Recent Articles in Intellectual Property Law from LexMonitor

adammizera

mizera@robic.com (Adam Mizera) — Thu, 11 Mar 2010 17:18:43 GMT

Extrait d’un document de formation de l’OMPI The Patent Attorney Song A patent attorney/what is he a patent attorney/what is he A patent attorney is a mystery man a person whose job nobody can tell he is the inventor’s pathfinder the interpreter of businessmen’s dreams To look for a priority to search for the novelty to claim an exclusivity that’s his ability A patent attorney is a [...]

Extrait d’un document de formation de l’OMPI

The Patent Attorney Song

A patent attorney/what is he
a patent attorney/what is he

A patent attorney is a mystery man
a person whose job nobody can tell
he is the inventor’s pathfinder
the interpreter of businessmen’s dreams

To look for a priority
to search for the novelty
to claim an exclusivity
that’s his ability

A patent attorney is a mystery man
a person whose job nobody can tell
he enjoys patentology
half law and half technology
he likes to play the rights of Monopoly!

He gets excited with oppositions
he falls in love with litigations
he feels happy with applications
he likes to write his client: we won, we won, we won

To assess patentability
to appraise originality
to advise registrability
that’s his ability

A patent attorney is a mystery man
a person whose job nobody can tell
he enjoys patentology
half law and half technology

he is an element of world’s ecology
to be protected for common welfare,
to be protected for common welfare.

The patent attorney/the best of the best
the patent attorney/the best of the yourself

Guterman Makes "Sandinista Project" Free Again

Thu, 11 Mar 2010 17:05:27 GMT

Jimmy Guterman is once again making his "The Sandinista Project" freely available for download, at least through this Sunday at midnight. His blog post links back to his reflections on the earlier limited-time offer and some of the data gathered around it.

The notion of a sustainable business model built around "give away something and entice people to buy more" isn't new. It's something of a variant on the "give away razors in order to sell blades" idea that the shaving people, and the game console people, and the desktop printer people, etc have all used. However, unlike those models where the bit you get for free is essentially useless without the additional stuff you buy, this model is one of giving away something that is useful in and of itself, and then building on that with added content.

I'm reminded of my recent experience with the Steam gaming system. Steam's desktop client is free and it lets you easily hook in non-Steam games. But it also serves as an ad platform for Steam-supplied games, some of which are offered at very low or even free prices. I got one such game and enjoyed playing it enough to put down $10 twice on DLC (downloadable content) modules for it. In addition, I've now used the Steam search/ad engine to find another cheap ($10) game that I'm planning to try out and if I like it I'll probably throw more money at it.

My informal browsing shows that game companies are doing more and more with free demo versions of games. You give people the experience, get them interested, have them invest some time in making some progress and then see if they're willing to pay money to go further. It's an interesting model and one that might be profitably adopted in other industries.

Updating the Mozilla Public License

Thu, 11 Mar 2010 16:07:09 GMT

Mozilla is updating its license, and you can participate, just as you did in the GPLv3 updating process. It'll be going on for a while, until the end of 2010, in monthly stages, and each part of the schedule will only last one month, so I'm letting you know now, even though we are all riveted to Utah and the trial at the moment, so you can begin to think about it and maybe make use of intermissions in the Utah story.

I'll Huff and I'll Puff ...

Thu, 11 Mar 2010 10:00:18 GMT

Puffing, according to Black's Law Dictionary, is defined as:

The expression of an exagerrated opinion -- as opposed to a factual representation -- with the intent to sell a good or service.

Puffing, as a legal principle, has recently received a fair amount of attention as a result of Domino's new ad campaign.

Puffing generally exists whereever ambiguous and subjective words (such as good, better, best) are used used to describe goods or services. Some of you may recall the 3DO gaming system shamelessly touted as The Most Advanced Home Gaming System in the Universe. This is a classic example of puffery.

Importantly, however, puffing isn't merely a verbal concept. It also applies to visual depictions. A rather obvious example would be the animated advertisements showing Red Bull gives you wings. Obviously, the ordinary consumer isn't going to think that a slightly odd tasting taurine beverage is going to cause wing sprouting.

This brings us to the million dollar question though: Where is the line between puffing and deception? A fair rule of thumb is that it's probably when the advertisement presents something that borders on verifiable fact which a consumer might believe. For example, implying that your orange juice is processed by squeezing oranges directly into the carton (shame on you Tropicana) could cross the line. Or, presenting your product as having verifiably superior leak protection when, in reality, it's comparable to the competition (ahem, Glad-lock) is a no-no.

In the end, staying on the right side of the puffery/deception line can probably be accomplished with the old adage of "Think before you speak."

