Look beyond the DTSA for a cybersecurity response
The recently enacted Defend Trade Secrets Act (DTSA) creates a federal cause of action and establishes new remedies for trade
But while the DTSA should help companies protect their trade secrets from wrongdoing by employees or competitors, it adds little to their efforts to protect electronic assets from hackers and other cybersecurity threats, says Mark Joy, a member in Leydig’s Chicago office.
“The DTSA is a very positive development – as far as it goes,” Joy says. “But not all electronic information qualifies as a trade secret; the DTSA and its remedies may simply be inapplicable in many data breaches.”
As such, data breach victims will need to look elsewhere to formulate an effective response.
Steps to take after a data breach
“An optimal response to a cybersecurity breach varies with the circumstances of each incident, but should never be delayed,” says John B. Conklin, a member in Leydig’s Chicago office. “Immediate action is required to mitigate any damage caused by the breach. The damage may not be immediate or obvious, but should not interfere with or delay a response.”
Within the first 24 hours:
- Contain the breach – Remove the intruder from the network and involve third-party forensic experts immediately. Their expertise will be critical for locating indicators of compromise, containing the breach, and helping with other specialized tasks, such as malware reverse engineering. Experts can also preserve evidence and help develop short- and long-term action plans. Companies should consider taking certain communications offline until they verify that the hacker no longer has network access.
- Seek legal counsel – Identify legal notification obligations and minimize litigation risks, which may include actions by state and federal authorities, as well as civil claims by affected consumers. Counsel should advise public relations professionals to ensure the company delivers a clear and consistent message to consumers and government authorities. Throughout the incident response, counsel should work closely with forensic investigators and IT personnel to review security gaps and develop future action plans. One benefit of involving legal counsel is that communications may be under privilege.
- Alert key internal personnel – Alert all incident response team members and appropriate company executives immediately.
- Document everything – Keep detailed records of the date and time the breach was discovered and reported; who discovered and reported it; the type of breach; and the names of anyone who may know of the breach.
- Preserve data – “The stronger the preservation efforts, the clearer the picture of the hacker’s actions and extent of data exfiltration,” Joy advises. In addition, data preservation efforts will provide useful feedback for patching security holes, and will be looked upon favorably by regulatory bodies, which may be considering penalties or other adverse actions as a result of the breach.
- Prepare remediation – Remediation should include both short- and long-term plans. The short-term plan should focus on the current incident, such as removing malware, implementing security patches, blocking IP addresses, and rebuilding infected systems. In the long term, an incident can shed light on both specific and systematic security gaps, providing a unique opportunity to fortify network systems.
- Identify required notification – “Notification obligations can be one of the most vexing aspects of a data breach,” Conklin says. “A complex web of state and federal law governs notification, and those obligations can also vary by industry.” Notification to consumers and regulatory bodies, such as a state attorney general or the FBI, may be required. Companies should consider working with legal counsel to prepare notification templates before an incident.
- Manage communications – The PR damage after a data breach may eclipse any financial loss in court. Companies should therefore manage internal and external communications carefully to ensure a consistent and accurate message. Time statements to the public appropriately and track any media coverage. Customer service and other front-line personnel should receive specialized training tailored to the incident. It may not be possible to control the internal rumor mills, but remind employees that statements made on social media may exacerbate the harm.
- Review the incident – Once the dust settles, a company should thoroughly analyze the root cause of the breach, review its incident response, and use lessons learned to prevent future incidents. A forensic investigation may provide valuable feedback regarding network vulnerabilities, effective response elements, and areas for improvement.
Proactive steps before a breach
“Companies should not wait until a breach occurs before taking action,” Joy says. Develop a cross-functional incident response plan. To execute the plan, assemble and train an incident response team, involving technical, legal, and business personnel before a crisis hits so that sufficient time is available to test procedures and improve the response. Companies should conduct a risk assessment, preferably by an independent third party, which can lay the foundation for a comprehensive, dynamic plan and be refined through periodic tabletop exercises and simulation.
For further guidance, companies should look to the recently published NIST framework and guidelines at https://www.sba.gov/managing-business/cybersecurity.
