Friday, December 29, 2006

First Line of Defense Against Data Security Breaches: Employees [International]

As headlines continue to report data security breaches at an alarming rate, discussion often focuses on the need for enhanced technical controls, such as two-factor authentication and encryption, to protect sensitive, personally identifiable information. The role of the company employee, both as the cause of, and the first line of defense against, security breaches is often lost in the analysis. Yet developing law is increasingly requiring administrative or procedural controls, particularly those directed at employees, as a component of a legally compliant security program.

Employees can be the source of major threats to a company's data security. They need not be bad actors in order to compromise their company's data security. Often it is the innocent actions of employees (e.g., losing a laptop with key data unprotected or succumbing to a third party's social engineering techniques) that leave a company facing a breach situation. At the same time, employees are key to a company's successful compliance with various legal and administrative requirements involving data security.

A recent survey of the IT departments in 461 U.S. organizations conducted by the Ponemon Institute reported that the average annual cost of managing insider threats to data security is $3.4 million per organization. Further, more than 78 percent of respondents reported one or more unreported insider-related security breaches within their company. Latest Ponemon Institute Study Ties Lack of Awareness in Corner Office to Insider Threat Challenges, available at, Sept. 12, 2006.

Raising the stakes further, a growing number of legal and industry guidelines governing data security are in place across multiple industry sectors, requiring companies to implement data security controls directed at their employees. Failing to satisfy such obligations can leave a company vulnerable to lawsuits filed by third parties as well as enforcement actions by federal and state government agencies.

However, employees need not be viewed as an expensive companion threat to outsiders. Instead, if companies properly focus on key employee-related security controls and implement those controls in a reasoned and responsive manner, employees can be powerful assets to data security. Employees can assist companies with compliance requirements and, at the same time, help serve as an important line of defense from insider and outsider threats.


When designing a security program, developing law generally requires that companies address certain categories of security controls. Typically, that list includes employee procedures and controls designed to ensure employee honesty, education and proper job performance, and to prevent employees from compromising system security. The need for such controls is outlined in several federal statutes, regulations, administrative enforcement actions and industry guidelines spanning multiple industry sectors.

Implementing regulations for the Gramm-Leach-Bliley Act (GLB) requires covered financial institutions to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information. That assessment, at a minimum, must include employee training and management. See, e.g., FTC Safeguards Rule, 16 CFR 314.4(b)(1).

Likewise, implementing regulations for the Health Insurance Portability and Accountability Act requires covered entities to take a number of actions regarding employees under the heading of "administrative safeguards." The regulations require covered entities to (among other requirements):

"(1) apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity; (2) identify the security official who is responsible for the development and implementation of the policies and procedures required; (3) implement policies and procedures to ensure that all members of its work force have appropriate access to electronic protected health information and to prevent those members who do not have access from obtaining access to electronic protected health information." HIPAA Security Regulations, 45 CFR 164.308(a)(1)(ii)(C), (a)(2) and (a)(3)(i).

The Purchase Card Industry Data Security Standards (PCI Standards) require companies to "[m]aintain a policy that addresses information security for employees and contractors." Purchase Card Industry Data Security Standards, Version 1.1, Requirement 12. Under PCI Standards Requirement 12, companies must, for example, "develop usage policies for critical employee-facing technologies (such as modems and wireless devices) to define proper use of these technologies for all employees."

The FTC, in an enforcement action against Nationwide Mortgage Group Inc., found that the company violated the GLB Safeguards Rule in part by "stor[ing] customer information on a computer network accessible to all employees" and failing to "train employees on information security issues, or oversee the collection and handling of customer information by its loan officers." In the Matter of Nationwide Mortgage Group, Inc. and John D. Eubank, File No. 042-3104, Docket No. 9319 (FTC 2005).

In a similar GLB Safeguards Rule action brought against Sunbelt Lending Services Inc., the FTC found that Sunbelt failed "to implement reasonable policies and procedures in key areas, such as employee training and appropriate oversight of the security practices of loan officers working from remote locations." In the Matter of Sunbelt Lending Services, Inc., File No. 042-3153 (FTC 2005).

The Federal Financial Institutions Examination Council (FFIEC), a formal interagency body of the five key federal banking regulatory agencies empowered to prescribe uniform principles and standards for the federal examination of financial institutions, has created an IT Examination Handbook for use by examiners when evaluating a financial institution's risk management process. The handbook addresses the requirements for employee security in multiple areas. See Federal Financial Institutions Examination Council IT Examination Handbook, July 2006, available at Likewise, ISO 17799, an international standard for information security, requires multiple employee-related security controls. See BS ISO/IEC 17799: 2005.


In light of the above requirements, companies across a broad array of industry sectors should implement appropriate security controls aimed at the employee. These controls will form part of the foundation of a company's legal compliance effort and will become an integral part of that company's overall information security program. A review of the foregoing regulations, enforcement actions, and standards provides a good overview of best practice requirements likely to apply to any company seeking to satisfy its legal obligations to implement appropriate security. Below is a summary of some of the key employee-focused controls a company should consider.

Pre-hire background checks

Before an employee is hired, companies should consider whether background checks are appropriate, and if so, what information should be verified. For instance, the Handbook requires that all financial institutions, at a minimum, verify the information provided on job applications. Further, depending on the sensitivity of the job at issue and the access level to sensitive data that will be granted, the Handbook recommends a deeper investigation, including background and credit checks. According to the Handbook, the following checks are typically conducted as a matter of course: 1) character references, 2) criminal background checks, 3) confirmation of prior experience and education level and 4) confirmation of identity. Handbook, at p. 71. Likewise, ISO 17799 requires that "background verification checks on all candidates for employment ... [are] carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks." BS ISO/IEC 17799: 2005, at p. 23.

Background checks are an important first line of defense, especially for companies hiring employees that will have high-level access to sensitive data. While every company may not be required to conduct such a check, addressing whether one is necessary is an important consideration.

Comprehensive training and retraining

Once an employee is hired, proper training on the company's security policies and procedures is critical. Such training is an important component to any company's effort to implement reasonable security measures and is a requirement under the GLB Safeguards Rule. FTC Safeguards Rule, 16 CFR 314.4(b)(1). Similarly, the HIPAA regulations require companies to "implement a security awareness and training program for all members of its workforce (including management)." HIPAA Security Regulations, 45 CFR 164.308(a)(5)(i). Further, ISO 17799 requires companies to ensure that employees "are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems" and that they "are provided with guidelines to state security expectations of their role within organization …" BS ISO/IEC 17799: 2005, at p. 25.

Employees should not be hired and simply handed a thick security manual to digest. Instead, the employee should be offered comprehensive education programs that specifically relate to an employee's day-to-day security-related responsibilities. For example, if an employee has high-level access to sensitive data, procedures for accessing that data, processing that data, transferring that data and ultimately closing the access point to that data should be discussed and practiced. Further, employees should be trained on how to handle outsider threats such as social engineering, third party vendors and vulnerable locations such as airports. In addition, training should include a discussion of how to properly handle a breach once it has been discovered. Finally, training should not merely be a first day of work activity. Employees must also be continually retrained as technology and threats to that technology continue to evolve.

Contractual obligations

Ensuring that employees are contractually subject to appropriate obligations regarding confidentiality, nondisclosure and access to sensitive data, and that they clearly understand those obligations, is another important control. Contracts send a strong message to employees that security is an integral part of a company's operations and that they themselves are being held accountable. A company should consider using contracts that require employees to keep confidential their knowledge of key security information, including passwords and other access codes, remote access procedures and security vulnerabilities.

ISO 17799 recommends that such agreements address: 1) the type of information to be protected; 2) how long that information should be protected; 3) what occurs when the agreement terminates; 4) who will have access to the confidential information; 5) which party owns the confidential information; 6) how the confidential information may be used; and 7) how use of the confidential information can be monitored. ISO/IEC 17799: 2005, at p. 11.

Acceptable-use agreements that limit how an employee may use critical systems, and provide disciplinary consequences for noncompliance, are also important. According to the FFIEC, an acceptable-use policy often includes the following elements: "(1) the specific access devices that can be used to access the network; (2) hardware and software changes the user can make to their access device; (3) the purpose and scope of network activity; (4) network services that can be used and those that cannot be used; (5) information that is allowable and not allowable for transmission, using each allowable service; (6) bans on attempting to break into accounts, crack passwords, or disrupt service; (7) responsibilities for secure operation; and (8) consequences of noncompliance." Handbook, at p. 25.

Access control and monitoring

Proper employee access control limits the accessibility to a particular company asset to only those that require access on a need-to-use or event-by-event basis. According to the PCI standards, systems must be set to "deny all" except for those employees who do have a need-to-use. Purchase Card Industry Data Security Standards, Version 1.1, Requirement 7.2. HIPAA, in general terms, requires companies to implement policies and procedures that appropriately limit access to health information. HIPAA Security Regula-tions, 45 CFR 164.308(a)(3)(i). According to the Handbook, financial institutions should control access by: "(1) assigning users and devices only the access required to perform their required functions; (2) updating access rights based on personnel or system changes; (3) reviewing periodically users' access rights at an appropriate frequency based on the risk to the application or system; and (4) designing appropriate acceptable-use policies and requiring users to agree to them in writing." Handbook, at p. 22.

