Topics covered in our latest newsletter:
Navigating the Maze of Data Breach Laws
The highly publicized data breaches at Target and Neiman Marcus have highlighted the importance of protecting consumers' online data and privacy. In particular, many have been concerned about how long these companies knew about the breach before they notified consumers that their personal information had been compromised. So how long do data collectors have before they are required to notify consumers? The answer is not that simple.
Although many states have recognized the need to strengthen their individual state security breach laws, there is still no uniform federal law in place addressing this concern. This especially becomes a problem when internet-based companies conducting business nationally or even globally do not have a bright-line, national standard to follow. Instead, they are left attempting to comply with a patchwork of breach notification requirements in each individual state. President Obama did introduce a Consumer Privacy Bill of Rights as a "blueprint for privacy in the information age", but, two years later, Congress has not been able to agree on any of it.
In 2002, California was the first state to pass an online breach notification law. Since then, 46 states and the District of Columbia have followed suit by requiring businesses to notify consumers of security breaches of personal information. Each state's requirements, however, can differ significantly.
Illinois law provides that:
"Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system."
In other words, in Illinois, companies may delay notification if necessary to accommodate a law enforcement investigation and also if necessary to investigate the incident and restore system security. However, there is no strict time limit by which companies must provide notice. The statute simply states "in the most expedient time possible" and "without unreasonable delay." What exactly these terms mean is open to interpretation and leaves companies vulnerable to lawsuits arising from relatively short delays.
So while the politicians in Washington, D.C. continue to work towards a federal standard of what to do after there is a data breach, we think businesses should tackle the root cause: strengthening security so that the data breaches don't happen in the first place. Experts in the field often recommend the following:
- Have a security plan. Any business that collects personal information from consumers needs to have a plan to protect the confidentiality and integrity of the information. Consider hiring a security professional to ensure that all bases are covered, including the latest security software, web browser, and firewall.
- Practice data minimization. Don't collect or keep data that you don't need. Avoid keeping data longer than you need to.
- Encrypt sensitive information such as usernames, passwords, and financial information. In particular, the FTC specifically requires all receipts to truncate credit, debit, or bank account information. Receipts may display no more than the last five digits of the card number and must delete the card's expiration date.
- Make sure you dispose of the data properly. Many states have specific provisions detailing the appropriate methods of disposal, including redacting, burning, pulverizing, or shredding the personal information so that the information can no longer be read or reconstructed.
With the ever-growing technological sophistication of hackers, additional data breaches are inevitable, but implementing preventative policies within the workplace could minimize the risks.
Checking in with the New gTLD Rollout
The Internet Corporation for Assigned Names and Numbers (ICANN) is well into its launch of new gTLDs, or generic top level domains, with the first strings opened to the public late last month. Over 125,000 new gTLD domain names have already been registered, and the strings that have gone live are only the tip of the iceberg. One thousand nine hundred and thirty gTLD applications were submitted to ICANN back in 2012, and now dozens of new domains are available to the public, with many more in the pipeline. The new gTLD rollout is many years in the making, and this historic expansion has important consequences for trademark owners, internet users, and the new gTLD owners alike.
By way of background, the common .com, .net, and .org are among the original twenty-two gTLDs, and these have been the only options for internet users for decades. These will soon exist alongside a myriad of options. Among the gTLDs that recently went live are .bike, .camera, .clothing, .guru, .plumbing, and .singles, but this is merely a sampling, and many more are on the way. The new gTLDs include internationalized domain names (IDNs) in Arabic, Chinese, and Russian, marking the first time a gTLD is not limited to Latin characters. This expansion is meant to create a broader and more global internet landscape, in which succinct and specific domain names are available for every interest.
That's the idea, anyway. The companies that purchased the new gTLDs must now make these extensions profitable and compete not only against the familiar .com, but also against scores of new strings. One registry has taken an opportunist approach to generating interest in its gTLD. Sedo, owner of the .CLUB extension, is currently conducting a private auction for twenty-five winter sports related domain names. These include skiing.club, icehockey.club, figureskating.club, and even sochi.club. With the Winter Olympics all over the media and on internet users' minds, there is surely no better time to profit from these choice domain names. What will be interesting to see is if other registries follow suit, with the World Cup taking place later this year and numerous other events on the horizon.