Disney Copyright Video: Another Fair Use Provocateur Par Excellence

info@usefularts.us (Dave Wieneke) — Thu, 11 Mar 2010 07:07:56 GMT

Remember my 2010 prediction – that brand holders should beware of clowns? I think I joking called it the Coulrophobia Epidemic of 2010. Logorama did it with trademarks, and won an Oscar. Girl Talk did it with music, gaining top rankings from Rolling Stone, Blender and Time Magazine. And now Eric Faden uses the most copyrighted [...]

Remember my 2010 prediction – that brand holders should beware of clowns? I think I joking called it the Coulrophobia Epidemic of 2010.

Logorama did it with trademarks, and won an Oscar.
Girl Talk did it with music, gaining top rankings from Rolling Stone, Blender and Time Magazine.

And now Eric Faden uses the most copyrighted video anywhere, Disney® cartoons, both to explain and to demonstrate the reality of “fair use” in documentary film making. It takes the works of “the very folks we can thank for nearly endless copyright terms” and uses them to argue against longer copyrights and attacks on fair use.

To paraphrase Rosencrantz and Guildenstern, “They are using their power of Free Speech, simply to demonstrate it exists.“

Be sure to read the opening copyright un-warning, this is provocation, parody and education from the very start.

McDonald’s® must be smarting from Logorama’s use of Ronald McDonald as a Pulp Fiction-like gunman. Now Disney has its cartoon catalog used to speak against it, in a creative and highly defensible way.

Faden’s work, “A Fair(y) Use Tale” is educational, utterly transformative in its use of source material, and it in no way replaces the entertainment use of the original works. Like Disney’s works, A Fair(y) Use Tale is protected by copyright law, but in this case it is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.

I believe we’re seeing a pattern of backlash against rights holders who over claim the legal protection afforded to their brand, characters, or recording. After all, there is a value in protecting civic dialog, and this requires access to creative and corporate symbols, not for theft, but for creating richer more effective options of expression.

And yes, in a world where Ashton Kutcher is still considered a brand, these “backlash clowns” may have a wind of discontent filling their sails.

Day 3 of the Trial, Through the Eyes of the SL Tribune

Thu, 11 Mar 2010 04:59:51 GMT

Here's what the Salt Lake Tribune reports happened today at the SCO v. Novell trial, all of which it records as if it were all so. Let's see if it is, by comparing what is reported about the testimony with what we already know. Part of what Groklaw does is insist on checking facts. So, let's do that.

LA Textile Show: Your Opportunity to Source More Than Fabric!

Thu, 11 Mar 2010 03:14:28 GMT

If you are in Los Angeles and plan on sourcing fabrics or trims next week at the Los Angeles International Textile Show (also know as L.A. Textile 2010) at the California Market Center ("CMC"), I will there too!

I am honored to be speaking at the following two seminars:

On March 16, 2010 from 3:30–4:30 p.m. I will present “Legal Strategies for a Profitable Fashion Business” in CMC, suite C786; and
On March 17, 2010 from 1–2:15 p.m., I will be part of the panel “How to Plan, Merchandise & Sell Your Products in a Slow Economy,” along with Dana Fried, Ken Wengrod, Sheila Hill and Bobby Hines, and moderated by Frances Harder of Fashion Business Incorporated in CMC 13th-floor penthouse, suite 19

Please come by and say hello. This is a another good in-person networking opportunity as well as a chance for all you aspiring fashion lawyers out there to learn more about practicing fashion law.

Iowa House Passes MMA Bill 89-6

Thu, 11 Mar 2010 02:31:15 GMT

On March 9, 2010, the Iowa House passed Senate File 2286 (regulating amateur mixed martial arts) with one key amendment. Amendment H-8277 added language that puts under the auspices of the regulations any MMA event where "merchandise or refreshments are available for purchase."

The original language of SF 2286 governed any MMA event "open to the public." This was amended by the Senate to be limited to events where admission is charged or donations are requested. This was an important change because, in the absence of such language, exhibition matches at local gyms could have, unintentionally, fallen within the scope of the statute.

The new amendment by the House closes a loophole that would have allowed promoters to stage unregulated, public amateur fights by hosting them at venues where the money would be made by selling food and beer rather than tickets.

Because the House amended the bill, it now returns to the Senate. I anticipate quick passage, which would put the bill on the Governor's desk to sign. One possible snag is that some people are lobbying for an additional amendment that would remove the requirement for promoters to provide health/life insurance for fighters. If the Senate removed that requirement, the bill would then have to come back to the House as both chambers of the legislature must pass identical versions for it to ultimately become law.

Apple to Germans: Und NO NIPPLES!