Monitoring of employee activities also helps to ensure that the access controls are in place and working effectively. ISO 17799 requires companies to monitor their systems and record information security events. Further, ISO 17799 calls for companies to: 1) "[use] operator logs and fault logging … to ensure information system problems are identified;" 2) "comply with all relevant legal requirements applicable to its monitoring and logging activities"; and 3) "[use] system monitoring … to check the effectiveness of controls adopted and to verify conformity to an access policy model." ISO/IEC 17799: 2005, at p. 55. Finally, GLB's regulations also weigh in on access control and monitoring, requiring financial institutions to design information safeguards that regularly test or monitor the effectiveness of security controls, systems and procedures. FTC Safeguards Rule, 16 CFR 314.4(b)(3)(c).

Proper use of remote devices

Employees who work out of the office may utilize devices that if used improperly or left unattended can create significant security threats. For example, employees may travel with laptops or USB hard drives that contain sensitive data available to anybody who picks up the device. Employees may also complete sensitive tasks while utilizing an unsecured home computer. It is important to provide employees with detailed policies and procedures on how to securely use technology outside of the office.

According to ISO 17799, a company's mobile computing policy should include requirements for physical protection, access controls, cryptographic techniques, backups and virus protection. In addition, the policy should include "rules and advice on connecting mobile facilities to networks and guidance on the use of these facilities in public places." ISO/IEC 17799: 2005, at p. 74.

Remote access can also mean that an employee is transferring data over a network connection. A company's remote access policies should address this potential vulnerability. HIPAA specifically addresses this component, requiring entities to implement security measures that guard against unauthorized access to electronically transmitted data. HIPAA Security Regulations, 45 CFR 164.312(e)(1). The handbook requires financial institutions to use strong authentication and encryption methods to secure communications (Handbook, at p. 50), and the PCI Standards require entities to utilize two-factor authentication before employees can gain remote access to systems. Purchase Card Industry Data Security Standards, Version 1.1, Requirement 8.3.

Employee policies should also be in place regarding how to handle the loss of such a device, including how to isolate the data loss to the greatest extent possible and how to properly report the loss.


Should a breach occur, it is important to have rules and procedures in place for employees while reporting and responding to security incidents. Considerations should include: 1) ensuring that the right personnel are notified and available to take action; 2) determining who is responsible for restoring systems and how that will be accomplished (including when it is appropriate to return sensitive data to the network); 3) how to maintain evidence of the breach; 4) how to respond to law enforcement, supervisory agencies, customers, service providers, potential victims, the press and others; and 5) when to involve outside experts. Further, many state laws require companies to report security breaches of a certain magnitude to the public. It is important to analyze these laws in light of the breach and determine whether it is necessary to inform the public.

The Handbook specifically instructs financial institutions to determine: "which personnel have authority to perform what actions in containment of the intrusion and restoration of the systems." Further, the Handbook requires the creation of escalation policies that address when different personnel within an organization will be contacted about a security incident and what their responsibilities will be. Handbook, at pp. 91-92. Moreover, according to ISO 17799:

"A formal information security event reporting procedure should be established, together with an incident response and escalation procedure, setting out the action to be taken on receipt of a report of an information security event. A point of contact should be established for the reporting of information security events. It should be ensured that this point of contact is known throughout the organization, is always available, and is able to provide adequate and timely response. All employees, contractors and third-party users should be made aware of their responsibility to report any information security events as quickly as possible. They should also be aware of the procedure for reporting information security events and the point of contact." ISO/IEC 17799: 2005, at p. 90.


When a company does identify an employee whose conduct has caused or is likely to cause a security issue, the company must take affirmative steps to address the situation, sanction the appropriate employee and move toward a resolution. These steps should include: 1) a thorough investigation of the employee activities at issue, including a look at that employee's past performance and disciplinary history; 2) proper discipline of the employee involved; and 3) retraining of the involved employee (if that employee remains with the company) as well as other employees with similar responsibilities or roles. If an employee is released, that employee should be required to return all company assets in his or her possession.

According to the HIPAA security regulations, entities must apply appropriate sanctions against employees that fail to comply with security policies and procedures. HIPAA Security Regulations, 45 CFR 164. 308(a)(1)(ii)(C). Further, ISO 17799 states that breaches should be a source of learning for companies and an occasion to implement policies and procedures that absorbs lessons-learned to address recurring or high-impact security incidents. ISO/IEC 17799: 2005, at p. 93.


Finally, in light of all the evolving legal requirements and technological threats to security discussed above, it is important for companies to ground security in the culture of their organization. This begins with the training process, but also requires an ongoing emphasis on the importance of security.

European Commission makes sweeping changes to codified law [EU]

European Commission makes sweeping changes

European Commission makes sweeping changes to codified law
* Directive 2006/114 of 12 December 2006 concerning misleading and comparative advertising (codified version) - in force from 12 December 2007

* Directive 2006/115 of 12 December 2006 on rental right and lending right and on certain rights related to copyright in the field of intellectual property - in force from 16 January 2007 (ie 20 days from the date of its publication of the Official Journal)

* Directive 2006/116 of the European Parliament and of the Council of 12 December 2006 on the term of protection of copyright and certain related rights (codified version) - in force from 16 January 2007 (ie 20 days from the date of its publication of the Official Journal)

Thursday, December 21, 2006

Registrar Refuses 'Rare Blend' Application [India]

Under the World Trade Organization Agreement on Trade-Related Aspects of Intellectual Property Rights wines and spirits are categorized separately and enjoy a higher level of protection than other products. Scotch is a well-known type of whisky and the Scotch Whisky Association, which is responsible for protecting Scotch whisky, registers the product worldwide. The association is vigilant in safeguarding and protecting the interests of its members, and has successfully challenged the registration of a number of brands worldwide, including in India.


In Srilab Breweries Pvt Ltd v Scotch Whisky Association (2006 (33) PTC 527 (Reg)) Srilab Breweries Pvt Ltd filed an application to register the mark RARE BLEND with the Trademarks Registry. The Scotch Whisky Association filed an opposition on the grounds that the term 'rare blend' is devoid of any distinctive character and thus is not registrable.

The association's main argument was that the word 'blend' is used to describe a whisky that is a mixture of two or more whiskys. Further, the term 'rare blend' is regularly used to indicate the quality of the product; therefore, it is common to trade and devoid of any distinctive character. The association also submitted that as early as 1860 it had used the word 'blend' in its trade. It also stressed that the word 'rare' is a common English word meaning excellent or uncommon. The association argued that the term 'rare blend' is internationally used as a descriptive term and thus cannot be termed a trademark under Section 2(1)(zb) of the Trademarks Act.


The deputy registrar of trademarks held that the term 'rare blend' is highly descriptive and characteristic of the goods in question, and thus cannot qualify for registration. It is a prevailing practice in the whisky trade to use 'rare blend' or 'blend' to describe the characteristics and quality of the goods. It is left open for other traders to use the term to describe their goods; therefore, no monopoly can be awarded to the words 'rare blend'. The deputy registrar further observed that as the mark had not yet been used by the applicant, no harm was likely to be caused to the applicant. In light of these observations, the registrar refused registration of the mark.


This decision shows that a mark which is devoid of any distinctive character or which is incapable of distinguishing the goods of one party from those of another constitutes grounds for refusal under Section 9 of the Trademarks Act. Further, any mark that indicates, for example, the quality or quantity of the goods is liable to be refused registration. The deputy registrar correctly observed that it is left to other traders to describe the nature and quality of their goods legitimately. An application for any mark that would hinder such freedom is liable to be refused.

Source :

Notifications concerning submission or transmittal of priority document (Form PCT/IB/304), and recording of changes (Form PCT/IB/306)

PatentScope Search Service now includes, for all international PCT applications filed from January 2006, the following forms:
  • PCT/IB/304: Notifications concerning submission or transmittal of priority document that is to say the date on which the priority document has been received and the indication whether the priority document is in compliance with Rule 17.1(a) or (b) of PCT Regulations.
  • PCT/IB/306: Notifications of the recording of changes (person, name, residence, nationality or address of the applicant, as well as person, name, or address of the agent, the common representative or the inventor) as received by the International Bureau before the expiration of 30 months from the priority date.

Publici Juris – In Pharma Products [India]

"Publici juris" is a Latin word, and in the legal parlance, means, "of public right." The term signifies a thing or a right that is open and exercisable by all persons. It designates things that belong to the entire community, and not to any private party.

