Intellectual Property Seminar - Microsoft … · © 2014 Husch Blackwell LLP. All Rights Reserved....

© 2014 Husch Blackwell LLP. All Rights Reserved.

1

Intellectual Property SeminarDecember 3, 2014

Mobile Applications: Conception to Launch

Bob Bowman


2

Mobile Applications: Conception

“IDEA” What the Application does How it works Who will use it Examples: Information Transactional Fully Interactive

Mobile Applications: Development

Application Development Agreements Features and Functionalities

Heart of the Contract However, typically included as an Exhibit

Equivalent of a Builder’s Blueprints Defines the scope of development Lets the developer know what to develop Lets the customer know what they are getting

The more specific, the less likelihood for misunderstandings


3


Project is broken into discrete parts or stages called “milestones”

Developer must deliver work product or “deliverables” at completion of each milestone

Payment often paired with completion of a milestone

Examples of Deliverables Project plan Flow charts, wire frames, GUI designs Core Framework Extensions, databases and libraries


Testing and Acceptance: Permits customer to test software to ensure

compliance with functional and performance specifications

Scope of testing

Procedures and timeframes to accept/reject/correct

Remedies for noncompliance


4


Ownership and Licensing Software programs are often a combination of custom

(new) aspects and base (pre-existing) aspects Custom aspects typically assigned to customer Base aspects typically licensed to customer

The more custom code developed, the more we suggest attempting to obtain ownership rights in the custom code

Beware of: Third-party software Open source software (more on this later) Offshore development


Development Agreement: Other Considerations Representation and Warranties

Title / Right to assign and license Non-infringement Application will conform to Functional and Performance

Specifications (tie to Exhibit) Third-party software and open source software No Viruses / Malicious Technology

Indemnification

Limitation of Liability (carve out for IP infringement)


5

Mobile Applications: Prior to Launch

Business Considerations How to govern the use of the Application

Who are the users?

What information will be collected through the Application


Governing the use of the Application Terms of Use

Privacy Policy

Failure to Use

These are Like Operating with No Transaction Contract, Default Liability, Default Warranties

Who will be using the Application? International users


6


Terms of Use Spell Out the Conditions on User’s Use of the Application. Information Only Applications – Not too Complicated Transactional Applications – Sets forth the terms of the transaction. Interactive Applications – More complicated when allowing users to post

content Governs Acceptable Activities and Uses Disclaimer of Warranties Limitation of Liability User Indemnification Interactive Applications (User Posts Content) Sets forth ownership of postings and any usage license Allows control of content subject matter

Provides opportunity to obtain safe-harbor under DMCA if allowing users to post content


Privacy Policy Generally describes what information you are collecting, why you

are collecting it, and how you are using it.

Needs to reflect Operator’s actual practices, no “cut and paste” privacy policy, no recycling of old privacy policy

Needs to reflect the actual technology used in the Application

Operating systems, information collection methodologies

Historically, was provided as customer service

Now becoming more of a defensive mechanism and/or legal requirement in most jurisdictions.

Enforced in U.S. by F.T.C. under the unfair trade practices act.


7


State Specific Privacy Policy Concerns California Privacy Laws Notice required if distributing customer contact information to

Third Parties for direct marketing purposes Includes affiliates, subsidiaries, or other related companies.

Upon request, Vendor has to provide each California Resident a list of entities to whom it has distributed person’s information Can be standardized

Limited to once per year

Utah Requires notice of giving user’s info to third parties


International Privacy Policy Concerns Most foreign countries have Privacy Laws that are more

strict than in the U.S.

If offering products or services internationally, a review of compliance is suggested

Based Upon a “Notice” and “Consent” system Require “Express” Consent

Click-Thru

Explicit Notice

Privacy Policy becoming more important.


8


International Privacy Policy Concerns The following are violations of European Privacy Law Collection and storage of a citizen’s information without notice

and express consent

Transmitting/storing a citizen’s personal information outside of E.U. (the transfer of data from an EU citizen’s computer to a server in the U.S.)

Violations can incur substantial fines: Mexico: Fines up to $1.5 million for violations of its privacy law.