Thu, 11 Mar 2010 00:53:31 GMT

Apple is requiring app publishers to expunge all nudity from all apps. This particular bit of US-centric prurience isn't going over well in Germany, where Bild has a popular naked-woman tabloid feature that it turned into an iPhone app. According to the Guardian (UK) the Association of German Magazine Publishers has asked the International Federation of the Periodical Press (FIPP) to make a complaint about Apple and its censorious ways. I have a complaint or two I'd like to make, too.

Six in limine motions are denied prior to bench trial

Thu, 11 Mar 2010 00:04:45 GMT

UCB, Inc., et al. v. KV Pharmaceutical Company, Civil Action No.08-223-JJF, March 9, 2010.

Farnan, J. Plaintiffs’ three in limine motions and defendant’s three in limine motions are all denied.

The disputed technology relates to pharmaceutical dosage forms that provide a modified release of methylphenidate for the treatment of attention deficit hyperactivity disorder. Plaintiff’ request that the court preclude defendant’s newly-asserted on-sale bar defense is denied because plaintiffs have failed to show any actual harm. Plaintiffs’ motion to preclude a non-infringement argument is denied because the court finds the defense was timely asserted even if the precise argument was not provided. Plaintiffs are entitled to rely on a supplemental expert report of Dr. Byrn in the absence of a showing of prejudice. The assertions contained in the report are consistent with prior statements and was entered to address a summary judgment motion. The parties further seek to limit the proof as to the date of the invention. The patent has the burden of production to establish that the invention predated the filing of the application, and the burden of proof is on the party challenging the patent. The two dates are at issue and will require proof at trial. Defendant argues that plaintiffs’ use of the F2 similarity factor to evaluate infringement is improper. Plaintiffs first raised the intent to rely on this proof in an expert report, and it does not conflict with the court’s claim term “approximately.” The arguments regarding the probative value of this evidence does not warrant exclusion of the test altogether.

Markman rulings issue relating to electronic storage and management

Wed, 10 Mar 2010 23:45:23 GMT

Leader Technologies, Inc. v. Facebook, Inc., Civil Action No.08-862-JJF, March 9, 2010.

Farnan, J. The court construes eight terms in patent entitled “Dynamic Association of Electronically Stored Information With Iterative Workflow Changes.”

The patent-in-suit specifically relates to the management and storage of electronic information, and specifically to new structures and methods for creating relationships between users, applications, files and folders. Plaintiff contends the patent discloses a system which automatically captures environmental and tracking information on a document uploaded by a user, so that others can access a document from a central depository without knowing the document’s exact location. Defendant contends that the patent discloses a system where data is automatically tethered to the user, so that when the user moves to a new location, the data is available in the new location.

All but one evidentiary objection is overruled following bench trial

Wed, 10 Mar 2010 23:39:16 GMT

LG Display Co., LTD. v. Au Optronics Corporation, et al., Civil Action No.06-726-JJF, March 2, 2010.

Farnan, J. The Court considers certain evidentiary objections following a bench trial and overrules all but one of the parties’ objections.

This is the Court’s ruling on several evidentiary objections raised by the parties during a bench trial. Evidentiary issues at bench trial are less of a concern and typically go to the weight of the evidence and not admissibility. The parties’ various objections with regard to testimony and the admission of evidence are overruled with the exception of one objection filed by Plaintiff. Plaintiff objects to certain expert testimony and exhibits based on the lack of reference in the expert report relating the evidence to any of the four patents-in-suit. The Court previously granted plaintiff’s Motion In Limine premised on the same arguments it raises here in its objection. The Court is not persuaded that its initial decision was erroneous, and therefore, the Court will sustain the objection.

Volunteer Needed for Thursday Trial Coverage

Wed, 10 Mar 2010 21:52:17 GMT

Our scheduled reporter for Thursday and Friday is still a flu patient, and so we do need someone to cover Thursday's SCO v. Novell trial. If you can, please email me and I'll give you instructions. Trust me, you'll have fun. And the rest of us will be so grateful. Thanks!

Is Domains By Proxy Guilty of Cybersquatting? When the domain registrant hides their WhoIs contact data under proxy

Wed, 10 Mar 2010 18:44:15 GMT

We regularly get calls from companies whose trademarks are being cybersquatted on domain names where the WhoIs (domain registrant / owner) information is protected by a proxy service, such as Domains By Proxy. Typically, the proxy service is requested pursuant...

