Advanced Technology Seminar - Intellectual Property Online (Continued)
© 2014 Husch Blackwell LLP. All Rights Reserved.
Intellectual Property Seminar, December 3, 2014
Mobile Applications: Conception to Launch
Bob Bowman
Mobile Applications: Conception
“IDEA”
What the Application does
How it works
Who will use it
Examples: Information, Transactional, Fully Interactive
Mobile Applications: Development
Application Development Agreements: Features and Functionalities
Heart of the contract; however, typically included as an Exhibit
Equivalent of a builder’s blueprints:
Defines the scope of development
Lets the developer know what to develop
Lets the customer know what they are getting
The more specific the specification, the less likelihood of misunderstandings
Mobile Applications: Development
Project is broken into discrete parts or stages called “milestones”
Developer must deliver work product or “deliverables” at completion of each milestone
Payment often paired with completion of a milestone
Examples of Deliverables:
Project plan
Flow charts, wire frames, GUI designs
Core framework
Extensions, databases and libraries
Mobile Applications: Development
Testing and Acceptance: permits the customer to test the software to ensure compliance with the functional and performance specifications
Scope of testing
Procedures and timeframes to accept/reject/correct
Remedies for noncompliance
Mobile Applications: Development
Ownership and Licensing
Software programs are often a combination of custom (new) aspects and base (pre-existing) aspects
Custom aspects typically assigned to the customer
Base aspects typically licensed to the customer
The more custom code developed, the more we suggest attempting to obtain ownership rights in the custom code
Beware of: third-party software, open source software (more on this later), offshore development
Mobile Applications: Development
Development Agreement: Other Considerations
Representations and Warranties:
Title / right to assign and license
Non-infringement
Application will conform to the Functional and Performance Specifications (tie to Exhibit)
Third-party software and open source software
No viruses / malicious technology
Indemnification
Limitation of Liability (carve out for IP infringement)
Mobile Applications: Prior to Launch
Business Considerations
How to govern the use of the Application
Who are the users?
What information will be collected through the Application?
Mobile Applications: Prior to Launch
Governing the use of the Application:
Terms of Use
Privacy Policy
Failure to use these is like operating with no transaction contract: default liability and default warranties apply
Who will be using the Application? International users
Mobile Applications: Prior to Launch
Terms of Use spell out the conditions on the user’s use of the Application.
Information-only applications: not too complicated
Transactional applications: set forth the terms of the transaction
Interactive applications: more complicated when allowing users to post content
Terms of Use govern acceptable activities and uses, and include a disclaimer of warranties, a limitation of liability, and user indemnification
Interactive applications (user posts content): set forth ownership of postings and any usage license; allow control of content subject matter
Provide the opportunity to obtain safe-harbor protection under the DMCA if allowing users to post content
Mobile Applications: Prior to Launch
Privacy Policy generally describes what information you are collecting, why you are collecting it, and how you are using it.
Needs to reflect the Operator’s actual practices: no “cut and paste” privacy policy, no recycling of an old privacy policy
Needs to reflect the actual technology used in the Application (operating systems, information collection methodologies)
Historically, was provided as customer service
Now becoming more of a defensive mechanism and/or a legal requirement in most jurisdictions
Enforced in the U.S. by the FTC under Section 5 of the FTC Act (unfair or deceptive acts or practices)
Mobile Applications: Prior to Launch
State-Specific Privacy Policy Concerns
California Privacy Laws:
Notice required if distributing customer contact information to third parties for direct marketing purposes; includes affiliates, subsidiaries, or other related companies
Upon request, the vendor has to provide each California resident a list of entities to whom it has distributed the person’s information (can be standardized; limited to once per year)
Utah: requires notice of giving a user’s information to third parties
Mobile Applications: Prior to Launch
International Privacy Policy Concerns
Most foreign countries have privacy laws that are more strict than in the U.S.
If offering products or services internationally, a review of compliance is suggested
Based upon a “notice” and “consent” system; require “express” consent: click-through, explicit notice
Privacy Policy becoming more important.
Mobile Applications: Prior to Launch
International Privacy Policy Concerns
The following are violations of European privacy law:
Collection and storage of a citizen’s information without notice and express consent
Transmitting/storing a citizen’s personal information outside of the E.U. (e.g., the transfer of data from an EU citizen’s computer to a server in the U.S.) absent an approved transfer mechanism such as the U.S./EU Safe Harbor Framework discussed later in this program
Violations can incur substantial fines:
Mexico: fines up to $1.5 million for violations of its privacy law.
Google fines: around $1.5 million in Spain because its privacy policy did not comply with legal requirements; no finding that Google misused personal information, just technicalities related to the privacy policy.
Mobile Application: Launch
Hosting: third-party hosting, hosting agreement
Service Level Agreement (SLA):
Uptime requirement (e.g., 99.9%, which still allows 8.76 hours of downtime per year) and penalties if not met
Data integrity and backup
Standard of security measures
Mobile Application: Launch
Maintenance and Support: specify the scope
Updates, modifications, design changes, remedying errors
Availability: normal business hours or 24/7
Type of staff available; escalation levels based on severity; priority levels and response times
Pricing; commencement of support and payments
Mobile Application: Conclusion
Conclusion:
All of these items depend upon the functionalities and the scope of the mobile application.
Best to consult an attorney at the beginning of the process so that all considerations are addressed.
Questions?
Not Your Father’s Quill and Scroll: The Electronic John Hancock
Nathan Oleen
What is an Electronic Signature?
An electronic sound, symbol, or process, attached to or logically associated with a contract or other record, executed or adopted by a person with the intent to sign the record
ESIGN: 15 U.S.C. § 7006(5); UETA § 2(8)
What is an Electronic Signature?
Digital Signature
Type of electronic signature
Involves asymmetric (public-key) cryptography and the creation of a key pair:
a private key, held by the signer, used to create the digital signature, and
a public key, shared with anyone who needs to check it, used to verify the digital signature
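The private-key/public-key split described above, shown as an added example that is not part of the original seminar materials: a Go program using the standard library’s Ed25519 implementation. The algorithm choice, the sample purchase-order text and the SignedRecord/NewSigner/Sign/Verify names are assumptions made for this example. It demonstrates the three properties that matter for attribution: only the holder of the private key can produce the signature, anyone holding the public key can verify it, and any alteration of the record after signing (or checking against the wrong party’s key) makes verification fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedRecord binds a record to the signature of a particular key holder.
// The public key identifies the signing key; the signature is the electronic
// "symbol or process" logically associated with the record. (Names assumed.)
type SignedRecord struct {
	Record    []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// NewSigner generates a key pair. The private key stays with the signer; the
// public key is what a counterparty (or a court) later uses to verify.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign creates the digital signature over the exact bytes of the record.
// The record is copied so later edits to the caller's buffer cannot change
// what was signed.
func Sign(priv ed25519.PrivateKey, record []byte) SignedRecord {
	return SignedRecord{
		Record:    append([]byte(nil), record...),
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, record),
	}
}

// Verify checks the signature using the public key only. It returns false if
// the record was altered after signing, if the signature was produced by a
// different private key, or if the key or signature has the wrong length
// (ed25519.Verify panics on a malformed public key, so the length is checked first).
func Verify(r SignedRecord) bool {
	if len(r.PublicKey) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(r.PublicKey, r.Record, r.Signature)
}

func main() {
	_, alicePriv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	_, bobPriv, err := NewSigner()
	if err != nil {
		panic(err)
	}

	// Constructed sample record; not a real transaction.
	contract := []byte("Purchase order #1 (sample): 100 units at $10, delivery 2014-12-15")
	signed := Sign(alicePriv, contract)
	fmt.Println("genuine record verifies:", Verify(signed))

	// Alteration after signing: changing the price breaks the signature.
	tampered := signed
	tampered.Record = []byte("Purchase order #1 (sample): 100 units at $1, delivery 2014-12-15")
	fmt.Println("altered record verifies:", Verify(tampered))

	// Attribution: Bob's public key does not verify a signature Alice made.
	misattributed := signed
	misattributed.PublicKey = bobPriv.Public().(ed25519.PublicKey)
	fmt.Println("Alice's signature checked against Bob's key:", Verify(misattributed))
}
```

Run with `go run`. Note what a bare key pair does not establish: verification proves that some holder of the private key signed, not which natural person that was. Tying the public key to a named signer is a separate step, which is what a certificate in the PKI option on the authentication spectrum supplies.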
Federal and State Statutes
Uniform Electronic Transactions Act (UETA)
Electronic Signatures in Global and National Commerce Act (ESIGN)
Both give contracting parties broad discretion to select the method of signature
UETA
Adopted by every state, except Illinois, New York and Washington
UETA
Scope: only applies to “transactions” between two or more persons
Does not apply to wills or trusts
UETA
Three pillars:
A record or signature may not be denied legal effect or enforceability solely because it is in electronic form
If a law requires a record to be in writing, an electronic record satisfies the law
If a law requires a signature, an electronic signature satisfies the law
ESIGN
Designed to preempt state law (UETA) for all transactions “in or affecting interstate or foreign commerce”
Scope: generally the same as UETA; however, does not apply to purely “intrastate” transactions
Three pillars: generally the same as UETA
Primary Considerations
Consent
Authentication / Verification
Attribution / Form of Signature
Consent
“Opt-in”; affirmative consent required
A handwritten signature alternative must be provided
Business-to-business transactions
Consumer transactions: heightened requirements for consent disclosures
Authentication / Verification
Variety of methods for identifying the signing party
Spectrum of options (non-exhaustive; not to scale)
No authentication
Single email
Dual emails with unique secured website link and PIN
PKI / digital certificate
Biometrics
Attribution / Form of Signature
Must establish signer intended to sign and be bound
Spectrum of options (non-exhaustive; not to scale)
Typed signature: “/s/ John Doe” or “/John Doe/”
“I Accept” button
PKI / digital certificate
Designing an Electronic Signature Process
No “one-size-fits-all” approach
Balance between (a) risk aversion and (b) usability:
Risk of repudiation, risk of loss of records
vs.
Functionality, convenience, cost
Designing an Electronic Signature Process
Considerations:
Relationship of the parties
Hardware and software being employed
Sophistication of the parties
Nature of transaction
Liability exposure
Extent to which surrounding circumstances will validate the transaction
Notaries
UETA and ESIGN permit use of electronic signature by notaries
However, they do not override state law requirements (e.g., signer must personally appear before notary, etc.)
A Few Vendors
Adobe EchoSign, DocuSign, AssureSign, Silanis, eOriginal, AlphaTrust
*Not an endorsement of these vendors
2014: Changing IP Landscape
Kris Kappel
Significant Supreme Court Cases of 2014
Alice Corp. Pty. Ltd. v. CLS Bank Int’l., 134 S. Ct. 2347 (2014)
Petrella v. Metro-Goldwyn-Mayer, Inc., 134 S. Ct. 1962 (2014)
Lexmark Int’l v. Static Control Components, Inc., 134 S. Ct. 1377 (2014)
Alice Corp. Pty. Ltd. v. CLS Bank Int’l., 134 S. Ct. 2347 (2014)
Case Background
Business method patents (examples: electronic shopping methods, computer software, financial transactions)
Challenges to business method patents have continued to increase
The patents at issue in Alice disclosed a computer-implemented scheme for mitigating settlement risk in financial trading systems
The Court considered whether the computer-implemented claims were patent eligible under 35 U.S.C. § 101
New Two-Part Test
The Court set forth a two-part test for evaluating patentable subject matter for computer-implemented inventions:
1) Determine whether the claims at issue are directed to one of the patent-ineligible concepts (laws of nature, natural phenomena, abstract ideas);
2) If so, determine whether the elements of the claims transform the nature of the claims into a patent-eligible application
Relevance
Issued patents and pending patent applications for computer-implemented methods need to have more than just a computer involved in the process and should be reviewed
Software-related patents hindering your business may now be subject to attack
Valuation of issued patents involving computer-implemented methods
Jim Bessen, What the Courts Did to Curb Patent Trolling – for Now, The Atlantic, December 1, 2014
Petrella v. Metro-Goldwyn-Mayer, Inc., 134 S. Ct. 1962 (2014)
Case Background
Paula Petrella (daughter of Frank Petrella) filed suit against MGM alleging copyright infringement related to rights in the screenplay for the film “Raging Bull”
Mr. Petrella co-wrote two screenplays and a book based on the life of retired boxer Jake LaMotta
They registered the works, which MGM acquired through various assignments
Petrella’s Suit
Under the Copyright Act there is a three-year statute of limitation
Petrella waited 18 years to file suit against MGM, but sued only for the preceding three years of damages
District court granted summary judgment to MGM under the doctrine of laches due to the 18-year delay
Holding/Relevance
The Court found that laches could not properly bar Petrella’s claim for damages because she was only suing for the previous three years of damages
Directly impacts copyright infringement litigation
Could have a broader effect on the doctrine of laches
Lexmark Int’l v. Static Control Components, Inc., 134 S. Ct. 1377 (2014)
Case Background
Lexmark manufactures laser printers and designed a microchip for its cartridges in an effort to prevent “remanufacturers” from selling refurbished toner cartridges
Static Control developed a microchip that mimics Lexmark’s chip
Lexmark sued Static Control alleging violations of the Copyright Act and the Digital Millennium Copyright Act
Static Control filed a counterclaim for false advertising under the Lanham Act, claiming Lexmark made false or misleading statements on the legality of refurbished cartridges
Holding
The Court affirmed the Sixth Circuit’s holding that Static Control had standing because it “alleged a cognizable interest in its business reputation and sales to remanufacturers and sufficiently alleged that those interests were harmed by Lexmark’s statements to the remanufacturers that Static Control was engaging in illegal conduct.”
For a party to have standing under the Lanham Act for a false advertising claim, it must plead injury to a commercial interest in sales or business reputation proximately caused by the defendant’s misrepresentations
Relevance
The Court’s decision will deter forum shopping on the standing issue in Lanham Act false advertising matters
Broadens the scope of standing in those circuits that previously required that claims be brought by “competitors”
Individual consumers cannot bring false advertising claims under the Lanham Act
Trademark Cases to Watch: first trademark cases taken by the Supreme Court in 10 years
B&B Hardware Inc. v. Hargis Industries, Inc., 716 F.3d 1020 (8th Cir. 2013), cert. granted, 134 S. Ct. 2899 (2014)
Does an earlier likelihood-of-confusion ruling by the Trademark Trial and Appeal Board on the registration question preclude a later, opposite confusion ruling on the infringement question?
Hana Financial, Inc. v. Hana Bank, 735 F.3d 1158 (9th Cir. 2013), cert. granted, 134 S. Ct. 2842 (2014)
Does a judge or jury determine whether a trademark may claim the priority date of an older mark through tacking?
Tacking is where a trademark owner is allowed to claim priority back to an earlier, similar version of a mark, as long as the marks are not materially different.
Inter Partes Review – Your Best Defense?
Bill Kircher and Patrick Kuehl
Similarities and Differences in Practice in the PTAB and in the Courts
Based on AIPLA studies
Overview
1. Grounds for claims
2. Time to decision
3. Bringing a claim
4. Burden of proof
5. Claim construction
6. Discovery
7. Evidence
Post-Grant Proceedings
Inter Partes Review
• anticipation and obviousness (§§ 102 and 103)
• patents and printed publications
• reasonable likelihood of prevailing
Post Grant Review
• available for patents issuing from applications filed on or after March 16, 2013
• any grounds of unpatentability
• must be filed within 9 months of grant
• more likely than not, or important legal issue
Covered Business Method
• method or process claim (software)
• financial product or service
• petitioner must have been sued or charged with infringement
• more likely than not, or important issue
Grounds
Post-Grant Proceedings
Inter Partes Review: anticipation and obviousness (§§ 102 and 103), based on patents and printed publications
Post Grant Review: any grounds of unpatentability can be brought
Litigation: resolves any infringement issues; any grounds of invalidity
Time to Decision
Post-Grant Proceedings
Inter Partes Review: 12 to 18 months to final decision
Post Grant Review: 12 to 18 months to final decision
Litigation: jurisdiction dependent; approximately 3 years (average time to trial in U.S. District Courts)
Bringing a Claim
Post-Grant Proceedings
Inter Partes Review: reasonable likelihood the petitioner would prevail as to at least one claim
Post Grant Review: more likely than not that at least one claim is unpatentable; OR an important issue
Litigation: Rule 11 basis to bring the claim; courts will resolve all pending claims and defenses
Burden of Proof
Post-Grant Proceedings
Inter Partes Review: preponderance of the evidence; no presumption of validity; no deference to the examiner; de novo review
Post Grant Review: preponderance of the evidence; no presumption of validity; no deference to the examiner; de novo review
Litigation: clear and convincing evidence; presumption of validity (35 U.S.C. § 282)
Claim Construction
Post-Grant Proceedings
Inter Partes Review: broadest reasonable interpretation; prosecution history generally irrelevant; preliminary claim construction at the petition decision
Post Grant Review: broadest reasonable interpretation; prosecution history generally irrelevant; preliminary claim construction at the petition decision
Litigation: interpreted in view of the intrinsic record; prosecution history is considered; timing is court dependent
Discovery
Post-Grant Proceedings
Inter Partes Review: limited discovery permitted; standard: “in the interest of justice”
Post Grant Review: limited discovery permitted; standard: “in the interest of justice”
Litigation: broad discovery permitted (Rule 26, Fed. R. Civ. P.); standard: “good cause”
Evidence
Post-Grant Proceedings
Inter Partes Review: no live testimony; declarations; deposition testimony
Post Grant Review: no live testimony; declarations; deposition testimony
Litigation: live testimony permitted; deposition testimony; other evidence
Parallel Patent-Related Proceedings in the PTO and in Litigation
CAFC’s In Re Baxter Holding (2012)
The significance of the Federal Circuit’s 2012 In re Baxter decision is that it confirmed the 2008 CAFC panel decision in In re Swanson, specifically the principle that reexaminations and reviews at the Patent Office are not controlled by earlier District Court judgments of validity, even if those earlier judgments are affirmed by the Federal Circuit. The decision also spelled out several other significant points.
In the courts, a party seeking to invalidate a patent must present “clear and convincing evidence” that the patent is obvious or anticipated; this is the highest standard in civil litigation. In reexamination, a party seeking to invalidate a patent must present only “a preponderance of the evidence” that the patent is obvious or anticipated, a lower level of proof, sometimes described as “more likely than not.”
In the courts, claims are construed according to the CAFC decision in Phillips, but in reexamination, claims are given their “broadest reasonable construction.” This broader construction of claims in reexamination makes them more vulnerable to prior art attack.
Because of these different standards, the CAFC might reach one conclusion regarding patent validity on an appeal from the courts, but reach a different conclusion on the same issue on an appeal from a reexamination proceeding at the PTO.
The PTO is not barred from conducting a reexamination by an earlier judgment in the courts that the patent is valid.
The Fresenius v. Baxter decision goes beyond Swanson and Baxter, permitting an accused infringer to avoid an adverse damages judgment in District Court by succeeding in a reexamination or review proceeding at the Patent Office, provided that the judgment is not “final.”
In light of the PTO’s cancellation of the asserted ‘434 claims, and of the fact that the infringement suit remains pending before the CAFC, the CAFC found that Baxter no longer has a cause of action. Accordingly, the CAFC vacated the trial court’s judgment, remanding the case with instructions to dismiss. Baxter conceded that cancellation of a patent claim moots any pending infringement litigation.
On the other hand, Baxter insisted, cancellation of the asserted claims in this case does not have any effect at this moment in the infringement litigation, because the validity of the ‘434 patent and Fresenius’ infringement of that patent were conclusively decided in 2007. According to Baxter, the trial judge’s 2007 judgment is “final” and “binding” on the parties. Invoking notions of res judicata, Baxter asserted that “the liability determination and Past Damages Award are now final and Fresenius is precluded from relitigating those issues.”
The subsequent remand to the trial court did not end the controversy between the parties, or leave “nothing for the court to do but execute the judgment.” “To the contrary, we left several aspects of the district court’s original judgment unresolved, including royalties on infringing machines, royalties on related disposables, and injunctive relief ... where the scope of relief remains to be determined, there is no final judgment binding the parties (or the court).”
Judge Dyk then reviewed the relevant case law, including the CAFC’s 1994 decision in Mendenhall v. Barber-Greene, concluding any decision on validity and infringement, where “further damages proceedings [are incomplete,] is not a final judgment.”
In March Baxter petitioned the Supreme Court for certiorari, putting the following questions to the Court:
Whether an Article III court’s final judgment may be reversed based on the decision of an administrative agency.
Whether a final determination of liability that has been affirmed on appeal may be reversed based on the decision of an administrative agency merely because an appeal regarding the post-verdict remedy is pending.
In May the Supreme Court denied cert. leaving the CAFC’s decision intact.
Comparison of Post-Grant Review to EPO Opposition
Timing of filing
  Post-Grant Review: 9 months from patent grant
  EPO Opposition: 9 months from publication of patent grant
Filing fee
  Post-Grant Review: $30,000 for up to 20 claims
  EPO Opposition: EUR 775
Identity
  Post-Grant Review: requires identification of the real party in interest
  EPO Opposition: any third party; can remain anonymous
Possible bases for request
  Post-Grant Review: patent-eligible subject matter (§ 101), anticipation (§ 102), obviousness (§ 103) and the requirements of § 112 other than best mode (not limited to patents and printed publications)
  EPO Opposition: novelty, inventive step or industrial applicability; non-patentable subject matter or matter offensive to public interest or morality; insufficient disclosure
Adjudicating group
  Post-Grant Review: Patent Trial and Appeal Board, composed of administrative patent judges
  EPO Opposition: 3 patent examiners, at least two of whom did not take part in the examination of the original patent
Right to amend
  Post-Grant Review: limited; patent owner has the right to file claim amendments once
  EPO Opposition: more liberal; patent owner has the right to file multiple claim amendments (main and auxiliary requests)
Discovery
  Post-Grant Review: limited discovery available
  EPO Opposition: not available
Time to completion
  Post-Grant Review: decision must be reached within one year
  EPO Opposition: average time to completion is about 3 to 5 years (without appeals)
Right to appeal
  Post-Grant Review: either party can appeal; appeal goes directly to the U.S. Court of Appeals for the Federal Circuit
  EPO Opposition: either party can appeal; appeal goes to the EPO Boards of Appeal; no judicial recourse from an adverse EPO Board of Appeal decision
Ability to settle
  Post-Grant Review: parties retain the ability to settle
  EPO Opposition: parties retain the ability to settle
Estoppel effect
  Post-Grant Review: precludes the challenger from raising in the PTO, district court, or USITC any issue that was “raised or reasonably could have been raised”
  EPO Opposition: challenger not estopped from raising the same issues in subsequent litigation
Lawyer Ethics & the Reasonable Information
Security Program
Peter Sloan and Wade Kerrigan
Dangerous World for Information
Verizon 2014 Data Breach Investigations Report
63,437 Security Incidents in 2013:
25% Miscellaneous Errors
20% Crimeware
18% Insider Misuse
14% Physical Theft/Loss
6% Web App Attacks
3% Denial-of-Service Attacks
1% Cyber-espionage
<1% Point-of-Sale Intrusions
<1% Card Skimmers
12% Other
Verizon 2014 Data Breach Investigations Report
1,367 Security Breaches in 2013 with Confirmed Data Loss:
35% Web App Attacks
22% Cyber-espionage
14% Point-of-Sale Intrusions
9% Card Skimmers
8% Insider Misuse
4% Crimeware
2% Miscellaneous Errors
<1% Physical Theft/Loss
0% Denial of Service Attacks
6% Other
“There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”
- FBI Director Robert Mueller, 2012
The Model Rules
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
- Comment 8 to Rule 1.1, Competency
The Model Rules
“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
- Rule 1.6(c), Confidentiality of Information
The Model Rules
“The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”
- Comment 18 to Rule 1.6(c), Confidentiality of Information
The Model Rules
“When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.”
- Comment 19 to Rule 1.6(c), Confidentiality of Information
The Model Rules
“A partner in a law firm, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct.”
- Rule 5.1(a), Responsibilities of a Partner or Supervisory Lawyer
The Model Rules
“A lawyer having direct supervisory authority over another lawyer shall make reasonable efforts to ensure that the other lawyer conforms to the Rules of Professional Conduct….”
- Rule 5.1(b), Responsibilities of a Partner or Supervisory Lawyer
The Model Rules
“With respect to a nonlawyer employed or retained by or associated with a lawyer: (a) a partner, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person's conduct is compatible with the professional obligations of the lawyer ….”
- Rule 5.3(a), Responsibilities Regarding Nonlawyer Assistance
The Model Rules
“With respect to a nonlawyer employed or retained by or associated with a lawyer: …(b) a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer….”
- Rule 5.3(b), Responsibilities Regarding Nonlawyer Assistance
The Relevance of Reasonableness
Trade Secret Law
HIPAA
Gramm-Leach-Bliley Act
FACTA
COPPA
State PII Security Laws
U.S./EU Safe Harbor Framework
FTC Act § 5
Trade Secret Law
Trade secret status only exists if “reasonable measures” are taken to maintain the information’s secrecy.
- 18 U.S.C. § 1839(3)(A) (“The owner therefore has taken reasonable measures to keep such information secret”)
- UNIF. TRADE SECRETS ACT § 1(4)(ii) (“is the subject of efforts that are reasonable under the circumstances to maintain its secrecy”).
HIPAA Security Rule
Requires protection:
o “against any reasonably anticipated threats or hazards to the security or integrity” of electronic protected health information and
o “against any reasonably anticipated uses or disclosures of such information that are not permitted or required” under the HIPAA privacy rules.
- 45 C.F.R. § 164.306(a)(2)&(3).
HIPAA Security Rule
Covered entities and business associates:
o must establish security measures “sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level….”
o may “use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified” in the Security Rule.
- 45 C.F.R. §§ 164.306(b) & 164.308(a)(1)(ii)(B).
FTC’s GLBA Safeguards Rule
Rule contains “standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”
Comprehensive information security program must be “reasonably designed” to achieve the standards’ objectives.
- 16 C.F.R. § 314.1(a) & 314.3(a).
FTC’s FACTA Disposal Rule
Persons who maintain or possess consumer information comprising or derived from a consumer report for a business purpose must properly dispose of such information “by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
- 16 C.F.R. §682.3(a).
FTC’s COPPA Rules
Operators of websites or online services directed to children “must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”
- 16 C.F.R. § 312.8.
State PII Security Laws
Must implement and maintain “reasonable security procedures and practices, appropriate to the nature of the information concerned, to protect such information from unauthorized access, destruction, use, modification, or disclosure.”
- ARK. CODE ANN. § 4-110-104(b).
U.S./EU Safe Harbor Framework
“Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.”
- Security Principle, U.S./EU Safe Harbor Framework
FTC Act § 5
Prohibits “unfair or deceptive acts or practices in or affecting commerce.”
- 15 U.S.C. § 45(a)(1).
Unfairness requires that “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
- 15 U.S.C. § 45(n).
FTC Enforcement of FTC Act § 5
Company must establish a comprehensive information security program that is “reasonably designed to protect the security, confidentiality, and integrity” of consumer information.
- Consent Order at 3, In re Cbr Systems, Inc., FTC File No. 112-3120, No. C-4400 (F.T.C. April 29, 2013).
Why Reasonableness?
Different organizations in different industries face different security threats.
Verizon 2014 Data Breach Investigations Report
Top Incident Patterns per Industry, 2011-2013:
Retail: Denial of Service; Point-of-Sale Intrusion; Web App Attack
Professional: Denial of Service; Cyber-espionage; Web App Attack
Healthcare: Theft/Loss; Insider Misuse; Miscellaneous Error
Accommodation: Point-of-Sale Intrusion
Why Reasonableness?
Different organizations in different industries face different security threats.
Security threats are not static – they change over time, sometimes rapidly.
Verizon 2014 Data Breach Investigations Report
Most Prevalent Threat Actions per Year:
2009:
Spyware/Key Logger (malware)
Backdoor (malware)
Use of Stolen Credentials (hacking)
Capture Stored Data (malware)
2013:
Use of Stolen Credentials (hacking)
Export Data (malware)
Phishing (social engineering)
RAM Scraper (malware)
Flexibility Factors under Model Rule 1.6(c)
“the sensitivity of the information”
“the likelihood of disclosure if additional safeguards are not employed”
“the cost of employing additional safeguards”
“the difficulty of implementing the safeguards”
“the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)”
- Comment 18 to Rule 1.6(c), Confidentiality of Information
Flexibility Factors Generally
The organization’s size and complexity, and the nature and scope of its activities
The organization’s information security capabilities
The organization’s available resources and the costs of security measures
The amount and sensitivity of the information at issue, and the degree of risk to its security
The Reasonable Information Security Program
A. An organization should identify the types of information in its possession, custody, or control for which it will establish security safeguards (“Protected Information”).
B. An organization should assess anticipated threats, vulnerabilities, and risks to the security of Protected Information.
C. An organization should establish and maintain appropriate policies and administrative, physical, and technical controls to address the identified threats, vulnerabilities, and risks to the security of Protected Information.
D. An organization should address the security of Protected Information in its third-party relationships.
E. An organization should respond to detected breaches of the security of Protected Information.
F. An organization should periodically review and update its policies and controls for the security of Protected Information.
The Reasonable Information Security Program
A. Identify Protected Information
Information related to the Client (Model Rule 1.6)
PHI of Covered Entities & Business Associates (HIPAA)
Nonpublic Customer Information (GLBA)
PII (State Laws)
FTC Enforcement under FTC Act § 5
Information given protected status by privacy notices or contract
Trade secret and business confidential information
State-level PII
Generally, state resident’s name combined with another identifier:
Social Security number,
driver’s or state identification number, or
financial or card number with access information
State-level PII
Additional combination elements: medical information (AR, CA, FL, MO, PR, & TX)
health insurance information (CA, FL, MO, ND, & TX)
unique biometric data/DNA profile (IA, NE, NC, TX, & WI)
taxpayer ID or other taxpayer information (MD & PR)
e-mail address & Internet account number or identification name (FL & NC)
employment ID number (ND)
birthdate (ND & TX)
parent’s surname before marriage (NC, ND, & TX)
work-related evaluations (PR)
The Reasonable Information Security Program
B. Assess Threats, Vulnerabilities, & Risks
The Reasonable Information Security Program
C. Establish Policies and Administrative, Physical, and Technical Controls
Information Security Policy
Controls
Training
Testing
Information Security Controls
System Access
Physical Access
Encryption
Transmission Security
Mobile Devices & Portable Media
System Change Management
Employee Management
Environmental Risk
Monitoring & Detection
Retention
Disposal
The Reasonable Information Security Program
D. Address Security in Third-party Relationships
Selection
Contracting
Oversight
Security in Third-party Relationships
“A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.”
- Comment 18 to Rule 1.6(c), Confidentiality of Information
Third-party Security Considerations
Agreements with direct vendors
Upstream & downstream vendors & users
Cloud Computing
Website terms & conditions
Indemnification
Insurance – traditional & cyber
SSAE 16
The Reasonable Information Security Program
E. Respond to Detected Breaches
Breach Response Plan
Incident Identification, Investigation, & Response
Lessons Learned
The Reasonable Information Security Program
F. Review and Update Policies and Controls