Patch Up – Log4j and How to Avoid a Cybercrime Christmas

A vulnerability so dangerous that Cybersecurity and Infrastructure (CISA) Director Jen Easterly called it “one of the most serious [she’s] seen in [her] entire career, if not the most serious” arrived just in time for the holidays. On December 10, 2021, CISA and the director of cybersecurity at the National Security Agency (NSA) began alerting the public of a critical vulnerability within the Apache Log4j Java logging framework. Civilian government agencies have been instructed to mitigate against the vulnerability by Christmas Eve, and companies should follow suit.

The Log4j vulnerability allows threat actors to remotely execute code both on-premises and within cloud-based application servers, thereby obtaining control of the impacted servers. CISA expects the vulnerability to affect hundreds of millions of devices. This is a widespread critical vulnerability and companies should quickly assess whether, and to what extent, they or their service providers are using Log4j.

Immediate Recommendations

  • Immediately upgrade all versions of Apache Log4j to 2.15.0.
  • Ask your service providers whether their products or environment use Log4j, and if so, whether they have patched to the latest version. Helpfully, CISA sponsors a community-sourced GitHub repository with a list of software related to the vulnerability as a reference guide.
  • Confirm your security operations are monitoring internet-facing systems for indicators of compromise.
  • Review your incident response plan and ensure all response team information is up to date.
  • If your company is involved in an acquisition, discuss the security steps taken within the target company to address the Log4j vulnerability.

The versatility of this vulnerability has already attracted the attention of malicious nation-state actors. For example, government-affiliated cybercriminals in Iran and China have a “wish list” (no holiday pun intended) of entities that they are aggressively targeting with the Log4j vulnerability. Due to this malicious nation-state activity, if your company experiences a ransomware attack related to the Log4j vulnerability, it is particularly important to pay attention to potential sanctions-related issues.

Companies with additional questions about the Log4j vulnerability and its potential impact on technical threats and potential regulatory scrutiny or commercial liability are encouraged to contact counsel.

© 2021 Bracewell LLP

OFAC Reaffirms Focus on Virtual Currency With Updated Sanctions Law Guidance

On October 15, 2021, the US Department of the Treasury’s Office of Foreign Asset Control (OFAC) announced updated guidance for virtual currency companies in meeting their obligations under US sanctions laws. On the same day, OFAC also issued guidance clarifying various cryptocurrency-related definitions.

Coming on the heels of the Anti-Money Laundering Act of 2020—and in the context of the Biden administration’s effort to crackdown on ransomware attacks—the recent guidance is the latest indication that regulators are increasingly focusing on virtual currency and blockchain. In light of these developments, virtual currency market participants and service providers should ensure they are meeting their respective sanctions obligations by employing a “risk-based” anti-money laundering and sanctions compliance program.

This update highlights the government’s continued movement toward subjecting the virtual currency industry to the same requirements, scrutiny and consequences in cases of noncompliance as applicable to traditional financial institutions.

IN DEPTH

The release of OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry indicates an increasing expectation for diligence as it has now made clear on several occasions that sanctions compliance “obligations are the same” for virtual currency companies who must employ an unspecified “risk-based” program (See: OFAC Consolidated Frequently asked Questions 560). OFAC published it with the stated goal of “help[ing] the virtual currency industry prevent exploitation by sanctioned persons and other illicit actors.”

With this release, OFAC also provided some answers and updates to two of its published sets of “Frequently Asked Questions.”

FAQ UPDATES (FAQ 559 AND 546)

All are required to comply with the US sanctions compliance program, including persons and entities in the virtual currency and blockchain community. OFAC has said time and again that a “risk-based” program is required but that “there is no single compliance program or solution suitable for all circumstances” (See: FAQ 560). While market participants and service providers in the virtual currency industry must all comply, the risk of violating US sanctions are most acute for certain key service providers, such as cryptocurrency exchanges and over-the-counter (OTC) desks that facilitate large volumes of virtual currency transactions.

OFAC previously used the term “digital currency” when it issued its first FAQ and guidance on the subject (FAQ 560), which stated that sanctions compliance is applicable to “digital currency” and that OFAC “may include as identifiers on the [Specially Designated Nationals and Blocked Persons] SDN List specific digital currency addresses associated with blocked persons.” Subsequently, OFAC placed certain digital currency addresses on the SDN List as identifiers.

While OFAC previously used the term “digital currency,” in more recent FAQs and guidance, it has used a combination of the terms “digital currency” and “virtual currency” without defining those terms until it released FAQ 559.

In FAQ 559, OFAC defines “virtual currency” as “a digital representation of value that functions as (i) a medium of exchange; (ii) a unit of account; and/or (iii) a store of value; and is neither issued nor granted by any jurisdiction.” This is a broad definition but likely encompasses most assets, which are commonly referred to as “cryptocurrency” or “tokens,” as most of these assets may be considered as “mediums of exchange.”

OFAC also defines “digital currency” as “sovereign cryptocurrency, virtual currency (non-fiat), and a digital representation of fiat currency.” This definition appears to be an obvious effort by OFAC to make clear that its definitions include virtual currencies issued or backed by foreign governments and stablecoins.

The reference to “sovereign cryptocurrency” is focused on cryptocurrency issued by foreign governments, such as Venezuela. This is not the first time OFAC has focused on sovereign cryptocurrency. It ascribed the use of sovereign backed cryptocurrencies as a high-risk vector for US sanctions circumvention. Executive Order (EO) 13827, which was issued on March 19, 2018, explicitly stated:

In light of recent actions taken by the Maduro regime to attempt to circumvent U.S. sanctions by issuing a digital currency in a process that Venezuela’s democratically elected National Assembly has denounced as unlawful, hereby order as follows: Section 1. (a) All transactions related to, provision of financing for, and other dealings in, by a United States person or within the United States, and digital currency, digital coin, or digital token, that was issued by, for, or on behalf of the Government of Venezuela on or after January 9, 2018, are prohibited as of the effective date of this order.

On March 19, 2018, OFAC issued FAQs 564, 565 and 566, which were specifically focused on Venezuela issued cryptocurrencies, stating that “petro” and “petro gold” are considered a “digital currency, digital coin, or digital token” subject to EO 13827. While OFAC has not issued specific FAQs or guidance on other sovereign backed cryptocurrencies, it may be concerned that a series of countries have stated publicly that they plan to test and launch sovereign backed securities, including Russia, Iran, China, Japan, England, Sweden, Australia, the Netherlands, Singapore and India. With the release if its most recent FAQs, OFAC is reaffirming that it views sovereign cryptocurrencies as highly risky and well within the scope of US sanctions programs.