Google Fines: Around $1.5 Million in Spain because its privacy policy did not comply with legal requirements No finding that they misused personal information, just technicalities

related to the privacy policy.

Mobile Application: Launch

Hosting Third Party Hosting, hosting agreement

Service Level Agreement (SLA)

Uptime requirement (e.g., 99.9% - that’s 8.76 hours of down time per year) Penalties if not met

Data integrity and backup

Standard of Security Measures


9

Mobile Application: Launch

Maintenance and Support Specify the scope Updates, modifications, design changes, remedying errors

Availability Normal business hours or 24/7

Type of staff available Escalation levels based on severity Priority levels and response times

Pricing Commencement of support and payments

Mobile Application: Conclusion

Conclusion:

All items dependent upon the functionalities and the scope of the mobile application.

Best to consult an attorney at the beginning of the process so that all considerations are addressed.

Questions?


10

Not Your Father’s Quill and Scroll: The Electronic John Hancock

Nathan Oleen

What is an Electronic Signature?

Electronic sound, symbol, or process Attached to or logically associated with a

contract or other record Executed or adopted by a person With the intent to sign the record

ESIGN: 15 U.S.C. § 7006(5)UETA: § 2(8)


11




12

Digital Signature

Type of electronic signature

Involves asymmetric “dual key” encryption and creation of: Private key to create

a digital signature, and

Public key to verifythe digital signature

Federal and State Statutes

Uniform Electronic Transactions Act (UETA)

Electronic Signatures in Global and National Commerce Act (ESIGN)

Both give contracting parties broad discretion to select the method of signature


13

UETA

Adopted by every state, except Illinois, New York and Washington

UETA

Scope Only applies to “transactions” between two or

more persons

Does not apply to wills or trusts


14

UETA

Three pillars A record or signature may not be denied legal

effect or enforceability solely because it is in electronic form

If a law requires a record to be in writing, an electronic record satisfies the law

If a law requires a signature, an electronic signature satisfies the law

ESIGN

Designed to preempt state law (UETA) for all transactions “in or affecting interstate or foreign commerce” Scope Generally same as UETA However, does not apply to purely “intrastate”

transactions.

Three pillars Generally same as UETA


15

Primary Considerations

Consent

Authentication / Verification

Attribution / Form of Signature

Consent

“Opt-in”; affirmative consent required Hand written signature alternative must be

provided

Business-to-Business Transactions

Consumer Transactions Heightened requirements for consent

disclosures


16

Authentication / Verification

Variety of methods for identifying the signing party

Spectrum of options (non-exhaustive; not to scale)

No authentication Dual emails w/ unique secured website link and PIN

PKI / Digital certificate

BiometricsSingleemail

Attribution / Form of Signature

Must establish signer intended to sign and be bound

Spectrum of options (non-exhaustive; not to scale)

/s/ John Doe/John Doe/

PKI / Digital certificate

“I Accept” button


17

Designing an Electronic Signature Process

**No “one-size-fits-all” approach**

Balance between (a) risk aversion and (b) usability Risk of repudiation, risk of loss of records

vs.

Functionality, convenience, cost

Designing an Electronic Signature Process

Considerations Relationship of the parties

Hardware and software being employed

Sophistication of the parties

Nature of transaction

Liability exposure

Extent to which surrounding circumstances will validate the transaction


18

Notaries

UETA and ESIGN permit use of electronic signature by notaries

However, they do not override state law requirements (e.g., signer must personally appear before notary, etc.)

A Few Vendors

Adobe EchoSign DocuSign Assure Sign Salanis eOriginal AlphaTrust

*Not an endorsement of these vendors


19

2014: Changing IP Landscape

Kris Kappel

Significant Supreme Court Cases of 2014

Alice Corp. Pty. Ltd. v. CLS Bank Int’l., 134 S. Ct. 2347 (2014)

Petrella v. Metro-Goldwyn-Mayer, Inc., 134 S. Ct. 1962 (2014)

Lexmark Int’l v. Static Control Components, Inc., 134 S. Ct. 1377 (2014)


20

Alice Corp. Pty. Ltd. v. CLS Bank Int’l., 134 S. Ct. 2347 (2014)

