CURRENT MONTH (November 2021)
Supreme Court Refuses to Review 8th Circuit “Initial Interest Confusion” Decision
By John E Ottaviani, Partridge Snow & Hahn LLP
The U.S. Supreme Court has declined to hear a petition for certiorari regarding online advertising practices in the latest battle in a long-running dispute between two mattress companies. The denial lets stand a decision from the U.S. Court of Appeals for the Eighth Circuit that held that the plaintiff could rely on a showing of confusion at the time of advertising, not at the time of purchase, in its trademark infringement claim. Select Comfort Corporation v. Baxter, 996 F.3d 925 (8th Cir. 2021); Dires LLC et al. v. Select Comfort Corporation et al., cert. denied, ___ U.S. ___, No. 21-212 (Nov. 22, 2021).
The “initial interest” doctrine has been a source of contention in trademark law since businesses started using the Internet for advertising purposes. The theory is that there could be trademark infringement if consumers are confused at the initial point of advertising into choosing the website of one company over another company, even though no actual sale is completed as a result of the confusion. This typically occurs when one company uses the trademarks of a competitor in its online advertisements or website, or in “metadata” that causes the competitor’s advertisements or website to appear higher in the search results than the trademark owner’s advertisements or websites.
In this case, which began in 2012, the plaintiff and the defendant sell competing adjustable air mattresses. Select Comfort alleged that the defendants used Select Comfort’s trademarks in various online advertisements to sell its own products. The district court rejected as a matter of law Select Comfort’s reliance on an infringement theory based on initial or presale confusion. At trial, the district court also instructed the jury that infringement liability depended on a showing of a likelihood of confusion at the time of purchase. The trial resulted in a mixed verdict, and both parties appealed. On appeal, the Eighth Circuit reversed and vacated the judgment, finding that limiting the infringement instruction to require confusion at the time of purchase was error.
To date, the First, Fourth and Eleventh Circuits have rejected, limited, or refused to adopt the “initial interest confusion” doctrine. See Smartling, Inc. v. Skawa Innovation Ltd., 358 F. Supp. 3d 124, 141 n.9 (D. Mass. 2019) (noting that the “First Circuit has yet to adopt” the initial interest concept); Vital Pharm., Inc. v. Am. Body Bldg. Prods., LLC, 511 F. Supp. 2d 1303, 1318 (S.D. Fla. 2007) (noting only that the Eleventh Circuit “has not embraced” the initial interest doctrine); Lamparello v. Falwell, 420 F.3d 309, 316 (4th Cir. 2005) (“we have never adopted the initial interest confusion theory; rather, we have followed a very different mode of analysis, requiring courts to determine whether a likelihood of confusion exists by ‘examin[ing] the allegedly infringing use in the context in which it is seen by the ordinary consumer.’”) (emphasis original to Lamparello). Other courts have applied the doctrine, at least in particular circumstances. Australian Gold, Inc. v. Hatfield, 436 F.3d 1228, 1238-39 (10th Cir. 2006) (applying the doctrine even when consumers “realize that the product is not the one originally sought” and where no sale occurs); Malletier v. Burlington Coat Factory Warehouse Corp., 426 F.3d 532, 537 n.2 (2d Cir. 2005) (distinguishing initial interest confusion from point-of-sale and post-sale confusion); Promatek Indus., Ltd. v. Equitrac Corp., 300 F.3d 808, 812 (7th Cir. 2002) (applying the doctrine “even if the customer realizes the true source of the goods before the sale is consummated”); Checkpoint Sys., Inc. v. Check Point Software Techs., Inc., 269 F.3d 270, 294 (3d Cir. 2001) (adopting presale initial confusion doctrine).
The case will now be remanded to the district court for a new trial, where the plaintiffs will be allowed to show confusion at the time of advertising.
Delaware Court of Chancery Dismisses Complaint Seeking to Hold Directors Liable for Breach of 500 Million Consumers’ Personal Information
By Lauren Dunkle Fortunato, Young Conaway Stargatt & Taylor, LLP
In Firemen’s Retirement System of St. Louis on behalf of Marriott International, Inc. v. Sorenson, 2021 WL 4593777 (Del. Ch. Oct. 5, 2021) (Will, V.C.), the Delaware Court of Chancery dismissed derivative Caremark claims brought against the directors of Marriott International, Inc. relating to a massive breach of consumer data. The Court found demand not excused because a majority of the Marriott directors did not face substantial liability for an improper-oversight claim under In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959, 967 (Del. Ch. 1996).
