Privacy & Information Security Law Blog

On May 5, 2023, New York Attorney General Letitia James released proposed legislation that seeks to regulate all facets of the cryptocurrency industry. Entitled the “Crypto Regulation, Protection, Transparency, and Oversight (CRPTO) Act,” if enacted the bill would substantially expand New York’s oversight of crypto enterprises conducting business in the Empire State, including as to matters involving privacy and cybersecurity.

The bill includes a broad set of measures intended to regulate comprehensively the entire cryptocurrency ecosystem. Subject to certain exceptions for tokens used in online gaming, sports wagering, customer loyalty programs and other favored uses, “digital asset” is expansively defined under the bill to include any “type of digital unit, whether labeled as a cryptocurrency, coin, token, virtual currency, or otherwise, that can be used as a medium of exchange, a form of digitally stored value, or a unit of account.” The bill also provides that “digital asset shall be broadly construed to include digital units that have a centralized repository or administrator, are decentralized and have no centralized repository or administrator, or may be created or obtained by computing or manufacturing effort.”

Attorney General James’s bill includes a wide array of provisions that would impact various parties who transact in digital assets, including their issuers, brokers, investment advisers, marketplaces and even social media influencers. Among other things, the bill would impose on these parties far-ranging registration, disclosure, audit and business conduct rules. For example, digital asset brokers would be required to maintain net capital in the same way as securities broker-dealers, and digital asset intermediaries would be required to reimburse customers for unauthorized and fraudulent transfers. Many common practices for crypto exchanges would also be outlawed entirely, such as cross-ownership of digital asset issuers, marketplaces, brokers and investment advisers; borrowing or lending customer assets; certain trading strategies; and self-custody of digital assets. The bill would also limit the use of the term “stablecoin” to describe or market digital assets unless they meet narrow criteria.

The bill provides that every digital asset issuer, digital asset broker, digital asset marketplace, and digital asset investment adviser must create, implement and maintain an effective cybersecurity program that satisfies the requirements of applicable state and federal data privacy and cybersecurity laws. The bill additionally imposes an unusual obligation on digital asset marketplaces to verify that the digital asset software code is consistent with the issuer’s disclosures to purchasers, and that it contains security properties in compliance with applicable state and federal laws.

The bill also includes new enforcement authority and a new antifraud statute for the Attorney General. If adopted, the bill further grants the Attorney General broad rule-writing authority.

It is unclear what the prospects for passage of the bill are in the New York State Legislature, but the Attorney General’s press release announcing the draft includes favorable commentary from numerous political figures, state legislators and consumer protection advocates.