Forum Magazine: Blockchain’s Promise – Verifying Value One Block at a Time

Originally published in Forum Magazine 

by Joseph Raczynski

Blockchain technology is truly transformative, impacting almost every industry. Over the next decade, this technology will significantly transmute the legal landscape as well – a process that has already begun.

Blockchain was initially considered a ridiculous notion – the idea of a digitized ledger beholden to no single owner was derided as unusable. However, the conversion of blockchain from joke to genuine is stark. For example, the top 50 banks in the world have unified in the realization this technology could disrupt the financial industry.

For those newer to blockchain technology, here’s a brief history: In its simplest form, the term “blockchain” refers to a peer-to-peer network of computers running a common software protocol that includes a database replicated on each computer connected to the network, where each user interaction (other than a query) is recorded as a new entry. (Each computer is called a “node,” while the database is often referred to as a “distributed ledger.”)

Further, each blockchain has a mechanism, referred to as a “consensus algorithm,” for ensuring that each copy of the ledger is updated in a consistent manner and is otherwise identical to all other copies of the ledger across the network. Thus, once a transaction has been recorded on the ledger, that record is shared among all the ledger’s users, and generally, it can’t be deleted or overwritten.

Is this technology ushering in an era that creates an undeniable source of truth for contracts and digital identity? How else might it impact how law is practiced and how the legal industry operates?

The Smart Contract

Central to any discussion of blockchain and its legal impact is understanding “smart contracts,” a term that has been around for decades but in this landscape has a specific meaning. A smart contract is a few lines of computer code that creates an “if/then” statement, e.g., if Amazon® stock is at $2,000 on January 1, 2019, then sell it. What is special about smart contracts on the blockchain is that once an agreement has been reached by two parties, it is programmed onto the platform and becomes self-executing and immutable – without any human intervention. For example, Ethereum, the first blockchain platform to popularize the idea of the smart contract, permits people to code “if/then” statements onto the blockchain or into a database with ease, allowing for infinite applications.

Clearly, self-executing legal documents will at some point be the norm. This is one of the most significant efficiencies that we will see in the transactional space.

Forum

Early on, legal industry experts saw that blockchain’s smart contract applications alone had the capability to revolutionize how transactional attorneys practice law, dramatically changing how they interact with documents and clients.

Indeed, it may change the way lawyers view their very function. “These systems embed legal logic, require review by legal counsel and raise unique issues around the proper scope of the lawyer’s review versus the engineer’s,” says Joe Dewey, partner at Holland & Knight. “On an ongoing basis, corporate counsel will need to ensure that the systems are updated when necessary to account for changes in law and company policy.”

The Future with Blockchain in the Legal Profession

Besides the revolution in smart contracts, blockchain is already changing many other aspects within the legal industry, such as:

Cryptocurrency and the Tokenization of Assets – The creation of cryptocurrencies like bitcoin, which use the technology to keep track of ownership and trades, is how most people know blockchain. Digital tokens that represent real value or ownership of other tangible assets has become one of blockchain’s most widely watched developments. With companies and others issuing these tokens via Initial Coin Offerings (ICOs) – raising more than $10 billion thus far this year – attention is being paid.

In the future, we could see all assets represented by these tokens, e.g., a car, house or painting, each a store of value represented by a token and making the transactions of leasing, renting or selling that asset far easier. This will have an impact on how we create and distribute wealth, further impacting the legal industry.

Digital Identity – With the 2017 Equifax breach of 160 million individuals’ private data, our Social Security numbers are nearing the end of their usefulness and a newer identifier may be created to replace them.

Recently at an MIT event, an organization named Sovrin described a new world where each of us will have a digital wallet containing all of our private information, including money, health records, log-ins to websites, birth certificate and driver’s license. Behind all of this information will be blockchain, enabled so there will no longer be a central point of breach where millions of people’s information can be exposed at once.

Legal Industry – Many have predicted that most administrative work now completed by law firms will be replaced with blockchain-enabled solutions – and in more specialized legal matters, such as due diligence, blockchain will have a similar oversized impact. Share ownership tables and company records will be transferred onto blockchain, allowing investors, acquirers and third parties to complete their diligence in less than one hour instead of the typical weeks or months. IPO registration offerings could be processed is less than a week instead of the typical six to nine months.

In a similar vein, Holland & Knight’s Dewey sees a significant change to law firms’ back offices. “When a law firm closes a loan for a bank it needs to send over copies of the executed loan documents and other post-closing deliveries… often, this doesn’t happen,” says Dewey. Blockchain, however, would allow the law firm and the bank to share a common repository and tracking functionality, even if different front-end software solutions are used. “The increased efficiency of such a system would be significant and benefit both the firm and the bank.”

