Tuesday, August 18, 2015

Copyrighting Software? Don’t Rely on Screenshots Alone!

(This was cross-posted on August 18, 2015)

In a recent decision, the Second Circuit Court of Appeals held that a copyright application solely directed to screen shots generated from a software program was insufficient to establish copyright rights in the software as a whole, for purposes of giving the plaintiff a right to sue for infringement of the software. In A Star Group, Inc. v. Manitoba Hydro, the Second Circuit considered whether a plaintiff had jurisdictional standing to file suit for copyright infringement relating to its software – specifically because the plaintiff applied for copyright protection only over screen shots showing various displays that appear when its software was used and not in the software as a whole. (A Star Group, Inc. v. Manitoba Hydro, No. 14-2738-cv (2d Cir. July 27, 2015), affirming No. 13 Civ. 4501, 2014 WL 2933155 (S.D.N.Y. June 30, 2014) – BNA’s cite: 2015 BL 238362.)

The Copyright Office’s guidance for seeking registration of software (http://www.copyright.gov/circs/circ61.pdf) advises that at least some portion of the source code (subject to modifications due to trade secret claims) must be deposited with the Application in order to qualify for copyright registration in the software. In addition, the Copyright Office has confirmed that, “The registration [in computer software] will extend to any copyrightable screens generated by the program, regardless of whether identifying material for the screens is deposited.” (Circular 61, at 3). If, instead, the applicant wanted to protect only certain design elements, then the applicant could apply for protection of only those elements as “works of visual arts.”

In the case at hand, A Star filed its application for registration the day before it filed a complaint in federal court for copyright infringement of its software. The copyright application only covered the screen shots; the deposit contained “operations risk reports, in the form of charts and graphs, apparently generated by the Timetrics software.” A Star did not apply for copyright registration in the software as a whole, nor did it submit a copy of the source code (either complete or excerpted due to trade secret claims) to the Copyright Office.

In its complaint, however, A Star described itself as “the owner of copyright rights to Timetrics software and related documentation, including without limitation, Timetrics screenshots, graphic representations, data compilations, source code, object code, programming tools and documentation related to Timetrics technology and derivative works thereof.” Essentially, it asserted copyright ownership in a much broader collection of works than what was covered in its application for copyright registration.

The district court concluded that A Star’s infringement case was “deficient” because it had not completed its copyright application before filing suit. The district court also declined to allow A Star the opportunity to amend its complaint to refer to a subsequent registration of the screen shots alone, concluding that the plaintiff had failed to tie the alleged infringement (of the software) to the registered copyright rights (in the screen shots) and thus had failed to allege how or when the defendant allegedly copied the copyrighted works.

The Second Circuit agreed with the conclusion – but for different reasons. The Second Circuit decided not to reach the ultimate question of whether a pending copyright application could meet the jurisdictional requirement for registering a copyright before filing an infringement lawsuit (see Psihoyos v. John Wiley & Sons, Inc., 748 F. 3d 120, 125 (2d Cir. 2014) (collecting cases regarding the different standards for registration before filing copyright infringement suits across various districts)), and instead affirmed the dismissal on more basic grounds – that the plaintiff failed to identify how the defendant allegedly infringed the copyright in the screen shots.

As a result – software developers who seek to protect their code through copyright should apply for registration of every critical aspect of their software in order to obtain maximum protection against potential infringement. If the purpose is to protect the code, then the rights in the code should be claimed and a copy of the full source code (redacted if needed to account for trade secrets) should be submitted to the Copyright Office. If there is a user manual to be protected, that should be claimed and a copy submitted as well. While copyright protection exists the moment the “work is fixed in a tangible medium of expression,” a litigant cannot seek judicial redress for potential infringement unless the registration of the work sought to be protected has been accomplished BEFORE filing suit.

Copyright (c) 2015 by Christina D. Frangiosa All Rights Reserved.

Monday, April 13, 2015

Common Questions – Benefits of Trademark Searching

(This was cross-posted on April 13, 2015)

Searching for potentially competing trademarks before you go through the time and expense of developing a strong brand is a very worthwhile exercise, but it costs money – and sometimes clients can be reluctant to spend the money if it's not technically "required" to do so.

