Interview with General Counsel Online

The Pittsburgh Technology Council, in their weekly Techvibe radio show, interviewed Robert Kost of General Counsel Online to understand what makes this a unique offering in the business law world.   The audio is included in this post and a transcript is below.

 

So glad you’re spending your Saturday morning here with us on tech vibe radio. This is Jonathan Kersting.

And this is Audrey Russo. We always talk some of the coolest people across Pittsburgh’s tech sector people do an alternate types of things with technology. And today, I’m really excited for us to be talking to Rob Kost of General Counsel Online.

Yeah, what a cool model. I can’t wait to talk to him about that. I mean, it’s not necessarily it’s in some ways, it’s like lawyer as a service.

I think that’s but it would be it’s fun to talk to rob and see what he’s doing with all this. Because I think it’s such a cool solution. He can give us all the best details. That’s for sure.

That’s great. So let’s talk about what you’re up to coming to Pittsburgh here.

I began to think what the future held for me, given my past. And my past really is this combination of law. I’ve been a, I’ve been a lawyer for 35 years. I’ve practiced in DC and Maryland. And in New York, I worked for a big corporation for IBM. As a lawyer, I’ve been involved in a whole bunch of things. So law is one aspect of what I come to this with the other was a long history of entrepreneurship, where I’ve been involved in tech startups, since the early 90s. took one of them public on the NASDAQ, and another one with a an institutional couple of institutional rounds of investment. So I’ve been involved in, in entrepreneurship, and especially in tech entrepreneurship for a long time. And over the course of the last five or 10 years, I’ve been involved in a company dealing at the high level in matters of strategy and marketing. So I thought I’d told these different strands of experience together into an offering that I think at any rate is fairly compelling. General Counsel online, he’s an online on demand legal service, whose primary audience is small business, as a small business person over the years, I’ve been neglected by the law. They’re uninterested in me because I didn’t have beaucoup money to spend. And that was usually only in the case of an emergency, or in the case of a highly specialized need, where I called on a lawyer, not that I didn’t need and wouldn’t have won at a lawyer. I just couldn’t afford what I’m pitching myself very much at the small business person who could use help in day to day legal matters. But those needs are sporadic. Rob, you know, I’m wondering what to do about this letter, the cease and desist letter that I got wondering what to do about the lease payments that I can’t make next month? I’m wondering, should I file for a trademark or a patent? Or should I register my copyright on these on these things? Those kinds of issues? I think I’m particularly adept at dealing in and I and I’d love to help people with that. Those kind of day to day legal issues.

So Rob, it seems to me that like these are some general types of problems that like if you don’t get them solved properly, early on, they can really haunt you later down the road. So if you don’t get that trademark, when you should have, it can be two years later and all of a suddenly you’re in trouble because it’s not trademarks. So the idea that you can access and get the right advice early, I think can really help people with their successes, they build their their venture moving forward, right.

I think that’s right, Jonathan, I think, you know, most people just like, if you said to me, You only contacted your doctor, when you were in serious medical problems, I’d say you’re foolish, you really ought to be dealing with some of these health issues on a day to day to day basis to avoid the problems, the acute problems that come on later. It’s really the same thing in law. If you don’t do things right in the first place, they may well come back to haunt you. And I want to totally do I want to address that, that kind of market.

So if people are listening now, right, and they’re all firm, how my like, think about think of a situation where you might easily be able to swoop in and be helpful. Sure, a decent one. That’s good. I think every business, the lifeblood of a business, sort of the business program, if you will, analogous to a computer program is a contract. And every business person thinks they’re an expert at contracts, until something like a pandemic comes around or on Till you figure out the other party’s breached, or done something wrong here, but it wasn’t in the agreement, because you didn’t think it’s true, or, you know, it was it was highly informal, we were going to end up going to the state of Washington, I had to do this to litigate this matter, and it’s gonna cost me two more to litigate it in Washington than the matters worth. You know, could we have solved these issues right up front? is, I think I can’t I think what’s a little bit unique here is coming at these kinds of issues, from a business perspective, primarily, and asking about business priorities, business objectives, and then letting the living the legal matters flow as they will. I think lawyers, most lawyers, by and large, begin from a very law centric point of view of the universe, and aren’t really concerned with how this fits in with an overall business strategy, or how this fits in with an overall business branding and marketing approach, or whether this patent that you want to pursue has any real business value to it? Or who’s going to be looking at those sorts of things. We’re, you know, so my primary concerns here.

So Rob, tell us about about the platform and how it works, because you’ve got a neat way of combining some technologies and making this very cost efficient. Can you give us an overview how it works? Yeah, sure.

