Thought Leadership

Web3 Awaits a Framework – the NIST Cybersecurity and Data Privacy Frameworks Are Ready

May 20, 2022 Advisory

In January, when leaders of the region’s rapidly expanding Web3 community met at the Cryptopia pop-up event to discuss crypto, decentralized finance (DeFi), nonfungible tokens (NFTs) and decentralized autonomous organizations (DAOs), the likelihood of new laws, regulations, and industry standards was a reoccurring theme

But no one could have predicted the speed of last week’s (1) spectacular collapse of cryptocurrency Luna and its algorithmically linked stablecoin TerraUSD, a cryptocurrency that was supposed to be, well, stable, (2) the steep fall in value of other cryptocurrencies, including industry-leader Bitcoin, and (3) Coinbase reporting a $430 million quarterly loss and the loss of more than two million users.

Even so, rising out of the rubble of last week’s carnage, there are reasons to believe that with digital assets generally, strong steps will be taken to protect consumers, investors, and businesses, and that the new laws, regulations and industry standards forecasted earlier to provide some stability and certainty are beginning to take shape.

Regulation, ever-so slightly, is being assisted by expanded law enforcement – The Crypto Cops are coming!

On March 9, an Executive Order urged “strong steps to reduce the risks that digital assets could pose.” A few months prior, the Federal Reserve released a paper – “the first step in a public discussion” – that said digital assets should, among other things, “protect consumer privacy” and “protect against criminal activity.”

Similarly, on March 23 the Fed’s Chair said digital assets will be regulated to “keep the trust of users, [and] protect consumers.” For these same reasons, the Department of Justice recently appointed its first director of its National Cryptocurrency Enforcement Team, the FBI established its Virtual Asset Exploitation Unit, and the SEC announced it would double the size of its Crypto Assets and Cyber Unit by hiring 20 new enforcement officers to increase the overall force to 50 dedicated positions. The SEC has positioned itself as the chief government enforcer against crypto crime, with its cyber unit officers referred to in the Web3 world as “crypto cops.”

As previously noted, according to the Department of Justice the February arrests of cybercriminals linked to the theft of $4.5 billion in stolen bitcoin from a crypto exchange underscored how blockchain and crypto “comprise an expanding part of the U.S. financial system.”

Not to be left out, on April 7, the FDIC issued a letter stating “[c]rypto-related activities may pose significant safety and soundness risks, as well as financial stability and consumer protection concerns” and asking for feedback from supervised institutions about these risks including safety and soundness standards that should exist.

“A Framework! A Framework! We have got a Framework, and there cannot be any more Framework!”

“We really need a regulatory framework to guard against the risks … a comprehensive framework so that there are no gaps in the regulation,” Treasury Secretary Janet Yellen said a week ago before Congress. Frameworks often form the basis for industry standards and can lead to transparency about legal obligations. Indeed, even before last week’s meltdown, numerous elected and appointed officials had called for “some kind of framework” for digital assets.

We have been here before. In February 2013, an executive order was issued requiring government and private-sector organizations to collaborate on how “to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

In 2014, the National Institute of Standards and Technology (NIST) published the Cybersecurity Framework (CSF). The Organization of American States and Amazon Web Services described it as:

[U]ndoubtedly a tool for cybersecurity risk management, which enables technological innovation while adjusting to all types of organizations (regardless of category or size) … [and is] a simple-approach strategy to cybersecurity governance, to make it possible to easily transfer technical notions to the business objectives and needs

(Emphasis added). 

The CSF has become so widely accepted that the state of Utah has referenced it in its safe harbor statute, the Utah Cybersecurity Affirmative Defense Act. In short, if an organization’s written information security program “reasonably conforms” to the CSF, it would have an affirmative defense to a civil tort claim such as negligence if it experienced a “breach of security system” and was sued.

In 2020, NIST released a data privacy companion to the CSF known as the NIST Privacy Framework. This framework was designed to help organizations keep up with technology advancements and new uses for data. The PF purports to improve risk management through mitigation, transfer, avoidance and acceptance principles. It is designed for all types of organizations regardless of category or size and their objectives and needs, and can be “adaptable to any organization’s role(s) in the data processing ecosystem.

In sum…

A framework designed to “protect consumer privacy” and “protect against criminal activity” for the new technologies underpinning Web3 could take years. During this time consumers, investors, and businesses could become so disenchanted by the current threat landscape and the negative impacts it is having, that the ecosystem could be damaged beyond repair. 

On their own initiative, Web3 organizations should adopt the CSF and NIST Privacy Framework, at least in part, and the Executive and Legislative branches should empower NIST to develop a framework similar to these that is complementary. NIST has already begun to investigate blockchain technologies at multiple levels.