Trademark searching is not required before you file an application for federal trademark registration with the U.S. Patent & Trademark Office (USPTO), but it is highly recommended. Here are a few reasons why:

1) The USPTO's filing fees are non-refundable if an Examining Attorney refuses registration of your mark based on a pre-existing application or a registration owned by another;
2) The owner of the pre-existing mark could send you a cease and desist letter demanding that you stop using their mark, change your mark, perhaps destroy products or advertising material that uses the mark, seek disgorgement of profits for earnings using their mark or seek other remedies; and
3) The whole point of developing a valuable trademark (or service mark) is to create "source identification" – basically, to allow the consuming public to associate your unique mark with you. And only you. This value is undermined if there are lots of marks that are very similar to the one you ultimately adopt and use.

There are different levels of searching that can be beneficial – depending on your circumstances. They include:

Brief Internet Search – While this level of searching would not give you a comprehensive picture of all potential risks in adopting and using a mark, it's a good first step. You might find an exact match that would cause you to change your brand strategy. But, again, it's not complete and other risks may still exist.

Knockouts/Screenings – This search only targets the USPTO's database of federal trademark registrations and pending applications, focusing on close matches to see whether there might be an absolute bar to your application. Again, not a complete picture of potential conflicting marks, but it might find exact matches you want to avoid.

Full Searches – Using various tools and databases, this search looks for competing trademark uses in the USPTO's database, state registration databases, at common law, in corporate registrations, domain names, the Internet and other relevant resources. These searches may be performed by commercial vendors, whose charges to undertake these searches will vary based on particular circumstances.

Design searches (looking for logos or other designs) and/or international searches (scope and cost can vary based on jurisdictions) may also be relevant to confirm that a mark you propose to use in a particular market is clear.

Each set of search results should be reviewed and discussed with your trademark attorney to determine whether a particular mark can be considered "clear" and available for use – or perhaps poses a risk because of certain search results. Sometimes search results from either a quick or knockout search will cause you to want to dig deeper to be sure that a mark is clear for use or simply change your mark and start over.

Once you have received the results of a search – and have consulted with your attorney to figure out how much weight to give the results – you can decide whether to pursue an application for federal registration or to modify a litigation defense strategy, if you've already received a cease and desist letter.

In either event, search results can go stale because a new application can be filed or use of a mark can begin almost immediately after the results have been obtained. As a result, you should not sit on search results too long before taking your next step. If substantial time has passed, you may want to revisit the search and perform an update to be sure nothing new has been filed.


Tuesday, February 10, 2015

Why Privacy Policies Must be Personalized

(This was cross-posted.)

The best argument for why companies should never simply copy and paste the text of another entity's privacy policy onto their own website can be found in the recent announcement by the FTC of a settlement reached with Snapchat – relating to misrepresentations contained in the Privacy Policy, among other things. (Snapchat is not alleged to have used someone else's Privacy Policy as its own; however, its mistakes in its public statements about its products illustrate fully that companies should say what they mean, and mean what they say in their privacy policies!)

The FTC's Complaint Against Snapchat

On December 31, 2014, the Federal Trade Commission (FTC) announced its approval of a final order settling charges against Snapchat for deceptive trade practices in the form of:
1) Snapchat's misrepresentations to consumers that images or videos shared through Snapchat would actually disappear within the timing set by the consumer (and in no event more than 10 seconds after shared);
2) False promises that if a recipient were to take a screenshot of the image, the sender would be notified; and
3) Misrepresentations about the nature and scope of the data actually collected from a user's phone through Snapchat's Find Friends tool.
See also "FTC Approves Final Order Settling Charges that Snapchat Deceived Users," Bloomberg BNA, Social Media Law & Policy Report (Jan. 5, 2015); see also In re Snapchat, Inc., FTC No. 132-3078, Final Order (Dec. 23, 2014).
In addition to these claims about Snapchat's misrepresentations about its data collection and use, the FTC also alleged that Snapchat failed to secure its Find Friends feature, which failure resulted in a security breach in December 2013 relating to a database of 4.6 million Snapchat usernames and phone numbers. FTC Press Release, "Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False; Snapchat Also Transmitted Users' Location and Collected Their Address Books Without Notice or Consent" (May 8, 2014).