The reference to a “digital representation of fiat currency” appears to be a reference to “stablecoins.” In theory, stablecoins are each worth a specified value in fiat currency (usually one USD each). Most stablecoins were touted as being completely backed by fiat currency stored in segregated bank accounts. The viability and safety of stablecoins, however, has recently been called into question. One of the biggest players in the stablecoin industry is Tether, who was recently fined $41 million by the US Commodities Futures Trading Commission for failing to have the appropriate fiat reserves backing its highly popular stablecoin US Dollar Token (USDT). OFAC appears to have taken notice and states in its FAQ that “digital representations of fiat currency” are covered by its regulations and FAQs.

FAQ 646 provides some guidance on how cryptocurrency exchanges and other service providers should implement a “block” on virtual currency. Any US persons (or persons subject to US jurisdiction), including financial institutions, are required under US sanctions programs to “block” assets, which requires freezing assets and notifying OFAC within 10 days. (See: 31 C.F.R. § 501.603 (b)(1)(i).) FAQ 646 makes clear that “blocking” obligations applies to virtual currency and also indicates that OFAC expects cryptocurrency exchanges and other service providers be required to “block” the virtual currency at issue and freeze all other virtual currency wallets “in which a blocked person has an interest.”

Depending on the strength of the anti-money laundering/know-your-customer (AML/KYC) policies employed, it will likely prove difficult for cryptocurrency exchanges and other service providers to be sure that they have identified all associated virtual currency wallets in which a “blocked person has an interest.” It is possible that a cryptocurrency exchange could onboard a customer who complied with an appropriate risk-based AML/KYC policy and, unbeknownst to the cryptocurrency exchange, a blocked person “has an interest” in one of the virtual currency wallets. It remains to be seen how OFAC will employ this “has an interest” standard and whether it will take any cryptocurrency exchanges or other service providers to task for not blocking virtual currency wallets in which a blocked person “has an interest.” It is important for cryptocurrency exchanges or other service providers to implement an appropriate risk-based AML/KYC policy to defend any inquiries from OFAC as to whether it has complied with the various US sanctions programs, including by having the ability to identify other virtual currency wallets in which a blocked person “has an interest.”

UPDATED SANCTIONS COMPLIANCE GUIDANCE

OFAC’s recent framework for OFAC Compliance Commitments outlines five essential components for a virtual currency operator’s sanctions compliance program. These components generally track those applicable to more traditional financial institutions and include:

  1. Senior management should ensure that adequate resources are devoted to the support of compliance, that a competent sanctions compliance officer is appointed and that adequate independence is granted to the compliance unit to carry out their role.
  2. An operative risk assessment should be fashioned to reflect the unique exposure of the company. OFAC maintains both a public use sanctions list and a free search tool for that list which should be employed to identify and prevent sanctioned individuals and entities from accessing the company’s services.
  3. Internal controls must be put in place that address the unique risks recognized by the company’s risk assessment. OFAC does not have a specific software or hardware requirement regarding internal controls.
    1. Although OFAC does not specify required internal controls, it does provide recommended best practices. These include geolocation tools with IP address blocking controls, KYC procedures for both individuals and entities, transaction monitoring and investigation software that can review historically identified bad actors, the implementation of remedial measures upon internal discovery of weakness in sanction compliance, sanction screening and establishing risk indicators or red flags that require additional scrutiny when triggered.
    2. Additionally, information should be obtained upon the formation of each new customer relationship. A formal due diligence plan should be in place and operated sufficiently to alert the service provider to possible sanctions-related alarms. Customer data should be maintained and updated through the lifecycle of that customer relationship.
  4. To ensure an entity’s sanctions compliance program is effective and efficient, that entity should regularly test their compliance against independent objective testing and auditing functions.
  5. Proper training must be provided to a company’s workforce. For a company’s sanctions compliance program to be effective, its workforce must be properly outfitted with the hard and soft skills required to execute its compliance program. Although training programs may vary, OFAC training should be provided annually for all employees.

KEY TAKEAWAYS

As noted in OFAC’s press release issued simultaneously with the updated FAQ’s, “[t]hese actions are a part of the Biden Administration’s focused, integrated effort to counter the ransomware threat.” The Biden administration’s increased focus on regulatory and enforcement action in the virtual currency space highlights the importance for market participants and service providers to implement a robust compliance program. Cryptocurrency exchanges and other service providers must take special care in drafting and implementing their respective AML/KYC policies and in ensuring the existence of risk-based AML and sanctions compliance programs, which includes a periodic training program. When responding to inquiries from OFAC or other regulators, it will be critical to have documented evidence of the implementation of a risk-based AML/KYC program and proof that employees have been appropriately trained on all applicable policies, including a sanctions compliance policy.

Ethan Heller, a law clerk in the firm’s New York office, also contributed to this article.

© 2021 McDermott Will & Emery
For the latest in Financial, Securities, and Banking legal news, read more at the National Law Review.

Thieves Breach Twitter Security to Commandeer Famous Accounts

The Twitter accounts of major companies and individuals were briefly taken over as part of a bitcoin scam. Former and current heads of states, global corporations, and presidential candidates had their twitter accounts compromised. The tweet from many of the twitter account said similar things, for example Kanye West’s feed stated that he is “giving back to my fans”; the message from Bezos’, Barack Obama, and Joe Biden’s account said that they had “decided to give back to my community”; while Elon Musk’s account said “feeling greatful” and provided a link to a Bitcoin wallet to send money to. The tweets would indicate that they would send double the money back to a limited number of contributors.

Twitter, through its Twitter Support account notified users that an internal investigation was conducted into the matter. The investigation revealed that several employees who had access to internal systems had their accounts compromised in a “coordinated social engineering attack.” Twitter’s internal system was then exploited to tweet from high-profile accounts. The attack was at least moderately successful considering the Bitcoin wallets promoted in the tweets received over 300 transactions and Bitcoin worth over $100,000.

These tweets began at about 4 P.M. (Eastern Standard Time) on Wednesday, July 16. The first wave of attacks hit the Twitter accounts of prominent cryptocurrency leaders and companies, but expanded quickly after that. Along with Vice President Biden, President Obama, Kanye West, Bill Gates, Michael Bloomberg, and Elon Musk, large company accounts were also targeted including Uber and Apple. Twitter’s initial response was to take down the offending tweets, but those were quickly replaced by new ones – – an indication that the hackers maintained access to the individual accounts.