This, I saw no point in trying to invent new technology here, because I don’t want any adoption curve issues. So online at General Counsel dot online (generalcounsel.online), it’s not.com. It’s dot online, which is also my name, which is also a trademark that I’ve applied for, for the first time. First time ever just this year. booking.com got a trademark on booking.com. The trademark office had been saying no, no, no, no, no, that’s your domain name. That’s not your trademark. That’s, that’s changed. So I’m online at General Counsel online, every client who comes to me, including those I’ve met in person, the relatively few that I’ve met in person, signs up, signs a retainer agreement online, and has their own personal portal web portal, where we’re sharing all of the documents, we’re going to trade back and forth here in a highly secure environment. I’m using slack as the backbone for this. And every client comes into my website into a single sign on enters the slack application. I’m using Office 365, for document storage, document markup, document, versioning, etc, etc. I’m using zoom for conferencing, not because I have to, because slack has that built in. But people are comfortable with zoom, and I wanted to do things that people were comfortable with. And then again, there’s a single sign on document signatures, contracts, and document filings are all done online. So what I’ve tried to do is assemble piece parts that make sense and unite them into a harmonious harmonious whole.

It’s a nice composite man, I like the way you’re taking the the key pieces and making it the one solid application.

Yeah, that’s right. It’s it’s really one roof. There’s no, download this and add this to the configuration and, and do this, you know, it all happens under one roof. The business model is a subscription based business model. This starts out at a fairly affordable rate for small businesses. And for that you get me I don’t really count hours very seriously. Now you can see that you’re a lawyer, you count every hour, come on. I’m not thinking in terms of hour, I’m thinking of, you know, client objectives and the achievement of those objectives. But whatever I end up charging, it’s always a fixed price charge. So there’s none of this. Well, okay, so you think you want to say you think we need to write the client a letter? Fine. I’ll write you a letter. How much will that be? Well, I can’t really tell you right now, because I may have to do some research. And I’ll do a number of drafts on this letter. And at the end of that surprise, it’s cost you 17 $100 at a rate of $350 an hour. I instead take this as a fixed price quote. And I try and be very, very serious about, you know, how much time I’m likely to spend on this. But if I ended up end up doubling the time on this, because of some unforeseen act on my own part. Well, that’s just I swallow that. And most businesses, most real world businesses, with the exception of law, sort of adhere To that approach, you know, I bid on on what it will cost you to file a trademark, I think it’s cool, cuz you’re making it very approachable as well, too. So, you know, obviously using technology that startups and so forth are accustomed to, and then having some simple pricing structure as well allow the tour, you know what this is going to cost, and allows you to do some of that really important work upfront, so you don’t get haunted later and had as emergency calls that cost lots of money. Right.

Exactly, exactly. Right. So yeah, I’m, I’m right now, you know, I have several clients more than I had actually planned on at this point in time. It has more work to do. I, you know, this was actually conceived before COVID. And then COVID came on his load, like my, my marketing buddy here.

Yeah, exactly.

I hadn’t planned on that. So. So it’s maturing pretty nicely. And I’m having a lot of fun. And I think supplying clients with a lot of good sound, legal advice and assistance.

I think that i think that’s interesting. And I do think attorneys are going through, you know, their own shift in terms of what it means to be an attorney and billable hours. And I net, I think there’s a lot of questioning about, you know, what I mean, they’re dragging and screaming into the 21st century. Every other profession, every other major commercial enterprise is already online, whether it’s insurance, or even my doctor, or banking brokerage, the list goes on, it’s all migrated online, to where the vehicle for providing the value, and the advertising and all of the commercial relationships are all handled as online relationships.

You know, with artificial intelligence, there’s going to be a shift anyway, through pattern recognition, through contracts and things that are thriving.

I think that’s right. I’m aware of some of the Pittsburgh based startups here, and eventually do want to work together with them to kind of see what synergies when my Hey, hey, you know, that’s great. So what’s the website?

It’s it’s a general counsel, all one word. A general counsel, by the way, is, is a common title. in the corporate world. It’s not so common in the small business world. As a matter of fact, most people don’t know what a general counsel is. But as the name suggests, it’s a it’s a person who is typically one of senior management, supplying day to day counsel on legal matters. General Counsel dot online is the URL for this awesome stuff. Rob, thank you so much for hanging out with us today and wish you success with the new venture. We think it’s fantastic. leveraging a whole suite of technologies to bring the price point of legal services down and help out some of the startups and those in need with it. So great stuff all the way around. Rob, you are the best. Thanks for being part of the show today.

Hey, thank you, Jonathan. Thank you, Audrey. Great, I appreciate it.

Absolutely. I’ll be another tech vibe under our belt. And next Saturday. We’re back with more great stories like Rob’s out there and how they’re using technology to innovate. do great work right here in Pittsburgh. This has been Jonathan Kersting. And we are from the Pittsburgh Technology Council. Learn more about us at PGH tech.org. And after you do that, it’s time to have yourself a really good weekend. Thanks, everybody.

Reporting a Data Breach

This Lawgorithm is designed to help you understand what a Pennsylvania business must do if it is the subject of a data breach.

Every state in the country now has a law requiring businesses in the state to report a breach of their computer system if the breach results in personal information being compromised or stolen. Although similar, these laws often vary in detail, so we will focus on the 2006 Pennsylvania Breach of Personal Information Act (which we’ll simply call “the Act”). This Lawgorithm will walk through the steps involved in determining whether and how a business must notify others of a breach under the Act.