A Closer Look at the PCI Compliance and Encryption Requirements of Nevada's Security of Personal Information Law

Wed, 10 Mar 2010 17:51:35 GMT

Since approximately 2005, the state of Nevada has had a fairly comprehensive data privacy law on its books: the Nevada Security of Personal Information Law (the “Law”). Prior to 2009, the Law imposed various requirements concerning the protection of personal information of Nevada residents, including requirements concerning security breach notice, the implementation of reasonable security measures and the destruction of records containing personal information. In 2009, the Nevada legislature materially amended the law by passing Nevada Senate Bill 227 (“SB 227” or “SB 227 Amendment”). The SB 227 Amendment added two significant (but mutually exclusive) data security obligations: (1) a requirement to comply with the Payment Card Industry Data Security Standard (“PCI”); and (2) requirements to encrypt personal information in certain contexts. The SB 227 Amendment became effective on January 1, 2010. This article summarizes the requirements of the SB 227 Amendment, addresses various compliance issues posed by it, and discusses its “safe harbor.”

The Interplay Between the Law’s PCI Compliance and Encryption Obligations

To understand the requirements of SB 227, it is important to first understand the interplay between the PCI obligations set forth in subsection 1. and the encryption requirements of subsection 2. Significantly, it appears that a data collector that complies with PCI (as required under subsection 1. of SB 227) need not comply with the personal information encryption requirements of subsection 2. This “either/or” dynamic creates a strange compliance situation.

Subsection 1. of SB 227 provides:

1. If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

Subsection 2. of SB 227 provides:

2. A data collector doing business in this State to whom subsection 1 does not apply shall not:

(a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or

(b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information.
(emphasis supplied).

The current version of PCI (v 1.2.1 – July 2009 ) references encryption with respect to certain cardholder related data while stored and in transit. Section 3.4. of PCI requires companies to render a payment card’s PAN’(“Primary Account Number’”) unreadable, including through the use of strong encryption. Compliance under section 3.4 is also possible through other measures, including truncation, index tokens and pads, and “compensating controls.” Section 4.1. of PCI mandates the use of strong encryption of “cardholder data” during transmission over open or public networks. Cardholder data as defined under PCI includes PAN, Cardholder Name, Service Code, and Expiration Date as defined with respect to PCI.

However, the definition of “personal information” under the Law is much broader than “PAN” or “cardholder data” under PCI. Personal information includes information that is wholly unrelated to credit cards, including social security numbers, driver’s license numbers, identification card numbers and bank account numbers. PCI does not require encryption of these elements while transmitted electronically. Moreover, PCI does not require any personal information to be encrypted while stored. Rather, it only requires that the PAN be encrypted in storage (and even here encryption is not an absolute requirement -- PCI allows for other methods to render PANs unreadable and allows for "compensating controls"). Finally, since the encryption that happens around PCI relates to payment processing only, it does not appear that PCI-compliant companies would have to address encryption in other contexts, including for example e-mails containing personal information.

In short, PCI compliance allows an entity to avoid the obligation to encrypt personal information (except for "Cardholder Data") on data storage devices or while in transit, as required under subsection 2. of SB 227, and would appear to undermine the broader purposes of the Law. Stated differently, companies that are already PCI compliant would appear to have diminished obligations when it comes to encrypting Personal Information than those companies that are not subject to PCI.

Issues Surrounding the Law’s PCI Compliance Obligations

Nevada is the first state to incorporate the entire PCI Standard into law. The PCI Standard is an industry standard contractually imposed by the payment card networks on merchants and service providers that store, process or transmit cardholder data. In essence, the Nevada legislature has ceded its legislative authority to a group of private companies whose interests and concerns in creating and updating the standard may not be aligned with the goals of the Law. It has given PCI the weight of law, backed by attorney general enforcement and potential statutory liability, despite the fact that PCI is typically imposed in a negotiated contractual setting. As such, tying PCI to the Law raises several interesting issues and poses additional challenges:

PCI is always changing. One of the biggest problems with the PCI compliance requirement under SB 227 is that PCI is constantly being changed and updated. PCI is currently on version 1.2.1 (the fourth version in four years) and is currently soliciting comments concerning potential modifications in 2010. This makes the Law a moving target. On a certain level this makes sense – the PCI standard and good security evolves as the risks and technology changes. However, from a compliance standpoint constant vigilance is required to ensure compliance. Under the Nevada law this is especially true since non-compliance can result in an attorney general action.

PCI is ambiguous. Unfortunately the PCI standard is ambiguous as written in many sections and as applied in many circumstances. This is due in part to the one-size-fits-all nature of the standard. The problem is exacerbated, however, because there are multiple sources of interpretation, including the PCI Council, merchant banks, the card brands and qualified security assessors. Even within the PCI Council itself multiple methods of interpretation exist, including guidelines, FAQs, prioritized approaches, and email answers provided by the PCI Council provided on an ad hoc basis. Moreover there is no set interpretative hierarchy between potentially competing interpretations. For example it is not clear whether PCI Council guidance document would trump an FAQ, or the interpretation of a merchant bank.