Settlement with the FTC
On December 23, 2014, following the public comment period, the FTC formalized its complaint and gave final approval to the settlement, which requires Snapchat to:
  1. Implement a comprehensive privacy program that will be monitored by an independent privacy professional (a third-party whom Snapchat has to pay) for the next 20 years;
  2. Hire this independent privacy professional to conduct a follow up review every two years and provide a compliance report to the FTC;
  3. Conduct this two-year review until December 23, 2034;
  4. Revise Snapchat's privacy policy, product descriptions, advertising and any other public statements to disclose accurately the following:
    • The extent to which a message is deleted after being viewed by the recipient;
    • The extent to which Snapchat or its products/services are capable of detecting or notifying the sender when a recipient has captured a screen shot or saved a message;
    • The categories of personal information that Snapchat actually collects; and
    • The steps taken to protect against misuse or unauthorized disclosure of covered information.
  5. Maintain records for at least five (5) years of the following types of documents:
    • Every communication to consumers about the extent to which Snapchat "maintains and protects the privacy, security and confidentiality of any covered information";
    • All consumer complaints directed at Snapchat, or forwarded to Snapchat by a third party, that relate to the conduct prohibited by this order and any responses to such complaints;
    • Any documents that contradict, qualify, or call into question Snapchat's compliance with this order; and
    • All materials relied upon to prepare the required Assessment, "including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, for the compliance period covered by such Assessment."
Id. Lest anyone mistakenly believe that these consequences are not serious because there is no monetary penalty assessed, note that Snapchat risks civil penalties of $16,000 per violation per day if it fails to abide by these terms. See Letters to Commentators, at 1 (Dec. 23, 2014) (as provided by Section 5(1) of the FTC Act, 45 U.S.C. § 45(1), as adjusted by 16 C.F.R. § 1.98(c)).
Also note that the preparation of each of the items identified above will "cost" Snapchat money in terms of employee, consultant and/or contractor time, and in taking these resources away from working on money-making endeavors, whether they receive salaries or some other compensation.

Similar Settlement with Maryland Attorney General
In the midst of this dispute with the FTC, in June 2014, Snapchat settled a similar complaint with the Maryland Attorney General.
In its Complaint, the Maryland AG accused Snapchat of collecting data from its users' electronic address books without their knowledge or consent and "knowingly collect[ing] e-mail addresses and photographs from users younger than 13." "Snapchat to Pay $100,000 in Settlement with Maryland Over Privacy of User Snaps," Bloomberg BNA Social Media Law & Policy Report (June 12, 2014); Jeff Clabaugh, "Snapchat pays Maryland $100K in settlement," Washington Business Journal (June 12, 2014).
The settlement agreement with the Maryland Attorney General requires Snapchat to:
  1. Create and publicize mechanisms for users to report accounts that may be used by children;
  2. Provide notice and affirmative consent before Snapchat could collect any address book data – and this notice must appear separately from the user's agreement to the general terms of service; and
  3. Provide Maryland with annual reports for the next 10 years, documenting its compliance with the settlement.

CONCLUSION: Privacy Policies Must be Customized

There is no single, standard form privacy policy. Instead, privacy policies have evolved as a place where web sites disclose to users what data are collected, from which users, and how the data are then used. Privacy policies must disclose correctly how that particular site collects and uses data. See Privacy Policy, Wikipedia (last modified Jan. 10, 2015) (provides a good summary of the history of privacy policy development).
As a result, never simply block and copy an entity's Privacy Policy and adopt it as your own. You have no idea why the other entity included the technical and/or detail-oriented promises in its Privacy Policy, and simply copying because it "looks good" is a bad idea and can subject you to enforcement liability.
In fact, the only promises that should appear in your Privacy Policy about what you do with data, cookies, personal information, or other data you collect from a user's device are those things you actually do.
Christopher Olsen, assistant director of the Division of Privacy and Identity Theft Protection in the FTC's Bureau of Consumer Protection, actually stated it best:

"The agency [the FTC] certainly supports and encourages the development of privacy protective products, but if there is one message we want to make sure is clear today, it is that, if you make promises about privacy, you must honor those promises; otherwise you risk FTC enforcement action."

"Snapchat Settles FTC Accusations of Failure to Purge 'Snaps' by Senders," Bloomberg BNA Social Media Law & Policy Report (May 8, 2014).