Case Background Business method patent (examples: electronic shopping

methods, computer software, financial transactions)

Challenges to business method patents has continued to increase

Patents at issue in Alice disclosed a computer-implemented scheme for mitigating settlement risk in financial trading systems

The Court considered whether the computer-implemented claims where patent eligible under 35 U.S.C § 101

New Two-Part Test The Court set forth a two-part test in

evaluating patentable subject matter for computer implemented inventions:1) Determine whether the claims at issue are

directed to one of the patent-ineligible concepts;

2) Determine if the elements of the claims transform the nature of that claims into a patent-eligible application


21

Relevance

Issued patents and pending patent applications for computer-implemented methods need to have more than just a computer involved in the process and should be reviewed Software-related patents hindering your

business may now be subject to attack Valuation of issued patents involving

computer-implemented methods

Jim Bessen, What the Courts Did to Curb Patent Trolling – for Now, The Atlanta, December 1, 2014


22

Jim Bessen, What the Courts Did to Curb Patent Trolling – for Now, The Atlanta, December 1, 2014

Petrella v. Metro-Goldwyn-Mayer, Inc., 134 S. Ct. 1962 (2014)

Case Background Paula Petrella (daughter of Frank Petrella)

filed suit against MGM alleging copyright infringement related to rights in the screenplay for the film “Raging Bull” Mr. Petrella co-wrote two screenplays and a

book based on retired boxer, Jake LaMotta’s life They registered the works, which MGM

acquired through various assignments


23

Petrella’s Suit

Under the Copyright Act there is a three-year statute of limitation

Petrella waited 18 years to file suit against MGM, but only sued for the preceding three-years of damages

District court granted summary judgment to MGM under the doctrine of laches due to the 18-year delay

Holding/Relevance

The Court found that laches could not properly bar Petrella’s claim for damages because she was only suing for the previous three years of damages

Directly impacts copyright infringement litigation

Could have a broader effect on the doctrine of laches


24

Lexmark Int’l v. Static Control Components, Inc., 134 S. Ct. 1377 (2014)

Case Background Lexmark manufactures laser printers and

designed a microchip for its cartridges in an effort to prevent “remanufacturers” from selling refurbished toner cartridges

Static Control developed a microchip that mimics Lexmark’s chip

Lexmark sued Static Control alleging violation of the Copyright Act and Digital Millennium Copyright Act

Static Control filed a counterclaim for false advertising under the Lanham Act, claiming Lexmark made false or misleading statements on the legality of refurbished cartridges


25

Holding The Court affirmed the Sixth Circuit’s holding that

Static Control had standing because it “alleged a cognizable interest in its business reputation and sales to remanufacturers and sufficiently alleged that those interests were harmed by Lexmark’s statements to the remanufacturers that Static Control was engaging in illegal conduct.”

For a party to have standing under the Lanham Act for a false advertising claims, they must plead injury to a commercial interest in sales or business reputation caused by the defendant’s misrepresentations

Relevance

The Court’s decision will deter forum shopping on the standing issue in Lanham Act false advertising matters

Broaden scope of standing in those circuits that previously required the claims must be brought by “competitors”

Individuals can not bring false advertising claims under the Lanham Act itself


26

Trademark Cases to Watch First cases taken by the Supreme Court in 10 years B&B Hardware Inc. v. Hargis Industries, Inc., 716 F.3d

1020(8th Cir. 2013), cert granted, 134 S. Ct. 2899 (2014) Does an earlier likelihood of confusion ruling by the Trademark

Trial and Appeal Board on the registration question preclude a later, opposite confusion ruling on the infringement question?

Hana Financial, Inc. v. Hana Bank, 735 F.3d 1158 (9th Cir. 2013), cert granted, 134 S. Ct. 2842 (2014) Does a judge or jury determine whether a trademark may claim

the priority date of an older mark through tacking? Tacking is where a trademark owner is allowed to claim priority

back to an earlier, similar version of a mark, as long as the marks are not sufficiently materially different.


27

Inter Partes Review – Your Best Defense?