The persistence of the attacks led to Twitter disabling some the platform services including the ability of blue-checked (verified) twitter users to tweet. The services were restored around four and a half hours after the suspicious tweets began. However, that shutdown period was not insignificant. Several National Weather Service Twitter accounts were shut down as a line of severe weather and possible tornadoes moved across the Midwest. The National Weather Service felt severely hampered in its ability to communicate with people about the impending storm.

In a tweet, Twitter’s CEO Jack Dorsey said that the company feels  “terrible this happened” and that they are “diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.” The nature of this attack is yet to be determined. The legal implications will hinge on the findings of the investigation, including whether there were sensitive direct messages accessed by the attackers. Considering the compromised accounts includes current and former heads of state (Prime Minister Benjamin Netanyahu, President Obama, and Vice President Biden), there are also questions of national security involved.

The United States does not have a comprehensive federal data breach notification scheme. These obligations are provided by the fifty states and sector-specific laws. More than 40 of the state breach notification laws contain a harm threshold pursuant to which notification is not required unless harm to affected individuals has occurred or is reasonably likely to occur. The EU’s GDPR also includes a similar assessment. As more information is disclosed, we will get a better understanding of Twitter and the attacked users’ incident response processes.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

Consumer Perception is Key to Registration of Generic “.com” Marks

In an 8-1 decision, the Supreme Court held in U.S. Patent and Trademark Office v. Booking.com that “generic.com” marks may be registered trademarks or service marks when consumers do not perceive them as generic.

Booking.com is a travel company that provides hotel reservations and other services under the brand “Booking.com,” which is also the domain name of its website. Booking.com filed applications to register four marks in connection with travel-related services, each containing the term “Booking.com.”

A United States Patent and Trademark Office (USPTO) examining attorney and the USPTO’s Trademark Trial and Appeal Board (TTAB) both concluded that the term “Booking.com” is generic for the services at issue and is therefore unregistrable. According to the TTAB, “Booking” means making travel reservations and “.com” signifies a commercial website. The TTAB ruled that customers would understand the term “Booking.com” primarily to refer to an online reservation service for travel, tours, and lodging. Alternatively, the TTAB held that even if “Booking.com” is descriptive, it is unregistrable because it lacks secondary meaning.

Booking.com sought review in the US District Court for the Eastern District of Virginia. Relying in significant part on new evidence of consumer perception, the district court concluded that “Booking.com”—unlike “booking”—is not generic. The “consuming public,” the court found, “primarily understands that BOOKING.COM does not refer to a genus, rather it is descriptive of services involving ‘booking’ available at that domain name.” The Court of Appeals for the Fourth Circuit affirmed the district court’s judgment.

During oral argument at the Supreme Court, the USPTO argued that the combination of a generic word and a “.com” must also be generic. The Court rejected this per se theory, ruling that whether “Booking.com” is generic turns on whether that term, taken as a whole, signifies to consumers the class of online hotel reservation services. According to the Court, if “Booking.com” were generic, one might expect consumers to understand Travelocity—another such service—to be a “Booking.com.” Additionally, one might similarly expect that a consumer, searching for a trusted source of online hotel reservation services, could ask a frequent traveler to name her favorite “Booking.com” provider. However, as noted even by the USPTO and the dissent, only one entity can occupy a particular Internet domain name at a time, so a “consumer who is familiar with that aspect of the domain-name system can infer that BOOKING.COM refers to some specific entity.”

The Court further opined that the USPTO’s fears that trademark protection for “Booking.com” could exclude or inhibit competitors from using the term “booking” or adopting domain names like “ebooking.com” or “hotel-booking.com” are unfounded. According to the Court, this is an issue for any descriptive mark and comes down to a likelihood of confusion analysis.

Justice Sotomayor’s Concurrence

In a concurring opinion, Justice Sotomayor agreed that there is no per se rule against trademark protection for a “generic.com” mark. However, she cautioned the use of surveys as they can have limited probative value depending on the survey design.

Justice Breyer’s Sole Dissent

Justice Stephen Breyer, the sole dissenting justice, argued that the majority disregarded important trademark principles and sound trademark policy. According to Justice Breyer, “[t]erms that merely convey the nature of the producer’s business should remain free for all to use.” Thus, under the majority’s approach, many businesses could obtain a trademark by adding “.com” to the generic names of their products, which Justice Breyer claimed could have widespread anticompetitive effects, and the majority’s reliance on the need to prove confusion and the statutory descriptive use privilege to protect competitors, underestimates the threat of costly litigation.

Implications

The decision in Booking.com expands trademark protection for seemingly generic marks simply by adding “.com” to the mark. A registrant need only rely on the consumer’s perception of the mark, which can be shown by the use of surveys. Thus, even with Justice Sotomayor’s caution against the use of surveys, surveys are likely to become more important during the registration process and in any subsequent litigation.


Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.

For more on the Booking.com case, see the National Law Review Intellectual Property Law section.

COVID Quarantine + Surge in eCommerce = … ADA Discrimination Claims?!

While much about COVID-19 and its long-term impact on businesses and the economy is unknown, its effect of a worldwide increase in a reliance on digital means to engage in business transactions is undeniable and unlikely to decrease as we move forward.

This means all organizations – commercial businesses, nonprofits, educational institutions, healthcare entities, and professional organizations – need to consider whether this new reliance on digital means of consumer interactions creates previously unconsidered risks and liabilities to their operations.

What?! – Website Discrimination Regulations?

The Americans with Disabilities Act (ADA), which was enacted to prevent discrimination against people with disabilities in locations generally open to the public, applies to websites and other digital communication means, such as mobile sites and mobile applications.

Organizations, institutions, businesses, and other establishments with websites, mobile sites, and mobile applications that are subject to the ADA must provide accommodations to people with disabilities so that they can have the same level of access to the online digital content and services as everyone else.

Which Businesses are Subject to ADA?

Organizations, institutions, businesses, and other establishments that have either (i) 15 or more employees (Title I Employers) or (ii) offer public accommodations (regardless of the number of employees) to consumers (Title III Public Accommodations) must maintain ADA compliant websites (traditional and mobile) and mobile applications.