Clearly, blockchain is ripe for disrupting nearly every industry going forward, and the practice of law may feel the impact the most. Still, these are early days. Significant infrastructure must be built, and a great deal of legal guidance will be needed.

If there was ever a time to study blockchain technology and embrace it – and the opportunities it will create – the time for the legal industry is now.

The vice grip of cybersecurity concerns on law firms

Originally published on Legal Insights UK & Ireland

By Joseph Raczynski

Law firms stand in a very precarious position in the cybersecurity world. Next to financial institutions, private legal institutions are a virtual honey pot for cybercriminals. Any breach, no matter the size, impacts the client, and certainly could destroy a firm’s reputation.

Four years ago, I toured over 50 law firms discussing cybersecurity with chief information officers (CIO), managing partners, lawyers and support staff. Each year since, it remains one of the hottest legal technology topics with my clients. The unfortunate situation is that, while law firms have dramatically shored up the barriers of defence, criminals have new methods to circumnavigate the ramparts.

Why law firms now?

Recently, I was at a CIO conference with 350 medium and large law firm CIOs in attendance. The keynote speaker stunned the crowd with a singular statement: “do you realise you [CIOs] are the gatekeepers to 71 percent of the non-public intellectual property (IP)?” The first reason law firms are attacked is because of IP. Criminals of all sorts see law firms rife with IP that can be pilfered.

One Asian country has allegedly lifted massive amounts of IP from technology companies, not from the companies themselves, but rather their law firms. Once obtained, they pass the IP to their nation’s internal network of state owned companies for development. Apple could have trade secrets stolen and then developed and sold in China before Apple could get it to market in London. To this end, Joe Patrice, Editor of Above the Law, once called law firms “the soft underbelly of the cybersecurity world”. The good news is that law firms have fortified their gates more recently to stymie the IP raiders.

The second reason why law firms are attacked is business information. Last year a known hacker in Russia targeted the top 25 law firms in the world to pull out any merger and acquisition (M&A) information. The criminals silently slip past firewalls, identify M&A documentation of companies set to merge, then can use that information to purchase stock—all before it is publicly announced.

Methods of attack

There is a myriad of tried and true means to crack networks and computers. Having been a white hat hacker script kiddie, years ago, I recently dipped my toe back into the space to see what has changed. My conclusion: it is easier to hack now than it was 10 years ago.

I bought a £4 specialised USB the other day, which will load any sort of script onto a computer in under four seconds. Simply choose the script from 100’s publicly available on the web, convert the code through a free compiler, load it onto the USB stick—and voila! In my testing, I could scrape the user names and passwords entered on my computer, and have it automatically sent to a test email account, simply by placing the ’bad USB’ or ’Rubber Ducky’ into my drive for a few seconds. Does your firm lock down USB ports? Perhaps it is worth considering as an attack of this nature can be executed with relative ease.

There are countless other ways to hack a computer or IoT (Internet of Things) device, but no greater risk is higher than email. Allen Paller, of the US-based SANS Institute, cites 95 percent of all malware and breaches start with email. Phishing attacks, discussed in a new government report published by the National Cyber Security Centre: ‘The cyber threat to UK legal sector’, states that 80 percent of law firms in the UK have had attempted phishing attacks in the last year. These sorts of attacks can be prevented in several ways:

  • Have processes in place when dealing with accounting so emails are not approval for funds transfer—use an internal application for requests and verification
  • Use software to distinguish ‘external’ emails from ‘internal’
  • Link protection—use real-time analysis of URLs and domains so that the user is safely redirected to valid domains when clicking ‘unknown’ links in emails
  • Assuring that all applications are running their most up to date versions

One of the largest law firms in the world, DLA Piper, was hit by ransomware last year. Fortunately, DLA Piper survived, though weeks of recovery at a tremendous cost. Still, these types of attacks can be devastating. They encrypt all files on your computer or network—leaving you two options: pay the ransom to get the password, or delete everything off the computer and rebuild with your backup files. Either option can leave a law firm, for a short or long period of time, with limited ability to address client needs.

The future of cybersecurity will be a multi-pronged approach. No longer is antivirus software the ultimate defence. Instead, law firms will need tools that detect intruders using artificial intelligence infused algorithms to figure out abnormal activity on the network. Blockchain will help securitise information and identities with a distributed network—compared to a central repository of sensitive information. Lastly, the General Data Protection Regulation has already, and will continue to, force all parties to take security more seriously or risk significant fines.