The company that has generated the most interest, however, is Donuts, Inc. Donuts was created for the sole purpose of applying for new gTLDs, and the company surprised many when it appeared out of the blue in July 2012 with over 300 gTLD applications. Although about half of these are in contention, Donuts still holds a significant share of the new internet landscape, with many of the recently opened extensions belonging to Donuts. Donuts does not sell domain names directly; rather, it partners with already existing registrars, such as GoDaddy. Its website touts the many benefits of the new gTLD options under the heading "There's a TLD for that," and it has even created a comprehensible cartoon to explain why one should use the new domains. With each gTLD application costing $185,000 or more, many are watching to see if Donuts' gamble will pay off, and with so much competition among domain extensions, some are wondering if the new gTLDs will be profitable.
Turning now to the effect of this rollout, the new gTLDs are of special concern to trademark owners, who have been vocal about the potential for increased trademark infringement and cyber-squatting as a result of the new strings. ICANN responded by creating the Trademark Clearinghouse, a database in which rights owners can register their marks in order to participate in a sort of watch and notification service. The Trademark Clearinghouse does two things. First, it offers a sunrise period in which trademark owners get an early opportunity to register new domain names before each gTLD is open to the public. The first sunrise periods began last fall and additional sunrise periods are opening every few weeks. Next, the Trademark Clearinghouse offers a service that generates a notice whenever someone seeks to register a domain name that matches a rights owner's trademark. The service does not block the applicant from registering the domain, however, and notices are only provided for the first 90 days.
It is hard to say how trademark owners have responded to the Trademark Clearinghouse and its limitations. On the one hand, over 23,000 marks have already been submitted to the database, but on the other hand, only half of these filings are for multiple years. Trademark owners have the option of protecting their marks for one, three, or five years in the Trademark Clearinghouse, and since the new gTLDs are slated to roll out over the next several years, it seems that many trademark owners are testing the waters by applying for first year protection only.
Some gTLD owners are offering additional layers of protection for trademark owners. Donuts, for instance, has created a Donuts' Domains Protected Marks List (DPML), which allows trademark holders to block their marks from being registered across all Donuts gTLDs—for an extra price, of course. The program contains protection features noticeably lacking from the Trademark Clearinghouse; however, rights holders must register their marks within the Trademark Clearinghouse before they can be eligible for the DPML.
Other companies seem to be eschewing the Trademark Clearinghouse entirely, and some trademark holders are choosing a reactive rather than proactive approach. For instance, the last few weeks have seen the first Uniform Domain-Name Dispute Resolution Policy (UDRP) action arising over a new gTLD domain name, as well as the first Uniform Rapid Suspension (URS) case. The UDRP is a commonly used process established by ICANN to resolve domain name disputes, while the URS is a much more recent process created as a quick dispute resolution option for cases of blatant infringement. Canyon Bicycles GmbH is the first to file a UDRP against a new gTLD registrant who purchased the domain name canyon.bike, and shortly thereafter, IBM prevailed over the registrants of IBM.guru and IBM.ventures in the first test run of the new URS procedure.
While the jury is out on the advantages of using the Trademark Clearinghouse, one thing appears to be certain: trademark owners' fears of cyber-squatting seem to be justified. Research in the United Kingdom shows that cyber-squatters have registered domain names containing many of the country's largest brands. For the United Kingdom's fifty most valuable brands, eighty percent have been registered by unknown parties with regard to the new .web domain names; seventy-eight percent with regard to .app domain names; and seventy percent with regard to .shop. Jan Corstens, project director at the Trademark Clearinghouse, argues that this is a reason to register with the database, and further states that "the economy as a whole potentially stands to lose millions to grey and black market activities, with consumers inadvertently buying counterfeit products from third parties posing as the brand online."
