
Special Feature: Future Proof Emerging Tech & Lawyers

Is DAO the New Form of a Corporation?

by Angelina Gomez, counsel at Clifford Chance; Co-founder and director of the Digital Law Association

Introduction

The Hon T F Bathurst, former Chief Justice of New South Wales, in a speech to the Francis Forbes Society noted that the “…corporate form is a ubiquitous part of modern commercial life and has a significance to our economy which it is difficult to overstate” with its “separate legal personality, perpetual existence, transferable shares and limited liability for members”.1

However, regardless of its ubiquity, with the emergence and adoption of blockchain and smart contracts in modern commercial life, we seem to be moving with some speed towards a decentralised future, and away from the hierarchical structures of corporations, with its board of directors and shareholders. This acceleration is mostly due to the fact that decentralisation encourages participation and transparency.

This can be clearly seen in the 2020 rise of decentralised finance (DeFi), which has rekindled interest in Decentralised Autonomous Organisations (DAOs), as being the appropriate vehicle to take advantage of DeFi, to engage in digital transactions and the endless possibilities for its members to act with common purpose, for example, to invest, fundraise and to collect NFTs and other assets. The crypto community is predicting that DAOs will become the “next big trend”.2

ASIC Chair, Joe Longo at the Australian Financial Review’s Super & Wealth Summit in November 2021, admitted “to a certain fascination with DAOs”, and raised the following questions:

What are they? What do they do? How can DAOs be regulated? … To paraphrase a concept familiar to corporate lawyers, to whom does ASIC turn to ascertain the directing mind and will of a DAO? It is not clear who is accountable if things go wrong, or don’t go as intended or anticipated. Nor is it clear how a DAO itself can be held accountable in a court of law.3

So what is a DAO? The building blocks of DAOs are blockchains4 and smart contracts,5 and they work together to effect the decisions of the members of a DAO. Are DAOs the new corporate paradigm? This article will examine the characteristics of most DAOs (bearing in mind that DAOs are not homogenous), the legal issues they raise and possible solutions.

What is a DAO and how does it work?

DAOs are organisations that operate on decentralised blockchain infrastructure, essentially, they are exclusively ‘online’, generally using open source code to carry out their operations. While DAOs can come in all shapes, sizes and protocol, a DAO is essentially a group of people who have agreed to achieve a common goal or mission, from the purchasing of digital assets to building a media empire.

Each DAO has its own system of governance but a common feature is that it is not managed by a board or any other form of central authority. Instead, it is a democratised organisation and its governance is based on a community of members. DAOs operate on a flattened hierarchy, and decisions are made collectively by their members. A DAO’s members comprise a group of, for the most part, anonymous people/entities, located anywhere in the world, who may never have met (and may never meet) one another in real life, who agree to abide by certain rules to participate in the DAO.

Members (or governance token holders) of a DAO make decisions on what a DAO does, shaping the DAO’s future through voting. As token holders, they own a stake or ‘equity’ in the DAO, but not all token holders have voting rights; for example, only masternode operators are allowed to vote on funding community projects supporting the Dash ecosystem.6 However, those that can vote usually do so on equal footing. There are a number of ways a person can join a DAO and obtain voting rights: they can buy governance tokens, be rewarded with governance tokens for work done for the DAO, or receive them through ‘airdrops’ (distributions of DAO tokens to members or potential members), for example, to encourage adoption or as a reward for early participation.

Any member can propose a project, the community of members will then discuss the project and vote. Depending on the rules or protocol governing the DAO (and which are embedded into its code), once consensus is reached, meaning when sufficient members agree according to the rules of the DAO, a decision is made and smart contracts action it. By way of example, a DAO’s rules could be as simple as ensuring that its decisions are only made by majority vote. Essentially, once decisions are made, the DAO’s smart contracts are activated. These smart contracts hang off the DAO blockchain effecting its operations through algorithms (based on the DAO’s rules, the code of the DAO) that run when certain criteria are met – they are non-repudiable and enforced without discretion, making the DAO’s functions automated and self-executing.

Every decision made and transaction carried out by the DAO through its smart contracts is coded on its blockchain; is immutable, tamperproof and transparent. No member or administrator/project governor (if the DAO has one) can edit the rules of the DAO (its source code) without other members noticing it. Essentially, the rules and governance of each DAO are coded in smart contracts on the blockchain and cannot be changed unless voted upon by the DAO’s members.
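The voting-and-execution loop and the tamper-evident decision record described above, as an added Python model; this is not code from the article or from any real DAO. It assumes one vote per voting member (the ‘equal footing’ the article mentions), rules stored as data that only a passed proposal can change, a quorum of one third and a simple-majority threshold, a constructed four-member DAO with a 100-unit treasury, and SHA-256 hash chaining standing in for the blockchain, which is the block-to-block linkage end note 4 describes.

```python
import hashlib
import json
from dataclasses import dataclass
from fractions import Fraction

GENESIS_PREV = "0" * 64


@dataclass
class Block:
    """One entry on the decision ledger, chained to its predecessor by hash."""
    index: int
    prev_digest: str
    payload: dict
    digest: str = ""

    def compute_digest(self) -> str:
        # The digest covers the previous block's digest, so editing any earlier
        # block changes what every later block should hash to.
        body = json.dumps(
            {"index": self.index, "prev": self.prev_digest, "payload": self.payload},
            sort_keys=True,
        )
        return hashlib.sha256(body.encode()).hexdigest()


class Ledger:
    """Append-only record of what the DAO decided and did (stand-in for the chain)."""

    def __init__(self):
        self.blocks = []
        self.append({"genesis": True})

    def append(self, payload):
        prev = self.blocks[-1].digest if self.blocks else GENESIS_PREV
        # Snapshot the payload so later changes to the caller's dict cannot leak in.
        block = Block(len(self.blocks), prev, json.loads(json.dumps(payload)))
        block.digest = block.compute_digest()
        self.blocks.append(block)
        return block

    def first_invalid_block(self):
        """Index of the first block whose content or linkage no longer matches, else None."""
        for i, block in enumerate(self.blocks):
            expected_prev = self.blocks[i - 1].digest if i else GENESIS_PREV
            if block.prev_digest != expected_prev or block.digest != block.compute_digest():
                return i
        return None


class DAO:
    def __init__(self, members, treasury, rules=None):
        self.members = set(members)  # voting token holders, one vote each (assumption)
        self.treasury = treasury
        # Rules are data on the ledger; only a passed proposal can change them.
        self.rules = dict(rules or {"quorum": "1/3", "threshold": "1/2"})
        self.ledger = Ledger()
        self.ledger.append({"event": "launch", "rules": self.rules, "treasury": treasury})

    def propose_and_vote(self, proposal, votes):
        """Tally one proposal; votes maps member -> True (for) / False (against).
        Returns 'executed', 'rejected' or 'no_quorum'."""
        valid = {m: v for m, v in votes.items() if m in self.members}
        cast, yes = len(valid), sum(valid.values())
        if cast == 0 or Fraction(cast, len(self.members)) < Fraction(self.rules["quorum"]):
            outcome = "no_quorum"
        elif Fraction(yes, cast) > Fraction(self.rules["threshold"]):
            outcome = "executed"
        else:
            outcome = "rejected"
        self.ledger.append({"proposal": proposal, "yes": yes, "cast": cast, "outcome": outcome})
        if outcome == "executed":
            self._execute(proposal)  # consensus reached: the action runs automatically
        return outcome

    def _execute(self, proposal):
        """Stand-in for the smart contract: no discretion, the coded action just runs."""
        if proposal["action"] == "spend":
            self.treasury -= proposal["amount"]
        elif proposal["action"] == "set_rules":
            self.rules = {**self.rules, **proposal["rules"]}


def demo():
    """Constructed scenario: four anonymous members and a 100-unit treasury."""
    dao = DAO(["alice", "bob", "carol", "dave"], treasury=100)
    grant = {"action": "spend", "amount": 40, "to": "grant-recipient-placeholder"}
    outcomes = [
        # 2 of 4 votes for: not a majority of votes cast -> rejected
        dao.propose_and_vote(grant, {"alice": True, "bob": True, "carol": False, "dave": False}),
        # 3 of 4 for -> executed, treasury drops to 60
        dao.propose_and_vote(grant, {"alice": True, "bob": True, "carol": True, "dave": False}),
        # the rules themselves change only by a passed proposal
        dao.propose_and_vote({"action": "set_rules", "rules": {"threshold": "2/3"}},
                             {"alice": True, "bob": True, "carol": True}),
        # 2 of 3 cast is not strictly above the new 2/3 threshold -> rejected
        dao.propose_and_vote({"action": "spend", "amount": 10, "to": "x"},
                             {"alice": True, "bob": True, "carol": False}),
        # 1 of 4 members voting is below the 1/3 quorum
        dao.propose_and_vote({"action": "spend", "amount": 10, "to": "x"}, {"alice": True}),
    ]
    intact = dao.ledger.first_invalid_block()
    # Someone quietly edits the recorded amount of the proposal that passed (block 3).
    dao.ledger.blocks[3].payload["proposal"]["amount"] = 90
    tampered_at = dao.ledger.first_invalid_block()
    return {"outcomes": outcomes, "treasury": dao.treasury,
            "threshold": dao.rules["threshold"], "intact": intact, "tampered_at": tampered_at}


if __name__ == "__main__":
    print(demo())
```

Two points the prose alone does not show: the threshold change passes as an ordinary proposal and then binds the very next vote, which is what ‘the rules are coded and cannot be changed unless voted upon’ looks like in practice; and after the recorded amount is edited, re-checking the chain points at block 3, because its stored digest no longer matches its contents, which is why such an edit does not go unnoticed.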

The use cases for DAOs are endless. In 2021, the ConstitutionDAO, made up of 17,000 members, put together $40 million to bid on an early copy of the US Constitution – they were ultimately outbid by a hedge fund billionaire.7 Some of the more well-known DAOs that collect NFTs (Non-Fungible Tokens, which are a form of digital asset) include FlamingoDAO (with a portfolio in early 2022 of over $1 billion, and members comprising traders, developers, artists and builders)8 and PleasrDAO (notably the owners of Wu-Tang Clan’s one-of-a-kind unreleased album, “Once Upon a Time in Shaolin”).9 DAOs are also making the purchase or renting of digital land in the various metaverse platforms more accessible, by pooling funds to invest in digital real estate; for example, Pangea DAO is a metaverse land investment cooperative with the “goal of creating more equitable virtual worlds”.10 Then there are mission orientated DAOs, for example, the Komorebi Collective DAO, which invests in “exceptional female and non-binary founders”,11 and the Big Green DAO, “a USA 501c3 non-profit that believes growing food changes lives”.12

Issues with DAOs and possible solutions

In 2016, the concept of DAOs ran into problems with the unfortunately named, “The DAO”. Initially extremely successful, The DAO raised $150 million, which at that time, was one of the largest crowdfunding efforts undertaken. A hacker (or hackers) exploiting an issue with The DAO’s code base, managed to draw $50 million worth of ether (ETH) from the DAO before it was stopped by Ethereum having to hard fork13 its blockchain to restore the siphoned funds (by moving the funds raised to a recovery address where the DAO’s token holders could exchange their DAO tokens for ETH).14 This created concerns around security and debate as to whether code should be the only law, meaning that if the algorithms of the smart contract (that formed part of the DAO’s code base) allowed the drawing of the $50 million, then it could not be illegal and should be allowed to stand.15

Since then, with the gains made in DeFi, confidence in DAOs is again increasing rapidly. However, DAOs in most jurisdictions are still not supported by government oversight or any regulatory structures that address issues of taxation and other legal uncertainties, as to member responsibility and potential liabilities.

In order to truly flourish, establish on a large scale and give long term benefit to its members, DAOs need certainty through regulation, they need to be recognised as a legal personality.16 Granting DAOs separate legal personality would mean that a DAO could own assets, sue and be sued and could also protect its members from personal liability.

The current situation (in Australia) is that DAOs are not established as legal entities, and consequently, their decentralised governance structures do not fall readily within existing regulatory categories. At present, DAOs are likely to be considered common law partnerships or unincorporated associations, whose operations are run by smart contracts. These entities are not recognised as separate legal entities from their associated members/partners and consequently, this creates issues around the holding of assets, succession, the liquidation by members of their tokens and taxation, and could potentially expose a DAO’s members to a number of risks and liabilities, including that they could be held liable for debts incurred by the DAO. To address these issues, hybrid structures have developed – DAOs are being wrapped in legal personality, for example, through the creation of limited liability companies or trusts linked to DAOs, acting as service entities, giving DAOs the ability to enter into contracts, hold assets and ensure that their members are protected by limited liability.17

Until we have regulations that deal with DAOs, these structures provide a bridge between the digital world of the DAOs and the real world of legal regulations and protections. As reported in the Australian Financial Review, in 2021, the Digital Law Association (the DLA) proposed “formal recognition of new, decentralised models for corporate governance where a board of directors is replaced with an internet community” and suggested that a DAO Limited structure could draw from the “DAO Model Law” proposed by the Coalition of Automated Legal Applications (COALA), but not to adopt it wholesale,18 with a new “authorisation class” to be created in the Australian Financial Services Licence (AFSL) regime, for digital assets, the currency of DAOs.19 The DLA argued that DAOs:

…will increasingly feature as a business model in the digital and decentralised economy and must be given legal recognition, the clear ability to hold property and contract, as well as limited liability.20

The DLA also “called for a review of the impact of tax laws on DAOs to ensure technological neutrality happens in practice. It has also suggested that a multi-agency working group establish a taxonomy for digital assets setting out the Australian legal and tax implications of digital asset businesses and transactions with input from multiple Australian regulators”.21

Following the DLA’s submissions and those of other interested parties, in October 2021, Senator Andrew Bragg’s Select Committee made a number of recommendations on cryptocurrency and digital assets, de-banking and “that the Australian Government establish a new Decentralised Autonomous Organisation company structure”,22 proposing that:

The government should examine the COALA model and other international examples in developing a DAO company structure that suits Australia’s specific corporate frameworks.23

Apart from legal personality, the protocol (or rules) of the DAO must be considered carefully as code is the law of the DAO. Transparency through open source coding (available in a public forum) is of fundamental importance here as usually, during the DAO’s development phase (before its member base is assembled), its creators and designers decide a number of substantive aspects of the DAO’s protocol including its decision framework, financial incentives, voting structure and governance (unless they set these up provisionally and include as part of the DAO’s protocol, an approval mechanism to allow members to vote on the DAO’s protocol when launched). Other issues that need to be considered when setting up or joining a DAO include:

1. whether the DAO has administrators, and their role in the DAO, for example, do they act as the ‘post box’ of the DAO, a contact point for regulators and other third parties;

2. was an audit of the DAO’s code done prior to launch and whether the DAO undergoes regular audits to ensure that its code continues to match the objectives of its members and is not subject to major security risks;

3. the different classes of tokens the DAO offers and what rights and liabilities are attached to them, for example, whether there is protection of minority rights;

4. voting protocols – do they deal with voter indifference or voting fatigue and possible off-chain voter influence (to gain a majority to push a project through the DAO);

5. … to be liquidated, transferred or bequeathed;

6. the DAO’s dispute resolution processes;

7. fiduciary or other equitable obligations that members of a DAO may owe to each other – and how to legislate or contract out of these obligations;

8. the anonymity of members which could make recovery against them difficult and costly;

9. security issues – it may take time to vote on changing defective code and in the meantime, hackers may make use of the identified shortcomings in the code;

10. when a hard fork will be initiated (and how the fallout of possibly having two DAOs in operation will be managed);

11. potential missing elements from smart contracts that could create disputes within the DAO or with third parties affected by the operation of a smart contract, including, representations made by the parties to a smart contract (for example, as to the scope of the contract or with regards to consumers of a DAO product), warranties, indemnities, force majeure provisions, governing law, notice provisions, human errors (for example, late payment even by mere hours may not result in the smart contract being triggered) and coding errors (for example, performance does not match the agreement between the parties); and

12. the massive energy consumption associated with running blockchains.

In 2022, Forbes reported that Ethereum and Bitcoin mining operations together were responsible for “emitting more than 78 million tons of CO2 into the atmosphere, equal to the annual tailpipe emissions of more than 15.5 million cars”.24

Conclusion

The potential of DAOs is enormous. It has the potential to democratise decision making, creating diverse opportunities for asset acquisition, ensuring that those who gather together to achieve a particular goal, will be able to do so transparently, quickly and efficiently. Vitalik Buterin, a co-founder of Ethereum noted that:

“One of the more interesting long-term practical benefits of the technology and concept behind decentralized autonomous organizations is that DAOs allow us to very quickly prototype and experiment with an aspect of our social interactions that is so far arguably falling behind our rapid advancements in information and social technology elsewhere: organizational governance. … Now, it may be possible to create systems that are more fluid and generalized that take advantage of the full power law curve of people’s ability and desire to contribute.” 25

However, to truly take advantage of all that DAOs promise, we must have proper and adaptable legal guardrails in place to regulate and provide oversight. This is what we need to be working on now.

Angelina Gomez, counsel at Clifford Chance; Co-founder and director of the Digital Law Association, https://digitallawassociation.com/.

End Notes

1 The Hon T F Bathurst, Chief Justice of New South Wales, “The Historical Development of Corporations Law”, Francis Forbes Society for Australian Legal History: Introduction to Australian Legal History Tutorials, Sydney, 3 September 2013.

2 Taylor Locke, “What are DAOs? Here’s what to know about the ‘next big trend’ in crypto”, CNBC, 25 October 2021, https://www.cnbc.com/2021/10/25/what-are-daos-what-to-know-about-the-next-big-trend-in-crypto.html, accessed 4 April 2022.

3 Speech by ASIC Chair Joe Longo at the AFR Super & Wealth Summit, 22 November 2021, https://asic.gov.au/about-asic/news-centre/speeches/responsibility-amid-change/, accessed 6 April 2022.

4 A blockchain is a type of distributed ledger technology that can be used to verify and share/track information or anything of value (e.g. financial transactions, property). Its main features are that it is decentralised, transparent and immutable. Each transaction on a blockchain is a block and every block is chained to a previous block using cryptography. Blocks are time-stamped and can only be added to the chain sequentially. Blockchains can be open to everyone or restricted to permissioned participants. In both, information is distributed across a network of computers and is decentralised, meaning that a trusted party is not required to validate each transaction. As each computer in the network possesses an identical copy of the ledger, when transactions are added, they are reflected in all copies of the ledger.

5 Nick Szabo first coined the term “smart contract” referring to “a set of promises, specified in digital form, including protocols within which the parties perform on these promises”: See Smart Contracts: Building Blocks for Digital Markets, by Nick Szabo, 1996, https://www.fon.hum.uva.nl/rob/Courses/InformationInSpeech/CDROM/Literature/LOTwinterschool2006/szabo.best.vwh.net/smart_contracts_2.html, accessed 4 April 2022. Smart contracts are essential to run most crypto-based projects. They are built in computer code and stored on a blockchain, i.e. smart contracts can be hosted and executed on a blockchain. Smart contracts are self-executing agreements and, with contractual terms embedded as computer code in software, they automatically enforce obligations. Performance is enabled through technology and rule-based operations (using predefined inputs). These automated contracts are irrevocable and once initiated the smart contract is coded to perform unless a pre-set condition is not met. Human discretion and control are excluded (unless it forms part of the code). After every transaction (if X then Y), the nodes on the blockchain update the new state of the distributed ledger. See also Scott A McKinney, Rachel Landy, and Rachel Wilka, “Smart Contracts, Blockchain, and the Next Frontier of Transactional Law”, 13 Washington Journal of Law, Technology & Arts (2018) 313; Reggie O’Shields, “Smart Contracts: Legal Agreements for the Blockchain”, 21 North Carolina Banking Institute (2017) 177.

6 Dash, “Becoming a voting member”, https://www.dash.org/masternodes/, accessed 4 April 2022.

7 Tristan Bove, “A DAO outbid a billionaire for an original copy of the U.S. Constitution last year and nearly won. What a DAO is, and how it could change the future of business”, Fortune, 16 February 2022, https://fortune.com/2022/02/15/what-is-a-dao-explaining-decentralized-autonomous-organizations/, accessed 4 April 2022.

8 Tracy Wang, “FlamingoDAO’s NFT Portfolio Is Now Worth $1B”, CoinDesk, 11 February 2022, https://www.coindesk.com/markets/2022/02/10/flamingodaos-nft-portfolio-is-now-worth-1b/, accessed 4 April 2022.

9 Keira Wright, “PleasrDAO adds $4M ‘OG NFT’ Wu-Tang Clan album to its collection”, CoinTelegraph, 21 October 2021, https://cointelegraph.com/news/pleasrdao-adds-4m-og-nft-wu-tang-clan-album-to-its-collection, accessed 4 April 2022.

10 The PangeaDAO, https://www.pangeadao.org/, accessed 4 April 2022.

11 The Komorebi Collective, https://syndicate.io/syndicate/komorebi_collective, accessed 4 April 2022.

12 The Big Green DAO, https://dao.biggreen.org/, accessed 4 April 2022.

13 A hard fork refers to a fundamental change to the rules or protocol of the blockchain underpinning the DAO, usually resulting in two blockchains, with the ‘new’ blockchain no longer compatible with the earlier blocks on the ‘old’ blockchain. See Crypto Basics, “What is a fork?”, Coinbase, https://www.coinbase.com/learn/crypto-basics/what-is-a-fork, accessed on 6 April 2022.

14 Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO, Release No. 81207, 25 July 2017, page 9, https://www.sec.gov/litigation/investreport/34-81207.pdf, accessed 4 April 2022; Christoph Jentzsch, “What the ‘Fork’ Really Means”, slock.it Blog, 19 June 2016, https://blog.slock.it/what-the-fork-really-means-6fe573ac31dd, accessed 4 April 2022.

15 See further Cathy Hackl, “What Are DAOs And Why You Should Pay Attention”, Forbes, 1 June 2021, https://www.forbes.com/sites/cathyhackl/2021/06/01/what-are-daos-and-why-you-should-pay-attention/?sh=5f5578497305, accessed 4 April 2022; David Siegel, “Understanding The DAO Attack”, CoinDesk, 25 June 2016, https://www.coindesk.com/learn/2016/06/25/understanding-the-dao-attack/, accessed 4 April 2022.

16 Some jurisdictions have started to create legal structures for DAOs, and in July 2021, Wyoming became the first State in the US to recognise DAOs as legal entities and provided a legal framework for their existence: Decentralized autonomous organizations, Bill no. SF0038, LSO no. 21LSO-0263, https://www.wyoleg.gov/Legislation/2021/SF0038, accessed 4 April 2022.

17 It has also been proposed that while a DAO remains unrecognised as a legal person, a solution is to wrap an entire DAO as a single unincorporated non-profit association (UNA) or “siloing” DAO activity “between the treasury and the protocol, with the treasury being “wrapped” in an UNA and the protocol remaining regimeless or “wrapped” in a variety of possible entities”, which will be determined by the facts and circumstances of a particular DAO: From David Kerr and Miles Jennings, “A Legal Framework for Decentralized Autonomous Organizations”, 2021, [LINK], accessed on 4 April 2022.

18 Coalition of Automated Legal Applications (COALA), “Model Law for Decentralized Autonomous Organizations (DAOs)”, 2021, https://coala.global/reports/#1623963887316-6ce8de52-e0a0 and https://coala.global/wp-content/uploads/2021/06/DAO-Model-Law.pdf, accessed 4 April 2022.

19 James Eyers, “Digital lawyers call for a new legal entity: the DAO Limited”, Australian Financial Review, 15 July 2021; Digital Law Association Submission, “Third Issues Paper (Senate Select Committee on Australia as a Technology and Financial Centre)”, July 2021, page 29, [LINK], accessed 4 April 2022.

20 Ibid, Digital Law Association Submission.

21 Eyers, above n 20; Digital Law Submission.

22 The Senate, Select Committee on Australia as a Technology and Financial Centre, Final Report, October 2021, pages vii-viii, https://parlinfo.aph.gov.au/parlInfo/download/committees/reportsen/024747/toc_pdf/Finalreport.pdf;fileType=application%2Fpdf, accessed 6 April 2022.

23 Ibid, page 138 [6.35].

24 Ted Knutson, “Crypto Energy Consumption Enormous But It Needn’t Be, Congressional Panel Hears”, Forbes, 20 January 2022, https://www.forbes.com/sites/tedknutson/2022/01/20/crypto-energy-consumption-enormous-but-it-neednt-be-congressional-panel-hears/?sh=1aff91084abb, accessed 4 April 2022.

25 Ethereum Foundation Blog, Research & Development, “An Introduction to Futarchy”, posted by Vitalik Buterin, 21 August 2014, https://blog.ethereum.org/2014/08/21/introduction-futarchy/, accessed 4 April 2022.

PROFESSIONAL STANDARDS SCHEME

The Law Society of Western Australia Professional Standards Scheme (Scheme) enables Australian legal practitioners and incorporated legal practices to limit their professional liability at $1.5 million, $5 million or $10 million, subject to the exclusions contained in section 5 of the Professional Standards Act 1997 (WA) (the Act), depending on the total annual fee income of their law practice.

Only members of an occupational association can be members of a limitation of liability scheme in accordance with the Act. Therefore only Ordinary members (members with a current Australian practising certificate) and Incorporated Legal Practice (ILP) members of the Law Society can participate in the Scheme. The Scheme operates on a one-in, all-in basis. For a law practice to receive the full benefit of the Scheme, all practitioners within the law practice and the law practice itself (if incorporated) need to participate in the Scheme. Participating members are required to disclose their limited liability status to clients. Failure to do so is an offence under the Act. For further information in relation to the Scheme, please visit the Law Society’s website or contact the Scheme Coordinator on (08) 9324 8653 or by email to pss@lawsocietywa.asn.au

lawsocietywa.asn.au/pss/

The Cyber Threat Landscape for the Legal Profession

by Michael Woods, MCybSecurity BBus CISSP CCSP CISA CISM CRISC CGEIT CEH CDPSE, Founder and CEO, Tannhauser

Introduction

In 2021 we saw a distinct shift in the cyber threat landscape, with supply chain risk through software vendor vulnerabilities now a significant cyber security threat faced by organisations. The COVID-19 pandemic forced organisations to rapidly change how they operate, in turn creating new opportunities for threat actors in the process. Remote working meant that threats around offsite access and infrastructure were exposed, offering new challenges in securing data. This article explores the current cyber threat landscape for the legal profession and the challenges that must be addressed to protect your organisations.

Australia’s Growing Concern with Cyber Security

Our society is now heavily reliant on technology and digital services (public or private). The online environment is one that is constantly changing, with new threats and opportunities emerging at an unprecedented pace. In our always-connected digital world, the stakes are higher than ever before, and as we navigate a period of increased geopolitical tension between global superpowers and their alliances, the Australian Government has been speaking publicly about cyber threats posed to local companies. Per the Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report 2020-21, last financial year over 67,500 cybercrimes were reported, an increase of nearly 13 per cent from the previous year. Self-reported losses from these cybercrimes total more than $33 billion.

In its “Executive Opinion Survey: National Risk Perceptions”, published in January 2022, the World Economic Forum surveyed business leaders around the globe to understand their leading concerns. For Australia, the failure of cybersecurity measures was named number one, because growing digital dependency intensifies potential cyberthreats. Cyber risk outranked extreme weather events and climate action failure, which may have changed now given recent events on the east coast of Australia.

The challenge in Western Australia is unique, but not uncommon: population of roughly 2.7 million, economic sector focus on rocks and crops, small technology sector, low digital literacy amongst senior business leaders, technology teams who wrestle with talking business risk, almost non-existent cyber risk appetite defined for individual businesses, lagging legislation and regulation, and a misrepresentation of core issues by the media for attention grabbing headlines. These contributing factors greatly increase the likelihood of a successful cyber-attack occurring within your organisation. Law firms must now assume intrusion within their network and shift focus to building resilience capabilities whilst protecting sensitive data and services.

Why Are Law Firms Targeted

It should come as no surprise to this audience that lawyers are privy to vast amounts of sensitive and valuable information. This is one reason why law firms are such popular targets for espionage and criminal activity. This information is not just sensitive personal and private client information, but also very valuable business documents related to finances, mergers and acquisitions, transactions, due diligence, business strategies, and much more.

Criminals seek to maximise their profits from a cyber attack in a variety of ways. Information could be sold to third parties, or your systems and data could be held hostage until a ransom is paid. We have seen ransomware threats evolve from seeking a ransom from the business alone to criminals also approaching the business’s clients for a ransom before disclosing their information.

An increasing threat is funds payment manipulation either through phishing (business email compromise and/or whaling) or targeted attacks on payment systems and online bank accounts. And let’s not forget sometimes it’s pure pot luck for criminals who randomly search for a vulnerability on a range of global IP addresses and may happen to stumble upon the domain of a law firm and then explore Aladdin’s cave for their loot.

Notable Cyber-Attacks on Law Firms

Over the last decade cyber attacks have plagued law firms with increasing frequency and severity. The impacts have ranged from information disclosure, unavailability of systems due to ransomware and supply chain issues with software vendors. We have collated notable industry cyber incidents below:

2013: The International Consortium of Investigative Journalists’ (ICIJ) Offshore Leaks was a 260-gigabyte set of 2.5 million documents from the Portcullis offshore group.

2016: The Panama Papers comprised 11.5 million files of Panama law firm Mossack Fonseca, with 2.6 terabytes of data. Personal and private data was leaked leading to tax evasion investigations.

2017: DLA Piper LLP, one of the largest law firms in the world, was hit by a ransomware attack (Petya) that infected hundreds of thousands of computers across their platform. The global cyber event encrypted all affected files and requested a ransom of $300 in bitcoin to regain access to individual machines to avoid the threat of deletion.

2017: Paradise Papers in 2017 contained 13.4 million documents in 1.4 terabytes of data exfiltrated from British Virgin Islands law firm Appleby.

2021: Pandora Papers 2021 contained 14 different offshore service providers’ private information. The code name for the 12-month investigation was Aladdin.

2021: Campbell Conroy & O’Neil, P.C., a law firm handling hundreds of cases for the world’s leading companies, announced a large data breach that resulted from a ransomware attack in February.

2021: Allens suffered a high profile attack on their file-sharing system provided by third party cloud company Accellion, with confidential information accessed illegally.

And it’s not just Big Law that have suffered cyber incidents. Even smaller practitioners have had their pockets picked by sophisticated cyber criminals, whether ransomware wielders or email con artists. Business email compromise, also known as whaling, a type of sophisticated phishing, frequently impacts law firms with criminals trying to misdirect funds transfer. Please do not be led into a false sense of security that Western Australia’s geographic isolation provides your business protection from a cyber incident. To the contrary the internet has brought everyone closer and cyber criminals to your doorstep within a few clicks and carefully crafted emails.

Technical Debt

“Technical Debt” is an emergent condition present in many digitally-enabled law firms that have now discovered their existing technology is too rigid to accommodate new business objectives and priorities. This rigidity is created from past system design and architecture decisions that were made, usually with the best intentions, based on the architect’s knowledge of business objectives that were available at the time.

No technology solution is able to do everything. In order to design a system for any particular purpose, architects and engineers must make a series of design choices, or trade-offs, along the way that, as a necessary consequence, sacrifice other choices that could have been made at that juncture. Specifically in security this phenomenon is described as control friction vs. user experience.

Addressing technical debt is a significant investment for any law firm and is typically left to the last minute or worse after a successful cyber attack. The point here is don’t leave technology change too late as it is far more costly recovering from a cyber attack or a loss of system availability.

The Push to Digital

COVID-19 created a digital rush which left many organisations exposed, with teams still cleaning up poorly implemented and/or secured solutions. While there is no doubt that the pandemic amplified the adoption of new technologies, technological advancements were already changing the world over the past two decades, from living standards to the very nature of our work.

These changes require business leaders to revisit corporate strategy and necessary security considerations. Technology has created seismic shifts in the mix of skills required for the new workforce to remain relevant to our customers. These new skills and platforms change the risk environment for law firms.

Social Engineering

Threat actors continue to perfect their social engineering techniques and are being bolder with their engagements with targets. Social media platforms, once used for reconnaissance, are now increasingly used to directly interact with employee targets over multiple mediums.

LinkedIn is becoming a favoured platform to engage with targets. Criminals create fake recruiter profiles, building trust with their victims, sometimes over a period of weeks or months of interaction. Once trust is established, the conversation reportedly moves to other means of communication including WhatsApp, email, and even phone calls. Victims are tricked into opening malicious attachments disguised as job specifications which contain malware. Human error is still a major vulnerability of any cyber security defence, and we expect to see individuals continue to be targeted as an easy route to gaining access. Organisations must build a secure culture and ensure their entire workforce, no matter their role, adopts the secure behaviours and attitudes needed to keep the organisation safe.

Hybrid Working Now a Reality

Fighting a strong trend toward hybrid work, Goldman Sachs CEO David Solomon has repeatedly insisted that employees return to the office full-time, leaving no doubt that he views remote work as a temporary aberration. When the New York offices reopened recently, only 50% of staff returned. Employee expectations have shifted, as it has been demonstrated, in some cases, that work can be effectively performed at home.

For cyber security, this increases potential avenues of attack. We are no longer sitting in our law firm castle with a big stone wall and a moat protecting our valuable data. Our data is in the homes of our employees on a portable laptop. How do we enable and empower our staff to make conscious security decisions from home?

Supply Chain Exposed

In 2021, several high-profile incidents involved supply chain compromise. In some cases, multiple threat actors compromised the same “supplier” entity independently, complicating the scoping, response, and attribution of incidents.

For the legal industry, the most high-profile supply chain compromise related to the file transfer platform Accellion. Critical vulnerabilities were identified within the cloud platform that allowed unauthorised users access to data stored within the platform. Allens, a legal adviser to almost three-quarters of Australia’s top 100 companies, was impacted by this supply chain incident.

Threat actors that target supply chains display a high level of sophistication and remain under the radar for months if not years. Organisations should be asking themselves about access privileges and whether they are giving IT management and security software too much leeway. They should also be assessing whether their threat detection capabilities can identify malicious activity across their environment and whether any changes could be made to identity and access management systems to detect the abuse of trusted or privileged access.

Changing Regulation and Legislation

There are major changes being introduced to state and federal legislation covering cyber security, privacy, ransomware, criminal penalties and critical infrastructure. These changes are necessary to keep up with technology and the risk presented to Australian citizens and organisations.

At Tannhauser, we support systemic changes to the Privacy Act 1988 (The Act) to focus on the privacy rights and protections of individuals rather than the responsibilities of an insufficient subset of organisations within Australia. At 30 June 2021 there were 2,402,254 actively trading businesses in the Australian economy, and 93.0% of those businesses had turnover of less than $2 million. Businesses with a turnover over $3 million are required to meet the requirements within The Act, and this does not consider the long list of organisations excluded from The Act. The Notifiable Data Breaches scheme, as part of The Act, is an incredibly important tool for Australian citizens to protect themselves. It requires businesses to notify upon a breach, but the coverage of organisations is limited, as illustrated. There must be greater emphasis on the protection of individuals and the obligations on entities to ensure business models and practices safeguard privacy.

The proposed Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 amends the geographical jurisdiction provision for computer offences, introduces standalone offences for extortive conduct associated with ransomware and increases maximum penalties for these offences. The Ransomware Payments Bill 2021 (No. 2) proposes the establishment of a mandatory requirement for Commonwealth, state or territory entities, corporations and partnerships to report to the ACSC ransomware payments paid in response to a ransomware attack.

Enhancement of critical infrastructure legislation is much needed, as emphasised by the pandemic and recent natural disasters. The Security Legislation Amendment (Critical Infrastructure) Act 2021 creates a framework for managing risks relating to critical infrastructure, with reporting requirements related to critical assets and cyber security incidents.

Enforcement: Increasing Opportunity Cost

Existing legislation and enforcement powers against cyber criminals have been seen as toothless tigers. This has led to recent proposals of increased penalties. Chief among these penalties are an increased maximum penalty of 10 years’ imprisonment for cybercriminals that use ransomware and a new maximum penalty of 25 years’ imprisonment for criminals that target Australia’s critical infrastructure. However, harsher fines and judgements do not necessarily contribute to the reduction of cyber crime.

In 2019, the effects of DNA databases on the deterrence and detection of offenders were researched in Denmark (Anker, et al). The report concluded that a 1% higher detection probability reduces crime by more than 2%. For example, a change in policing policy may increase the probability that an offender gets caught and subsequently taken to court. This can reduce the incentive to offend, reducing the offending rate. The challenge with cyber crime is that it’s often a faceless attack perpetrated overseas in an unfavourable jurisdiction. The Internet is a near-anonymous environment where crimes can be committed with tracks hidden, and payment taken in cryptocurrency which can then be “tumbled” or washed to further remain hidden. Legislation should emphasise increasing the likelihood of offenders being caught and held to account. Attack attribution is by no means an easy feat, but to reduce this crime type we need to introduce higher costs to the perpetrators, either through enhanced control environments or by increasing the propensity of threat actors actually being caught.

Steps to Take Now

There are foundational cyber security controls that every business should strive towards, and these are articulated within the Australian Cyber Security Centre’s Essential 8; these mitigation strategies are aimed at preventing an incident occurring. However, we know a cyber attack is inevitable (not if, but when), so we must also consider business resilience initiatives to ensure law firms can respond and recover from a cyber attack swiftly to reduce any downtime and potential financial impacts to the firm. The starting point is training staff to ensure everyone is on the same page about the risks they face in their day-to-day duties. For example, the assumption that all your staff have the same level of knowledge and ability when it comes to detecting a phishing attempt should be put to bed.

Avoiding the loss of private data is an important factor in protecting not only your company data, but connected customers and companies. Simple measures can significantly improve your security posture. These include:

1. Educate your staff on cyber threats;

2. Grant access to sensitive data only to people who need it to perform their job;

3. Enable multi-factor authentication for every internet-accessible application;

4. Avoid easily guessable passwords;

5. Be cautious when opening attachments in emails from unknown senders;

6. Avoid connecting your devices to public Wi-Fi networks;

7. Turn on your device firewall and install antivirus software on all devices; and

8. Back up your data.

Australian law firms who are starting their cyber security journey should conduct a cyber risk maturity assessment with a reputable and qualified cyber security firm.

Backup Serves the Purpose of Recourse

A backup plan or contingency strategy is an alternative which can be used if something goes wrong with the main plan; a recourse. As mentioned above, we must now assume intrusion, which means your backup plan will be tested when cyber security controls fail. An immutable copy of your data is now essential. This allows recovery of data to a point in time that is known not to be impacted by the cyber attack. We have witnessed teams recovering from a compromised backup, exacerbating the original incident. Backup will not eliminate all cyber risk to your organisation, only those scenarios where recovery is required, e.g. ransomware. Backup doesn’t solve loss of confidentiality from exfiltrated data or payment redirection. Ensure you have the right solution for the different scenarios that could impact your business.

Conclusion

Cyberspace continues to be increasingly dangerous; however, there are simple steps, as illustrated, to uplift your security posture to increase costs to the criminals to reduce the likelihood of attack on your firm. Barring any criminal activity, it’s a firm’s responsibility to protect information about their clients. A strong cybersecurity culture and the right defensive tools are the best way to protect the reputation of your firm as a secure place for clients’ data. While it can be costly for businesses to invest in the right people, processes and technology to protect against these threats, the damage that results from being unprepared is ultimately far more costly.

Our reliance on digital services will increase and as such so do the potential risks associated. We must look towards enhanced risk management practices and continuous monitoring to ensure those responsible and accountable for the organisation are well informed and make the best possible decisions available to them.

A Macro Way to Reputation Damage

by Brenda van Rensburg

Introduction

The increase of cyber-crime has placed a significant amount of responsibility on anyone using digital technology. Since its release to the public in 1994, digital technology has advanced at such an exponential rate that it is near impossible for legislation to keep up. While regulation is supposed to offer judicial direction, it often leaves victims at the hands of a faceless perpetrator without any legal recourse. In addition to this, businesses are left defending their reputational castle with nothing more than a thread of ethics and a Band-Aid of professional conduct.

Despite the increased use of security tools, data breaches have increased by over 68 percent in the last year1 leaving data security in the hands of businesses with an expectation to do the right thing. Fortunately, there is a level of accountability which is guarded by governance and discipline.2 A professional who breaches these rules could face serious penalties.3 This article will discuss a lawyer’s ethical and professional responsibility to prevent the unauthorised access and disclosure of personal and confidential data through the implementation of the Essential 8.

The Legal Expectation

According to Legal Professions Conduct Rules (WA), lawyers are expected to uphold fundamental ethical duties4 which, at the core, would not ‘bring the profession into disrepute’.5 A lawyer owes a ‘duty of care’ to both their client and the administration of justice, to ensure that their use of technology will not increase the likelihood of harm to a client, or the legal profession.6

With data breaches increasing rapidly, there is a heightened chance that information could be either accessed maliciously or disclosed in a manner that would place confidentiality at risk. According to Meghan LeWallen, lawyers ‘must be aware of security and confidentiality risks’ as this could ‘lead to ethics violations.’7 Arguably, unauthorised disclosure of information is disclosure without the client’s consent.8

In 2012, The American Bar Association amended the Professional Conduct Rules to include a lawyer’s responsibility to keep up to date with risks associated with technology.9 As a result, lawyers have a duty of competence to ensure that they either have knowledge of the technology they use, or they seek the advice of a person who specializes in this area.10

Essential 8 and Ethical Responsibility

In 2017, the Australian Cyber Security Centre published the Essential Eight Maturity Model11 (Essential 8). It was designed to protect ‘Microsoft Windows-based internet-connected networks.’12 The four levels of maturity identified within the Essential 8 help organisations to implement controls based on their business model.

The Essential 8 offers lawyers a guide to protecting confidential data which is ‘fundamental to the lawyer-client relationship.’13 The duty of confidentiality is necessary for the adversarial system, client compliance and to promote ‘client trust, dignity and autonomy.’14

In New South Wales Bar Association v Cummins, the court agreed that ‘clients must feel secure in confiding their secrets’.15 Arguably, clients place their trust in a lawyer, and this relationship should not be seen as a commercial one.16 The North Dakota Supreme Court illustrated that lawyers must provide competent representation which ‘includes keeping abreast of changes in technology.’17 Therefore, it would be expected that lawyers have a level of responsibility to ensure that they adopt a security framework that would not place the information at ‘risk of coming into the hands of someone with an adverse interest.’18

A Macro Disaster

The Essential 8’s mitigation strategies cover 3 key areas that include prevention, limitation, and recovery. The Australian Signals Directorate considers the Essential 8 one of the most effective cyber resilience models for any organisation.19 These controls were designed to help businesses protect their security systems against a range of adversaries.

One of the 4 preventative controls within the Essential 8 is configuration of the Microsoft Office macro settings. The Microsoft Office suite, also known as Microsoft 365, contains an ‘embedded code written in Visual Basic for Applications (VBA) programming language’.20 It allows a user to automate repetitive tasks.21 The same code can also be used to hide malware, which can lead to malicious actors accessing different information systems.22

The first time the world experienced a global macro attack was in 1999. The Melissa Virus, which took advantage of the macro security flaw, created havoc that allowed adversaries to access personal and sensitive information.23 Malicious actors continually use this tactic because it is simple to use, and documents are shared quickly between friends and associates.24

In 2021, Microsoft announced that ‘internet macros’ would be blocked by default.25 The added new feature is a message bar with a button to notify users about the risks and safe practices.26 Unfortunately, users can still enable macros with the click of a button, leaving organisations to accept the risk when using Microsoft Office documents.

Reputational Risk

Cyber security presents several risks to a business. The most critical of all is reputational risk. According to Tori Taylor, 87% of consumers are ‘willing to take their business elsewhere’ if a data breach was to occur.27

In 2016, Target Pty Ltd experienced a data breach which exposed 40 million credit card records.28 Target sales dropped by 46% for that quarter, which was equivalent to roughly $520 million. Arguments have been raised that due to their size and popularity, consumers felt they ‘should have known better’.29

It was identified in the 2019 American Bar Association (ABA) Technology Survey Report that 26% of legal firms had experienced a data breach. The consequences of these breaches included loss of billable hours, replacement of hardware, loss of data, informing clients of a data breach and reporting the breach to regulators.30 Arguably, all of these consequences can ultimately lead to reputational damage.

The ABA Model Rules of Professional Conduct state that a ‘lawyer shall provide competent representation to a client.’31 The ABA commentary illustrates that an ‘ethical practice includes knowledge and understanding of the risks and benefits’ associated with the use of technology.32 According to the North Dakota Rules of Professional Conduct, lawyers have a duty ‘not to reveal client confidences, no matter the source, form, or media, whether electronic, paper or oral.’33 Failure to secure confidential data could be considered as ‘unsatisfactory professional misconduct’ as lawyers must not ‘disclose any information which is confidential’.34 Arguably, a client, whose information has been compromised, can make a complaint against a lawyer that could ultimately lead to both reputational damage and financial compensation.35

Taking a Macro Action

The Essential 8 identifies macros as a serious security issue.36 It highlights the importance of restricting the use of macros within the organisation. Notably, several departments will use macros, as they were designed to automate mundane tasks.37 Disabling macros on all devices may disrupt a business’s function. Therefore, it is strongly recommended that businesses identify which departments and individuals require the use of Microsoft Office macros.

If a business decides to allow all employees to use macros, then it is recommended that users are trained to review macros within documents they download or receive. This review process will require technical skills.

Ideally, it is recommended that a business creates an organisational process for screening macros, which should include a third party that has technical skills.38 Both training and documentation can be easily achieved through a company that specialises in this area. If, however, a business decides to disable macros, it is recommended that they develop a change management strategy before authorising the security configuration within the organisation’s group policy.39 This would help the business to identify which areas would be significantly impacted by this change. Additionally, businesses should further consider including a ‘macro request process’ to reduce resistance to this modification.
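Before (and after) the group policy change described above, a firm’s IT team will want to know what macro setting each workstation is actually enforcing. The PowerShell audit below is an added example, not the article’s or the ACSC’s own script; it assumes Office 2016/2019/Microsoft 365 (registry version key 16.0) and the value names VBAWarnings and blockcontentexecutionfrominternet that Microsoft’s Office Group Policy templates write to the registry.

```powershell
# Added example (not from the article): audit Word, Excel and PowerPoint on
# one Windows host against the Essential 8 "configure Microsoft Office macro
# settings" control.
# Assumptions: Office version key "16.0", and these policy value names:
#   VBAWarnings   1 = enable all macros (unsafe)
#                 2 = disable with notification (the "Enable Content" button)
#                 3 = disable all except digitally signed macros
#                 4 = disable all macros without notification
#   blockcontentexecutionfrominternet  1 = block macros in files that carry
#                                          the "downloaded from the internet" mark
# A value under HKCU:\Software\Policies is enforced by Group Policy and greyed
# out in the Trust Center; the same value under HKCU:\Software\Microsoft is
# only the user's own choice and can be changed (or clicked past) at will.

$Version = '16.0'
$Apps    = 'Word', 'Excel', 'PowerPoint'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-MacroPolicyStatus {
    param([string]$App)
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"

    $policyVba = Get-RegValue $policyKey 'VBAWarnings'
    $userVba   = Get-RegValue $userKey   'VBAWarnings'
    $blockInet = Get-RegValue $policyKey 'blockcontentexecutionfrominternet'

    # The policy value, when present, is what Office applies; the user's own
    # value is only the fallback when no policy has been pushed.
    $effective = if ($null -ne $policyVba) { $policyVba } else { $userVba }
    if ($null -eq $effective) {
        $finding = 'Not configured: Office default applies and the user decides'
    } else {
        $finding = switch ([int]$effective) {
            4       { 'Macros disabled without notification' }
            3       { 'Only digitally signed macros allowed' }
            2       { 'WEAK: notification bar, one click enables macros' }
            1       { 'NON-COMPLIANT: all macros enabled' }
            default { "Unexpected value $effective" }
        }
    }
    if ($null -eq $policyVba) { $finding += ' [not enforced by Group Policy]' }

    [pscustomobject]@{
        Application           = $App
        PolicyVBAWarnings     = $policyVba
        UserVBAWarnings       = $userVba
        InternetMacrosBlocked = ($blockInet -eq 1)
        Finding               = $finding
    }
}

$results = $Apps | ForEach-Object { Get-MacroPolicyStatus -App $_ }
$results | Format-Table -AutoSize

# Anything not enforced by policy, or enforced at level 1 or 2, is the gap the
# article warns about: the user can re-enable macros with a single click.
$gaps = $results | Where-Object { $null -eq $_.PolicyVBAWarnings -or $_.PolicyVBAWarnings -lt 3 }
if ($gaps) { Write-Warning ('Macro policy gaps in: ' + ($gaps.Application -join ', ')) }
```

Run it in the context of an ordinary user account, since the policy values live in HKCU; the departments identified as needing macros are the ones where a level-3 (signed macros only) result, rather than level 4, is the expected outcome.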

Conclusion

The advancement of technology has raised concerns with many industry experts. As we surge forward into the digital world, we are finding that the cyber world is riddled with risks. Lawyers are not only left navigating through a minefield of legal decisions, but also face a duty of care when using technology.

Most lawyers are aware of the risks around the collection, storage, and disclosure of personal and sensitive information. Arguably, they have a fundamental ethical duty to ensure this information is secure from unauthorised access or disclosure.

The Australian Cyber Security Centre recognised the risks facing all organisations. The Essential 8 was purposefully designed to help organisations, such as law firms, to navigate through the minefield of cyber risk. A course of action a law firm can take is to complete an Essential 8 assessment to establish a cyber security baseline. This will assist in identifying gaps and developing a strategy to reduce the risk of a data breach which ultimately could impact their reputation.

End notes

1 Bree Fowler, Data Breaches Breach Record in 2021 (Web Page, 24 January 2022) <https://www.cnet.com/tech/services-and-software/record-number-of-data-breaches-reported-in-2021-new-report-says/>.

2 Australian Solicitors Conduct Rules 2015 (Cth).

3 Legal Profession Act 2008 (WA).

4 Australian Solicitor’s Conduct Rules 2015 (Cth) r 4.

5 Australian Solicitor’s Conduct Rules 2015 (Cth) r 5.

6 Kevin Crews, ‘The Door to a Virtual Law Practice is Always Open: and the Proper Use of Technology can keep it that way’ (2014) The Florida Bar Journal 6.

7 Meghan C LeWallen, ‘Cloud Computing: A Lawyer’s Ethical Duty to Act with Reasonable Care when Storing Client Confidences in the Cloud’ (2013) 60 Cleveland State Law Review 1133.

8 Rick Cullen, ‘The Duty of Confidentiality’ (2018) Brief 17.

9 American Bar Association Model Rules of Professional Conduct (2012) r 11.

10 Erik Mazzone and David Ries, ‘A Techno-ethics Checklist: Basics for Being Safe, not Sorry’ (2009) 35 Law Practice 2.

11 Australian Cyber Security Centre, Essential Eight Maturity Model (Web Page) <https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model>.

12 ACSC, Essential Eight Maturity Model (Web Page) <https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model>.

13 Paul Baron and Lillian Corbin, Ethics and Legal Professionalism in Australia (Oxford University Press, 2020) 159.

14 Rebecca Aviel, ‘The Boundary Claim’s Caveat: Lawyers and Confidentiality Exceptionalism’ (2011-12) 86 Tulane Law Review 1005.

15 New South Wales Bar Association v Cummins [2001] NSWCA 284.

16 Hospital Products Limited v United States Surgical Corporation (1984) 156 CLR 41.

17 Tracy Vigness Kolb, ‘Technology Competence: The New Ethical Mandate for North Dakota Lawyers and the Practice of Law’ (2016) 92 North Dakota Law Review 91.

18 Prince Jefri Bolkiah v KPMG [1999] 2 AC 222.

19 Australian Cyber Security Centre, Essential Eight Maturity Model (Web Page) <https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model>.

20 Ibid.

21 Steven Roman, Writing Excel Macros with VBA (O’Reilly Media Inc, 2002).

22 Arielle Waldman, Microsoft Disables VBA Macros by Default (Web Page, 08 February 2022) <https://www.techtarget.com/searchsecurity/news/252513141/Microsoft-disables-VBA-macros-by-default>.

23 Lee Garber, ‘Melissa Virus Creates a New Type of Threat’ (1999) 31 Computer 6.

24 Paul Docherty and Peter Simpson, ‘Macro Attacks: What Next After Melissa?’ (1999) Computers & Science 18.

25 Arielle Waldman, Microsoft Disables VBA Macros by Default (Web Page, 08 February 2022) <https://www.techtarget.com/searchsecurity/news/252513141/Microsoft-disables-VBA-macros-by-default>.

26 Ibid.

27 Tori Taylor, How Reputational Damage from a Data Breach Affects Consumer Perception (Web Page, 22 February 2022) <https://www.securelink.com/blog/reputation-risks-how-cyberattacks-affect-consumer-perception/>.

28 Doug Drinkwater, Does a Data Breach Really Affect your Firm’s Reputation? (Web Page) <https://www.databreaches.net/does-a-data-breach-really-affect-your-firms-reputation/>.

29 Christos Makridis, ‘Do Data Breaches Damage Reputation? Evidence from 45 Companies between 2002 and 2018’ (2021) 1 Journal of Cybersecurity 8.

30 John Loughnane, ‘Tech Report 2019: Cybersecurity’ (2019) Law Technology Today.

31 American Bar Association Model Rules of Professional Conduct (2020) r 1.1.

32 Heidi Frostestad Kuehl, ‘Technologically Competent: Ethical Practice For 21st Century Lawyering’ (2019) 10 Journal of Law, Technology, and the Internet.

33 Tracy Vigness Kolb, ‘Technology Competence: The New Ethical Mandate for North Dakota Lawyers and the Practice of Law’ (2016) 92(1) North Dakota Law Review 91.

34 Australian Solicitor’s Conduct Rules (Cth) r 9.

35 Legal Profession Uniform Law 2018 (NSW) s 275.

36 Australian Cyber Security Centre, Essential Eight Maturity Model (Web Page) <https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model>.

37 Victorian State Government, Improving Cyber Maturity with the Essential Eight (2021) 3 Victorian Government Cyber Maturity Benchmark 1.

38 Victorian State Government, Improving Cyber Maturity with the Essential Eight (2021) 3 Victorian Government Cyber Maturity Benchmark 1.

39 Ibid.

On the Rise and Rise of Stablecoins

by Eli Bernstein

Eli Bernstein is a fintech, privacy and emerging technologies lawyer at Cornwalls. The views expressed are the author’s and do not necessarily reflect those of Cornwalls.

While digital assets like Bitcoin or Ethereum rise and fall sharply, with volatility as their only constant, another asset class that has kept its price constant has been growing over time. Indeed, total market capitalisation for stablecoins grew fourfold in 2021 alone and continues to grow.1 The Financial Stability Oversight Council reported that in the twelve months ending October 2021, the market capitalisation for stablecoins grew 500% to reach USD $127 billion.2 In the five months since that report was issued, the market has grown a further 50% (to reach USD $189 billion as of the time of writing).3

In Australia, ANZ recently announced its foray into this space with the launch of the A$DC stablecoin.4

This stable cryptocurrency merits some attention. Any examination of stablecoins would require an understanding of the interaction of three frameworks: economic, technical and regulatory.

A Brief History Of Money

In 1875 William S Jevons described how money functions to overcome the limitations of barter. He described four functions:5 ‘Money’s a matter of functions four, a Medium, a Measure, a Standard, a Store.’6 Most modern economists have since dropped the Standard (of debt) and now claim three functions of money:

1. a medium of exchange (Medium) that can facilitate trade even where only one desires what the other supplies.

2. a unit of account (Measure) that can be used as a single measure to price all things (from houses to oranges), and furthermore, be subdivided.

3. a store of value (Store) capable of transferring purchasing power from the present to the future (though perhaps not as well as gold or property).7

From the origins of sovereign-backed money, such as the Lydian stater (6th Century BCE), until 1971, money was backed by physical commodities, typically gold (Commodity money). When, on 15 August 1971, the US dollar, and along with it the global supply of money pegged to it, ceased to be constrained by any physical commodity, Fiat money was born (Fiat).8 Since then, the US dollar has lost 98% of its value when compared to gold.9 10 11

On 3 January 2009, following the Global Financial Crisis and subsequent bailouts, Satoshi Nakamoto, the pseudonymous creator of Bitcoin released the genesis block of the Bitcoin network.12 Bitcoin combines encryption, decentralised computing and game theory to create a currency that keeps inflation in check (there is an upper limit of 21 million coins).

Since the advent of Bitcoin, thousands of cryptocurrencies have emerged. They can generally be classified into one of the following categories:

a) Payment coins (currency or monero) are used to replace cash (eg. Bitcoin, Bitcoin Cash).

b) Stablecoins – coins pegged to the value of other assets (eg. USD Tether).

c) CBDC (Central Bank Digital Currency) – government-issued stablecoins (eg. Digital Yuan).

d) Privacy coins – payment coins that obfuscate sender and receiver information (eg. Zcash).

e) Governance tokens – managing voting rights for decentralised protocols (eg. Uniswap).

f) Utility tokens – tokens that unlock access to a service (eg. Ethereum).

g) Non-fungible Tokens – unique tokens incorporating digital (or representing physical) assets (eg. Cryptokitties).

h) Security tokens – tokens that represent ownership rights (eg. Tokenised REITs).

Bitcoin was created to act as a peer-to-peer payment mechanism. In practice, however, the utility of Bitcoin as a Medium has been dampened by speculation about its value as a Store and the price volatility associated with speculative trading.13 This is consistent with Hayek’s concerns in the Denationalisation of Money about the utility of an intrinsically or speculatively valuable currency as a medium of exchange.14 Most Bitcoin holders (or ‘hodlers’) would likely seek to avoid the story of Laszlo Hanyecz, who spent 10,000 Bitcoins (today worth over USD $400 million) to purchase two pizzas back in May 2010.15 Such concerns, coupled with relatively high transaction costs, have dampened Bitcoin’s utility as an efficient Medium. As such, the need for a reliable, secure, stable and efficient medium of exchange for cryptocurrencies was born.

What are stablecoins?

A stablecoin is “a crypto-asset that seeks to stabilise the price of the ‘coin’ by linking its value to a pool of assets, making it a reliable and attractive store of value.”16 ASIC in a recent submission defined Stablecoins as “a form of cryptoasset that aim to maintain a stable value relative to a specified unit of account or store of value,” such as dollars or gold. A stablecoin has some or all of the characteristics of ‘money’, being a unit of account, a means of payment, and potentially a store of value.17

Functionally, stablecoins therefore act as a bridge between a volatile Store (eg. Bitcoin) and a stable Medium (eg. USD). Tony Richards (Head of Payments Policy at the Reserve Bank of Australia) in a recent address19 identified three main functions of stablecoins as:

1. Trading Pairs: Stablecoins are used to bridge between Fiat currency and Cryptocurrency as a Medium for payment or settlement for transactions involving cryptocurrencies or tokenised assets. Stablecoins are also used as a Store of value for those wishing to transfer their assets from cryptocurrencies to fiat currency without leaving the blockchain ecosystem (eg. USD Tether $USDT).

2. Institutional and reserve banking: large investment banks are proposing treasury and cross-border payments collateralised by assets, such as deposits at private or central banks.20

3. A retail currency (referred to as a Global Stablecoin): a stablecoin aimed at retail use - for households or merchants using the stablecoin in everyday transfers and payments (eg. Facebook’s Diem, the coin formerly known as Libra).21

Structurally, three general approaches to stablecoin collateralisation exist:22

1. Fiat-collateralised stablecoins

These asset-backed stablecoins maintain a stable value by reference to financial assets. These are typically fully collateralised and often centrally governed. They are typically backed by:

Fiat: Coins like USD Coin or Binance USD are backed by funds secured in a trust account at a third-party licensed financial institution. Ideally, the accounts are regularly audited to ensure stablecoins match collateralised funds. In some cases, the stablecoin is backed by a basket of currencies rather than a single currency (as Facebook’s Libra initially proposed).

2. Asset-collateralised stablecoins

These asset-backed stablecoins maintain a stable value by reference to a single asset or basket of assets, typically commodities or crypto assets. They are typically backed by:

Commodities: Coins like Paxos Gold and DigiX fall in this category. Each stablecoin is backed by 1 troy ounce of fine gold against either allocated gold (serialised and held in vaults) or unallocated gold (spot market with physical delivery) and is redeemable on demand. They are typically fully collateralised and governed by a centralised platform.

Crypto Assets: Stablecoins such as MakerDAO’s DAI and Synthetix’s sUSD fall in this category and are over-collateralised and governed by decentralised protocols. For instance, in the case of DAI, each $1 of stablecoins is backed by $2 of ETH assets, allowing for liquidation in case of a sharp fall in ETH price.

Types of Crypto Assets

PAYMENT COINS

Used to purchase everyday items. Includes BTC, ETH, LTC and Bitcoin Cash. The likes of Bitcoin and Ethereum can also be used as a store of value.

STABLECOINS

Stablecoins aim to reduce volatility by tying the value of the token to assets such as USD, the Pound, Euros and precious metals.

CBDCs

Comparable to stablecoins. Issued by central banks rather than private companies. Currently being considered by the USA and being trialled by China.

PRIVACY COINS

The blockchain nature of Bitcoin creates concerns over the privacy of transactions. Privacy coins like Zcash and Monero aim to obfuscate transaction values as well as sender details.

GOVERNANCE TOKENS

These allow people to vote on changes to the way the platform works. Commonly associated with decentralised financial protocols like Uniswap and Yearn Finance.

UTILITY TOKENS

Access to services can be unlocked with these. As an example, tokens created using the ERC-20 standard can represent subscriptions.

NON-FUNGIBLE TOKENS

Designed to be completely unique and rare, like fine art originals. These tokens are often created using the ERC-721 standard.

3. Algorithmic stablecoins

These tokens adjust supply - and in some cases, induce demand - deterministically (i.e. through a pre-determined algorithm).23 Unlike the other stablecoins, algorithmic stablecoins are neither redeemable for, nor backed one-to-one by, U.S. dollars or any other assets. There are a number of general models of algorithmic stablecoins, offering either direct or indirect control over money supply, and the field is still developing. In direct price control models, price control is achieved by increasing or decreasing the supply of stablecoins in response to changes in demand, keeping the price of a stablecoin constant.24 Methods of direct control include:

Rebase model: the first iteration of algorithmic stablecoins (such as Ampleforth (AMPL), loosely based on Ametrano’s 2014 paper25) saw a rules-based, supply-elastic cryptocurrency that rebases according to demand. This means that the number of stablecoins in circulation in each user’s wallet is volatile while their total value is kept stable.

Seigniorage Shares model (like Basis Cash, loosely based on Sams’ 2014 paper26): similar to the rebase model but with a key distinction. Instead of a rebasing currency, the system consists of two tokens, a supply-elastic stablecoin and Seigniorage Shares, which are tokens representing investment shares of the network. Seigniorage Shares holders are exposed to inflationary rewards when stablecoin demand is high and deflationary costs when stablecoin demand is low, while the rest of the network experiences stability of both price and volume of stablecoin supply.

In contrast to the above, indirect price control deals with demand rather than supply. Such models do not directly expand and contract coin supply but offer the incentive framework for changing demand patterns. One such method is:

Coupon model: When supply outstrips demand, devaluation is avoided by issuing bonds at a discount to face value, utilising the funds raised to buy stablecoins on-market and burning them (bringing the price back to par value), and later redeeming the bonds from bondholders by issuing new stablecoins.
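The rebase model described above, as an added toy simulation that is not code from the article or from Ampleforth or any other project: balances are stored as fixed internal shares and a rebase changes only a global scale factor, so each wallet’s coin count moves while its proportion of supply, and therefore its value at the peg, is unchanged. The peg, deviation threshold and per-epoch cap are assumed values; the latter two are included as a defensive guard, since the rebase is driven entirely by the price oracle and an outlier reading would otherwise rewrite every balance at once.

```python
# Constructed example of a rebase-model (supply-elastic) stablecoin.
# Not from the article or any project; all parameters are assumptions.
from dataclasses import dataclass, field
from fractions import Fraction

TARGET_PRICE = Fraction(1)              # assumed peg: one unit = US$1
DEVIATION_THRESHOLD = Fraction(5, 100)  # assumed: no rebase if oracle is within 5% of peg
MAX_REBASE = Fraction(1, 2)             # assumed: clamp a single epoch's rebase to +/-50%


@dataclass
class RebaseToken:
    shares: dict = field(default_factory=dict)  # wallet -> internal share units
    scale: Fraction = Fraction(1)               # visible units per share

    def mint(self, wallet: str, amount) -> None:
        # Visible balance = shares * scale, so new shares are amount / scale.
        self.shares[wallet] = self.shares.get(wallet, Fraction(0)) + Fraction(amount) / self.scale

    def balance(self, wallet: str) -> Fraction:
        return self.shares.get(wallet, Fraction(0)) * self.scale

    def total_supply(self) -> Fraction:
        return sum(self.shares.values(), Fraction(0)) * self.scale

    def holder_fraction(self, wallet: str) -> Fraction:
        # Share of total supply; a rebase never changes this for any holder.
        total_shares = sum(self.shares.values(), Fraction(0))
        if total_shares == 0:
            return Fraction(0)
        return self.shares.get(wallet, Fraction(0)) / total_shares

    def rebase(self, oracle_price) -> Fraction:
        """Scale supply by the oracle's deviation from peg; return the supply delta.

        Price above peg (demand high): expand supply so each unit drifts back
        toward the target. Price below peg: contract it. The threshold and clamp
        are constructed defensive settings limiting what one bad oracle reading
        can do to every wallet in a single epoch.
        """
        deviation = (Fraction(oracle_price) - TARGET_PRICE) / TARGET_PRICE
        if abs(deviation) < DEVIATION_THRESHOLD:
            return Fraction(0)
        deviation = max(-MAX_REBASE, min(MAX_REBASE, deviation))
        before = self.total_supply()
        self.scale *= 1 + deviation
        return self.total_supply() - before


def value_at(token: RebaseToken, wallet: str, price) -> Fraction:
    """Value of a wallet at a given price, used to show value stays stable."""
    return token.balance(wallet) * Fraction(price)


if __name__ == "__main__":
    t = RebaseToken()
    t.mint("alice", 100)
    t.mint("bob", 300)
    print("before: alice holds", t.balance("alice"), "worth", value_at(t, "alice", "1.2"), "at $1.20")
    t.rebase("1.2")  # oracle reports $1.20: supply expands by 20%
    print("after:  alice holds", t.balance("alice"), "worth", value_at(t, "alice", "1"), "at $1.00")
```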

The regulatory approaches to stablecoins will differ for each stablecoin model structure described above, for every functional use and for every jurisdiction they are traded in.

US Regulatory Trends

The regulatory experience for stablecoins in the United States to date has been mixed:

a) Tether, the largest stablecoin by market capitalisation, was recently fined US$41 million by the US Commodity Futures Trading Commission (CFTC) for misleading statements regarding its asset-backing, the CFTC having found that Tether had adequate cover for only 27.6% of the time (sampled). Furthermore, Tether relied on unregulated third-party entities to provide custody, co-mingled its reserve, operational and customer funds, and held reserves in non-fiat financial products.27

b) Paxos claims to take “a regulation-first approach to its products and service.”28 Paxos launched the world’s first regulated stablecoin, the Pax Dollar (USDP), redeemable and backed by USD in regulated and audited trust accounts, as well as Pax Gold (PAXG), redeemable and backed by gold reserves held in secured vaults. Paxos operates under a trust regulated by the New York State Department of Financial Services.29 TrueUSD (TUSD) has taken a similar approach to regulation.30

c) Basis.io was the first centralised solution seeking to develop an algorithmic stablecoin with bond and share tokens alongside a stablecoin. After receiving advice that the bond and share tokens associated with their platform would be characterised as securities (even though the stablecoin itself was not), Basis decided it could not carry out the project and refunded investors the $133 million it had raised.31 The project has since been revived in decentralised form as Basis Cash, an unregulated non-custodial Decentralised Finance (DeFi) platform.32

Recent US developments suggest a tightening of regulation around stablecoins is likely in the near term. The recent report by the President’s Working Group on Financial Markets (PWG) highlighted the risks of payment stablecoins and was critical of gaps in their regulation.33 The report recommended that Congress enact legislation or, in its absence, that FSOC act without congressional approval to designate some stablecoin activities as systemically important payment, clearing, and settlement activities, which would guard against stablecoin runs (the ‘bank run’ equivalent if confidence in a stablecoin is low), monopolistic power and payment system risk, and impose general risk-management standards.34 FSOC, in its annual reports, echoed the concerns about the risks posed by stablecoins as a means of payment creating a range of prudential concerns, and highlighted the need to manage risks relating to illicit financing, national security, cybersecurity, privacy and the integrity of international monetary and payment systems.35

Australian Market and Regulatory Trends

In Australia, both the use of stablecoins as a payment method and the supply of Australian dollar-linked stablecoins have been very limited. Dark et al37 argue that the reason for low demand to date has been the fact that the alternative is a reliable, low-inflation store of value (the Australian Dollar) and an efficient payments network. As such, no compelling proposition for widespread use of stablecoins exists in Australia.38 Until recently, a few attempts have been made without great success. The AUDRamp (AUDR) was the first Australian project to do so in 2018. It obtained approval as a managed investment scheme but does not appear to have ever reached active trading. TrueAUD (TAUD) was launched by TrustToken (the issuers of TrueUSD) in 2019,39 but does not appear to have significant trading volume or the liquidity required to stabilise its price at $1. Terra AU (AUT) is a new stablecoin built on the Terra ecosystem.

The following is a summary of regulatory issues, categorised by functions and activities affecting stablecoins as identified by the Financial Stability Board:

Functions and activities

Governance of the arrangement: establishing rules governing the stablecoin arrangement.

Issuance, redemption and stabilisation of value of coins: issuing, creating and destroying stablecoins; managing reserve assets; providing custody/trust services for reserve assets.

Transfer of coins: operating the infrastructure; validating transactions.

Interaction with users: storing the private keys (wallet); exchanging, trading and reselling; market making.

Adapted from the Financial Stability Board’s report36

A promising development for the market was the recent announcement by ANZ Bank of the launch of A$DC, a Fiat stablecoin pegged to the Australian dollar. The A$DC is backed $1 for $1 in a client trust account held at an ADI. This is the first Australian stablecoin backed by an authorised deposit-taking institution. ANZ is reported to be working with regulators, including APRA and AUSTRAC.40

In light of this milestone development coupled with the explosive growth in stablecoins over the past year, further regulatory clarity around stablecoins is warranted.

In June 2021, the Council of Financial Regulators (comprising ASIC, APRA, RBA and Treasury) was forming a working group with other government agencies (including ACCC, AUSTRAC and the ATO) to study the effects of stablecoins on the Australian economy.41 The report has yet to be released.

Reserve Bank officials, like their US counterparts, have been calling for greater regulation of stablecoins. Tony Richards (Head of Payments Policy at the RBA) recently suggested that “given the possibility that there could be a potential significant role for stablecoins in the settlement of transactions in tokenised assets, or that large retail-focused stablecoins could emerge, it is important that a suitable regulatory framework is developed”. These sentiments were echoed by the Reserve Bank Governor.42

Regulatory Considerations

In Australia, the key question in regulating stablecoins is whether a stablecoin is considered a financial product for the purposes of the Corporations Act 2001 (Cth) (‘Corporations Act’). If a stablecoin is a security, managed investment scheme or derivative, or if it meets the general definition of a financial product (a facility for making a financial investment, managing a financial risk or making a non-cash payment), it will be considered a financial product and regulated under Chapter 7 of the Corporations Act. Restrictions will apply to those who can provide advice, trade, provide intermediary services, or operate a market in relation to such stablecoins.

Each stablecoin will differ in legal classification depending on the following:

Structural characteristics: collateralised (1:1, under- or over-collateralised); algorithmic

Asset backing: Fiat; Commodity; Real Estate; Crypto; or Nothing

Functional characteristics: Trading Pairs; Institutional and reserve banking; Global Stablecoin (retail)

The following questions may be used to analyse whether a stablecoin will amount to a financial product or not, depending on its structure, function and asset-backing.

1. Is the stablecoin a facility for making a financial investment under s 763B or alternatively a Managed Investment Scheme under s 764A?

1.1. Does the fact that the primary objective of the stablecoin is stability mean its purpose is not to “generate a financial return or other benefit” for the purposes of s 763B (making a financial investment) or “to produce financial benefits”43 for the purposes of ss 764A, 9 (Managed Investment Scheme)?

1.2. In an algorithmic model, are the incentives offered a “financial return” under s 763B or a “financial benefit” under s 9 (Managed Investment Scheme)?

1.3. Does the contributor have “day-to-day control” for the purposes of the Act?44

1.4. Is there a pooling of contributions or a common enterprise for the purposes of s 9 (Managed Investment Scheme)?

2. Is the stablecoin a security or debenture under s 764A?

2.1. What legal and equitable rights are attached to an asset-backed token?

2.2. Do bonds in the Coupon model amount to debentures?

2.3. Do Seigniorage Shares amount to securities?

3. Is the stablecoin a derivative under s 761D?

3.1. Does the stablecoin platform offer an arrangement for future consideration (beyond 1 day)?

3.2. Is that consideration determined by reference to the value of something else?

4. Is the stablecoin a facility for managing financial risk under s 763C?

4.1. Is a stablecoin used to limit the financial consequences of price fluctuations, or rather: is the use of the stablecoin a way of managing the financial risk itself rather than mitigating its consequences?

5. Is the stablecoin a facility for making a non-cash payment under s 763D?

(For this purpose, a functional analysis of how the stablecoin is utilised for payments is more appropriate than a structural analysis of the assets that back it.)45


[Chart: Total Stablecoin Supply (USDT, USDC, BUSD, UST, DAI and 10 others), 0 to 200b, May ‘21 to Mar ‘22]

5.1. Would a Global Stablecoin used as a retail currency (as proposed by Facebook’s Diem) meet the definition of making a payment otherwise than through the physical delivery of cash?

5.2. Would a stablecoin used merely for trading pairs or for institutional and reserve banking meet the definition?

6. Is it specifically included under s 764A?

7. Is it specifically excluded under s 765A?

8. Is the financial product aspect an incidental facility of a non-financial product purpose under s 763E?

9. If the stablecoin is determined to be a security, derivative or interest in a managed investment scheme, can the issuer be said to be providing a Clearing and Settlement facility (CS facility) under s 768A(1)?

Conclusion

Stablecoins now represent 10% of the crypto market and are growing fast. With time, as web 3.0 adoption grows and smart contracts become ubiquitous in managing our financial life, demand for stablecoins will increase beyond the crypto world.46 We are likely still at early phases of stablecoin market adoption.

Policy makers will need to balance the competing needs of consumer protection (such as ensuring collateralised stablecoins are adequately backed) and the need to allow innovation in this field to emerge. Reserve Bank governor Philip Lowe recently said, referring to privately-backed stablecoins:

If this is how the system develops, it will be important that these tokens are backed by high-quality assets and that they meet high standards for safety and security. One reason I say this is that a lesson from history is that privately issued and backed money all too often ends in financial instability and losses for consumers. This is one reason why national currencies are today ultimately backed by the state. So if privately issued stablecoins are ultimately the way things head, it will be crucial that they meet very high standards. And if there were to be multiple stablecoins, there would be advantages in them being interoperable.47

While stories like Tether misrepresenting their asset-backing give cause for concern for regulators, there is a risk that overregulation may backfire and cause the stablecoin ecosystem to move to DeFi. This was the story of Basis, a project that having failed in the regulated environment (Basis.io) was reborn as a DeFi project (Basis Cash) with the tagline: ‘Basis.io without Regulatory Risk’.48 Overzealous regulation of stablecoins will lead projects down this path.

What may very well emerge is a two-tiered system: On one side, regulated fiat-collateralised, asset-backed stablecoins which apply client money rules, have third party trust custody, and are regularly audited or licenced (as required) for institutional and mainstream retail investors. On the other hand, crypto investors will likely prefer an unregulated DeFi stablecoin, either asset-backed (over-collateralised crypto assets) or algorithmic (uncollateralised) with the user controlling their assets (in a non-custodial wallet) and a monetary supply that is governed deterministically.49

Whichever way regulation ultimately develops, we must heed the warning of John Maynard Keynes who said: “There is no subtler, no surer means of overturning the existing basis of society than to debauch the currency.”50

Whether the debauched currency is the stablecoin or the fiat that backs it remains to be seen.

End Notes

1 Katherine Greifeld, ‘Stablecoins Soar in Value as Everything Else in Crypto Shrinks’, Bloomberg (Article, 24 February 2022) <https://www.bloomberg.com/news/articles/2022-02-24/stablecoins-soar-in-value-as-everything-else-in-crypto-shrinks>.

2 FSOC Annual Report, p 124.

3 ‘Stablecoins by Market Capitalization’, CoinGecko (Web Page, 27 March 2022) <https://www.coingecko.com/en/categories/stablecoins>.

4 James Eyers, ‘ANZ the first bank to mint an Australian dollar stablecoin, the A$DC’, Australian Financial Review (24 March 2022) <https://www.afr.com/companies/financial-services/anz-the-first-bank-to-mint-an-australian-dollar-stablecoin-the-a-dc-20220323-p5a743>.

5 William S Jevons, Money and the Mechanism of Exchange (D. Appleton, London, 1875).

6 A 1919 couplet based on Jevons, above n 5.

7 N. Gregory Mankiw, Macroeconomics (Harvard University, Worth Publishers, 9th ed, 2016) 82.

8 Ibid 84.

9 An ounce of gold worth $38 in 1971 is worth over $1900 as of today.

10 Gold and property can therefore be said to be better Stores of value than Fiat Currency, as they are restrained by physical scarcity while Fiat is not. On the other hand, fiat currency is more transferable than gold or property, and acts as a better Medium of exchange and as a common Measure (especially in the case of the USD while it holds the status of a global reserve currency).

11 Benn Steil and Manuel Hinds, Money, Markets, and Sovereignty (Yale University Press, 2009).

12 In a clue to their motivation, Nakamoto embedded within the first block the following message and proof of date: ‘The Times 03/Jan/2009 Chancellor on brink of second bailout for banks’.

13 Cameron Dark, David Emery, June Ma and Clare Noone, ‘Cryptocurrency: Ten Years On’, Reserve Bank of Australia (Bulletin, 20 June 2019) <https://www.rba.gov.au/publications/bulletin/2019/jun/cryptocurrency-ten-years-on.html>.

14 Friedrich A Hayek, Denationalization of Money: The Argument Refined, An Analysis of the Theory and Practice of Concurrent Currencies (Institute of Economic Affairs, 3rd ed, 1990). Online at <fee.org/resources/denationalization-of-money/>, accessed 20 March 2022.

15 ‘10 Years After Laszlo Hanyecz Bought Pizza With 10K Bitcoin, He Has No Regrets’, CoinDesk (Web Page, 22 May 2020) <https://www.coindesk.com/markets/2020/05/22/10-years-after-laszlo-hanyecz-bought-pizza-with-10k-bitcoin-he-has-no-regrets/>, accessed 27 March 2022.

16 G7 Working Group on Stablecoins, Investigating the impact of global stablecoins (Report, October 2019) ii.

17 ASIC, Submission 61, Senate Select Committee on Australia as a Technology and Financial Centre (June 2021) 6.

18 Dark et al, above n 13.

19 Tony Richards, ‘The Future of Payments: Cryptocurrencies, Stablecoins or Central Bank Digital Currencies’, Address to the Australian Corporate Treasury Association, Reserve Bank of Australia (18 November 2021) <https://www.rba.gov.au/speeches/2021/pdf/sp-so-2021-11-18.pdf>, accessed 20 March 2022.

20 Related to but distinguished from Central Bank Digital Currency (CBDC): government-backed stablecoins such as the Chinese Digital Yuan, whose use case both Australia and the US are investigating.

21 Ibid.

22 The first two approaches to stablecoin collateralisation are subsets of asset-backed stablecoins.

23 Benjamin Simon, ‘Stability, Elasticity, and Reflexivity: A Deep Dive into Algorithmic Stablecoins’, Mechanism Capital (Web page, 21 December 2020) <https://www.mechanism.capital/algorithmic-stablecoins/>.

24 Ibid.

25 Ferdinando M. Ametrano, Hayek Money: The Cryptocurrency Price Stability Solution (April 2014; revised August 2016). Available at SSRN: <https://ssrn.com/abstract=2425270> or <http://dx.doi.org/10.2139/ssrn.2425270>, accessed 20 March 2022.

26 R. M. Sams, A Note on Cryptocurrency Stabilisation: Seigniorage Shares (October 2014; revised April 2015). Available at <https://github.com/rmsams/stablecoins/blob/master/paper.pdf>, accessed 20 March 2022.

27 CFTC Press Release 8450-21, 15 October 2021 <https://www.cftc.gov/PressRoom/PressReleases/8450-21>, accessed 27 March 2022.

28 Paxos, <www.paxos.com>, accessed 27 March 2022.

29 Ibid.

30 Dark et al, above n 13.

31 Basis, <www.basis.io>, accessed 27 March 2022.

32 Basis Cash, <www.basis.cash>, accessed 27 March 2022.

33 Issued on 1 November 2021 along with the Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC).

34 ‘Report on Stablecoins’, President’s Working Group on Financial Markets (PWG), the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) (November 2021) <https://home.treasury.gov/system/files/136/StableCoinReport_Nov1_508.pdf>.

35 2021 Annual Report, Financial Stability Oversight Council, US Department of Treasury (17 December 2021) <https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf>.

36 From Table 1: Functions and activities in a stablecoin arrangement, in ‘Addressing the regulatory, supervisory and oversight challenges raised by “global stablecoin” arrangements’, Financial Stability Board (14 April 2020) 10.

37 Dark et al, above n 13.

38 Ibid 210.

39 Ibid.

40 James Eyers, ‘ANZ the first bank to mint an Australian dollar stablecoin, the A$DC’, Australian Financial Review (Article, 24 March 2022) <https://www.afr.com/companies/financial-services/anz-the-first-bank-to-mint-an-australian-dollar-stablecoin-the-a-dc-20220323-p5a743>.

41 ASIC, above n 17.

42 Tony Richards, above n 19.

43 As defined in s 9.

44 The answer may vary depending on the level of decentralisation and user control. A centralised infrastructure (CeFi) holding custody of the stablecoin offers far less “day-to-day control” than a decentralised platform (DeFi) running on pre-set rules where the user controls their stablecoins in a non-custodial wallet.

45 That said, a structural analysis would nevertheless be beneficial to determine whether the stablecoin is comparable to elements specifically included as making a non-cash payment (such as traveller’s cheques, stored value cards or electronic cash) or those specifically excluded (such as a means of guarantee given by a financial institution).

46 For example, an insurance smart contract could offer a refund if a flight is delayed (using a flight departure data source as an oracle). To do so, it would need to lock digital currency in a smart contract to be released to the insured upon the insurable event occurring, resulting in a fully automated claims process. Users are likely to prefer an AUD-pegged policy to one that pays out in Ethereum.

47 Philip Lowe, ‘Payments: The Future?’, Reserve Bank of Australia (Address to the Australian Payments Network Summit 2021, 9 December 2021) <https://www.rba.gov.au/speeches/2021/sp-gov-2021-12-09.html>.

48 Basis Cash, above n 32.

49 As advocated by Henry C Simons, ‘Rules versus Authorities in Monetary Policy’, Journal of Political Economy 44 (1936) 1-30 and agreed to by Friedrich A Hayek in ‘The Monetary Framework’, The Constitution of Liberty (University of Chicago Press, 1960).

50 John Maynard Keynes, The Economic Consequences of the Peace (Harcourt, Brace and Howe, 1920).