Of course, even in Pennsylvania, it’s not as simple as adhering to one law. There may be other state, federal and even international laws to consider, not to mention issues related to negligence, privacy and trade secrets. For example, if the business is involved in the healthcare or financial sectors, there are additional federal requirements related to notification and post-breach actions. There is also a delicate issue concerning attorney-client privilege as it relates to information learned or disclosed in the process of addressing a breach. This Lawgorithm is narrowly focused on how to comply with the Act. We’ll leave it to future Lawgorithms to dive into these other areas of concern.

At its simplest, the Act says that any entity that has a database of personal information that has been breached has an obligation to notify the individuals whose data was compromised. In order to understand whether this applies to your business, your data, and your data breach, we need to unpack a few things.

The Act governs all “entities” that maintain, store or manage computerized data that includes Personal Information. The entity can be a government agency, a political subdivision such as a town or county, a business doing business in Pennsylvania or even a natural person who is a resident of Pennsylvania. There are therefore 3 criteria determining whether you are covered by the Act:

  1. Do you maintain, store or manage data? Though not defined, the plain meaning of this phrase is broad enough to cover just about any computer-based writing or reading of data, whether the system is local or cloud-based. It even covers companies whose business is to destroy documents.
  2. Are the data computerized? The Act does not cover paper records that might be broken into or stolen. Whether it covers digital records stored, say, on disk is not clear – perhaps they only become “computerized” when attached to a computer?
  3. Lastly, do the data include personal information? Only “Personal Information” is protected by the Act, and it has a very specific definition. Personal Information is a first name (or initial) and a last name in combination with or linked to an unencrypted or unredacted social security number, driver’s license number or credit or debit card number together with an access code.

This definition of Personal Information is actually quite narrow. It does not include business, medical, financial, legal, family, location and other information we might ordinarily think of as private or confidential.

An individual’s name can be either in combination with or linked to one of the three protected types of information. This not only includes information resident in a single database, but information linked to the name by means of a foreign key in a database or a URL to an endpoint containing the information.

Lastly, the linked-to data must be unencrypted or unredacted to be Personal Information. If the information is protected by an “algorithmic process” which creates a “low probability of assigning meaning without use of a confidential process or key” it is not Personal Information, and there is therefore no reporting requirement under the Act.

The conclusion here is that, even if you have a website, an email account, a database or a business application that has been hacked or breached, you are not subject to the Act if you are not dealing in Personal Information.

But the analysis doesn’t end there. Once you have detected a breach or an intrusion, you will need to consult with your attorney to see whether your business nevertheless has reporting or other obligations. You might have reporting requirements under federal law, such as the Healthcare Insurance Portability and Accountability Act (or HIPAA), the HITECH Act related to medical records, or the Graham Leach Blily Act. You may also be bound by rules made by the Federal Reserve, the FDIC, the Federal Trade Commission or other federal agency rules. Depending on whose data was compromised, you may also have obligations under the European General Data Protection Regulation (or GDPR) or the California Consumer Privacy Act (CCPA). Lastly, you may have contractual notice obligations pursuant to confidentiality and trade secrets protection agreements you have signed.

If you Personal Information has been compromised, the next question is whether a Breach has occurred.

The Act defines a Breach as “the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.“

This run-on sentence has 5 conjunctions in it that serve to further limit the scope of the Act.

  • First, the Personal Information must have been accessed and and acquired without authorization. If it is merely accessed and not acquired – say, viewed rather than downloaded – the Act is not invoked. An intrusion without acquisition is not a Breach as defined by the Act, and therefore not subject to its reporting requirements.
  • Requirements number 2 and 5, that the data compromise must be “material” and that it be “reasonably believed” to cause loss or injury are both heavily fact-based inquires, and something to be explored with the lawyer whom you are working with on the incident.
  • Requirement 3, that the compromised Personal Information be maintained as part of a database of multiple individuals’ Personal Information further limits the scope of the Act. Compromise of a single record – say, a single email or text file – which contains or is linked to the Personal Information of an individual, would presumably not be a Breach subject to notification requirements.
  • Lastly, in requirement 5, we understand that it is only the Personal Information of Pennsylvania residents that the Act is interested in. A resident of PA is any individual whose principal mailing address – based on the computerized data itself – is in the Commonwealth of PA.

Even though the Act ultimately defines breach in a fairly narrow way, the business that is subject to a cyberattack should not assume that its notification obligations end there. For example, the GDPR defines breaches broadly to include data destruction, loss, alteration, disclosure or access. If you are collecting data on European citizens or even citizens of other states within the United States, you’ll want to think more broadly about what constitutes a breach of a data system.

The Act carves out two exceptions that exempt entities from strict compliance.

First, if a firm “maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information” that are “consistent with the requirements of the act,” it may follow its own notification policies. It is unclear how a business would safely conclude that it needn’t risk enforcement of the Act based on its own assessment of what is “consistent” with the Act.

Finally, a financial institution that complies with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with the Act. A similar safe harbor is created for other entities governed by guidelines established by the entity’s “primary or functional federal regulator” – say, Health and Human Services, in the case of HIPAA compliant organizations.

If your cybersecurity incident fulfills all of the requirements of the Act so far, you must provide notification of the breach.

