Trends in the Law of Information Security
By Thomas J. Smedinghoff
Baker & McKenzie
Mr. Smedinghoff is of counsel at Baker & McKenzie in Chicago, IL, where he practices e-commerce and information technology law.
Three legal trends are rapidly shaping the information security landscape for most companies. They are:
- an increasing recognition that providing information security is a corporate legal obligation;
- the emergence of a legal standard against which compliance with that obligation will be measured; and
- a new emphasis on a duty to disclose breaches of information security.
While the law is still developing, and is often applied only in selective areas, these three trends are posing significant new challenges for most businesses.
- Duty to Provide Information Security
For many companies, information security is no longer just good business practice. It is becoming a legal obligation.
Key to this developing trend is the fact that in today’s business environment virtually all of a company’s daily transactions, and all of its key records, are created, used, communicated and stored in electronic form using networked computer technology. Electronic communications have become the preferred way of doing business, and electronic records have become the primary way of creating and storing information. As a consequence, most business entities are now fully dependent upon information technology and the information infrastructure.
This has provided companies with tremendous economic benefits, including significantly reduced costs and increased productivity. But the resulting dependence on information technology also creates significant potential vulnerabilities that are increasingly being exploited by a stream of new threats such as viruses, worms, hackers, phishing attacks and rogue employees.
Lawmakers are beginning to take notice of this problem. Concerns include ensuring the viability of business operations, protecting individual privacy and avoiding identity theft, safeguarding sensitive business data, ensuring accountability for corporate financial information, and preserving the authenticity and integrity of transaction data. Issues like these are driving the enactment of laws and regulations, both in the United States and globally, which are imposing new obligations on businesses to implement information security measures to protect their own data.
In the United States, corporate legal obligations to implement security measures are set forth in an expanding patchwork of federal and state laws, regulations and government enforcement actions, as well as common-law fiduciary duties and other implied obligations to provide “reasonable care.” For a compilation of laws governing information security, see www.bakernet.com/ecommerce. Some laws seek to protect the company and its shareholders, investors and business partners. Others focus on the interests of individual employees, customers and prospects. And in other cases, governmental regulatory interests or evidentiary requirements are at stake.
These laws regulate information security from a variety of perspectives. In some cases they are focused on the industry in which a company operates, particularly in the case of critical infrastructure industries. Thus, for example, the operation of IT systems and the security of data is heavily regulated in the financial and healthcare industries. In fact, in the financial industry alone there are over 200 laws, regulations, government bulletins, alerts and other guidance documents addressing the information security obligations of financial institutions. For the list of these laws, regulations, and government bulletins, alerts and other guidance documents see www.ffiec.gov/ffiecinfobase/resources/re_01.html.
In other cases, regulatory requirements focus on the type of corporate records involved, targeting categories of records such as those containing personal data, financial records, tax records and the like. Privacy laws and regulations, for example, require companies to implement information security measures to protect certain personal data they maintain about employees, customers or prospects in a variety of cases. See, e.g., 15 U.S.C. sections 6801, 6805; 42 U.S.C. sections 1320d-2 and 1320d-4; 15 U.S.C. sections 6501, et seq. Corporate governance legislation, such as the Sarbanes-Oxley Act, requires public companies to ensure that they have implemented appropriate information security controls with respect to their financial information.
Tax-related records are governed by Internal Revenue Service (IRS) regulations, which require companies to implement appropriate information security measures to protect those records. See IRS Rev. Proc. 97–22, 1997-1 C.B. 652, 1997-13 I.R.B. 9 and Rev. Proc. 98-25. Likewise, other regulatory agencies, such as the Securities and Exchange Commission (SEC), the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Food and Drug Administration (FDA), and the U.S. Department of Health and Human Services (HHS) have adopted a variety of regulations designed to address information security issues of importance to the types of records they regulate.
Information security regulation also focuses on the nature of the electronic activity a company undertakes. Thus, for example, under some laws, electronic signatures are enforceable in certain cases only if appropriate security is used. The proposed Convention on the Use of Electronic Communications in International Contracts, which is being finalized by the United Nations, would condition the enforceability of electronic signatures on an assessment of their level of reliability or trustworthiness. See Draft Convention on the Use of Electronic Communications in International Contracts, Article 9 (May 18, 2004). Other laws in the United States, such as the Uniform Electronic Transactions Act (enacted in 46 states) and Uniform Commercial Code Article 4A (enacted in all states), recognize the role of information security as a basis for allocating risk of loss and liability.
In addition, government enforcement agencies such as the Federal Trade Commission (FTC) have actively pursued companies for “deceptive” trade practices whenever the information security representations they voluntarily make to the public do not match their actual security practices. This may occur, for example, on websites, in privacy policies, or in documents where companies seek to assure potential customers that the company’s products, the customer information they collect, or the electronic transaction processes they use are safe, adequately protected, and free from unauthorized alteration or disclosure. Companies such as Eli Lilly, Microsoft, Guess?, Tower Records and Barnes & Noble have all been the target of enforcement actions based on FTC allegations that they were not living up to their representations regarding information security. Even more significant, however, the FTC has recently hinted that it is prepared to expand its enforcement actions to pursue companies who do not provide adequate information security, even in the absence of any voluntary representations, on the ground that such failure constitutes an “unfair” trade practice.
Information on a company’s computer system is not the only target. As companies move to outsource an ever-increasing array of business processes, government regulators are focusing their efforts on requirements that ensure the security of the corporate information that will be under the control of the outsource provider. In many cases, laws and regulations imposing information security obligations expressly cover the use of third-party outsource providers. This is particularly true in the financial sector, and under the various EU data protection laws. Thus, laws are recognizing that it is absolutely essential that any outsourcing agreement impose information security obligations on the outsource provider that are designed to ensure the data will be protected in a manner satisfying the company’s legal obligations.
Finally, it is important to recognize that information security is no longer just a technical issue for the IT department. New laws and regulations are making clear that it is a legal and corporate governance issue for upper management. And, in many cases, these laws, as well as government enforcement actions, put the responsibility directly on the chief executive officer and the board of directors.
- The Developing Legal Standard for Information Security
A legal obligation to address information security raises key questions for companies that must comply. Just what exactly is a business obligated to do? What is the scope of its legal obligations to implement information security measures?
The FTC has acknowledged that the mere fact that a breach of security occurs does not necessarily mean that there has been a violation of a company’s legal obligations. But it has also noted that an organization can fail to meet its security obligations, even in the absence of a breach of that security. See Prepared Statement of the Federal Trade Commission before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform, U.S. House of Representatives, on “Protecting Our Nation’s Cyberspace,” at 5-6 (Apr. 21, 2004). Thus, the key issue (from a legal perspective) is defining the scope and extent of a company’s “legal” obligation to implement information security measures.
Until recently, most laws addressing information security focused simply on establishing a requirement to provide security procedures, controls, safeguards or measures, often without any further direction. And, if they specified a standard, it was only a general one, such as requiring “reasonable” security or “appropriate” security. Other expressions of the standard that appear in some regulations include “suitable,” “necessary” and “adequate.”
Yet recently enacted U.S. statutes and regulations, as well as a series of government enforcement actions, suggest that we are witnessing the development of a legal standard for information security that is likely to be applied to most organizations whenever an obligation to provide security arises. The trend in U.S. law adopts a relatively sophisticated approach to corporate information security obligations, and recognizes that legal compliance with security obligations requires a “process” applied to the unique facts of each case.
Thus, rather than telling companies what specific security measures they must implement, developing law requires companies to engage in an ongoing and repetitive process that is designed to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments. In most cases, it does not require use of any specific security measures, instead leaving the decision up to the company.
Key to the new legal standard is a requirement that security be responsive to a company’s fact-specific risk assessment. In other words, merely implementing seemingly strong security measures is not sufficient. Those measures must be responsive to the particular threats a business faces and must address its vulnerabilities. Posting armed guards around a building, for example, sounds impressive as a security measure, but if the primary threat the company faces is unauthorized remote access to its data via the Internet, that particular security measure is of little value. Likewise, firewalls and intrusion detection software are often effective ways to stop hackers, but if a company’s major vulnerability is careless (or malicious) employees who inadvertently (or intentionally) disclose passwords, then even those sophisticated security measures, while important, will not adequately address the problem.
As a consequence, newer U.S. statutory and regulatory requirements (and government enforcement actions) are beginning to require the development of what is often referred to as a “comprehensive information security program.” Rather than require implementation of specific security measures, they take a process-oriented approach, requiring each entity to do a risk assessment and then develop and implement a security plan appropriate to its specific business and the specific threats it faces. Thereafter, continual monitoring, review, reassessment and revision of the plan are also required.
The essence of the comprehensive process-oriented approach to security compliance is implementation of a program that requires companies to:
- Conduct periodic risk assessments to identify the specific threats and vulnerabilities the company faces;
- Develop and implement a security program to manage and control the risks identified;
- Monitor and test the program to ensure that it is effective;
- Continually review and adjust the program in light of ongoing changes;
- Obtain regular independent audits and reporting;
- Oversee third-party service provider arrangements; and
- Make upper management (e.g., the chief executive officer and the board of directors) responsible for the security program.
A key aspect of this process is recognition that it is never completed. It is ongoing, and continually reviewed, revised and updated.
This comprehensive and “process oriented” approach to corporate security compliance was first set forth in a series of Gramm-Leach-Bliley Act ("GLBA") Guidelines Establishing Standards for Safeguarding Consumer Information issued by the Federal Reserve, OCC, FDIC and the Office of Thrift Supervision (OTS), on February 1, 2001. This approach was adopted by the FTC in its GLBA Safeguards Rule on May 23, 2002. The same approach was also incorporated in the Federal Information Security Management Act of 2002 (“FISMA”), and in the HIPAA Security Standards issued by HHS on February 20, 2003.
The FTC has also adopted the view that this approach to information security sets forth a general “best practice” approach to legal security compliance, and has, in effect, implemented this approach in all of its decisions and consent decrees relating to alleged failures to provide appropriate information security. See, e.g., In the Matter of MTS, Inc., d/b/a Tower Records/Books/Video (FTC File No. 032-3209, April 21, 2004); In the Matter of Guess?, Inc. (FTC File No. 022-3260, Jun. 18, 2003); FTC v. Microsoft, Inc. Consent Decree (FTC, Aug. 7, 2002); and In the Matter of Eli Lilly and Co., Decision and Order (FTC Docket No. C-4047, May 8, 2002). The National Association of Insurance Commissioners has also recommended the same approach, and, to date, several state insurance regulators have adopted it. See, e.g., National Association of Insurance Commissioners, Standards for Safeguarding Customer Information (adopted in 9 states). Several state Attorneys General have also adopted this approach in their actions against perceived offenders. See, e.g., In the Matter of Barnes & Noble.com, LLC (Attorney General of New York) Assurance of Discontinuance, Apr. 20, 2004; In the Matter of Ziff Davis Media Inc. (Attorneys General of California, New York and Vermont), Assurance of Discontinuance, Aug. 28, 2002.
Although this remains an unsettled area, the bottom line is that developing law seems to be recognizing what security consultants have been saying for some time: “security is a process, not a product.” Consequently, legal compliance with security obligations involves a “process” applied to the facts of each case in order to achieve an objective (i.e., to identify and implement the security measures appropriate for that situation), rather than the implementation of standard specific security measures in all cases. Thus, there will likely be no hard and fast rules. Instead, the legal obligation regarding security seems to focus on what is reasonable under the circumstances to achieve the desired security objectives. Consequently, the legal trend focuses on requiring businesses to develop comprehensive information security programs, but leaves the details to the facts and circumstances of each case.
- Duty to Disclose Security Breaches
Finally, we are also witnessing a series of new and proposed laws and regulations focused not on imposing an obligation to implement security measures, but rather on imposing an obligation to disclose security breaches. These are also beginning to have a significant impact.
Designed in many cases as a way to help protect persons who might be adversely affected by security breach, this approach seeks to impose on companies an obligation similar to the common law “duty to warn” of dangers. Such a duty is often based on the view that a party who has a superior knowledge of a danger of injury or damage to another that is posed by a specific hazard must warn those who lack such knowledge.
The most widely publicized law requiring disclosure of security breaches is the California Security Breach Information Act, which became effective on July 1, 2003. That law requires all companies doing business in California to disclose any breach of security that results in an unauthorized person acquiring certain types of personally identifiable information about a California resident. Disclosure must be made to all persons whose personal information was compromised, and anyone who is injured by a company’s failure to do so can sue to recover damages. But notwithstanding all the publicity it has received, the law appears to be just one of a growing list of security disclosure requirements imposed on companies.
IRS regulations also impose a disclosure requirement on taxpayers whose electronic records were the subject of a security breach. In a Revenue Procedure that sets forth its basic rules for maintaining tax-related records in electronic form, the IRS requires taxpayers to “promptly notify” the IRS District Director if any electronic records “are lost, stolen, destroyed, damaged, or otherwise no longer capable of being processed…, or are found to be incomplete or materially inaccurate.” Rev. Proc. 98-25, section 8.01. Likewise, the OCC requires banks to report cases where they are the victim of a phishing attack. See OCC Alert 2003-11 (Sept. 12, 2003).
Perhaps the most expansive cybersecurity disclosure requirements to date appear in proposed rules released for comment last year by several federal financial regulatory agencies. See proposed Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 68 Fed. Reg. 155 at 47954 (Aug. 12, 2003). These proposed regulations require financial institutions to develop a response program to protect against and address breaches of the security of customer information maintained by the financial institution or its service provider. Such program must include procedures for notifying customers, as well as regulatory and law enforcement agencies, about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer. The rules would also require the financial institution to offer assistance to customers whose information was the subject of the incident (e.g., inform customers of their rights, recommend actions that they should take, assist them in the process, etc.).
Taken as a group, these existing and proposed rules seem to suggest a possible new direction for the law on corporate information security obligations -- one that does not necessarily require a company to protect itself as much as to warn those who might be adversely impacted by a failure of, or lack of, its security. Implicit in such an approach is recognition of the wide-ranging impact of a company’s electronic activities, and the fact that corporate security vulnerabilities can have a significant adverse impact on others outside of the company. In all cases, however, what we are seeing is an increasing recognition that information security is critical, and that addressing it is a legal obligation.
(Originally published by Baker & McKenzie. Reprinted with permission.)
2004 Top 10: The Big Stories – A Global View of the Year in IT
By Marc Ferranti
Computerworld
New York, NY
Computerworld is New Zealand's leading specialized information systems newsweekly. Mr. Ferranti is a reporter for Computerworld.
If there were any lingering doubts that we are in the post-PC era, several big stories this year should have cleared them up. The sale of IBM's PC business to China's Lenovo Group, and the death of Comdex, were powerful reminders that IT is in a transitional stage. When one of the hottest business stories of the year involves an IPO of a company whose technology helps people find information on the Internet, it's certain that the network, to paraphrase the well-known dictum of Sun Microsystems, has become the computer. This transitional era involves not only shifts in computing technology per se, but issues related to law and technology strategy. Would technology advance more rapidly if patents were disallowed? Can users deploy mission-critical open source systems secure in the knowledge that the legal underpinnings of the code are sound? There are no easy answers, as the biggest stories of the year reveal.
Here are the top 10 IT stories of the year, not necessarily in order of importance:
IBM bows to reality, sells PC unit to Lenovo
If there ever was a sign of the times, it was IBM's sale of its PC unit to China's Lenovo Group just a few weeks before the year ended. The deal, which will give IBM more than $1 billion in cash and equity, calls for IBM to keep its foot in the PC arena in order to continue offering a full range of services and products. IBM will own 18 percent of Lenovo, which will be headed by a current IBM executive and headquartered in New York. Still, there is no doubt that the company that gave legitimacy to the PC revolution of the 1980s essentially is exiting the PC business because margins are too thin and the competition is fiercer than ever. Analysts expect more vendor consolidation over the next few years. The Lenovo deal also pointed to…
China: the next India, or the next…US?
While Western vendors have for years been beating down the door to get into China, this past year the country began to emerge as a player in its own right. Speaking in Beijing in September 2004, Cisco president and chief executive officer John Chambers said China "will become the IT center of the world." He was speaking in terms of decades, but nevertheless the year has seen major companies such as Accenture and IBM, as well as Indian services providers such as Wipro, establish or expand outsourcing facilities in the country. The facilities still cater mainly to the local markets, but China's IT and facilities infrastructure is stronger than India's. As China fortifies its foreign language skills and piracy laws, look for its increasing presence in the service sector. Meanwhile, hardware and networking companies such as Lenovo and Huawei Technologies are reporting rapid international growth, while software companies such as Red Flag Software are starting to take more of a leadership role in international software trends.
Oracle v. PeopleSoft part II: Larry wins it.
So Larry Ellison meant it, after all! Many industry insiders thought the incendiary Oracle co-founder and chief executive officer made a hostile bid for Enterprise Resource Planning (“ERP”) rival PeopleSoft last year mainly to take advantage of the fear, uncertainty and doubt that such a move was sure to cause. But on December 13, 2004, Oracle closed the deal to buy PeopleSoft for approximately $10.3 billion, ending an acrimonious takeover battle. Despite the many obstacles PeopleSoft put up, Oracle persisted and in September 2004 got the regulatory green light to continue its pursuit when a federal judge rejected the U.S. Department of Justice's effort to block the offer on antitrust grounds. Finally, two years after Oracle's initial bid, the story ends as another case of industry consolidation.
Sun and Microsoft, friends after all
One of the shocks of the year was to see Sun co-founder and chief executive officer Scott McNealy sitting side-by-side with Microsoft chief executive officer Steve Ballmer, laughing and joking about their surprise "broad cooperation agreement." The April 2004 deal settles all outstanding litigation between the formerly bitter industry enemies and calls for Microsoft to pay Sun $1.6 billion to resolve antitrust and patent issues. The agreement appeared to be a winner for all sides: Sun gets cash to help its corporate makeover, which has entailed a souped-up Solaris and a new round of products for its core financial industry users; Microsoft placated a fierce rival and laid to rest some legal problems; and users, in theory, will get products that work better together.
EU slaps Microsoft with antitrust ruling
It took the European Union's antitrust ruling against Microsoft to show that the software giant could not completely buy its way out of legal trouble. Though Microsoft settled various antitrust cases and complaints with payoffs to several states, companies and organizations, the EU in March hit Microsoft with a 497 million Euro fine and required the company to offer a version of its Windows operating system without the Windows Media Player software. The ruling goes beyond the settlement in the U.S. antitrust case, and Microsoft appealed. The case will drag on for years, but if Microsoft is forced permanently to offer Media Player as a separate product, it could force a change in its business model.
Intel's annus horribilis
Intel, a company that once prided itself on smart business strategy execution and industry-leading innovation, exits 2004 with a completely overhauled desktop and server roadmap, scaled-down expectations for consumer electronics and communications products, several embarrassing manufacturing gaffes, diminished respect and a drop in its stock price. The flip side of the story is that Advanced Micro Devices seems to be encroaching on the mighty Intel's market dominance. In February 2004, despite earlier statements to the contrary, Intel was forced to unveil a 64-bit processor for low-end servers in response to rival AMD's early success in generating demand for a similar product. If anything, this might prove that competition does indeed spawn technology advances.
Gaga over Google
Google's initial public offering in August 2004, one of the most talked-about business stories of the year, brought up bittersweet memories of the dot-com era and some cautious optimism for the economy. Would all the interest in the Internet search engine company mean that investors would start pumping money into the market? That question has not been answered yet, but the stock opened strongly, the company has shown some good financials, and its Gmail 1GB e-mail service has spawned copycat offerings. There were some embarrassing gaffes, for example when its confusing October 2004 financial report had analysts wondering whether it had missed or exceeded financial expectations (it in fact exceeded them). Though it may not herald another dot-com boom, the IPO showed that with the right technology and market position, a company can still attract an investing public.
Peeved about patents
The turmoil over ratifying the European Union's patent directive has exposed the fear and confusion surrounding the concept of ownership of intellectual property. As originally proposed by the European Commission, the directive would allow software patents. But subsequent versions by the European Parliament were changed to disallow software patents, and just before the end of the year it became apparent that a vote in another legislative body, the Council of Ministers, would be postponed, apparently because political pressure had smashed a consensus about which version to ratify. For the most part, large corporations are for patents and open source advocates and smaller companies, which have fewer resources to deal with patent issues, are against them. The issue, however, has even large U.S. companies concerned. A loose consortium of large U.S. companies was reported to be seriously considering buying web services patents auctioned off by bankrupt software company Commerce One, for example, in order to ward off potential legal problems.
SCO case imploding, Linux growth exploding
The SCO Group's lawsuit against IBM last year worried many users, who feared that SCO's intellectual property claims could restrict the growth of Linux. SCO alleges that IBM illegally contributed source code to Linux. This year SCO broadened the case, filing lawsuits against Novell and users Autozone and DaimlerChrysler. Now, while SCO may still prevail against IBM, prospects for its success appear to have dimmed. A judge threw out a large component of the case against DaimlerChrysler, and, in a late-in-the-game move, SCO changed its claim against IBM to copyright infringement. SCO also has failed to sign up many customers for its Intellectual Property License for Linux. Although the IBM suit may not go to trial until late 2005, it does not appear to have dampened Linux's prospects. IDC expects Linux to make up 25.7 percent of worldwide server shipments in 2008, up from 15.6 percent of worldwide server shipments in 2003.
Comdex: the party's over
The long lines for buses, the chatty cabbies, the monstrous exhibit halls, the parties imbued with rock-star glow by young billionaires: all this may continue to happen at trade shows, but not at Comdex, which was cancelled this year. After losing 40 percent of its attendance in 2001 in the wake of the September 11, 2001 terrorist attacks and the dot-com bust, it never recovered. The show, which came of age in the 1980s as the Computer Dealers Exposition, probably hit its peak in the mid-to-late 1990s but was carried along by an exuberant industry buoyed by dot-com era dollars. As much as anything else, the demise of Comdex signals the end of an era, which began with the PC revolution and hit its zenith with the explosive growth of the Internet. Perhaps the way is clearing up for a rational rebirth.
(Originally published in slightly different form by IDG Communications Ltd. Republished with permission.)
Pursuing Brand Infringements Online: Why Policing the Internet for Brand Abuse is No Longer Optional
By Nicole S. Bradley
MarkMonitor, Inc.
San Francisco, CA
MarkMonitor is a leading provider of corporate identity management solutions, particularly in the areas of domain management, brand management, trademark management and fraud protection. MarkMonitor is headquartered in San Francisco, CA. Ms. Bradley is intellectual property counsel with Advanced Medical Optics in Santa Ana, CA.
Introduction
The Internet is the largest repository of information in the world. Its global reach and speed of access to staggering amounts of information has changed the way companies conduct business. Although this new marketplace has created a vast amount of new opportunities, it has also presented intellectual property lawyers with a host of legal issues, with online policing at the forefront.
The enormous popularity of online searching through search engines such as Yahoo! or Google has led third-party companies to “borrow” famous trademarks and brand names as a means of creating false affiliations and thereby confusing consumers. In the online world it is easy to create such an affiliation since one only needs to add the third-party trademark or brand name to the visible or hidden text of a web site which in turn fools a search engine. This is typically referred to as “diversion of traffic” in common Internet parlance. Unchecked, a product name or trademark that a company has spent millions of dollars branding in the marketplace can be substantially diluted and weakened if hundreds of web sites “borrow” these popular brand names or trademarks without authorization.
Monitoring your trademark on the Internet is therefore important in order to protect the distinctiveness of the mark. Strong marks generally receive greater protection than weaker marks (consider KODAK versus GOLD SEAL). The test for determining the strength of a mark is the relative distinctiveness of the mark in the mind and perception of the consuming public. A highly distinctive mark is stronger than a less distinctive mark since it is more readily identified as a source of goods in the minds of the consuming public. The only way to prevent a mark from becoming weakened or crowded by similar marks is to enforce assertively the rights that were granted with the trademark registration – that is, the right to exclude others from using the mark as an indicator of source. This is referred to as “policing” a mark. Successful policing of a mark will add to the strength of a mark to the extent that it prevents weakening of the mark’s distinctiveness in the relevant market. Policing activities are not confined to one venue. They include monitoring new federal and state trademark registrations, filings made by competitors, and now searching the Internet.
Does the Duty to Police Apply to the Internet?
At a minimum, companies need to implement policies that include both the monitoring of trademark misuse and the selective enforcement of rights, particularly when the infringement directly affects business. Doing so should strengthen the ability to prove the distinctiveness of marks without requiring prosecution of every known user. The duty to police extends to the monitoring of the Internet for instances of trademark misuse. For example, under the federal Trademark Cyberpiracy Prevention Act, one who registers a domain name containing another’s trademark with a bad-faith intent to profit from such registration is liable in a civil suit for damages. The U.S. House of Representatives Report on the Trademark Cyberpiracy Prevention Act indicates that, in the view of the House of Representatives, trademark owners are required to police their marks on the Internet, or risk losing their rights in the marks. In discussing the background and the need for the legislation, and the harm that can be caused by cyberpiracy, the House Report says:
Cyberpiracy can hurt businesses in a number of ways. First, a cyberpirate’s expropriation of a mark as part of a domain name prevents the trademark owner from using the mark as part of its domain name. As a result, consumers seeking a trademark owner’s web site are diverted elsewhere, which means lost business opportunities for the trademark owner.
A cyberpirate’s use may also blur the distinctive quality of a mark and, when linked to certain types of Internet activities such as pornography, may also tarnish the mark. Finally, businesses are required to police and enforce their trademark rights by preventing unauthorized use, or risk losing those rights entirely.
The federal courts have similarly discussed a trademark owner’s affirmative duty to police their marks on the Internet. For example, in Hard Rock Café Int’l (USA) Inc. v. Morton, the federal trial court noted that the plaintiff “did not have an adequate program of trademark control, policing, or due diligence in place regarding third-party use of its trademarks on the Internet.” What is interesting to note is the court’s treatment of the proffered evidence. Evidence was introduced showing that the plaintiff was aware of at least 220 Hard Rock-related sites, all of which were “borderline embarrassing.” However, the plaintiff had “done little to police the use of its trademarks and trade names on the Internet.” In discussing these facts, the court stated that “[t]he evidence demonstrates that as of the commencement of this litigation, and as of the trial of this action, [the plaintiff] did not have an adequate program of trademark control, policing, or due diligence in place regarding third-party use of its trademarks on the Internet.” Clearly, the court felt the burden was on the plaintiff to police its mark on the Internet.
Under federal trademark law, trademark owners who fail to police their marks run the risk of marks losing their distinctiveness, and therefore their strength. “The trademark owner who fails to police a mark both shows that he doesn’t really value it very much and creates a situation in which an infringer may have been unaware that he was using a proprietary mark because the mark had drifted into the public domain…” A systematic policing program can provide proof of the strength of the mark. In evaluating the strength of a mark, the federal courts typically conduct an appraisal of the owner’s policing efforts to ensure that whatever distinctiveness or exclusivity originally associated with the mark is not lost through neglect, inattention or consent to infringing uses. For this reason, trademark litigants frequently introduce evidence of their policing activities when prosecuting infringement cases.
Evidence of policing activity is also useful in meeting the burden of proof that a mark has not become generic. For example, in Dupont v. Yoshida, the federal trial court stated that any doubts should be resolved in favor of the trademark holder, especially if he or she can demonstrate having taken appropriate action to counteract or resist indiscriminate use of the mark by others.
While there is clearly a duty to police a trademark, there does not appear to be a “bright line” defining the number of users or type of use that will invalidate or weaken a trademark in U.S. case law. For example, in Microsoft’s trademark dispute against Lindows.com, the federal trial court noted:
[T]he sheer volume of windows-related uses in the computer industry is notable. Microsoft is correct that its decision not to prosecute all the users of its marks…is not an indication of abandonment of the mark… Rather, the ubiquity of “windows” variants in the computer market may tend to show the mark is generic, as distinctiveness can be lost by failing to take action against infringers. If there are numerous products in the marketplace bearing the alleged mark, purchasers may learn to ignore the “mark” as a source of identification.
The Microsoft and Hard Rock cases confirm that the traditional duty to police extends to trademark abuse online. This is consistent with the advice provided by trademark experts in well-regarded treatises and trade publications. Additionally, the Microsoft case clearly demonstrates that not every abuse must be addressed, only that a company must have an active and effective program in place to monitor and respond to online infringements. Thus, the question remains, why do trademark owners hesitate to police their marks over the Internet?
Laches and Other Excuses for Not Policing the Internet
Trademark owners frequently balk at the suggestion that they need to police the Internet. The Internet is vast with new web sites added daily. Further, with thousands of people adding to and revising their web sites by the hour, the content of the Internet is constantly shifting and changing. How can a trademark owner be required to keep pace with all this?
During the early days of the Internet, there was a sort of “caveat emptor” attitude on the Internet, a feeling that the “normal rules” do not apply. It was a new realm, and the laws governing it had not yet been fully developed. The international nature of the Internet made the notion of policing the Internet overwhelming.
Today, the applicability of trademark principles to the Internet is no longer in question. With the enactment of laws such as the Anticybersquatting Consumer Protection Act, the widespread adoption of the ICANN Uniform Dispute Resolution Policy, and the growing body of case law applying trademark law to Internet abuse found in banner ads, metatags, pop-up ads and deep linking, you can no longer hide behind the excuse of “there is nothing I can do because it’s the wild west.” For example, in Louis Vuitton Malletier & Oakley, Inc. v. Veit, the luxury goods manufacturer Louis Vuitton was successful in obtaining a default judgment against the seller of counterfeit goods that registered the domain name louisvuittonreplicas.com. This case resulted in a permanent injunction, the transfer of the domain name, and an award of damages and costs in excess of $1,600,000. Similarly, the publisher of Vogue magazine obtained a permanent injunction against the registrant of teenvogue.com and other domain names because the court recognized that the public was deceived by the confusing use of the famous VOGUE trademarks. These are just some examples of the success that can be achieved if you actively police your marks.
Some trademark owners cite the principle of “laches” as the reason not to police the Internet. Laches is a common-law defense raised when there is an inexcusable delay by a trademark owner in enforcing its rights. To find laches, however, the delay must be so outrageous, unreasonable and inexcusable as to constitute a virtual abandonment of its rights. For example, courts have rejected laches when a trademark holder has waited to file suit until after the infringing use has made an impact on its sales.
Indeed, adopting a systematic program of policing can reduce the likelihood of laches. As noted by Ann Gilson:
A trademark owner that neglects to monitor Web page infringements runs the risk of allowing an infringer to build up rights over a period of months or years, making the infringement more difficult to cure. Similarly, if a trademark owner that becomes aware of a Web page infringement does not challenge promptly, it risks enabling the infringer to successfully raise a defense of laches or acquiescence when the infringement is later attacked. These possibilities, however, do not mean that the trademark owner must go after every cyberpirate that registers obscure variations on marks and maintains inactive web sites. Instead, trademark owners should establish a policy of monitoring the Internet and a policy of documenting and prioritizing Internet issues. These should go a long way toward convincing a court that some delay was inevitable.
Federal courts have resisted finding laches or abandonment where the plaintiff had been vigilant and consistent in preventing the use of its name by others. Thus, a trademark owner need not worry that its online policing program will increase the likelihood of laches or abandonment of its trademark.
Policing the Internet Protects Your Reputation and Brand Investment
Trademark owners that do not police their marks permit their customers to be exposed to undesirable and harmful content on the Internet, thereby damaging the company’s reputation and good name. Unscrupulous operators of pornography, hate sites, politically motivated sites and fraudulent web sites target the unsuspecting customers of the world’s largest banks and multinational corporations. These institutions invest millions of dollars in marketing campaigns aimed at portraying their carefully crafted images to the public. These efforts can be easily jeopardized by cybersquatters, disgruntled employees, and hate-motivated activists targeting major corporations.
Much can be learned from the Internet antics of William Purdy. Mr. Purdy is a purported anti-abortion rights activist who attempted to expand the audience for his anti-abortion rights web site by registering domain names containing variations of famous trademarks, such as mymcdonalds.com, mypepsi.com, drinkcoke.org and washingtonpostsays.com. When consumers visited these sites, they were surprised to find there anti-abortion rights commentary and graphic images of aborted and dismembered fetuses. The content also copied the look and feel of the authentic Washington Post web site featuring the headline “The Washington Post proclaims ‘Abortion is Murder.’” Fortunately, the affected companies caught on to Mr. Purdy. In The Coca-Cola Co. v. Purdy, several companies sued Mr. Purdy and were successful in obtaining a preliminary injunction against him. Affirming the preliminary injunction, the U.S. Court of Appeals for the Eighth Circuit held that the Anticybersquatting Consumer Protection Act provides protection from those who register a domain name with a bad-faith intent to profit by tarnishing and diluting plaintiff’s trademarks and by relying on their good names and goodwill to promote their messages, generating publicity and raising money for supported causes. A permanent injunction was recently entered. Clearly, a well-designed policing program enables a trademark holder to identify quickly and address egregious activity targeted at its customers or its public image.
Policing the Internet Protects Your Customers
A more serious problem facing trademark holders is the increasing prevalence of e-mail “phishing” attacks designed to steal the confidential financial information of consumers. A phishing attack involves the sending of e-mail to consumers that appears to be from their financial institutions, and requests that they update their account information. When the consumer clicks on the link provided in the e-mail, he or she lands on a bogus web site page that prompts the customer to provide account information, passwords and other confidential information, which is later used to siphon funds from the account. According to the Gartner Research firm, more than 57 million American adults have received emails from phishers. With the incidence of e-mail phishing attacks rising dramatically, the federal regulatory agencies have responded by issuing guidance urging banks to monitor their trademarks in an effort to curtail phishing attacks and other Internet-related abuses affecting their customers.
Financial institutions are not the only businesses affected by phishing attacks. Today’s cyber-criminals have expanded their attacks to the customers of retail companies such as online auction, travel and software companies. Trademark holders, particularly those in the retail and financial industries, should be proactive in their policing to identify the types of online abuse that could expose their customers to identity theft and fraud.
Failing to Police the Internet Can Jeopardize Your Business
U.S. trademark law today, as noted above, requires a certain amount of policing to maintain the strength of a trademark. This requirement does not limit the areas that must be monitored or the manner in which the goods are distributed. It also is not limited to that which originates in the United States. If a foreign manufacturer markets or promotes a product in the United States, it is subject to the trademark laws of the United States. The Internet, which is international in nature, is one of the areas that should be monitored in order to understand how your marks may be infringed upon by foreign-sourced products.
In the early days of the Internet, many trademark holders policed their marks by using search engines to identify instances of abuse. While this method of policing highlights some examples of online abuse, it is no longer sufficient to identify the types of cybersquatting activity associated with fraud, counterfeit goods, typosquatting and offensive content. These types of abuses stem from registering domain name variations or misspellings that do not need the help of a search engine to reach their targeted audience. For this reason, the Federal Deposit Insurance Corp. has urged banks to monitor the registration of new domain names containing variations of their brands. Domain name monitoring services are effective in identifying many types of brand abuse, such as that experienced in the Louis Vuitton and Vogue International cases highlighted above.
Fortunately, monitoring of the Internet has evolved into a manageable task for trademark owners. There are now many services available to monitor your marks online. These services can quickly filter through millions of Internet pages in order to identify the most egregious instances of abuse for action by the trademark holder. Capabilities are available through service providers to help identify marks in domain names, titles, metatags, hidden text and within web site content itself. These services can help prioritize activities and provide evidence to take action against infringers.
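To make the domain-name monitoring described above concrete, here is an added example (not MarkMonitor's code or the author's) that screens a feed of newly registered domain names for verbatim and near-miss uses of protected marks; the feed, the mark list and the digit-to-letter confusable map are all constructed assumptions.

```python
# Added example (not MarkMonitor's code): screen newly registered domain names
# for protected marks. Feed, mark list and confusable map are constructed.
NEW_DOMAINS = [                  # constructed feed of "new registrations"
    "louisvuittonreplicas.com",  # litigated domain named in the article
    "teenvogue.com",             # litigated domain named in the article
    "mymcdonalds.com",           # litigated domain named in the article
    "micros0ft-support.net",     # constructed: digit swapped for a letter
    "vouge-fashion.com",         # constructed: adjacent letters transposed
    "example.org",               # constructed: unrelated registration
]
MARKS = ["louisvuitton", "vogue", "mcdonalds", "microsoft"]  # as written in a label
CONFUSABLES = str.maketrans("0135", "oles")  # assumed digit-to-letter look-alikes

def label_of(domain):
    """Registrable label, assuming a single-part TLD such as .com or .net."""
    return domain.lower().rsplit(".", 1)[0]

def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1, so 'vouge' is one edit from 'vogue'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def match_mark(domain, marks=MARKS, max_distance=1):
    """Return (mark, reason) for the first mark the domain resembles, else None.
    'contains' flags verbatim embedding (teenvogue.com); 'near-miss' flags a
    hyphen-delimited token within max_distance edits after confusable mapping."""
    normalized = label_of(domain).translate(CONFUSABLES)
    compact = normalized.replace("-", "")
    for mark in marks:
        if mark in compact:
            return mark, "contains"
    for mark in marks:
        for token in normalized.split("-"):
            if osa_distance(token, mark) <= max_distance:
                return mark, "near-miss"
    return None

def triage(domains, marks=MARKS):
    """Build the review queue: one record per flagged domain, feed order kept.
    A short mark with max_distance=1 also catches ordinary words (vague/vogue),
    so the queue is input for human review, not automatic enforcement."""
    queue = []
    for domain in domains:
        hit = match_mark(domain, marks)
        if hit:
            queue.append({"domain": domain, "mark": hit[0], "reason": hit[1]})
    return queue
```

The records that `triage` returns are the kind of documented, prioritized evidence the article says a policing program should keep.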
The Internet has grown in importance as a business source. Companies have reduced costs by using the Internet to provide critical business functions, such as sales, customer service, channel management and employee training. Failure to police your marks and monitor your brand use online can have a negative impact on your business in terms of lost revenue, damaged reputation and a weakened trademark position. Don’t ignore monitoring this important venue. Policing your brand online is no longer optional – it’s a business requirement.
(Originally published in slightly different form by MarkMonitor. Republished with permission.)
The Intellectual Property Subcommittee of the Cyberspace Committee is devoted to the study of intellectual property issues as they relate to the Internet and electronic commerce. For more information, contact I.P. Subcommittee co-chairs Eric Goldman or John E. Ottaviani.