Usually, common suffixes or prefixes do not come in the way of distinctiveness. The nature of certain trades may require common suffix/ prefix for the purpose of familiarity. The distinctive nature of the word would then depend on the remaining part of the word attached to these common suffixes and prefixes. A term would be considered as a prefix or suffix only if they are derived from common or generic words. It is in this scenario the case under comment comes into limelight. The Madras High Court in Apex Laborataries Ltd v. Zuventus Health Care Ltd, 2006 (33) PTC 492 (Mad.)(DB) ruled that "Zincovit" and "Zinconia" are two words phonetically dissimilar and the visual impressions are also different and hence, it is hardly likely to cause confusion.


Apex laboratories Limited (Appellants), the manufacturers of the Pharmaceutical products adopted trademark "Zincovit in 1988. It is their claim that they have at times filed case against infringement of their said mark and secured injunctions. In early 2006, they came to know that the respondents were carrying on trade under the trademark "Zinconioa." It is alleged that the respondents are guilty of infringement and passing off and hence have filed the civil suit and injunction.

The respondents on the other hand resisted the application raising the contention that there are several registered trademark owners registered with the word ‘Zinco." Further, there is no likelihood of confusion as there is no phonetic, visual or conceptual similarity is attached to the said marks. The exparte injunction already granted was vacated on the ground that there is no likelihood of confusion in the minds of the purchaser.

The appeal preferred by the Apex Laboratories is against the vacation of expatre injunction.


A catena of cases was cited for substantiating the contentions. The court referred to Ciba Geigy Limited & Hindustan Ciba-Geigy Ltd. v. Croslands Research Laboratories Ltd., 1995 IPLR 375; where the division bench granting the injunction held that EUGEL was strikingly similar to EMULGEL.


On the question of similarity, which being the moot issue in this case, the Court relied on Cadila Health Care Ltd. v. Cadila Pharmaceuticals Ltd., 2001 PTC 300(SC), where the apex court held that the drug even if sold under the prescription or only to the physicians cannot itself be considered as a sufficient ground against confusion. The factors to be adequately considered for deciding the question of similarity are

  1. The nature of marks i.e. where it is a word mark or label mark or composite mark;
  2. The degree of resemblances;
  3. The nature of goods;
  4. The similarity in nature, character, performance of rival traders;
  5. The class of purchasers;
  6. The mode of purchasing the goods;
  7. The other surrounding circumstances;

The court for buttressing the conclusion relied on Corn Products Refining Co. v. Shangria Food Products Ltd, AIR 1960 SC 142; where it was held that the question whether the two marks are likely to give rise to confusion or not is a question of first impression.

On the question of generic term and publici juris, the court buttressed the argument by relying on SBL LTD. v. Himalaya Drug Co, 1997 (17) PTC (DB) and Roche & Co. v. G. Manner & Co, AIR 1970 SC 2062; where it was categorically held that no one can claim an exclusive right to a generic term and the customer will not consider the common feature and would pay more attention to the descriptive features. It is common in the pharmaceutical trade that abbreviations for vitamins and chemical names are extensively used. The court observes that if the term is both descriptive and common to the trade, more attention is to be paid to the uncommon element in the two words, and then there would not be any confusion.

The present Court engineered with the above precedents held that as both the medical preparations contains ‘Zinc’ and that the word is common to the trade and hence it is definitely publici juris. The Apex Laboratories have no right to claim ownership over the above word and as both the trade names contain the word ‘Zinc, it would be dangerous to split the word into two and grant injunction. Cardboard cartons were produced before the court to substantiate the claim that there were broad dissimilarities and the court was convinced to the same. The court ruled that ‘Zincovit’ and ‘Zinconia’ are phonetically dissimilar and the visual impressions are also different and hence there is least chance for causing confusion and there by the appeal is dismissed.


The rules regarding deceptive similarity take a special connotation with regard to pharmaceutical trade names. As the drugs are prescribed by registered medical practitioners and dispensed by qualified pharmacists, the chances of confusion arising out of two products being deceptively similar are considerably reduced. To this extent, some similarity is allowed. Further many names are common to the trade and hence fall under publici juris, but it is always a matter of concern for the judiciary, where to draw the line, as whose impression is to be weighed, literates’ or illiterate’s, in deciding trademarks cases. It is clear from the precedents that the matter is not yet crystallized, and judicial mind is required to be exercised in each case according to the facts and circumstances.

"Interested Person" Under The Copyright Act, 1957 [India]

One of the important criteria for obtaining registration under the Copyright Act, 1957 is that, the application must include a statement accompanied by a certificate from the registrar to the effect that no trademark identical or deceptively similar to such artistic work has been registered under the Trademark Act. As per the Copyrights rules 1958, the person applying for the registration is required to give notice to any person who claims or has any interest in the subject matter. Now, the moot question is whether a rival trader is an interested person as per the Act and should notice be sent to him also. Sakthi Kulangara Match Workers Industrial Co-operative Society Ltd v. Arason Match Industries, 2006 (33) PTC 542 (CB); precisely discusses this issue.


The petitioners, Shakti Kulangra Match Association, (SKMWI) are a registered cooperative society, engaged in the business of manufacture and sale of safety matches started its functions from the year 1978. They adopted a trade label of three and four birds sitting on a branch of a tree and with the word marks ‘WE THREE’ and ‘WE FOUR’ respectively. They claim to use the said labels from 1983 onwards with the approval of Central Excise Authorities from time to time. The petitioners received a legal notice in 2001 from the respondents (Arasin Match Industries) alleging infringement of their trademark ‘WE TWO’ and carrying a similar trade label. Arason Match Industries further lodged a complaint before the Deputy Inspector General of Police alleging the violation of copyright under section 63 and 64 of the Act. The petitioners initiated a Writ petition seeking a direction to restrain the police from harassing them. In that Writ, the respondents (respondents here in were also made respondents in the writ), claimed that they are registered owners of the label "WE TWO" under the Copyright Act, 1957.

This being new information, the SKMWI, moved an application for expunging the entry in the register under section 50 of the Copyright Act.


SKMWI contended that the picture of the two birds sitting on a branch of a tree is a common picture, it has a limited way of expression and hence it lacks originality. Barring the legal notice in 2001, the SKMWI is using the trademark as well as the trade label uninterrupted. It is further contented that different producers of the matchbox are commonly using the picture of bird representing a family to create an image of household products.

The Arson Match Industries on the other hand contended that they were using the said label since 1956 and that the label of the SKMWI is only an adaptation of their Trademark.

On the question of interested persons the SKMWI submitted that they were very much interested persons and that it was mandatory that a notice about the proposed application for registration be sent to them, and that such concealment was with mala fide intentions. The Arason on the other hand argued that the SKMWI is infact an infringers and hence not entitled to notice.


The Court while addressing the question of interested person went into the intricacies of the Section 45 of the Copyright Act which mandates that in respect of an application for artistic works used or capable of being used in relation to any goods, a statement along with the certificate of Registrar of Trademark to the effect that no trademark identical with or deceptively similar to the artistic work has been registered under the act by any person other than the applicant himself. Further, Rule 16(3) make it explicitly clear that the person applying for registration under the Copy right Act shall give notice to every person who claims or has interest in the subject matter of the Copyright or disputes the right of the applicant.

The Copyright Act unlike Trademark Act, places heavy burden on the applicant. The Applicant as per section 45(1) is required to give a statement accompanied by a certificate from the Trademark registrar, about his rivals in the trade, to the effect that notrademark identical with or deceptively similar to his artistic work has been registered under the Act, by any other person other than the applicant himself. The rule has been further reinforced by the amendments brought out in 1992, which cast heavier duty upon the applicant to put his trade rivals to notice.

The court while finding the SKMWI an aggrieved person, buttress the finding by highlighting that as the respondent himself has initiated a complaint, alleging infringement of the copyright. The court ruled that an opponent is necessarily a person interested in the matter in an adversial system of dispensation of justice. The court also relied on the mandatory nature of rule 16(3) of the Copyright Rules, 1958.

It is clear from the provisions of the Copyright Act and Rules that a much heavy burden is cast upon the applicant and his duty to issue notice extends even to rival traders. One of the rationales for providing such stringent measures is to ensure that the applicant himself after obtaining registration faces no further difficulties.

Power Of Registrar To Accept Rectification Application During The Pendency Of Suit [India]

Sec. 57 of the Trade and Merchandise Marks Act, 1958 gives power to registrar to rectify the register. However, the plain reading of this section gives rise to a conflicting situation in light of section 107 of the Act, which puts a bar on power of registrar in this regard. The Intellectual Property Appellate Board, Chennai addressed the question of power of registrar to accept rectification application during a pendency of suit in High Court, in the of Sun Pharmaceutical Industries Ltd v. Stadmed Pvt.Ltd &Ors., 2006 (33) PTC 506 (IPAB).