Notice must happen “without unreasonable” delay, taking into account any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

Notice may also be delayed “if a law enforcement agency determines and advises the entity in writing specifically referencing this section that the notification will impede a criminal or civil investigation.” Whether this means that the business has a duty to first inform law enforcement of the breach is not clear, and the Act imposes no such duty, but a conservative attorney might have the business pass the breach by at least local or State law enforcement before making its notifications.

Having determined the need to notify, the only remaining questions are what form the notification will take and who must be notified.

If the cost of notifying the individuals whose records were breached will exceed $150,000, or if the number of records exceeds 175,000, or if the entity has insufficient contact information for the individuals to notify them in writing, by phone or via email, the entity may provide substitute notice.

Such substitute notice would be an email notice together with a conspicuous posting of the notice on the entity’s website and notification to state-wide media.

If substitute notice is not warranted, you must notify each Pennsylvania resident whose data was accessed and acquired. The notice can be made by email, phone or written letter to the individual’s Pennsylvania address.

If notification is made to 1,000 individuals or more at one time, notice must also be sent to all consumer reporting agencies, such as Equifax, Transunion and Experian.

With notices having been sent, your business’s obligations under the Pennsylvania Breach of Personal Information Act are fulfilled.

Responding promptly and pro-actively to a data breach requires that the business have a technical and legal “playbook” or procedures manual for the inevitable data breach. It would include the above analysis, but go well beyond it. Scrambling to understand legal requirements and technical remediation after the fact is not a good strategy. Indeed, the best strategy is to engineer your IT systems and policies so as to minimize the risk that such a playbook would ever be used.

A Guide to Open-Source Software Licenses

In this 8-minute Lawgorithm, we analyze the series of decisions you will face in adopting open source software in your business or your published work. We look at permissive and ‘copyleft’ licenses, to help you determine whether and how to incorporate open source code in your own.

From what began as a collegial protest against proprietary software among programmers in the 1990s, open-source software (“OSS”) has emerged as ubiquitous in the software engineering business.  According to one source, OSS is used in 99% of all commercial codebases across all major industries and makes up over 70% of all the code in these codebases.[i]  Although its principal uses are in operating systems, databases and development tools, OSS has also become an integral part of everyday technologies like web sites and apps, smart phones, cars, appliances and the internet of things.  OSS is a key asset of even companies whose business does not involve software development per se.

UML diagram of OSS decision flow.
Diagram: OSS Decision Flow

Consider Business Requirements and Benefits. Adopting OSS is an alternative to building or buying software. It should be considered after you have developed business requirements for the system you are designing, and it should be assessed for its suitability to these requirements.  Thereafter its benefits and detriments should be considered in the context of your business model.

    • BENEFITS.  OSS is easy and cheap (or free) to obtain, usually via the internet.  It is typically the product of hundreds or thousands of developers and millions of code hours – resources and creativity that would be difficult or impossible for the typical business to marshal.  Resources for bug-fixing and augmentation are plentiful and relatively inexpensive to acquire.  Because it is typically accompanied by source code, it is easier to maintain, extend and adapt than proprietary software, which is typically supplied as machine executable without source.  It is arguably more secure and reliable than proprietary systems, having been vetted and used by many people.
    • DETRIMENTS.  OSS may be vulnerable to malicious developer bugs and exploits.  It may also be obscure, have poor usability and require lots of configuration and supporting software libraries.  Support may be uncertain.

If the OSS fails to meet business requirements (even with anticipated modifications), or if it is of negligible business and technical value, you can exit the analysis now.  No matter how cheap or easy it may be to comply with OSS license conditions, there is little business value in adopting software that does not serve business objectives.

  1. Distributed? OSS software license conditions are triggered by distribution.  If the OSS is not distributed, there is no requirement to adhere to the license conditions, and you can exit the analysis.  Although distribution is given different definitions by different OSS license variants, distribution is generally synonymous with publication, dissemination or propagation of copies of the code to third parties.  Conveyance of the code to limited groups for limited purposes and without rights to further use or distribute is not distribution.
    • SaaS Software. As so much of software migrates online to a SaaS model based on browser or app user interfaces to run applications that reside in the cloud, it is interesting to think that using OSS in support of a SaaS application probably does not constitute distribution since copies of the running code are (in most cases[ii]) not changing hands.
    • Employees. Copying code among a company’s employees is not distribution since the copies reside with the same licensee (the company for whom the employees work).  Intra-company use of OSS for backend and other internal systems is not distribution.
    • Contractors. For analogous reasons, conveyance to individual independent contractors is probably not distribution, so long as the code is treated as confidential, limited to company machines, and required to be returned or deleted at the end of the commercial arrangement.  However, conveyance of the code to consulting and outsourcing firms probably is distribution and therefore requires further analysis below.
    • Networks. Cloud storage of the code is probably not distribution, so long as the company maintains control over the account and the virtual space in which the code resides.
    • Subsidiaries. Conveyance to a wholly owned subsidiary is probably not distribution, whereas conveyance to minority owned subsidiaries or affiliates is more likely to constitute distribution.
    • Mergers & Acquisition. Although contracts (like an OSS license) may be assigned in the course of an acquisition, and therefore not distributed according the terms of the OSS license, non-exclusive intellectual property licenses are generally not assignable, raising the possibility that an acquisition or merger might constitute distribution and therefore trigger the OSS license terms with respect to the acquiring company.