PCI is contractual in nature. Typically a merchant will enter into a “merchant agreement” with a merchant bank or processor so it can accept credit cards. That merchant agreement will mandate that the merchant comply with PCI. If there is an ambiguity, since the merchant’s obligations are derived by contract, naturally the “best” source to resolve those ambiguities is with the merchant bank that is party to the agreement. If the merchant bank “gets it wrong” or agrees to a PCI interpretation that is not compliant, while it may have sufficed for the contractual relationship, under the Law it could result in a legal violation.

PCI is one-size-fits-all. PCI is made up of over 200 individual requirements/sub-requirements. For small businesses it may be difficult, if not impossible, to comply with (from a resource standpoint). Yet the Law does not make any exception or allowance for this. As a result, on day one many businesses (especially smaller and medium companies) are likely to be non-compliant with the Nevada law.

New independent and direct duty for service providers to comply with PCI? Typically, under the PCI regulatory scheme, service providers that store, handle or transmit cardholder only have a direct obligation to comply with PCI if they are contractually required to do so. They have no independent legal duty to comply with PCI under normal circumstances. SB 227, however, may provide a direct duty for service providers to comply with PCI. Service providers appear to fall into the definition of “data collectors” because they typically “handle, collects, disseminates or otherwise deals with nonpublic personal information.” The issue becomes whether, under subsection 1. of SB 227, a service provider storing, processing or transmitting cardholder data for another “accepts a payment card in connection with a sale of goods or services.” If the language in subsection 1. read “accepts a payment card for a sale of its goods or services,” then it would appear to be limited to merchants. However, the “in connection” language arguably extends the duty to service providers. For example, some might argue that payment gateways directly “accept” payment card numbers from customers online on behalf of merchants in connection with the merchant’s sale of goods and services.

Issues Surrounding the Law’s Encryption Obligations

The Encryption Obligations: Electronic Transmission and Data Storage Devices.

If a data collector doing business in Nevada does not have an obligation under subsection 1., then it must comply with the encryption requirements of subsection 2. SB 227 requires encryption in two areas: personal information transmitted electronically (subsection 2.(a) of SB 227) and encryption of personal information stored on certain data storage devices (subsection 2.(b) of SB 227).

A data collector doing business in Nevada, subject to exceptions discussed below, may not transfer personal information outside of its secure systems through an electronic transmission, unless encrypted. Again, a drafting quirk may pose some interesting interpretations of this obligation. By using the term “secure system” (undefined), it appears that this encryption requirement does not apply to personal information transmitted from an “insecure system.” Note that the probable intent of the “secure system” language was to eliminate the need to encrypt personal information while in transit within the internal networks of an organization (or at least that is one interpretation).

Drafting mistakes aside, SB 227 sets forth some significant exceptions to this encryption requirement. The electronic transmission encryption requirement does not apply to:

electronic voice transmissions or facsimile transmissions;

telecommunication providers conveying communications of other people; or

data transmissions over secure private communications channel for: (1) approval or processing of negotiable instruments, EFT transfers or similar payment methods; (2) issuance of reports regarding account closures due to fraud, substantial overdrafts; or (3) abuse of ATM machines or related information regarding a customer.

Data collectors must also encrypt data stored on a data storage device if the device goes beyond the logical or physical controls of the data collector or its data storage contractor. The concept of going beyond the physical controls (e.g. facilities of the data collector) is fairly clear. However, it is uncertain exactly what the intent is behind the “logical controls” reference. It could mean that if the data storage device is protected by the same “logical controls” as data storage devices that are part of the data collector’s internal networks, then encryption is not required. Or it could be tying back into the concept of secure internal environments. However, more research is necessary to ascertain how the “logical control” reference should be interpreted.

The Encryption Standard.

To comply with the Law, data collectors must use an encryption technology that renders such personal information indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data, which has been adopted by an established standards setting body, including for example, the Federal Information Process Standards published by the National Institute of Standards and Technology.

Encryption under the law also requires sound key management processes and safeguards. Specifically, data collectors must utilize appropriate management and safeguards with respect to cryptographic keys in order to protect the integrity of its encryption process. The data collector’s key management procedures and safeguards must be consistent with guidelines set forth by an established standards setting body, including for example, the National Institute of Standards and Technology.

While one might quibble with the requirement that the encryption technology render personal information indecipherable (all encryption is theoretically capable of being broken), the reference to FIPS and NIST standards provides solid guidance. However, the Law does not indicate what constitutes an “established standards setting bodies” in the event a data collector would like to use an encryption standard that is not based on FIPS or NIST.