Bill Kircher and Patrick Kuehl

Similarities and Differences in Practice in the PTAB and in the

Courts

Based on AIPLA Studies


28

Overview

1. Grounds for claims

2. Time to decision

3. Bringing a claim

4. Burden of proof

5. Claim construction

6. Discovery

7. Evidence

Post-Grant Proceedings

Inter Partes Review• anticipation and obviousness

(102 and 103)• patents and printed

publications• reasonable likelihood of

prevailing

Post Grant Review• filed on or after March 16, 2013• any grounds of unpatentability• must be filed within 9 months of

grant• more likely than not or important legal issue

Covered Business Method• method or process claim (software)• financial product or service• must be sued or charged with

infringement• more likely than not or important issue

Post-GrantProceedings


29

Grounds


Inter Partes Review: Anticipation and obviousness

(§§102 and 103)

Printed publication

Post Grant Review: Any grounds of unpatentability

can be brought

Litigation Resolve any infringement

issues

Any grounds of invalidity

Time to Decision


Inter Partes Review: 12 – 18 months to final

decision

Post Grant Review: 12 – 18 months to final

decision

Litigation Jurisdiction dependent

Approximately 3 years (average time to trial in U.S. District Courts)


30

Bringing a Claim


Inter Partes Review: Reasonable likelihood would

prevail as to at least one claim

Post Grant Review: More likely than not at least

one claim is unpatentable; OR

Important issue

Litigation Rule 11 basis to bring claim

Courts will resolve all pending claims and defenses

Burden of Proof

Post-Grant ProceedingsInter Partes Review: Preponderance of the evidence

No presumption of validity

No deference to the examiner

De novo review

Post Grant Review: Preponderance of the evidence

No presumption of validity

No deference to the examiner

De novo review

Litigation Clear and convincing evidence

Presumption of validity (35 U.S.C. § 282)


31

Claim Construction

Post-Grant ProceedingsInter Partes Review: Broadest reasonable interpretation Prosecution history generally

irrelevant Preliminary claim construction at

petition decision

Post Grant Review: Broadest reasonable interpretation Prosecution history generally

irrelevant Preliminary claim construction at

petition decision

Litigation Interpreted in view of the

intrinsic record

Prosecution history is considered

Timing is court dependent

Discovery


Inter Partes Review: Limited discovery permitted

Standard: “in the interest of justice”

Post Grant Review: Limited discovery permitted

Standard: “in the interest of justice”

Litigation Broad discovery permitted

(Rule 26 Fed. R. Civ. P)

Standard: “good cause”


32

Evidence


Inter Partes Review: No live testimony

Declarations

Deposition testimony

Post Grant Review: No live testimony

Declarations


Litigation Live testimony permitted


Other evidence

Parallel Patent-Related Proceedings in the PTO and in Litigation

Intellectual Property Law


33

CAFC’s In Re Baxter Holding (2012)

The significance of the Federal Circuit’s 2012 In re Baxter decision is that it confirmed the 2008 CAFC panel decision In re Swanson, specifically the principal that the reexaminations and reviews at the Patent Office are not controlled by earlier District Court judgments of validity, even if those earlier judgments are affirmed by the Federal Circuit. The decision also spelled out several other significant points.

In the courts, a party seeking to invalidate a patent must present “clear and convincing evidence” that the patent is obvious or anticipated; this is the highest standard in civil litigation. In reexamination, a party seeking to invalidate a patent must present only “a preponderance of evidence” that the patent is obvious or anticipated, a lower level of proof, sometimes described as “more likely than not.”


34

In the courts, claims are construed according the CAFC decision in Phillips, but in reexamination, claims are given “broadest reasonable construction.” This broader construction of claims in reexamination makes them more vulnerable to prior art attack.

Because of these different standards, the CAFC might reach one conclusion regarding patent validity on an appeal from the courts, but reach a different conclusion on the same issue on an appeal from a reexamination proceeding at the PTO.

The PTO is not barred from conducting a reexamination by an earlier judgment in the courts that the patent is valid.


35

The Fresenius v. Baxter decision goes beyond Swanson and Baxter, permitting an accused infringer to avoid an adverse damages judgment in District Court by succeeding in a reexamination or review proceeding at the Patent Office, provided that the judgment is not “final.”

