
U.C.L.A. Law Review
Start With Trust: Utilizing Blockchain to Resolve
the Third-Party Data Breach Problem
Phillip Shaverdian

ABSTRACT

The current cybersecurity landscape is unsustainable. Companies increasingly rely on
third parties to perform services, yet those third parties remain targets of attack because of
their weak cybersecurity measures. The problem stems from placing on the contracting
company the responsibility for ensuring that its third parties maintain adequate cybersecurity.
This oversight mechanism has proven inadequate, and third parties remain untrustworthy and
the weakest link. Moreover, the Federal Trade Commission’s (FTC) inconsistent enforcement
of reasonable cybersecurity measures perpetuates this vicious cycle. To date, the FTC has
brought enforcement actions only against the larger companies that contract out services to
third parties, even where the third party was breached because of its own inadequate security.
As a result, third parties lack the major incentive to maintain reasonable cybersecurity
measures that FTC enforcement actions create, and they operate in a de facto unenforced
cybersecurity realm.

Blockchain technology should be implemented as part of a large company’s comprehensive
cybersecurity plan. The technology offers cybersecurity benefits across all four dimensions of
cybersecurity: confidentiality, integrity, availability, and resilience. Moreover, the technology,
even in its current nascent state, comports with the FTC’s cybersecurity guidelines, found in its
2015 guidebook titled “Start with Security.” Because the FTC’s reasonableness analysis is
conducted case by case, the absence of blockchain-based data storage at a large company that
has adequate means and collects sensitive information from many people can be deemed
unreasonable. Adopting the technology will limit both cybersecurity risk and legal risk. The
trust that the blockchain offers, together with its cybersecurity benefits, makes this technology
a unique solution to the third-party data breach problem. Large companies handling sensitive
and confidential data should start with trust and include blockchain technology as part of their
comprehensive cybersecurity plan.

AUTHOR

J.D., UCLA School of Law, 2019; B.A., University of California, Los Angeles, 2015. The opinions
expressed in this Comment reflect the author’s personal views only. A special thank you to Professor
Kristen Eichensehr for her guidance, insight, and pushback and the entire UCLA Law Review board
and staff for their tireless work and thoughtful edits.

66 UCLA L. Rev. 1242 (2019)


TABLE OF CONTENTS

Introduction................................................................................................................................................ 1244
I. Current Cybersecurity Landscape ................................................................................................. 1246
A. What is Cybersecurity?.................................................................................................................... 1246
B. Breadth and Scope of the Problem................................................................................................. 1249
II. Cybersecurity Enforcement in the United States .................................................................. 1255
A. What is “Unreasonable”? ................................................................................................................. 1257
1. Failing to Adopt Readily Available Technology ................................................................... 1259
2. Leaving Gaps in Encryption/Security in the Storage-Transmission Chain .................... 1260
3. Responding and Recovering Too Slowly From Breaches ................................................... 1261
4. Inadequately Policing the Security of Third-Party Service Providers .............................. 1261
B. Cybersecurity of Third Parties and Inconsistent Enforcement ................................................. 1262
III. What is Blockchain? .......................................................................................................................... 1263
A. Blockchain Technology ................................................................................................................... 1263
B. Public, Consortium, and Private Blockchains.............................................................................. 1267
C. Applications ....................................................................................................................................... 1269
IV. Blockchain and Cybersecurity...................................................................................................... 1273
A. How Blockchain Can Enhance Cybersecurity ............................................................................ 1273
1. Confidentiality ........................................................................................................................... 1275
2. Integrity ...................................................................................................................................... 1277
3. Availability.................................................................................................................................. 1278
4. Resilience .................................................................................................................................... 1278
B. Absence of Blockchain as Unreasonable in the Data Storage Context .................................... 1279
1. Adopting Readily Available Technology ............................................................................... 1280
2. Filling Gaps in Encryption/Security in the Storage-Transmission Chain ....................... 1282
3. Responding and Recovering Quickly From Breaches ........................................................ 1284
4. Ensuring the Security of Third-Parties: The Trust Machine .............................................. 1284
C. Concerns About Market Adoption, Job Killing, and the “Right to be Forgotten” ................. 1286
Conclusion .................................................................................................................................................... 1288


INTRODUCTION

Data breaches have been the topic of headlines more often than not in
recent memory. With breaches ranging from Sony,1 to the Democratic
National Committee (DNC),2 to the U.S. Navy and its industry partners,3 to
Equifax,4 no industry or sector remains impervious to cyberattacks. And this
trend will likely get worse. In fact, there was a record high of 1,579 breaches in
2017—a 45 percent increase from 2016.5 What is even more frightening is that
in 516 of the 584 reported company breaches, the number of total records
compromised is unknown.6 This data might make someone reconsider his or
her nomenclature. Is this cybersecurity or cyberinsecurity?
Yet the so-called third-party problem, which arises from large companies’
use of smaller third-party companies to store sensitive data, is even more
shocking. In 2017, 56 percent of companies had a third-party breach. That
number is projected to rise because companies are increasingly relying on third
parties, yet they often do not know exactly what information the third party
holds.7 Moreover, the current cybersecurity enforcement regime leaves
companies to conduct their own oversight of third parties, as evidenced by
the Federal Trade Commission’s (FTC) 2015 guidebook titled “Start with
Security,” and that oversight has proven inadequate.8 This is because the FTC
continues to bring cybersecurity enforcement actions against the larger companies even

1. See David E. Sanger & Nicole Perlroth, U.S. Said to Find North Korea Ordered Cyberattack
on Sony, N.Y. TIMES (Dec. 17, 2014), https://www.nytimes.com/2014/12/18/world/
asia/us-links-north-korea-to-sony-hacking.html [https://perma.cc/DP5X-ME7D].
2. See Raphael Satter, Inside Story: How Russians Hacked the Democrats’ Emails,
ASSOCIATED PRESS (Nov. 4, 2017), https://www.apnews.com
/dea73efc01594839957c3c9a6c962b8a [https://perma.cc/57VB-CW65].
3. See Gordon Lubold & Dustin Volz, Navy, Industry Partners Are ‘Under Cyber Siege’ by
Chinese Hackers, Review Asserts, WALL ST. J. (Mar. 12, 2019, 2:32 PM),
https://www.wsj.com/articles/navy-industry-partners-are-under-cyber-siege-review-
asserts-11552415553 [https://perma.cc/3PZX-BXVQ].
4. See Donna Borak & Kathryn Vasel, The Equifax Hack Could Be Worse Than We Thought,
CNN (Feb. 10, 2018, 10:43 AM), https://money.cnn.com/2018/02/09/pf/equifax-hack-
senate-disclosure/index.html [https://perma.cc/3W28-W5QK].
5. IDENTITY THEFT RES. CTR., 2017 ANNUAL DATA BREACH YEAR-END REVIEW (2018),
https://www.idtheftcenter.org/images/breach/2017Breaches/2017AnnualDataBreachYe
arEndReview.pdf [https://perma.cc/5WZ8-BNZK].
6. See, e.g., Gretel Egan, Scary Data Breach Statistics of 2017, WOMBAT
SECURITY (Oct. 27, 2017), https://www.wombatsecurity.com/blog/scary-data-
breach-statistics-of-2017 [https://perma.cc/M8F6-JSQV].
7. See infra notes 62–67 and accompanying text.
8. See infra notes 50–58, 66, 141, 148, and accompanying text.

when it was the third party that was breached.9 These third parties often handle
the same highly sensitive and confidential information as the larger company,
but escape FTC enforcement, and therefore operate in a realm outside
cybersecurity enforcement. Under the current structure, these so-called
trusted third parties are often untrustworthy in practice and remain
the weakest link in a landscape plagued with cyber-insecurity.
This Comment argues that utilizing blockchain-based data storage
instead of third-party storage providers will not only reduce cybersecurity risk
but will also reduce legal risk in the eyes of the FTC. The FTC brings
enforcement actions against companies’ unfair practices, and it has treated the
failure to maintain reasonable cybersecurity protocols as an unfair practice.10 Large
companies can ensure their protocols are reasonable only by somehow
establishing trust in third-party service providers that have until now been
insecure and untrustworthy. When it comes to third-party service providers,
large companies should start with trust by using blockchain technology as part
of their comprehensive cybersecurity plan. The absence of this “technological
genie [that] has been unleashed from its bottle”11 might well be deemed
unreasonable by the FTC.
Part I reviews what cybersecurity is and what it attempts to accomplish,
particularly its four dimensions of confidentiality, integrity, availability, and
resilience. It also gives an overview of the current cybersecurity landscape by
examining the breadth and scope of attacks in general and on third parties in
particular.
Part II examines the cybersecurity enforcement regime in the United
States and explores some guidelines that would be relevant to incorporating
blockchain into the FTC’s understanding of reasonableness. These FTC
guidelines include (1) using readily available technology, (2) protecting data
during storage and transmission, (3) responding and recovering from cyber
attacks, and (4) ensuring the security of third parties. An analysis of why the
current enforcement regime is inadequate to address the third-party problem
follows.
Part III dissects blockchain technology and its components and lists
various potential and actual applications. While a relatively new concept,
blockchain’s genius lies in its unique combination of two breakthroughs in

9. See infra notes 147–148 and accompanying text.
10. See infra Part II.A.
11. DON TAPSCOTT & ALEX TAPSCOTT, BLOCKCHAIN REVOLUTION: HOW THE TECHNOLOGY
BEHIND BITCOIN IS CHANGING MONEY, BUSINESS, AND THE WORLD 3 (2016).

computer science—both of which, standing alone, are widely used throughout
many industries to strengthen the security of networks.
Finally, Part IV analyzes how blockchain can enhance cybersecurity by
looking at its effects on cybersecurity’s four dimensions. It then looks at how
blockchain fits into the current cybersecurity guidelines discussed in Part II.
Part IV also addresses some concerns that may come up in trying to implement
blockchain technology to enhance cybersecurity.

I. CURRENT CYBERSECURITY LANDSCAPE


A. What is Cybersecurity?

Cybersecurity is “[t]he process of protecting information by preventing,
detecting, and responding to attacks.”12 An old joke in the security industry
holds that the best way to keep a computer secure is to “[j]ust unplug it.”13 But the
evolving “Information Age”14 has rendered this punch-line solution ever more
impractical. Moreover, the increasing connectivity of electronic devices
to the internet and to one another, as embodied in the “Internet of Things,”15
vastly multiplies the potential vulnerabilities in these devices and their
connections. As a result, there is now an unprecedented need for information
security.16

12. NAT’L INST. OF STANDARDS & TECH., FRAMEWORK FOR IMPROVING CRITICAL
INFRASTRUCTURE CYBERSECURITY 45 (2018), https://nvlpubs.nist.gov/nistpubs/CSWP
/NIST.CSWP.04162018.pdf [https://perma.cc/6NSZ-89B6].
13. P.W. SINGER & ALLAN FRIEDMAN, CYBERSECURITY AND CYBERWAR: WHAT EVERYONE
NEEDS TO KNOW 34 (2014).
14. See, e.g., MANUEL CASTELLS, THE INFORMATION AGE: ECONOMY, SOCIETY AND CULTURE,
VOLUME III: END OF MILLENNIUM (Wiley-Blackwell 2d ed. 2010).
15. The “internet of things” is “the concept of basically connecting any device with an on and
off switch to the Internet (and/or to each other). This includes everything from
cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and
almost anything else you can think of.” Jacob Morgan, A Simple Explanation of ‘The
Internet of Things’, FORBES (May 13, 2014, 12:05 AM), https://www.forbes.com/sites
/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-
understand/#2b658d711d09 [https://perma.cc/6R9P-4QMS]. There is tension within the
U.S. government on what office or agency should police the potential vulnerabilities
presented by the internet of things. See, e.g., Kristen Eichensehr, Security and the Internet
of Things, JUST SECURITY (Feb. 11, 2016), https://www.justsecurity.org/29258/security-
internet-of-things [https://perma.cc/D4W8-ASSZ].
16. Information security is “[t]he protection of information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction in order to
ensure confidentiality, integrity, and availability.” MICHAEL NIELES ET AL., U.S. DEP’T OF
COMMERCE NAT’L INST. OF STANDARDS & TECH., AN INTRODUCTION TO INFORMATION
SECURITY 2 (2017), https://nvlpubs.nist.gov/nistpubs/Special Publications/NIST.SP.800-
12r1.pdf [https://perma.cc/Z4V9-PMHS].

A system’s ability to protect its information17 from “unauthorized access,
use, disclosure, disruption, modification, or destruction”18 is assessed through
the three properties, or goals, of cybersecurity: confidentiality, integrity, and
availability—also known as the “CIA triad.”19
Confidentiality is the idea of “keeping data private.”20 It is defined as
“[p]reserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary
information.”21 Confidentiality aims to ensure that only authorized
individuals or entities have access to a given computer, system, or network,
or to the data it holds.
Integrity is the idea that “the system and the data in it have not been
improperly altered or changed without authorization.”22 It assures that
sensitive data is consistent, accurate, and trustworthy throughout its life
cycle.23 There are two types of integrity: data integrity and system integrity.
Data integrity is “[t]he property that data has not been altered in an
unauthorized manner” and it “covers data in storage, during processing, and
while in transit.”24 System integrity is “[t]he quality that a system has when it
performs its intended function in an unimpaired manner, free from
unauthorized manipulation of the system.”25 Integrity is arguably the hardest
part of the CIA triad to defend, because unauthorized alteration can be far more
subtle than outright theft or deletion of data, is often difficult to detect, and
thus is often the aim of the most sophisticated attackers.26
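The distinction the text draws between protecting data integrity in storage and in transit, and the point that an unauthorized alteration can be subtle enough to go unnoticed, is easier to see in code. The following is an added example, not code from the Comment or from any source it cites. It compares two ways of protecting a stored record: an unkeyed SHA-256 digest kept next to the data, and an HMAC-SHA256 tag computed under a key that the storage provider never holds. An attacker with write access to the store (a compromised third party, in the Comment's terms) changes one digit of a balance; the unkeyed scheme accepts the rewritten record, the keyed scheme rejects it. The record format, the key, and the sample data are constructed for the example, and Python's standard library is the only dependency.

```python
import hashlib
import hmac
import secrets

# Constructed sample record: a customer row that a third-party storage
# provider might hold on a large company's behalf.
RECORD = b'{"id":1042,"name":"A. Example","balance_cents":125000}'

# Integrity key known only to the data owner, never to the storage provider.
# Generated fresh here so the example runs offline.
OWNER_KEY = secrets.token_bytes(32)


def sha256_hex(data: bytes) -> bytes:
    return hashlib.sha256(data).hexdigest().encode()


def hmac_hex(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode()


# --- Scheme A: unkeyed hash stored beside the record --------------------------
def seal_unkeyed(record: bytes) -> bytes:
    """Append a plain SHA-256 digest. Anyone can recompute it."""
    return record + b"|" + sha256_hex(record)


def verify_unkeyed(sealed: bytes) -> bool:
    record, sep, digest = sealed.rpartition(b"|")
    # compare_digest avoids leaking the digest through timing differences
    return bool(sep) and hmac.compare_digest(sha256_hex(record), digest)


# --- Scheme B: HMAC-SHA256 under the owner's key ------------------------------
def seal_keyed(record: bytes, key: bytes) -> bytes:
    """Append a keyed tag. Only a holder of the key can produce a valid one."""
    return record + b"|" + hmac_hex(key, record)


def verify_keyed(sealed: bytes, key: bytes) -> bool:
    record, sep, tag = sealed.rpartition(b"|")
    return bool(sep) and hmac.compare_digest(hmac_hex(key, record), tag)


# --- Attacker with write access to the store ----------------------------------
def attacker_rewrite_unkeyed(sealed: bytes) -> bytes:
    """Change one digit of the balance and recompute the digest.
    No secret is needed, so the alteration is indistinguishable from a
    legitimate write."""
    record, _, _ = sealed.rpartition(b"|")
    altered = record.replace(b"125000", b"925000", 1)
    return seal_unkeyed(altered)


def attacker_rewrite_keyed(sealed: bytes) -> bytes:
    """Same one-digit change. Without OWNER_KEY the attacker cannot compute
    a matching tag, so the best it can do is leave the old tag in place."""
    record, _, tag = sealed.rpartition(b"|")
    altered = record.replace(b"125000", b"925000", 1)
    return altered + b"|" + tag


def integrity_outcomes() -> dict:
    """Run both schemes against the same subtle alteration."""
    a = seal_unkeyed(RECORD)
    b = seal_keyed(RECORD, OWNER_KEY)
    return {
        "unkeyed_intact": verify_unkeyed(a),                                   # True
        "unkeyed_after_attack": verify_unkeyed(attacker_rewrite_unkeyed(a)),   # True: undetected
        "keyed_intact": verify_keyed(b, OWNER_KEY),                            # True
        "keyed_after_attack": verify_keyed(attacker_rewrite_keyed(b), OWNER_KEY),  # False: detected
        "keyed_wrong_key": verify_keyed(b, secrets.token_bytes(32)),           # False
    }


if __name__ == "__main__":
    for name, ok in integrity_outcomes().items():
        print(f"{name}: {ok}")
```

The same keyed check protects data in transit if the tag travels with the message and the receiver verifies before acting on the contents. The point the example makes is that a digest the custodian can recompute is a checksum, not an integrity control; detection requires a secret (a MAC key, or a signing key in the asymmetric case) that the party who could tamper with the data does not hold.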

17. Information includes “(1) Facts or ideas, which can be represented (encoded) as various
forms of data; (2) Knowledge (e.g., data, instructions) in any medium or form that can be
communicated between system entities.” Id.
18. Id.
19. SINGER & FRIEDMAN, supra note 13, at 35.
20. Id.
21. AN INTRODUCTION TO INFORMATION SECURITY, supra note 16, at 2–3.
22. SINGER & FRIEDMAN, supra note 13, at 35.
23. See NIELES ET AL., supra note 16, at 3.
24. Id.
25. Id.
26. See SINGER & FRIEDMAN, supra note 13, at 35; More Than 2.5 Billion Records Stolen or
Compromised in 2017, GEMALTO (Apr. 11, 2018), https://www.gemalto.com/press/pages
/more-than-2-5-billion-records-stolen-or-compromised-in-2017.aspx [https://perma.cc
/96JX-YPM3] (“The manipulation of data or data integrity attacks pose an arguably more
unknown threat for organizations to combat than simple data theft” because “data
integrity breaches are often difficult to identify and in many cases, where this type of
attack has occurred, we have yet to see the real impact.” (quoting Jason Hart, Vice
President and Chief Technology Officer for Data Protection at Gemalto)).

Availability is the idea of “being able to use the system as anticipated.”27 It
ensures the “timely and reliable access to and use of information.”28
Availability applies both to data, such as the availability of data in a system, and
to a system itself, such as the ability of an administrator to access the system more
generally.
Along with the CIA triad, experts also refer to a fourth property of
cybersecurity: resilience.29 Resilience “allows a system to endure security
threats instead of critically failing.”30 It includes the ability to operate and
maintain essential capabilities while under attack, as well as the ability to
ultimately recover and restore normal operations.31 This property stems from
the idea that cyber attacks are inevitable and therefore it is vital to ensure that
systems are resilient in the face of such attacks.32
Cybersecurity concerns arise when there are vulnerabilities in, or threats
to, these properties. A vulnerability is a weakness in a system and is akin to an
unlocked door. The proverbial unlocked door is not a threat unless someone
wants to enter.33 An actor that tries to access, use, or alter a system, or data in a
system, without authorization is a threat.34 Because an actor can exploit these
weaknesses, a vulnerability increases the likelihood that a threat will
succeed.35 Finally, the Identity Theft Resource Center, whose breach counts this
Comment relies on, defines a breach as “an incident in which an individual name
plus a Social Security Number, driver’s license number, medical record or
financial record (credit/debit cards included) is potentially put at risk.”36

27. SINGER & FRIEDMAN, supra note 13, at 35.
28. NIELES ET AL., supra note 16, at 3.
29. See, e.g., SINGER & FRIEDMAN, supra note 13, at 36 (“Beyond this classic CIA triangle of
security . . . it is important to add another property: resilience.”).
30. Id.
31. RICHARD KISSEL, NAT’L INST. OF STANDARDS & TECH., U.S. DEP’T OF COMMERCE, GLOSSARY
OF KEY INFORMATION SECURITY TERMS 160 (2013),
https://nvlpubs.nist.gov/nistpubs/ir/2013/nist.ir.7298r2.pdf [https://perma.cc/86PM-
UNGU]; SINGER & FRIEDMAN, supra note 13, at 36.
32. See, e.g., Fredrik Björck, Martin Henkel, Janis Stirna & Jelena Zdravkovic, Cyber
Resilience—Fundamentals for a Definition, in NEW CONTRIBUTIONS IN INFORMATION
SYSTEMS AND TECHNOLOGIES: ADVANCES IN INTELLIGENT SYSTEMS AND COMPUTING 311–
16 (Álvaro Rocha et al. eds., 2015).
33. SINGER & FRIEDMAN, supra note 13, at 37; NIELES ET AL., supra note 16, at 20.
34. See NIELES ET AL., supra note 16, at 20. Threats also include “natural disasters or erroneous
actions taken by individuals in the course of executing their everyday responsibilities.”
Id.
35. See id.
36. IDENTITY THEFT RES. CTR., DATA BREACH REPORTS 2 (2015), https://www.idtheft
center.org/images/breach/DataBreachReports_2015.pdf [https://perma.cc/T96P-Y3FQ].

B. Breadth and Scope of the Problem

Data breaches occur almost every day in nearly every industry, and in too
many places across the country and globe to keep a precise count. The
following examples are intended to illustrate the breadth and scope of data
breaches and cyber attacks. This is by no means a comprehensive list.
The account information of three billion Yahoo! users was compromised
after the company suffered a data breach in 2013.37 A cyber attack suffered by
eBay in 2014 exposed the names, addresses, dates of birth, and passwords of
145 million users.38 The personal information of 412 million people, including
twenty years of historical customer data, was exposed when
AdultFriendFinder was hacked in 2016.39 A data breach at Equifax, one of the
largest credit bureaus in the United States, exposed the personal information
of 145.5 million people, including Social Security numbers, dates of birth, and
in some cases drivers’ license numbers and credit card data.40 Moreover, in a
study conducted in the United Kingdom, nearly half of the businesses in the
nation reported cybersecurity breaches within a twelve-month period.41
But cybersecurity breaches are not limited to the private sector. The
Federal Reserve Bank of Cleveland was the victim of a cyberattack in 2010.42
Personal information, including Social Security numbers, of 22.1 million
people was stolen when the Office of Personnel Management was hacked in
2015.43 In the same year, the European Central Bank’s database—which

37. Selena Larson, Every Single Yahoo Account Was Hacked—3 Billion In All, CNN (Oct. 4,
2017, 6:36 AM), https://money.cnn.com/2017/10/03/technology/business/yahoo-
breach-3-billion-accounts/index.html [https://perma.cc/H5LG-JNJQ].
38. Jim Finkle, Soham Chatterjee & Lehar Maan, EBay Asks 145 Million Users to Change
Passwords After Cyber Attack, REUTERS (May 21, 2014, 4:21 AM), https://www.reuters.
com/article/us-ebay-password/ebay-asks-145-million-users-to-change-passwords-
after-cyber-attack-idUSBREA4K0B420140521 [https://perma.cc/3RS4-BHUE].
39. Steve Ragan, 412 Million FriendFinder Accounts Exposed by Hackers, CSO (Nov. 13, 2016,
8:00 AM), https://www.csoonline.com/article/3139311/security/412-million-friend
finder-accounts-exposed-by-hackers.html [https://perma.cc/7S5N-DZPE].
40. Borak & Vasel, supra note 4.
41. DEP’T FOR DIG., CULTURE, MEDIA & SPORT, CYBER SECURITY BREACHES SURVEY 2018 (2018)
https://assets.publishing.service.gov.uk/government/uploads/system/
uploads/attachment_data/file/702074/Cyber_Security_Breaches_Survey_2018_-
_Main_Report.pdf [https://perma.cc/PY67-4VJY].
42. Jonathan Dienst, Hacker Breaks Into Federal Reserve, NBC N.Y. (Nov. 18, 2010, 1:33 PM),
https://www.nbcnewyork.com/news/local/Feds-Hacker-Exploits-Federal-Reserve-
Bank-In-Cleveland-108985059.html [https://perma.cc/FC6V-E8GZ].
43. Patricia Zengerle & Megan Cassella, Millions More Americans Hit by Government
Personnel Data Hack, REUTERS (July 9, 2015, 12:51 PM),
https://www.reuters.com/article/us-cybersecurity-usa/millions-more-americans-hit-by-
government-personnel-data-hack-idUSKCN0PJ2M420150709
[https://perma.cc/ZLM8-ER3J].

includes information such as email addresses, phone numbers, and
addresses—was hacked, affecting 20,000 people.44 In 2016, the corporate filing
system of the Securities and Exchange Commission was breached, and it is
believed that the private information could have been exploited for trading.45
State actors also conduct cyber attacks, for various reasons. The 2016
breach of the Federal Reserve Bank of New York, in which $81 million was
stolen, has been linked to the North Korean government.46 North Korea has
also been blamed for the 2017 “WannaCry” ransomware cyberattack,47 and
was said to be “centrally involved” in the 2014 Sony Pictures hack.48 The 2016
hack of DNC emails, phone calls, and more, has been attributed, in part, to
Russia and has led to the DNC’s filing of a lawsuit against the country of Russia,
among other defendants.49
It is estimated that there were 1,765 data breach incidents in 2017, in
which 2.6 billion records were stolen, lost, or exposed—an increase of 88
percent from 2016.50 A Kaspersky Lab study found that the impact of a data
breach in North America now amounts to an average of $1.3 million for large
businesses and $117,000 per incident for small and midsize businesses.51
According to a study by the Ponemon Institute in 2017, the average size of data
44. Brian Honan, European Central Bank Hacked, CSO (July 31, 2015, 8:22 AM),
https://www.csoonline.com/article/2955278/data-breach/european-central-bank-
hacked.html [https://perma.cc/2YVE-RPBP].
45. Alexandra Stevenson & Carlos Tejada, S.E.C. Says It Was a Victim of Computer Hacking
Last Year, N.Y. TIMES (Sept. 20, 2017), https://www.nytimes.com/2017/09/20/business/
sec-hacking-attack.html [https://perma.cc/NAJ3-4ZG9].
46. See, e.g., North Korea Likely Behind $81M Hack at the Federal Reserve, Report Says, FOX
NEWS (Apr. 5, 2017), www.foxnews.com/tech/2017/04/05/north-korea-likely-behind-
81m-hack-at-federal-reserve-report-says.html [https://perma.cc/V6EZ-RUH6].
47. Kristen Eichensehr, Three Questions on the WannaCry Attribution to North Korea, JUST
SECURITY (Dec. 20, 2017), https://www.justsecurity.org/49889/questions-wannacry-
attribution-north-korea [https://perma.cc/79D9-9NVD]; see also infra notes 57–58 and
accompanying text.
48. Sanger & Perlroth, supra note 1.
49. Tom Hamburger, Rosalind S. Helderman & Ellen Nakashima, Democratic Party Sues
Russia, Trump Campaign and WikiLeaks Alleging 2016 Campaign Conspiracy, WASH.
POST (Apr. 20, 2018), https://www.washingtonpost.com/politics/democratic-party-files-
lawsuit-alleging-russia-the-trump-campaign-and-wikileaks-conspired-to-disrupt-the-
2016-campaign/2018/04/20/befe8364-4418-11e8-8569-26fda6b404c7_story.html?
utm_term=.588f72a3d3ce [https://perma.cc/TN9M-ZGBJ].
50. More Than 2.5 Billion Records Stolen or Compromised in 2017, supra note 26.
51. Kaspersky Lab Survey: Cyberattacks Cost Large Businesses in North America an Average of
$1.3M, KASPERSKY LAB (Sept. 19, 2017), https://usa.kaspersky.com/about/press-releases/
2017_kaspersky-lab-survey-cost-of-cyberattacks-for-large-businesses-in-north-america
[https://perma.cc/LVP6-AHW5].

breaches around the world increased in 2017 to more than 24,000 records per
breach, with the United States standing at an average of more than 28,000
records per breach.52 This study also estimated “an average probability of 27.7
percent that organizations in this study will have a material data breach in the
next 24 months.”53
While security appears to be receiving a larger percentage of large
companies’ overall Information Technology (IT) budget, the budget itself is
getting smaller.54 The average IT budget for large businesses dropped from
$25.5 million in 2016 to $13.7 million in 2017.55 This is troubling because,
according to experts, “[t]hings are bad and they’re going to get worse.”56 This
is not only because hackers are exploiting sophisticated government hacking
tools,57 but also because companies and government agencies frequently fail to
patch holes in their systems in a timely manner.58

52. PONEMON INST., 2017 COST OF DATA BREACH STUDY: GLOBAL OVERVIEW 11 (2017),
https://info.resilientsystems.com/hubfs/IBM_Resilient_Branded_Content/White_Pape
rs/2017_Global_CODB_Report_Final.pdf.
53. Id. at 1.
54. KASPERSKY LAB, supra note 51.
55. Id.
56. Selena Larson, Why Hacks Like Equifax Will Keep Happening, CNN (Sept. 29, 2017, 8:49
AM), money.cnn.com/2017/09/29/technology/business/equifax-hack-2017-cyberattacks/
index.html?iid=EL [https://perma.cc/6JQY-FSYA].
57. In 2017, a group of hackers released a collection of spy tools allegedly used by the National
Security Agency (NSA) that could be used to exploit vulnerabilities in Microsoft
Windows computers and servers. See, e.g., Selena Larson, NSA’s Powerful Windows
Hacking Tools Leaked Online, CNN (Apr. 15, 2017, 12:13 PM), money.cnn.
com/2017/04/14/technology/windows-exploits-shadow-brokers/index.html?iid=EL
[https://perma.cc/RK34-D3PZ]. The leaked NSA exploit exposed a vulnerability in the
Microsoft Windows operating system that hackers used to create ransomware called
“WannaCry,” which infected over 300,000 computers around the globe in May 2017. See
Danny Palmer, Your Failure to Apply Critical Cybersecurity Updates Is Putting Your
Company at Risk From the Next WannaCry or Petya, ZDNET (Aug. 21, 2017),
https://www.zdnet.com/article/your-failure-to-apply-critical-cyber-security-updates-
puts-your-company-at-risk-from-the-next [https://perma.cc/R4AR-W3TD].
58. A recent study conducted by the cybersecurity ratings company BitSight revealed that
more than 50 percent of computers in over 2000 organizations run an outdated version
of Microsoft Windows and more than 8500 companies have failed to update their web
browsers on more than half of their machines. Joel Alcon, Latest BitSight Insights Explores
A Growing Risk Frequently Ignored: Critical Updates, BITSIGHT (June, 8, 2017), https://
www.bitsighttech.com/blog/latest-bitsight-insights-explores-growing-risk-frequently-
ignored-critical-updates [https://perma.cc/DR2Z-QF7N]. Although Microsoft released
an emergency patch for their operating system in response to the WannaCry
ransomware, many companies, including the multinational electronics company LG,
failed to apply the security patches. LG Hit by WannaCry Ransomware After IT Staff Fail
to Apply Security Patches, COMPUTING (Aug. 18, 2017), https://www.computing.co.uk/
ctg/news/3015875/lg-hit-by-wannacry-ransomware-after-it-staff-fail-to-apply-
security-patches [https://perma.cc/G349-9QEW].

More importantly, the future of cybersecurity breaches seems bleak if the
status quo remains because of companies’ increasing reliance on third
parties.59 Companies often outsource tasks to a third party such as
transporting and distributing goods, processing orders and collecting
payments, managing inventory, and managing stored data.60 These third
parties market themselves as being able to leverage their global partnerships
and established infrastructure in order to deliver flexible service options,
allowing a business to focus on its own core competencies to drive down
costs.61
A study conducted by Armstrong & Associates, a supply chain
management consultancy, found that 90 percent of Fortune 500 companies
operating within the United States have sought assistance from one or more
third parties.62 The report also predicted a continued increase in third-party
usage.63
So why is this consequential to cybersecurity breaches? The Ponemon
Institute study found that 56 percent of businesses have had a third-party data
breach—an increase from 2016—and 57 percent lack an inventory of all third
parties with which they share sensitive information.64 Meanwhile, the average
number of third parties with access to confidential or sensitive information
increased from 2016.65 Moreover, less than half of the respondents said that
managing outsourced relationship risks is a priority in their organization, and
only 17 percent of respondents rated their companies’ effectiveness in
mitigating third-party risk as “highly effective.”66 Importantly, data breaches

59. See DELOITTE, OVERCOMING THE THREATS AND UNCERTAINTY: THIRD-PARTY
GOVERNANCE AND RISK MANAGEMENT 5 (2017), https://www2.deloitte.com/content/
dam/Deloitte/ch/Documents/risk/ch-en-third-party-gov-risk-management-2017-inter
active.pdf [https://perma.cc/UJZ7-AJLP] (finding that “strategic dependence on [third
parties] continues to increase”).
60. Contract Logistics, INVESTOPEDIA, https://www.investopedia.com/terms/c/contract-log
istics.asp [https://perma.cc/L2HN-EB8S].
61. See, e.g., The Evolution of 3PL and How It Can Solve Your Business’ Supply Chain
Challenges, LEGACY SUPPLY CHAIN SERVS., https://legacyscs.com/evolution-of-3pl-
supply-chain-challenges [https://perma.cc/R49H-LEK3].
62. Jeff Berman, Armstrong Report Points to Continued Increase in 3PL Usage by Shippers,
LOGISTICS MGMT. (May 24, 2017), https://www.logisticsmgmt.com/article/armstrong_
report_points_to_continued_increase_in_3pl_usage_by_shippers [https://perma.cc/W
LD7-CF7R].
63. Id.
64. PONEMON INST., DATA RISK IN THE THIRD-PARTY ECOSYSTEM: SECOND ANNUAL STUDY 3
(2017).
65. Id.
66. Id. at 6.

involving third parties are the most expensive type of cybersecurity
incidents.67
A third-party attack occurs when someone “infiltrates [a] system through
an outside partner or provider with access to . . . systems and data.”68 Because
many companies have vast supplier and partner networks that are made up of
many smaller partners, these third parties are easier targets for attackers.69 In
fact, “[t]he larger the company, the more likely it will have at least one
relationship with a [third party].”70 Thus, “most financial institutions have
tens of thousands of supplier relationships.”71 The former superintendent of
the New York State Department of Financial Services, Benjamin M. Lawsky,
astutely noted that “[i]n many ways, a company’s cyber security is only as
strong as the cyber security of its third-party vendors.”72
Smaller companies contracting with Fortune 500 or other large
companies often do not have the same level of security measures as the larger
company, even though they carry much of the larger company’s sensitive and
confidential information.73 This is often the case because the larger company’s
focus is “always on the [third party’s] service being rendered, and making sure
the service is of the highest quality, performance, and uptime,”74 rather than on
the third party’s security measures—indeed, a third party’s quick response,
cheaper service costs, and high quality are sometimes achieved at the expense

67. KASPERSKY LAB, DAMAGE CONTROL: THE COST OF SECURITY BREACHES 5 (2015),
https://media.kaspersky.com/pdf/it-risks-survey-report-cost-of-security-breaches.pdf
[https://perma.cc/6J3W-MUZ3].
68. Maria Korolov, What is a Supply Chain Attack? Why You Should Be Wary of Third-Party
Providers, CSO (Apr. 4, 2018, 8:15 AM), https://www.csoonline.com/article/3191947
/data-breach/what-is-a-supply-chain-attack-why-you-should-be-wary-of-third-party-
providers.html [https://perma.cc/C624-FG9Q].
69. See SECURITYSCORECARD, WHY THIRD PARTY SECURITY BREACHES ARE ON THE RISE 1
(2016) (“The insecure entry points of third party systems are being heavily targeted,
especially when third parties are smaller organizations with limited security resources
and are connected to larger organizations with employee data, customer records, and
credit card information.”).
70. Berman, supra note 62.
71. SECURITYSCORECARD, supra note 69, at 1.
72. Michelle Drolet, The Challenges of Third-Party Risk Management, CSO (Nov. 17, 2015,
11:40 AM), https://www.csoonline.com/article/3005320/application-security/the-
challenges-of-third-party-risk-management.html [https://perma.cc/YV3W-GWFC].
73. SECURITYSCORECARD, supra note 69, at 2 (“In over 60% of [third-party] breaches,
attackers were able to infiltrate the target within minutes,” as smaller companies do not
always have “sophisticated protocols in place to ensure that all data is secure in their own
data—and partners’ data.”).
74. Id.

of security.75 Thus a hacker can attack the weakest link in the chain and gain
access to a larger and more secured company’s data.76
A third party was the attack vector77 in the 2013–2014 Target data
breach.78 Fazio Mechanical Services, a ventilation and air conditioning
(HVAC) subcontractor, worked at a number of Target locations and had
external network access.79 It is common for large retail operations to give this
type of access to their HVAC servicers because these “vendors need to be able
to remote into the system in order to do maintenance (updates, patches, etc.)
or to troubleshoot glitches and connectivity issues with the software.”80
Hackers stole Fazio’s network credentials and gained access to Target’s
systems, uploading credit-card stealing software to a number of cash registers
within Target stores.81 This breach exposed forty million Target credit and
debit card numbers as well as sixty million personal information records of
customers.82
A third party was also the weakest link in the 2015 cyberattack on CVS
Photo, in which hackers breached the servers of PNI Digital Media, a company
that handled the credit card transactions for the photo-uploading site.83
Similarly, in 2014 Goodwill Industries was breached through C&K Systems
Inc., their third-party payment vendor.84 Many other large organizations have
had their servers breached because of poor third-party security: Philips (2012),
Cogent Healthcare (2013), Lowe’s (2014), Dairy Queen and TacoTime (2014),
Home Depot (2014), Department of Veterans Affairs (2014), Zoup (2015),

75. Id.
76. See infra note 148 and accompanying text.
77. “An attack vector is a path or means by which a hacker . . . can gain access to a computer
or network server. . . . ” Margaret Rouse, Attack Vector, SEARCHSECURITY,
https://searchsecurity.techtarget.com/definition/attack-vector [https://perma.cc/2RLC-
A7XN].
78. Brian Krebs, Target Hackers Broke in Via HVAC Company, KREBSONSECURITY (Feb. 5,
2014, 1:52 PM), https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-
company [https://perma.cc/9TJD-BJ99].
79. Id.
80. Id.
81. Id.
82. Robert Bond, Poor Third-Party Vendor Security Can Lead to Data Breach, HITACHI SYS.
SECURITY (Oct. 31, 2017), https://www.hitachi-systems-security.com/blog/poor-third-
party-vendor-security-can-lead-to-data-breach [https://perma.cc/2HD4-2VBH].
83. Brian Krebs, CVS Probes Card Breach at Online Photo Unit, KREBSONSECURITY (July 17,
2015, 10:15 AM), https://krebsonsecurity.com/2015/07/cvs-probes-card-breach-at-
online-photo-unit [https://perma.cc/V3TN-LDAA].
84. Brian Krebs, Breach at Goodwill Vendor Lasted 18 Months, KREBSONSECURITY (Sept. 16,
2014, 3:21 PM), https://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-
lasted-18-months [https://perma.cc/6RT2-NJNM].

AT&T Services, Inc. (2015), Harbortouch (2015), Clif Family Wineries (2015),
Louisville Metro Government (2015), Detroit Zoo (2015), California State
University (2015), Jimmy John’s (2015), Netflix (2015), Sonic Drive-In (2017),
and Whole Foods (2017).85
A company is responsible for ensuring that third-party contractors
implement reasonable security measures.86 This is problematic because
building trust between a company and a third party can be difficult,87 and third
parties often evade FTC enforcement actions.88
Breaches of third-party service providers are not limited to the private
sector. More recently, in 2018 the Secretary of the Navy released a
“Cybersecurity Review” that directed, among other things, a “[r]eview [of] the
appropriateness of the Navy’s organizational culture and that of its supporting
contractors.”89 This Review came in light of an “increase[] in both the severity
and sophistication” of “attempts to steal critical information” that resulted in
“several significant compromises of classified information.”90 Additionally,
hackers gained access to the personal information and credit card numbers of
Department of Defense personnel through a system maintained by a third-
party contractor.91

II. CYBERSECURITY ENFORCEMENT IN THE UNITED STATES

Despite the growing threat and cost of cybersecurity breaches, there is no


consensus on how best to address the issue. Congress has yet to pass a
comprehensive law, and has instead decided to target individual industries.92
A partnership between the private and public sectors may be one solution, but
drawing proper lines of authority and responsibility between the two sectors

85. See, e.g., PROSKAUER, PRIVACY AND DATA SECURITY, RECENT DATA SECURITY BREACHES
INVOLVING THIRD-PARTY VENDORS (2017), https://www.privacyandsecurityforum.com
/wp-content/uploads/2015/10/25092-Privacy-and-Data-Security-Breach.pdf
[https://perma.cc/4UFQ-W4UW]; Bond, supra note 82.
86. See infra Part II.A.4.
87. See infra notes 144–146 and accompanying text.
88. See infra Part II.B.
89. Memorandum from Richard V. Spencer, Sec’y of the Navy on Cybersecurity Review (Oct.
12, 2018), https://www.wsj.com/public/resources/documents/NavyMemo10-12-
2018.pdf?mod=article_inline [https://perma.cc/2HTU-3Z9K].
90. Id.
91. See Lee Mathews, Department of Defense Data Breach Exposes 30,000 Employees, FORBES
(Oct. 14, 2018, 11:48 AM),
https://www.forbes.com/sites/leemathews/2018/10/14/department-of-defense-data-
breach-exposes-30000-employees/#715db06f1a6b [https://perma.cc/TC8W-J9VR].
92. See infra note 105 and accompanying text.

can pose a challenge.93 Recommendations for international coordination to
harmonize cybersecurity policies and practices have also been made.94
However, there is often tension within the government regarding who should
be responsible for enforcing cybersecurity.95 Moreover, there are
disagreements about whether cybersecurity should be regulated through
policy, standards, guidelines, or a combination thereof.96 This gap in
enforcement has been filled by the FTC, which has redefined the “unfair
practices” in its purview to include inadequate cybersecurity.
Since 2002, the FTC has extended its oversight of reasonable security
measures over all companies operating in the United States by assuming the
role of “cybersecurity police.” Section 5 of the FTC Act prohibits “unfair or
deceptive business practices in or affecting commerce.”97 Even though the Act,
which dates back to 1914, does not mention cybersecurity, the FTC has long
maintained that Congress intended the word “unfair” to be interpreted
broadly and flexibly “to allow the agency to protect consumers as technology
changes.”98 The FTC has brought over sixty enforcement actions “against
companies that have engaged in unfair or deceptive practices that failed to
adequately protect consumers’ personal data.”99 From 2002 to 2012, all
cybersecurity enforcement actions brought under the FTC resulted in
negotiated settlements and no company tested the FTC’s authority to regulate

93. See, e.g., Kristen E. Eichensehr, Public-Private Cybersecurity, 95 TEX. L. REV. 467, 473
(2017) (“[T]he system is complicated and will require context-dependent solutions to
novel relationships that will continue to evolve as both the government and the private
sector attempt to improve cybersecurity.”).
94. See, e.g., COMM’N ON ENHANCING NAT’L CYBERSECURITY, REPORT ON SECURING AND
GROWING THE DIGITAL ECONOMY (2016), https://www.nist.gov/sites/default/files
/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf
[https://perma.cc/977U-MEJS].
95. See, e.g., Eichensehr, supra note 15 (highlighting the tension between consumer
protection and law enforcement/intelligence agencies).
96. See, e.g., FIN. SECTOR ADVISORY CTR., WORLD BANK GRP., FINANCIAL SECTOR’S
CYBERSECURITY: A REGULATORY DIGEST (2017), pubdocs.worldbank.org/en/524
901513362019919/FinSAC-CybersecDigestOct-2017-Dec2017.pdf [https://perma.cc
/B3RA-HEF8].
97. Federal Trade Commission Act of 1914, 15 U.S.C. § 45(a) (2012).
98. William R. Denny, Cybersecurity as an Unfair Practice: FTC Enforcement Under Section 5
of the FTC Act, BUS. L. TODAY, June 2016, at 1.
99. FED. TRADE COMM’N, PRIVACY & DATA SECURITY UPDATE: 2017 4 (2017),
https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-
2017-overview-commissions-enforcement-policy-initiatives-
consumer/privacy_and_data_security_update_2017.pdf [https://perma.cc/X3V6-BG
PD] [hereinafter FTC PRIVACY & DATA SECURITY UPDATE].

cybersecurity.100 That changed when the FTC sued Wyndham Worldwide
Corp. in 2012.
In 2012, the FTC sued Wyndham Worldwide Corp. for engaging in unfair
cybersecurity practices that “unreasonably and unnecessarily exposed
consumers’ personal data to unauthorized access and theft” after the company
suffered three breaches between 2008 and 2009.101 Wyndham argued that the
FTC did not have the authority to regulate cybersecurity under the Act and that
there was no “fair notice of the specific cybersecurity standards the company
was required to follow.”102 The Third Circuit rejected both of these arguments
and held for the first time that the FTC had authority to regulate companies’
cybersecurity standards and that these companies are on notice.103 FTC
Chairwoman Edith Ramirez welcomed the decision and stated that “[i]t is not
only appropriate, but critical, that the FTC has the ability to take action on
behalf of consumers when companies fail to take reasonable steps to secure
sensitive consumer information.”104

A. What is “Unreasonable”?

The FTC brings enforcement actions against companies whose security is
“unreasonable.”105 This intentional legal ambiguity is appropriate for

100. See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 243–45 (3d Cir. 2015); Denny,
supra note 98.
101. Wyndham Worldwide Corp., 799 F.3d at 240.
102. Id. at 249.
103. Id. at 255.
104. Statement from FTC Chairwoman Edith Ramirez on Appellate Ruling in the Wyndham
Hotels and Resorts Matter, FED. TRADE COMM’N (Aug. 24, 2015),
https://www.ftc.gov/news-events/press-releases/2015/08/statement-ftc-chairwoman-
edith-ramirez-appellate-ruling-wyndham [https://perma.cc/5BCZ-4TZK].
105. See, e.g., FTC PRIVACY & DATA SECURITY UPDATE, supra note 99, at 4 (“Since 2002, the
FTC has brought over 60 cases against companies that have engaged in unfair or deceptive
practices that put consumers’ personal data at unreasonable risk.”). The main
cybersecurity statutes also require a “reasonable” level of security. See Financial Services
Modernization Act of 1999, Pub. L. No. 106–102, 113 Stat. 1338 (1999) (requires
reasonable data security measures for nonbank financial institutions); Children’s Online
Privacy Protection Act of 1998, Pub. L. No. 105–277, 112 Stat. 2681–728 (1998) (requires
reasonable security measures for data about children collected online); Health Insurance
Portability and Accountability Act of 1996, Pub. L. No. 104–191, 110 Stat. 1936 (1996)
(requires reasonable safeguards for personal health information); Fair Credit Reporting
Act, Pub. L. No. 91–508, 84 Stat. 1128 (1970) (requires credit reporting agencies to use
reasonable procedures to ensure proper disclosure of consumer information).

cybersecurity procedures because it gives regulators flexibility to update their
interpretation as technology changes.106
In 2015 the FTC released a guidebook on cybersecurity best practices,
titled “Start with Security: A Guide for Business,” to clarify some of the “lessons
learned from FTC cases.”107 It is worth noting that the published FTC
enforcement actions “are settlements—no findings have been made by a
court—and the specifics of the orders apply just to those companies.”108 Along
with the FTC guidelines, the National Institute of Standards and Technology
(NIST) has also published guidelines to help companies understand what is
and is not reasonable.109 According to the FTC, “NIST’s Cybersecurity
Framework is consistent with the process-based approach that the FTC has
followed.”110 These guidelines are important because they allow companies to
gauge when the absence of a certain technology would be considered
unreasonable and thus merit an enforcement action by the FTC.
Since the settlement with Microsoft in 2002, the FTC has made it clear
that companies handling consumer information must implement a security
program that contains “technical . . . safeguards appropriate to [the
company’s] size and complexity, the nature and scope of [its] activities, and the
sensitivity of the personal information collected from or about consumers.”111
The NIST Framework also recommends that a company look at the costs,
benefits, and risks, and the company’s ability to fund and implement a certain
procedure or technology.112 The FTC requires that data security procedures be

106. See FTC PRIVACY & DATA SECURITY UPDATE, supra note 99, at 1 (“This broad authority
allows the Commission to address a wide array of practices affecting consumers,
including those that emerge with the development of new technologies . . . .”).
107. FED. TRADE COMM’N, START WITH SECURITY: A GUIDE FOR BUSINESS (2015),
https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsec
urity.pdf [https://perma.cc/UC3F-Y2MW] [hereinafter START WITH SECURITY].
108. Id. at 1.
109. See NAT’L INST. OF STANDARDS & TECH., supra note 12.
110. Andrea Arias, The NIST Cybersecurity Framework and the FTC, FED. TRADE COMM’N
(Aug. 31, 2016, 2:34 PM), https://www.ftc.gov/news-events/blogs/business-
blog/2016/08/nist-cybersecurity-framework-ftc [https://perma.cc/4HRA-JP8C] (“In
February 2013, President Obama issued Executive Order 13636, ‘Improving Critical
Infrastructure Cybersecurity,’ which called on the Department of Commerce’s National
Institute of Standards and Technology (NIST) to develop a voluntary risk-based
Cybersecurity Framework for the nation’s critical infrastructure—that is, a set of industry
standards and best practices to help organizations identify, assess, and manage
cybersecurity risks.”) The NIST Framework is a compilation of guidelines and “does not
introduce new standards or concepts.” Id.
111. Microsoft Corp., Docket No. C-4069 (Fed. Trade Comm’n Dec. 20, 2002) (decision and
order).
112. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 14–15.

“reasonably designed to protect the security, confidentiality, and integrity” of
information.113 The following are some guidelines that would be relevant to
the incorporation of blockchain technology into the FTC’s understanding of
reasonableness. By applying these guidelines, the FTC can find that it is
unreasonable for certain companies to not incorporate blockchain technology
as part of their comprehensive cybersecurity plan.

1. Failing to Adopt Readily Available Technology

A company should keep their security “current”114 and employ readily
available technology,115 including “protective technologies” that “ensure the
security and resilience of systems and assets.”116 Specifically, companies
should “incorporat[e] advanced cybersecurity technologies” to ensure that
they “actively adapt[] to a changing threat and technology landscape and
respond[] in a timely and effective manner to evolving, sophisticated
threats.”117 A software system that is generally accepted by the industry “can
be considered reasonable even if it is imperfect.”118 Conversely, operating on
outdated software that leaves systems especially vulnerable can be
unreasonable.119 In the matter of HTC America Inc., the FTC alleged that the
company failed to implement “readily available” measures to address
vulnerabilities in its systems and thus “plac[ed] sensitive information at
risk.”120 According to the FTC, HTC America could have “add[ed] a few lines

113. Microsoft Corp., supra note 111, at 2; EPN, Inc., Docket No. C-4370, at 2 (Fed. Trade
Comm’n Oct. 3, 2012) (decision and order); Genelink, Inc., Docket No. 112 3095, at 7
(Fed. Trade Comm’n Aug. 2013) (decision and order).
114. START WITH SECURITY, supra note 107, at 12.
115. See HTC America, Inc., 155 F.T.C. 1617 (2013). The FTC takes it upon itself to stay
current with the most recent technological developments, through studies and
workshops, and has even been dubbed the “Federal Technology Commission.” See Neil
Chilson, How the FTC Keeps Up on Technology, FTC (Jan. 4, 2018, 11:52 AM),
https://www.ftc.gov/news-events/blogs/techftc/2018/01/how-ftc-keeps-technology
[https://perma.cc/AN3L-UYZX].
116. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 36.
117. Id. at 10.
118. Paul N. Otto, Reasonableness Meets Requirements: Regulating Security and Privacy in
Software, 59 DUKE L.J. 309, 340 (2009).
119. See Letter from Maneesha Mithal, Assoc. Dir., Div. of Privacy & Identity Prot., Fed. Trade
Comm’n, to Dana Rosenfeld, Counsel for Verizon Commc’ns, Inc. (Nov. 12, 2014),
https://www.ftc.gov/system/files/documents/closing_letters/verizon-co
mmunications-inc./141112verizonclosingletter.pdf [https://perma.cc/F7MX-XJ
MC]; TRENDnet, Inc., Docket No. C-4426 (Fed. Trade Comm’n Jan. 16, 2014).
120. HTC America Inc., 155 F.T.C. at *4.

of . . . code” to implement “secure communications mechanisms” to address
these vulnerabilities.121
A study of past enforcement actions found that the FTC is increasingly
shifting their focus to companies’ handling of information and improvement
of security procedures.122 Specifically, the FTC has increasingly brought
enforcement actions against companies with “vulnerabilities that target
specific technological failures with known solutions.”123 It is important for
companies to follow this trend because as technology changes, so too does the
meaning of “known solutions.” As a result, the reasonableness of a company’s
cybersecurity technology constantly evolves.

2. Leaving Gaps in Encryption/Security in the Storage-Transmission Chain

In order to protect information, technology and procedures must be
implemented to enable a company to “[s]tore sensitive personal information
securely and protect it during transmission.”124 Procedures that increase the
risk of breach from a compromise of an employee or third-party service
provider’s credentials can be unreasonable.125 Additionally, transporting
information in a manner that makes it susceptible to theft or misappropriation
can be unreasonable.126
The FTC enforcement action against Superior Mortgage Corp. illustrates
the principle that storing and transmitting sensitive information must be done
securely, even when done by a third-party service provider. Superior Mortgage
Corp. hired a third party to supply maintenance to the servers that stored
sensitive personal information.127 The FTC alleged that the sensitive personal
information on the servers was originally encrypted, but was decrypted by the
third-party service provider before being sent to Superior Mortgage Corp.128

121. Id. at *6.
122. Travis D. Breaux & David L. Baumer, Legally “Reasonable” Security Requirements: A 10-
Year FTC Retrospective, 30 COMPUTERS & SECURITY 178 (2011).
123. Id. at 191.
124. START WITH SECURITY, supra note 107, at 6.
125. See Twitter, Inc., 151 F.T.C. 162, 170 (2011); see also START WITH SECURITY, supra note
107, at 8 (stating that a network is only as secure as the weakest link that is connected to
it).
126. See CBR Systems, Inc., 155 F.T.C. 841 (2013); Accretive Health, Inc., Docket No. C-4432,
at 3 (Fed. Trade Comm’n Feb. 5, 2014) (decision and order).
127. Complaint at 929, Superior Mortgage Corp., 140 F.T.C. 926 (2005) (No. C-4153), 2005
WL 6241024.
128. Id.

The FTC made it clear that this risk could have been prevented by ensuring that
the data was secure throughout its lifecycle.129 Security procedures and
technology must protect the confidentiality, integrity, and availability of data
while it is in storage and in transit.130

3. Responding and Recovering Too Slowly From Breaches

According to the FTC, not adequately responding to and recovering from
an incident can be unreasonable.131 Companies should implement procedures
and technologies that allow them to successfully respond to attempted and
successful cyber attacks.132 This includes containing and mitigating these
incidents.133 Moreover, procedures and technologies should allow a company
to maintain resilience and restore the capabilities or services that were
impaired due to an incident.134 Companies must be able to “move quickly to
fix” the problem and ensure timely recovery to normal operations.135

4. Inadequately Policing the Security of Third-Party Service Providers

A company is responsible for ensuring that its third-party service
providers implement reasonable security measures,136 and failure to do so can

129. Id. at 2–3.
130. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 30–32.
131. See First Amended Complaint for Injunctive and Other Equitable Relief at 11–12, FTC v.
Wyndham Worldwide Corp., No. CV-12-1365-PHX-PGR, 2013 WL 1222491 (D. Ariz.
March 25, 2013), 2012 WL 3281910; ASUSTek Computer, Inc., Docket No. C-4587, at 7
(Fed. Trade Comm’n July 18, 2016); Oracle Corp., Docket No. C-4571, at 3–4 (Fed. Trade
Comm’n Mar. 28, 2016).
132. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 8.
133. Id.
134. Id.
135. START WITH SECURITY, supra note 107, at 12; see also NAT’L INST. OF STANDARDS & TECH.,
supra note 12, at 8.
136. See, e.g., Standards for Safeguarding Customer Information, 16 C.F.R. § 314 (2018)
(companies are required to ensure that third parties safeguard customer information in
their care); START WITH SECURITY, supra note 107, at 11 (the FTC recommends that
companies ensure that “service providers implement reasonable security measures”); see
also NIELES ET AL., supra note 16, at 69 (recommending that organizations “ensure that
third-party providers employ adequate security measures”); NAT’L INST. OF STANDARDS &
TECH., supra note 12, at 16 (organizations should determine the cybersecurity
requirements for suppliers and enact those requirements through formal agreements);
JUDITH H. GERMANO, CTR. FOR CYBERSECURITY, THIRD-PARTY CYBER RISK & CORPORATE
RESPONSIBILITY 4 (2017) https://www.lawandsecurity.org/wp-content/
uploads/2017/02/Germano.NYU_.ThirdPartyRiskWhitepaper.Feb2017.pdf [https://
perma.cc/554Y-LQ6Z] (companies must conduct their own due diligence to determine
“whether a third party’s security practices pose an unacceptable risk to an organization”).

be unreasonable.137 This includes not only “determining” the adequate
cybersecurity requirements of third-party services providers, but also
“verifying” that the requirements are met.138 Allowing a third party to operate
on outdated software poses a security risk and thus can be unreasonable.139
Failing to adequately reduce the risk posed by a third party can also be
unreasonable.140 In the case of Dave & Buster’s, the FTC alleged that hackers
exploited the security weaknesses in the third-party credit card processing
company’s system and intercepted personal information.141 Dave & Buster’s
actions were unreasonable because they could have reduced the risk and
breadth of data compromise by better monitoring of the third party.142

B. Cybersecurity of Third Parties and Inconsistent Enforcement

The current structure of enforcing reasonable security measures of third
parties is problematic because the company outsourcing the service is expected
to ensure that the third party has adequate security (i.e., the third party is
“trusted”).143 Building trust can be challenging because getting a third party to
focus on security and finding the right people who can provide that security
can be difficult, time consuming, and expensive.144 Moreover, “the problem is
made more challenging due to a lack of standard security practices for
evaluating particular scenarios.”145 The oversight programs that are currently
in place have been found to be “insufficient to manage third-party risks.”146
This is an important issue because companies are increasingly relying on
“trusted” third parties,147 yet the FTC brings enforcement actions against the
company contracting out services (the larger company), instead of the party

137. See Complaint for Permanent Injunction and Other Equitable Relief, FTC v. Ruby Corp.,
No. 1:16-cv-02438 (D.D.C. 2016 Dec. 14, 2016) [hereinafter Ashley Madison Complaint];
GMR Transcription Servs., Inc., Docket No. C-4482 (Fed. Trade Comm’n Aug. 14, 2014)
[hereinafter GMR Transcription Complaint].
138. NAT’L INST. OF STANDARDS & TECH., supra note 12, at 16.
139. See TJX Companies, Inc., Docket No. C-4227, at 2–3 (Fed. Trade Comm’n July 29, 2008)
(complaint).
140. START WITH SECURITY, supra note 107, at 9; see also CardSystems Solutions, Inc., Docket
No. C-4168, at 2 (Fed. Trade Comm’n Sept. 5, 2006) [hereinafter CardSystems Solutions
Complaint]; Dave & Buster’s, Inc., 149 F.T.C. 1450 (2010) [hereinafter Dave & Buster’s
Complaint].
141. Dave & Buster’s Complaint, supra note 140, at 1452.
142. START WITH SECURITY, supra note 107, at 8.
143. See supra note 136 and accompanying text.
144. GERMANO, supra note 136, at 4.
145. Id.
146. PONEMON INST., supra note 64, at 3.
147. See supra notes 59–63 and accompanying text.

that was initially breached (the third party). For example, in the matters of
CardSystems Solutions, Dave & Buster’s, GMR Transcription Services, and
Ashley Madison, the FTC brought enforcement actions against the named
parties instead of the third parties that had their networks breached due to
inadequacies in their own security measures.148 In essence, a third party that
handles the same confidential and sensitive information as the larger
contracting company escapes FTC enforcement and thus is not required to
have reasonable security measures. The FTC’s enforcement of reasonable
security measures against the big fish does not deter third parties from having
unreasonable security measures. This leaves the regulation of third-party
security solely in the hands of a contracting company. Under this framework,
third parties will continue to pose security risks and will remain the weakest
link, unless the contracting companies know how to assess their cybersecurity.

III. WHAT IS BLOCKCHAIN?

A. Blockchain Technology

As a relatively new technology that employs a sophisticated system of
cryptographic mathematics, blockchain has been defined in many different
ways, and there is not much consensus on the proper definition.149 Some
commentators refer to blockchain by analogy and describe it as a massive,
immutable, and distributed Google Spreadsheet.150 Others describe it in
simple terms as a system that allows you to “validate, with absolute certainty, a
source and destination for any transaction”151 and “manufacture trust through
clever code.”152
Perhaps the best definition describes blockchain by its central elements:
an electronic transaction ledger that is decentralized, immutable, consensus-

148. See CardSystems Solutions Complaint, supra note 140; Dave & Buster’s Complaint, supra
note 140; GMR Transcription Complaint, supra note 137; Ashley Madison Complaint,
supra note 137.
149. SHAWN S. AMUIAL, JOSIAS N. DEWEY & JEFFREY R. SEUL, THE BLOCKCHAIN: A GUIDE FOR
LEGAL AND BUSINESS PROFESSIONALS 2 (2016) [hereinafter LEGAL AND BUSINESS
BLOCKCHAIN GUIDE] (“Blockchain may be one of the least understood of the technologies
currently thought to be driving a Fourth Industrial Revolution.”) (footnote omitted).
150. See Jonathan Shieber, Colu Aims to Bring Blockchain Technology Everywhere,
TECHCRUNCH (Jan. 27, 2015), https://techcrunch.com/2015/01/27/colu-aims-to-bring-
blockchain-technology-everywhere [https://perma.cc/T97F-YLUH] (quoting Amos
Meiri, the chief executive and cofounder of Colu, a Tel Aviv-based startup company).
151. How to Web, John McAfee: About Blockchain, Bitcoins and Cyber Security, YOUTUBE
(Feb. 23, 2017), https://www.youtube.com/watch?v=G5S0bK8mqAM.
152. TAPSCOTT & TAPSCOTT, supra note 11, at 5.

driven, and secured by cryptographic verification.153 But just as important as
its specific elements is blockchain’s goal—and chief technological
breakthrough—which is to establish trust between two parties without the use
of a trusted third party.
Most simply, blockchain is a ledger.154 A ledger is a database that can store
all sorts of information,155 for example, a complete record of all transactions
over the life of a company.156 The ledger maintained by a blockchain tracks the
transfer of information from the transferor to the transferee.157 However,
unlike a traditional ledger, “a blockchain ledger is considered decentralized
because transactions are stored on (several thousand) computers connected to
a common network via the Internet.”158 The computers, called nodes, are the
recordkeepers who update the ledger. This peer-to-peer platform ensures that
“only information upon which the network reaches consensus will be included
in the blockchain.”159
For example, suppose a particular blockchain is tasked with recording a
series of transactions. One node initiates the first transaction, A, and all of the
nodes process it and reach a consensus—“A.” Another node initiates the
second transaction, B, and all of the nodes process it and reach a further
consensus—“A+B,” that is, the agreed history is now A followed by B. Each node
is now storing this same chain of transactions, and the process can be repeated
indefinitely.
On the Bitcoin network, for example, the node that successfully assembles a
new block of validated transactions and appends it to the blockchain is rewarded
with a certain amount of bitcoin (newly issued coins plus the fees attached to the
transactions it included).160 But it is worth noting that “coins” such as bitcoin
are not necessary. Some kind of incentive is needed so that nodes validate
transactions correctly, but that incentive need not be a cryptocurrency; on a
permissioned network it can be a fee paid in any medium, or simply a contractual
obligation to operate a node honestly.
The genius of blockchain technology is its combination of two breakthroughs
in computer science, both of which won Turing Awards.161 Asymmetric
cryptography lets any node check that a transaction was authorized by the holder
of the corresponding private key, because each transaction carries a digital
signature that can be verified using the public key alone.162 Distributed-systems
research supplies the consensus protocols under which a transaction counts as
valid only once the network as a whole agrees on its inclusion and on its order
relative to other transactions.163

153. VIMI GREWAL-CARR & STEPHEN MARSHALL, DELOITTE, BLOCKCHAIN: ENIGMA. PARADOX.
OPPORTUNITY 2–4 (2016), https://www2.deloitte.com/content/dam/
Deloitte/uk/Documents/Innovation/deloitte-uk-blockchain-full-report.pdf
[https://perma.cc/KF6A-PU4Y] [hereinafter BLOCKCHAIN: ENIGMA. PARADOX.
OPPORTUNITY]; Alistair Dabbs, What Is a Blockchain, and Why Is It Growing in
Popularity?, ARS TECHNICA (Nov. 6, 2016, 6:00 AM),
https://arstechnica.com/information-technology/2016/11/what-is-blockchain
[https://perma.cc/SL8L-UT6S]; Arthur Iinuma, What Is Blockchain And What Can
Businesses Benefit From It?, FORBES (Apr. 5, 2018, 7:00 AM),
https://www.forbes.com/sites/forbesagencycouncil/2018/04/05/what-is-blockchain-
and-what-can-businesses-benefit-from-it/#7a357f8d675f [https://perma.cc/R9AY-
PMV9]; Alan Morrison, Blockchain and Smart Contract Automation: An Introduction
and Forecast, PWC (Mar. 20, 2016), usblogs.pwc.com/emerging-technology/blockchain-
and-smart-contract-automation-an-introduction-and-forecast
[https://perma.cc/5QA8-NFLF].
154. See LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 3 (“The individual
components that make up the blockchain will be easier to understand if we reinforce the
basic premise that a blockchain is a ledger.”) (footnote omitted).
155. Id.
156. See, e.g., General Ledger, INVESTOPEDIA, https://www.investopedia.com/terms/g/generalledger.asp
[https://perma.cc/DQH5-PJ3U]; Ledger, BUSINESSDICTIONARY,
http://www.businessdictionary.com/definition/ledger.html [https://perma.cc/UF2M-QMVX];
see also Debits and Credits, ACCOUNTINGTOOLS (Jan. 31, 2018),
https://www.accountingtools.com/articles/2017/5/17/debits-and-credits
[https://perma.cc/U8SJ-TB29] (“A debit is an accounting entry that either increases an
asset or expense account, or decreases a liability or equity account. It is positioned to the
left in an accounting entry. A credit is an accounting entry that either increases a liability
or equity account, or decreases an asset or expense account. It is positioned to the right
in an accounting entry.”).
157. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 3.
158. Id. “In other words, there is no single server to which all the [computers] attach.” Id. at
4. These computers are known as “nodes.” See, e.g., Tim Fisher, What Is a Node in a
Computer Network, LIFEWIRE (July 28, 2018), https://www.lifewire.com/what-is-a-node-
4155598 [https://perma.cc/DAQ6-ZPW6] (“A node is any physical device within a
network of other devices that’s able to send, receive, and/or forward information.”).
“Each node contains a complete history of every transaction completed on a particular
blockchain beginning with the first transactions that were processed into the first block
on that blockchain.” LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 3
(footnote omitted). The first block of transactions on a blockchain is called the “genesis
block” because it “represents the beginning of time for that blockchain.” Id.
159. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 4 (footnote omitted); see also
id. at 4 n.5 (“Consensus occurs when the nodes operating on the network (usually at least
a majority of the nodes) agree that the proposed transaction is indeed ‘valid.’”).
160. See SATOSHI NAKAMOTO, BITCOIN: A PEER-TO-PEER ELECTRONIC CASH SYSTEM 4 (2009),
https://bitcoin.org/bitcoin.pdf [https://perma.cc/LF5X-LMYD].
161. The Turing Award is often considered the equivalent of the Nobel Prize in computer
science. Bob Brown, ‘Nobel Prize in Computing’ Goes to Distributed Computing Wrangler
Leslie Lamport, NETWORKWORLD (Mar. 18, 2014, 11:37 AM),
https://www.networkworld.com/article/2175277/data-center/-nobel-prize-in-
computing-goes-to-distributed-computing-wrangler-leslie-lamport.html
[https://perma.cc/YW5X-F8Y6] (Turing Award for distributed systems); Tia Ghose,
Cryptography Pioneers Snag the ‘Nobel Prize of Computer Science’, LIVE SCI. (Mar. 2,
2016, 1:17 PM), https://www.livescience.com/53911-cryptography-pioneers-earn-
turing-award.html [https://perma.cc/NXN6-5S73] (Turing Award for asymmetric
cryptography).
162. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149.
163. Id.

In order to validate a transaction,164 a node must be able to check it against
the history of all prior transactions on that blockchain. It does so by starting
from the most recent block.165 Blocks are groups of transactions that have been
validated and stored on the blockchain around the same time.166 Blocks are linked
together in a chronologically ordered chain, giving rise to the name blockchain.
Each block carries a unique reference point: a cryptographic hash computed over
the contents of the block (i.e., the transactions or information in the block).167
Each new block also incorporates the reference point of the block before it, so a
node cannot compute a valid reference point for the block at hand without using
the reference point of the previous block.168
However, before a transaction can be added to the blockchain, the other
nodes must come to a consensus that the new block is correct, which they check
by recomputing its reference point from the same previous-block reference
point.169 Because all of the nodes’ ledgers are in sync, and thus all nodes are
aware of the valid reference points,170 if one malicious node tries to alter a
previous block, the other nodes would recognize that the malicious node’s
version does not match the reference point they already hold, and the network
would reject it. “[T]he information in a particular block cannot be altered
without changing all subsequent blocks in the chain and creating a discrepancy
that other record-keepers in the network would immediately notice.”171
Requiring the use of a common reference point and decentralized consensus
makes the ledger tamper-evident and, so long as honest nodes control the
consensus process, effectively immutable, and it “eliminates the dangers that
come with data being kept in a central location.”172
To simplify, say each block is labeled with a letter, and that block D’s
reference point is derived from C’s, which in turn depends on B’s and A’s, so
that D effectively stands for A + B + C. If someone tried to alter block A into
“A + 1,” block D would still be read as A + B + C by all of the other nodes in the
network. The malicious actor’s attempt to present D as A + 1 + B + C would not
be verified by the other nodes on the network: recomputing the reference points
from the altered A yields values that match none of the ones the honest nodes
hold. The resulting disagreement between the nodes about the content of the
chain would prevent consensus in the network, and the invalid alteration would
not be added to the blockchain. Thus it would prevent the type of fraud
described above.

164. “Transactions” and “information” can be used interchangeably, as the blockchain allows
the storage of all types of data.
165. See Michele D’Aliessi, How Does the Blockchain Work?, MEDIUM (June 1, 2016),
https://medium.com/@micheledaliessi/how-does-the-blockchain-work-98c8cd01d2ae
[https://perma.cc/GZ6Y-BYGQ].
166. See LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 5 n.8.
167. Id. at 6.
168. See NIST Report on Blockchain Technology Aims to Go Beyond the Hype, NIST (Jan. 24,
2018), https://www.nist.gov/news-events/news/2018/01/nist-report-blockchain-
technology-aims-go-beyond-hype [https://perma.cc/DXY7-END4] [hereinafter NIST
Report on Blockchain Technology].
169. See D’Aliessi, supra note 165.
170. See Praveen Jayachandran, The Difference Between Public and Private Blockchain, IBM
(May 31, 2017), https://www.ibm.com/blogs/blockchain/2017/05/the-difference-
between-public-and-private-blockchain [https://perma.cc/RS9H-6QR2].
171. NIST Report on Blockchain Technology, supra note 168.
172. Id.
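The signature check, the hash linking, and the “A + 1” scenario described in this Subpart, as an added worked example that is not code from the article or from any product it discusses: a toy ledger in Go in which each transaction is signed with an Ed25519 key (the asymmetric-cryptography step), each block’s reference point is the SHA-256 hash of its contents together with the previous block’s reference point, and an honest node verifies a replica by recomputing every link. The attacker (a hypothetical “Mallory”) rewrites the genesis block with her own validly signed transaction and recomputes that block’s hash; her forged block checks out in isolation, but every later block still references the original hash, so verification fails at block 1, which is exactly the discrepancy the other record-keepers would notice. The keys and the payloads “A,” “B,” and “C” are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Tx is a constructed transaction: a payload signed by the transferor's Ed25519 key.
type Tx struct {
	From    ed25519.PublicKey
	Payload string
	Sig     []byte
}

// Block is a batch of transactions. Hash is the block's reference point: a SHA-256
// over PrevHash and every transaction, so it depends on the entire chain before it.
type Block struct {
	PrevHash, Hash []byte
	Txs            []Tx
}

var genesisPrev = make([]byte, sha256.Size) // reference point the first block links to

// NewTx signs a payload with the sender's private key.
func NewTx(priv ed25519.PrivateKey, payload string) Tx {
	pub := priv.Public().(ed25519.PublicKey)
	return Tx{From: pub, Payload: payload, Sig: ed25519.Sign(priv, []byte(payload))}
}

// ValidateTx is the check any node can run with the public key alone; the length
// guard keeps ed25519.Verify from panicking on a malformed key.
func ValidateTx(t Tx) bool {
	return len(t.From) == ed25519.PublicKeySize && ed25519.Verify(t.From, []byte(t.Payload), t.Sig)
}

func allValid(txs []Tx) bool {
	for _, t := range txs {
		if !ValidateTx(t) {
			return false
		}
	}
	return true
}

func blockHash(prev []byte, txs []Tx) []byte {
	h := sha256.New()
	h.Write(prev)
	for _, t := range txs {
		h.Write(t.From)
		h.Write([]byte(t.Payload))
		h.Write(t.Sig)
	}
	return h.Sum(nil)
}

// Append adds a block only if every transaction carries a valid signature.
func Append(chain []Block, txs []Tx) ([]Block, error) {
	if !allValid(txs) {
		return chain, fmt.Errorf("block rejected: a transaction has a bad signature")
	}
	prev := genesisPrev
	if len(chain) > 0 {
		prev = chain[len(chain)-1].Hash
	}
	return append(chain, Block{PrevHash: prev, Txs: txs, Hash: blockHash(prev, txs)}), nil
}

// VerifyChain is what an honest node does with a replica: recompute each reference
// point and confirm each block links to its predecessor. It returns the index of the
// first inconsistent block, or -1 when the whole chain checks out.
func VerifyChain(chain []Block) (int, bool) {
	prev := genesisPrev
	for i, b := range chain {
		if !bytes.Equal(b.PrevHash, prev) || !bytes.Equal(b.Hash, blockHash(b.PrevHash, b.Txs)) || !allValid(b.Txs) {
			return i, false
		}
		prev = b.Hash
	}
	return -1, true
}

// TamperFirstBlock models the "A + 1" attack: the attacker swaps the genesis block for
// one holding her own validly signed transaction, recomputes that block's hash, and
// leaves every later block untouched (she cannot forge the honest sender's signature).
func TamperFirstBlock(chain []Block, attacker ed25519.PrivateKey, payload string) []Block {
	forged := append([]Block(nil), chain...)
	txs := []Tx{NewTx(attacker, payload)}
	forged[0] = Block{PrevHash: genesisPrev, Txs: txs, Hash: blockHash(genesisPrev, txs)}
	return forged
}

func main() {
	_, alice, _ := ed25519.GenerateKey(rand.Reader)   // honest transferor (constructed key)
	_, mallory, _ := ed25519.GenerateKey(rand.Reader) // attacker (constructed key)
	chain, _ := Append(nil, []Tx{NewTx(alice, "A")})
	chain, _ = Append(chain, []Tx{NewTx(alice, "B")})
	chain, _ = Append(chain, []Tx{NewTx(alice, "C")})
	bad, ok := VerifyChain(TamperFirstBlock(chain, mallory, "A + 1"))
	fmt.Printf("forged replica consistent: %v (link breaks at block %d)\n", ok, bad) // false, 1
}
```

Two design points carry over to real systems. First, the forged genesis block is internally valid, which is why a node must verify the links between blocks and not merely each block on its own. Second, the honest replica is never modified by the attack; in a network, Mallory’s replica simply disagrees with everyone else’s and is outvoted in the consensus step the text describes.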

B. Public, Consortium, and Private Blockchains

Like many other databases, blockchains can be public, private, or some
combination thereof. All of these versions have important similarities: they are
all decentralized peer-to-peer networks where each participant maintains a
replica of the ledger; they all operate under the consensus model of verifying
transactions that are added to the blockchain; they all provide certain
guarantees of immutability of the ledger even when some participants act
maliciously; and the decentralized nature of all of these versions ensures that
none of them has a single point of failure.173
The most well-known blockchain network, Bitcoin, is public (also known
as “permission-less” or “fully decentralized”) because anyone can operate a
node on this network if they have the appropriate software.174 Under public
blockchains, “the number of participants on the network is unlimited, and no
one needs to get permission from another user in order to take part.”175 Public
blockchains provide a “robust network that ensures efficacy in the system”176
because open access ensures distribution of nodes and, so long as computing
power stays widely spread, prevents any one single entity or power from
possessing majority control over the network.177 However, public blockchains
require substantial amounts of computational power to maintain the distributed
ledger: because anyone may join, membership cannot be used to limit who may
add blocks, so the network instead relies on a costly mechanism such as
proof-of-work to make control of consensus expensive, and every node
independently re-verifies every transaction.178

173. See Jayachandran, supra note 170.
174. See, e.g., NAKAMOTO, supra note 160.
175. Peter Van Valkenburgh, What Does “Permissionless” Mean?, COIN CTR. (Jan. 31, 2017),
https://coincenter.org/entry/what-does-permissionless-mean [https://perma.cc/39R7-KN2E].
176. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 20.
177. Ian Worrall, Private vs. Public Blockchains, INST. FOR ETHICS & EMERGING TECHS. (Dec.
29, 2015), https://ieet.org/index.php/IEET2/more/worrall20151228 [https://perma.cc/A33D-9F8Q].
178. See Public, Private and Consortium Blockchains, DRAGLET,
https://www.draglet.com/blockchain-services/private-or-public-blockchain
[hereinafter DRAGLET].
Private (or “permissioned”) blockchains require “an invitation and must
be validated by either the network starter or by a set of rules put in place by the
network starter.”179 Accordingly, “[t]his places restrictions on who is allowed
to participate in the network, and only in certain transactions.”180 An example
of this would be where the nodes of a blockchain are all kept within one
organization and only company members have access. A private blockchain is
more efficient181 and cheaper182 because transactions need to be verified by
fewer participants. A company running a private blockchain can also easily, if
desired, revert transactions.183 Moreover, private blockchains can provide a
greater level of privacy because access can be restricted.184 For example, IBM
has created a private blockchain called the “IBM Blockchain Platform” that
allows businesses to create their own applications that will be run on IBM’s
blockchain.185 JP Morgan also recently created its own private blockchain that
it plans to use to instantly settle payments between clients.186
There is also a third category known as a consortium or “partially
decentralized” blockchain. These are part public, part private. Under this
model, the consensus process is controlled by a preselected set of nodes.187
Consortium blockchains “do not allow any person with an internet connection
to participate nor do they grant full control to a single entity.”188 They provide
the same benefits as private blockchains—functional, cost efficient, and
private, for example—without consolidating power in one company.189 For
example, JP Morgan has created a consortium blockchain called “Quorum”
that aims to service the needs of a permissioned group of financial
institutions.190 Separately, Ford, Renault, General Motors, BMW, and IBM
recently announced that they founded the Mobility Open Blockchain Initiative
consortium with the aim of “foster[ing] an ecosystem where businesses and
consumers have security and sovereignty over their driving data, manage ride-
share and car-share transactions, and store vehicle identity and usage
information.”191

179. Jayachandran, supra note 170.
180. Id.
181. DRAGLET, supra note 178.
182. Vitalik Buterin, On Public and Private Blockchains, ETHEREUM BLOG (Aug. 6, 2015),
https://blog.ethereum.org/2015/08/07/on-public-and-private-blockchains
[https://perma.cc/KP9H-U8MP].
183. Id.
184. Id.
185. IBM Blockchain, IBM, https://www-03.ibm.com/press/us/en/presskit/50610.wss
[https://perma.cc/YJT8-2WFL].
186. See Hugh Son, JP Morgan is Rolling Out the First US Bank-Backed Cryptocurrency to
Transform Payments Business, CNBC (Feb. 14 2019, 7:13 PM),
https://www.cnbc.com/2019/02/13/jp-morgan-is-rolling-out-the-first-us-bank-
backed-cryptocurrency-to-transform-payments--.html [https://perma.cc/G4Z9-8YLV].
187. Buterin, supra note 182.
188. What Are Consortium Blockchains?, INFINITY BLOCKCHAIN LABS (Jan. 16, 2018),
https://www.blockchainlabs.asia/news/what-are-consortium-blockchains
[https://perma.cc/Z6GP-LLZ5].
189. Collin Thompson, The Difference Between a Private, Public & Consortium Blockchain,
BLOCKCHAIN DAILY NEWS (Oct. 26, 2016), https://www.blockchaindailynews.com/The-
difference-between-a-Private-Public-Consortium-Blockchain_a24681.html
[https://perma.cc/VN6N-WC62].

C. Applications

Bitcoin is the first and most popular use of blockchain and is one of many
“cryptocurrencies.”192 Cryptocurrencies are built on public blockchains and
can be bought and sold on various online exchanges that operate much like
traditional financial exchanges. The term “cryptocurrency” is frequently used
to describe all sorts of public blockchains, but this can be very misleading.
While it conveys attributes that define some blockchains, like a means of
storing value and exchanging wealth, it fails to capture the nuances and
capabilities of others.
As of early April 2019, there are over 2,000 publicly traded cryptocurrencies,193
though many of them are tokens issued on an existing platform such as Ethereum
rather than separate blockchains. A public blockchain can be used to verify a
source and destination of a transaction of assets (i.e., cryptocurrencies). But not
all public blockchains have currency applications. It is important to understand
that currency was just the first application of blockchain and is by no means the
only or best use.194 Utility blockchains are another type of application and are
explored in Subpart IV.B.2 (in particular, data storage). Other blockchains have
a platform function. Platform blockchains create an infrastructure on which more
specific applications can be built. Ethereum, for example, is an open software
platform based on blockchain technology that allows developers to build and
deploy decentralized applications.195 Decentralized applications that are created
on top of this platform do not need to create their own blockchain, but instead
work off of the existing Ethereum blockchain. The “IBM Blockchain
Platform”196 is an example of what might be called a “private Ethereum,” where
businesses can build and use applications on top of IBM’s blockchain. Unlike
Ethereum’s fully decentralized and public model, IBM controls the nodes.
The potential of blockchain technology as a whole is largely untapped and
the exploration of private blockchains is in especially nascent stages, but things
are picking up. Both the private sector and the public sector have started to
look closely at the potential of private blockchain technology.
The most significant use of private blockchains in the private sector has
been for platform blockchains such as IBM’s Blockchain Platform.197 Unlike
Ethereum’s public platform, these private blockchain platforms are more
suitable for corporate users198 because transactions are made efficient and
confidential by the limited and selective nature of the participants.199 These
types of private platform blockchains can be thought of as “blockchain for hire”
or “blockchain as a service,” where users leverage and use the blockchain
platform created by a company that has the resources and expertise to design,
create, and service a private blockchain. For example, Helzberg Diamonds and
jewelry manufacturer Richline Group are already working with IBM to track
and authenticate diamonds and precious metals on IBM’s blockchain.200
Walmart and Sam’s Club sent a letter to their suppliers of fresh leafy greens
asking them to track their products on Walmart’s IBM-powered blockchain.201
But new and unestablished players are also entering the market. Coin Sciences
Ltd. allows users to utilize its blockchain infrastructure for various uses, such as
messaging, decentralized exchanges, database synchronization, currency
settlement, bond issuance, and consumer reward schemes.202 In 2017, the
blockchain company Chain struck a deal with Nasdaq and Citi under which these
two companies would use Chain’s platform to create “a new integrated payment
solution that enables straight through payment processing and automates
reconciliation by using a distributed ledger to record and transmit payment
instructions.”203

190. See What Is Quorum?, J.P. MORGAN, https://www.jpmorgan.com/global/Quorum
[https://perma.cc/BHF3-VUFB].
191. Chris Middleton, Ford, Renault, GM, BMW, IBM Co-Found MOBI Blockchain
Consortium, INTERNET OF BUS. (May 2, 2018), https://internetofbusiness.com/ford-
renault-gm-bmw-ibm-co-found-mobi-blockchain-consortium [https://perma.cc/G734-
V8QK].
192. The regulation of cryptocurrencies has received the most attention in academic literature,
and the solutions proposed by authors often vastly differ. Compare Nareg Essaghoolian,
Initial Coin Offerings: Emerging Technology’s Fundraising Innovation, 66 UCLA L. REV.
294 (2019) (proposing a regulatory framework based on current regulations for Special
Purpose Acquisition Companies—public corporations formed to seek public funding for
a merger or acquisition) with Jonathan Rohr & Aaron Wright, Blockchain-Based Token
Sales, Initial Coin Offerings, and the Democratization of Public Capital Markets, 70
HASTINGS L.J. 463 (2019) (arguing that the Securities and Exchange Commission should
consider a registration exemption designed specifically for cryptocurrencies).
193. Top 100 Coins by Market Capitalization, COINMARKETCAP, https://coinmarketcap.com/coins
[https://perma.cc/4V53-EWDR].
194. “This new digital ledger of economic transactions can be programmed to record virtually
everything of value and importance to humankind: birth and death certificates, marriage
licenses, deeds and titles of ownership, educational degrees, financial accounts, medical
procedures, insurance claims, votes, provenance of food, and anything else that can be
expressed in code.” TAPSCOTT & TAPSCOTT, supra note 11, at 7; see also Andrew Meola,
The Growing List of Applications and Use Cases of Blockchain Technology in Business &
Life, BUS. INSIDER (Sept. 28, 2017, 4:46 PM),
https://www.businessinsider.com/blockchain-technology-applications-use-cases-2017-9
[https://perma.cc/5GGQ-5T3B] (the use of blockchain technology spans across
international payments, capital markets, trade finance, regulatory compliance and audit,
money laundering protection, insurance, peer-to-peer transactions, supply chain
management, healthcare, real estate, media, energy, record management, identity
management, voting, taxes, nonprofit agencies, legislation/compliance/regulatory
oversight, financial management/accounting, shareholder voting, cybersecurity, big data,
data storage, and internet of things).
195. ETHEREUM, https://www.ethereum.org [https://perma.cc/3DMS-H9SX]
(“blockchain app platform”).
196. See supra note 185 and accompanying text.
197. Id.
198. See Michael del Castillo, MultiChain 1.0: Bitcoin-Compatible Private Blockchain Opens
for Enterprise, COINDESK (Aug. 2, 2017), https://www.coindesk.com/multichain-1-0-
bitcoin-compatible-private-blockchain-launches-for-enterprise
[https://perma.cc/55DR-EMUM].
199. See, e.g., GIDEON GREENSPAN, MULTICHAIN PRIVATE BLOCKCHAIN—WHITE PAPER 5–7,
https://www.multichain.com/download/MultiChain-White-Paper.pdf
[https://perma.cc/TTY8-4A5T].
The public sector has started to look into a different type of private
blockchain: one created for a single entity’s exclusive use, as opposed to many
different companies using the same platform. Private companies could also
create this type of blockchain, but it may be more expensive and resource
intensive to build the technology from the ground up rather than using a
preexisting platform.204 Thus far, the U.S. government’s interest has largely been
in how blockchain can bolster national defense. In September 2016, the Defense
Advanced Research Projects Agency (DARPA) awarded a $1.8 million contract to
two companies to “advance the state of formal verification tools and all
blockchain-based integrity monitoring systems.”205 In May 2017, ITAMCO, a
developer of the advanced privacy application called “Crypto-Chat,” was awarded
a Phase 1 grant from DARPA to “develop a secure, non-hackable messaging and
transaction platform for the U.S. military.”206 Joel Neidig, Director of Research
and Development at ITAMCO, stated that they aim “to develop the latest in
military-grade encryption software using blockchain technology.”207 The uses
of this new messaging platform include “the communication of troops on the
ground with HQ, or sending information between intelligence officers and the
Pentagon.”208 A $700 billion defense bill passed by the U.S. Senate in 2017
included an amendment that would require “a report on the potential offensive
and defensive cyber applications of blockchain technology and other
distributed database technologies and an assessment of efforts by foreign
powers, extremist organizations, and criminal networks to utilize these
technologies.”209 The U.S. Treasury also hired a contractor “to develop a
prototype using blockchain, or distributed ledger technology, to track and
manage physical assets.”210 In 2018, a hearing was held by the U.S. House of
Representatives Committee on Science, Space, and Technology titled “Beyond
Bitcoin: Emerging Applications for Blockchain Technology” with the aim of
addressing how blockchain technology could “potentially bolster private
companies’ and the federal government’s cybersecurity weaknesses.”211

200. Anna Irrera, Jewelry Companies Team Up With IBM on Blockchain Platform, REUTERS
(Apr. 26, 2018, 3:10 AM), https://www.reuters.com/article/us-blockchain-
diamonds/jewelry-companies-team-up-with-ibm-on-blockchain-platform-
idUSKBN1HX1BD [https://perma.cc/6WUR-7GFM].
201. Letter from Walmart Execs. to Leafy Greens Suppliers (Sept. 24, 2018),
https://corporate.walmart.com/media-library/document/blockchain-supplier-letter-
september-2018/_proxyDocument?id=00000166-088d-dc77-a7ff-4dff689f0001
[https://perma.cc/X469-3RYR].
202. Id. at 12–16.
203. Nasdaq and Citi Announce Pioneering Blockchain and Global Banking Integration,
NASDAQ (May 22, 2017, 9:48 AM), https://www.nasdaq.com/article/nasdaq-and-citi-
announce-pioneering-blockchain-and-global-banking-integration-cm792544
[https://perma.cc/9BTW-H7YC].
204. For example, Amazon offers a blockchain service that “eliminates the overhead required
to create the network, and automatically scales to meet the demands of thousands of
applications running millions of transactions.” Blockchain on AWS, AWS,
https://aws.amazon.com/blockchain [https://perma.cc/4LR9-Y5KM].
205. Martin Ruubel, Guardtime Federal and Galois Awarded DARPA Contract to Formally
Verify Blockchain-Based Integrity Monitoring System, GUARDTIME: BLOG & NEWS (Sept.
13, 2016), https://guardtime.com/blog/galois-and-guardtime-federal-awarded-1-8m-
darpa-contract-to-formally-verify-blockchain-based-inte [https://perma.cc/Y526-
RGAV].
206. ITAMCO to Develop Blockchain-Based Secure Messaging App for U.S. Military, CISION
(May 25, 2017, 12:43 PM), https://www.prnewswire.com/news-releases/itamco-to-
develop-blockchain-based-secure-messaging-app-for-us-military-300464063.html
[https://perma.cc/K3FA-E62J].
207. Id.
208. Id.
209. 163 Cong. Rec. S5794 (daily ed. Sept. 18, 2017).
210. Bureau of the Fiscal Service Launches Two Innovative Pilot Projects, BUREAU OF THE
FISCAL SERV.,
https://www.publicdebt.treas.gov/fsservices/gov/fit/fit_launches_innovative_pilot.htm
[https://perma.cc/NW5J-25YG].
211. Beyond Bitcoin: Emerging Applications for Blockchain Technology: Joint Hearing Before
the H. Subcomm. on Oversight, H. Subcomm. on Research and Tech., and H. Comm. on
Sci., Space, & Tech., 115th Cong. 4–5 (2018) (statement of Ralph Abraham, Chairman, H.
Subcomm. on Oversight).

IV. BLOCKCHAIN AND CYBERSECURITY


A. How Blockchain Can Enhance Cybersecurity

Blockchain technology has the potential to tremendously improve


cybersecurity212 and many industries and enterprises are increasingly
considering its use.213 The Executive Director of the European Union Agency
for Network and Information Security agrees that “cyber security should be
considered as a key element in the Blockchain implementation.”214 The
technology has already been deployed in Estonia to protect the confidentiality,
integrity, and availability of marriage registrations, health records, and other
sensitive information.215 IBM has applied for a patent that would use
blockchain to increase the security and privacy of storing and managing data
associated with unmanned aerial vehicles.216 The National Aeronautics and
Space Administration (NASA) also proposed the use of a permissioned

212. See, e.g., JARED R. BUTCHER ET AL., CYBERSECURITY TECH BASICS: BLOCKCHAIN
TECHNOLOGY CYBER RISKS AND ISSUES: OVERVIEW (2019), https://www.steptoe.
com/images/content/1/8/v2/189187/Cybersecurity-Tech-Basics-Blockchain-Techno
logy-Cyber-Risks-and.pdf [https://perma.cc/6HCY-FUGN] (“Blockchain technology
offers important cybersecurity benefits” by “provid[ing] a strong method for securing
networked ledgers.”); Naveen Joshi, The Anatomy of a Cyber Attack: Dissecting the Science
Behind Virtual Crime, BBN TIMES (Mar. 4, 2019), https://www.bbntimes.com/
en/technology/the-anatomy-of-a-cyber-attack-dissecting-the-science-behind-virtual-
crime [https://perma.cc/Y6CC-8HXX] (“Blockchain can effectively detect a data breach,
and disrupt the process that forms the anatomy of a cyber attack.”).
213. See, e.g., Andrew Arnold, Here’s Why More Enterprises Are Considering Blockchain as
Data Privacy Solution, FORBES (Jan. 2, 2019, 1:07 PM), https://www.forbes.com/
sites/andrewarnold/2019/01/02/heres-why-more-enterprises-are-considering-block
chain-as-data-privacy-solution/#203f40abcb73 [https://perma.cc/S929-R95C];
Andrew Arnold, 4 Promising Use Cases of Blockchain in Cybersecurity, FORBES (Jan. 30,
2019, 4:30 AM), https://www.forbes.com/sites/andrewarnold/2019/01/30/4-promising-
use-cases-of-blockchain-in-cybersecurity/#22e4cd443ac3 [https://perma.cc/6EEZ-
6VS8]; Reinhardt Krause, How Cybersecurity Firms Palo Alto, Okta Can Capitalize on
Blockchain, INVESTOR’S BUS. DAILY (Apr. 13, 2018), https://www.investors.com/
news/technology/how-cybersecurity-firms-could-capitalize-on-blockchain-technology
[https://perma.cc/UVL3-XSDR].
214. ENISA Report on Blockchain Technology and Security, ENISA (Jan. 18, 2017),
https://www.enisa.europa.eu/news/enisa-news/enisa-report-on-blockchain-
technology-and-security [https://perma.cc/E3NE-BN9N].
215. Jamie Holmes, Blockchain for Cybersecurity: Protecting Infrastructure, Data
Telecommunications, BTCMANAGER.COM (Jan. 7, 2016),
https://btcmanager.com/blockchain-for-cyber-security-protecting-infrastructure-data-
telecommunications [https://perma.cc/HYM3-ZUCP]; Daniel Palmer, Blockchain
Startup to Secure 1 Million e-Health Records in Estonia, COINDESK (Mar. 3, 2016, 10:51
PM), https://www.coindesk.com/blockchain-startup-aims-to-secure-1-million-
estonian-health-records [https://perma.cc/V49B-KVAX].
216. U.S. Patent No. 20180270244 (filed Sept. 20, 2018).
1274 66 UCLA L. R EV. 1242 (2019)

blockchain to boost cybersecurity by “enabl[ing] aircraft privacy and


anonymity while providing a secure and efficient method for communication
with . . . authorized entities.”217 Dozens of central banks around the world are
also experimenting with blockchain technology with the aim of addressing
cybersecurity concerns, among other things.218 The Department of Homeland
Security is getting ready to use blockchain technology to secure the storage and
transmission of data collected by security cameras, sensors, and other internal
databases.219 Additionally, the Colorado Senate recently passed a bill that
would require state departments to “annually assess the data systems of each
public agency for the benefits and costs of adopting and applying” blockchain
technology.220
Blockchain’s breakthrough is in its “culmination of decades of research
and breakthroughs in cryptography and security.”221 This combination makes
blockchain secure to the point where “no one has yet managed to break
the . . . decentrali[z]ed architecture” of it.222 Even the National Security
Agency and Federal Bureau of Investigation lack the ability to circumvent the
technology behind blockchain.223 Contrast this impenetrable nature with the
current state of cyber-insecurity, where even the largest companies get hacked
regularly, no matter how much money they spend on their own security

217. RONALD J. REISMAN, NASA AMES RESEARCH CENTER, AIR TRAFFIC MANAGEMENT
BLOCKCHAIN INFRASTRUCTURE FOR SECURITY, AUTHENTICATION, AND PRIVACY 1 (2019),
https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20190000022.pdf [https:
//perma.cc/Q867-X2KB]. NASA’s report also demonstrated how their prototype
blockchain represents a “scalable architecture and illustrates how [this technology] may
be rapidly deployed and economically maintained.” Id.
218. See WORLD ECONOMIC FORUM, CENTRAL BANKS AND DISTRIBUTED LEDGER TECHNOLOGY:
HOW ARE CENTRAL BANKS EXPLORING BLOCKCHAIN TODAY? (2019),
www3.weforum.org/docs/WEF_Central_Bank_Activity_in_Blockchain_DLT.pdf
[https://perma.cc/8WWV-NV4N].
219. Joseph Young, Homeland Security to Use Blockchain in Tracking Goods & People
Globally, COINTELEGRAPH (Jan. 15, 2017), https://cointelegraph.com/news
/homeland-security-to-use-blockchain-in-tracking-goods-people-globally
[https://perma.cc/6MQ6-U9YC].
220. COLO. REV. STAT. § 24-37.5-501 (2018).
221. Ben Dickson, How Blockchain Can Help Fight Cyberattacks, TECHCRUNCH (Dec. 5, 2016,
1:38 PM), https://techcrunch.com/2016/12/05/how-blockchain-can-help-fight-cyber
attacks [https://perma.cc/34DU-LVJT].
222. BLOCKCHAIN: ENIGMA. PARADOX. OPPORTUNITY, supra note 153, at 12; see also TAPSCOTT
& TAPSCOTT, supra note 11, at 7 (hacking the blockchain is “practically impossible” to do);
Dante Disparte, IBM X-Force Red Launches Blockchain Cybersecurity Service, FORBES
(Mar. 5, 2019, 6:00 AM), https://www.forbes.com/sites/dantedisparte/2019/03/05/ibm-
x-force-red-launches-blockchain-cybersecurity-service/#767c543d1602
[https://perma.cc/KF3S-ED86] (“[T]he public blockchain underpinning bitcoin
transactions has not been hacked at the protocol level since its launch in 2008.”).
223. LEGAL AND BUSINESS BLOCKCHAIN GUIDE, supra note 149, at 9.
Start With Trust 1275

infrastructure.224 Moreover, the security offered by blockchain is needed now
more than ever in order to heed cybersecurity experts’ warning that “the new
paradigm has to stop the hacker[s] getting in” before they can do damage.225
The key to solving the current “systemic” cybersecurity crisis lies in
blockchain’s ability to maximize decentralization and distribution of
computers, and thus create more fault-tolerant and unhackable networks.226
Although not a panacea,227 incorporating blockchain into a company’s
comprehensive cybersecurity plan can increase the confidentiality, integrity,
and availability of data, and better ensure the resilience of networks.

1. Confidentiality

Encryption methods and access controls, when combined with
blockchain, can ensure confidentiality of data.228 While public blockchains do
not provide confidentiality of data, on a private blockchain, a company can
decide to encrypt information end-to-end before storing it.229 Thus a hacker
who gains access to a node on a private blockchain’s network could not access
the information so long as the hacker does not possess the encryption key.230

224. See supra Part I.A.
225. The Cryptolife of John McAfee, BITMEDIA (Apr. 5, 2018), https://bit-media.org/
bitcoin/the-cryptolife-of-john-mcafee [https://perma.cc/A8YX-RH5U] (quoting John
McAfee); see also Steven Russo, A Guide for Understanding the New Paradigm,
CERTAINSAFE, https://certainsafe.com/a-guide-for-understanding-the-new-paradigm
[https://perma.cc/XXK8-UXR6].
226. See Bernard Lunn, Bitcoin Blockchain Could Solve the Cyber Security Challenge for Banks,
DAILY FINTECH (Oct. 30, 2015), https://dailyfintech.com/2015/10/30/Bitcoin-
blockchain-could-solve-the-cyber-security-challenge-for-banks
[https://perma.cc/2EXS-F27V].
227. Beyond Bitcoin: Emerging Applications for Blockchain Technology: Hearing Before the
Subcomm. on Oversight & Subcomm. on Research & Tech. of the H. Comm. on Sci., Space
& Tech., 115th Cong. 5 (2018) (testimony of Chris Jaikaran, analyst in cybersecurity
policy) [hereinafter Jaikaran Testimony].
228. Encryption and access control technologies are readily available and widely used. See, e.g.,
Encryption Methods, IBM KNOWLEDGE CTR., https://www.ibm.com/support/knowledge
center/en/SSEQTP_9.0.0/com.ibm.websphere.base.doc/ae/rwbs_wssencryptalgorithms.
html; DEP’T OF HOMELAND SECURITY, ACCESS CONTROL TECHNOLOGIES HANDBOOK
(2015), https://www.dhs.gov/sites/default/files/publications/ACT-HB_0915-508.pdf
[https://perma.cc/F43Q-6DTF].
229. See ERIC PISCINI ET AL., DELOITTE, BLOCKCHAIN & CYBER SECURITY. LET’S DISCUSS 6 (2017),
https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Technolo
gy/IE_C_BlockchainandCyberPOV_0417.pdf [https://perma.cc/67GX-NBWT].
230. See, e.g., Jorge Gonzalez-Orozco, The Linux Foundation’s Hyperledger Fabric Enables
Confidentiality in Blockchain for Business, IBM (Apr. 17, 2018), https://www.ibm.
com/blogs/blockchain/2018/04/hyperledger-fabric-enables-confidentiality-in-block
chain-for-business [https://perma.cc/9Y7V-928P]. Businesses are encouraged to use best
practices to manage their encryption keys. See, e.g., VIRTRU, THE SIMPLE GUIDE TO
ENCRYPTION KEY MANAGEMENT, https://www.virtru.com/wp-content/themes/virtru
/files/pdf/The%20Simple%20Guide%20to%20Encryption%20Key%20Management.pdf
[https://perma.cc/8K8Q-CMDG].
1276 66 UCLA L. REV. 1242 (2019)

Moreover, a private blockchain can be designed to implement access
controls and thus ensure that data is restricted to authorized personnel. Access
controls can determine who can read the data, who can submit transactions,
and who can validate them.231 The cryptographic validation process can even
be spread out among multiple computers,232 where each party only has partial
access to the information, and thus “[t]he parties are trusted as a whole,
decentralized unit, but not individually.”233 This is similar to the idea of a data
storage blockchain splitting up data into shards where one piece of
information is split into many different pieces and distributed throughout the
network.234
Access to data on a private blockchain can even be limited to as little as
two parties. IBM’s private blockchain235 allows the sharing of data through
channels with only those organizations that need to have access to it.236 For
example, in a medical information context, all organizations in the network
can see that an individual has health insurance, but only those in a particular
channel can see the coverage details.237
Employing encryption and access controls in a blockchain ensures the
confidentiality of data even when computers on the network are compromised.
Companies must assess their own risk tolerance in deciding what type of
blockchain to implement. Larger blockchain networks (with, for example,
more participants) make it more difficult for a hacker to know exactly which
participant has access to the data that they are looking for. Smaller blockchain
networks allow for more confidentiality because only a small number of

231. See Allison Berke, How Safe Are Blockchains? It Depends., HARV. BUS. REV. (Mar. 7, 2017),
https://hbr.org/2017/03/how-safe-are-blockchains-it-depends [https://perma.cc/B3TQ-
BMWG]. Access controls should also be managed according to best practices. See, e.g.,
ONE IDENTITY, 8 BEST PRACTICES FOR IDENTITY AND ACCESS MANAGEMENT (2017),
https://www.cbronline.com/wp-content/uploads/dlm_uploads/2018/02/Identity-
Gov-8-best-practices-for-identity-and-access-management-white-paper-13721.pdf
[https://perma.cc/E3MB-5H9N].
232. See Dickson, supra note 221.
233. Id.
234. For an example of a public blockchain employing this method, see PROTOCOL LABS,
FILECOIN: A DECENTRALIZED STORAGE NETWORK (2017), https://filecoin.io/filecoin.pdf
[https://perma.cc/T3EV-M47W].
235. See supra Part III.B.
236. See Gonzalez-Orozco, supra note 230.
237. Id.

participants are privy to data, but are more likely to be breached because they
are less decentralized.

2. Integrity

Blockchain’s innate characteristics of immutability and decentralization
ensure data integrity. Once data is inputted on a blockchain it is “usually there
forever.”238 It is so immutable that it has been dubbed a “digital tattoo.”239
The cryptographic validation mechanism, consensus model, and
decentralized nature make it very challenging for any party to tamper with the
data stored on a blockchain. Data can only be added on the blockchain if a
majority of nodes agree that the data should be added. Once added on the
blockchain, that data becomes a reference point which ensures that before any
new data can be added, the nodes must agree that the reference point (i.e.,
existing data) has not been altered. This structure ensures that once
information is on a blockchain, it will remain unaltered. Moreover,
mechanisms similar to those applied in data storage blockchains can
periodically verify the integrity of information.240
It should be noted that if hackers were to gain access to a majority of the
computers on a blockchain’s network, they would potentially be able to tamper
with the data.241 But a hacker’s successful control of a majority of computers
does not guarantee success.242 Rather, “an attacker would only be able to
modify transactions within the past few blocks” because “[t]he farther back in
the blockchain transactions are, the more secured they are against this kind of
attack.”243 Moreover, it is significantly more difficult for hackers to gain
control of an entire network where computers are distributed than for them to
gain control over a network that is centralized, which is often the model in
today’s cybersecurity landscape.244 In a manner parallel to confidentiality, the
larger the blockchain network, the more difficult it will be to corrupt the

238. Beyond Bitcoin: Emerging Applications for Blockchain Technology: Hearing Before the
Subcomm. on Oversight & Subcomm. on Research & Tech. of the H. Comm. on Sci., Space,
& Tech., 115th Cong. 2 (2018) (statement of Charles H. Romine, Director, Information
Technology Laboratory, National Institute of Standards and Technology).
239. Júlio Santos, Forever on the Chain, HACKERNOON (Nov. 14, 2017), https://hackernoon.
com/forever-on-the-chain-c755838dfc79 [https://perma.cc/XWA5-TAX7].
240. See infra note 287 and accompanying text.
241. See 51% Attack, LEARN CRYPTOGRAPHY, https://learncryptography.com/cryptocurr
ency/51-attack [https://perma.cc/W34N-EQW8].
242. Id.
243. Id.
244. See, e.g., Lunn, supra note 226 (discussing centralization within banking context).

integrity of the data. Private blockchains operating with a lower number of
nodes should ensure that their network is sufficiently distributed with no
single points of attack.
Blockchain’s ability to ensure the immutability of data is especially
important for cybersecurity because the subtlety of altering data, rather than
stealing it or deleting it, makes this a particularly insidious form of attack.245
Implementing blockchain as part of a company’s comprehensive cybersecurity
plan can ensure the integrity of data far better than other methods.

3. Availability

Decentralization and immutability ensure that the data stored on a
blockchain and the system itself will remain available in the face of an attack.
The decentralized nature of blockchain guarantees that there is no single point
of failure.246 This means that if a node is taken down, data is still accessible
through other nodes since all of them maintain a full copy of the data—unless
access controls are set in place that would limit a certain node’s access.
Moreover, compromised nodes can be dropped from the blockchain
network.247 Even if a part of the network is compromised, distribution
guarantees that the blockchain network will be operational through the
remaining nodes. Immutability of information added on a blockchain also
ensures that a hacker cannot erase the data even if part of the network is
compromised.
Although the risk of a networkwide breach remains, that risk
proportionally decreases with greater distribution of nodes. As with
maintaining integrity, smaller private blockchains must ensure that their
network is sufficiently distributed so that there can be no single point of failure.
Similarly, proper access controls should be implemented as part of a
comprehensive cybersecurity plan to ensure that blockchain’s potential to
ensure availability can be realized.

4. Resilience

The most common type of cyberattack that would affect the resilience of
a network is the distributed denial of service (DDoS). DDoS attacks flood a
server with superfluous requests in an attempt to overload the system and

245. See SINGER & FRIEDMAN, supra note 13, at 35.
246. See supra Part III.A.
247. See PISCINI ET AL., supra note 229, at 10.

prevent legitimate use of a system.248 These requests often originate from
thousands of sources, which makes them effectively impossible to stop.249 They
have been successful thus far because of the pervasive use of centralized
servers.250 DDoS attacks have been taking place for twenty years and are
growing more prevalent and stronger.251 Recently, Twitter, SoundCloud,
Spotify, and Shopify were the targets of DDoS attacks that caused their websites
to go offline temporarily.252 On the other hand, the Bitcoin blockchain has
remained operational in the face of regular and “massive” DDoS attacks since
its inception over ten years ago.253
Blockchain offers resilience against these types of attacks and others
through its decentralized structure. Even if a major part of a blockchain
network is under attack or compromised, it will remain fully operational
through the other nodes. Ensuring that nodes are sufficiently distributed will
increase the resilience of a network. As above, this may be more challenging
with smaller private blockchains because of the smaller number of nodes.
Therefore, blockchain technology should always be implemented as part of a
larger cybersecurity plan.

B. Absence of Blockchain as Unreasonable in the Data Storage Context

Companies handling consumer information must implement a security
program that contains technical safeguards that are appropriate to the
organization’s size, complexity, and activities, and to the sensitivity of the

248. Security Tip ST04-015: Understanding Denial-of-Service Attacks, US-CERT (Nov. 4,
2009), https://www.us-cert.gov/ncas/tips/ST04-015 [https://perma.cc/GGY3-7587].
249. Id.
250. See Jon Buck, Why Blockchain Technology Is Perfect for Fighting DDoS Attacks,
COINTELEGRAPH (Sept. 30, 2017), https://cointelegraph.com/news/why-blockchain-
technology-is-perfect-for-fighting-ddos-attacks [https://perma.cc/FVM8-NV9H].
251. See George V. Hulme, DDoS Explained: How Distributed Denial of Service Attacks Are
Evolving, CSO (Mar. 12, 2018, 5:32 AM),
https://www.csoonline.com/article/3222095/network-security/ddos-explained-how-
denial-of-service-attacks-are-evolving.html [https://perma.cc/MN24-3KMS].
252. See Darrel Etherington & Kate Conger, Large DDoS Attacks Cause Outages at Twitter,
Spotify, and Other Sites, TECHCRUNCH (Oct. 21, 2016), https://beta.techcrunch.com/2016
/10/21/many-sites-including-twitter-and-spotify-suffering-outage/?_ga=2.188934251.
1781959609.1525825710-1659847444.1525206072 [https://perma.cc/TY4M-T4FU].
253. See, e.g., Leo King, Bitcoin Hit By ‘Massive’ DDoS Attack As Tensions Rise, FORBES (Feb.
12, 2014, 7:27 AM), https://www.forbes.com/sites/leoking/2014/02/12/bitcoin-hit-
by-massive-ddos-attack-as-tensions-rise/#4a60100246ad [https://perma.cc/25W7-BM76].

personal information that the organization collects from users.254 They should
also look at a technology’s costs, benefits, and risks, and their ability to fund
and implement it.255 Understanding that the analysis of cybersecurity
reasonableness is always done case-by-case, this Subpart applies the FTC and
NIST cybersecurity guidelines to blockchain and argues that the FTC ought to
view failure to use blockchain as unreasonable. As a reminder, the guidelines
that would be relevant to incorporating blockchain technology into the FTC’s
understanding of reasonable cybersecurity measures are (1) using readily
available technology, (2) protecting data during storage and transmission, (3)
responding to and recovering from cyber attacks, and (4) ensuring the security of
third parties.

1. Adopting Readily Available Technology

Blockchain is a current and state-of-the-art technology that was created
about ten years ago.256 But importantly, new technology can still be considered
readily available in the FTC’s eyes. Readily available is understood to mean
adopted by the relevant industry, with allowance for imperfection in cases of
software.257 In fact, much of the technology behind blockchain is already in
widespread use,258 most importantly the Turing Award-winning technologies
of asymmetric cryptography and distributed systems. Asymmetric
cryptography was first conceived of in 1970 by a British cryptographer working
for the United Kingdom’s Government Communications Headquarters and
later made public in 1976.259 Since then it has been in wide use in the financial
and telecommunications industries among others.260 It is even required by the
NIST for use in the U.S. Federal Government.261 The FTC also recommends

254. See Microsoft Corp., Docket No. C-4069, at 2 (Fed. Trade Comm’n Dec. 20, 2002)
(decision and order).
255. See NAT’L INST. OF STANDARDS & TECH., supra note 12, at 14–15.
256. See, e.g., NAKAMOTO, supra note 160.
257. See Otto, supra note 118, at 340.
258. See SINGER & FRIEDMAN, supra note 13, at 45–50.
259. See Ghose, supra note 161; Patrick Sawer, The Unsung Genius Who Secured Britain’s
Computer Defences and Paved the Way for Safe Online Shopping, TELEGRAPH (Mar. 11,
2016, 9:00 PM), https://www.telegraph.co.uk/history/12191473/The-unsung-genius-
who-secured-Britains-computer-defences-and-paved-the-way-for-safe-online-
shopping.html [https://perma.cc/J2HQ-5YDE].
260. See, e.g., Industry Specific Encryption, ANSI WEBSTORE, https://webstore.ansi.org/
software/Industry-Specific.aspx [https://perma.cc/A649-3PX3].
261. See ELAINE BARKER, NAT’L INST. OF STANDARDS AND TECH., GUIDELINE FOR USING
CRYPTOGRAPHIC STANDARDS IN THE FEDERAL GOVERNMENT: CRYPTOGRAPHIC
MECHANISMS 1 (2016), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.
SP.800-175b.pdf [https://perma.cc/9S4W-DFVW].

that companies “[u]se strong cryptography to secure confidential material
during storage and transmission.”262 Moreover, the entire architecture of the
current World Wide Web is based on the distributed systems model.263
Essentially, blockchain’s innovation was its combination of existing
technologies.264
Additionally, blockchain technology is open-source code that can be
downloaded and run by anyone for free.265 The barriers to entry are
exceedingly low and should not inhibit a company from adopting this
technology. In fact, there are already a number of fully-functional and market-
ready blockchain-based data storage applications.266 Moreover, there are a
number of companies that offer blockchain services that are directly aimed at
enhancing cybersecurity267 and some companies are already adopting the
technology for this purpose.268 Also, across nearly every sector, billions of
dollars are being spent on blockchain funding269 and Fortune 500 companies
have filed hundreds of blockchain patents.270 A large company with adequate

262. START WITH SECURITY, supra note 107, at 6.
263. See, e.g., ANDREA OMICINI, UNIVERSITÀ DI BOLOGNA A CESENA, THE ARCHITECTURE OF THE
WORLD WIDE WEB: DISTRIBUTED SYSTEMS (2013), campus.unibo.it/104219/1/3-SD-
rest.pdf [https://perma.cc/2BX2-5G57].
264. See Jaikaran Testimony, supra note 227, at 1.
265. See Scott J. Shackelford & Steve Myers, Block-By-Block: Leveraging the Power of
Blockchain Technology to Build Trust and Promote Cyber Peace, 19 YALE J.L. & TECH. 334,
355 (2017).
266. See infra Part IV.B.2.
267. See PolySwarm Launches VirusTotal Replacement, Invites Companies To Try Free,
CISION (Mar. 4, 2019),
https://www.prweb.com/releases/polyswarm_launches_virustotal_replace
ment_invites_companies_to_try_free/prweb16141923.htm [https://perma.cc/X3WB-
EF2R]; IBM X-Force Red Launches New Service for Blockchain Security Testing, IBM
NEWS ROOM (Mar. 5, 2019), https://newsroom.ibm.com/2019-03-050-IBM-X-Force-
Red-Launches-New-Service-for-Blockchain-Security-Testing [https://perma.cc/5Z54-
P5AZ]; Acronis Blockchain Technology Initiative, ACRONIS,
https://www.acronis.com/en-us/business/blockchain-notary [https://perma.cc/E2HC-
9EKP].
268. See Vilija Simkiene, Telefonica, Rivetz and PeerStream Join for Blockchain-Powered
Cybersecurity, VOIP REV. (Mar. 19, 2019), https://voip.review/2019/03/19/telefonica-
rivetz-peerstream-join-blockchain-powered-cybersecurity [https://perma.cc/ZHL6-
FYZ9].
269. See Jonathan Ponciano, Blockchain Tops $4.5 Billion in Private Funding This Year, But
Deal Growth Stalls, FORBES (Sept. 22, 2017, 9:00 AM), https://www.forbes.com/sites/jon
athanponciano/2017/09/22/blockchain-tops-4-5-billion-in-private-funding-this-year-
but-deal-growth-stalls/#4de6e82374c6 [https://perma.cc/553R-GKN7].
270. See, e.g., Susan Decker & Jennifer Surane, BofA Tops IBM, Payments Firms With Most
Blockchain Patents, BLOOMBERG (Jan. 16, 2018, 2:00 AM), https://www.bloomberg.com/
news/articles/2018-01-16/bofa-tops-ibm-and-payments-firms-with-most-blockchain-
patents.

capital that collects sensitive information from numerous individuals would
be remiss not to adopt this technology because its cybersecurity benefits greatly
outweigh its costs. From the perspective of a reasonable company, blockchain
in the cybersecurity and data storage context is a known solution271 to data
breaches and thus its absence will lead to FTC enforcement actions sooner
rather than later. Not using blockchain is akin to running outdated software,
where adding a few lines of code can address critical vulnerabilities.272

2. Filling Gaps in Encryption/Security in the Storage-Transmission Chain

Companies must implement technology that protects data during its
storage and transmission.273 Blockchain technology is capable of achieving this
exact result throughout the lifecycle of the stored data.
Blockchain can ensure confidentiality of data with the addition of
encryption and access control mechanisms.274 This is similar to other
technologies whose absence would be considered unreasonable.
And blockchain’s immutability and decentralization ensure data integrity,
data and network availability, and network resilience.275
The potential of blockchain to protect data while stored and in transit is
already being realized through various blockchain-based data storage
networks. Filecoin,276 Siacoin,277 and STORJ278 are examples of blockchains
that aim to revolutionize data storage by creating a platform for decentralized
cloud storage. Instead of renting storage from a centralized provider, such as
Dropbox,279 with one or a few points of attack,280 these blockchain-based

271. See Breaux & Baumer, supra note 122, at 191.
272. See supra note 121 and accompanying text.
273. START WITH SECURITY, supra note 107, at 6.
274. See supra Part IV.A.1.
275. See supra Part IV.A.2–IV.A.4.
276. See PROTOCOL LABS, supra note 234.
277. See DAVID VORICK & LUKE CHAMPINE, SIA: SIMPLE DECENTRALIZED STORAGE (2014),
https://www.sia.tech/whitepaper.pdf [https://perma.cc/TA2M-T63R].
278. See STORJ LABS, STORJ: A DECENTRALIZED CLOUD STORAGE NETWORK FRAMEWORK (2018),
https://storj.io/storj.pdf.
279. See Where Does Dropbox Store My Data?, DROPBOX, https://www.dropbox.com/help/
security/physical-location-data-storage [https://perma.cc/N5FG-4X98] (files added to
Dropbox are stored in Dropbox’s data centers across the United States).
280. Dropbox servers were breached in 2012 and account information of sixty-eight million
users was compromised and put up for sale on the dark web. See Karen Turner, Hacked
Dropbox Login Data of 68 Million Users Is Now for Sale on the Dark Web, WASH. POST
(Sept. 7, 2016), https://www.washingtonpost.com/news/the-
switch/wp/2016/09/07/hacked-dropbox-data-of-68-million-users-is-now-or-sale-on-
the-dark-web/?noredirect=on&utm_term=.ad4ed0b60307 [https://perma.cc/B7H2-
3EP3].

decentralized cloud storage services create distributed networks that enable
the formation and execution of storage contracts between peers.281 By forming
a contract, a storage provider (the host) agrees to store a client’s data and to
periodically submit proof of their continued storage until the contract
expires.282 The process works in much the same way that Airbnb lets people
utilize their home to make money when it would have otherwise sat idle and
empty. The consensus network of the blockchain can be used to automatically
enforce storage contracts, which means that clients do not need to personally
verify storage; “they can simply upload their file and let the network do the
rest.”283 Data that is submitted by a client is encrypted end-to-end and hosts do
not have access to decryption keys.284 The data is then split into multiple parts
(shards).285 This is important because no one host has access to all of the data
stored by a client. Prior to being sent to the various hosts, the encrypted shards
are duplicated.286 This aspect safeguards against a host going offline or having
their system compromised. The splitting, duplication, and decentralization of
data also eliminate the risk of single points of attack. The encrypted data shards
are inputted into the blockchain, and a host must periodically verify, by solving
a cryptographic function, that the information is still being stored and has not
been altered.287 This creates an incentive system where a host can add a new
transaction to the blockchain, and thus receive payment, only if they verify the
integrity and availability of the data.288
To simplify this structure, say that a client was to store “ABC” on one of
these three networks. The client would upload “ABC,” after which the data
would be encrypted (“XYZ”, for example). Then the network would split

281. See PROTOCOL LABS, supra note 234; VORICK & CHAMPINE, supra note 277; SHAWN
WILKINSON ET AL., STORJ: A PEER-TO-PEER CLOUD STORAGE NETWORK (2016),
https://storj.io/storj.pdf [https://perma.cc/CHW2-7BNH].
282. VORICK & CHAMPINE, supra note 277, at 1.
283. Id.
284. PROTOCOL LABS, supra note 234, at 21.
285. WILKINSON ET AL., supra note 281, at 2. The ability to fragment/split data has been
available well before the creation of blockchain. See Peter M. Chen et al., RAID: High-
Performance, Reliable Secondary Storage, 26 ACM COMPUTING SURVEYS 145 (1994).
286. VORICK & CHAMPINE, supra note 277, at 5.
287. Id. at 3.
288. As mentioned in Part III.A, transactions on a blockchain are immutable. In the case of
utility blockchains used for data storage, past transactions are the uploads of data from
client to host. Thus, data uploaded to a host cannot be altered.

(“X/Y/Z”) and duplicate it, creating multiple copies of X, Y, and Z. The
multiple copies of X, Y, and Z are then sent to various servers across the
network (where, for example: hosts 1, 2, 3, would each have X; 4, 5, 6, would
each have Y; and 7, 8, 9, would each have Z). This model of data storage creates
higher levels of data security by increasing confidentiality (end-to-end
encryption, splitting of data, and distributing across network), integrity
(blockchain’s inherent element of immutability and periodic verification of the
integrity of the data), availability (duplicating the encrypted data shards,
distributing them across the network, and requiring periodic verification and
availability of that data), and resilience (distributed networks are more fault-
tolerant because they are not easily susceptible to networkwide crashes or
hacks).
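The “ABC” walkthrough above (encrypt end-to-end, split into shards, duplicate, distribute to hosts 1 through 9, then require periodic proof that each shard is still held unaltered) and the integrity mechanism of Part IV.A.2 (each new entry references the existing data, so any alteration is detectable) are shown together in the following added Python example. It is not code from the article or from Filecoin, Sia or Storj; the toy cipher, key, nonce, host names and the hash-based challenge scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed illustration: key, nonce, host names and the challenge scheme are
# assumptions for this example, not any real storage network's protocol.

def keystream_xor(key: bytes, data: bytes, nonce: bytes) -> bytes:
    """Toy cipher: XOR with an HMAC-SHA256 keystream (stand-in for a real AEAD such
    as AES-GCM). Encrypt and decrypt are the same call; never reuse a nonce per key."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))

def split_into_shards(data: bytes, count: int) -> list[bytes]:
    """Split ciphertext into `count` contiguous pieces (the X / Y / Z of the text)."""
    size = max(1, -(-len(data) // count))  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]

@dataclass
class Block:
    index: int
    prev_hash: str
    payload: str
    hash: str

class Ledger:
    """Hash-chained record of shard commitments: every block references the previous
    block's hash, so altering an earlier entry breaks each later reference point."""

    def __init__(self) -> None:
        self.blocks: list[Block] = []
        self.append("genesis")

    @staticmethod
    def _digest(index: int, prev_hash: str, payload: str) -> str:
        return hashlib.sha256(f"{index}|{prev_hash}|{payload}".encode()).hexdigest()

    def append(self, payload: str) -> Block:
        index = len(self.blocks)
        prev_hash = self.blocks[-1].hash if self.blocks else "0" * 64
        block = Block(index, prev_hash, payload, self._digest(index, prev_hash, payload))
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        # Recompute every hash and every back-reference; any edit anywhere fails this.
        for i, b in enumerate(self.blocks):
            if b.hash != self._digest(b.index, b.prev_hash, b.payload):
                return False
            if i and b.prev_hash != self.blocks[i - 1].hash:
                return False
        return True

class Host:
    """A storage provider: it only ever holds ciphertext shards, never the key."""

    def __init__(self, name: str) -> None:
        self.name, self.store = name, {}

    def prove(self, shard_id: int, challenge: bytes) -> str:
        # Proof of continued storage: hash of a fresh challenge plus the shard. A host
        # that dropped or altered the shard cannot answer, and it cannot replay old answers.
        return hashlib.sha256(challenge + self.store.get(shard_id, b"")).hexdigest()

class Client:
    def __init__(self, key: bytes, hosts: list[Host], replicas: int) -> None:
        self.key, self.hosts, self.replicas = key, hosts, replicas
        self.ledger = Ledger()
        self.placement: dict[int, list[Host]] = {}  # shard id -> replica hosts
        self.commitments: dict[int, str] = {}       # shard id -> sha256 of the shard

    def upload(self, plaintext: bytes, nonce: bytes) -> None:
        ciphertext = keystream_xor(self.key, plaintext, nonce)  # "ABC" -> "XYZ"
        shards = split_into_shards(ciphertext, len(self.hosts) // self.replicas)
        for sid, piece in enumerate(shards):
            group = self.hosts[sid * self.replicas:(sid + 1) * self.replicas]
            for host in group:  # duplicate the shard to each host in its group
                host.store[sid] = piece
            digest = hashlib.sha256(piece).hexdigest()
            self.placement[sid], self.commitments[sid] = group, digest
            names = ",".join(h.name for h in group)
            self.ledger.append(f"shard={sid} sha256={digest} hosts={names}")

    def audit(self, shard_id: int) -> list[str]:
        """Challenge every replica of a shard; return the hosts whose proof is wrong."""
        challenge, group = os.urandom(16), self.placement[shard_id]
        # Reference copy: any replica whose shard still matches the ledger commitment.
        intact = [h.store[shard_id] for h in group
                  if hashlib.sha256(h.store.get(shard_id, b"")).hexdigest() == self.commitments[shard_id]]
        if not intact:
            return [h.name for h in group]  # every replica lost or altered the shard
        expected = hashlib.sha256(challenge + intact[0]).hexdigest()
        return [h.name for h in group if h.prove(shard_id, challenge) != expected]
```

With nine hosts and three replicas, `upload(b"ABC", nonce)` yields three one-byte shards held by hosts 1-3, 4-6 and 7-9, and `audit()` names any host whose copy was dropped or altered while `ledger.verify()` catches any later edit to the recorded commitments.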

3. Responding and Recovering Quickly From Breaches

A comprehensive cybersecurity plan must ensure that a company can
adequately respond to and recover from an incident; a plan that fails to do so
may be considered unreasonable.289 When included as part of a
comprehensive cybersecurity plan, blockchain technology offers unparalleled
opportunities for companies to contain and mitigate incidents.
Any attempted alteration of data on the blockchain creates a discrepancy
that other recordkeepers in the network immediately notice.290 This allows the
network to quickly respond by shutting down the compromised node and
removing it from the network. Blockchain technology also allows a company
to recover from an incident because of its decentralized structure. Even if a
major part of a blockchain network is under attack or compromised, the
network will continue to be fully operational through the other nodes. The
resilience of blockchain is evinced through the technology’s ability to
withstand numerous DDoS attacks.291

4. Ensuring the Security of Third-Parties: The Trust Machine

According to the FTC and NIST, companies are responsible for ensuring
that third-party contractors implement reasonable security measures.292
Companies must determine what requirements are necessary and must verify

289. See supra Part II.A.3.
290. Jayachandran, supra note 170.
291. See supra Part IV.A.4.
292. See supra note 136 and accompanying text.

that they are met by the third party.293 Blockchain provides the opportunity for
companies to streamline this effort of building trust.
Blockchain has been dubbed “the trust machine” because it allows parties
who have no particular confidence in each other to collaborate without having
to go through a neutral party.294 This technology can “be applied in any context
in which trust is essential.”295
Although it may seem like an insurmountable task to replace, for example,
traditional third-party storage services with blockchain-based storage, the
current system is unsustainable and change is necessary. Companies, and in
particular large companies that collect tremendous amounts of consumer
information, overwhelmingly rely on third parties for data storage.296 Third
parties have increasingly been the targets of cyber attacks, which are
considered to be the most expensive type of incident.297 Yet the amount of
sensitive and confidential information that these third parties possess
continues to grow.298 The current cybersecurity landscape is problematic
because the contracting party is expected to ensure the security of the third
party’s networks299 and this oversight has been found to be insufficient.300
Moreover, the FTC continues to target the “big fish” companies even when the
third-party service provider lacked reasonable security measures and was the
one who was breached.301 Under the status quo, third parties will continue to
pose security risks and will remain the “weakest link.” Incorporating
blockchain technology can resolve this problem.
Replacing traditional third-party data storage providers with data storage
providers operating on the blockchain has tremendous benefits. Companies
would have a guaranteed way of ensuring the security of the service provider
because data center standards can be codified into the blockchain302 and thus

293. See NAT’L INST. OF STANDARDS & TECH., supra note 12, at 16.
294. See The Trust Machine, ECONOMIST (Oct. 31, 2015), https://www.economist.com/news
/leaders/21677198-technology-behind-bitcoin-could-transform-how-economy-works-
trust-machine [https://perma.cc/54QG-7XHQ].
295. Shackelford & Myers, supra note 265, at 357.
296. See supra notes 62, 70 and accompanying text.
297. See supra notes 67, 69 and accompanying text.
298. See supra note 65 and accompanying text.
299. See supra note 136 and accompanying text.
300. See supra note 146 and accompanying text.
301. See supra note 148 and accompanying text.
302. See Mike Klein, SAS 70, SSAE 16, SOC and Data Center Standards, DATA CTR.
KNOWLEDGE (Mar. 3, 2011), www.datacenterknowledge.com/archives/2011/03/03/ sas-
70-ssae-16-soc-and-data-center-standards [https://perma.cc/TZM2-DM55].

trust can be regulated through code (i.e., “code is law”).303 This would solve the
current problem of “insufficient” oversight.304 Moreover, a blockchain-based
decentralized storage network offers more security than traditional cloud
storage. This would minimize a company’s risk of facing an enforcement
action by “reducing the risk posed by a third-party.” Blockchain could remove
the “weakest link” third party but still retain the service provider. This can also
be more cost-efficient than the traditional third-party data storage structure
because storage on the blockchain is up to ninety percent cheaper than storage
on traditional servers.305

C. Concerns About Market Adoption, Job Killing, and the “Right to be Forgotten”

Some commentators argue that blockchain technology is “not ready for
mainstream deployment”306 and that companies should consider switching to
blockchain-based service providers only several years from now, when “the
technology’s full potential becomes clear.”307 These commentators compare
blockchain’s adoption to “patterns of technology adoption” in the past.308
But the rate of technology adoption is speeding up across the board and
innovations introduced more recently are being adopted more quickly.309 For
example, it took decades for the telephone to reach fifty percent of U.S.
households but only took five years for the cellphone to accomplish the same
penetration.310 Companies that move faster to capture opportunities that
present themselves have a competitive advantage. Moreover, “[c]hange
happens at the enterprise level when new technology solves an A list
challenge,” and “cybersecurity is an A list challenge.”311 The combination of

303. See Lawrence Lessig, Code Is Law, HARV. MAG. (Jan. 1, 2000), https://harvard
magazine.com/2000/01/code-is-law-html [https://perma.cc/P8B5-K9VV] (arguing that
code should be the regulator of cyberspace).
304. See PONEMON INST., supra note 64, at 3.
305. See, e.g., VORICK & CHAMPINE, supra note 277.
306. TIERION, BLOCKCHAIN HEALTHCARE 2016 REPORT: PROMISE & PITFALLS (2016),
https://blog.tierion.com/blockchain-healthcare-2016-report.
307. The Trust Machine, supra note 294.
308. See Marco Iansiti & Karim R. Lakhani, The Truth About Blockchain, HARV. BUS. REV.,
Jan.–Feb. 2017, https://hbr.org/2017/01/the-truth-about-blockchain [https://perma.
cc/B735-B4TW].
309. Rita Gunther McGrath, The Pace of Technology Adoption Is Speeding Up, HARV. BUS. REV.
(Nov. 25, 2013), https://hbr.org/2013/11/the-pace-of-technology-adoption-is-speeding-
up [https://perma.cc/R4BM-Z6JE].
310. Id.
311. Lunn, supra note 226.

market incentives and cybersecurity benefits that blockchain offers ensures
that its adoption will happen sooner rather than later.
Others argue that blockchain technology is a “job killer.”312 They contend
that if companies switch from traditional third-party storage to blockchain-
based storage providers, traditional workers would be displaced. But this is a
trend that has been seen before. And each time, embracing the benefits of
technology has won out in spite of its job-killing effect. New technologies
disrupt the labor market temporarily, but ultimately generate new and
incrementally more jobs.313 Lost jobs are reincarnated in new form. Why
should blockchain be any different?
Lastly, there are those who argue that blockchain’s immutable nature
conflicts with the European Union’s “right to be forgotten” laws314 and the
FTC’s recommendation of disposing of information once a company no
longer has any legitimate business need for it.315 Two solutions have been
offered to solve this problem. First, prototype blockchains have already been
developed in line with the needs of large banks.316 But the ability to edit data
on a blockchain while maintaining its authenticity requires the nomination
of trustworthy administrators who are authorized to alter the ledger.317
Therefore, some of the essential characteristics of a decentralized database may
not be retained. Second, some commentators suggest that instead of having
the ability to erase data from a blockchain, it should be sufficient to destroy
the decryption keys and thus render the data unreadable.318 However, the data
is technically still on the blockchain. It is worth noting that a company running
a private blockchain can also easily, if desired, revert transactions.319

312. See, e.g., Joichi Ito et al., The Blockchain Will Do to the Financial System What the Internet
Did to Media, HARV. BUS. REV. (Mar. 8, 2017), https://hbr.org/2017/03/the-blockchain-
will-do-to-banks-and-law-firms-what-the-internet-did-to-media
[https://perma.cc/33FM-KPEY].
313. See, e.g., TAPSCOTT & TAPSCOTT, supra note 11, at 270–71.
314. See, e.g., Andries Van Humbeeck, The Blockchain-GDPR Paradox, MEDIUM (Nov. 21,
2017), https://medium.com/wearetheledger/the-blockchain-gdpr-paradox-fc51e663d047
[https://perma.cc/6M9S-QLQB].
315. START WITH SECURITY, supra note 107, at 2.
316. Blockchain From a Perspective of Data Protection Law, DELOITTE,
https://www2.deloitte.com/dl/en/pages/legal/articles/blockchain-
datenschutzrecht.html [https://perma.cc/3DHA-MUPK].
317. Id.
318. See When the Right to be Forgotten Becomes Possible on the Ethereum Blockchain, NEWS
BTC (Nov. 18, 2017, 11:43 PM), https://www.newsbtc.com/press-releases/bcdiploma-
right-to-be-forgotten-ethereum-blockchain [https://perma.cc/2L4D-4YMY].
319. See Buterin, supra note 182.

While these problems make blockchain an imperfect substitute for third-party
data storage providers, the existence of potential solutions to these
problems, coupled with the blockchain’s significant cybersecurity benefits—so
desperately needed in an insecure landscape—ensure that blockchain’s
adoption will come sooner than anticipated. As noted above, software like
blockchain can be considered a reasonable security measure by the FTC even
if it is imperfect.320

CONCLUSION

The current cybersecurity landscape is unsustainable. Companies are
increasingly relying on third parties for conducting services, yet these third
parties continue to be targets of attack due to their weak cybersecurity
measures. The problem arises because contracting companies bear the
responsibility of ensuring the adequate cybersecurity of third parties: the FTC
only goes after the “big fish” companies for unreasonable security measures,
even when the third party was the one who was breached due to their own
inadequate security. Enforcement actions thus have no direct effect on third
parties, and they operate outside cybersecurity enforcement. This oversight
mechanism has proven to be inadequate, and third parties remain the
untrustable “weakest link.”
Blockchain technology ensures confidentiality, integrity, availability, and
resilience—the core components of good cybersecurity. Moreover, the
technology, even in its current nascent state, comports with the FTC’s
cybersecurity guidelines on reasonableness. The absence of blockchain-based
data storage by a large company—with adequate means and who collects
sensitive information from many people—can thus be unreasonable. The
myriad cybersecurity benefits that blockchain offers make this technology a
unique and unparalleled solution to the third-party data breach problem.
Large companies handling sensitive and confidential data should start with
trust and include blockchain technology as part of their comprehensive
cybersecurity plan.

320. See Otto, supra note 118, at 340.