Risk Management in the Cryptosphere: A Talk with Gibson Dunn’s Judith Alison Lee

Originally published in the Legal Executive Institute 

By Joseph Raczynski

Cryptocurrencies and its underlying blockchain technology is upending the traditional paradigm for financial institutions and regulators around risk management. This disruption includes unique challenges around identity association and verification in the cryptosphere, specifically around decentralized exchanges, applications (DApps), and identities. We discussed these topics with Judith Alison Lee, a partner at Gibson Dunn & Crutcher, who advises on issues relating to virtual and digital currencies, blockchain technologies, and distributed cryptoledgers.

Judith, what are the legal challenges in identity-linking and verification in the cryptosphere?

Judith Alison Lee: Given the pseudonymous nature of cryptocurrencies, there needs to be a framework — most likely at the exchange level — to identify the individuals that transact in cryptocurrencies. Most exchanges do collect and attempt to verify customer identifying information; however, depending on the exchange, the information collection and verification may not be robust, and customers may engage in various location- or identity-masking services that pose challenges.

Additionally, there may be jurisdictional challenges regarding privacy laws and the transfer of identifying information. Finally, as we are seeing more and more decentralized platforms supporting peer-to-peer transactions, linking customer identity to particular transactions will likely become more difficult.

How are regulators starting to deal with identity and blockchain?

Regulators are requiring licensing or registration for money transmitter licenses at both the federal and state levels, which requires such entities to comply with Know your Customer and anti-money laundering (KYC/AML) requirements and is one way regulators are addressing identity.


blockchain

Judith Alison Lee of Gibson Dunn & Crutcher

Given the pseudonymous nature of cryptocurrencies, there needs to be a framework — most likely at the exchange level — to identify the individuals that transact in cryptocurrencies.

 


It gets a bit more complicated when we start to talk about linking participants to particular transactions, particularly since the transactions in spot-market cryptocurrencies are not regulated in the same way as transactions in securities or derivatives. As a result, regulators have focused on fraud and manipulation in those markets and have relied on asking the exchanges for transaction-level information, including any identifying information they have collected.

With regard to KYC/AML, terrorist financing, and anonymous transactions, what does the legal landscape look like and how are states or the federal government handling this currently or planning to in the future? 

At the federal level in the US, entities that exchange cryptocurrency may be required to register as money services businesses, while at the state level, many (but not all) states require them to obtain a money transmitter or equivalent license. Both the states and federal government have been involved in enforcement actions to protect against fraudsters in the cryptocurrency space.

In the future, we will have to wait and see if the next Congress will issue legislation on cryptocurrencies.

Is there a way to utilize blockchain for customer due diligence?

It certainly seems that there is a role for blockchain in customer due diligence. The permanent and transparent nature of the blockchain makes it a logical tool to streamline the KYC process. The blockchain would likely be a good way for regulators to have a single source of data and access to the latest information. However, it seems unlikely that a blockchain solution could be utilized for all customer due diligence — though it could certain help to simplify it, particularly for financial institutions.

Clearly, these are the embryonic stages of regulation and oversight for identity management and verification in the crypto space. As adoption of these token rise, global banks and government agencies will further adapt under this decentralized technology-driven revolution.

How medium-sized law firms can use legal tech to compete with the big industry players

Originally published in the Legal Insights UK & Ireland

By Joseph Raczynski

The familiar trio of ‘People, Process, and Technology’ play a role in every business. However, as medium-sized law firms increasingly compete for the same pool of clients with large law, it is the ‘Process and Technology’ that are shifting, and levelling the playing field. As for ’People’ – there is still a dearth of amazing lawyers available since the recession, so while important, it is the least altering factor among the three.

Large law firms are currently flanked on two sides: the Big Four consulting companies from the left and medium-sized law firms to the right. Some of the largest clients are increasingly seeking full service houses. For example, PwC or KPMG can handle everything from tax, IT services, marketing, facilities, procurement, and now legal services, all under one roof. As this goes to press, Ernst & Young just acquired Riverview Law to expand its managed legal services business, which further emphasises this point. This shift has been expanding as the Big Four grow their legal expertise. While it is unlikely that clients utilising the consulting companies may have considered a medium-sized firm, all of the remaining clients are now fair game for both large and medium law, and here is why.

Simply put, technology tools are levelling the playing field. With a proliferation of legal technology instruments on the market, each attempting to nibble at the traditional business of law or practice of law, there is a load of opportunity for any agile firm to gain traction. The surge in legal tech start-ups is global. Led by what some consider the last bastion of massive margins in business, the legal honeypot of financial gain awaits. In a business which has traditionally been less than efficient, the startups can taste the sweetness on their fingertips and are innovating in every direction in the legal landscape. The medium-sized firms that are open to the adoption of technology will have the upper hand.