The rectification application is filed by Stadmed Pvt.Ltd (respondent) against M/s Sun Pharmaceutical Industries Ltd who is the appellant in this case. The Sun pharmaceuticals are the manufacturers of medicines and medicinal preparations. They are selling the medicines under the registered trademarks ‘ALZOLAM’ and ‘ZOLAM’. . The trademark ‘ZOLAM’ was first applied and registered by a company named FDC Limited during 1986.The mark was later on assigned to one Mr.Harish Uchil who in turn assigned the said mark to the appellant. The petitioners are presently the proprietors of the said mark.

The appellant claims that they have filed an infringement suit against respondent in the High court of Calcutta for the infringement of said marks. However, the injunction granted in that case was ultimately vacated.

Later on, tadmed Pvt Ltd filed an application for rectification on the ground that the trade mark ‘ZOLAM’ is not distinctive and the same was registered without any bonafide intention to use and that there is infact no bonafide use of the said mark for the time being. One month before the date of application or that up to the date of one month before the date of application a continuous period of five years have elapsed during which the trademark ZOLAM was not used and hence, it is liable to be removed from the registrar. It was further pointed out that the application of the Stadmed to the said mark is pending before the registrar.

Respondent further preferred another application for rectification on the ground that the trademark ‘ALZOLAM’ was also not registrable as it is deceptively similar to the basic drug ‘ALPRAZOLAM’ and the registrar decided against respondent i.e. Stadmed Pvt. Ltd.

The case of the Sun Pharmaceuticals is that when the registrar had allowed the rectification of the mark a suit for the infringement of the same was pending before the High Court and, hence the application ought to have been made to the High Court as per Section107 of the Trade and Merchandise Marks Act 1958, and registrar have no jurisdiction to entertain the petition.

The Deputy registrar by his order held that the Act or Rules are silent as to whether the registrar should not deal with the rectification application or whether the same should be withdrawn and refiled while the suit is pending before the High Court, and hence proceeded with the matter and asked appellant to file counter statement. The registrar after recording the evidence, allowed the application for rectification for the trade mark ‘ZOLAM’ and disallowed the rectification application on ‘‘ALZOLAM’. The present appeal is against this order of Deputy Registrar.


The specific contention raised by the appellant is that the Deputy registrar had failed to appreciate that section 107(1) provides that in a suit for infringement, where the validity of the registration is questioned by the defendant, he issue of the validity has to be decided by an application made to the High Court. Hence, the deputy registrar ought to have dismissed the application as per the provisions of Section 107(1) of the Act and ought to have been referred the same to the High Court as per the Section 107(2) of the Act.

In order to buttress their argument they relied on the Whirlpool Corporation v. Registrar of Trademarks, Mumbai & Ors, 1998 PTC (18) 717 (SC); where the Court held that " The extent of jurisdiction conferred by the Section 56 of the Registrar to rectify the Register, is however, curtailed by Section 107 which provides that an application for rectification shall, in certain situation, be made4 only to the High court. These situations are mentioned in Sub-section (1) of section 107, namely where in a suit for infringement of the registered Trademark, the validity of the registration is questioned by the Defendant or the defendant, in that suit, raises the defense contemplated by section 30(1) (d) in which the acts which do not constitute an infringement, have been specified, and the plaintiff in reply to this defense questions the validity of the registration of defendant’s trademark. In these situations, the validity of the registration of the Trademark can be determined only by the High Court and not by the registrar".

On the other hand, respondent contented that they are carrying on with the manufacture of medicines and they had applied for the registration of the mark ‘ZOLAM’ which they have invented and adopted for pharmaceutical products since 1991. Further, it was pointed out that the said suit in the Calcutta High Court was stayed on the ground that an application for rectification is pending before the Registrar and this has not been challenged by Sun pharmaceuticals. It is alleged that the Sun pharmaceuticals have approached the court with unclean hands and hence the appeal is to be dismissed. Owing to the above facts, it is contented that the issue cannot be reopened.


The court placed its reliance on the Whirlpool Corporation case and held that the registrar have no power to entertain the application for rectification under section 107 of the Trade and Merchandise Marks Act, 1958 when the suit is pending before the High Court.


Section 107(1) and (2) of the Trade and Merchandise Act, 1958 categorically holds that when a suit for infringement is pending before the High Court the registrar has no power to entertain an application for rectification. The view of the deputy registrar that the Act or rules are not are not clear in this matter is unfounded. If a matter is pending before the higher court, it is the prerogative of that court to decide the matter and the lower court is not expected to make any observations in the same case. The objective is to give finality to the judgment of the Court and this seems to be the rationale for section 107(1) and (2). The case can also be considered as an example of purposive interpretation given to the two provisions.

Though the case is based on the Trade and Merchandise Marks Act, 1958 but the procedure with regard to powers of registrar for accepting a rectification application during Pendency of suit is similar in the Trade Marks Act, 1999 – the present Act in force. The corresponding section to 107 of Trade and Merchandise Marks Act, 1958 is section 125 of the Trade Marks Act, 1999 which states that "notwithstanding anything contained in section 47 or section 57, such application shall be made to the Appellate Board and not to the Registrar".

Sony BMG settles 'rootkit' case [US]

Sony BMG will settle a US lawsuit over its Digital Rights Management software for $750,000. The payment will end the suit brought against the record company by the attorneys general of Los Angeles county and California.

The record company was embroiled in controversy when 12.6 million of its CDs were sold containing software designed to restrict users' use of the music in order to protect the songs from being distributed online.

Users who put the CDs into their computers said that the software damaged their computers and potentially opened the door to hackers to break into their computers.

Some CDs included software known as XCP which installed a so-called rootkit on the user's computer. This is a technique more often used by virus writers hoping to conceal the existence of their software: files are hidden deep in the architecture of a computer's operating system, making them difficult to find and remove.

California and Los Angeles sued Sony BMG for not disclosing any information about the software or about the limit it placed on the numbers of copies consumers could make of the music contained on the CD. The suit also accused the company of false advertising, unfair competition and unlawful computer intrusion.

The settlement promises up to $175 to consumers in California who can provide documentation relating to the damage they say was done to their computers. On top of that the company will pay $750,000 to the attorneys general in fines and to pay legal fees.

The Californian suit was settled almost as soon as it was filed, said newswire AP, and some states, including Texas, still have outstanding suits against the company, though some cases are almost settled, said reports.

A key part of the case was the fact that consumers were not told that the CD they were buying would automatically install software on their PC. Sony BMG has agreed to warn users in future if it ever uses digital rights management technology again.

"They're requiring disclosures to consumers before sale on the CD packaging," Corynne McSherry, a staff attorney with the Electronic Frontier Foundation, told AP. "I think that's really crucial. Part of the whole background of the rootkit fiasco was that consumers just didn't know what they were getting into."

One of the recommendations of the review just conducted in the UK by former Financial Times editor Andrew Gowers was that any CD sold in the UK with digital rights management software on it carry a label clearly outlining that fact.

Companies must update information on websites [UK]

Companies in the UK must include certain regulatory information on their websites and in their email footers before 1st January 2007 or they will breach the Companies Act and risk a fine.

Every company should list its company registration number, place of registration and registered office address on its website as a result of an update to the legislation of 1985. The information, which must be in legible characters, should also appear on order forms and in emails. Such information is already required on 'business letters' but the duty is being extended to websites, order forms and electronic documents.

The change is being made by a Statutory Instrument that is expected to be passed on Thursday to implement a European law, the First Company Law Amendment Directive, into UK law. According to a Department of Trade and Industry spokesperson, the law will take effect on 1st January, one day later than the Directive requires.

The information is likely to appear in the footer of every email sent from a company, to avoid having to decide whether each email amounts to a 'business letter' or not. Many companies do this already because the term 'business letters' was thought likely to include emails even without this new clarification.

For websites, contrary to the fears of some, the specified information does not need to appear on every page. Again, many websites will already list the required information, perhaps on their 'About us' or 'Legal info' pages.

The E-commerce Regulations, passed in 2002, require that certain information is listed on a website, including, "where the service provider is registered in a trade or similar register available to the public, details of the register in which the service provider is entered and his registration number, or equivalent means of identification in that register".

That has been understood as including the company registration number and place of registration. The E-commerce Regulations also required a note of "the geographic address at which the service provider is established" – which many have taken to mean the registered office address.

However, the wording in the E-commerce Regulations is ambiguous compared to the new provisions. Further, many organisations' sites currently omit the information, perhaps making the mistake of thinking that the E-commerce Regulations do not apply to websites that do not sell online (in fact they apply to almost all websites).

Information that must be on your website: an aide memoire

The following is the minimum information that must be on any company's website (from OUT-LAW's guide, The UK's E-commerce Regulations).

  • The name, geographic address and email address of the service provider. The name of the organisation with which the customer is contracting must be given. This might differ from the trading name. Any such difference should be explained – e.g. " is the trading name of XYZ Enterprises Limited."

It is not sufficient to include a 'contact us' form without also providing an email address and geographic address somewhere easily accessible on the site. A PO Box is unlikely to suffice as a geographic address; but a registered office address would. If the business is a company, the registered office address must be included.

