Scott Godes talks with Ken Suzan about cybersecurity threats to intellectual property. The EPO has announced plans for the annual fees for the European patent with unitary effect. And we proudly announce that we are co-host of the Meet the Bloggers event during the INTA Annual Meeting in San Diego.
Rolf Claessen and Kenneth Suzan
Episode 25 – April 3, 2015
RC = Rolf Claessen
KS = Kenneth Suzan
SG – Scott Godes
Hi. This is Gene Quinn. I am a patent attorney and the founder of ipwatchdog.com and you are listening to IP Fridays.
KS: Hello and welcome to this episode of IP Fridays. Our names are Ken Suzan and Rolf Claessen and this is THE podcast dedicated to intellectual property. It does not matter where you are from, in-house or private practice, novice or expert, we will help you stay up-to-date with current topics in the fields of trademarks, patents, design and copyright, discover useful tools and much more.
RC: Welcome to the 25th episode of IP Fridays. As our listeners already know, we are hosting an IP Fridays Meet-Up during the INTA meeting in San Diego on the May 5th so if you want to sign up for that, please send us an e-mail and you will get an invitation for this Meet-Up. Also, we are host to the Meet the Bloggers Event on May 4th. If you want to learn more about the Meet the Bloggers Event, where you can meet relevant bloggers in the fields of trademarks, you can go to www.ipfridays.com/meetthebloggers. We would be happy to see you at either one of these events and it would be great to see you at both events.
So what has happened in the intellectual property field? The EPO has finally proposed levels of renewal fees for the Unitary Patent and I will tell you more about this. But before I tell you about the renewal fees, we have a special guest today, which is Scott Godes of Barnes & Thornburg LLP. He is a partner in charge of insurance and cyber security threats and he is telling us about the risk of intellectual property being stolen in cyber-attacks and how the insurance industry is responding to that threat. So Ken, take it away…
KEN SUZAN’S INTERVIEW WITH SCOTT GODES:
KS: Rolf, today I am joined by Scott Godes who is a veteran trial lawyer with experience in insurance coverage matters and technology issues. He is a partner in Barnes & Thornburg LLP’s Washington, D.C. office and is a member of the firm’s Litigation Department, the Policyholder Insurance Recovery and Counseling Group, and the Internet & Technology Law Group.
Scott has assisted a variety of clients over the years to obtain more than $1 billion in insurance coverage. In one of his most significant matters, he was co-lead counsel in a landmark class action trial. It was the first case of its kind to determine that insurance coverage was available, without aggregate limits, for thousands of asbestos claims.
Scott is also a co-chair of the American Bar Association’s Computer Technology Subcommittee of the Insurance Coverage Litigation Committee of the Section of Litigation.
Scott regularly represents clients facing cybersecurity, data breach, cyberattack, privacy and other technology-related claims. He has litigated and advised clients regarding insurance coverage for data breaches and cybersecurity issues.
Scott, welcome to IP Fridays.
SG: Thanks Ken. It’s great to join you.
KS: Scott, what should companies think about when it comes to their intellectual property and cybersecurity?
SG: Ken, we are in an age where companies know that intellectual property is the most valuable thing that they have and we are far, far away now from days when people were most concerned about risks of bodily injury and so companies are beginning to think about things like destruction of their intellectual property and at the most basic, non-headline grabbing level, there are many examples of IT personnel leaving companies but hacking back into the system. Then they go and they destroy data servers and intellectual property which means that there are huge costs to try to rebuild the systems or rebuilt and replace the data and the intellectual property while continuing to run the day-to-day operations of the business when you have found yourself hamstrung and unable to get to the most essential things that you need.
Then, of course, at the headline grabbing level, which we have been seeing much more of lately, are the allegations and suspicions that former employees have helped third parties hack into networks and directed the third parties to the most sensitive and embarrassing IP that the company has. Even without thinking about patents and thinking about it more large in terms of intellectual property that make a business run and what can be sold to consumers or otherwise.
Then, of course, at the nation/state level, companies are starting to understand that there is rampant theft of their intellectual property in ways that benefit foreign competitors, governments or otherwise and that companies have reported seeing their design plans on computers and servers in large countries with lots of people in the far east of here. They reported things like secrets for better manufacturing and the plans for upcoming products and more which is really eye-opening and disturbing on multiple levels. T
Beyond the pure intellectual property questions, you have the privacy related questions which relates to the electronic information and electronic data that is held. What has made the headlines more regularly is when the hackers get access to other information such as payment card numbers or other types of information that are held in vast troves on servers where the hacker can get in and get the keys to the kingdom the amount of information that can be stolen is astronomical.