Manufacturing contract does not trigger on-sale bar, Federal Circuit says
A generic drug company’s contract with a manufacturing services company was not a “commercial sale” of the patented product that would trigger the on-sale bar as defined prior to the America Invents Act (AIA), the Federal Circuit ruled recently.
The court’s July en banc decision in The Medicines Co. v. Hospira, Inc. is a victory for companies that may not have the in-house resources to manufacture products themselves, says Salim A. Hasan, a member in Leydig’s Chicago office.
“This decision levels the playing field a bit,” Hasan says. “So long as the contract is properly written, a company can outsource its manufacturing without worrying about the on-sale bar.”
This may particularly benefit smaller companies, such as pharmaceutical companies that perform research but do not have the capacity to scale up manufacturing, Hasan adds.
Prior case law already established that an invention could not be patented if it was ready for patenting and was subject to a commercial sale or offer for sale more than one year before the application was filed because of the on-sale bar under 35 U.S.C. §102(b). In Medicines, the Federal Circuit considered the requirements for a commercial sale or offer for sale.
The Federal Circuit held that for a sale to trigger the on-sale bar, the sale must be “one that bears the general hallmarks of a sale under the Uniform Commercial Code.” The court concluded that “the mere sale of manufacturing services by a contract manufacturer to an inventor to create embodiments of a patented product for the inventor does not constitute a ‘commercial sale’ of the invention.”
Hasan says patent holders should ensure that their manufacturing contracts are explicit about the purpose of the agreement.
“If you are going to have your product manufactured by a third-party, the contract language should make it very clear that it is for the sale of services, not the sale of the patented product,” he advises.
Hasan also cautions that the subject matter of the patent claims may be important to the analysis.
“The claims at issue in Medicines were directed to the product,” Hasan says. “If the claims were directed to a method of manufacture, the court may very well have ruled differently.”
Supreme Court affirms broad USPTO authority on two key IPR issues
In a June decision addressing two important aspects of inter partes review (IPR) practice before the Patent Trial and Appeal Board (PTAB), the Supreme Court held that the decisions as to whether to institute an IPR are “final and nonappealable” and that the board can continue to use the “broadest reasonable interpretation” standard in claim construction.
The Cuozzo Speed Technologies, LLC v. Lee decision reflects significant deference to the U.S. Patent and Trademark Office (PTO) in its administration of post-grant proceedings under the America Invents Act (AIA), says Aaron R. Feigelson, a member in Leydig’s Chicago office.
“Based on the AIA’s broad grant of authority to the PTO over IPR proceedings, the court left the PTAB with more flexibility in its construction of claims terms than might be found in a district court,” Feigelson says. “It provides some cover to the PTO in its decision-making.”
In reaching its conclusion, the court relied on the AIA’s grant of rule-making authority to the PTO to issue “regulations ... establishing and governing inter partes review.” The court concluded that the PTO’s “broadest reasonable interpretation” standard “represents a reasonable exercise of the rule-making authority that Congress delegated to the patent office.”
Relying on the plain language of the AIA, which states that PTAB decisions as to whether to institute IPR proceedings “shall be final and nonappealable,” the court also held that the AIA limits appellate review of such institution decisions. The court’s holding regarding appellate review for institution decisions should serve as a reminder, says Wesley O. Mueller, a member in Leydig’s Chicago office.
“If your petition for an IPR is denied, Cuozzo confirms that you may be left with few, if any, viable options to challenge that decision,” Mueller says.
ITC chucks some of Converse’s trademark claims
The International Trade Commission (ITC) recently ruled against Converse on two out of three trademark infringement claims related to its well-known Chuck Taylor sneakers. While the decision means that other companies can import and sell shoes with many of Chuck Taylor’s design elements, it also acts as a wholesale bar on the sale and future importation of any knockoffs that contain protected elements.
While a mixed result for Converse, its one victory is a reminder of the powerful remedies that the ITC can provide to a successful trademark infringement claimant, says Michelle L. Zimmermann, a member in Leydig’s Chicago office.
