Avoiding Infringement: Trademarks

Archive for the ‘Operations Security’ Category

Avoiding Infringement: Trademarks

Posted by

When designing trademarks, the organization has a responsibility to ensure that the new mark is not infringing on an existing mark. There was a case in 1998 where Tommy Hilfiger was assessed for damages on the “Star Class” trademark. Hilfiger had his attorney perform a search of federally registered marks, but failed to search state and common marks. This lead to damages as Hilfiger was not shown to have performed due diligence in the duty to search. New trademarks – whether it is a product name, service name, slogan, domain name, or other initiative – should be thoroughly researched to ensure that there is not a use in the federal or state registration systems, or in the commons.

When reusing another organization’s trademark, reasonable effort should be put forward to use the exact mark and include the ™ trademark symbol as appropriate. Many firms have restrictions on how their logo and mark can be used (for example, on a partner’s website or a business card.) These restrictions must be researched and understood. In doing so, an organization can avoid accidental misuse of another firm’s IP.

Avoiding Infringement

Posted by

April is Copyright Awareness month according to the Copyright Society of the USA. This article is part of a series delving into the topics of trademarks, copyrights, patents and trade secrets. Follow the tag “Intellectual Property” to read all the articles.

An information security professional has a duty to his organization to protect its information assets, and a duty to his profession to ensure the organization’s technology is not used for illegal activity. The next four articles cover Intellectual Property from the perspective of avoiding infringement.

Protecting your assets: Trade secrets

Posted by

The purposes of copyright and patents are to publicly distribute and protect intellectual property, while trade secrets are used to privately hold and use IP. While the information security field is naturally cautious of security through obscurity, keeping specific aspects of an organization’s processes and knowledge secret can provide an advantage. To define a trade secret, three items must be present: “the information is not generally known or ascertainable by proper means; the information has economic value; the owner of the secret must use reasonable efforts to maintain secrecy. (Stim, 2001)”

Demonstrating due care and due diligence in guarding an organization’s information systems and informational assets is critical in keeping trade secrets undisclosed, and prosecuting competitors should the secrets by discovered. “The enforcement of trade secret protection is time-consuming and expensive later on. Generally, the proof required consists of a showing that there was an active security program in place that was sufficient to protect the information as confidential (Bosworth & Kabay, 2002).”

There are several ways to protect trade secrets. The information security program and the controls over access (both physical and digital) play a role. Agreements – confidentiality, non-disclosure, and third-party – can also be used to restrict people who have access to the trade secret from communicating it out. The agreements can be used in breach of contract suits to prevent the trade secret from being released or to seek compensation for its release. In addition, the “inevitable disclosure doctrine” can be enacted to prevent employees who have access to sensitive information from leaving for a competitor where that information will naturally be a part of their role.

 

References:

Bosworth, S., & Kabay, M. E. (2002). Computer Security Handbook, 4th Edition. New York: John Wiley & Sons, Inc.
Stim, R. (2001). Intellectual Property: Patents, Trademarks, and Copyrights, 2nd Edition. Albany: Delmar.

Protecting your assets: Patents

Posted by

Copyright protects the expression, while patents protect both the expression and the underlying idea. For innovative intellectual property that required up-front capital expenditures and may have a long sales cycles, (e.g. durable goods in established industries), the patent is ideal. Years of sales may be necessary to realize the return from the initial reduction to practice investment. The patent provides a 20-year guaranteed monopoly over the idea and its sale.

What can be patented? The “smell test” used on the intellectual property that is applying for patent is that it is useful, novel, and non-obvious. The IP could be a composition of matter, a machine or a transformative process. Certain things cannot be patented, including: scientific principles, mathematic formulas, methods of doing business, and natural processes and compositions. Processes may be patented if they meet the “machine-or-transformation” test (that is, the process requires a mechanism or substantially transforms matter). Even here, if the process does not require specialized machinery or directly transform matter, it still may be patentable. The “smell test” and “machine-or-transformation” tests are two of many tests that the UPSTO uses when deciding on the patentability of an idea.

Once filed and granted, the patent becomes publically accessible on the UPSTO and other websites. The concern becomes, of course, infringement of the organization’s patent property. The infringement can be literal infringement: someone copies the property in its entirety and exactly. An infringement can be substantially the same as the original machine and produce substantially the same results. Under the “doctrine of equivalents”, the organization could push forward with an infringement suit to stop the opposing firm from selling the similar machine. The organization’s patented IP is also protected from other firms reproducing the core design and providing basic improvements. Should a product be found to infringe on the organization’s patents in any of these ways, an injunction can be filed to stop production and protect the organization’s market share and sales.