If OSS is not distributed (and will not ever be distributed), the analysis can end there because the terms of the OSS license have not been triggered.

  1. Permissive or Copyleft?  Although there are literally hundreds of different and often idiosyncratic OSS licenses, they bifurcate into Permissive licenses (notice only) and the so-called Copyleft license (source + notice).
    • Permissive.[iii] If OSS is acquired under a permissive license, license conditions are straightforward and easy to accommodate: include a notice with the downstream binary or source code you distribute.  For the contemporary software development and publishing world, to “distribute” often means to put on GitHub or a similar versioning system.  The license will typically reside in source comments or in a “LICENSE” or “COPYING” file in the root of the repository and should exist for every version and every publicly available build.  The notice is short and includes the OSS author name, copyright notice, and disclaimer on liabilities and warranties.[iv]  Having included notice with the distribution, you’ve complied with your obligation and can exit this Lawgorithm.
    • Copyleft.[v] Copyleft licenses are more complex.  Notice is required, as with Permissive licenses, but Copyleft adds conditions: 1) the program and any derivative works must be made available free of charge under the same license under which the program was originally acquired; 2) if a binary is distributed, source of the program and any derivative works must also be made available; and 3) the distributor of the program (you) can impose no restrictions on the exercise of the license conveyed with the OSS program.
  1. Distribute Derivative Code. In cases where you make modifications to the Copyleft open-source program, your modifications are “derivative works[vi] which are subject to the Copyleft notice and source distribution requirements (in 3 (b) above).
  2. Distribute Aggregated Code. Aggregated code is separate and distinct programs that remain separate and distinct in distribution and use.  They are, for purposes of distribution, merely packaged together in the same container.  For example, suppose your proprietary interface Program X opens a connection to an unmodified open-source database program and fetches the results of queries made by the user of the interface.  Program X then renders the results.  Under these circumstances, each program will be distributed subject to its own license terms and Program X users may have a proprietary license from you and a separate Copyleft license from the Copyleft author with respect to the database program.
  3. Distribute Integrated Code. However, many Copyleft licenses will view the integration of OSS programs with proprietary programs as conferring derivative work status on both the original OSS code and on any proprietary code that integrates with the OSS code, and can therefore cause the integrated code to be subject to the Copyleft license terms.  Whether integrated code constitutes a single derivative work program depends on some controversial distinctions among the way integration might happen.  On the one hand, it is fairly clear that a plug-in is not a derivative work of the OSS code but that the wholesale incorporation of OSS modules into another program is.

It is in the “boundary” cases that there is considerable uncertainty whether the relationship between two programs is such that a derivative work has been created and that, therefore, a requirement to publish as the resultant source code, for free and subject to the same non-proprietary license.  For example, it is unknown whether there is a distinction between static linking (the import of libraries into memory at program load) is distinguishable from dynamic linking (loading libraries at runtime) for purposes of discerning whether a derivative work has been created.

Perhaps it is useful to think of these different kinds of integrations as being on a continuum, as pictured above, from a Composition (a mixture in which members have a part-of kind of association to one another, as a hand or foot is a part-of a person) to Aggregation (a collection without an association among the members).  Thus, the closer the two codebases get to being a Composition, the more likely they are to be regarded as a derivative work and the entirety of the now singular program subject to Copyleft.  The Free Software Foundation, the source of the GNU operating system and the original open-source software consortium, draws the line at linking – integration occurring through communications protocols, remote procedure calls and the like are not considered derivative works.

Compliance with OSS licenses can be of extreme importance to your business.  If a licensor believes that you have breached the conditions of their license, they can bring a copyright action for damages (for unlicensed use) or to enjoin you from distributing or using their (and potentially your) software.

[i] Synopsys 2020 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT, https://www.synopsys.com/software-integrity/resources/analyst-reports/2020-open-source-security-risk-analysis.html?cmp=pr-sig.  According to this study, 67% of all codebases have licensing conflicts, which is an interesting finding in light of the topic of this article.

[ii] Even the SaaS line is blurring.  Angular, Node and other JavaScript based constructs run in and are distributed to the user’s browser in response to server messages.

[iii] The principal examples of permissive licenses include the MIT and BSD licenses.  The Blue Oak Council (blueoakcouncil.org) counts over 150 permissive licenses currently in use.

[iv] Here is a copy of the MIT license (permissive): MIT License

Copyright (c) 2021

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

[v] Copyleft licenses include the AGPL (Affero General Public License), the GPL (General Public License), the LGPL (Lesser General Public License), and the Eclipse, Mozilla and Common Development and Distribution licenses.  See: https://blueoakcouncil.org/copyleft.

[vi] Copyleft licenses generally adopt the Copyright Law’s definition of “derivative work”: “a work based on one or more pre-existing works … in which a work may be recast, transformed or adapted.”  17 USC §101.