Many businesses with more than 15 employees are aware of the requirement to be ADA compliant in its spaces of brick and mortar public accommodations, but are unaware of the requirement and risk of not having an ADA compliant digital presence.  If an organization has more than 15 employees (public accommodations offered or not), it must have an ADA compliant website.

It is Title III – Public Accommodations – that often ensnares smaller businesses such as healthcare providers, law offices, and small or start-up businesses that have fewer than 15 employees and do not offer the traditional public accommodations (such as retail space) yet have other public accommodations such as offices or conference meeting areas.  If an organization maintains a public accommodation for its patrons (regardless of the number of employees), it must have an ADA compliant website.

What Does Compliance Require?

There is no legislation that directly sets out the technical requirements of website accessibility.  There are, however, the WCAG private industry standards, developed by technology and accessibility experts, which have been widely adopted, including by federal agencies. The current guidelines are the WCAG 2.1 Guidelines, and it contains three levels of accessibility –A, AA, and AAA accessibility.  Federal websites are required to meet level AA accessibility.

There are four Principles to WCAG accessibility for those with disabilities (e.g., hearing impairment, seeing impairment, cognitive impairment, mobility issues, etc.):

  1. Perceivable: Information and user interface components must be presented in a way that allows a user to perceive the content (e.g., recognize photos).

  2. Operable: User interface components and navigation must be operable (e.g., dropdowns identifiable).

  3. Understandable: Information and the operation of the user interface must be understandable (e.g., form completion).

  4. Robust: Content must be robust enough that it can be interpreted by a variety of user agents (e.g., assistive technologies)

It is worth noting that it is not the use or inclusion of specific technologies, such as those that amplify words or offer audible versions of content, which is required for compliance.  The requirement for compliance is that businesses offer websites and other digital platforms that are robust enough to provide equally perceivable, operable, and understandable access to all consumers through the consumer’s use of these technologies (i.e., digital platforms that will interact with these specific technologies as provided and used by the consumer).

Is Compliance Enforced?

ADA website compliance litigation is a regular occurrence and is expected to rise as all consumers become more and more reliant on websites and mobile applications to conduct business.  These cases of enforcement span a number of industries – Real Estate (Zillow), Retail (Banana Republic), Entertainers (Beyoncé), and Restaurants (Domino’s Pizza) to name a few recognizable, well-defended defendants – and many resulted in federal fines and compulsory ADA compliance.

Most recently, a case against Domino’s Pizza made clear:

  • ADA applies to websites and mobile applications as public accommodations.
  • Businesses have been “on notice” since 1996 that their websites must be in ADA compliance and effectively communicate with people with disabilities.
  • The lack of specific requirements does not absolve a business from its obligations.

What are the Best Ways to Mitigate Risk?

When building a website, or assessing an existing one for compliance, use the WCAG 2.1 Guidelines and its four principles.  Many marketing professionals and website hosting platforms can provide templates that will assist with ADA compliance.  There are also companies that specialize in accessibility compliance that can review and test the website, mobile site, and application.  Businesses should regularly assess their website for compliance as it is updated, and content and features are added.


© 2020 Ward and Smith, P.A.. All Rights Reserved.

For more on website ADA compliance, see the National Law Review Communications, Media & Internet law section.

Leveraging Your Microsoft Assets in this Remote Access World

The COVID-19 pandemic has led to an enormous increase in remote work. Organizations without remote access capabilities have adapted and implemented new solutions, while organizations with existing solutions have been forced to evaluate new capacity requirements and scale their solutions accordingly. You may be surprised to learn that your existing Microsoft assets include functionalities for remote access, and you can get rid of redundant or more costly solutions. Your Microsoft subscription, license, operating system, software, service, etc. should all be reviewed in some capacity at this time.

“In recent years, Microsoft has made a multitude of investments and changes to its portfolio and offerings,” says Scott Riser, Director of Microsoft and Data Management Services at Plan B Technologies, Inc. (PBT). “Some of these changes are quickly noticed during renewals or annual reviews, such as Microsoft Server Operating Systems licensing. However, many changes have happened ‘in the background’ and could easily be missed by organizations,” Riser says. “Make sure you’re taking advantage of your existing Microsoft assets, and know your entitlements – especially now.”

Most of these changes go beyond the typical Microsoft portfolio of Office products and Operating Systems. Microsoft has placed significant focus in the areas of security, video and audio conferencing, VOIP, virtual desktop, artificial intelligence, and cloud computing. Many of these Microsoft assets, which are likely already in your organization, are gaining additional functionality for your remote workforce. This can be done with minimal management overhead and reduced implementation costs over competitive third parties. So how do you ensure that your organization is properly leveraging its current Microsoft assets?

Know What You Have

Leveraging Microsoft assets to the fullest starts with knowing what your organization has purchased, and to what it is entitled. This goes beyond Microsoft assets alone and a full inventory of software, services, and features within your environment should be performed sooner rather than later. This full evaluation serves three purposes. First is that of an internal audit to ensure your organization has the proper number of licenses for each product and to correct licensing infractions before you incur hefty true-up costs or additional licensing fees. The second purpose is educational, as it provides technical staff and administration an understanding of the entitlements each software or service provides. This is particularly valuable since Microsoft 365 cloud subscriptions now include licenses for some on-premise systems. The third purpose of this evaluation is to identify overlaps in features and functionality among products to lower costs, simplify management of the environment, and promote productivity.

Failure to perform a review of current entitlements can result in a significant overspend and an overly complicated environment that is more difficult to manage. For example, your organization could be using a third-party Multi-Factor Authentication (MFA) provider when an already purchased Microsoft subscription has MFA built in, or you may have purchased an MDM solution that overlaps with an existing entitlement to System Center and Windows Intune.

With information from these internal audits, organizations are better suited to make impactful decisions while controlling cost. Once your organization understands what it is entitled to within your existing environment, you must then determine situational awareness for future planning and sustainability. Items that should be included in planning for the future include (but are not limited to) security, management, user workflow and communication.

Secure the Environment

If your workforce is now remote, has your organizational data gone remote as well? Now that most organizations have been required to provide users with remote access, either through Virtual Desktop infrastructure (VDI), cloud-based applications or internet portals, the attack surface for exploitation by bad actors has never been larger. This puts organizations at greater risk of a security breach. Knowing this, Microsoft has invested billions of dollars to protect their product offerings and combat cyber criminals.