Previously, larger pools of support staff and lawyers were necessary to accomplish or finish tasks. Now, leaner numbers can be prolific producers when it comes to rote services. There are tools which can magnificently automate documents in any number of areas including; real estate, employment, M&A, trust & estates agreements. Such processes essentially allow for more scale that medium sized law firms could not handle previously, by automating exemplar documents and turning them into intuitive questionnaires. This sort of example illustrates that any firm leveraging these types of technology can compete with nearly any other firm at some level. This was one. There are many similar examples where new tools are ushering in impressive efficiencies through a myriad legal technology tools. At the beginning of this technological shift, the tools will aid in the rote, and in the years ahead more complicated bespoke work will be enabled.

The risk ahead is for the firms that fail to innovate. Without the adoption of basic technology tools, they will not be able to compete with efficiency and turnaround for their clients. It will start gradually, but quickly impair the late or non-adopters.

Process isn’t proprietary ̶ it’s widely available  

Further, levelling the playing field is a process. Once upon a time, a barn full of lawyers was necessary to review documents for complex litigation. Those days are past. Now, a medium-sized firm can call upon LPO (Legal Process Outsourcing) to bring in 50 lawyers in 24 hours. Thus medium-sized firms can now use alternative legal service providers to ramp up instantaneously. The firm of 100 can now puff out their chest as they handle a far grander case than once was feasible with temps and staff lawyers. In addition, to magnify this, these LPOs are using increasingly efficient tools like TAR (Technology Assisted Review) to aid in the EDRM (Electronic Discovery Reference Model) and vastly improve speed to find relevant material.

Ceteris paribus, as legal technology tools advance rapidly and process is flattened, the distinguishing factor between large and medium firms will blur. In the end, with an even playing field, the unique creative “People” vision will likely tip a client into one camp or another. Ultimately, competition among all law firms will become progressively more spirited because of technology and process.

Legislating for the future: Drones in the UK

Portions originally published in The Guardian.

by Joseph Raczynski

 

1. What are your thoughts on the UK’s drone regulations/regulatory approach, and how does it compare to other approaches around the world? Are there any ideas we should borrow from Australia, the US, etc?

 

Drone enthusiast beware, a new era of regulation is about to hit the air.  On July 31, 2018 a new set of laws will go into effect in the UK.  The rules are more restrictive than in the past, stating:

  • Do not fly higher than 400 feet
  • Stay at least one kilometer outside of the airport walls
  • Keep the drone in constant direct eyesight
  • Fly no closer than 150 metres from crowds of 1,000 or more people (think stadiums)
  • Kept it 50 metres away from people and private property

 

  • On November 30, 2019 everyone who owns a drone that weighs 250 grams or more will need to study up. After that date you will need to register your drone with the Civil Aviation Authority (CAA) and then pass an online drone safety test.  Failure to do both will land you a fine of £1,000.
  • There are multiple sights that drone owners can go to understand the landscape better. Drone Safe UK is one of them.

 

These rules are not the most restrictive found around the world, but they are certainly not the most lenient either.  In fact, if you strictly adhere to these rules, it is more than likely that your drone will remain grounded, unless you live in a very rural location.  The most challenging of the above is keeping the quadcopter 50 metres away from people and private property.  Just launching your drone in an urban or suburban area will break this rule.  Operators will need to do considerable research before taking flight.  To that end, numerous mobile apps are available to assist in your planning before you fly.

 

Every country around the world seems to have issued guidance in this area.  While the UK is more restrictive than most, the norm, also the rules in the US, seems to be keeping the drone within eyesight, flying no higher than 400 feet, staying away from crowds, possibly registering the device, and not flying closer than five miles from airports.  There are more restrictive countries like Morocco where drones are now completely banned.  If you bring a drone into the country without declaring it, they will confiscate the device.  Australia has very similar rules to the US which are less onerous than the new UK rules.  I have flown in UAE, Costa Rica, US, UK, Colombia, Switzerland, and several other countries and most allow you to fly following the aforementioned rules.

 

All countries are grappling with their policies on drone usage.  The concerns range from privacy to safety.  Privacy issues will always be a concern with a small minority of pilots flying over private property recording video where a private citizen has the expectation of privacy.  The safety concern is one most likely to fade away over the next five years, when the devices become even more reliable and safe.  Currently there has been marked improvement in the way the software on drones handle a dying battery, location awareness, and object avoidance.  These are now standard on most new drones, so that the devices can return home safely and therefore tend to drop out of the sky far less frequently than a few years ago.