Whether and How to Register a Federal Trademark


This Lawgorithm will help you decide whether and when to register a trademark with the federal government.  It will help you think about the business and legal advantages of a federal trademark, and help you decide whether, when and how to obtain the fabled “® “.

Here’s a common scenario.  After weeks of brainstorming, you’ve come up with just the right name for your product or service.  It is a clever name, and distinguishes you from other competitors in the market.  Once your product is “out there,” you are committed to the name, and you know that — eventually — it may become an essential business asset.   Now what?  Should you register it?  Can you register it?  What are the benefits of doing so?

https://youtu.be/Jk2Pmo4FQhc

 

Should your business pursue trademark protection for a brand name, logo, or other way of uniquely identifying your product or service?

A trademark is “any word, name, symbol, or device, or any combination used, or intended to be used, in commerce to identify and distinguish the goods of one manufacturer or seller from goods manufactured or sold by others, and to indicate the source of the goods. In short, a trademark is a brand name.”[1]  The question is, should your business file to obtain a federal trademark?

  1. Assess the Business Value. Brands enable a company to distinguish a product or service from those of the competitors, and to create a lasting impression in the minds of consumers.  They are also business assets.
    1. Although a brand serves as a proper name for a product or service (and is therefore “denotative”), its value is often connotative: it signifies or betokens quality, dependability, price and other positive mental associations between the name or symbol and the product.  You may want to use this connotation to drive adoption and repeat sales.
    2. The primary purpose of trademark is to distinguish your goods or services from others’.  In crowded or commodity markets, differentiation may be essential to get through the ‘noise’ and clutter.  In a long list of products on the internet, for example, it may be to your great advantage if you have a visually interesting and appealing logo.
    3. Asset Value. A trademark is an intangible asset of the business, forming part of goodwill on the balance sheet.  Brand equity can often exceed the capital value of the underlying physical plant or contracts.  By one estimate, 70% of the $13 billion acquisition price for Whole Foods by Amazon was attributable to goodwill.[2]  A trademark can be licensed, sold and hypothecated (as a security).

If the brand you are considering trademark for has a strong business value under one or more of the above criteria, you should then assess the benefits of trademark to your business.

  1. Consider the Legal Benefits. The legal benefits of trademark are significant and include exclusivity (only you can use the mark), notice (would-be infringers are on notice of your ownership), priority (you own the trademark from the time it is first used in commerce) and import protection (a trademark owner can invoke the power of the US Customs and Border Patrol to prevent goods from entering the United States.   NOTE that, even if you decide that the business value and legal benefits of registering a trademark are not warranted, if you nevertheless intend to use the mark, it may behoove you to determine whether you are risking a trademark infringement lawsuit by using the mark – if you run afoul of another with trademark rights, you could be forced to stop selling your product, impound or destroy products that use the mark, or pay the owner money damages.  Therefore, it advisable that you conduct a defensive search (indicated in the diagram by the dashed line).
  1. Product or Service? Is the brand the name of a product or service?  If it is only the name of your business – i.e., your tradename – then it is not eligible for federal trademark protection.  Instead, you should seek to register it in your state as a ‘fictitious name’ – a name used to identify your business (something you may wish to do regardless of, and in addition to, trademark considerations). ä   Note, however, that it is not difficult to make the case that your company’s name is also the name of its product or service.  “Coca Cola” is the brand of a soft drink as well as the name of the company that makes it.
  1. Interstate Commerce?  The federal government gains its power to issue and enforce trademarks from the Commerce Clause of the US Constitution, which requires that commerce affect interstate commerce in order for the federal government to regulate or otherwise legislate concerning it.   Your product or service must be offered in interstate commerce.  “For goods, ‘Interstate commerce’ involves sending the goods across state lines with the mark displayed on the goods or the packaging for the goods. With services, ‘Interstate commerce’ involves offering a service to those in another state or rendering a service that affects interstate commerce (e.g. restaurants, gas stations, hotels, etc.).”[3]
    1. Intent to Use. However, even if your product is not yet in interstate commerce (or perhaps even available to the public), you may nevertheless file for a trademark under an “intent to use” basis, provided that you subsequently actually offer the good in commerce and prove it with the US Patent & Trademark Office (“USPTO”).
    2. State Trademark. If your product or service is likely never to be in interstate commerce, you may nevertheless seek State trademark protection.  In Pennsylvania, a simple filing detailing the mark provides 5 years of protections against others using the mark in-State.
  1. Assess Strength and Eligibility of the Mark. Not all names and symbols are good trademarks, or for that matter, trademark-able.
    1. Arbitrary? The strongest trademarks – from both a legal and (I would venture) a business and marketing perspective – are arbitrary with respect to the thing signified (“Apple” for computers, “Gap” for clothing, “Ford” for cars). If your mark is arbitrary, you can confidently move to the next step of the analysis and investigate whether it is a unique mark, or confusingly similar to another.
    2. Fanciful? Fanciful marks are strong and likely to be approved by the Trademark Office (all things equal).  Often, these are neologisms – words that have never before existed – XEROX, Intel, Kleenex, Tylenol, etc.
    3. Suggestive? Suggestive marks, such as “At-a-Glance” for calendars, “Nice ‘n Easy” for hair products, or “Redi-Whip” for foods, are registrable, but their scope may be limited (you may find your mark alongside other permitted variations or the same mark alongside many other classifications).
    4. Descriptive. Descriptive marks, as the name suggests, portray some attribute of the product – “Speedy Repair” or “Reliable Aviation.”  Descriptive marks are generally not registrable, without showing that a mark has, through long use, become a well-known moniker for the product (indicated by the dashed line running from the “Descriptive?” decision). ä
    5. None of the Above? If your mark is not arbitrary, fanciful or suggestive, then it is likely to be not  Generic names (names for the thing being named) are not registrable; “Bicycle” may work as the name of a card deck, but not as the name of a two-wheeled, pedaled transportation vehicle.  Nor are surnames trademark-able, absent a showing that they have acquired distinctiveness (such as “McDonalds”, “Ford”, and “Dell”). ä
  1.  Every mark is classified according to one or more of 45 classes of goods and services (1 to 34 for goods; 35 to 45 for services).  You will choose which class(es) your mark belongs to and which coordinate classes might also apply (a mark might, for online learning for example, be for both “computer, scientific and legal services” and “education and entertainment services”).  The same trademark can exist in different categories (“Apple” computers can co-exist with “Apple” hotels), and classification serves to both limit the scope of a given mark and limit the search for relevant variations on the word.
  1. Both the applicant and the USPTO will conduct a search of the federal Trademark Electronic Search System (“TESS”) database, looking for marks for which there is a “likelihood of confusion” with your own in the class(es) in which you are registering.[4]  It is advisable to also search other databases, including Google/Bing and internet domain name registrars to determine if there are perhaps unregistered, but nevertheless temporally prior uses of similar marks.
  1. Assess: is there a Likelihood of Confusion? As the last step before filing for a federal trademark (and spending $225 to $275 and more), you and your lawyer should make a determination of a likelihood of confusion and therefore a likelihood that the application will be rejected.  If you decide to file, it makes sense to do so as soon as practicable – perhaps even filing an “intent to use” application if you’ve just developed the mark and haven’t yet used it in commerce.  If, only the other hand, your mark is too similar to another in your class, you may want to avoid the USPTO and attorney fees and go back to the drawing board with the mark.
  2. The actual registration process is quite simple and done entirely online (except in limited cases).  The registration fee is non-refundable.  It will take about 3 months before an examining attorney is assigned by the US Patent & Trademark Office.  It will take another 2 to 3 months before there is an Office Action.  Changes to the application will have to take place through amendments, which are subject to their own processes and fees.