  • If a company, the company's registration number should be given and, under the Companies Act, the place of registation should be stated (e.g. "XYZ Enterprises Limited is a company registered in England and Wales with company number 1234567")
  • If the business is a member of a trade or professional association, membership details, including any registration number, should be provided.
  • If the business has a VAT number, it should be stated – even if the website is not being used for e-commerce transactions.
  • Prices on the website must be clear and unambiguous. Also, state whether prices are inclusive of tax and delivery costs.

Finally, do not forget the Distance Selling Regulations which contain other information requirements for online businesses that sell to consumers (B2C, as opposed to B2B, sales). For details of these requirements, see our guide, The Distance Selling Regulations - An Overview.

For help with email notices, such as disclaimers, see OUT-LAW's guide on Email notices.


Tuesday, December 19, 2006

ISP Liability in Piracy Case [Australia]

The Australian Full Federal Court yesterday confirmed a finding of infringement by authorising copyright infringement against the owners of a file-sharing website,, an ISP and their respective directors.

The court found that
"Mr Cooper [the director of MP3s4FREE] had power to prevent the communication of copyright sound recordings to the public in Australia via his website…. He had that power because he was responsible for creating and maintaining his MP3s4FREE website….It was not reasonably open to Mr Cooper to claim mere indifference to the use internet users made of the website”.
“E-Talk [the ISP] countenanced the infringing downloading by internet users who visited the website that it hosted.”
Likewise, the ISP’s director had failed to take reasonable steps to prevent the infringement.

World Wildlife Fund Fails To Obtain Transfer Of WWF.Com [UDRP]

A WIPO panel has rejected a complaint made by the World Wildlife Fund for Nature which had sought to obtain a transfer of the disputed domain name under the Uniform Domain Name Dispute Resolution Policy (UDRP). In reaching its decision, the panel considered that the current owner of the domain name had purchased it in good faith to use for a "Web Wrestling Forum" website and so refused to order the transfer of the domain name. The panel stated that, in cases where it was one party's word against the other, and where an injunction is necessary, the proper forum for the dispute was the courts.

The panel's decision is further evidence that, in applying the UDRP, experts increasingly view their role as limited to the assessment of disputes involving cybersquatters and, as such, they will not be drawn on issues of trade mark infringement or matters of litigation.

For analysis and comment on the WIPO decision in WWF-World Wide Fund for Nature v Moniker Online Services LLC and Gregory Ricks.


The Worldwide Fund for Nature (WWF) is a worldwide nature organisation and the owner of numerous trade marks for the letters WWF throughout the world. WWF had commenced a number of legal actions in recent years against the World Wrestling Federation (the Federation) over the use by the Federation of the WWF mark. In 2002, following breach by the Federation of a co-existence agreement, WWF obtained a court order which stated that the Federation should cancel or change its domain name registrations, or alternatively to transfer them to WWF. In relation to the domain name, the Federation failed to take any of these steps and instead offered the domain name for sale on an internet discussion forum website. The domain name was purchased by a Mr Ricks who first used the domain for a site containing links to third-party commercial sites and later for a discussion forum known as the "Web Wrestling Forum".

UDRP procedure

One forum available to hear disputes over generic top-level domain names, such as those ending in .com, .org, and .net, is the Arbitration and Mediation Centre of the World Intellectual Property Organisation (WIPO) under the Uniform Domain Name Dispute Resolution Policy (UDRP).

Under the UDRP, to obtain an order requiring the cancellation or transferral of a domain name, a complainant must prove each of the following three elements:

  • that it has rights in a trade mark which is identical or confusingly similar to the domain name;
  • that the owner of the domain name has no rights or legitimate interests in it; and
  • that the domain name has been registered, and is being used, in bad faith.
  • A respondent can demonstrate the existence of rights or legitimate interests in the disputed domain name where, among other things, the use of the domain name is in connection with an offering of goods or services in good faith, or where he is making a legitimate non-commercial or fair use of the domain name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trade mark.

    WIPO decision

    WWF filed a UDRP complaint against Mr Ricks (the Respondent), claiming, among other things, that his registration and ongoing use of a domain name corresponding to a well-known mark was made in bad faith and that he had no legitimate interests in the domain name.

    The WIPO panel rejected the complaint on the basis that there was insufficient evidence to establish that the Respondent was acting in bad faith when he registered the domain name, particularly given the length of time between the date of registration and the filing of the complaint by WWF and the fact that it was one party's word against the other. The fact that in 2002 the disputed domain name was on the market for sale and was not transferred to WWF, was an indication to the Respondent (and the public at large) that it had not been part of any court order made in the litigation. The WIPO panel also considered that the Respondent had shown "demonstrable preparations" to use the domain name for a legitimate purpose (the Web Wrestling Forum) before receiving notice of the WWF complaint.


    The decision in this case illustrates that, in applying the UDRP, WIPO experts wish to make it clear that they will not rule on issues of trade mark infringement or matters of litigation. This approach was also shown in the recent WIPO decision in Geoffrey Inc. v Not The Usual of 18 October 2006, in which a WIPO panel rejected a complaint by TOYS "R" US against the owner of the domain names and The panel affirmed that UDRP proceedings are for clear cases of cybersquatting and that the proper forum for resolving trade mark infringement or trade mark dilution disputes was the courts.

    WWF's delay in filing a complaint under the UDRP meant that the respondent was able to acquire legitimate rights in the domain name through his continued use of the site for what the panel viewed as a legitimate purpose. Even if the respondent's registration of the domain name was in bad faith, his subsequent use was not. This result should, therefore, serve as a warning to trade mark owners that they should file any complaint under the UDRP as soon as possible after learning of the registration or use of the domain name in question.

    Monday, December 18, 2006

    Podcasting Guidelines [IBM]

    IBM - Podcasting Guidelines

    The medium that has come to be known as podcasting -- like blogging -- offers individuals with low-cost, easy-to-use tools to publish content (in this case, audio content). As podcasting mirrors blogging in many ways, it is worth revisiting some points from IBM's Blogging Policy and Guidelines.

    Whether or not an IBMer chooses to create or participate in a blog or a wiki or other form of online publishing or discussion is his or her own decision. However, it is very much in IBM's interest -- and, we believe, in each IBMer's own -- to be aware of this sphere of information, interaction and idea exchange:

    • To learn: As an innovation-based company, we believe in the importance of open exchange and learning -- between IBM and its clients, and among the many constituents of our emerging business and societal ecosystem. The rapidly growing phenomenon of blogging and online dialogue are emerging important arenas for that kind of engagement and learning.
    • To contribute: IBM -- as a business, as an innovator and as a corporate citizen -- makes important contributions to the world, to the future of business and technology, and to public dialogue on a broad range of societal issues. As our business activities increasingly focus on the provision of transformational insight and high-value innovation -- whether to business clients or those in the public, educational or health sectors -- it becomes increasingly important for IBM and IBMers to share with the world the exciting things wee doing learning and doing, and to learn from others.

      In 1997, IBM recommended that its employees get out onto the Net -- at a time when many companies were seeking to restrict their employees' Internet access. We continue to advocate IBMers' responsible involvement today in this new, rapidly growing space of relationship, learning and collaboration.

    One of the defining attributes of the emerging Web 2.0 and social networking technologies is their ability to surface unique voices and points of view. IBM supports this democratization of communication and encourages IBMers to take advantage of this new capability in its various forms, as appropriate for their work and the sharing of their expertise.

    The basic IBM guidelines for blogging apply to podcasting as well. Of those, the most important one is that all IBMers must follow the Business Conduct Guidelines. Please be sure to review and understand the Business Conduct Guidlines before you begin blogging, podcasting or participating in wikis. However, because there are some special circumstances involved in working with audio files, these additional guidelines have been created to help IBM podcasters.

    Additional Guidelines for IBM Podcasters

    Do not podcast IBM Confidential material. Currently, there is no way to protect/encrypt audio files in a manner that meets IBM's security guidelines. Therefore, if you create and distribute audio files internally, anticipate that those files could be shared outside of IBM. Don record anything you wouldn disclose outside the company. Keep this in mind particularly if your internal podcast is meant to supplement or replace periodic departmental calls or meetings.

    Be mindful not only of what you say, but how you say it. Sometimes the way you say something -- the tone of your voice, such as a hint of sarcasm -- can be as revealing as what you say.

    Protect your privacy and the privacy of others. Make sure you don record any person without his or her consent and awareness. Surreptitiously recording and distributing conversations is a breach of others' privacy and can have severe consequences for you. You must have the consent from every individual whose voice can be heard on your podcast. Start each audio recording by identifying all the individuals participating. When recording a meeting or event, be sure to make a statement at the beginning, such as "This conversation is being recorded for a podcast," so the participants are aware when the microphone has been switched on. And think about what you're presenting about yourself, too. MP3 files can remain accessible on the Web for years.

