by Mike Oliver | Jul 22, 2019 | Data Privacy, Privacy Law
Question: How do you cost your company £80,000 with one relatively small computer error?
(Short) Answer: You misconfigure an FTP (file transfer protocol) server . . . and forget and leave it running.
This was the lesson Life at Parliament View Limited recently learned when the Information Commissioner’s Office (https://ico.org.uk) fined it £80,000 for violating the 7th principle of the Data Protection Act 1998 (“DPA”). See https://ico.org.uk/media/action-weve-taken/mpns/2615396/mpn-life-at-parliament-view-limited-20190717.pdf. ICO could have fined it £500,000 (the maximum under that act) – but chose to only implement 16% of the maximum fine.
What happened? Life at Parliament needed to mass transfer personal data – though not particularly sensitive data (note 1) – to a data processor, and chose to use an FTP server. They intended to use a feature of this server to require a username and password, but the technicians misunderstood the server documentation from Microsoft, and ended up putting the server in Anonymous Authentication mode. In addition, “The FTP server was further misconfigured in that whilst approved data transfers were encrypted, personal data transmitted to non-approved parties was not. As such, transfers of personal data over FTP to non-approved parties had the potential to be compromised or intercepted in transit.” (Though not explained in the opinion, this was likely a fallback setting that allowed the server to transmit over an unencrypted channel if the receiving party did not have a secure channel available). The server was left in this condition for just shy of 2 years. Computer logs showed over 500,000 anonymous data requests. Eventually a hacker (well, really a person with ordinary computer skill who located the open FTP server) who had obtained the data began extorting Life at Parliament.
While the failure of basic computer security is plain in this case, it is noteworthy that ICO also found the following violations:
- Post configuration of the server, LPVL failed to monitor access logs, conduct penetration testing or implement any system to alert LPVL of downloads from the FTP server, which would have facilitated early detection and containment of the breach;
- Failure to provide staff with adequate and timely training, policies or guidance either in relation to setting up the FTP server, or information handling and security generally.
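The first finding, no log monitoring and no alert on downloads, is the kind of gap a short log check closes. The following is an added example, not part of the ICO notice or the original post: it parses a constructed W3C-style FTP log and reports completed downloads made in sessions that logged in anonymously. The field names, sample records and file paths are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample in W3C extended log style (field names are assumptions
# modelled on W3C-style FTP logging; addresses are documentation ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status x-session
2019-01-05 02:11:07 203.0.113.9 - USER anonymous 331 s-01
2019-01-05 02:11:07 203.0.113.9 anonymous PASS *** 230 s-01
2019-01-05 02:11:09 203.0.113.9 anonymous RETR /tenants/passport_0001.jpg 226 s-01
2019-01-05 02:11:12 203.0.113.9 anonymous RETR /tenants/bank_0001.pdf 226 s-01
2019-01-05 09:30:00 198.51.100.4 - USER processor 331 s-02
2019-01-05 09:30:01 198.51.100.4 processor PASS *** 230 s-02
2019-01-05 09:30:05 198.51.100.4 processor RETR /export/batch.csv 226 s-02
2019-01-05 11:02:44 192.0.2.77 - USER ftp 331 s-03
2019-01-05 11:02:44 192.0.2.77 ftp PASS *** 530 s-03
"""

ANON_NAMES = {"anonymous", "ftp"}  # conventional anonymous FTP user names


def parse_w3c(text):
    """Yield one dict per log record, using the #Fields directive as the schema."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def anonymous_downloads(text):
    """Return {client_ip: [paths]} for completed RETRs in anonymous sessions."""
    anon_sessions = set()
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        sid, method, status = rec["x-session"], rec["cs-method"], rec["sc-status"]
        user = rec["cs-username"].lower()
        # Reply 230 to PASS means the login was accepted.
        if method == "PASS" and status == "230" and user in ANON_NAMES:
            anon_sessions.add(sid)
        # Reply 226 to RETR means the file transfer completed.
        elif method == "RETR" and status == "226" and sid in anon_sessions:
            hits[rec["c-ip"]].append(rec["cs-uri-stem"])
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in anonymous_downloads(SAMPLE_LOG).items():
        print(f"ALERT anonymous FTP download: {ip} fetched {len(paths)} file(s): {paths}")
```

Run on a schedule against the server's log directory, a non-empty result is the alert that was missing here; any accepted anonymous login on a server meant to require credentials is itself a configuration finding.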
ICO has been very active in the general data protection space and issuing fines, and this decision – while an easy one in light of the poor computer security practices – is telling because ICO found secondary violations in post implementation failures to detect and train.
The same tendency is happening in the US – the FTC and state attorneys general are increasing their oversight of data protection, and several states (e.g. California’s CCPA) are enacting new data protection and data oversight requirements. While the FTC has had some wins (see a recent order against a car dealer, no fine but consent order, where unencrypted data was exposed for 10 days – https://www.ftc.gov/news-events/press-releases/2019/06/auto-dealer-software-provider-settles-ftc-data-security), and at least one major setback in its efforts against LabMD (http://media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf), it is likely that the government regulators will start going after companies that have engaged in less egregious data security violations, but nevertheless have lax training or monitoring set up, and probably also pursue smaller businesses who may not have the resources to have a robust security system and training.
For more information on our data security and privacy practice contact Mike Oliver.
_______________________
(note 1): The data consisted of “The types of personal data potentially compromised included names, phone numbers, e-mail addresses, postal addresses (current and previous), dates of birth, income/salary, employer details (position, company, salary, payroll number start date, employer address & contact details), accountant’s details (name, email address & phone number). It also contained images of passports, bank statements, tax details, utility bills and driving licences of both tenants and landlords.”
by Mike Oliver | May 1, 2019 | Firm Matters
Another year passes as quickly as the last – it seems they come and go more rapidly the older we become. Kim and I embarked on this adventure 6 years ago to the day – literally, it was a Wednesday – a typical work day for most people. Back then it was nothing even close to a regular work day for us. Looking forward back then there were a lot of unknowns – office space, staff needs, what clients would come with us?, what software would we use?, what 401k provider, payroll processing, accountant, insurance firms? and on and on . . . it was one thing after another we forgot or did not realize or had to scramble to fix. By us going through all the pain of a true new business startup it has helped us understand the obstacles and issues faced by our most typical client, the entrepreneur.
Six years in, of course, all of that uncertainty is gone, we have firm operations down to a science so to speak, and at this point we are just tweaking and making small adjustments. Our practice has grown but not in giant increments, more in steady increments (our trademark practice has grown significantly however). Our goal has never been growth, but rather finding ways to be as responsive as we can to clients, who ever more frequently want faster and more efficient service.
While we do not set formal goals, every year we look forward and back and see what we did well and not so well, and ask how can we improve in the future to do more things better, and avoid our past mistakes. This has been a challenge because our practice focus – intellectual property, data privacy and security, and corporate law all change as fast as technology is changing. It is just a lot of work.
Rapid legal changes and our general workload explain why we have been busy working, and not really able to do much in the way of blogging, marketing or sending email newsletters. Our patent practice, however, has recently opened a new site at www.baltimorepatent.com where we will make an effort to post more content in the patent law area to help our clients and referral sources better understand the benefits and costs of securing patents.
We again thank all of our clients, referral sources, employees and our family and friends – without all of you we could not have made it this far, and without you we would have no future. We truly do look forward to many years to come helping our clients navigate in these complex and challenging areas of law.
by Mike Oliver | Aug 31, 2018 | Client Spotlight
Oliver & Grimsley would like to congratulate Donna Stevenson Robinson of Oliver & Grimsley’s client Early Morning Software, Inc (EMS) and PRiSM Compliance Management (PRiSM) on being named one of Maryland’s Top 100 Women by The Daily Record. Nominees are judged by business professionals and past winners based on their professional abilities, commitment to their communities, and their role with mentoring.
Donna serves as president and CEO of EMS – her firm develops and publishes PRiSM – a secure, web-based portal that tracks contract spending while producing corporate, federal, state, and local program reports that facilitate both private, federal, and custom diversity program management.
Congratulations Donna from the entire Oliver Grimsley team!
by Mike Oliver | Jul 13, 2018 | In the News, Intellectual Property, Trademarks
If you search for books with the word “COCKY” in the title, the romance genre offers a large selection. One author in particular appears to be building a series of books with titles created as a play on words based on the main characters’ last names, Cocker. Thus, the books feature titles with the word “COCKY,” including titles such as “Cocky Roomie” and “Cocky Senator”.
The term “COCKY” is the subject of a recently registered trademark that has spurred quite the controversy. In April, romance author Faleena Hopkins, through her company Hop Hop Productions Inc., received a certificate from the United States Patent and Trademark Office (USPTO) granting her a trademark registration for use of the word “COCKY” in connection with goods for “a series of books and downloadable e-books in the field of romance.” Under U.S. Trademark laws, 15 U.S.C. §§1051, 1052, and 1127, more than one book is required in order to apply for a trademark for the title of a book series. See also TMEP 1208 et seq. The title of a single creative work is not registrable on either the Principal or Supplemental Trademark Register. Herbko Int’l, Inc. v. Kappa Books, Inc., 308 F.3d 1156, 1162, 64 USPQ2d 1375, 1378 (Fed. Cir. 2002) (“the title of a single book cannot serve as a source identifier”).
Since obtaining the U.S. Trademark Registration Certificate for COCKY, Hopkins has been asserting her registered trademark in cease and desist letters and threatening litigation against novelists in romance and other genres in order to force them to change the titles of their respective books. The world of romance e-books is mostly filled with self-published authors – generally meaning that these authors don’t have the commercial revenue to fight lawsuits, or design new cover art and promotional materials in order to comply with demands or risk their works being removed from online retailers such as Amazon.
Romance Writers of America hired an intellectual property lawyer to assist authors affected by the “COCKY” owner’s recently issued trademark and aggressive enforcement tactics. Retired lawyer turned writer Kevin Kneupper filed a Petition for Cancellation with the USPTO. In response to this action, Hopkins, through her attorneys, filed for a preliminary injunction and a temporary restraining order in the Southern District of New York against Kneupper and writers Tara Crescent and Jennifer Watson, authors accused of violating the trademark. Hopkins argued that the social media tirade against her has resulted in popular hashtags, such as #CockyGate and #ByeFaleena, and has directly affected her sales and income. On June 1st, a federal judge denied Hopkins’ motion and dismissed Kneupper from the lawsuit.
Hop Hop Productions, Inc. is also asserting ownership of a second “COCKY” trademark, a stylized design wordmark featured in the cover art title of the books. The font used was allegedly created by Set Sail Studios, which is owned by graphic designer Sam Parrett. Parrett recently sent a cease and desist letter to Hopkins and asserted ownership claims in connection with the font. At this time, Hop Hop Productions, Inc. remains the registered owner of this trademark in the USPTO. However, the USPTO provides means for parties to contest ownership, such as by procedural means of opposition of allowed trademarks or cancellation of registered trademarks.
Trademark rights provide an owner with a right to stop unauthorized third-parties from using the same or similar mark on similar or related goods in order to reduce the likelihood of consumer confusion. Trademark owners should seek legal counsel on evaluating enforcement methods and tactics prior to taking any action. Challenges or consequences may exist, such as third parties taking actions to oppose allowed trademarks or cancel registered trademarks, along with posts made to social media related to a matter.
***For more information on this topic or other trademark matters, please contact Pamela K. Riewerts, Esq., a partner at Oliver & Grimsley, LLC at: pamela@olivergrimsley.com.
by Mike Oliver | May 31, 2018 | Client Spotlight, In the News, Intellectual Property
Constellation Rum is a speciality project from Tobacco Barn Distillery that started in 2016, when the distillery first hauled barrels containing 100 gallons of rum into the ship hold of the U.S.S. Constellation, docked in Baltimore’s Inner Harbor. Working together with the Historic Ships in Baltimore organization, the Distillery made the idea come to life–to make a rum entirely of Maryland ingredients and aged under natural seaboard conditions for a year’s time, instilling an exclusive flavor profile characteristic to the product. The ebb and flow of the harbor tide provides constant movement, sloshing the rum throughout the bourbon soaked barrels, and with the Baltimore weather – the rum is exposed to an extreme range of temperatures ranging between approximately 10 and 100 degrees. After a year’s time, the barrels are unloaded from the historic ship and returned to the Distillery, where the rum is bottled, labeled, and fitted for sale.
This aging process has become an annual tradition for the distillery.
Every March, barrels are loaded and unloaded each year and prepared for sale in May, just in time for spring. Tobacco Barn donates a generous portion of the rum sale proceeds to the Historic Ships organization in support of their mission to preserve Maritime heritage.
Tobacco Barn Distillery is located in Southern Maryland and crafts various whiskies and rums. For more information on Tobacco Barn’s products and where to find them, you can view their website here.
Oliver & Grimsley, LLC, a Baltimore area intellectual property law firm, has been instrumental in securing trademarks for Tobacco Barn Distillery and advancing the Distillery’s branding endeavors which impacts valuation for the business. Please contact Oliver & Grimsley for more information on investigating, securing, and enforcing your business’ intellectual property.