
What Recent Cryptocurrency Heists Reveal About Blockchain Security

In early August 2021, blockchain-based platform Poly Network reported a hack in which malicious actors moved the equivalent of $600 million in cryptocurrencies to their private wallets. This hack was the largest on record, exceeding the 2014 hack of a Tokyo-based bitcoin exchange, which led to the theft of the equivalent of $460 million. A few days later, DAO Maker, a decentralized finance (DeFi) crypto platform, announced a hack and theft of 2,261 ETH (the equivalent of $7 million at the time of the hack).

These heists reveal potential security vulnerabilities in the current system for purchasing and exchanging cryptocurrencies, despite the general promises of security offered by decentralized cryptocurrencies.

To understand how these cryptocurrency heists occurred, it is crucial to understand how cryptocurrency functions, and in particular how certain organizations provide cryptocurrency conversion services (e.g., converting Bitcoin to Ethereum). Traditional forms of currency (often referred to as “fiat” currency when distinguished from cryptocurrencies) are government issued and rely on a centralized banking system to validate money transfers and accounts. Most fiat currencies are not backed by commodities, such as gold, and therefore have no intrinsic value. The value of fiat currency derives from consumer confidence (and is subject to government manipulation).

Cryptocurrencies, such as Bitcoin or Ethereum, however, are decentralized currencies with no central banking or financial system to validate transactions. Rather, these currencies rely on a network of users to validate transactions and balances. The technology that supports the storing and validating of transactions in a database (essentially a digital ledger) is called blockchain.

Most cryptocurrencies distribute this blockchain ledger database across their users. The users earn rewards (usually in the form of cryptocurrency) for hosting the ledger, validating transactions in the blockchain ledger, and solving complex computational math problems.
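The two paragraphs above describe the ledger at a high level: transactions are stored in a chain of blocks, and a network of users validates them. The following is an added toy example (not code from the article, from Poly Network, or from any real cryptocurrency) that shows the two checks every validator performs on such a ledger: each block's hash must match its contents and link to the previous block, and no account may spend more than it holds. The account names, amounts and the single-node, no-consensus design are constructed for illustration; real networks add signatures, consensus and peer-to-peer replication on top of this.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data: account names and amounts are made up for this example.
# The sender name "MINT" marks newly issued coins (genesis allocation or block reward).

@dataclass(frozen=True)
class Tx:
    sender: str
    recipient: str
    amount: int

@dataclass
class Block:
    index: int
    prev_hash: str
    txs: List[Tx]
    hash: str = ""

GENESIS_HASH = "0" * 64

def block_hash(index: int, prev_hash: str, txs: List[Tx]) -> str:
    """SHA-256 over the block's full content; altering any transaction changes it."""
    payload = json.dumps(
        {"index": index, "prev": prev_hash,
         "txs": [(t.sender, t.recipient, t.amount) for t in txs]},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(blocks_txs: List[List[Tx]]) -> List[Block]:
    """Assemble blocks so that each one commits to the hash of the one before it."""
    chain: List[Block] = []
    prev = GENESIS_HASH
    for i, txs in enumerate(blocks_txs):
        h = block_hash(i, prev, txs)
        chain.append(Block(i, prev, list(txs), h))
        prev = h
    return chain

def validate_chain(chain: List[Block]) -> Tuple[bool, str, Dict[str, int]]:
    """Replay the ledger from genesis. Checks, in order: block index, link to the
    previous block, stored hash versus recomputed hash, and that no account
    overspends. Returns (ok, reason, final balances at the point of stopping)."""
    balances: Dict[str, int] = {}
    prev = GENESIS_HASH
    for i, blk in enumerate(chain):
        if blk.index != i:
            return False, f"block {i}: unexpected index {blk.index}", balances
        if blk.prev_hash != prev:
            return False, f"block {i}: broken link to previous block", balances
        if block_hash(blk.index, blk.prev_hash, blk.txs) != blk.hash:
            return False, f"block {i}: content does not match stored hash", balances
        for t in blk.txs:
            if t.amount <= 0:
                return False, f"block {i}: non-positive amount", balances
            if t.sender != "MINT":
                if balances.get(t.sender, 0) < t.amount:
                    return False, f"block {i}: {t.sender} overspends", balances
                balances[t.sender] -= t.amount
            balances[t.recipient] = balances.get(t.recipient, 0) + t.amount
        prev = blk.hash
    return True, "ok", balances

def redirect_payment(chain: List[Block], block_idx: int, tx_idx: int,
                     new_recipient: str, rehash: bool) -> List[Block]:
    """Return a copy of the chain in which one stored transaction has been
    rewritten to pay a different account. With rehash=True the altered block's own
    hash is recomputed, so detection moves to the next block's broken link."""
    forged = copy.deepcopy(chain)
    blk = forged[block_idx]
    old = blk.txs[tx_idx]
    blk.txs[tx_idx] = Tx(old.sender, new_recipient, old.amount)
    if rehash:
        blk.hash = block_hash(blk.index, blk.prev_hash, blk.txs)
    return forged

# Constructed ledger: genesis issues 50 to alice, later blocks move funds around.
SAMPLE_BLOCKS = [
    [Tx("MINT", "alice", 50)],
    [Tx("alice", "bob", 20), Tx("MINT", "carol", 10)],
    [Tx("bob", "carol", 5), Tx("carol", "alice", 3)],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BLOCKS)
    print(validate_chain(chain))                                  # valid ledger
    print(validate_chain(redirect_payment(chain, 1, 0, "mallory", rehash=False))[:2])
    print(validate_chain(redirect_payment(chain, 1, 0, "mallory", rehash=True))[:2])
    print(validate_chain(build_chain([[Tx("MINT", "alice", 50)],
                                      [Tx("bob", "carol", 100)]]))[:2])
```

The point for the article's argument is where these checks run: every participant holding a copy of the ledger re-derives the same hashes and balances, so a rewritten transaction is rejected by everyone else. A centralized exchange that keeps its own off-chain bookkeeping gives up that property, which is why its internal software, not the blockchain itself, becomes the target.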

Cryptocurrency Transfer

The lack of centralization creates complexities in converting currencies. Traditional exchange services involving fiat currency are handled by financial institutions, which have the capacity to receive one type of currency (e.g., the U.S. dollar) and provide the equivalent amount in a different currency (e.g., the euro).

Performing a similar instant exchange among cryptocurrencies requires an exchange service to stockpile multiple cryptocurrencies. Of course, this type of exchange service is inherently centralized – and that centralization of decentralized currency creates the security vulnerability that led to the recent string of cryptocurrency heists.

The attackers targeted the code behind the accounts that convert cryptocurrencies and injected malicious code that made the exchange service believe that the attacker was the intended recipient of the converted cryptocurrency. The attackers ultimately redirected the currency into their personal wallets.

These recent events do not mean that those interested in holding or trading cryptocurrency should entirely avoid the use of exchanges. No transaction is 100% secure, and users should understand the potential risk involved in exchanging cryptocurrencies or converting fiat currency within the current systems of exchange.

The legal concerns stemming from these incidents mirror those in traditional incidents involving consumer information or fiat funds. However, the potential risk of loss is increased by the fact that cryptocurrency transactions in certain instances are uniquely untraceable and irreversible, meaning that the exchange may not be able to recover the stolen funds. Further compounding the risk is that these crypto exchange services may not have the same financial protections, insurance, or government backing as traditional financial institutions.

These events serve as a reminder that the security provided by decentralized currency may be lost when that currency is funneled through a centralized exchange.

*Attorney advertising: prior results do not guarantee future outcomes.

Subscribe to our Newsletter.


Jordan L. Fischer Named A 2021 Super Lawyers Rising Star For Third Year In A Row

Jordan L. Fischer, Esq., has been named to the 2021 Pennsylvania Rising Stars list for outstanding lawyers 40 years old or younger or in practice for 10 years or less. This is her third straight year appearing on this list. Each year, no more than 2.5 percent of the lawyers in the state are selected by the research team at Super Lawyers to receive this honor.

Fischer leads Beckage’s Global Privacy team where she represents clients in cross-border data management, creating cost-effective and business-oriented approaches to cybersecurity, data privacy and technology compliance. She practices in several jurisdictions throughout the United States in both state and federal courts, as well as internationally in both Europe and Asia.

At Beckage, she provides counsel to clients on a wide variety of regulatory requirements, including the General Data Protection Regulation and implementing member state law, the California Consumer Privacy Act, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, biometric data laws, global data breach standards, and federal and state unfair business practices acts. She also provides counsel on a variety of security and privacy frameworks, including the International Standards Organization 27001 and 27701, the National Institute of Standards and Technology cyber and privacy frameworks, and the Payment Card Industry Data Security Standard.

Super Lawyers, a Thomson Reuters business, is a rating service of outstanding lawyers from more than 70 practice areas who have attained a high degree of peer recognition and professional achievement. The annual selections are made using a patented multiphase process that includes a statewide survey of lawyers, an independent research evaluation of candidates and peer reviews by practice area. The result is a credible, comprehensive, and diverse listing of exceptional attorneys.

About Beckage
Beckage is a women-owned law firm that focuses on technology, data security, and privacy. Our attorneys counsel clients on matters pertaining to data security and privacy compliance, litigation and class action defense, incident response, government investigations, technology intellectual property, and emerging technologies such as Artificial Intelligence (AI), digital currencies, Internet of Things (IoT) devices, and 5G networks. Beckage has offices from California to New York. Learn more at Beckage.com.

###

Contact: Morgan Neal
mneal@beckage.com
585.738.2438


In the Face of Huge Settlements, BIPA May Soon Be Losing Its Bite

Illinois lawmakers are considering a bill which has the potential to dramatically rein in the state’s strict Biometric Information Privacy Act (“BIPA”).  On March 9, 2021, the Illinois House judiciary committee advanced House Bill 559 (the “Bill”) which would amend BIPA.  The Bill has a couple of key amendments that may impact your business.

First, the Bill changes BIPA’s “written release” requirement to instead simply require “written consent”.  Thus, under the Bill, businesses would no longer be required to obtain a written release, but instead could rely on electronic consent.

Second, whereas BIPA currently requires that a business in possession of biometric identifiers draft and provide a written policy regarding its handling of biometric data to the general public, under the Bill, businesses would only be required to provide this written policy to affected data subjects.

Third, the Bill creates a one-year statute of limitations for BIPA claims.  Moreover, the Bill provides that prior to initiating a claim, a data subject must provide a business with 30 days’ written notice identifying the alleged violations.  If the business cures these violations within the 30-day window, and provides the data subject an express written statement indicating the issues have been corrected and that no further violations shall occur, then no action for individual statutory damages or class-wide statutory damages can be taken against the business.  If the business continues to violate BIPA in breach of the express written statement, then the data subject can initiate an action against the business to enforce the written statement and may pursue statutory damages.  Therefore, not only does the Bill finally create a statute of limitations, but it also provides a mechanism by which businesses can respond to alleged violations of BIPA prior to engaging in costly litigation.

Fourth, the Bill modifies BIPA’s damages provisions.  Currently, BIPA provides that a prevailing plaintiff is entitled to liquidated damages of $1,000 or actual damages, whichever is greater, when a business is found to have negligently violated BIPA.  The Bill would limit a prevailing plaintiff’s recovery to only actual damages.  Similarly, in its current form, BIPA provides that a prevailing plaintiff is entitled to liquidated damages of $5,000 or actual damages, whichever is greater, when a business is found to have willfully violated BIPA.  The Bill would limit a prevailing plaintiff’s recovery to actual damages plus liquidated damages up to the amount of actual damages.  Therefore, the Bill would limit a business’s exposure in BIPA claims to what a prevailing plaintiff can demonstrate as actual damages.

Finally, the Bill provides that BIPA would not apply to a business’s employees if those employees were covered by a collective bargaining agreement, an issue that has arisen in recent BIPA litigation, as discussed here.

BIPA litigation has increased dramatically and resulted in a number of recent high-profile settlements, including TikTok’s $92 million settlement and Facebook’s $650 million settlement.  This Bill has the potential to greatly curtail this spiral of litigation and high settlement figures.  Beckage will continue to monitor any developments regarding the Bill and will update its guidance accordingly.  Our team of experienced attorneys, who are also devoted technologists, is especially equipped with the skills and experience necessary not only to develop a comprehensive and scalable biometric privacy compliance program but also to handle any resulting litigation.



With 5G, will your thermometer need malware protection?

5G is perhaps the biggest critical infrastructure build the world has seen in twenty-five years.  It will allow for the connection of millions of Internet of Things (“IoT”) devices.  However, with these added benefits come related vulnerabilities and cybersecurity risks.

What specific cybersecurity risks are associated with the 5G network?

First, the 5G network itself can pose many security risks.  The 5G infrastructure is built using many components, each of which may be corrupted through an insecure supply chain.  Significantly more software is being used allowing for more entry points and more potential vulnerabilities.  Similarly, more hardware devices are required (cell towers, beamforming devices, small cells, etc.), and each one of these hardware devices must be adequately secured.  Small, local cells may be more physically accessible and therefore subject to physical attack.  Further, 5G will be built, in part, on legacy 4G LTE components – which themselves can have vulnerabilities.

Second, with specific focus on IoT devices, cybersecurity protections will need to become much more granular and more capable of being deployed on less intelligent “Things.”  Historically, one could think of a Thing as a device that can be connected to a network, but which lacked sufficient processing power to handle more advanced computations.  Things are “dumb.”  By connecting a processor, we could make such dumb Things “smart.”  These new smart IoT devices are interesting vectors of attack by malicious actors and further confound overall cybersecurity programs.  The ability to detect a cyber attack on a light bulb will require additional cybersecurity solutions.

Finally, with 5G facilitating the implementation of more IoT devices, more sensitive data may be stored, requiring protection of the edge computers servicing the IoT devices.  If we consider the ubiquity of thermometer scanning now and how those and similar IoT devices could easily become part of 5G, then we begin to understand the seemingly exponential growth of threat vectors on our networks.  We may have sensitive data (Am I sick?  What time do I show up for work?) and we may have the concern that a malicious actor may look to infect a network through a Thing. Will thermometers need malware protection?  More devices arguably allow for more places for a hacker to attempt to attack, and thus a greater potential for distributed denial of service (DDoS) attacks.  There were reports of Things being used collectively to deny service on the LTE network.  With 5G, the concept of an army of coffee makers attacking by all issuing a request to an address will become a greater possibility, and manufacturers could be liable to other parties if their insecure Things are used to deny service to someone else.

Regardless of the attack vector, incident response practices are universal, and Beckage’s Incident Response Team can help prepare your team for IoT and other attacks.

What potential solutions are available to mitigate this risk?

Companies looking to incorporate 5G should partner with experienced tech counsel who can assist by reviewing contracts, conducting risk assessments, and evaluating and updating incident response plans and procedures to account for any additional risks associated with 5G.

In addition, there are already some attempts at governmental solutions.  In March 2020, President Trump issued a National Strategy to Secure 5G, requiring, in relevant part, that the United States identify cybersecurity risks in 5G.

The CISA (Cybersecurity & Infrastructure Security Agency) also issued some documents relating to the security of 5G.  Similarly, we are seeing a push for international standards and certain untrusted companies have had their products banned from use.  The Federal government is using regulations to limit the adoption of equipment that may contain vulnerabilities.

So, what is the solution?  The same as always.  Innovation.  Businesses are encouraged to develop trusted solutions and innovation in this space.  Advanced cybersecurity monitoring and protection by design will continue to be needed.

The Beckage Team of lawyers, who are also technologists, is well-versed in new and emerging technologies and works with clients to facilitate innovation through the use of IP protections.  We also assist companies in the implementation of new technologies, like 5G, taking into consideration the cybersecurity, data privacy, and regulatory obstacles associated with their use.  From patent acquisition to policy drafting and review, Beckage attorneys are here to help your company capitalize on innovation.



Accountability and the Use of Artificial Intelligence

As artificial intelligence (“AI”) and automated decision-making systems make their way into every corner of society – from businesses and schools to government agencies – concerns about using the technology responsibly and accountability are on the rise. 

The United States has always been on the forefront of technological innovations and our government policies have helped us remain there.  To that end, on February 11, 2019, President Trump issued an Executive Order on Maintaining American Leadership in Artificial Intelligence (No. 13,859).  See Exec. Order No. 13,859, 3 C.F.R. 3967.  As part of this Executive Order, the “American AI Initiative” was launched with five guiding principles:

  1. Driving technological breakthroughs; 
  2. Driving the development of appropriate technical standards; 
  3. Training workers with the skills to develop and apply AI technologies; 
  4. Protecting American values, including civil liberties and privacy, and fostering public trust and confidence in AI technologies; and
  5. Protecting U.S. technological advantages in AI, while promoting an international environment that supports innovation. Id. at § 1.

Finally, the Executive Order tasked the National Institute of Standards and Technology (“NIST”) of the U.S. Department of Commerce with creating a plan for the development of technical standards to support reliable, robust, and trustworthy AI systems.  Id. at § 6(d). To that end, the NIST released its Plan for Federal Engagement in Developing Technical Standards in August 2019.  See Nat’l Inst. of Standards & Tech., U.S. Leadership in AI: A Plan for Federal Engagement in Developing Technical Standards and Related Tools (2019). 

While excitement over the use of AI was brewing in the executive branch, the legislative branch was concerned with its accountability: on April 10, 2019, the Algorithmic Accountability Act (“AAA”) was introduced into Congress.  See Algorithmic Accountability Act of 2019, S. 1108, H.R. 2231, 116th Cong. (2019).  The AAA covered businesses that:

  1. Made more than $50,000,000 per year;
  2. Held data for greater than 1,000,000 customers; or
  3. Acted as a data broker to buy and sell personal information.  Id. at § 2(5). 

The AAA would have required businesses to conduct “impact assessments” on their “high-risk” automated decision systems in order to evaluate the impacts of the system’s design process and training data on “accuracy, fairness, bias, discrimination, privacy, and security”.  Id. at §§ 2(2) and 3(b).  These impact assessments would have had to be performed “in consultation with external third parties, including independent auditors and independent technology experts”.  Id. at § 3(b)(1)(C).  Following an impact assessment, the AAA would have required that businesses reasonably address the results of the impact assessment in a timely manner.  Id. at § 3(b)(1)(D).

It wasn’t just the federal government that was concerned about the use of AI in business: on May 20, 2019, the New Jersey Algorithmic Accountability Act (“NJ AAA”) was introduced into the New Jersey General Assembly.  The NJ AAA was very similar to the AAA in that it would have required businesses in the state to conduct impact assessments on “high risk” automated decisions. See New Jersey Algorithmic Accountability Act, A.B. 5430, 218th Leg., 2019 Reg. Sess. (N.J. 2019).  These “Automated decision system impact assessments” would have required an evaluation of the system’s development, “including the design and training data of the automated decision system, for impacts on accuracy, fairness, bias, discrimination, privacy, and security”, as well as a cost-benefit analysis of the AI in light of its purpose.  Id. at § 2.  The NJ AAA would have also required businesses to work with independent third parties, record any bias or threat to the security of consumers’ personally identifiable information discovered through the impact assessments, and provide any other information required by the New Jersey Director of the Division of Consumer Affairs in the New Jersey Department of Law and Public Safety.  Id.

While the aforementioned legislation has appeared to have stalled, we nevertheless anticipate that both federal and state legislators will once again take up the task of both encouraging and regulating the use of AI in business as the COVID-19 pandemic subsides.  Our team at Beckage contains attorneys who are focused on technology, data security, and privacy and have the experience to advise your business on the best practices for the adoption of AI and automated decision-making systems. 