Microsoft now has a full portfolio of security offerings, and buildings full of teams dedicated to securing their services and platforms as well as assisting criminal investigations. User identity has become the new perimeter for data as organizations move to cloud-based technologies and a remote workforce. This has been the case for years as VPNs and firewalls have limited preventive impact when a bad actor has credentials to access them. Microsoft has been active in making user identity more secure with easily implemented tools and access policies while also integrating artificial intelligence and improved reporting. These products and features include Windows Hello, Azure Multifactor Authentication, Conditional Access, Credential Guard, and User Sign-in Risk Reporting/Alerting amongst others.

Identity of course is only one attack vector that can be exploited. Therefore, it is essential to secure end user devices and the infrastructure where data is located. Microsoft Defender and Advanced Threat Protection (ATP) is ideally suited to protect servers and end user devices when implemented properly. Plus, it’s included in many Microsoft 365 subscriptions.

“In the past, Defender has received a stigma of being unreliable and faulty,” says Scott Riser, “but Defender has since become one of the most reliable pieces of security software available today. Why? According to Microsoft, over 1 billion devices are currently running the Windows 10 operating system, providing trillions of telemetry data points to continuously improve all Microsoft security services. And as a result, Microsoft has the largest security footprint in the world.”

The data provided by Defender from these devices is reported to artificial intelligence algorithms as well as Microsoft security teams to patch security flaws and update anti-virus definitions at unparalleled levels in the industry. It is also important to note that Microsoft Server Operating systems utilize Defender and the Defender platform can be upgraded to Defender ATP software to enhance built-in capabilities and provide additional security for on-premise data.

With an increasingly remote workforce, many organizations have moved their data to Exchange Online, SharePoint Online, and OneDrive for Business. Microsoft has built-in security solutions for these platforms as well. Depending on the Microsoft subscription that you’ve purchased, Exchange Online Protection, Azure Information Protection, Microsoft Advanced Threat Protection and Azure Advanced Threat Protection, can all be utilized to secure data stored in these locations. Furthermore, Microsoft understands that some organizations require more control over their data and systems in Infrastructure as a Service solutions such as Azure and AWS. For this, a combination of Defender ATP and Azure Sentinel can provide real time analytics and automated responses for detected breaches based on custom workbooks in a pay-as-you-go model.

All these security measures protect against bad actors attempting to breach an organization’s data. This of course does not protect an organization from internal threats, such as disgruntled employees or the inevitable human error. Organizations must now secure data from exfiltration which is not as simple as preventing all data from leaving the organization. The problem is more nuanced. A full lockdown, though simpler, would prevent your organization from essential collaboration with its staff and clients. Failing to protect data internally may result in proprietary data inadvertently shared with a client, or competitor, or being lost entirely. In healthcare and financial services, it can result in a loss of personal identifiable data, or banking information, which carry hefty fines from regulatory bodies.

Microsoft Data Loss Prevention (DLP) is the solution to this issue. With DLP, custom policies can be defined by an organization to determine data that should not leave the organization. It can also remind a user to review data being sent as it could possibly be confidential. DLP continues to gain traction in Microsoft 365 settings as the need to protect cloud-based collaboration platforms such as Teams and OneDrive grows. DLP can also be implemented in some areas of on-premise infrastructure. Exchange has built-in DLP features that often go overlooked. Organizations tend to use Mimecast, Proofpoint, and other third-party vendors for these solutions while the built-in functionality remains unconfigured.

Device Management and Compliance

Another challenge of a remote workforce is the ability to maintain and manage devices, both corporate-owned and user-owned. Multiple organizations have made significant investments in System Center Configuration Manager (SCCM), only to find that policies and updates have not applied to end user devices unless they are on the network or connected via a VPN. Organizations can expand their SCCM environment to include cloud distribution and management points for devices that are not on-premise.  But this is not always an ideal solution as it requires additional infrastructure and configuration with SCCM. This has led to a rise in the use of Mobile Device Management and Mobile Application Management solutions such as Microsoft Intune. Through co-management, organizations can continue to utilize SCCM in conjunction with Intune for management of all devices regardless of corporate connectivity. This was further emphasized by the recent integration of the license offerings to provide Intune subscriptions for those with SCCM Client licensing and vice versa.

Collaboration and Communication

Securing and managing a remote work environment is important but ensuring users can communicate and collaborate on work that was previously performed in the office is one of, if not the biggest, challenges. Daily interactions between corporate users should be considered since the ability for face to face interaction through office meetings, business lunches, and other personal touches has significantly declined. These interactions are now being held through chat programs and conference calls. External communication is one of the primary reasons that Microsoft is still considered the industry leader for collaboration software with many companies utilizing the Microsoft Office suite.

A frequently overlooked solution included in your Microsoft 365 subscription is Microsoft Teams which provides instant messaging, document collaboration and audio/video teleconferencing. Furthermore, Microsoft Teams is integrated with and supported by other Microsoft products. It’s also governed by Advanced Threat Protection and Data Loss Prevention services to provide a more secure platform than its competitors with minimal (if any) additional investment. Microsoft Office can be customized based on the needs of the user and can easily be secured and managed when used in combination with other Microsoft offerings.

Getting the Results

Challenges continue to present themselves as users work remotely and organizations refine how they operate. With a vast majority of organizations utilizing Microsoft products in some way, it is important that entitlements are understood to reduce costs and complexities. Organizations can improve their return on investment (ROI) or make new investments once this is understood. Leveraging Microsoft service offerings can be optimized beyond the traditional use of Office products and Operating Systems, to provide a secure, managed, agile, and accessible environment for users regardless of their location. The result will be a streamlined, cost effective, collaborative environment that strengthens your organization’s bottom line.


© 2020 Plan B Technologies, Inc. All Rights Reserved.

For more on technological solutions for law firms and other industries, see the National Law Review Law Office Management section.

How Law Firms Can Prevent Phishing and Malware

Law firms harbor information directly linked to politics, public figures, intellectual property, and sensitive personal information. Because lawyers rely on email to manage cases and interact with clients, hackers exploit technical vulnerabilities and people via email. After cybercriminals infiltrate a law firm’s systems in a successful phishing or malware attack, they leverage breached information for financial gain.

Starting with email, law firms must control the availability, confidentiality, and integrity of data. Or they will suffer breaches that bring increased insurance premiums, loss of intellectual property, lost contract revenue, and reputational damage.

Law firms aren’t securing their cloud technology

As lawyers adapt with best practices in technology, they’re moving client data and confidential documents from on-premise to cloud-hosted databases. 58% of firms use cloud technology to manage their clients and run their firms, according to the 2019 Legal Technology Survey Report on Cybersecurity and Cloud Computing from The American Bar Association’s Legal Technology Resource Center.