Ms. Corstens is not alone in her concern for the online economy. The question of how consumers and internet users are affected by the new gTLD rollout is on many minds. The European Commission recently made some statements that call ICANN's leadership into question. First, the European Commission took issue with the new gTLD Auction Rules, under which companies who have applied for the same string resolve their dispute via auction. The European Commission is "deeply concerned about the implications that the Auction Rules in the gTLD program may have for the protection of public policy interests, competition, openness and innovation." If every new gTLD goes to the highest bidder, "small, innovative and community applicants" will be left out, which is inconsistent with ICANN's non-profit status and the gTLD Program's objectives, namely, "competition, diversity, innovation and consumer choice." The European Commission was also concerned about ICANN's location in the United States, asserting that "recent revelations of large-scale surveillance have called into question the stewardship of the U.S. when it comes to internet governance."
On a more micro level, the scores of new gTLD options create some practical problems. With so many domain extensions to remember, some argue that internet users are more likely to enter typos than they are with the ubiquitous .com. In those cases, consumers are less likely to end up at their desired site, and the owner of the intended domain name will lose business. For instance, consumers looking for womens.clothing, who accidentally type womens.clothes, will likely be taken to a search engine page, where the website they are looking for may not even appear. The potential confusion can hurt consumers and domain name holders alike.
In this early stage, it is difficult to characterize the new gTLD rollout: a headache for trademark owners? Confusing for internet users? Profitable for registries? Or none of the above? In fact, some wonder if the new gTLDs will have that great of an effect at all. The most popular new gTLD is currently .guru with over 35,000 registrations. Compare that to .com, which has more than a staggering 100 million registrations. The internet landscape may be changing, but to what extent is unclear.
Class Heading Does Not Cover All in the United States
Using International Class headings to identify goods or services may sound like a convenient way to file trademark applications in multiple countries. It is simple, consistent, and presumably covers everything in that class. However, a recent decision by the U.S. Trademark Trial and Appeal Board rejected the "class heading covers all" assumption. In re Fiat Group Marketing & Corporate Communications S.p.A., Serial No. 79099154 (January 31, 2004).
Fiat Group Marketing & Corporate Communications S.p.A. (Fiat) obtained an international trademark registration for "Fiat 500" covering 9 classes of goods and services in 2011. It subsequently filed an application in the United States in these classes. For its Class 35 description, it used the class heading, "advertising; business management; business administration; office functions." The description was rejected by the U.S. trademark examiner on the basis that it was not sufficiently specific.
Fiat responded by amending the description into "advertising services; retail store and on-line retail store services featuring a wide variety of consumer goods of others." The examiner rejected the description again, reasoning that retail store and on-line retail store services exceeded the scope of the original application. Fiat argued that the services were included in "business management" in the Class 35 heading and therefore did not exceed its coverage.
Applying the "ordinary meaning" test, the Board found that the term "business management" cannot be construed as encompassing retail store services. The Board agreed with the examiner and found that the amendment improperly broadened the identification of services. The Board further explained:
"Class headings...are by their nature comprised of intentionally broad terms, but do not necessarily cover all goods or services within that class...[t]he USPTO will not permit the applicant to amend to include any item that falls in the class, unless the item falls within the ordinary meaning of the words in the heading."
The implication of In re Fiat for foreign companies is that when filing trademark applications through the WIPO, the class heading is not necessarily understood to include everything in the class in the United States.
Several jurisdictions, including Argentina, Cambodia and Laos, allow the use of class headings to claim all goods or services in the class. In most other jurisdictions, class headings are acceptable, but only cover goods or services specifically mentioned in the class heading.
In the United States, not only will the class heading not be accepted as written, but it may be interpreted restrictively by the USPTO and may not include key goods and services of interest to the applicant. As a consequence, applicants planning on designating the U.S. may want to make sure the key goods and/or services are specifically mentioned in their home registration intended to be used as a basis for registration in the U.S.
Online File Sharing and Copyright Enforcement: The Public Relations Component
In what is the latest in a string of lawsuits involving unauthorized digital sharing of copyrighted music, well known recording artist Prince has recently filed a lawsuit against certain users of Facebook, Google and other blogging websites. The lawsuit accuses them of both direct and contributory copyright infringement. As with similar cases before it, this lawsuit has sparked a public debate regarding enforcement of copyright laws by the artists and record companies that own copyrighted works. This debate goes beyond the legal merits of the cases involved and implicates business interests and public opinion as well. Perhaps in part due to negative publicity, Prince dismissed his lawsuit two weeks after it was filed, claiming that the complaint had deterred further unlawful activity. He also claimed that the infringing material was removed and thus the lawsuit's aims had been achieved. As discussed below, this case is only the latest evolution in an issue for which legal merit and public opinion have sometimes been at odds.
