and manage
cybersecurity risks.”) The NIST Framework is a compilation of guidelines and “does not
introduce new standards or concepts.” Id.
111. Microsoft Corp., Docket No. C-4069 (Fed. Trade Comm’n Dec. 20, 2002) (decision and
order).
112. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 14–15.
Start With Trust 1259
113. Microsoft Corp., supra note 111, at 2; EPN, Inc., Docket No. C-4370, at 2 (Fed. Trade
Comm’n Oct. 3, 2012) (decision and order); Genelink, Inc., Docket No. 112 3095, at 7
(Fed. Trade Comm’n Aug. 2013) (decision and order).
114. START WITH SECURITY, supra note 107, at 12.
115. See HTC America, Inc., 155 F.T.C. 1617 (2013). The FTC takes it upon itself to stay
current with the most recent technological developments, through studies and
workshops, and has even been dubbed the “Federal Technology Commission.” See Neil
Chilson, How the FTC Keeps Up on Technology, FTC (Jan. 4, 2018, 11:52 AM),
https://www.ftc.gov/news-events/blogs/techftc/2018/01/how-ftc-keeps-technology
[https://perma.cc/AN3L-UYZX].
116. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 36.
117. Id. at 10.
118. Paul N. Otto, Reasonableness Meets Requirements: Regulating Security and Privacy in
Software, 59 DUKE L.J. 309, 340 (2009).
119. See Letter from Maneesha Mithal, Assoc. Dir., Div. of Privacy & Identity Prot., Fed. Trade
Comm’n, to Dana Rosenfeld, Counsel for Verizon Commc’ns, Inc. (Nov. 12, 2014),
https://www.ftc.gov/system/files/documents/closing_letters/verizon-communications-inc./141112verizonclosingletter.pdf
[https://perma.cc/F7MX-XJMC]; TRENDnet, Inc., Docket No. C-4426 (Fed. Trade Comm’n Jan. 16, 2014).
120. HTC America Inc., 155 F.T.C. at *4.
The FTC made it clear that this risk could have been prevented by ensuring that
the data was secure throughout its lifecycle.129 Security procedures and
technology must protect the confidentiality, integrity, and availability of data
while it is in storage and in transit.130
137. See Complaint for Permanent Injunction and Other Equitable Relief, FTC v. Ruby Corp.,
No. 1:16-cv-02438 (D.D.C. 2016 Dec. 14, 2016) [hereinafter Ashley Madison Complaint];
GMR Transcription Servs., Inc., Docket No. C-4482 (Fed. Trade Comm’n Aug. 14, 2014)
[hereinafter GMR Transcription Complaint].
138. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 16.
139. See TJX Companies, Inc., Docket No. C-4227, at 2–3 (Fed. Trade Comm’n July 29, 2008)
(complaint).
140. START WITH SECURITY, supra note 107, at 9; see also CardSystems Solutions, Inc., Docket
No. C-4168, at 2 (Fed. Trade Comm’n Sept. 5, 2006) [hereinafter CardSystems Solutions
Complaint]; Dave & Buster’s, Inc., 149 F.T.C. 1450 (2010) [hereinafter Dave & Buster’s
Complaint].
141. Dave & Buster’s Complaint, supra note 140, at 1452.
142. START WITH SECURITY, supra note 107, at 8.
143. See supra note 136 and accompanying text.
144. GERMANO, supra note 136, at 4.
145. Id.
146. PONEMON INST., supra note 64, at 3.
147. See supra notes 59–63 and accompanying text.
that was initially breached (the third party). For example, in the matters of
CardSystems Solutions, Dave & Buster’s, GMR Transcription Services, and
Ashley Madison, the FTC brought enforcement actions against the named
parties instead of the third parties that had their networks breached due to
inadequacies in their own security measures.148 In essence, a third party that
handles the same confidential and sensitive information as the larger
contracting company escapes FTC enforcement and thus is not required to
have reasonable security measures. The FTC’s enforcement of reasonable
security measures against the big fish does not deter third parties from having
unreasonable security measures. This leaves the regulation of third-party
security solely in the hands of a contracting company. Under this framework,
third parties will continue to pose security risks and will remain the weakest
link, unless the contracting companies know how to assess their cybersecurity.
148. See CardSystems Solutions Complaint, supra note 140; Dave & Buster’s Complaint, supra
note 140; GMR Transcription Complaint, supra note 137; Ashley Madison Complaint,
supra note 137.
149. SHAWN S. AMUIAL, JOSIAS N. DEWEY & JEFFREY R. SEUL, THE BLOCKCHAIN: A GUIDE FOR
LEGAL AND BUSINESS PROFESSIONALS 2 (2016) [hereinafter LEGAL AND BUSINESS
BLOCKCHAIN GUIDE] (“Blockchain may be one of the least understood of the technologies
currently thought to be driving a Fourth Industrial Revolution.”) (footnote omitted).
150. See Jonathan Shieber, Colu Aims to Bring Blockchain Technology Everywhere,
TECHCRUNCH (Jan. 27, 2015), https://techcrunch.com/2015/01/27/colu-aims-to-bring-
blockchain-technology-everywhere [https://perma.cc/T97F-YLUH] (quoting Amos
Meiri, the chief executive and cofounder of Colu, a Tel Aviv-based startup company).
151. How to Web, John McAfee: About Blockchain, Bitcoins and Cyber Security, YOUTUBE
(Feb. 23, 2017), https://www.youtube.com/watch?v=G5S0bK8mqAM.
152. TAPSCOTT & TAPSCOTT, supra note 11, at 5.
153. VIMI GREWAL-CARR & STEPHEN MARSHALL, DELOITTE, BLOCKCHAIN: ENIGMA. PARADOX.
OPPORTUNITY 2–4 (2016), https://www2.deloitte.com/content/dam/
Deloitte/uk/Documents/Innovation/deloitte-uk-blockchain-full-report.pdf
[https://perma.cc/KF6A-PU4Y] [hereinafter BLOCKCHAIN: ENIGMA. PARADOX.
OPPORTUNITY]; Alistair Dabbs, What Is a Blockchain, and Why Is It Growing in
Popularity?, ARS TECHNICA (Nov. 6, 2016, 6:00 AM),
https://arstechnica.com/information-technology/2016/11/what-is-blockchain
[https://perma.cc/SL8L-UT6S]; Arthur Iinuma, What Is Blockchain And What Can
Businesses Benefit From It?, FORBES (Apr. 5, 2018, 7:00 AM),
https://www.forbes.com/sites/forbesagencycouncil/2018/04/05/what-is-blockchain-
and-what-can-businesses-benefit-from-it/#7a357f8d675f [https://perma.cc/R9AY-
PMV9]; Alan Morrison, Blockchain and Smart Contract Automation: An Introduction
and Forecast, PWC (Mar. 20, 2016), usblogs.pwc.com/emerging-technology/blockchain-
and-smart-contract-automation-an-introduction-and-forecast
[https://perma.cc/5QA8-NFLF].
154. See LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 3 (“The individual
components that make up the blockchain will be easier to understand if we reinforce the
basic premise that a blockchain is a ledger.”) (footnote omitted).
155. Id.
156. See, e.g., General Ledger, INVESTOPEDIA, https://www.investopedia.com/terms/g/generalledger.asp
[https://perma.cc/DQH5-PJ3U]; Ledger, BUSINESSDICTIONARY, http://www.businessdictionary.com/definition/ledger.html
[https://perma.cc/UF2M-QMVX]; see also Debits and Credits, ACCOUNTINGTOOLS (Jan. 31, 2018),
https://www.accountingtools.com/articles/2017/5/17/debits-and-credits [https://perma.cc/U8SJ-TB29]
(“A debit is an accounting entry that either increases an asset or expense account,
or decreases a liability or equity account. It is positioned to the left in an accounting entry.
A credit is an accounting entry that either increases a liability or equity account, or
decreases an asset or expense account. It is positioned to the right in an accounting
entry.”).
157. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 3.
158. Id. “In other words, there is no single server to which all the [computers] attach.” Id. at
4. These computers are known as “nodes.” See, e.g., Tim Fisher, What Is a Node in a
Computer Network, LIFEWIRE (July 28, 2018), https://www.lifewire.com/what-is-a-node-
4155598 [https://perma.cc/DAQ6-ZPW6] (“A node is any physical device within a
network of other devices that’s able to send, receive, and/or forward information.”).
“Each node contains a complete history of every transaction completed on a particular
blockchain beginning with the first transactions that were processed into the first block
recordkeepers who update the ledger. This peer-to-peer platform ensures that
“only information upon which the network reaches consensus will be included
in the blockchain.”159
For example, suppose a particular blockchain is tasked with recording a
series of transactions. One node initiates the first transaction, A, and all of the
nodes process it and reach a consensus—“A.” Another node initiates the
second transaction, B, and all of the nodes process it and reach a further
consensus—“A+B.” Each node is now storing this same chain of transactions,
and the process is infinitely repeatable.
Under the Bitcoin network, for example, a node that successfully validates
a transaction and inputs the transaction into the blockchain is rewarded with a
certain amount of Bitcoin.160 But it is worth noting that “coins” such as Bitcoin
are not necessary. While some kind of reward system is needed to incentivize
nodes to correctly validate each transaction, the transaction fees that reward
validations can be issued in any medium.
The genius of blockchain technology is its unique combination of two
breakthroughs in computer science, both of which won Turing Awards.161
“Asymmetric cryptography” allows nodes to validate transactions through
complex cryptographic functions,162 and “distributed systems” create a
network where transactions can be considered valid only if the network
reaches a consensus on the answer to the complex cryptographic function.163
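The “A”, then “A+B” sequence above, as an added illustration (this is not code from the Comment or from any blockchain project it cites): a hash-chained ledger kept by several simulated nodes. A proposed entry is committed only when a strict majority of nodes validate it, matching the consensus definition in note 159, and because every node recomputes each link, an entry altered in one node’s copy no longer matches the chain the other nodes hold. The node names, the dishonest-node flag and the sample entries are constructed for the demonstration.

```python
"""Minimal hash-chained ledger with majority consensus among simulated nodes.

Added illustration, not code from the Comment or any cited project. Each node
keeps the full chain, a proposed entry is appended only when a strict majority
of nodes validate it, and any later edit to a stored entry breaks the hash
links that every other node can check.
"""
import hashlib
import json
from dataclasses import dataclass, field, replace
from typing import List, Optional

GENESIS_PREV = "0" * 64  # constructed sentinel "previous hash" for the genesis block


def block_hash(index: int, prev_hash: str, data: str) -> str:
    # Hash a canonical JSON form so every node computes the same digest.
    payload = json.dumps({"i": index, "p": prev_hash, "d": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    data: str
    hash: str


@dataclass
class Node:
    name: str
    chain: List[Block] = field(default_factory=list)
    honest: bool = True  # constructed: a dishonest node refuses to validate anything

    def tip_hash(self) -> str:
        return self.chain[-1].hash if self.chain else GENESIS_PREV

    def validate(self, block: Block) -> bool:
        """Accept a block only if it extends this node's tip and its hash recomputes."""
        if not self.honest:
            return False
        return (block.index == len(self.chain)
                and block.prev_hash == self.tip_hash()
                and block.hash == block_hash(block.index, block.prev_hash, block.data))

    def verify_chain(self) -> bool:
        """Recompute every link; an edited entry invalidates its own hash and all later ones."""
        prev = GENESIS_PREV
        for i, b in enumerate(self.chain):
            if b.index != i or b.prev_hash != prev or b.hash != block_hash(i, prev, b.data):
                return False
            prev = b.hash
        return True


def propose(nodes: List[Node], proposer: Node, data: str) -> Optional[Block]:
    """Build the next block from the proposer's tip; commit it only with a strict majority."""
    idx, prev = len(proposer.chain), proposer.tip_hash()
    candidate = Block(idx, prev, data, block_hash(idx, prev, data))
    votes = sum(1 for n in nodes if n.validate(candidate))
    if votes * 2 <= len(nodes):
        return None  # no consensus, nothing is recorded
    for n in nodes:
        n.chain.append(replace(candidate))  # each node stores its own copy
    return candidate


def run_demo() -> dict:
    nodes = [Node("n1"), Node("n2"), Node("n3"), Node("n4", honest=False)]
    a = propose(nodes, nodes[0], "A")   # consensus on "A"
    b = propose(nodes, nodes[1], "B")   # consensus on "A+B"
    agree = len({n.tip_hash() for n in nodes}) == 1
    nodes[0].chain[0].data = "A-altered"  # edit n1's stored copy of "A"
    minority = [Node("m1"), Node("m2", honest=False), Node("m3", honest=False)]
    return {
        "committed": [blk.data for blk in (a, b) if blk is not None],
        "all_nodes_agree": agree,
        "n1_chain_valid_after_edit": nodes[0].verify_chain(),
        "n2_chain_valid_after_edit": nodes[1].verify_chain(),
        "rejected_without_majority": propose(minority, minority[0], "C") is None,
    }


if __name__ == "__main__":
    print(run_demo())
```

The strict-majority rule in `propose` is also why the Integrity discussion later in the Comment turns on control of more than half the nodes: with that share, the dishonest nodes rather than the honest ones decide what is "valid".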
on that blockchain.” LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 3
(footnote omitted). The first block of transactions on a blockchain is called the “genesis
block” because it “represents the beginning of time for that blockchain.” Id.
159. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 4 (footnote omitted); see also
id. at 4 n.5 (“Consensus occurs when the nodes operating on the network (usually at least
a majority of the nodes) agree that the proposed transaction is indeed ‘valid.’”).
160. See SATOSHI NAKAMOTO, BITCOIN: A PEER-TO-PEER ELECTRONIC CASH SYSTEM 4 (2009),
https://bitcoin.org/bitcoin.pdf [https://perma.cc/LF5X-LMYD].
161. The Turing Award is often considered the equivalence of the Nobel Prize in computer
science. Bob Brown, ‘Nobel Prize in Computing’ Goes to Distributed Computing Wrangler
Leslie Lamport, NETWORKWORLD (Mar. 18, 2014, 11:37 AM),
https://www.networkworld.com/article/2175277/data-center/-nobel-prize-in-computing-goes-to-distributed-computing-wrangler-leslie-lamport.html
[https://perma.cc/YW5X-F8Y6] (Turing Award for distributed systems); Tia Ghose,
Cryptography Pioneers Snag the ‘Nobel Prize of Computer Science’, LIVE SCI. (Mar. 2,
2016, 1:17 PM), https://www.livescience.com/53911-cryptography-pioneers-earn-
turing-award.html [https://perma.cc/NXN6-5S73] (Turing Award for asymmetric
cryptography).
162. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149.
163. Id.
164. “Transactions” and “information” can be used interchangeably, as the blockchain allows
the storage of all types of data.
165. See Michele D’Aliessi, How Does the Blockchain Work?, MEDIUM (June 1, 2016),
https://medium.com/@micheledaliessi/how-does-the-blockchain-work-98c8cd01d2ae
[https://perma.cc/GZ6Y-BYGQ].
166. See LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 5 n.8.
167. Id. at 6.
168. See NIST Report on Blockchain Technology Aims to Go Beyond the Hype, NIST (Jan. 24,
2018), https://www.nist.gov/news-events/news/2018/01/nist-report-blockchain-
technology-aims-go-beyond-hype [https://perma.cc/DXY7-END4] [hereinafter NIST
Report on Blockchain Technology].
169. See D’Aliessi, supra note 165.
170. See Praveen Jayachandran, The Difference Between Public and Private Blockchain, IBM
(May 31, 2017), https://www.ibm.com/blogs/blockchain/2017/05/the-difference-
between-public-and-private-blockchain [https://perma.cc/RS9H-6QR2].
171. NIST Report on Blockchain Technology, supra note 168.
172. Id.
C. Applications
Bitcoin is the first and most popular use of blockchain and is one of many
“cryptocurrencies.”192 Cryptocurrencies are built on public blockchains and
can be bought and sold on various online exchanges that operate much like
traditional financial exchanges. The term “cryptocurrency” is frequently used
to describe all sorts of public blockchains, but this can be very misleading.
While it conveys attributes that define some blockchains, like a means of
storing value and exchanging wealth, it fails to capture the nuances and
capabilities of others.
As of early April 2019, there are over 2,000 public blockchains.193 A public
blockchain can be used to verify a source and destination of a transaction of
assets (i.e., cryptocurrencies). But not all public blockchains have currency
applications. It is important to understand that currency was just the first
application of blockchain and is by no means the only or best use.194 Utility
blockchains are another type of application and are explored in Subpart IV.B.2 (in
particular, data storage). Other blockchains have a platform function.
Platform blockchains create an infrastructure on which more specific
applications can be built. Ethereum, for example, is an open software platform
based on blockchain technology that allows developers to build and deploy
decentralized applications.195 Decentralized applications that are created on
top of this platform do not need to create their own blockchain, but instead
work off of the existing Ethereum blockchain. The “IBM Blockchain
Platform”196 is an example of a “private Ethereum,” where businesses can build
and use applications on top of IBM’s blockchain. Unlike Ethereum’s fully
decentralized and public model, IBM controls the nodes.
The potential of blockchain technology as a whole is largely untapped and
the exploration of private blockchains is in especially nascent stages, but things
are picking up. Both the private sector and the public sector have started to
look closely at the potential of private blockchain technology.
The most significant use of private blockchains in the private sector has
been for platform blockchains such as IBM’s Blockchain Platform.197 Unlike
Ethereum’s public platform, these private blockchain platforms are more
suitable for corporate users198 because transactions are made efficient and
confidential by the limited and selective nature of the participants.199 These
types of private platform blockchains can be thought of as “blockchain for hire”
or “blockchain as a service,” where users leverage and use the blockchain
expressed in code.” TAPSCOTT & TAPSCOTT, supra note 11, at 7; see also Andrew Meola,
The Growing List of Applications and Use Cases of Blockchain Technology in Business &
Life, BUS. INSIDER (Sept. 28, 2017, 4:46 PM), https://www.businessinsider.com
/blockchain-technology-applications-use-cases-2017-9 [https://perma.cc/5GGQ-5T3B]
(the use of blockchain technology spans across international payments, capital markets,
trade finance, regulatory compliance and audit, money laundering protection, insurance,
peer-to-peer transactions, supply chain management, healthcare, real estate, media,
energy, record management, identity management, voting, taxes, nonprofit agencies,
legislation/compliance/regulatory oversight, financial management/accounting,
shareholder voting, cybersecurity, big data, data storage, and internet of things).
195. ETHEREUM, https://www.ethereum.org [https://perma.cc/3DMS-H9SX]
(“blockchain app platform”).
196. See supra note 185 and accompanying text.
197. Id.
198. See Michael del Castillo, MultiChain 1.0: Bitcoin-Compatible Private Blockchain Opens
for Enterprise, COINDESK (Aug. 2, 2017), https://www.coindesk.com/multichain-1-0-
bitcoin-compatible-private-blockchain-launches-for-enterprise [https://perma.cc/55
DR-EMUM].
199. See, e.g., GIDEON GREENSPAN, MULTICHAIN PRIVATE BLOCKCHAIN—WHITE PAPER 5–7,
https://www.multichain.com/download/MultiChain-White-Paper.pdf [https://
perma.cc/TTY8-4A5T].
platform created by a company that has the resources and expertise to design,
create, and service a private blockchain. For example, Helzberg Diamonds and
jewelry manufacturer Richline Group are already working with IBM to track
and authenticate diamonds and precious metals on IBM’s blockchain.200
Walmart and Sam’s Club sent a letter to their suppliers of fresh leafy greens asking
them to track their products on Walmart’s IBM-powered blockchain.201 But
new and unestablished players are also entering the market. Coin Sciences Ltd.
allows users to utilize their blockchain infrastructure for various uses, such as
messaging, decentralized exchanges, database synchronization, currency
settlement, bond issuance, and consumer reward schemes.202 In 2017, the
blockchain company Chain struck a deal with Nasdaq and Citi where these two
companies would use Chain’s platform to create “a new integrated payment
solution that enables straight through payment processing and automates
reconciliation by using a distributed ledger to record and transmit payment
instructions.”203
The public sector has started to look into a different type of private
blockchain. These private blockchains would be created for one entity’s
exclusive use, as opposed to many different companies using the same
platform. Private companies could also create this type of blockchain, but it
may be more expensive and resource intensive to invest in this technology
from the ground up rather than using a preexisting blockchain.204 Thus far, the
U.S. government’s interest has largely been in how blockchain can bolster
national defense. In September 2016, the Defense Advanced Research Projects
Agency (DARPA) awarded a $1.8 million contract to two companies to
“advance the state of formal verification tools and all blockchain-based
200. Anna Irrera, Jewelry Companies Team Up With IBM on Blockchain Platform, REUTERS
(Apr. 26, 2018, 3:10 AM), https://www.reuters.com/article/us-blockchain-diamonds/jewelry-companies-team-up-with-ibm-on-blockchain-platform-idUSKBN1HX1BD
[https://perma.cc/6WUR-7GFM].
201. Letter from Walmart Execs. to Leafy Greens Suppliers (Sept. 24, 2018),
https://corporate.walmart.com/media-library/document/blockchain-supplier-letter-
september-2018/_proxyDocument?id=00000166-088d-dc77-a7ff-4dff689f0001
[https://perma.cc/X469-3RYR].
202. Id. at 12–16.
203. Nasdaq and Citi Announce Pioneering Blockchain and Global Banking Integration,
NASDAQ (May 22, 2017, 9:48 AM), https://www.nasdaq.com/article/nasdaq-and-citi-
announce-pioneering-blockchain-and-global-banking-integration-cm792544
[https://perma.cc/9BTW-H7YC].
204. For example, Amazon offers a blockchain service that “eliminates the overhead required
to create the network, and automatically scales to meet the demands of thousands of
applications running millions of transactions.” Blockchain on AWS, AWS, https://aws.amazon.com/blockchain
[https://perma.cc/4LR9-Y5KM].
205. Martin Ruubel, Guardtime Federal and Galois Awarded DARPA Contract to Formally
Verify Blockchain-Based Integrity Monitoring System, GUARDTIME: BLOG & NEWS (Sept.
13, 2016), https://guardtime.com/blog/galois-and-guardtime-federal-awarded-1-8m-darpa-contract-to-formally-verify-blockchain-based-inte
[https://perma.cc/Y526-RGAV].
206. ITAMCO to Develop Blockchain-Based Secure Messaging App for U.S. Military, CISION
(May 25, 2017, 12:43 PM), https://www.prnewswire.com/news-releases/itamco-to-
develop-blockchain-based-secure-messaging-app-for-us-military-300464063.html
[https://perma.cc/K3FA-E62J].
207. Id.
208. Id.
209. 163 Cong. Rec. S5794 (daily ed. Sept. 18, 2017).
210. Bureau of the Fiscal Service Launches Two Innovative Pilot Projects, BUREAU OF THE
FISCAL SERV.,
https://www.publicdebt.treas.gov/fsservices/gov/fit/fit_launches_innovative_pilot.htm
[https://perma.cc/NW5J-25YG].
211. Beyond Bitcoin: Emerging Applications for Blockchain Technology: Joint Hearing Before
the H. Subcomm. on Oversight, H. Subcomm. on Research and Tech., and H. Comm. on
Sci., Space, & Tech., 115th Cong. 4–5 (2018) (statement of Ralph Abraham, Chairman, H.
Subcomm. on Oversight).
212. See, e.g., JARED R. BUTCHER ET AL., CYBERSECURITY TECH BASICS: BLOCKCHAIN
TECHNOLOGY CYBER RISKS AND ISSUES: OVERVIEW (2019),
https://www.steptoe.com/images/content/1/8/v2/189187/Cybersecurity-Tech-Basics-Blockchain-Technology-Cyber-Risks-and.pdf
[https://perma.cc/6HCY-FUGN] (“Blockchain technology
offers important cybersecurity benefits” by “provid[ing] a strong method for securing
networked ledgers.”); Naveen Joshi, The Anatomy of a Cyber Attack: Dissecting the Science
Behind Virtual Crime, BBN TIMES (Mar. 4, 2019),
https://www.bbntimes.com/en/technology/the-anatomy-of-a-cyber-attack-dissecting-the-science-behind-virtual-
crime [https://perma.cc/Y6CC-8HXX] (“Blockchain can effectively detect a data breach,
and disrupt the process that forms the anatomy of a cyber attack.”).
213. See, e.g., Andrew Arnold, Here’s Why More Enterprises Are Considering Blockchain as
Data Privacy Solution, FORBES (Jan. 2, 2019, 1:07 PM),
https://www.forbes.com/sites/andrewarnold/2019/01/02/heres-why-more-enterprises-are-considering-blockchain-as-data-privacy-solution/#203f40abcb73
[https://perma.cc/S929-R95C];
Andrew Arnold, 4 Promising Use Cases of Blockchain in Cybersecurity, FORBES (Jan. 30,
2019, 4:30 AM), https://www.forbes.com/sites/andrewarnold/2019/01/30/4-promising-use-cases-of-blockchain-in-cybersecurity/#22e4cd443ac3
[https://perma.cc/6EEZ-6VS8]; Reinhardt Krause, How Cybersecurity Firms Palo Alto, Okta Can Capitalize on
Blockchain, INVESTOR’S BUS. DAILY (Apr. 13, 2018),
https://www.investors.com/news/technology/how-cybersecurity-firms-could-capitalize-on-blockchain-technology
[https://perma.cc/UVL3-XSDR].
214. ENISA Report on Blockchain Technology and Security, ENISA (Jan. 18, 2017),
https://www.enisa.europa.eu/news/enisa-news/enisa-report-on-blockchain-
technology-and-security [https://perma.cc/E3NE-BN9N].
215. Jamie Holmes, Blockchain for Cybersecurity: Protecting Infrastructure, Data
Telecommunications, BTCMANAGER.COM (Jan. 7, 2016),
https://btcmanager.com/blockchain-for-cyber-security-protecting-infrastructure-data-
telecommunications [https://perma.cc/HYM3-ZUCP]; Daniel Palmer, Blockchain
Startup to Secure 1 Million e-Health Records in Estonia, COINDESK (Mar. 3, 2016, 10:51
PM), https://www.coindesk.com/blockchain-startup-aims-to-secure-1-million-
estonian-health-records [https://perma.cc/V49B-KVAX].
216. U.S. Patent No. 20180270244 (filed Sept. 20, 2018).
217. RONALD J. REISMAN, NASA AMES RESEARCH CENTER, AIR TRAFFIC MANAGEMENT
BLOCKCHAIN INFRASTRUCTURE FOR SECURITY, AUTHENTICATION, AND PRIVACY 1 (2019),
https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20190000022.pdf
[https://perma.cc/Q867-X2KB]. NASA’s report also demonstrated how their prototype
blockchain represents a “scalable architecture and illustrates how [this technology] may
be rapidly deployed and economically maintained.” Id.
218. See WORLD ECONOMIC FORUM, CENTRAL BANKS AND DISTRIBUTED LEDGER TECHNOLOGY:
HOW ARE CENTRAL BANKS EXPLORING BLOCKCHAIN TODAY? (2019),
www3.weforum.org/docs/WEF_Central_Bank_Activity_in_Blockchain_DLT.pdf
[https://perma.cc/8WWV-NV4N].
219. Joseph Young, Homeland Security to Use Blockchain in Tracking Goods & People
Globally, COINTELEGRAPH (Jan. 15, 2017),
https://cointelegraph.com/news/homeland-security-to-use-blockchain-in-tracking-goods-people-globally
[https://perma.cc/6MQ6-U9YC].
220. COLO. REV. STAT. § 24-37.5-501 (2018).
221. Ben Dickson, How Blockchain Can Help Fight Cyberattacks, TECHCRUNCH (Dec. 5, 2016,
1:38 PM), https://techcrunch.com/2016/12/05/how-blockchain-can-help-fight-cyberattacks
[https://perma.cc/34DU-LVJT].
222. BLOCKCHAIN: ENIGMA. PARADOX. OPPORTUNITY, supra note 153, at 12; see also TAPSCOTT
& TAPSCOTT, supra note 11, at 7 (hacking the blockchain is “practically impossible” to do);
Dante Disparte, IBM X-Force Red Launches Blockchain Cybersecurity Service, FORBES
(Mar. 5, 2019, 6:00 AM), https://www.forbes.com/sites/dantedisparte/2019/03/05/ibm-x-force-red-launches-blockchain-cybersecurity-service/#767c543d1602
[https://perma.cc/KF3S-ED86] (“[T]he public blockchain underpinning bitcoin
transactions has not been hacked at the protocol level since its launch in 2008.”).
223. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 9.
1. Confidentiality
practices to manage their encryption keys. See, e.g., VIRTRU, THE SIMPLE GUIDE TO
ENCRYPTION KEY MANAGEMENT,
https://www.virtru.com/wp-content/themes/virtru/files/pdf/The%20Simple%20Guide%20to%20Encryption%20Key%20Management.pdf
[https://perma.cc/8K8Q-CMDG].
231. See Allison Berke, How Safe Are Blockchains? It Depends., HARV. BUS. REV. (Mar. 7, 2017),
https://hbr.org/2017/03/how-safe-are-blockchains-it-depends [https://perma.cc/B3TQ-BMWG].
Access controls should also be managed according to best practices. See, e.g.,
ONE IDENTITY, 8 BEST PRACTICES FOR IDENTITY AND ACCESS MANAGEMENT (2017),
https://www.cbronline.com/wp-content/uploads/dlm_uploads/2018/02/Identity-Gov-8-best-practices-for-identity-and-access-management-white-paper-13721.pdf
[https://perma.cc/E3MB-5H9N].
232. See Dickson, supra note 221.
233. Id.
234. For an example of a public blockchain employing this method, see PROTOCOL LABS,
FILECOIN: A DECENTRALIZED STORAGE NETWORK (2017), https://filecoin.io/filecoin.pdf
[https://perma.cc/T3EV-M47W].
235. See supra Part III.B.
236. See Gonzalez-Orozco, supra note 230.
237. Id.
participants are privy to data, but are more likely to be breached because they
are less centralized.
2. Integrity
238. Beyond Bitcoin: Emerging Applications for Blockchain Technology: Hearing Before the
Subcomm. on Oversight & Subcomm. on Research & Tech. of the H. Comm. On Sci., Space,
& Tech., 115th Cong. 2 (2018) (statement of Charles H. Romine, Director, Information
Technology Laboratory, National Institute of Standards and Technology).
239. Júlio Santos, Forever on the Chain, HACKERNOON (Nov. 14, 2017),
https://hackernoon.com/forever-on-the-chain-c755838dfc79 [https://perma.cc/XWA5-TAX7].
240. See infra note 287 and accompanying text.
241. See 51% Attack, LEARN CRYPTOGRAPHY, https://learncryptography.com/cryptocurrency/51-attack
[https://perma.cc/W34N-EQW8].
242. Id.
243. Id.
244. See, e.g., Lunn, supra note 226 (discussing centralization within banking context).
3. Availability
4. Resilience
The most common type of cyberattack that would affect the resilience of
a network is the distributed denial of service (DDoS). DDoS attacks flood a
server with superfluous requests in an attempt to overload the system and
personal information that the organization collects from users.254 They should
also look at a technology’s costs, benefits, and risks, and their ability to fund
and implement it.255 Understanding that the analysis of cybersecurity
reasonableness is always done case-by-case, this Subpart applies the FTC and
NIST cybersecurity guidelines to blockchain and argues that the FTC ought to
view failure to use blockchain as unreasonable. As a reminder, the guidelines
that would be relevant to incorporating blockchain technology into the FTC’s
understanding of reasonable cybersecurity measures are (1) using readily
available technology, (2) protecting data during storage and transmission, (3)
responding and recovering from cyber attacks, and (4) ensuring the security of
third parties.
254. See Microsoft Corp., Docket No. C-4069, at 2 (Fed. Trade Comm’n Dec. 20, 2002)
(decision and order).
255. See NAT’L INST. OF STANDARDS & TECH., supra note 12, at 14–15.
256. See, e.g., NAKAMOTO, supra note 160.
257. See Otto, supra note 118, at 340.
258. See SINGER & FRIEDMAN, supra note 13, at 45–50.
259. See Ghose, supra note 161; Patrick Sawer, The Unsung Genius Who Secured Britain’s
Computer Defences and Paved the Way for Safe Online Shopping, TELEGRAPH (Mar. 11,
2016, 9:00 PM), https://www.telegraph.co.uk/history/12191473/The-unsung-genius-
who-secured-Britains-computer-defences-and-paved-the-way-for-safe-online-
shopping.html [https://perma.cc/J2HQ-5YDE].
260. See, e.g., Industry Specific Encryption, ANSI WEBSTORE,
https://webstore.ansi.org/software/Industry-Specific.aspx [https://perma.cc/A649-3PX3].
261. See ELAINE BARKER, NAT’L INST. OF STANDARDS AND TECH., GUIDELINE FOR USING
CRYPTOGRAPHIC STANDARDS IN THE FEDERAL GOVERNMENT: CRYPTOGRAPHIC
news/articles/2018-01-16/bofa-tops-ibm-and-payments-firms-with-most-blockchain-
patents.
271. See Breaux & Baumer, supra note 122, at 191.
272. See supra note 121 and accompanying text.
273. START WITH SECURITY, supra note 107, at 6.
274. See supra Part IV.A.1.
275. See supra Part IV.A.2–IV.A.4.
276. See PROTOCOL LABS, supra note 234.
277. See DAVID VORICK & LUKE CHAMPINE, SIA: SIMPLE DECENTRALIZED STORAGE (2014),
https://www.sia.tech/whitepaper.pdf [https://perma.cc/TA2M-T63R].
278. See STORJ LABS, STORJ: A DECENTRALIZED CLOUD STORAGE NETWORK FRAMEWORK (2018),
https://storj.io/storj.pdf.
279. See Where Does Dropbox Store My Data?, DROPBOX,
https://www.dropbox.com/help/security/physical-location-data-storage [https://perma.cc/N5FG-4X98] (files added to
Dropbox are stored in Dropbox’s data centers across the United States).
280. Dropbox servers were breached in 2012 and account information of sixty-eight million
users was compromised and put up for sale on the dark web. See Karen Turner, Hacked
Dropbox Login Data of 68 Million Users Is Now for Sale on the Dark Web, WASH. POST
According to the FTC and NIST, companies are responsible for ensuring
that third-party contractors implement reasonable security measures.292
Companies must determine what requirements are necessary and must verify
that they are met by the third party.293 Blockchain provides the opportunity for
companies to streamline this effort of building trust.
Blockchain has been dubbed “the trust machine” because it allows parties
who have no particular confidence in each other to collaborate without having
to go through a neutral party.294 This technology can “be applied in any context
in which trust is essential.”295
Although it may seem an insurmountable task to replace, for example,
traditional third-party storage services with blockchain-based storage, the
current system is unsustainable and change is necessary. Companies, and in
particular large companies that collect tremendous amounts of consumer
information, overwhelmingly rely on third parties for data storage.296 Third
parties have increasingly been the targets of cyber attacks, which are
considered to be the most expensive type of incident.297 Yet the amount of
sensitive and confidential information that these third parties possess
continues to grow.298 The current cybersecurity landscape is problematic
because the contracting party is expected to ensure the security of the third
party’s networks299 and this oversight has been found to be insufficient.300
Moreover, the FTC continues to target the “big fish” companies even when the
third-party service provider lacked reasonable security measures and was the
one who was breached.301 Under the status quo, third parties will continue to
pose security risks and will remain the “weakest link.” Incorporating
blockchain technology can resolve this problem.
Replacing traditional third-party data storage providers with data storage
providers operating on the blockchain has tremendous benefits. Companies
would have a guaranteed way of ensuring the security of the service provider
because data center standards can be codified into the blockchain302 and thus
293. See NAT’L INST. OF STANDARDS & TECH., supra note 12, at 16.
294. See The Trust Machine, ECONOMIST (Oct. 31, 2015),
https://www.economist.com/news/leaders/21677198-technology-behind-bitcoin-could-transform-how-economy-works-
trust-machine [https://perma.cc/54QG-7XHQ].
295. Shackelford & Myers, supra note 265, at 357.
296. See supra notes 62, 70 and accompanying text.
297. See supra notes 67, 69 and accompanying text.
298. See supra note 65 and accompanying text.
299. See supra note 136 and accompanying text.
300. See supra note 146 and accompanying text.
301. See supra note 148 and accompanying text.
302. See Mike Klein, SAS 70, SSAE 16, SOC and Data Center Standards, DATA CTR.
KNOWLEDGE (Mar. 3, 2011), www.datacenterknowledge.com/archives/2011/03/03/ sas-
70-ssae-16-soc-and-data-center-standards [https://perma.cc/TZM2-DM55].
1286 66 UCLA L. R EV. 1242 (2019)
trust can be regulated through code (i.e., “code is law”).303 This would solve the
current problem of “insufficient” oversight.304 Moreover, a blockchain-based
decentralized storage network offers more security than traditional cloud
storage. This would minimize a company’s risk of facing an enforcement
action by “reducing the risk posed by a third-party.” Blockchain could remove
the “weakest link” third party but still retain the service provider. This can also
be more cost-efficient than the traditional third-party data storage structure
because storage on the blockchain is up to ninety percent cheaper than storage
on traditional servers.305
303. See Lawrence Lessig, Code Is Law, HARV. MAG. (Jan. 1, 2000), https://harvard
magazine.com/2000/01/code-is-law-html [https://perma.cc/P8B5-K9VV] (arguing that
code should be the regulator of cyberspace).
304. See PONEMON INST., supra note 64, at 3.
305. See, e.g., VORICK & CHAMPINE, supra note 277.
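The mechanism the preceding paragraph relies on, data center standards codified into the ledger so that a provider's compliance is enforced by code at transaction time rather than by the contracting party's after-the-fact oversight, can be sketched in a small model. The Python below is an added illustration written for this edit; it is not code from the Comment or from any storage network it cites. The ledger, the required-standard names, the auditor key, and the HMAC used as a stand-in for an auditor's digital signature are all constructed assumptions, and the hash-linked block list only models the append-only property of a blockchain, not consensus or replication.

```python
"""Toy 'code is law' model for third-party storage (constructed example)."""
import hashlib
import hmac
import json

# Constructed auditor key. It stands in for the auditor's signing key; a real
# deployment would use an asymmetric signature so that verifying nodes never
# hold anything that could forge an attestation.
AUDITOR_KEY = b"constructed-auditor-key-for-illustration-only"

# The standards the ledger's policy requires of every storage provider.
# Names are illustrative placeholders, not a real certification's control list.
REQUIRED_STANDARDS = frozenset({"SOC2-TYPE-II", "ENCRYPTION-AT-REST"})


class PolicyError(Exception):
    """Raised when a transaction violates the codified storage policy."""


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj) -> bytes:
    # Deterministic serialization so the same record always hashes the same.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(provider_id, standards, expires_at, key=AUDITOR_KEY):
    """Auditor records which standards a provider has been found to meet."""
    body = {"provider": provider_id, "standards": sorted(standards), "expires_at": expires_at}
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def attestation_valid(att, now, key=AUDITOR_KEY) -> bool:
    """Authentic attestation from the auditor that has not yet expired."""
    body = {k: att[k] for k in ("provider", "standards", "expires_at")}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(att["sig"], expected) and now < att["expires_at"]


class StorageLedger:
    """Append-only, hash-linked log whose transactions are policy-checked."""

    def __init__(self):
        self.blocks = []
        self.providers = {}  # provider id -> currently registered attestation

    def _append(self, record):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"prev": prev, "record": record}
        block["hash"] = _sha256(_canonical({"prev": prev, "record": record}))
        self.blocks.append(block)

    def register_provider(self, att, now):
        # The policy runs in code: no valid attestation, no registration.
        if not attestation_valid(att, now):
            raise PolicyError("attestation is not authentic or has expired")
        missing = REQUIRED_STANDARDS - set(att["standards"])
        if missing:
            raise PolicyError(f"provider lacks required standards: {sorted(missing)}")
        self.providers[att["provider"]] = att
        self._append({"type": "register", "attestation": att})

    def record_storage(self, provider_id, ciphertext, now) -> str:
        # Only the digest goes on the ledger; the client encrypts before hand-off
        # and the provider holds the ciphertext. Expired attestations block writes.
        att = self.providers.get(provider_id)
        if att is None or not attestation_valid(att, now):
            raise PolicyError("provider is not currently attested")
        digest = _sha256(ciphertext)
        self._append({"type": "store", "provider": provider_id, "digest": digest})
        return digest

    def verify_retrieved(self, digest, ciphertext) -> bool:
        """Integrity check on data returned by the provider."""
        return hmac.compare_digest(digest, _sha256(ciphertext))

    def chain_intact(self) -> bool:
        """Every block still matches its own hash and links to its predecessor."""
        prev = "0" * 64
        for block in self.blocks:
            recomputed = _sha256(_canonical({"prev": block["prev"], "record": block["record"]}))
            if block["prev"] != prev or block["hash"] != recomputed:
                return False
            prev = block["hash"]
        return True


def rejected(action, *args) -> bool:
    """True when the codified policy refuses the transaction."""
    try:
        action(*args)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    ledger = StorageLedger()
    att = issue_attestation("cloud-a", REQUIRED_STANDARDS, expires_at=2000)
    ledger.register_provider(att, now=1000)
    digest = ledger.record_storage("cloud-a", b"constructed ciphertext", now=1000)
    print("stored digest", digest, "chain intact:", ledger.chain_intact())
```

The point of the model is where the check lives: a provider that lacks a required standard, presents a forged attestation, or lets its attestation lapse is refused by the ledger itself, so the contracting company no longer has to discover the gap through its own oversight. The digest recorded at write time lets the client detect a provider returning altered data, and the hash linkage makes after-the-fact editing of registration or storage records detectable.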
306. TIERION, BLOCKCHAIN HEALTHCARE 2016 REPORT: PROMISE & PITFALLS (2016), https://blog.tierion.com/blockchain-healthcare-2016-report.
307. The Trust Machine, supra note 294.
308. See Marco Iansiti & Karim R. Lakhani, The Truth About Blockchain, HARV. BUS. REV., Jan.–Feb. 2017, https://hbr.org/2017/01/the-truth-about-blockchain [https://perma.cc/B735-B4TW].
309. Rita Gunther McGrath, The Pace of Technology Adoption Is Speeding Up, HARV. BUS. REV. (Nov. 25, 2013), https://hbr.org/2013/11/the-pace-of-technology-adoption-is-speeding-up [https://perma.cc/R4BM-Z6JE].
310. Id.
311. Lunn, supra note 226.
312. See, e.g., Joichi Ito et al., The Blockchain Will Do to the Financial System What the Internet Did to Media, HARV. BUS. REV. (Mar. 8, 2017), https://hbr.org/2017/03/the-blockchain-will-do-to-banks-and-law-firms-what-the-internet-did-to-media [https://perma.cc/33FM-KPEY].
313. See, e.g., TAPSCOTT & TAPSCOTT, supra note 11, at 270–71.
314. See, e.g., Andries Van Humbeeck, The Blockchain-GDPR Paradox, MEDIUM (Nov. 21, 2017), https://medium.com/wearetheledger/the-blockchain-gdpr-paradox-fc51e663d047 [https://perma.cc/6M9S-QLQB].
315. START WITH SECURITY, supra note 107, at 2.
316. Blockchain From a Perspective of Data Protection Law, DELOITTE, https://www2.deloitte.com/dl/en/pages/legal/articles/blockchain-datenschutzrecht.html [https://perma.cc/3DHA-MUPK].
317. Id.
318. See When the Right to be Forgotten Becomes Possible on the Ethereum Blockchain, NEWS BTC (Nov. 18, 2017, 11:43 PM), https://www.newsbtc.com/press-releases/bcdiploma-right-to-be-forgotten-ethereum-blockchain [https://perma.cc/2L4D-4YMY].
319. See Buterin, supra note 182.
CONCLUSION