KS: What sort of liabilities arise after such incidents that we have been reading about and are hearing about?
SG: Sure, that’s a great question. There is a myriad of potential liabilities both under statute and under potential common law questions. So, in the context of a data breach of personally identifiable information or payment card numbers or protected health information, companies have to be thoughtful about whether any of the 47 different states data breach notification statutes will require them to send out notifications to their customers. They will be concerned, of course, about reputational harm and the loss of business as a result of the reputational damage that they suffer as a result of being in the news for all the wrong reasons of actually being the victim of a crime. They will face inquiries from states attorneys’ general, they will face inquiries perhaps from the FTC, perhaps from the Department of Health and Human Services, and very likely enterprising plaintiff’s lawyers are not shy about filing purported class actions, punitive class actions, to give some sort of relief to the people whose information allegedly was exposed. So, that is all in addition to the costs incurred for having to hire a forensic investigator to figure out what happened, when this happened, how and why it happened and how long it has been going on and what was stolen because, unlike a time when you could say I know exactly how this happened because the safe door was blown off sometime between Friday when you locked the door and turned off the lights and Monday morning when you came back in and saw that your money was gone, we are now in a spot where companies quite frequently have no idea that they have been infiltrated for some time and scramble to determine exactly how long it has been going on for and what was seen or what was taken.
KS: Yes. Now, focusing on the United States, what is the government here in the U.S. doing about this?
SG: Well, there are suspicions that the U.S. government is actually launching its own cyber vectoring. It is definitely working overtime to catch cyber criminals and they have been taking steps to bring hackers to justice, particularly if the hackers happen to travel internationally and get into a country where there is the ability to extradite them. But most recently, in fact just this week, the government created a new agency called The Cyber Threat Intelligence Integration Center, which is an interesting development in that there were thoughts that there was really no single government entity that was responsible for determining and figuring out who was responsible for these cyber-attacks and making a coordinated effort to respond and analyze them. The agency is being described as being intended to fill these gaps and so it will be a fascinating development to see how things move forward with this new agency and to see what results we can appreciate after the coordination of the U.S. government’s efforts into one location.
KS: You mentioned cyber vectoring, what is that exactly so our listeners can understand that term?
SG: Sure, there are suspicions that after one of the more recent headline grabbing attacks on an entertainment company, there are questions as to whether the U.S. government was involved with or supported or was happy to see happen, the alleged outage of Internet service in North Korea. There are also suspicions that have been hinted at by former high-level government personnel that efforts were made to disable the nuclear power plant and nuclear armament programs of foreign countries via cyber-attacks and so there are suspicions readily confirmed directly that our government is doing things outside of the headlines to take steps to stop others that have been seen as or suspect as causing problems for U.S. businesses and otherwise.
KS: That is fascinating. Can companies solve this problem by hiring smarter chief information security officers? Would that be a fix here?
SG: Yes and no. The chuckle I have is that there are times when the chief information security officer, particularly for smaller firms, can actually end up being the problem when that person leaves in a disgruntled fashion. Where I have seen those people, they know how to get back into the system and based on information and belief have gone back in and destroyed information they were able to access after leaving. But that is more the outlier rather than the rule. The rule is hiring a smarter chief information security officer is a great start because it means that the company is devoting more resources to the context of protecting intellectual property and protecting electronic data and the things that are the keys to the kingdom of the company. So, notwithstanding that, notwithstanding those efforts, the problem that companies face today is that a hacker seemingly is always one step ahead of efforts by the company to secure its systems. Companies should think about this from the context of let’s do as much as we can to keep the hackers out, but perhaps just as important let’s figure out what we can do when the hackers get in. So, do we have things like appropriate risk transfer in place? Do we have things in place that would mean if a hacker got in, could that hacker get access to every single thing at all levels of the company, or are there multiple stages of security within the company that would prevent that from happening?
KS: You know, this really is an important issue for companies throughout the world. What should companies do to safeguard their IP and other critical data?