In light of the PTO’s cancellation of the asserted ‘434 claims, and of the fact that the infringement suit remains pending before the CAFC, the CAFC found that Baxter no longer has a cause of action. Accordingly, the CAFC vacated the trial court’s judgment, remanding the case with instructions to dismiss. Baxter conceded that cancellation of a patent claim moots any pending infringement litigation.


36

On the other hand, Baxter insisted, cancellation of the asserted claims in this case does not have any effect at this moment in the infringement litigation, because the validity of the ‘434 patent and Fresenius’ infringement of that patent were conclusively decided in 2007. According to Baxter, the trial judge’s 2007 judgment is “final” and “binding” on the parties. Invoking notions of res judicata, Baxter asserted that “the liability determination and Past Damages Award are now final and Fresenius is precluded from relitigating those issues.”

The subsequent remand to the trial court did not end the controversy between the parties, or leave “nothing for the court to do but execute the judgment.” “To the contrary, we left several aspects of the district court’s original judgment unresolved, including royalties on infringing machines, royalties on related disposables, and injunctive relief ... where the scope of relief remains to be determined, there is no final judgment binding the parties (or the court).”


37

Judge Dyk then reviewed the relevant case law, including the CAFC’s 1994 decision in Mendenhall v. Barber-Greene, concluding any decision on validity and infringement, where “further damages proceedings [are incomplete,] is not a final judgment.”

In March Baxter petitioned the Supreme Court for certiorari, putting the following questions to the Court:

Whether an Article III court’s final judgment may be reversed based on the decision of an administrative agency.

Whether a final determination of liability that has been affirmed on appeal may be reversed based on the decision of an administrative agency merely because an appeal regarding the post-verdict remedy is pending.

In May the Supreme Court denied cert. leaving the CAFC’s decision intact.


38

Comparison of Post-Grant Review to EPO Opposition

Post-Grant Review EPO OppositionTiming of Filing 9 months from patent grant 9 months from publication of patent grant

Filing fee $30,000 for up to 20 claims EUR 775

Identity Requires identification of the real-party-in-interest Any third party; can remain anonymous

Possible Bases for Request

Patent-eligible subject matter (§101), anticipation (§102), obviousness (§103) and requirements of §112, other than best mode (not limited to patents and printed publications)

Novelty, inventive step or industrial applicability, non-patentable subject matter or matter offensive to public interest or morality, insufficient disclosure

Adjudicating Group Patent Trial and Appeal Board composed of administrative law judges 3 patent examiners, at least two of which did not take part in the examination of the original patent

Right to amend Limited; Patent owner has right to file claim amendments once More liberal; Patent owner has right to file multiple claim amendments (main and auxiliary requests)

Discovery Limited discovery available Not available

Time toCompletion

Decision must be reached within one year Average time to completion is about 3-5 years (without appeals)

Right to Appeal Either party can appeal. Appeal goes directly to the U.S. Court of Appeals for the Federal Circuit

Either party can appeal. Appeal goes to the EPO Board of Appeals. No judicial recourse to an adverse EPO Board of Appeal decision.

Ability to Settle Parties retain ability to settle Parties retain ability to settle

Estoppel Effect Precludes challenger from raising in Challenger not estopped from raising same the PTO, district court, or USITC

Issues in subsequent litigation any issue that was “raised or reasonably could have been raised”


39

Lawyer Ethics & the Reasonable Information

Security Program

Peter Sloan and Wade Kerrigan

Dangerous World for Information


40

Verizon 2014 Data Breach Investigations Report

63,437 Security Incidents in 2013:

25% Miscellaneous Errors

20% Crime-ware

18% Insider Misuse

14% Physical Theft/Loss

6% Web App Attacks

3% Denial-of-Service Attacks

1% Cyber-espionage

<1% Point-of-Sale Intrusions

<1% Card Skimmers

12% Other


1,367 Security Breaches in 2013 with Confirmed Data Loss:

35% Web App Attacks

22% Cyber-espionage

14% Point-of-Sale Intrusions

9% Card Skimmers

8% Insider Misuse

4% Crime-ware

2% Miscellaneous Errors

<1% Physical Theft/Loss

0% Denial of Service Attacks

6% Other


41

“There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”

- FBI Director Robert Mueller, 2012

The Model Rules

“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

- Comment 8 to Rule 1.1, Competency


42

The Model Rules

“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

- Rule 1.6(c), Confidentiality of Information

The Model Rules

“The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”

- Comment 18 to Rule 1.6(c), Confidentiality of Information


43

The Model Rules

“When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.”