Wednesday, January 28, 2015

New Blog Post in Honor of Data Privacy Day

As you may recall, this blog has now moved to http://www.privacyandiplawblog.com. Earlier today, I posted on Data Breach Planning for Small Businesses in honor of Data Privacy Day. I look forward to your feedback!

Data Breach Planning for Small Businesses

Many of the top stories last year related to data breach – from the Target breach during the Christmas Shopping Season (Dec. 2013: Prior Post, Small Business Magazine article; additional news coverage) to the UPS Store data breach during the summer (Aug. 21, 2014) to, more recently, the intentional hacking of Sony Pictures' servers (Nov. 24, 2014) and Staples' data breach (Dec. 19, 2014).
It would be easy to believe that data security breaches happen only to large organizations, but such a belief would be mistaken. In the last year, a number of smaller companies have experienced breaches of the records they maintain. These can occur in at least two ways – 1) they may be the third-party vendor through whom hackers invade a larger company like Target or Home Depot; or 2) they use a third-party vendor who experiences a breach that impacts the smaller company's customers.

Using Small Businesses as Door Opener

In the case of Target, for instance, the initial open door to Target's point-of-sale system came through a third-party vendor – an HVAC company that had legitimate access to Target's systems for purposes of billing, contract submission and project management. Michael Riley, Ben Elgin, Dune Lawrence and Carol Matlack, "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It," Bloomberg Business Week, Mar. 13, 2014.

The hackers used stolen login credentials from this HVAC company to gain access to Target's systems. The end result? More than 40 million credit card numbers were breached, and over 70 million records containing personally identifiable information ("PII") were stolen. Sara Germano, Robin Sidel and Danny Yadron, "Target Faces Backlash After 20-Day Security Breach," Wall Street Journal, Dec. 19, 2015 (subscription may be required).

This breach occurred despite Target's investment in a $1.6 million security system. See Riley Article.

A similar breach – using stolen passwords from a third-party vendor who provided services to Home Depot – happened in November 2014 that resulted in information about more than 50 million of Home Depot's customer accounts being breached. Ben DiPietro, "Retailer Breaches Put Spotlight on Vendor Contracts," Wall Street Journal Risk & Compliance Blog, Nov. 12, 2014.

Breaches Affecting Small Business's Customers Because of a Vendor's Breach

More locally, in September of 2014, local news reported that more than two dozen restaurants in the Bucks County area were hacked through their use of a common payment card system. Many of these restaurants were of the hoagie/sandwich shop size.

Most Common Sources of Data Breach

According to a recent study by the Ponemon Institute, the most common "root causes" of data breach are (some of these may overlap):
  • Malware – 44%
  • Trusted insider (inadvertent) – 30%
  • Hacker – 27%
  • SQL Injection – 26%
  • Password compromise – 24%
  • Targeted attack – 19%
  • Trusted insider (malicious) – 15%
  • Lost, stolen or hijacked device – 12%
Ponemon Institute Research Report, "2014: A Year of Mega Breaches," at 11, Jan. 21, 2015.

Lessons Learned Moving into 2015

The lesson here is NOT to ignore the potential for data breach based on an assumption that your company is too small for it to happen to you. Indeed, sometimes small companies have the "keys to the kingdom" to allow a malicious actor to gain access to a larger pool of data – and the smaller company may not have a large budget for data security.

However, it is critical to start planning for the possibility:

1) Develop an incident response plan that is appropriate for your business. Cover both paper and electronic data in your plan – loss of either can constitute a "breach" depending upon the specific law that applies. Involve key stakeholders in your planning.
2) Examine how you use data and where they are stored. Ask a key question: Do you need to keep those data? If not, destroy them securely (some states have data destruction laws with which you need to comply – see prior post). Do not hold onto sensitive data "just in case" you may need it later – these data can actually cause more problems if you do not actually need them.
3) Work with your IT department (or outside consultant) to ensure that your internal systems do not permit outsiders to gain unauthorized access, and lock them down if they do.
4) Work with your attorney to put any protective policies into place (such as incident response plans, BYOD or document retention policies) to make sure your procedures match your expectations.

Most importantly, it's not "if" a breach will occur – it's when, and how bad it will be. Prepare now, and perhaps you can reduce the impact.