Migrating data to the cloud is a good thing, despite concerns about its availability. Data is more secure when stored in a system with modern infrastructure and security protocols, instead of stored locally on an outdated system no longer supported by vendors — such as a desktop device still running Windows 7 software, rather than Windows 10.

Even though the cloud is safe, law firms inevitably fall victim to cloud-based cyberattacks like phishing and malware.

26% of lawyers reported a security breach at their firm. TECHREPORT’s other findings explain why the breach rate is so high:

  • Fewer than half (41%) of all respondents changed their security practices after migrating to the cloud.

  • Only 35% of lawyers adopt more than one standard security measure — like encryption, anti-malware, anti-phishing, and network security.

  • 14% of respondents using cloud-based technology to manage their firm do not have any preventative security measures in place.

Changes to your firm's security policies.

Source: 2019 ABA TECHREPORT

How law firms can prevent phishing and malware

Lawyers know data breaches create downtime, loss of billable hours, and reputational harm. But they’re less aware of how to prevent those outcomes.

Phishing explained

Phishing happens via email, when hackers impersonate trusted senders to trick recipients into divulging sensitive or confidential information. Most often, phishers trick victims to click a malicious URL and interact with spoofed login pages. Microsoft is the most spoofed brand in the world, because it is the hub for organizations to collaborate and exchange information. If a lawyer enters their Office 365 credentials onto a spoofed login page, the username and password go directly to the hacker’s server.

Most common brands in phishing attacks.

Source: TechRadar

Successful credential-harvesting phishing attacks allow hackers to access data-dense services like Office 365, online banking, and practice management software. Stolen credentials lead to account takeover scenarios that result in further exploits, including network infiltration, database infiltration, and data exfiltration.

3 common characteristics of phishing attacks

  1. Subject lines that appear highly urgent

Many subject lines in phishing emails are in all-caps to pressure the recipient. Beware of subject lines that say “URGENT” or “Are you available?” An infographic from cybersecurity firm KnowBe4 reveals the top phishing email subject lines from 2019.

Top-clicked phishing tests.

Source: KnowBe4

  1. Spelling errors, grammar errors, and awkward language

Hackers need to deceive language parsing technology like Optical Character Recognition (OCR) that identifies suspicious content and blocks the message. To bypass anti-phishing algorithms, they’ll intentionally misspell words, use special characters that look like letters, and replace letters with lookalike numbers. Phishing URLs are often misspelled, or the domain name does not match the content of the page. Carefully read every URL to see if the words and letters match the content of the page.

  1. Unexpected or unusual requests for documents or money.

Phishers can spoof the sender name and domain of trusted contacts’ email addresses to lull recipients into a false sense of trust and compliance. Requests for sensitive information (bank routing numbers, trust account numbers, login credentials, document access, etc.) should be confirmed over the phone or any other communication channel besides that same email thread.

6 ways to prevent phishing at your law firm

  1. Check if email addresses associated with the firm were involved in high-profile breaches

Have I Been Pwned is a website that identifies compromised email addresses and passwords across online services that have been breached so that victims can change their password and prevent account access. Set up alerts through the website to monitor any future breaches.

 Check if you have an account that has been compromised in a data breach.

Source: HaveIBeenPwned.com

  1. Install password managers

The best passwords don’t need to be memorized. 25% of people reuse the same password for everything, according to OpenVPN. Password manager services like 1Password (paid) and LastPass (free) use browser plug-ins and mobile applications to create, remember, and autofill complex, randomly-generated passwords. They identify weak or reused passwords across websites, and run a program to simultaneously rewrite and save new passwords on those sites.

LastPass password management software

Source: LastPass.com

  1. Make Multi-Factor authentication (MFA) mandatory at the firm

Multi-factor authentication, a secure login method using two or more pieces of confirmation, adds another step to the login process to prevent account takeover and the breach of confidential data. When username and password credentials are submitted to the login page, MFA generates and sends a unique alphanumeric code to the account holder’s email or phone for use as a secondary password. Unless this code is submitted on the follow-up login screen in a timely manner, it will expire.

Because email accounts and cell phone numbers are publicly available and can be compromised, use app-based and hardware-based MFA instead.

Solo and small/medium firms should use the Google Authenticator app, which continuously creates dynamic codes that swap out every 30 seconds and are unique to the device on which the app was installed.

Larger firms should adopt physical MFA. These “keys” plug into your laptop, tablet, or mobile device ports to authenticate access to software — and even the device itself. Because the keys are unique, hackers can’t access accounts supported by hardware MFA keys like Yubico’s YubiKey, which is used by every Google employee. If the key is lost, account access can be gained through backup codes or MFA codes delivered via email, mobile, or authentication apps.

Make Multi-Factor authentication mandatory at the law firm.

YubiKeys (Source: Wired Store)

  1. Participate in phishing awareness training programs

These software programs regularly educate and train employees on the characteristics of spam, phishing, malware, ransomware, and social engineering attack methods. Microsoft’s Attack Simulator and KnowBe4 offer free programs that train users not to interact with phishing attempts and give visibility into how well they’re trained, based on their click rate during the attack simulations. The 2019 Verizon Data Breach Investigation Report found that lawyers and other professional service workers were the third most likely group to click on phishing emails.

2019 Verizon Data Breach Investigation Report

Source: 2019 Verizon Data Breach Investigation Report, Figure 45

  1. Only connect to secure WiFi

Connecting to public WiFi in a cafe, airport, or hotel is dangerous. Malicious worms can transfer from one device to another if they are connected on the same network. When traveling, use a virtual private network (VPN) to extend a remote private network across the public network and secure the WiFi connection.

  1. Report suspicious emails

Popular email clients like Office 365 and Google Gmail offer suspicious message reporting. Use this built-in tool to improve their anti-phishing algorithm. If applicable, contact the IT team or cybersecurity staff at the firm so they can update security configurations in the email client or third-party security tool they may use.

What is malware?

Malware is any malicious file that launches scripts to hijack a device, steal confidential data, or launch a Distributed Denial of Service (DDoS) attack. Most malware is delivered via email. The 2019 Verizon Data Breach Investigation Report found that 51% of phishing attacks involve malware injections into a network. These malicious scripts are usually injected via spoofed DocuSign and Adobe attachments, or fraudulent billing and invoicing documents.