The Model Rules

“A partner in a law firm, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct.”

- Rule 5.1(a), Responsibilities of a Partner or Supervisory Lawyer


44

The Model Rules

“A lawyer having direct supervisory authority over another lawyer shall make reasonable efforts to ensure that the other lawyer conforms to the Rules of Professional Conduct….”

- Rule 5.1(b), Responsibilities of a Partner or Supervisory Lawyer

The Model Rules

“With respect to a nonlawyer employed or retained by or associated with a lawyer: (a) a partner, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person's conduct is compatible with the professional obligations of the lawyer ….”

- Rule 5.3(a), Responsibilities Regarding Nonlawyer Assistance


45

The Model Rules

“With respect to a nonlawyer employed or retained by or associated with a lawyer: …(b) a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer….”

- Rule 5.3(b), Responsibilities Regarding Nonlawyer Assistance

The Relevance of Reasonableness

Trade Secret Law

HIPAA

Gramm-Leach-Bliley Act

FACTA

COPPA

State PII Security Laws

U.S./EU Safe Harbor Framework

FTC Act § 5


46

Trade Secret Law

Trade secret status only exists if “reasonable measures” are taken to maintain the information’s secrecy.

- 18 U.S.C. § 1839(3)(A) (“The owner therefore has taken reasonable measures to keep such information secret”)

- UNIF. TRADE SECRETS ACT § 1(4)(ii) (“is the subject of efforts that are reasonable under the circumstances to maintain its secrecy”).

HIPAA Security Rule

Requires protection: o “against any reasonably anticipated threats or

hazards to the security or integrity” of electronic protected health information and

o “against any reasonably anticipated uses or disclosures of such information that are not permitted or required” under the HIPAA privacy rules.

- 45 C.F.R. § 164.306(a)(2)&(3).


47

HIPAA Security Rule

Covered entities and business associates: o must establish security measures “sufficient to reduce

risks and vulnerabilities to a reasonable and appropriate level….”

o may “use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified” in the Security Rule.

- 45 C.F.R. §§ 164.306(b) & 164.308(a)(1)(ii)(B).

FTC’s GLBA Safeguards Rule

Rule contains “standards for developing, implementing, and maintaining reasonableadministrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”

Comprehensive information security program must be “reasonably designed” to achieve the standards’ objectives.

- 16 C.F.R. § 314.1(a) & 314.3(a).


48

FTC’s FACTA Disposal Rule

Persons who maintain or possess consumer information comprising or derived from a consumer report for a business purpose must properly dispose of such information “by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”

- 16 C.F.R. §682.3(a).

FTC’s COPPA Rules

Operators of websites or online services directed to children “must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”

- 16 C.F.R. § 312.8.


49

State PII Security Laws

Must implement and maintain “reasonablesecurity procedures and practices, appropriate to the nature of the information concerned, to protect such information from unauthorized access, destruction, use, modification, or disclosure.”

- ARK. CODE ANN. § 4-110-104(b).

U.S./EU Safe Harbor Framework

“Organizations must take reasonableprecautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.”

- Security Principle, U.S./EU Safe Harbor Framework


50

FTC Act § 5

Prohibits “unfair or deceptive acts or practices in or affecting commerce.”

- 15 U.S.C. § 45(a)(1).

Unfairness requires that “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

- 15 U.S.C. § 45(n).

FTC Enforcement of FTC Act § 5

Company must establish a comprehensive information security program that is “reasonably designed to protect the security, confidentiality, and integrity” of consumer information.

- Consent Order at 3, In re Cbr Systems, Inc., FTC File No. 112-3120, No. C-4400 (F.T.C. April 29, 2013).


51

Why Reasonableness?

Different organizations in different industries face different security threats.


