' Matthew Garry | MTTLR

Who You Gonna Call? The SEC, CFTC, and Regulatory Jurisdiction Over Digital Assets

The proliferation of digital assets has raised a persistent question: who regulates them? Both the Securities Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) have claimed jurisdiction over different digital assets. Broadly speaking, the SEC regulates Initial Coin Offerings (ICOs) while the CFTC regulates “virtual currencies.” Cases involving ICOs are clear cut; in other situations, it can be much harder to discern which agency should have jurisdiction over a particular digital asset. The CFTC has claimed jurisdiction over virtual currencies since 2014. But the agency’s position wasn’t vindicated until 2018, when two separate federal district court opinions ruled that virtual currencies fell under the purview of the CFTC as commodities. The first of the two cases, CFTC v. McDonnell, 287 F.Supp.3d 213, 228 (E.D.N.Y. 2018), held that Bitcoin—as well as other virtual currencies—qualify as commodities because they “are ‘goods’ exchanged in a market for a uniform quality and value.” However, it is not clear which other digital assets count as commodities rather than securities. The court in CFTC v. My Big Coin Pay, Inc. et al., 334 F.Supp.3d 492 (D. Mass. 2018) held that a scam digital currency called My Big Coin qualified as a commodity. This holding might imply a more expansive view of digital assets as commodities—yet the court in My Big Coin Pay seemed to base much of its reasoning on the allegedly false claim that the value of My Big Coin was essentially derived from the value of Bitcoin. It’s unclear how the court would have ruled if My Big Coin had been promoted as a standalone cryptocurrency. The ambiguity surrounding the exact definition...

My Data Has Been Breached—Can I Sue?

Earlier this week, Facebook announced that 50 million user accounts had been compromised in a data breach. This is just the latest episode in a series of high profile and far-reaching data breaches in which consumers’ sensitive personal and financial information has been exposed or stolen. Discourse about issues relating to data protection frequently center on prevention: how to make systems more secure from hacking and other cyber attacks, or how to improve detection speed when such attacks are successful. However, there is another aspect of digital data breaches that deserves attention: liability. What legal options do affected consumers have? Can one of the 50 million people whose accounts have been hacked sue Facebook for negligence? In similar situations, the answer has been no. Part of the problem is that the duty to provide data privacy and security does not neatly fit into any established category in tort law. The common law does not recognize a general cause of action resulting from the accession or theft of a consumer’s private information. Plaintiffs may thus find it necessary to argue that special circumstances mean the company owes consumers a specific duty, like a fiduciary duty. For example, a class-action lawsuit against Equifax for a 2017 data breach was brought on the theory that the company had a duty to protect personal information. The strength of the plaintiffs’ legal claim is being tested—Equifax has filed a motion to dismiss that awaits ruling in the Northern District of Georgia. If Equifax succeeds in defeating the claim that it owed a duty, the plaintiffs will be in serious trouble. This is because the common law generally...