    Set the bar as high as you can for audio production and content quality. External podcasts that present topics or points of view relevant to IBM's business or broader corporate interests inevitably reflect on the company's brand. These podcasts should be produced with care, with attention to detail and production values. With blogging, the quality of the thinking, writing and expertise are paramount. When it comes to audio content, the same is true, but add to that the quality of audio production. To put it bluntly, if it does not sound good, even the greatest ideas may not be enough to hold a listener attention.

    There may be some invitations to participate in non-IBM podcasts that warrant IBM Communications' involvement. You should treat these the same way you would treat an interview request from a reporter. If you're in doubt, be sure to talk to your local Communications people to discuss the opportunity before agreeing to participate.

    Identify your podcast as the voice of an individual or small group within the company, not the "official" voice of the company. This is similar to the standard disclaimer in IBM blogging guidelines -- but in the case of a podcast, it's necessary to make such a declaration verbally.

    Before you initiate a podcast, ask yourself if it is the most appropriate method to communicate with your audience. Before creating a podcast, listen to some. Experience what podcasting is like from the audience's perspective. Go out and listen to some podcasts. What do you think works well? What do you dislike? What is it that you have to say -- and is this the right medium in which to say it?

    Podcasting Rules [General Compliance]

    Some podcasting 'rules', more to come, in time,

  • Do not podcast Confidential material.
  • Be mindful not only of what you say, but how you say it.
  • Protect your privacy and the privacy of others.
  • Set the bar as high as you can for audio production and content quality.
  • Identify your podcast as the voice of an individual or small group within the company, not the “official” voice of the company.
  • Before creating a podcast, listen to some.
  • Data Breaches - How to respond [US]

    During the past year, news headlines announced a steady stream of information security breaches. During this time, roughly 170 breach incidents have been subject to public scrutiny; countless other incidents have gone unreported. It is estimated that more than 81 million individuals have been impacted by the publicized security breaches alone, including 26.5 million individuals whose personal information was contained on a laptop computer lost by an employee of the Department of Veterans Affairs in late May. While security breach incidents certainly occurred prior to 2005, a little-known California law passed in 2002 brought about the sudden surge in news coverage of such incidents.

    This law, known as the California Computer Security Breach Notification Act (SB 1386), requires businesses to notify California residents whose personal information has been the subject of a security breach. Not to be outdone, 29 other states have jumped on the California bandwagon and passed breach notification laws of their own after witnessing the broad impact of the California law.

    With no federal law imminent, businesses that suffer security breaches are finding themselves in the unenviable position of having to comply with 30 state laws that require notification to affected individuals. Making matters more complex, many of these 30 state laws differ substantially, upping the ante on the need for a thorough understanding of the legal landscape in this everevolving area.


    Under California's SB 1386, businesses are required to notify individuals if personal information about them maintained in computerized form was, or is reasonably believed to have been, acquired by an unauthorized person. "Personal information" means an individual's name in combination with a (i) Social Security number, (ii) driver's license or state identification card number, or (iii) account, credit or debit card number in combination with any required security code. The law provides a safe harbor for encrypted personal information such that notification is not required in the event of unauthorized acquisition.

    If notification is required, businesses may satisfy the law's requirement by providing (i) written notice, (ii) electronic notice under limited circumstances or (iii) substitute notice (consisting of e-mail notice, conspicuous posting on the business' Web site and notification to major statewide media) if notifying customers will cost more than $250,000 or if more than 500,000 customers are impacted.

    In the initial months following the effective date of SB 1386 on July 1, 2003, companies that suffered security breaches complied by providing notice to impacted individuals in California. If the breach impacted people outside of California, many companies chose not to notify these non-California residents, reasoning that the legal notification obligation was limited to residents of California.

    While this approach is correct from a strict legal perspective, companies that took this approach suffered significant reputational harm in the media firestorm that ensued following discovery of the breach. This media frenzy resulted in the passage of state security breach notification laws in a handful of other states in which state legislators feared businesses would continue to suffer breaches and not notify their state residents. This handful, which did not begin passing breach notification laws until 2005, quickly became 30 states by the beginning of 2006.

    The panoply of security breach notification laws at the state level has made compliance challenging for companies that have suffered national breaches in the past year. While the state laws are similar in many ways, they differ in four crucial ways, all of which bear on a company's notification obligations.

    First, the laws address different media. While most states follow California's approach and regulate breaches that involve "computerized" data, others (like North Carolina and Wisconsin) require notification if there has been unauthorized access to and acquisition of personal information in any form, whether computerized, paper or otherwise.

    A second area of conflict arises in how states define "personal information." A significant percentage of states follow California's approach and define personal information to include name plus Social Security number, driver's license or state identification card number, or financial account number. Other states, however, use a more expansive definition of personal information. For example, personal information includes medical information in Arkansas, date of birth and mother's maiden name in North Dakota, and DNA profile in Wisconsin.

    A third key difference among the state laws turns on whether the law contains a harm threshold that triggers notification. In California, no such harm threshold exists -- all California residents whose personal information has been acquired, or is reasonably believed to have been acquired, must be notified. That is not true in several states, where notification is required only if there is a reasonable likelihood that information acquired by an unauthorized person will result in harm.

    In addition, the state laws have different requirements about who should be notified by businesses that suffer security breaches. In California, businesses are required to notify only those individuals affected by the breach. In other states, state regulators and consumer reporting agencies must be notified. For example, in New York and North Carolina, businesses that suffer security breaches must notify the Attorney General's office, while in New Jersey the state police must be notified.

    These substantive differences highlight the need for businesses that suffer a breach to understand all 30 state laws. This understanding is particularly important in light of the reputational risk associated with notifying only in those states that require notification.

    Given this reputational risk, a business' decision to notify all individuals impacted by a breach (a number that often reaches into the hundreds of thousands and sometimes millions) can turn on a faraway state's notification requirement.

    Thus, from both a compliance perspective and a bottom line perspective, it is imperative that businesses fully understand, and prepare to address, each of the 30 state laws governing breach notification.


    The first, and most critical, step any company that learns of a possible security breach must take is to determine whether personal information is reasonably believed to have been acquired or accessed by an unauthorized person. In making this determination, companies should look to several indicators, including whether the information (i) is in the physical possession or control of an unauthorized person (e.g., a stolen computer), (ii) has been downloaded or copied, or (iii) was used by an unauthorized person, such as having fraudulent accounts opened or reported instances of identity theft.

    Making this determination is often easier said than done. Depending on the complexity of the circumstances, determining whether a breach has even occurred could require working with a forensic investigator, at significant expense, to recreate activity on the database.

    Once there is a reasonable belief that a security breach has occurred, the next step involves going to law enforcement (if necessary) and taking any internal measures necessary to restore the integrity of the affected system. As part of the report to law enforcement, companies should explain that they intend to provide notice of the breach to affected individuals in the most expedient time possible and without unreasonable delay.

    In certain situations, law enforcement authorities will ask companies to delay notification so as not to impede their investigation. Most of the state breach notification laws provide a safe harbor for these circumstances, but companies in this situation should make sure to ask law enforcement when it would be appropriate to send the notification and to be prepared to send the notices as soon as reasonably practicable after getting the go-ahead from law enforcement.

    Once given the go-ahead to notify, companies should provide written notice to affected individuals in the most expedient time possible. In some states, such as Florida and Ohio, there is a time limit of 45 days after discovering the breach or receiving the go-ahead from law enforcement. Depending on the sensitivity of the circumstances, drafting breach notices can be an arduous task that requires significant assistance from counsel and public relations resources.

    At the very least, a breach notice should include (i) a general description of what happened, (ii) the nature of the personal information involved, (iii) a description of the steps taken by the company to protect personal information from further unauthorized acquisition or access, (iv) a description of how the company will assist affected individuals (e.g., by providing credit monitoring for the affected individuals), (v) information on how individuals can protect themselves from identity theft, including contact information for the three credit reporting agencies, and (vi) contact information for the Federal Trade Commission.

    In addition to affected individuals, companies that suffer security breaches may be required to notify other stakeholders, including state and federal regulators, credit reporting agencies and credit card issuers. New York, New Jersey, North Carolina and Maine all require some form of notification to state regulators, typically the state attorney general's office. New Jersey is unique in that it requires companies that suffer a security breach to notify the state police, and this notification must take place prior to notifying affected individuals.

    The notification to state regulators should provide information as to (i) the nature and circumstances of the breach, (ii) the timing, content and distribution of the notices, and (iii) the approximate number of affected individuals. Because the credit reporting agencies will likely be inundated with calls from individuals affected by the breach who wish to sign up for credit monitoring or obtain a credit report, it is also a good idea, and a legal requirement in several states, to notify the credit bureaus. In Minnesota, this notification is required to occur within 48 hours of notifying affected individuals.

    Finally, if the breach involves personal information associated with a credit card, the company is likely contractually required to notify affected credit card issuers.


    Given the panoply of state breach notification laws and their varying requirements, it is only a matter of time before Congress passes a federal security breach notification law. There are currently more than a dozen security breach notification bills that have been introduced in Congress.