 

2. How do we balance regulation and technology to ensure drone innovation isn’t held back? Do we have a good balance so far?

 

The newest drones are amazing!  My current version can fly four miles away, shoots in 4K video, and can go at least a mile high – not that I have flown it that far.  The technology is well beyond what we are currently allowed to do.  The alarm bells sounded recently, and subsequent regulation created when some operators did dumb things.  People have been caught flying over football stadiums during games, others have flown in the path of airplanes or over forest fires putting emergency helicopter workers in danger.  The issue is that these devices are powerful and now put into the hands of the masses, some have made poor decisions, which could impact general safety and people’s privacy.  I think in the short term we are going to see more restrictive rules like what the UK is enacting now, but in the long term these will ease.  They will relax, as the devices become safer with newer technology – software and sensors.  They will have better obstacle avoidance and baked in no-fly zones will be a norm across all manufactures.  Currently a handful of drone producers have software that if you try to take off next to Big Ben, the drone won’t even move because it uses GPS.

 

Since we have people sometimes making poor decisions, the current set of normalized rules found in most countries make sense.  I would suggest that the UK has gone a bit further than I would deem reasonable, but still generally acceptable.

 

3. How do you see drones influencing city planning? What do drones mean for residential development (delivery pads on apartment roofs)? What about noise considerations and safety?

 

The next great leap into the future that is happening at an exponential rate will be service drones in densely populated areas.  Clearly delivery drones are coming.  Amazon is testing this now.  So you will be able to purchase your bag of crisps and soft drinks via your mobile and have them delivered via drone in short order.  This will impact how buildings are constructed.  You will see more landing pads off of balconies.  In addition, non-balcony flats will have landing pads on the roof, with autonomous rolling rovers which will pick up the drone dropped package and deliver it to your front door.   If you live by a beach, drones are starting to be used in saving lives.  Instead of a lifeguard having to jump off from their perch, run across the hot sand, battle the waves to get to the struggling person, they will launch a drone fly it above the person in distress and drop the life preserver.  The first water rescue of this manner happened in March down in Australia.  Another plan is to have drones help guide you to open parking spaces in the city.  Do you want to get a closer look at out of reach parts of London Bridge as a tourist?  You will be able to dawn a headset and a mini drone will take you to parts of the bridge unseen by most.  Drones might monitor traffic.  Helping with real-time incident reports for accidents, and giving real-time feedback about troubled areas.  We will also see drones watching over as police helpers. Making sure that areas which might have more crime are being monitored more closely.

 

The noise issue is also temporary.  Companies are now creating “props” or propellers that make far less noise than even a year ago, and this will continue to improve until we have something that is nearly silent.

 

There are countless other areas that will be impacted with drones.  Fire and rescue, compliance for real estate ordinances – did you build a deck without a permit?

 

4. How can drone rules be enforced? What good technologies have you seen in use so far?

 

Right now drone rules are being enforced by the drone companies.  They are baking into their software all of the rules and regulations mentioned earlier based on your location and common standards.  This is being done proactively for fear of the Morocco situation – an outright ban of recreation drones.  Every time I turn on my drone, it asks me to update my software, it adds new “no-fly zones” as more and more areas around the world request a no drone area.  Companies are simply trying to self-regulate.  On the other side, honestly it is very difficult for enforcement to go after operators.  They essentially need to witness a drone flying in a restricted area, then find the person flying the device.  They typically find them as the drone runs low on battery and the pilot brings it down.  It is only a matter of minutes for the enforcement to find that person before they take off.  In very restricted areas, some countries have devices to scramblers the communications of the drone operator, which can do a few things to the misguided drone; drop it out of the sky or take over the flight from the owner.

 

5. How do you see drones actually being used in the next five years? What use cases are over hyped and which are realistic?

 

I believe in some areas we will have drone delivery.  I actually think in the next 5 to 10 years we will have the flying vehicles people always dreamed about.  The first human drone vehicles have been made.  The major hurtle will be regulation of these devices.  Drones will routinely monitor forests looking for hot spots to prevent massive forest fires.  I think we will start seeing some policing with drones, observing areas with high crime.  Selfie drones, the size of a deck of cards will be in most tourist’s pockets.  They will have a very limited distance and primarily take pictures and video from cool new perspectives… like you rock-climbing 500 feet above a ravine and you simply call it out to take a video and then returns to your momentarily free hand.  I think you will also start to see ambulance drones – is someone having a heart attack near you.  You call 911 and the drone is dispatched much faster and arrives in a few minutes compared to the ambulance itself.