The SB 227 Amendment’s “Safe Harbor”

While SB 227 arguably imposes significant encryption obligations on certain data collectors (at least those that are not already PCI-compliant), it also provides a “reward” for companies that meet its mandates. Subsection 3. of SB 227 provides a “safe harbor”:

3. A data collector shall not be liable for damages for a breach of the security of the system data if:
(a) The data collector is in compliance with this section; and
(b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.

This “safe harbor” may provide significant protection to compliant companies that suffer a personal information breach, even beyond the Law itself. Some may argue that the safe harbor protects the organization from all damages no matter what context or theory of liability (e.g. common law negligence, contract, negligent misrepresentation, etc.). Support for this theory can be found where SB 227 references a very limited list of liabilities theories (“gross negligence and intentional misconduct”), which arguably implies that other theories of liability can be barred by the safe harbor. Moreover, since the Law itself does not explicitly provide any damage remedy against a data collector that suffers a security breach, it would appear to be referring to liability outside of the Law.

For example, assume the case of a merchant that suffered a payment card breach. It would typically have a contract in place whereby it agreed to indemnify its merchant bank in the event of a payment card breach. Under SB 227, as long as the merchant was PCI compliant at the time of the breach (and therefore compliant with subsection 1. of SB 227), it could argue that it should be immune from contractual liability. This is significant because there is no legal mechanism currently in place under PCI that provides this legal protection. Please note that this argument is far from settled and additional research and analysis is necessary in order to validate the intent of Nevada’s legislature.

Beyond its potential broad scope, the safe harbor language in SB 227 arguably creates some incongruities between SB 227 and the Law. For example, the Law requires data collectors to implement certain “reasonable” security measures around personal information, which typically include measures beyond encryption (e.g. background checks, firewalls, virus protection, security policies, etc.). However, the safe harbor applies to all security breaches as long as the data collector complied with SB 227, even if it implemented “unreasonable” (but not “grossly negligent”) security.

An illustration may assist here. Assume a data collector made a mistake in configuring its firewall, which allowed a hacker to steal one million unencrypted personal information records while in transit on the data collector’s internal systems. One might argue that this data collector violated the section of the Law requiring “reasonable security measures” by providing such access. Nonetheless, as long as the data collector complied with SB 227 by encrypting data in transit externally or in data storage devices taken off premises, and it was not grossly negligent, it appears it would not be liable for the security breach under the Law (and otherwise). In other words, with the safe harbor, the requirements of SB 227 could be argued to override more stringent requirements of the Law around security.

Conclusion

Nevada’s Security of Personal Information Law, including the SB 227 Amendment, may pose some challenges for organizations. Its scope is arguably wider than Nevada companies because it appears to apply to any business that stores or processes personal information of Nevada residents, even those without a physical presence in Nevada. It employs a one-size-fits all approach that requires either PCI compliance or encryption of data in transit or on data storage devices, regardless of feasibility, or the resources or sophistication of the company. Moreover, by incorporating the payment card industry’s data security standard directly into the law, it gives PCI “the force of law.” This may be problematic for several reasons, the least of which is that PCI is frequently amended and presents a “moving target,” and is often ambiguous as written and as applied.

However, in addition to the new obligations posed by SB 227, it may offer some benefits and protection to organizations. First, companies that are already PCI compliant do not need to go the extra step under SB 227 and encrypt personal information in transit or on data storage devices. This is true despite the fact that the encryption requirements of PCI are limited in scope. Second, SB 227 provides a safe harbor that arguably bars liability arising out personal information security breaches that were not intentional or grossly negligent. In all, it will be interesting how companies react to the Law, how it is enforced by regulators, used by litigants involved in security breach litigation, and interpreted by courts.

Reed Elsevier v. Muchnick: Copyright Registration is Not a Jurisdictional Requirement

Wed, 10 Mar 2010 14:16:02 GMT

Last week, the Supreme Court issued its highly-anticipated decision in Reed Elsevier v. Muchnick. The decision arose out of a class action settlement between publishers and authors following the Supreme Court’s holding affirming copyright infringement in New York Times, Co. v. Tasini. The Southern District of New York certified the settlement, but the Second Circuit reversed, holding that pursuant to §411(a) of the Copyright Act, the Court lacked subject-matter jurisdiction to approve the settlement because the settlement covered both registered and unregistered works. The Supreme Court reversed, holding that the registration requirement of §411(a) was a claim processing rule and not a jurisdictional requirement. It left open, however, the question of how strictly §411(a) should be applied.

