INSIGHT: Top Five Legal Issues Every Blockchain Startup Should Know

July 12, 2019, 8:01 AM UTC

As blockchain startups mature through various market segments, it’s predicted that blockchain-based technologies will overtake cloud computing, IoT, and data analytics in investment.

Due to the novel and complex distributed and decentralized nature of the technology, however, the blockchain community is confronted with unique legal issues. This article discusses five legal issues every U.S. blockchain startup may encounter and the best approach to address them.

State and Federal Regulation


In the United States, it is currently legal to (i) transmit and develop virtual currencies such as bitcoin; (ii) purchase goods and services with virtual currencies, or to buy and sell them as an investment; (iii) use and develop virtual currency technology and software; and (iv) utilize blockchain and distributed ledgers for both monetary and non-monetary purposes.

However, virtual currency has become a target of both federal and state regulation in recent years. Several states have issued regulations over virtual currency-based business activities. New York is the first state to implement the “BitLicense” regime, which imposes licensing and various AML (anti-money laundering) and KYC (know-your-customer) requirements.

Several pre-existing federal regulations may also apply. For example, virtual currencies are deemed “commodities” (instead of “currency”) by the Commodity Futures Trading Commission. A virtual currency business may also be deemed a money services business (MSB) falling under the jurisdiction of the Financial Crimes Enforcement Network, which imposes numerous filing, AML, and KYC obligations. Finally, crypto tokens and coins may qualify as “securities” subject to the regulation of the Securities and Exchange Commission.

Blockchain startups should carefully navigate the regulatory landscape with the assistance of legal experts as failure to comply may lead to severe consequences including criminal charges.

Intellectual Property


The IP strategy for blockchain startups should follow a shield-sword approach: to shield off the potential liabilities from open source license violations; and to actively apply for patent protection for mission-critical components.

Many digital currency and distributed ledger projects are developed under open source licenses. An open source license is a non-commercial and (generally) royalty-free software license that often comes with specific restrictions. For example, the Apache 2.0 license on which Hyperledger is based imposes additional notice requirements and restrictions on derivative works that are absent from the MIT license under which the Bitcoin Project is released.

It is imperative, therefore, for companies to understand the type of open source license they are given, and the limitations and restrictions contained therein.

Patent applications have been seen increasingly in payment methods, systems of using blockchain or cryptocurrencies, encryption, and mining. Considering that the patenting process generally takes a few years and most patents are litigated in their mid-life, blockchain startups should carefully time their patent filings.

Companies that prefer to keep their core technology as a trade secret, to avoid the public disclosure that comes with a patent filing, should know that patent rights would bar others from practicing the technology embodied by the patent even if they had independently invented it, whereas a trade secret would not.

Privacy


Many jurisdictions have enacted laws to protect the collection and use of personal information and impose hefty penalties of up to 4% to 5% of worldwide turnover. Even though data stored on a blockchain has historically been non-personal data, privacy becomes relevant for at least two reasons.

First, pseudonymous public data on a blockchain can be used to re-identify an individual. Bitcoin is said to be “pseudonymous,” which means that it has data points which are not directly associated with a specific individual but where multiple appearances of a person can be linked together. This risk of re-identification will increase over time as techniques improve and more background information becomes available, and the permanence of transaction history in a distributed ledger exacerbates such risks.

A recent study by the New York Times described how enough pseudonymous location data can make identification of an individual trivial. Once attributed to an individual, a lifetime of pseudonymous transactions linked to that person may be permanently exposed. In addition, although not public, cryptocurrency wallet software can be forensically analyzed even without the passphrases or keys that are needed to use the wallet.

Second, personal information may be inserted onto a public blockchain, rendering the blockchain automatically non-compliant under certain data protection laws. For example, the immutability and permanency of the information on a block could conflict with the “right to be forgotten” under the General Data Protection Regulation and consumers’ rights to a verifiable request under the California Consumer Privacy Act.

Thus, privacy due diligence should be conducted before importing personal information onto a public blockchain. The re-identification risks of the transaction data stored on the blockchain should also be studied.

Cybersecurity


To properly evaluate blockchain security, we need to consider the confidentiality (see Privacy Section above), integrity, and availability of information stored on the blockchain and transaction data.

While the distributed nature of blockchain ensures some degree of availability, blockchain is known for security risks due to 51% majority attacks and fork problems, and bitcoin is subject to “Sybil” or “Eclipse” attacks and denial-of-service attacks against exchanges.

Conversely, while blockchain’s immutability ensures the integrity of transactions on the network, the lack of centralized authority provides no redress against fraudulent or mistaken transactions. This flaw is demonstrated by the estimate made by a crypto engineer in July 2018 that nearly one-third of the bitcoins then in existence had been stolen or lost.

Both the federal government and states have laws penalizing companies causing personal data breaches for failure to adopt reasonable security. The costs and legal fees for handling a data breach can amount to millions. Companies should think twice about their readiness for handling data breaches before moving personal data onto a public blockchain.

Insurance


Crypto startups may seek insurance to manage legal risks. Under the characterization that bitcoin is equivalent to traditional assets like “money” or “securities,” traditional insurance coverages may cover some crypto-related risks.

Several major insurers reportedly have developed specialized insurance products for the bitcoin market. Until this insurance market matures, crypto startups should review their current insurance coverage to assess whether and how such insurance will respond in the event of common claim scenarios.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Xiaoyan Zhang is a counsel in Reed Smith’s IP, Tech & Data Group based out of San Francisco. She holds an advanced degree in computer science and counsels clients on legal issues in emerging technologies such as blockchain.

Shoshana O’Brien is an attorney at Mobilecoin who focuses on legal issues facing tech startups. She is a graduate of the University of Chicago Law School.