“If you get a general exclusion order from the ITC, it is not just effective against one or two companies as it would be in a civil infringement suit; it applies to everyone, including non-parties,” Zimmermann says. “It can be used to block imports from present and future infringers in one fell swoop.”
Converse filed its complaint with the ITC in October 2014. At approximately the same time, it filed 22 separate trademark infringement lawsuits in federal court against 31 companies, most of which have been settled. The ITC complaint asserted infringement claims relating to three trademarked design elements of the Chuck Taylor shoe, including its diamond-patterned outsole.
In November 2015, an ITC administrative law judge found that all three of Converse’s marks were being infringed and recommended that the ITC issue a “general exclusion order” prohibiting the importation of all footwear products that infringed those trademarks.
In June 2016, the judge’s decision was upheld as to the outsole but reversed as to the other two marks.
Zimmermann advises trademark holders to keep in mind the option of bringing an action before the ITC when facing an infringement threat.
“The ITC may not be the right forum in all instances, but it should be seriously considered as a powerful tool,” she says.
BPCIA’s 180-day marketing notice is mandatory for all biosimilar applicants
Biosimilar applicants who may have hoped to get their products on the market quicker by participating in the “patent dance” had those hopes dashed by the Federal Circuit in July when it held that the 180-day commercial marketing notice required under the Biologics Price Competition and Innovation Act (BPCIA) is mandatory for all biosimilar applicants.
The court’s unanimous decision in Amgen v. Apotex followed in the footsteps of its 2015 holding in Amgen v. Sandoz that the notice provision was mandatory for an applicant that opted not to participate in the BPCIA’s information exchange process (the “patent dance”). In Apotex, the court held that notice was required even if the applicant participated in the patent dance.
“For those considering whether or not to do the dance, Apotex means that you will have that six-month wait even if you do,” says Jamaica P. Szeliga, a member in Leydig’s Washington, D.C., office. “If you were thinking that investing in the dance would pay off by getting you to market earlier, Apotex puts that idea to bed.”
The Sandoz court had also held that a biosimilar applicant “may only give effective notice of commercial marketing after the FDA has licensed its product.” Since the BPCIA provides that a license “may not be made effective” by the FDA until the 12-year data exclusivity period expires, this means that the period is effectively 12½ years. Apotex argued that this was not Congress’ intent and was against public policy.
The court noted that there was nothing to stop the FDA from issuing the license before the 12 years had run, so long as it was not “effective” until the end of that period. It concluded that “the 180-day notice of commercial marketing [could] be sent as soon as the license issues, even if it is not yet effective.”
“The Apotex court was making a strong suggestion to the FDA that it could or should issue ‘tentative’ licenses prior to the end of the exclusivity period so that applicants could get their products on the market the minute the 12-year period expires,” says Ashlee B. Szelag, a member in Leydig’s Chicago office.
A petition for certiorari remains pending in the Sandoz case.
- The Supreme Court will consider whether parties can continue to use laches as a defense in patent infringement cases. In May, the court granted certiorari in SCA Hygiene Products AB v. First Quality Baby Products LLC, agreeing to review an en banc Federal Circuit decision that the defense remains available under the Patent Act, notwithstanding the high court’s ruling relating to the film “Raging Bull” which involved laches as a defense in copyright infringement cases.
- The question of when design elements of useful articles (apparel) can be protected by copyright law will be addressed by the Supreme Court in its fall term. Granting certiorari in Star Athletica v. Varsity Brands, the court agreed to review a 6th Circuit decision in which designs used on cheerleading uniforms were found to be “separable” from the uniforms’ utilitarian aspects and thus copyrightable under the Copyright Act.
Northern California Super Lawyers has named Arthur J. Bobel a 2016 Rising Star.
- Associate Enes Ovcina holds a law degree from the University of Michigan Law School. He has an undergraduate degree in biological sciences from DePaul University.
- Associate Tara N. Goodarzi holds a law degree from DePaul University College of Law. She has an undergraduate degree in molecular and cellular biology from the University of Illinois.
- Associate Helena O. Berezowskyj holds a law degree from Loyola University Chicago School of Law. She has an undergraduate degree in molecular and cellular biology from the University of Illinois.