Protecting your assets: Copyrights

Posted by

Copyright can be contentious issue for security practitioners weaned on open source and raised on Slashdot. It is important to remember that open source licenses, Copyleft, and Creative Commons are themselves imaginative hacks on traditional copyright law. It is copyright that makes these alterative licenses possible.

The purpose of Copyleft and Creative Commons is simple: disperse information as widely and as freely as possible. The purpose lines up neatly with the hacker ethic. Information wants to be free, after all, and these licenses are ways to ensure its freedom while still maintaining some protective controls for the author. The purpose is in turning works into generative pieces. Standard copyright reserves all rights for the author.

The decision on the copyright license to use lies with the organization. Specifically, the designated owner of the information asset is charged with making these decisions. As the security managers for the information networks, our responsibility is to educate the designated owner and ensure that the decisions are enforced correctly and consistently.

Copyrighting a document has a few obvious requirements. The document must be original and not infringe on other’s existing copyrights. It must be fixed form, like a document, image, or an audio/visual recording. Architectural plans and software source code can also be copyrighted. The copyright protects a given expression of an idea, but not the idea itself. Thus an architecture plan that is copyrighted protects the plan itself, but not the ideas behind designing the plan. Software copyrights are similar. The copyright protects the specific source code but not the underlying idea, method, or algorithm. Copyrighted works must be substantive. A short phrase, a brief sound clip, a plan for a room’s walls, and a short code snippet all are non-copyrightable.

Copyright provides specific protections. Other organizations cannot copy without permission (unless permission has been granted with Creative Commons or similar licensing). People and firms that buy copyrighted material, however, do have extended rights (called First Sale doctrine) to resell or redistribute the purchased copy. Similarly, the Right to Adapt exists that gives control over derivative works are produced to the original author. End user license agreements can be tailored to avoid First Sale doctrine and Right to Adapt. These licenses provide tighter control over how the property is used.

The commercial impact of unauthorized works is taken into account in copyright infringement cases. The end users can still reuse and create the document under Fair Use. Fair Use allows remixes based on four conditions: how different and unique the new content is, the nature of the work, the amount of the original copyrighted material in the new material, and the effect on the market. Evidence of the market effect may be present in the information systems. The evidence, for example, may be in sales trends, in store traffic, or in web site traffic. It is, therefore, important that copyright protection mechanism include systems that gather, correlate, and maintain statistics on use.

Copyright materials can be registered with the United States Patent and Trademark Office (USPTO). Simply affixing the © symbol to a work (or corresponding Creative Commons symbol) creates an enforceable copyright. Copyright protects intellectual property for the life of the longest living author plus a period of 70 years. Works for hire, created for a firm for pay, are protected for 95 years from the date of first published or 120 years from when the material was created, whichever is less.

Strategies for allowing guest access

Posted by

From time to time, guests and other non-employees will need access to an organization’s network. This poses a bit of risk as their equipment has an unknown security posture. It is not unheard of for a vendor to bring a fast spreading worm into an organization, and give it free reign behind the firewall. Oh it is always on accident to be sure, but there is damage nonetheless.

What are some of the strategies for allowing access while minimizing risk?

Kiosks. This falls under the “don’t do it” line of thinking. Rather than allow guest access onto the network, provide guest accounts to kiosk computers thru out the facility. Pros: no risk from infected computers; controlled environment. Cons: reduced collaboration; increased equipment costs; may cause political pushback.

Trust but verify. Dispatch a support person to scan any notebooks or media the vendor is bringing in. Ensure it meets your security standards. Have the guest sign an acceptable use policy. Pros: reduced risk of infected computers brought into the environment. Cons: increased personnel costs; decreased responsiveness time (which may translate to dollars, if the consultant cannot work; may cause political pushback.

Trust but segment. Put computers not managed by the organization onto a separate network. I have seen this done two ways. Use network-level authentication and route computers onto a wired vlan. Alternatively, use network-level authentication to block all non-managed devices, and then provide guest wireless. Either way, keep the guest traffic separate from trusted traffic.

Trust but really segment. Take the last one a few notches further. I have seen separate network switches used for guests and production. The air gap is a good measure to prevent against accidental misconfiguration. I have also seen separate Internet connections, to avoid the guest traffic competing for bandwidth.

Those are some options. Are you using one that I did not cover? Let’s discuss.