SG: Well, of course, the starting point is thinking about risk management from the perspective of taking steps to engage in the best practices that are available for securing systems and, again, there are multiple standards or guidelines out there for companies to consider such as the NIST framework and for companies that accept payment cards, payment card industry compliance. But none of those things are a silver bullet or any sort of guaranty by any means that you can prevent a hacker from getting in. In fact, virtually all of the retailers that have been in the news as having been hacked for payment card data had followed quite stringent requirements set by the payment card industry itself as to what to do, how to do it, and had been certified by a third party as having met the rules. These certifications usually take a month or more to gain and take a lot of work. It is not a box checking exercise. So, if you recognize that, that there is only so much that you can do to prevent a hacker from getting in, then ask yourself what can I do if a hacker does get in in terms of prudent risk management. Just like we have a fire insurance policy for any enterprise, and think about the last time you had a fire at work. You want to do the same thing in terms of cybersecurity and understanding what your insurance program is and so take a close look at what your insurance portfolio entails for the current year and figure out whether the risks that we have talked about would be covered under what you have. Also be thoughtful about your contractual risk transfer. For those companies that have the leverage with their contracting partners to require that the contracting partners carry cyber insurance or take on the risks of dealing with privacy incidents and the like, that is a way of changing the risk and the financial impact on a company. Think about limitations of liability and how those might apply and, using traditional concepts if you will, about risk transfer and risk management, and putting them into place in the context of cyber security and intellectual property.
KS: Scott, let’s talk about trends. Do you think that we will see even more hacks in the coming years?
SG: Absolutely. There is no doubt in my mind. This is where the money is and it’s the spot where as companies have more and more data and companies are getting larger and so that data is being held in repositories that, again if you use the phrase “gotten the keys to the kingdom,” the amount of data that you can extract or that the hacker can extract and use for financial benefit or otherwise is mindboggling. So, as the ability to store more either onsite or in the cloud and the ability to leverage big data continues to grow, that means that there is more data that is held or accessible and that is just irresistible to people that want to get into the system. So I don’t see this going away anytime soon.
KS: Scott, could you offer our listeners three tips for evaluating an insurance program for cyber security risks?
SG: Of course. I would be happy to do that. The big picture question is do you have any coverage for cyber risks at all as it stands, as sort of an initial point? That takes a careful review of an insurance program so I work with clients quite frequently where we sit down and we say let’s see what you have and often times there are insurance policies that they may have been told are “traditional policies” or were not marketed as providing coverage for cyber risk but buried within there are provisions that by endorsement or otherwise do provide coverage and that could be a good resource for them. Then, be thoughtful about what specific insurance policies you have as to cyber and privacy risk. So when evaluating a cyber-insurance policy, in particular, big picture-wise, probably the most important thing is thinking about what types of coverages are we talking overall in terms of first and third party coverages? What I mean by that is third party coverages in the insurance world traditionally has meant that somebody has sued you and so if there was a class action filed against the company as a result of a privacy incident and people allege that their information was compromised and the things that they allege with that, would the policy cover that? Frequently cyber-insurance policies do. Then, in addition to that, would there be coverage for a regulatory investigation? So as the FTC and other agencies ramp up their investigations and inquiries in this area, how would the policy cover those inquiries? Then, in terms of first party coverage, not talking about the notification letters and the analysis done and the investigation costs, that is crucial and probably part of every policy, but then also the question of in terms of business interruption and extra expense, are you buying coverage for that? So that if your business was interrupted or your intellectual property were stolen, would you be able to get insurance to pay for the losses resulting from that incident as it relates to your own particular losses. So that is something that is starting to be purchased with some more regularity but a big picture question that sometimes gets overlooked is people think they need to buy cover for breach notification costs which certainly is an important thing, but not the end of the inquiry.
The second thing, in terms of a cyber-program and cyber-insurance policy, is to really understand what are appropriate limits, sub-limits and retentions. What I mean by those insurance-geeky terms are limits are pretty straight forward terms; it is basically how much insurance are you buying in terms of your ultimate number? But then in terms of sub-limits, those are more difficult and more of a problem for companies in that when you thought you bought a $10 million insurance policy, perhaps one section says well we will only give you $250,000 of coverage for losses in connection with this type of payment that you are making and that is an eye opening problem when you think you have $10 million of coverage available and you are limited to $250,000 for certain things which can be far more expensive than that. In terms of retentions, many insurers are starting to add in multiple retentions to the policy so where you might start out saying well in terms of my investigation it’s only $50,000 retention and that is great, all I need to worry about is $50,000 and then everything is on the insurance company’s dime, and then you have a lawsuit filed against you and all of the sudden you realize that you have a $1 million dollar retention that applies totally separately catching you off guard and by surprise.