[1] https://www.uspto.gov/learning-and-resources/trademark-faqs#type-browse-faqs_1223  Although this definition speaks in terms of “goods,” trademark also applies to services – a “service mark” is a trademark for services.

[2] https://www.cnbc.com/2018/02/06/amazon-10-billion-goodwill-balance-shows-whole-foods-strategy.html

[3] https://www.uspto.gov/learning-and-resources/trademark-faqs#type-browse-faqs_1223

[4] “Likelihood of confusion” is Based on criteria developed in Polaroid Corp. v. Polarad Electronics Corp., 287 F.2d 492 (2d Cir. 1961).

When and How Should Your Business Register a Copyright?



Almost every business these days produces information that may be a copyrightable work of authorship.  The question is: when and how should the business register a copyright?  This becomes a question of the value of information product the business has produced and how copyright registration supports that value.

This Lawgorithm looks at the question from a business-oriented perspective, asking:

    • is copyright protection available for the work?
    • what role does the work perform in the business?
    • what kind of protection might be most appropriate to its role?
    • what benefits does copyright registration offer?
    • how do I register?

This Lawgorithm is designed to help businesses decide whether to register a copyrighted work with the US Copyright Office.

Registering a copyright is a relatively simple and inexpensive process that creates a record of copyright ownership with the Copyright Office, a part of the federal Library of Congress.

You do not need to register a copyright in order to own it.  You own a copyright in a work of authorship[1] the moment you create it and record it in “a tangible medium of expression” – i.e., write it on paper or on a computer, photograph it, audio or video record it, etcetera.  And, because of this claim to ownership, you can bring a lawsuit in federal court to enforce your copyright, even if you had never previously registered the work (you will ultimately have to register to bring suit).

However, there are some very compelling benefits to registration.  Whether registration is right for you will depend on a number of factors: a) whether the item is copyrightable in the first place, b) what role it plays and what value it has in the business and c) on whether the benefits are worth it to you.

1.     What is Copyrightable?

If an item is not copyrightable, you cannot register it.  Most original expression is copyrightable, but there are certain types that are not:

    1. Ideas are abstract concepts that have not been reduced to particular, concrete expression.  A general ‘rags to riches’ storyline is not protectable; a biography of Andrew Carnegie is.
    2. Methods, algorithms, processes, procedures and systems.  Of particular note for software authors: copyright does not protect the algorithm (patent might, if the algorithm enacts a patentable process) any more than it does a recipe.
    3. Unoriginal works.  Customer lists, white pages telephone listings, log files and other works lacking a “modicum of creativity” are not copyrightable.  Compilations of facts may be copyrightable if they introduce original sequence, structure or organization, but the underlying facts are not.
    4. Personal and business names, titles (including book and song titles), fonts (except as part of a logo, design, etc.), fashion design, blank forms, short phrases or slogans.  In some cases, the item does not rise to the level of ‘de minimus’ originality; in other cases, trademark or patent law is the appropriate form of protection.