 

This tech is just about to take off.  The next few years are going to be a mix of tech pushing the boundaries and regulators having to make new decisions.

Artificial Intelligence and the UK vs. US Approach

Originally published on Legal Insights UK & Ireland

By Joseph Raczynski, edits, questions and preface by Ann Lundin and Joe Davis.

Artificial intelligence will threaten most jobs at some point soon—and new jobs will emerge’

The impact of innovative technology is undoubtedly going to radically reshape the delivery of legal services in the years ahead. To help consider the extent of this impact within the legal industry – and indeed, the current state of play, Legal Insights UK & Ireland spoke to Technologist and Futurist at Thomson Reuters, Joe Raczynski.

Tell us something about Joe Raczynski. You have been labelled as a ‘super geek’. How did you achieve this unique status?

It’s actually ‘Sir Super Geek of the Square Table’—as the Queen kindly bestowed recently. More seriously, I am very fortunate. My personal passions and professional career have spectacularly collided. Since I was young I would tinker with electronics, including building a home security system from spare computer parts, penetration testing networks as a white hat hacker, building websites and eventually fiddling with all things computer and technology related. For me, pure satisfaction is derived from being an early adopter of a technology, immersing myself in it, and then sharing that with others—ultimately seeing their eyes grow in amazement, interest and most importantly extrapolation. I still recall describing ‘digital cash’, e.g. Bitcoin, in 2011 to friends and seeing their awe and skepticism. On the other side, I bought Google Glass and trumpeted its potential, until the overwhelming collective societal shame forced them back into their box. The technology in a more robust form will return in a few years, I promise.

Tell us about your role at Thomson Reuters.

I oversee a wonderfully nimble team of technical client managers. Our collective goal is bifurcated. Part one is to assure that all our (80-plus) Thomson Reuters Legal products and services work well for our customers. Part two, which is ever growing, is sitting down with our customers across law firms, corporations, and government agencies to understand their technology initiatives. We are able to see the trends across the various facets of our legal customers, and serve as technology evangelists to share those insights with our customers. Historically, we have also listened to them about where ‘tool gaps’ lie, and either code those solutions ourselves, or work with the larger Thomson Reuters to build solutions.

Does the progressive development of AI and robots threaten your job or anyone else’s? If so, how soon?

AI will threaten most jobs at some point soon, mine included but a tad further out. Anything repeatable, routine, or even easy to adapt to ‘if then’ statements, will be impacted. Many of the traditional services positions will fade away first: drivers, wait staff, store clerks, and then some professional positions, such as project managers, will be next. Mentally, we all need to prepare for this eventuality. The positive is that new industries will evolve which haven’t been invented yet, which will spur new jobs.

How is AI currently disrupting the legal industry?

In the legal space, you can already see it on the eDiscovery front. Eight years ago, new lawyers might be tasked with document review spending 80 hours a week. Now law firms need far fewer eyes reviewing documents, because of AI infused tools. Document automation tools like Contract Express or Drafting Assistant make law firms much more efficient by replicating and modifying exemplar documents with ease. Those firms that adapt soonest, will be best positioned moving forward.

What do you make of law firms engaging more directly with incubators/tech start-ups?

There are several things afoot. Law firms traditionally were technology risk adverse, but that is rapidly changing. The first tug on the law firm are clients asking for them to be more agile forcing new mindsets. Another pull is that law firms tend to be a highly profitable industry, and for that reason small companies have now cast their gaze on their large margins. You have hundreds of new start-ups seizing upon niches of the legal business, be it the practice or business of law. Lastly, law firms are seeing the above and deciding to band together with start-ups to test the waters on new products and services. This has a secondary purpose, it also better positions the firm as forward thinking for new clients.

How do UK and US large law firms’ attitude differ in their receptiveness to new legal technology, and willingness to invest?

I have seen a wide variety of responses on adoption of legal technology at US law firms. Recently one firm stated, ‘we are not going to invest in AI because we are an insurance firm and it will not help us’. Conversely, I have seen several large law firm tossing millions of dollars at internal initiatives to develop new tools. My experience with UK firms demonstrates a real tilt toward innovation perhaps more universally than in the US. It seems that currently the push to be more efficient in the UK surpasses that need in the US. Despite major transformative landscape changes in the US, there are clusters of firms that will not change—until forced to do so, which will likely happen within five years. In general UK firms are thinking more like a business.

Does the growing necessity to adopt time-saving, efficiency-driven legal technology put pressure on small and medium-sized law firms to invest? What will likely happen if they don’t?