    Most commentators agree that a law will not be passed by the end of this fall's congressional session. From a business perspective, the most important feature of any federal breach notification law is that it pre-empt state law. Because data often flows beyond state boundaries, a federal law that pre-empts state breach notification laws would ensure that affected residents of every state are notified of a data breach while at the same time easing the ability of companies to provide such notification by allowing them to adhere to a single standard.

    Until a federal law is passed, companies that suffer security breaches across state lines find themselves in the difficult position of analyzing the law in 30 or more states to understand their compliance obligations. Given the reputational risks associated with security breaches, in addition to legal compliance exposure, it is imperative that companies not only understand these issues, but also have a plan in place to manage the notification process in the event they suffer a security breach.

    Tips for selecting outside counsel

    When selecting outside counsel, competitive intelligence, or objective market information, makes for better decision making. Here are some ways to get started:

    1. To select outside counsel, make a list of criteria that a firm or lawyer must meet. Such criteria might include firm specialization, responsiveness, cost, history with the company, reputation, location and partnering capabilities.
    2. Consider using available vender services that evaluate a firm's or lawyer's expertise, service and quality.
    3. Cull names of outside counsel from important legal matters. Attend conferences or seminars and retain the names of lawyers who give impressive presentations.
    4. Decide whether a Request for Proposal process is the best approach to choosing outside counsel. If so, be precise in what you ask and set a timeline. Use your contract -- not the outside counsel's -- for the basis of an agreement.
    5. Whether you're using a checklist approach or an RFP, interview the outside counsel to determine if they meet your criteria. If you're using an RFP, make sure all responses comform so you can compare responses. "Talk with former clients and adversaries of the outside counsel and ask about the firm's work so you can find out if their experience is real and how much of their results is based on talent and skill versus dumb luck," says Charles James of Chevron.
    6. Gather macro information about the legal industry to determine what the legal department should anticipate from its firms in terms of billing rates for the next year.
    7. If you're using an RFP, run parallel negotiations with many outside counsel. Eliminate one each round. Use a fixed format.
    8. Once a firm is hired, institute a formal evaluation process to determine whether your criteria continue to be met. Make sure internal business clients evaluate outside counsel, too. Cull data from e-billing and information management systems to determine such things as: efficiency in providing services, results achieved, whether the firm adhered to your guidelines for billing, expenses, communication and access to a firm's premier lawyers.

    Google Patents [Further Thoughts]

    • The “advanced search page” provides a nice search interface for the database:
    • Doing a search also provides a list of forward (references cited) and backwards (cited by) patents. Very useful!
    • The images provided appear to be PNGs. No PDF download option (yet?). Of course, if you are looking for a free patent PDF, you could use one of the programs mentioned here.

    Sunday, December 17, 2006

    How to avoid Genericide [IP Practice]

    Genericide is the term coined to describe the loss of a trademark that no longer serves as an indicator of a source of goods because consumers came to regard the trademark as a generic term. Examples of trademarks lost to genericide include Aspirin, Xerox and Band-Aid.

    The July/August [2005] edition of the "ACC Docket" provides some useful tips on how to prevent your trademark from becoming generic:

    Always connect the mark to a generic term. The mark should:

    be used as an adjective. Not "Xerox", but "Xerox photocopier";

    not be used as a noun of any type, singular, plural or possessive. not "put on a band-aid", or "two band-aids", or "band-aid's adhesive quality", but rather "put on a Band-Aid bandage", or "the adhesive qualities of Band-Aid bandages"; and

    not be used as a verb (never "Xeroxed", but rather, "photocopied").

    Always distinguish the mark from the rest of the text by italics (Ivory soap), capitals (the XEROX photocopier), or some similar method.

    On its first use in any materials, the mark should carry, as appropriate, TM, SM, or ®. The ® mark may be used only if registration has actually issued, TM and SM may be used with any mark.

    Finally, remember that even your internal use of the mark can be discoverable.

    These tips are useful to prevent the loss of your mark to genericide. Keep in mind to also pay your renewal fees and to continue to use your mark. Otherwise, your mark may go abandoned.

    Friday, December 15, 2006

    Google: Patent Search

    Law Wire™ notes that Google has launched its patent search facility at It seems to be a Beta site, so things can only get beta ...

    The front page is clean, crisp and easy on the eye; you can search under Web, Images, Video, News, Maps and More ... and there's a continuously changing selection of five featured patents if you just fancy a gentle browse. Google offer over 7 million patents, though that's not the same as 7 million inventions. The Patent Search Help facility even helps laymen make some sense of their search results once they've got them.

    Information Commissioner names and shames newspapers [UK]

    The Information Commissioner will today name and shame the newspapers he says are breaking the law in their pursuit of stories. Richard Thomas has published a report to Parliament on information theft which contains a league table of alleged offenders.

    Six months ago Thomas signalled his intent to get tough on those who trade in illegally obtained personal information.

    His league table alleges that the Daily Mail has used a raided investigations agency more than any other paper. As well as tabloid papers, broadsheets and magazines were represented on the list. The list should not be taken as definitive, since it only represents the usage ratios relating to one agency, but it does show how widespread the purchase of information is.

    "People care about their personal privacy and have a right to expect that their personal details are and should remain confidential. Who they are, where they live, who their friends and family are, how they run their lives: these are all private matters," said Thomas in the introduction to the new report. "Individuals may choose to divulge such information to others, but information about them held confidentially by others should not be available to anyone prepared to pay the right price.

    The report, What Price Privacy Now?, is the Information Commissioner's Office (ICO) update to his original report, What Price Privacy?, published in May. In that report he outlined the market for information and said he wanted sentences to increase and wanted individuals to face jail sentences of up to two years for buying or selling illegally obtained information.

    "Progress has been significant and encouraging. In particular I welcome the Government’s consultation on increased sentences," he said. "Overwhelmingly the responses indicate support for the proposals. Many organisations have taken steps of their own to raise awareness and tighten security as well as more generally condemning the illegal trade."

    Thomas's naming of newspapers is sure to be a controversial step in the battle against information theft. Newspapers have already accused him of seeking to stifle free speech in recommending stiff sentences for people such as the News of the World's Clive Goodman, who recently pleaded guilty to plotting to intercept personal information.

    "Explicitly targeting the press in his report is a high risk strategy," said Dr Chris Pounder, a specialist in privacy law at Pinsent Masons, the law firm behind OUT-LAW. "Many journalists still think the end justifies the means and see no wrong if they obtain information by deception when an overriding public interest can be claimed for story."

    "In order to comply with the ICO's orders newspapers will have to start training journalists to use legal techniques or they themselves could face action", said Pounder.

    "If a newspaper publishes a story which the journalist has written about an individual which has used personal data obtained by deception, then the newspaper could also be in breach of the Seventh Principle [of the Data Protection Act] which requires all appropriate steps to be taken to guard against unlawful processing. This means training journalists not to use such methods complained of in the Commissioner's new report."

    The Commissioner's report says that most investigations agency representative bodies and press representative groups have responded positively to his recommendations and communicated with their members about their obligations, and that he was disappointed with only a few of them.

    Tuesday, December 12, 2006

    Qualcomm Faces Hard 'Cell' in Battle Over Phone Royalties [US]

    Nokia and several other cell phone companies are fighting Qualcomm over royalties for next-generation technology.

    Like two superpowers that cooperate for mutual benefit while eyeing each other warily, Nokia Corp. and Qualcomm Inc. have forged an uneasy alliance. Since the early 1990s, Qualcomm has reigned over the cell phone industry, licensing out the basic patents underlying the two main industry standards, GSM and CDMA. As the world's leading cell phone manufacturer, with $50 billion in annual revenue, Nokia is one of Qualcomm's most important licensees. The Finnish company has paid Qualcomm billions of dollars for the rights to so-called second-generation cell phone technology.

    Now this fragile détente has reached a breaking point. In April the patent cross-license between the two giants is set to expire. The terms of that pact are confidential, but it is widely believed that Qualcomm collects an average of 5 percent from licensees of its CDMA cell phone technology. Nokia wants a better deal -- and it's not alone.

    The time is ripe for renegotiation. The cell phone industry marks its progress in terms of three generations of technology. The first generation, which relied on analog signals, came into its own in the 1980s. The second, benefiting from advances in digital systems, has thrived since the early 1990s. Qualcomm has thrived along with it. About a third of the company's $7 billion revenue comes from patent royalties, which account for about 60 percent of profits. The third generation, or 3G, may not be so lucrative for Qualcomm. Powered by a high-speed digital format, 3G offers whiz-bang features like Web surfing, music downloads and streaming TV clips. While Qualcomm has patents covering 3G technologies, Nokia contends that Qualcomm doesn't have the same kind of death grip as it did on the second generation. In patent and antitrust cases filed across the United States and in Europe, Nokia is pressuring Qualcomm to lower its licensing fees in accordance with the value of its IP contribution to 3G technology. William Plummer, Nokia's vice president of external affairs, sums up the company's grievance this way: "Qualcomm is trying to project its current business model into the future in an uneconomical, irrational way."