The Second Circuit Decision

During proceedings before the Second Circuit in Reed Elsevier, the court sua sponte asked the parties to brief the issue of whether §411(a) was a jurisdictional requirement. In response, all parties filed briefs asserting that the district court had subject-matter jurisdiction to approve the settlement. The Second Circuit ruled that the district court lacked the subject-matter jurisdiction necessary to certify the settlement because some of the works at issue were unregistered. Certiorari was granted to resolve the question of whether §411(a) restricts the subject-matter jurisdiction of federal courts. Because no party’s brief supported the Second Circuit’s holding that the court lacked subject-matter jurisdiction, the Supreme Court assigned an amicus to draft the brief in support of the Second Circuit’s holding.

The Supreme Court Distinguishes Claim Processing Rules from Jurisdictional Requirements

At the outset, the Supreme Court noted that jurisdictional rules are generally “prescriptions delineating the classes of cases (subject-matter jurisdiction) and the persons (personal jurisdiction) implicating that authority.” The Court recognized the difficulty of distinguishing “jurisdictional” conditions from claim-processing rules, and cited to its 2006 holding in Arbaugh v. Y & H that a statutory requirement is a jurisdictional requirement only if Congress identifies it as such. Because the registration requirement of §411(a) is not identified as a jurisdictional requirement, it is not, and instead works as a claim-processing rule. The Court continued by noting that the registration requirement in §411(a) has qualities of a claim processing rule:

it imposes a precondition to filing a claim that is not clearly labeled jurisdictional,
it is not located in a jurisdiction-granting statutory provision, and
it admits several congressionally authorized exceptions.

Unanswered Questions

The Supreme Court decision confirmed that courts can adjudicate disputes involving unregistered works. Even so, the Court declined to address the question of whether the registration requirement of §411(a) is satisfied by filing an application, or whether the Copyright Office must either grant or reject the application before a claim for infringement may be brought.

Circuit courts are divided on this issue. For example, the Fifth Circuit held in Positive Black Talk v. Cash Money Records that simply filing an application is adequate, as long as all required elements are deposited with the Copyright Office. This view has been called the “Application Approach.” Conversely, the Tenth Circuit in La Resolana Architects, PA v. Clay Realtors Angel Fire held that simply filing all the required elements of an application is not enough to satisfy §411(a), and that either a rejection or an acceptance must be received by applicant in order for a party to bring an infringement claim. This has been called the “Registration Approach.”

While the Second Circuit has yet to address the issue, three recent district court cases in the Southern District of New York have applied the Registration Approach. In Do Denim v. Fried Denim, Judge Swain granted defendant’s motion to dismiss the copyright infringement claim for lack of subject matter jurisdiction under §411. Do Denim had filed its deposit, application, and fee with the Copyright Office prior to filing suit, but it had yet to receive either a grant or refusal. Two other Southern District decisions have followed Do Denim in support of dismissal of the claim of infringement of an unregistered copyright: DMBJ Productions v. TMZ TV, and Lewinson v. Henry Holt and Company, LLC.

Inconsistent application of §411(a) has been a concern of copyright litigators for some time, and other blogs have addressed the split between circuits. In fact, the ABA Section of Intellectual Property Law recently wrote to the Senate suggesting legislation adopting the Application Approach.

While Muchnick abrogates cases describing §411(a) as “jurisdictional,” calling the section a claim-processing rule does not provide instruction on how strictly courts should apply the rule. As such, filing an infringement suit based solely on a pending application may risk dismissal in courts inclined to apply the Registration Approach. Even in a jurisdiction that adopted the Application Approach, obtaining a registration first may be advantageous, particularly in a preliminary injunction case where the presumptions flowing from registration may be important.

Nancy J. Mertzel is a Director in the Gibbons Intellectual Property Department. Lucy E. Emhardt, an Associate in the Gibbons Intellectual Property Department, assisted in the preparation of this post.

USPTO Launches Electronic Newsletter for Independent Inventors

Wed, 10 Mar 2010 12:29:01 GMT

What inventors need to know…

Inventors Eye is a new electronic publication by the U n ited States Patent and Trademark Office for and about America’s independent and small entity inventor community.

Inventors can find information about working with the USPTO; events, organizations and meetings of interest to the community; issues that impact independent and small entity inventors; and stories about successful inventors.

The first issue had a few great articles and links under the titles Advice, Events and Network:

Patent Reform: An Open Letter to the Independent Inventor and Small Business Communities from Under Secretary of Commerce and USPTO Director David Kappos
Protect Your Innovation: Avoid Scams, By Ronald Jaicks : Office of the Solicitor
Spark of Genius: The Spiral Eye Needle, By John Calvert: Inventors Assistance Center
Advice: Do Your Homework
Events: Where Independent Inventors Meet
Network: Organizations for Inventors

Inventors Eye will appear every other month on the USPTO web page.

