Trademark practitioners should be familiar with data security and privacy issues for two primary reasons: (1) we have an obligation to safeguard and keep private our clients’ information; and (2) whether we handle the matter ourselves or refer to colleagues, many of our clients will have privacy and security issues that require legal advice.
I. Data Security for Your Practice as Trademark Practitioner
A. Data Security Issues in the Trademark Practice
Why should we care about data security?
All industries are at risk, but law firms are deemed to be a weak link with highly valuable and confidential business information
- 2012 Mandiant Report – Estimated 80% of 100 largest U.S. firms were subject to a successful data breach by malicious intruders in 2011
- What data security issues are unique to attorneys and the trademark practice specifically?
- While attorneys are expected to maintain privilege/confidentiality and there is a high level of trust with clients, attorneys may not always see information security as part of this ongoing obligation.
- Attorneys have a high level of duty to clients, but the industry is largely unregulated.
B. How Do We Analyze Our Own Data Security Practices
- FISMA (Federal Information Security Management Act) – 44 USC 3541 - applies to government and government contractors but used as a resource across all industries
- CIA - Confidentiality, Integrity and Availability – key security objectives
- For any given piece of information or information system – files, data, email, networks, laptop, phone, docket system – ask the CIA questions.
- Information system - anything that moves, stores, or does something with information.
- Discuss examples of information and information systems in the practice of law, and in trademark practice specifically. E.g., docket system (in-house or hosted by a third party), document management system.
- Discuss: What information/information systems are we trying to protect? And what are our CIA requirements for those?
- Example: Federal filing system: Confidentiality – not really an issue. Integrity – both data and system need to function properly. Availability – key concern because if the system is down, there are major issues for courts.
- Example: Client email with confidential marketing plan and related trademarks attached.
- Example: Docketing system that contains some privileged information.
C. What Controls (i.e., Protections) Do We Need in Place?
- Two-factor authentication to access networks and email (a password plus a second code).
- Backups are super critical for trademark practice – consider offsite backups every day for digital files.
- Ask yourself whether your business can survive if there was a fire or your system totally dies.
- Good Resources
- Threats are not limited to cyber threats. Think about other threats to security, i.e. physical security, outside individuals with access to your offices, unlocked computers and smart phones.
- Threats are not always malicious. Breaches can occur because of someone’s negligence, recklessness, or ignorance.
- Super hackers are not the only perpetrators.
- When does a firm/business need staff dedicated to data security? You may need a Chief Information Security Officer, outside consultant or someone knowledgeable enough to address key issues.
- Clients increasingly expect attorneys to be on top of data security and are driving the legal practice to take action.
- While a risk-based approach is common, remember that best practices exist and should be strived for.
- Threats – 2 major threats are phishing and spear phishing. Insider threats (like a disgruntled worker) are also common. Limit access to information on a need-to-know basis.
- Maintain GOOD passwords.
II. Data Security 101 for Your Clients
- Identify, protect, detect, respond, recover.
- Most breaches are 6-18 months old before detection
- Does your business know its security health? The first step is to conduct an assessment.
- Do you have an on-call incident response plan or provider? How do you know what a critical incident is?
- How are you classifying and handling data?
- FTC Enforcement Activity and the Implications of Third Circuit’s Decision in FTC v. Wyndham (Aug. 24, 2015)
- Data Breach Notification Laws
III. Privacy 101 for Your Clients
A. Overarching Issues
- Unlike many foreign countries, the U.S. does not have a federal broadly applicable privacy law. Rather, privacy laws in the U.S. are sector specific (e.g., GLBA in financial services sector, HIPAA in health care sector). FTC enforces privacy violations as unfair and deceptive trade practices under Section 5 authority.
- U.S. privacy laws are not in alignment with Canadian, EU and other foreign privacy regimes. If collecting personal information (including cookie information) from foreign residents, consider foreign legal obligations. E.g. EU Data Privacy Directive and member state enabling legislation; Canadian PIPEDA, Anti-spam Legislation.
- Good Privacy Practices
- COPPA - applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
- The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
C. California Online Privacy Protection Act and Shine the Light Law
- Shine the Light Law - California Civil Code Section 1798.83 permits California residents to request information regarding the disclosure of their personal information to third parties for third parties’ direct marketing purposes.
D. Online Behavioral Advertising
- Online Behavioral Advertising (“OBA”) is the collection of information about online activity to show relevant ads or content.
- Clients must provide notice about tracking activities and choice over those activities.