52


Top Incident Patterns per Industry, 2011-2013:

Retail Denial of Service

Point-of-Sale Intrusion

Web App Attack

Professional

Denial of Service

Cyber-espionage

Web App Attack

Healthcare Theft/Loss

Insider Misuse

Miscellaneous Error

Accommodation

Point-of-Sale Intrusion

Why Reasonableness?

Different organizations in different industries face different security threats.

Security threats are not static – they change over time, sometimes rapidly.


53


Most Prevalent Threat Actions per Year:

2009:

Spyware/Key Logger (malware)

Backdoor (malware)

Use of Stolen Credentials (hacking)

Capture Stored Data (malware)

2013:

Use of Stolen Credentials (hacking)

Export Data (malware)

Phishing (social engineering)

RAM Scraper (malware)


54

Flexibility Factors under Model Rule 1.6(c)

“the sensitivity of the information” “the likelihood of disclosure if additional safeguards are

not employed” ‘the cost of employing additional safeguards’” “the difficulty of implementing the safeguards” “the extent to which the safeguards adversely affect the

lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)”


Flexibility Factors Generally

The organization’s size and complexity, and the nature and scope of its activities The organization’s information security

capabilities The organization’s available resources

and the costs of security measures The amount and sensitivity of the

information at issue, and the degree of risk to its security


55

The Reasonable Information Security Program

A. An organization should identify the types of information in its possession, custody, or control for which it will establish security safeguards (“Protected Information”).



B. An organization should assess anticipated threats, vulnerabilities, and risks to the security of Protected Information.


56



B. An organization should assess anticipated threats, vulnerabilities, and risks to the security of Protected Information.

C. An organization should establish and maintain appropriate policies and administrative, physical, and technical controls to address the identified threats, vulnerabilities, and risks to the security of Protected Information.


D.An organization should address the security of Protected Information in its third-party relationships.


57



E. An organization should respond to detected breaches of the security of Protected Information.



E. An organization should respond to detected breaches of the security of Protected Information.

F. An organization should periodically review and update its policies and controls for the security of Protected Information.


58


A. Identify Protected Information

Information related to the Client (Model Rule 1.6) PHI of Covered Entities & Business Associates

(HIPAA) Nonpublic Customer Information (GLBA) PII (State Laws) FTC Enforcement under FTC Act § 5 Information given protected status by privacy notices

or contract Trade secret and business confidential information

State-level PII

Generally, state resident’s name combined with another identifier:

Social Security number,

driver’s or state identification number, or

financial or card number with access information


59

State-level PII

Additional combination elements: medical information (AR, CA, FL, MO, PR, & TX)

health insurance information (CA, FL, MO, ND, & TX)

unique biometric data/DNA profile (IA, NE, NC, TX, & WI)

taxpayer ID or other taxpayer information (MD & PR)

e-mail address & Internet account number or identification name (FL & NC)

employment ID number (ND)

birthdate ((ND & TX)

parent’s surname before marriage (NC, ND, & TX)

work-related evaluations (PR)


B.Assess Threats, Vulnerabilities, & Risks


60


C.Establish Policies and Administrative, Physical, and Technical Controls

Information Security Policy

Controls

Training

Testing

Information Security Controls

System Access

Physical Access

Encryption

Transmission Security

Mobile Devices & Portable Media

System Change Management

Employee Management

Environmental Risk

Monitoring & Detection

Retention

Disposal


61


D.Address Security in Third-party Relationships Selection

Contracting

Oversight

Security in Third-party Relationships

“A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.”



62

Third-party Security Considerations

Agreements with direct vendors

Upstream & downstream vendors & users

Cloud Computing Website terms & conditions

Indemnification Insurance – traditional & cyber

SSAE 16


63


E. Respond to Detected Breaches Breach Response Plan

Incident Identification, Investigation, & Response

Lessons Learned


F. Review and Update Policies and Controls

Intellectual Property Seminar - Microsoft … · © 2014 Husch Blackwell LLP. All Rights Reserved....

Documents

Transcript of Intellectual Property Seminar - Microsoft … · © 2014 Husch Blackwell LLP. All Rights Reserved....