Personally, I believe the medium sized firms could be best positioned with new efficiency driven legal solutions. To that end, I am starting to see medium sized firms competing against the biggest law firms. Five years ago, this wasn’t as feasible. No matter the size of the firm, they must have a keen eye to investigate the latest legal technology trends, tools, and service models. If they don’t, they will miss opportunities—and a streak of missed opportunities will lead to significant risk of survival.

 

Classification of Cryptocurrency: Coins, Tokens & Securitized Tokens

Originally published in the Legal Executive Institute

By Joseph Raczynski

One of the most contentious debates in the cryptocurrency world surrounds classification of blockchain-based digital assets, tokens and cryptocurrencies. A panel at the recent Thomson Reuters Regulation of Financial Services Conference discussing the basics of cryptocurrenciesexamined this argument. With more than 1,650 cryptocurrencies or tokens trading in the public domain, it is important to understand their nuanced differences.

Cryptocurrency

Dominating this conversation in the United States is whether specific coins are securities, and secondly, if a utility token can exist. In addressing the first part, the US Securities and Exchange Commission (SEC) recently shed some light by declaring both Bitcoin and Ethereum non-securities. This assertion defines that there is no expectation of equity or return on any investment in these virtual currencies. The overarching belief had held that Bitcoin is a currency and thus a competitor to the US Dollar or Euro; and Ethereum is more complicated.

Tokens

The original intent behind Ethereum was that it supported smart contracts by using their blockchain token called Ether or ETH. In this case, a token stands as a digitized tool to perform a service, similar to those physical token coins used in some video game arcades or laundromats. In this digitized version, the Ethereum platform was intended to perform a service and store more complex, automated, yet immutable code on their blockchain (for example, storing a contract on the blockchain that dictates a sell order if the stock of Amazon reaches $2,000 per share on January 1, 2020).

What differentiates Ethereum from Bitcoin is that the token ETH is used to upload and save that smart contract to a blockchain using “gas”, basically the payment of ETH for each transaction. Therefore, many argue that ETH is a “utility token”, performing a service, i.e. saving that contract to the blockchain. What complicates this is that many start-up tech companies are using Initial Coin Offerings (ICOs) on the Ethereum platform to launch crowd-funding campaigns and raising money. The complication — raising money in this form — have some regulators and industry watchers arguing that these ICOs are more like securities, similar to stocks, even if they are sitting atop of the Ethereum token-based platform rather than on a stock exchange.

Tokenized Securities

Now, a hybrid product that is emerging quickly is the tokenized security. Recently at Consensus in New York City, a company called Polymath created a platform for anyone who wishes to raise money for their company quickly can do so by issuing tokenized securities. The primary difference with this model is that the issuer is offering shares or portions of ownership of the company. There is also a belief that these types of securities will eventually adhere to SEC regulation, which is yet to be determined. What drives the regulatory discussion is a 1946 Supreme Court ruling now called the Howey Test, which determine if something is a security or not. The tenets of the Howey Test are as follows:

  1.  It is an investment of money
  2.  There is an expectation of profits from the investment
  3.  The investment of money is in a common enterprise
  4.  Any profit comes from the efforts of a promoter or third party

 

For a token to be considered a security, each of the above must be true. The primary point of contention is around point four, “Any profit comes from the efforts of a promoter or third party”. This aspect is typically out of the hands of the investor and not something they can control. When these tokens are launched on third-party exchanges, this falls outside of that individual investors domain, and for many, nullifies the Howey Test.

Or as Ash Bennington of CoinDesk phrased it:

A long time ago, someone named Howey owned an orange grove.

Howey said: “I’ve got this orange grove and I’ve got no way to make money out of it — because I need money to make money.”

Tell you what. I’m going to sell you this orange grove and, in exchange, you get whatever profits are made from that little plot.

I’ll work the land. I’m going to pick the oranges. I’m going to squeeze the juice. You just pay me the money.

The plaintiffs said: “That’s a security.”

The SEC said: “That’s a security.”

Howey said: ‘No, no. That’s just selling plots of oranges.”

Ultimately, the Supreme Court said: “That’s a security” – because it passed this test: There was an investment of money. And a common enterprise. With the expectation of profit, primarily from the efforts of others.

Governments around the world are grappling with the classification of cryptocurrencies in what should become a multi-trillion-dollar industry within the next decade. With so much at stake for everyone from the garage startups to the Morgan Stanleys of the world, some regulation is inevitable. Most are merely hoping for clarity, not confines, which could hurt the innovation stemming from the once-a-generation revolutionary platform technology called blockchain.