And The Oscar Goes To...Overbranding?

Wed, 10 Mar 2010 12:00:00 GMT

While watching the Academy Awards on Sunday night, the winner of the Animated Short Films category definitely caught my attention. The winner was Logorama - a 16-minute French anumation created around the use of 3,000 well-known trademarks.

The plot is described as a police chase through Los Angeles which includes a machine gun-toting Ronald McDonald who is a fugitive running from the police, played by the Michelin men. Every inch of the picture is made up of a trademark, logo or character, instantly causing sensory overload (see a prior blog by Brent Lorentz titled Sensory Overload here). According to Wikipedia, the creators described the film as the presentation of “an over-marketed world” where “logotypes are used to describe an alarming universe (similar to the one that we are living in) with all the graphic signs that accompany us everyday in our lives.” During his Oscar acceptance speech, the producer opened by thanking "the 3,000 unofficial sponsors" and assured them that "no logos were harmed in the making of the project."

Talk about Logorama is heating up on the Internet with most people wondering how they got away with it. In a brief clip, I noticed sporadic use of the registration symbol. One blog includes a quote from one of the creators after the film aired at Sundance, noting "no brand owners had objected yet," but "we hope there is no CEO of McDonalds here tonight." While everyone has a right to present artistic commentary, it will be interesting to see if any brand owners object now that the film has received so much press.

Another interesting tidbit - when I tried to watch a YouTube video clip on one website, it had been removed due to a copyright claim.

Apple to Developers: "Und You Vill LIKE IT!"

Wed, 10 Mar 2010 11:58:32 GMT

The EFF have posted an updated version of the agreement that all Apple iPhone developers must sign in order to get their apps into the official App store. I particularly like the no compete clause - if you sell in the app store you can't sell your app anywhere else. Because we all know how dangerous competition can be, kids! (Did I mention I own a Droid? Right, this is why.)

Copyright Suit Dismissed With 30 Days to Prove Standing

david.donoghue@hklaw.com (R. David Donoghue) — Wed, 10 Mar 2010 10:48:13 GMT

Rudnicki v. WPNA 1490 AM, No. 04 C 5719, Slip. Op. (N.D. Ill. Dec. 10, 2009) (Pallmeyer, J.).

Judge Pallmeyer granted plaintiff summary judgment of copyright registration of six of his Polish radio broadcasts. The Court also granted defendants summary judgment that plaintiff lacked standing to bring his copyright infringement suit. But the Court gave plaintiff thirty days to seek reconsideration if he was able to get an assignment of plaintiff's radio broadcasts from his employer RadioZET during that time. The Court also granted in part defendants' motion to strike plaintiff's summary judgment declarations.

As an initial matter, the Court held that pursuant to the Berne Convention, Polish law controlled copyright ownership issues as the country most closely related to the work and that U.S. law controlled infringement issues.

Copyright Ownership

The Court held that plaintiff's radio news reports were protectable pursuant to Polish law, although the reported facts were not protectable. Furthermore, plaintiff's reports dealt with political issues which is a type of reporting Polish law specifically provided should be compensated. Plaintiff's six copyrighted broadcasts, therefore, were protectable and the copyrights were owned by plaintiff or his assignee.

Standing

Plaintiff's contract with RadioZET provided a transfer of rights to RadioZET in plaintiff's broadcasts that was "unlimited in time and space." Based upon that contract, plaintiff was not the exclusive copyright holder either in Poland or anywhere in the world where a copyright was held, including in the United States. The Court, however, gave plaintiff thirty days to get an assignment from RadioZET and seek reconsideration of the standing decision based upon the assignment.

Entitlement to Damages

Plaintiff's deposition statement that he did not incur economic loss from defendant's alleged infringement did not prevent plaintiff from an award of actual damages. The Court noted that actual damages could be determined in the range of $20-$38 per broadcast based upon what plaintiff was originally paid for his reports, including the copyrighted reports. If plaintiff proved all 53 alleged infringements that would result in damages of $1,060 to $2,014. The Court did not consider whether statutory damages were available.

Copyrighted Works

The Court held that plaintiff had properly registered his copyright in the six broadcasts deposited with the Copyright Office.

Motion to Strike

The Court did not strike the declaration of a previously undisclosed witness because the witness was only required because the equipment required to playback recordings of the broadcasts at issue unexpectedly failed.

The Court did, however, strike portions of two declarations by plaintiff's RadioZET supervisors. There was no evidence that the supervisors drafted or negotiated the contract. The fact that the witnesses were not disclosed in Rule 26 disclosures was not relevant, however, because they were disclosed during plaintiff's deposition.