The last tip is more generalized in terms of looking for exclusions that are specific to the impact they would have on your company and the way that it does business. For example, if you are a company that has a lot of vendor contracts and makes promises in terms of indemnification, does the insurance policy say anything, exclude or possibly include coverage for your contractual indemnity obligations? Those are handled quite differently from policy to policy.
KS: This is fascinating, Scott. How can our listeners get in contact with you?
SG: They can always find my bio on the Barnes & Thornburg Website. I am a heavy user of LinkedIn so you can find me, Scott Godes on LinkedIn and they can reach me at my e-mail address of email@example.com. That is the best way of finding me.
KS: Excellent. Thank you Scott so much for joining us today on IP Fridays.
SG: Thanks so much Ken.
RC: Thank you Scott and Ken for this very interesting aspect of intellectual property.
In the beginning, I promised to tell you more about the EPO renewal fees for the Unitary Patent. There is a blog that I read on a regular basis. It is called the IPKat. Some people call it the IPKat but in fact I was told by the Master Cat that it was really called the IPKat. So the IPKat published a blog article in the beginning of March saying that it has received a certain document from the president from several sources so it seems that the sources are reliable. In this document, the EPO is proposing two different fee models for the renewal fees for the Unitary Patent. Here is what it boils down to…in the years 3-5 the level of the renewal fees will be the internal renewal fees of the EPO. This does not come as a real surprise since most applications are still pending within this timeframe. In the years 6-9 there is a transitional period where the levels will rise. Starting from year 10, there will be a level equivalent to the total sum of the national renewal fees that are payable in the states in which the European Patents are most frequently validated.
While most patent practitioners hoped for the top three offices, so the level would be corresponding to the sum of the renewal fees for the countries with the top three filings, the lowest level that is proposed are the top four countries so the renewal fees starting from the 10th year will be the sum of the current renewal fees for the top four countries where European patents are validated at the moment. The alternative proposal is the top five fees, so the renewal fees as a sum of the renewal fees of the top five filing countries that are currently being validated after grant. To reduce the pain a little bit, the EPO suggests to reduce the renewal fees for the first ten years by 25% for a certain category of patentees, namely small and medium sized entities, natural persons, non-profit organizations, universities and public research organizations.
So, what does it mean? In the top four level renewal fee scheme, it would mean that the total cost for 20 years of patent renewals would add up to 37,995 Euros and in the top five scheme it would mean that the regular renewal fees would add up to 43,625 Euros during 20 years. The reduced level for the entities that I just named would be a total of 41,655 Euros. As we all know, most patents don’t live longer than about 10, 11 or 12 years so for most patentees the second proposal would be nearly the same except for the entities that have to pay reduced fees – small and medium sized entities, natural persons, non-profit organizations, universities and public research organizations. So for these entities, the second proposal, so the top five proposal, would actually be cheaper if the average lifetime of a patent, let’s say 10 years, would be typical for these entities.
The article in the IPKat blog is quite detailed so if you want to read everything, you can go to www.ipfridays.com/unitarypatentrenewalfees.
Thanks for listening and I hope to see you in San Diego.
KS: That’s it for this episode. If you liked what you heard, please show us your love by visiting http://ipfridays.com/love and tweet a link to this show. We would be so grateful if you would do that. It would help us out to get the word out. Also, please subscribe to our podcast at ipfridays.com or on iTunes or Stitcher.com. If you have a question or want to be featured in one of the upcoming episodes, please send us your feedback at http://ipfridays.com/feedback. Also, please leave us a review on iTunes. You can go to http://ipfridays.com/itunes and it will take you right to the correct page on iTunes. If you want to get mentioned on this podcast or even have comments within the next episode, please leave us your voicemail at http://ipfridays.com/voicemail .
You have been listening to an episode of IP Fridays. The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by their respective law firms. None of the content should be considered legal advice. The IP Fridays podcast should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents of this podcast are intended for general informational purposes only and you are urged to consult your own lawyer on any specific legal questions. As always, consult a lawyer or patent or trademark attorney.
All rights reserved.