For further information about Web3 and the frameworks, whose applications will be explained in subsequent advisories, see the previous articles in this series on crypto, DeFi, NFTs, and DAOs referred to at the beginning, or reach out to the authors who are actively engaged in facilitating a safe and secure Web3 ecosystem.

Highlights

News Item

Armstrong Teasdale Welcomes Data Privacy Lawyer Ashfin Islam in Boston

Ashfin Islam

AT Health Law Beat, March 2023

AT Health Law Beat

EU Establishes New Regime to Regulate Digital Platforms

Advisory

2023 Is Here, and So Are Data Privacy Compliance Deadlines

Advisory
News Item

Ramos, Dunham Develop Governance Documents for National Institute of Corrections

The National Institute of Corrections (NIC) has published a revised version of its Guidelines for Developing a Criminal Justice Coordinating Committee , designed to help local criminal justice stakeholders, including government officials, enhance public...

Illinois Supreme Court Decision Exposes Employers to Significant Damages for Biometric Information Privacy Act Claims

Advisory

Recent Federal, State Actions Signal Increased Scrutiny for Executives on Cybersecurity Compliance

Advisory

Confronting the “Digital Elephant in the Room”: Expansion of SEC Crypto Regulation Looms

Advisory
News Item

Armstrong Teasdale’s McLaughlin Named a Go-To Cybersecurity/Data Privacy Lawyer

Peter McLaughlin
News Item

2023 Edition of Benchmark Litigation USA Recognizes 11 Armstrong Teasdale Trial Lawyers

Litigators Earn High Marks from Benchmark Litigation
Contact Us
  • Worldwide
  • Boston, MA
  • Denver, CO
  • Dublin, Ireland
  • Edwardsville, IL
  • Jefferson City, MO
  • Kansas City, MO
  • Las Vegas, NV
  • London, England
  • Miami, FL
  • New York, NY
  • Orange County, CA
  • Philadelphia, PA
  • Princeton, NJ
  • Salt Lake City, UT
  • St. Louis, MO
  • Washington, D.C.
  • Wilmington, DE
Worldwide
abstract image of world map
Boston, MA
800 Boylston St.
30th Floor
Boston, MA 02199
Google Maps
Boston, Massachusetts
Denver, CO
4643 S. Ulster St.
Suite 800
Denver, CO 80237
Google Maps
Denver, Colorado
Dublin, Ireland
Fitzwilliam Hall, Fitzwilliam Place
Dublin 2, Ireland
Google Maps
Edwardsville, IL
115 N. Second St.
Edwardsville, IL 62025
Google Maps
Edwardsville, Illinois
Jefferson City, MO
101 E. High St.
First Floor
Jefferson City, MO 65101
Google Maps
Jefferson City, Missouri
Kansas City, MO
2345 Grand Blvd.
Suite 1500
Kansas City, MO 64108
Google Maps
Kansas City, Missouri
Las Vegas, NV
7160 Rafael Rivera Way
Suite 320
Las Vegas, NV 89113
Google Maps
Las Vegas, Nevada
London, England
Royal College of Surgeons of England
38-43 Lincoln’s Inn Fields
London, WC2A 3PE
Google Maps
Miami, FL
355 Alhambra Circle
Suite 1250
Coral Gables, FL 33134
Google Maps
Photo of Miami, Florida
New York, NY
7 Times Square, 44th Floor
New York, NY 10036
Google Maps
New York City skyline
Orange County, CA
19800 MacArthur Boulevard
Suite 300
Irvine, CA 92612
Google Maps
Philadelphia, PA
2005 Market Street
29th Floor, One Commerce Square
Philadelphia, PA 19103
Google Maps
Philadelphia, Pennsylvania
Princeton, NJ
100 Overlook Center
Second Floor
Princeton, NJ 08540
Google Maps
Princeton, New Jersey
Salt Lake City, UT
222 South Main St.
Suite 1830
Salt Lake City, UT 84101
Google Maps
Salt Lake City, Utah
St. Louis, MO
7700 Forsyth Blvd.
Suite 1800
St. Louis, MO 63105
Google Maps
St. Louis, Missouri
Washington, D.C.
1050 Connecticut Avenue NW
Suite 500
Washington, DC 20036
Google Maps
Photo of Washington, D.C. with the Capitol in the foreground and Washington Monument in the background.
Wilmington, DE
1007 North Market Street
Wilmington, DE 19801
Google Maps
Wilmington, Delaware
Key Industries
About Us
Inclusion
Careers
Insights
Locations