    A list of household names in the cell phone industry have filed similar complaints in various venues in the United States, Europe and South Korea -- including Ericsson, Texas Instruments Inc. and Broadcom Corp. Qualcomm has countered by filing a string of patent suits against Nokia, Texas Instruments and Broadcom. One investment research firm in London terms the great maze of legal disputes a "holy war." Fighting the crusade are some of the best-known litigators in the U.S. Qualcomm has brought in Evan Chesler, the deputy presiding partner at Cravath, Swaine & Moore and his partner Richard Stark. Broadcom has hired David Boies of Boies Schiller & Flexner as well as George Cary of Cleary Gottlieb, Steen & Hamilton, and William Lee and Michael Esch of Wilmer Cutler Pickering Hale and Dorr. Texas Instruments and Nokia are both represented by Quinn Emanuel Urquhart Oliver & Hedges. Partner Stephen Neuwirth represents T.I. and name partner A. William Urquhart is lead counsel for Nokia.

    The stakes in the game contain a dizzying number of zeroes. Worldwide revenue from handsets over the next five years will likely exceed half a trillion dollars, most of it from the sale of 3G devices, according to Marina Amoroso, a wireless industry analyst for the Yankee Group, the Boston-based high-tech research firm. Qualcomm's licensing fees are pegged to handset sales. If the company were forced to accept a lesser royalty rate for 3G, its bottom line would take a hit. "A few points of royalty are likely to amount to many, many millions of dollars over many years," notes Louis Lupin, general counsel and a senior vice president at Qualcomm. "Companies are motivated to fight about it."

    The battle is taking place in court, but its roots lie within the arcane world of standard-setting bodies, the nonprofit industry associations that decide what patents are relevant to a given technology and mandate that members license those patents on fair and reasonable terms. What constitutes "fair and reasonable," as the language of many standard-setting agreements requires, is at the heart of the complaints against Qualcomm. As the fight over royalty fees proceeds, it could result in far-reaching rulings by courts or regulatory bodies that would redefine how parties to standard-setting agreements must deal with one another.

    National and regional standard-setting bodies helped decide the fate of the second-generation cell phone standards. The GSM standard got its big boost in 1990, when the European Telecommunications Standards Institute picked the technology -- developed largely by European companies -- as the sole cell phone standard for the European market. Standard-setting bodies in the U.S. and Japan designated both CDMA and GSM as their countries' standards. Both second-generation standards solve the technical problem of many people trying to talk at the same time on the same frequency, but they do so in different ways -- CDMA encodes wireless signals, and GSM divides signals into minifractions of a second among multiple users. The split among the world's 2.5 billion cell phone users stands at about 75-25, with GSM in the lead, according to the Yankee Group.

    A few years ago, another standard, CDMA 2000, began supplanting CDMA. Groups like the Telecommunications Industry Association in North America and the Telecommunication Technology Committee (Japan) have endorsed some of the CDMA 2000 technology. Meanwhile, GSM has morphed into WCDMA (the "W" stands for wideband). The European standards group has endorsed all of the WCDMA standards, and other groups in Japan, China, South Korea and North America have signed on to some of those technologies.

    Qualcomm holds patents in both standards, and it says that about 135 companies have taken a license to one or more of its 3G technologies. Nokia, Broadcom and the other companies suing Qualcomm allege that it's asking too much for these licenses. As a party to several standard-setting protocols, Qualcomm is obligated to license out patents according to fair, reasonable and nondiscriminatory terms. The standard-setting organizations leave it to participating companies to hash out whether an offer satisfies these obligations.

    According to a complaint filed by Nokia on Aug. 8 in Delaware Chancery Court, Qualcomm has about 80 percent of the patents in the second-generation CDMA standard. Nokia alleges that Qualcomm's percentages in both 3G standards are much lower. Qualcomm has "less than" 50 percent of the CDMA 2000 patents, and "at most" 20 percent of WCDMA, Nokia writes in the complaint. (Qualcomm's Lupin disputes the numbers but declined to say what the company believes the ratios are.)

    Nokia claims that Qualcomm's royalty rates should be lowered in proportion to the lower percentages. The company is asking the Delaware court to devise a test that standard-setting bodies can use to determine a fair and reasonable royalty rate. Nokia wants the court to look at the number of patents that Qualcomm holds. Nokia also wants the court to consider: the cumulative royalty charged by all holders of WCDMA patents; the existence of noninfringing alternatives to Qualcomm's WCDMA patents at the time the standard was adopted; and the extent to which Qualcomm might have exploited its WCDMA patents had they not been included in the standard. A trial is scheduled for March 6.

    Few, if any, courts or regulatory agencies have specified a yardstick of that sort, says Lupin. Nor in his view should they do so, because, he says, "It's not what the standards bodies have intended, and that's not how it has worked." He adds that "there's a generally understood meaning within the industry. People know more or less what's required, but the concept is flexible to allow the parties to craft something that works well for their individual situation." As for Nokia's "patent-counting exercise," as Lupin calls its proposed test, he insists that Qualcomm would meet it because, he says, the company has been a "key contributor" to "all CDMA approaches," including WCDMA.

    While Nokia has been dogging Qualcomm in Delaware, other companies, especially Broadcom, have been moving against it on several fronts. With $3.5 billion in annual revenue, Irvine, Calif.-based Broadcom ranks among the world's top 20 chip makers. Only within the past two years, however, has the company started supplying chips for cell phones. In an effort to clear the way on patent rights, Broadcom negotiated with Qualcomm during several months last year. But, as in Nokia's case, the negotiations stalled. What Qualcomm offered was "fundamentally onerous," says David Rosmann, Broadcom's vice president for IP litigation.

    On May 19, 2005, Broadcom brought a complaint before the International Trade Commission claiming that chips imported by Qualcomm into the United States infringe its patents. (Qualcomm lodged a similar ITC complaint against Nokia in June.) Since then, the dispute has widened. Broadcom filed an antitrust complaint in July 2005 in federal district court in Trenton, N.J., claiming that Qualcomm's "abuses" of its 3G patent power pose the "dangerous probability" of excluding Broadcom and other competitors from the WCDMA chip market. And in federal courts in San Diego and Santa Ana, Calif., the companies have hurled patent infringement claims against each other. Qualcomm claims that Broadcom has infringed 18 patents; Broadcom says that Qualcomm has infringed 12.

    Broadcom was one of six companies -- along with Nokia, Texas Instruments, Ericsson, NEC and Panasonic Mobile Communications -- that filed simultaneous unfair trade claims against Qualcomm with the European Union on Oct. 28, 2005. The claims rest on what several lawyers in the case say is a novel theory: that Qualcomm's alleged failure to offer WCDMA licenses on fair and reasonable terms violates EU competition law.

    Like Nokia in Delaware, the claimants in the EU argue that the royalties Qualcomm demands on its WCDMA patents are "excessive and disproportionate." The EU claimants go further, however, claiming that Qualcomm's alleged practice of offering lower royalty rates to customers who buy its chips exclusively undermines competition among chip makers. This June, acting alone, Texas Instruments lodged a comparable claim against Qualcomm with South Korea's Fair Trade Commission. Qualcomm denies all these claims. Indeed, company chairman Irwin Jacobs insists that Qualcomm has actually spurred competition among handset producers, making its patents available to new and innovative companies and thus challenging "entrenched" competitors, according to the published text of a speech he made in August at a business policy conference in Aspen, Colo.

    The legal disputes have a long way to go before there is any kind of resolution, though some preliminary results are in. On Aug. 30, U.S. District Court Judge Mary Cooper issued a 47-page opinion in the New Jersey case concluding that Broadcom's antitrust allegations, even if true, did not state a viable antitrust claim. Broadcom is appealing the decision to the 3rd U.S. Circuit Court of Appeals.

    Also in October, an ITC administrative law judge ruled that Qualcomm's chips infringe a Broadcom patent, but stopped short of recommending that cell phones containing the chips be barred from the U.S. market. A decision by the full commission, which is expected in early 2007, would be subject to appeal. But the looming threat of an injunction may pressure Qualcomm into sweetening the patent terms it is offering its legal adversaries. Conversely, rulings in favor of Qualcomm might stiffen its backbone in negotiations.

    In an extraordinary step to expedite a settlement between Broadcom and Qualcomm in the case in San Diego federal court, Magistrate Anthony Battaglia ordered an October meeting between the chairmen of both companies -- Jacobs of Qualcomm and Henry Samueli of Broadcom -- to discuss a "global resolution" of their disputes. But the closed-door meeting did not produce a settlement.

    Patent licensing cases typically settle out of court. But this is no garden-variety patent spat. The outcome will not only divide a huge pot of third-generation cell phone royalties, but could also shape the cell phone industry's IP leadership for generations to come.