Kill Chain: The 7 Stages of a Cyberattack

Originally published in the Thomson Reuters Tax & Accounting Blog

By Joseph Raczynski

In our new world reality where cyberattacks are a daily occurrence and every organization must focus on critical infrastructure surrounding cybersecurity, businesses have begun to think like the military. How can we defend our enterprise? To that end, it’s not surprising that companies have adopted soldierly, combative mindsets and terminology.

The term “kill chain” originates from the armed forces and refers to the structure—or seven stages—of a cyberattack:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Action on Objectives

Now, many proactive institutions are attempting to “break” an opponent’s kill chain as a defense method or preemptive action. One of the leaders in this space adapting the concept for Information Security is Lockheed Martin.

Thinking Like a Hacker
A hacker typically has a creative, analytical mindset. These individuals search for paths toward a solution—often devising serpentine and circuitous routes to attain their goal. It’s this approach that we need to build awareness around if we are to thwart an onslaught of attacks.

As an example, let’s pretend that a hacker wants to get into your Tax Consultancy LLP organization to pilfer the Social Security numbers of your clients. This is how they may think at every stage of the kill chain. Your goal is to understand the steps and proactively counter each one to protect your network.

Stage 1: Reconnaissance
Hackers begin by researching your company online—gathering names, titles, and email addresses of people who work for the organization. They identify one person to target and then plan their avenue of attack. They may use e-mail attachments with viruses, port surf the company network, drop a memory card containing malicious code in the parking lot, or decrypt WiFi traffic. In this scenario, let’s say they choose e-mail as their method. An e-mail containing a link is sent to the selected individual, who, once they click on the link, inadvertently downloads the malware.

Stage 2: Weaponization
Hackers have libraries of code at their disposal that they use and tweak for their attacks. They consider the networks, operating systems, and software that Tax Consultancy LLP—and every company they target—may run. By identifying these components through research, the hackers can customize their code to work in those environments. One of the most common ways to compromise a computer or network is to attack unpatched software by companies such as Microsoft Cisco—applications that have known vulnerabilities, but ones that Tax Consultancy LLP may not have updated.

Stage 3: Delivery
In this instance, the hacker has decided to target the CFO of Tax Consultancy LLP. Through research, the hacker knows the name of the CFO, where she lives, works and even personal information gathered from the Web. He knows she coaches an eighth-grade softball team, enjoys camping, and shops at a local Safeway Food store she once complained about on Google reviews. Armed with this information, the hacker decides to lure the CFO with a spear phishing tactic.

Stage 4: Exploitation
The hacker crafts a perfectly feasible email to the CFO.

“Dear Jenny, it has been too long since we last spoke! I hope all is well. The last time we chatted we were at Safeway, complaining about their so called “fresh fish” section. One of these days they will have fresh shrimp, not just the frozen variety. The reason I am writing is that our daughters are in the same softball league. They have grown up so fast! I know you are busy, so you may not be aware, but they are hoping to go to Florida for a tournament in a few months. We are trying to raise some money for the kids who currently don’t have the means to get there, can you please help by donating say $20 to the cause? You can click here to donate.”

Stage 5: Installation
There is a 96 percent likelihood that the CFO will click on the link in the spear phishing e-mail. When she does, the malicious software takes root.

Stage 6: Command & Control
Once the malicious code has been installed, it phones home to the hacker. The hacker then has the ability to control it, let it sit for an extended period of time, automatically listen to packets across the network, or crawl through the network. All of this depends on what was deployed and what the hacker wants from the system. In our imaginary scenario, the hacker is after Social Security numbers, so he may attack the central database of Tax Consultancy LLP that houses all of their clients’ information, most likely found in an unencrypted DBA system, or perhaps Excel spreadsheets or other email accounts. The hacker is then able to harvest the information and send it out through the firm’s firewall to a remote server as a repository.

Stage 7: Action on Objectives
Finally, the hacker is able to extract whatever information they’ve been targeting. They can now easily gather Social Security numbers contained in the firm’s data. Of course, the options for exploiting this sort of information are many. The hacker may sell the numbers on the dark web, file fake tax returns, or use them to apply for credit or new identities.

Be Vigilant
All of this happened because the hacker was able to effectively use each stage of the kill chain to astutely identify the company’s possible vulnerabilities and leverage them. Today, all businesses should spend time walking through these stages, identify vulnerabilities, and shoring up their defenses to eliminate them. It’s not an easy task, but the more critically each of us look at these seven stages of the kill chain, the better we can prevent the next hack.