The law of contributory infringement as it relates to online file sharing has evolved from the early 2000s, in particular involving file-sharing service Napster. In 2001 and 2002, Napster was bankrupted and later shut down by various court rulings. Perhaps the most noteworthy of these decisions was A & M Records vs. Napster, in which a number of record companies joined forces against Napster's central hosting of music files that mostly consisted of unauthorized copies of recorded music. The Court held that Napster engaged in contributory infringement because it had specific knowledge of infringing activity and materially contributed to this infringement through its provision of the "site and facilities" involved in the unauthorized downloads. This ruling set the stage for further attacks against file sharing sites, many of which went online after Napster was shut down. Most of these have also encountered subsequent legal challenges.
Perhaps the most high profile analogous case to the lawsuit filed by Prince is Metallica v. Napster, in which the popular heavy metal band Metallica sued Napster as well as several universities for contributory copyright infringement. In addition, it went a step further in demanding that the Napster accounts of "fans" that illegally downloaded Metallica's songs be terminated. Metallica, along with another well known recording artist, Dr. Dre, sued Napster after Metallica's entire catalogue was found to be available for unauthorized download. Metallica received a preliminary injunction after which the parties reached an undisclosed settlement. However, Metallica, a band that had already become extremely financially successful, faced a public backlash over its lawsuit. Its fans believed that the band had become greedy. Fans believed that they had already invested a sufficient amount of money in the band in the form of concert tickets, t-shirts and other merchandise. Therefore, they felt that they should be able to download Metallica tracks via file sharing services. Metallica countered that its actions were more about artistic control than finances, given that the suit was initially prompted by an unauthorized release of a non-final demo tape that made its way to FM radio via Napster. In this vein, Metallica simply argued that it wished to control what version of its music was released and at what time. In this case, although Metallica and other allied actors arguably outmaneuvered Napster in the legal arena, the backlash amongst their fans perhaps rendered this victory somewhat hollow.
In his lawsuit, Prince named 22 users as being collaborators in the alleged copyright infringement conspiracy. Many of these individuals were not able to be identified by more than their online personas. The complaint alleged that these individuals conspired to illegally record and distribute various musical performances by Prince primarily through Facebook and Google. They allegedly accomplished this through a series of semi-hidden links that were shared within the community, similar to a quasi-underground version of Napster. Under the applicable law, this activity arguably presented a strong case of infringement.
However, instead of a clear-cut legal victory, the lawsuit faced a backlash almost from the outset. Taking the approach in Metallica a step further, Prince sued the users of the allegedly offending accounts directly instead of going after the online intermediaries. With online personas indicating that these users were likely fans of Prince, the online fan community reacted quite negatively to the suit. As with previous cases, issues of finances clashed with claims of artistic control. Prince dismissed the suit without prejudice after two weeks, claiming that the infringement had been taken down and that the suit was no longer necessary. The suit likely served as a strong deterrent given that damages of over $1 million per user were sought. However, its publicity backlash is yet to be measured.
These cases illustrate a quagmire in copyright enforcement in that sometimes justified legal action can be misunderstood by the public at large. This is especially true when oftentimes fickle rock and roll fans are involved. Although a solution is yet unclear, artists may wish to make their recording and file sharing policies clear to their fans to avoid the appearance of attempted overreaching. For example, Metallica had previously allowed fans to record concerts without the band's permission and share these files online. This fact was perhaps lost in the noise of the lawsuit once filed. In any event, artists should choose their legal methods carefully, lest a meritorious legal claim be turned into a public relations nightmare.
Disclaimer: The contents of this newsletter are presented for informational purposes only, and as such are not intended to constitute legal advice and should not be construed as such or acted upon without seeking advice of legal counsel. This information is not intended to and shall not create an attorney-client relationship of any kind or nature with IpHorgan Ltd. Please contact the firm with queries, concerns or for further details regarding the information presented herein. The entire contents are current only as of the date of the newsletter and are not to be interpreted as the opinions of our clients past, present, pending or future. (c)2014, IpHorgan Ltd. All Rights Reserved.