Ransomware is a subset of malware that hackers use to hold information or access hostage until a ransom is paid. Ransomware exploits frequently involve blackmailing tactics, and “sextortion” phishing emails (in which hackers purport to have footage of the victim watching pornography) are gaining popularity.

The 2019 ABA TECHREPORT noted that 36% of firms have had systems infected, and about a quarter (26%) of firms were unaware if they’ve been infected by malware. Larger firms, which tend to use on-premise software because of the up-front work associated with cloud migration, are the least likely to know if they’ve suffered a malware attack.

3 ways to prevent malware

  1. Monitor and update outdated software and hardware 

Application updates are necessary and should not be treated as optional. These software upgrades implement essential security features to ward off new strains of attacks. Not updating software and hardware provides short term savings, but will be very costly in the long run.

Be aware that:

  • Windows 7 is no longer supported since January 2020.

  • MS Office 2010 will no longer be supported as of October 2020.

  • Support for Adobe Acrobat X Reader/Standard/Pro, Adobe Acrobat XI, and Reader XI has ended. 88% of attorneys continue to use these highly-vulnerable Adobe programs, according to the 2019 ABA TECHREPORT.

  1. Monitor email for links and executables (including macro-enabled Office docs)

Executable files automatically launch actions, based on the code in the file. Apply software restrictions on your device to prevent executable files from starting up without your consent. Microsoft found that 98% of Office-targeted threats use macros. In 2016, Microsoft pushed a macro-blocking feature in Word to prevent malware infection.

Block macros and prevent malware in Microsoft Office Word.

Source: Microsoft Security Blog

  1. Hire a Managed Service Provider (MSP) for cybersecurity

MSPs offer an affordable portfolio of solutions to manage cyber risk across firm operations.

The solution: control the login process and data access in cloud-based apps

Lawyers are obligated to protect sensitive client information from phishing, malware, and ransomware. As breaches continue to make headlines, clients are selecting firms based on their data security. Law firms educated on confidentiality, security, and data control will be able to reassure security-conscious clients.

Cloud security — especially in email and document storage — relies on identity and access management. Establish a secure login process, govern user privileges in applications, and ensure that everyone at the firm can spot suspicious emails and attachments.

Choose cloud providers with a reputation for secure software and identify third-party security vendors for anti-phishing, anti-malware, and MFA.


© Copyright 2020 PracticePanther

Written by Reece Guida of PracticePanther.
For more on cybersecurity for legal and other businesses, see the National Law Review Communications, Media & Internet law section.

Florida’s Legislature to Consider Consumer Data Privacy Bill Akin to California’s CCPA

Florida lawmakers have proposed data privacy legislation that, if adopted, would impose significant new obligations on companies offering a website or online service to Florida residents, including allowing consumers to “opt out” of the sale of their personal information. While the bill (SB 1670 and HB 963) does not go as far as did the recent California Consumer Privacy Act, its adoption would mark a significant increase in Florida residents’ privacy rights. Companies that have an online presence in Florida should study the proposed legislation carefully. Our initial take on the proposed legislation appears below.

The proposed legislation requires an “operator” of a website or online service to provide consumers with (i) a “notice” regarding the personal information collected from consumers on the operator’s website or through the service and (ii) an opportunity to “opt out” of the sale of certain of a consumer’s personal information, known as “covered information” in the draft statute.

The “notice” would need to include several items. Most importantly, the operator would have to disclose “the categories of covered information that the operator collects through its website or online service about consumers who use [them] … and the categories of third parties with whom the operator may share such covered information.” The notice would also have to disclose “a description of the process, if applicable, for a consumer who uses or visits the website or online service to review and request changes to any of his or her covered information. . . .” The bill does not otherwise list when this “process” would be “applicable,” and it nowhere else appears to create for consumers any right to review and request changes.

While the draft legislation obligates operators to stop selling data of a consumer who submits a verified request to do so, it does not appear to require a description of those rights in the “notice.” That may just be an oversight in drafting. In any event, the bill is notable as it would be the first Florida law to require an online privacy notice. Further, a “sale” is defined as an exchange of covered information “for monetary consideration,” which is narrower than its CCPA counterpart, and contains exceptions for disclosures to an entity that merely processes information for the operator.

There are also significant questions about which entities would be subject to the proposed law. An “operator” is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from Florida residents, and purposefully directs activities toward the state. That “and” is assumed, as the proposed bill does not state whether those three requirements are conjunctive or disjunctive.

Excluded from the definition of “operator” is a financial institution (such as a bank or insurance company) already subject to the Gramm-Leach-Bliley Act, and an entity subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Outside of the definition of “operator,” the proposed legislation appears to further restrict the companies to which it would apply, to eliminate its application to smaller companies based in Florida, described as entities “located in this state,” whose “revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on websites or online services,” and “whose website or online service has fewer than 20,000 unique visitors per year.” Again, that “and” is assumed as the bill does not specify “and” or “or.”

Lastly, the Department of Legal Affairs appears to be vested with authority to enforce the law. The proposed legislation states explicitly that it does not create a private right of action, although it also says that it is in addition to any other remedies provided by law.

The proposed legislation is part of an anticipated wave of privacy legislation under consideration across the country. California’s CCPA took effect in January and imposes significant obligations on covered businesses. Last year, Nevada passed privacy legislation that bears a striking resemblance to the proposed Florida legislation. Other privacy legislation has been proposed in Massachusetts and other jurisdictions.


©2011-2020 Carlton Fields, P.A.

For more on new and developing legislation in Florida and elsewhere, see the National Law Review Election Law & Legislative News section.

CISA Releases “Cyber Essentials” to Assist Small Businesses Updated

On November 6, 2019, the Department of Homeland Security (“DHS”), Cybersecurity & Infrastructure Security Agency (“CISA”) released its Cyber Essentials guide. Consistent with the NIST Cybersecurity Framework, these Cyber Essentials provide “a starting point to cyber readiness,” and are specifically aimed at small businesses and local government agencies that may have fewer resources to dedicate to cybersecurity.

The guide suggests a holistic approach for managing cyber risks, and is broken down into six “Essential Elements of a Culture of Cyber Readiness,” specifically:

  • Yourself – driving awareness, strategy, and investment to build and sustain a culture of cybersecurity.
  • Your Staff – developing awareness and vigilance because your staff is often the first line of defense.
  • Your Systems – protecting your information and critical assets and applications.
  • Your Surroundings – limiting access to your digital environment.
  • Your Data – having a contingency plan to recover systems, networks, and data from trusted backups.
  • Your Actions Under Stress – planning and conducting drills for cyberattacks to bolster readiness to respond, limit damage, and restore operations in the event of an attack.