If the work is not copyrightable, consider whether it is nevertheless valuable and protectable by trade secrets law or patent law.  ä

2.     How to Evaluate Business Value?

The value and importance of a work is a function of its role in the business.  In general, an information product can perform 4 different kinds of roles in business.

    1. SecretThe information derives its principal value from its being secret.  If this is the case, and the business has been and will be diligent in keeping the information secret, copyright registration should not be pursued.  Instead, a separate inquiry into the creation and maintenance of trade secret rights should be explored, and we exit the analysis. ä
    2. ProductThe work is the item for sale.  It alone or in combination with other resources (like labor) is what the business has to sell.  The business is typically an author or publisher of a Work.  It is selling a book, a movie, a computer program, a newspaper, a game, a song, etc.   These businesses comprise the “intellectual property industry,” generate over $6 trillion in gross sales, and make up over 38% of the US Gross Domestic Product.[2]
    3. AssetThe work provides the business with a competitive advantage of some sort.  It may even be counted ‘on the books’ as an intangible asset of the business.  Advertising is perhaps the preeminent example, but other copyright assets might include studies, reports, surveys, software tools and infrastructure, and knowledge in the form of employee presentations and publications.
    4. AncillaryThe work plays a ‘supporting’ role internal to the operation of the business.  Employee manuals, procedures manuals, memoranda, company signage and internal publications are examples of these kinds of works.

The business importance of a work, and the benefit of registering a copyright, is in general greatest with Products, followed by Assets and then Ancillary works.

There are some works that of relatively little business value of any kind – ephemeral meeting minutes, emails, voicemails, etc.  In this case, there is little need to consider copyright registration, and you can exit the analysis.

3.     What are the Business Benefits of Copyright Registration?

Copyright registration offers key advantages to the copyright owner, which are of greatest importance when the business value of the Work is the greatest.

    1. Statutory Damages.  If your Work is infringed, you’ll have to prove actual damages, which is most often measured in terms of lost profits.  These can be very speculative and difficult to prove.  Registering your copyright, on the other hand, may entitle you to instead seek statutory damages.  These damages are fixed by statue and range from $750 to $30,000 for all infringements of a single work.  In the case of willful infringement, statutory damages may be as much as $150,000.  Statutory damages require registration within 3 months of publication, or before infringement occurs.
    2. Presumption of Valid Ownership.  Registration also serves as prima facie evidence of the validity and date of the copyright, meaning that the burden is on the defendant to prove the works do not belong to you.  Ordinarily, this burden would be on the copyright owner.  You may not have time for these legal measures if you are seeking an injunction to stop harm that is occurring now or imminently. If the work registered within five years of publication, the copyright ownership is also presumed valid.
    3. Import Protection.  The copyright registration can be recorded with U.S. Customs and Border Protection, which will seize and detain infringing copies of a work being imported into the US.  The copyright owner can also petition the International Trade Commission to exclude infringing goods from import in the first place.
    4. Record and Notice.  Registration creates a searchable public record.  Not only are potential infringers on notice (and therefore potentially liable for willful infringement), but parties seeking to contact the copyright owner (for licensing) are able to contact them.
    5. Pre-Requisite to Suit.  As previously mentioned, the work must be registered with the Copyright Office before suit can be brought in federal court.  Because registration may take 3 to 12 months, this delay could be decisive if you are seeking to address imminent harm to your business.

4.     What if a Copyrighted Work also has Utility Value?

In addition to their value as products, assets or ancillary material, certain works may have utilitarian value.  They perform a useful function.  This is particularly true of computer software, where the written code is not only an original “literary work” (as described by the Copyright Office), but embodies a new “process, machine, manufacture, or composition of matter.”  The software may solve problems in the field of computer and data science that are independently worthy of protection by US Patent Law.  In this case, you should consider filing a patent on the software in addition to registering it with the Copyright Office.  Bear in mind that an inventor has one year from the date that an invention is publicly used, sold or described, and that registering a Work with the Copyright office will set this clock ticking.

5.     How to Register a Copyright?

Registering the copyright is not difficult and can be done online or through the mail.  Registration requires that complete an application, pay a fee and deposit two copies of the “best edition” of the work with the Copyright Office.  If a work is digital-only, the two-copy rule obviously does not apply.  “Best edition” refers to criteria that the Library of Congress determines for the deposit to be suitable for its purposes. Generally, if a work exists in digital and also in physical form, the best edition is the physical version.

_________

[1] “Work of Authorship” or just “work” is the term of art that copyright law uses for a particular original, creative or communicative expression.  It can be a literary, artistic, educational, musical, software, etc.

[2] US Department of Commerce, Intellectual Property and the US Economy, 2016.  https://www.uspto.gov/sites/default/files/documents/IPandtheUSEconomySept2016.pdf