The final section of the guide provides a list of steps that small businesses can take immediately to increase organizational preparedness against cyber risks. These include backing up data (automatically and continuously), implementing multi-factor authentication (particularly for privileged, administrative, and remote access users), enabling automatic updates, and deploying patches quickly.

CISA’s Cyber Essentials guide is just the most recent example of a user-friendly resource aimed at assisting small businesses seeking lower-cost cybersecurity solutions. Recognizing that investing in cybersecurity may be difficult for some small businesses, Government agencies are making an effort to help small businesses understand the importance of cybersecurity.

For example, the U.S. Small Business Administration (“SBA”) has a page dedicated to providing information and resources for small business cybersecurity. It outlines common threats, risk assessment, and cybersecurity best practices. It also provides a list of upcoming training and events related to small business cybersecurity. Other entities, including the National Institute of Standards and Technology, the Federal Trade Commission, and the Federal Communications Commission also provide similar resources specifically tailored to small businesses.

The main takeaway here is that all organizations – regardless of size or resources – should take basic steps to improve their cybersecurity resilience.


Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.

ARTICLE BY Jonathan E. Meyer, Townsend L. Bourne and Nikole Snyder a Law Clerk in Sheppard, Mullin, Richter & Hampton LLP’s Washington, D.C. office.

Virtual Marking: Guidance on Doing It Right

Despite the fact that virtual patent marking was introduced nearly a decade ago, jurisprudence addressing virtual marking issues has been quite limited. Recent guidance from U.S. district courts, however, paints a clearer picture of the patent marking statute’s requirements to (a) associate the patented article with the number of the patent; (b) place either “patent” or “pat.” together with a website address on the product; and (c) ensure the marking is “substantially consistent and continuous.”

Since 1952, the patent marking statute (“Marking Statute”) has encouraged patentees to give public notice of a patented article through physical application of the patent number to the article, which assists the public and helps mitigate innocent infringement. 35 U.S.C. § 287; Nike, Inc. v. Wal-Mart Stores, Inc., 138 F.3d 1437, 1443 (Fed. Cir. 1998). Giving effect to this goal, the marking statute provides a financial disincentive for patent owners who do not mark their products (i.e., a patentee is precluded from recovering damages for infringement of unmarked articles prior to notice of infringement). Once marked, a patent owner’s marking must be “substantially consistent and continuous.” Id. at 1446.

Since the AIA’s passage in 2011, however, patentees have been able to inform the public that an article is patented through “virtual marking” (i.e., use of the word “patent” or the abbreviation “pat.” together with the URL of a website address where the actual patent number may be found). 35 U.S.C. § 287. As opposed to physically marking a patent number on a product, virtual marking allows a patent owner to quickly update its patent data website page without the costs of modifying product tooling or packaging (e.g., for newly issued, expired, or invalidated patents). In relevant part, the Marking Statute provides:

“Patentees . . . may give notice to the public that the same is patented . . . by fixing thereon the word ‘patent’ or the abbreviation ‘pat’ together with an address of a posting on the Internet, . . . that associates the patented article with the number of the patent.” 35 U.S.C. § 287(a) (emphasis added).

The Delaware District Court recently clarified what does, and does not, constitute adequate association, concluding that a “website itself must do more than simply list the patentee’s patents.” Mfg. Res. Int’l v. Civiq Smartscapes, LLC, Case No. 17-269, 2019 U.S. Dist. LEXIS 146060, at *3 (D. Del. Aug. 28, 2019)(emphasis added). Citing the statute’s “plain language,” the court reasoned that “[s]imply listing all patents that could possibly apply to a product or all patents owned by the patentee” “merely creates a research project for the public,” as opposed to giving public notice. Id. at *30-31. The court described why this would be the case by pointing to two examples lacking the association necessary “as a matter of law to meet the requirements of virtual marking”:


View larger image

Id.

The Court concluded that Plaintiff’s examples did “nothing to ‘associate’ any specific product it has marked with the patents which cover it.” Id. at 31. The Court was not persuaded by Plaintiff’s arguments that proper association was met in view of (1) Plaintiff’s statement that “[o]ne or more of the above listed MRI patents may be used by LG-MRI products under license from MRI, Inc.”, and (2) Plaintiff’s clarification of “the patent category (LCD Display Patents)”. Id. Accordingly, Plaintiff’s website failed to “provide ‘a ready means of discerning the status of the intellectual property embodied in an article of manufacture or design,” and no damages were awarded for infringement that occurred prior to the notice that was provided by the filing of the suit. Id., citing Bonito Boats, Inc. v. Thunder Craft Boats, Inc., 489 U.S. 141, 162 (1989).

Beyond the association requirement, courts also have found that a website address lacking the words “patent” or “pat.” does not provide constructive notice, A to Z Machining Serv., LLC v. Nat’l Storm Shelter, LLC, 2011 U.S. Dist. LEXIS 149387 (W.D. Okla. 2011), and that evidence supporting consistent marking of substantially all products may include (a) documentary evidence concerning the timeframe in which the website has operated; (b) engineering and assembly drawings or the actual product depicting virtual mark placement; and (c) testamentary evidence concerning the frequency of the virtual mark’s use on products. See Asia Vital Components Co. v. Asetek Danmark A/S, 377 F. Supp. 3d 990, 1024-25 (N.D. Cal. 2019), citing SEB S.A. v. Montgomery Ward & Co., 594 F.3d 1360, 1378 (Fed. Cir. 2010).

Notably, the burden remains on the patentee to demonstrate that its patent marking practices are effective and appropriate. In view of recent court guidance, consider the following points for creating an effective virtual marking strategy:

  • Include either “pat.” or “patent” together with the website address where the actual patent number may be found.
  • Place the patent owner’s website address on all patented products and clearly correlate each product that is covered by at least one claim of a specific patent on that website address for a patented product.
  • Periodically review the patent website page to ensure that it is current, accurate, and complete (e.g. reflecting new products; updating issued, expired, or invalidated patents).
  • Create and preserve records that demonstrate that the virtual marking was consistent and continuous. This may entail keeping a written log of updates to the patent website address, and preserving evidence that it was continually maintained

© 2019 Brinks Gilson Lione. All Rights Reserved.