In 2016, Marriott purchased Starwood Hotels and Resorts Worldwide, Inc., including Starwood’s guest information system. In 2018, Marriott discovered a malware security breach of the Starwood system that had begun in 2014 and exposed 500 million guests’ personal information. Marriott’s stock dropped 12% in the following weeks.
The plaintiffs sought to hold the Marriott directors responsible for violating their fiduciary duty to oversee Marriott’s cybersecurity. The complaint alleged that the directors (1) failed to remedy Starwood’s deficient data system, (2) permitted non-compliance with industry standards (including PCI standards, tokenization and point-to-point encryption), and (3) consciously disregarded red flags that the company was violating positive law (including the FTC Act and consumer data-protection laws).
The Court found these allegations did not suggest conscious and bad-faith decisions by the directors warranting Caremark liability. Non-compliance with non-binding industry standards was not enough, and the complaint’s positive law allegations were inadequate. The complaint failed to identify specific laws and failed to allege the directors’ knowledge of both the legal requirements and Marriott’s violation.
Ultimately, the directors had in place a cybersecurity reporting system, and management reported on remedial plans. While that remedial process could have been quicker, the Court concluded there was no alleged bad faith by the directors relating to the data breach.
GAO Recommends Cybersecurity Plan Update for K-12 Education Sector
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The U.S. Government Accountability Office recently issued a report assessing cybersecurity for the K-12 sector as part of the government’s Critical Infrastructure Protection. The report assesses the extent to which federal agencies assist schools to protect against cyber threats and indicates that a subsequent report will focus on states’ use of federal assistance with respect to cybersecurity. The report discusses threats and recent incidents affecting K-12 schools, a $760 billion sector that serves more than 50 million students. With its plan to address cybersecurity risks dating back to 2010, the Department of Education needs to target updates necessary to address changes in cyber threats, including those tied to the increase in remote learning. The report recommends the Secretary of Education meet with the Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to update the education sector’s cybersecurity plan, with a focus on federal actions to assist K-12 schools against cyber attacks, and to determine whether to issue guidance specific to the education sector.
CISA/FBI Release Reminder for Critical Infrastructure (and Other Businesses) to Stay Vigilant Against Threats During Holidays and Weekends
By Alan S. Wernick, Esq., Aronberg Goldgehn
On November 22, 2021, the Cybersecurity & Infrastructure Security Agency (“CISA”) issued a reminder for critical infrastructure and other businesses to stay vigilant against cyber threats during holidays and weekends. “Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways – big and small – to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure,” the reminder noted. CISA and the FBI “strongly urge all entities – especially critical infrastructure partners – to examine their current cybersecurity posture and implement best practices and mitigations to manage the risk posed by cyber threats.” Specifically, CISA and the FBI urge users and organizations to take the following protective actions:
- Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack.
- Implement multi-factor authentication for remote access and administrative accounts.
- Mandate strong passwords and ensure they are not reused across multiple accounts.
- If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored.
- Remind employees not to click on suspicious links, and conduct exercises to raise awareness.
The above is not an exhaustive list of protective actions. In addition, depending on your business and regulatory compliance obligations, there are other steps to help protect the business or organization, including making sure your business promptly updates its software and applies security patches/fixes.
According to the reminder, CISA and the FBI also recommend businesses and government agencies remain vigilant against the types of techniques cybercriminals use to gain access to networks and computer systems, including:
- Phishing scams, such as unsolicited emails posing as charitable organizations.
- Fraudulent sites spoofing reputable businesses – it is possible malicious actors will target sites often visited by users doing their holiday shopping online.
- Unencrypted financial transactions.
Consider reviewing available incident response guidance, such as the Ransomware Response Checklist in the CISA-MS-ISAC Joint Ransomware Guide, the Public Power Cyber Incident Response Playbook, and the new Federal Government Cybersecurity Incident and Vulnerability Response Playbooks.
The bottom line is that, in order to reduce the risk of a severe business/functional degradation should your business fall victim to a ransomware attack, you should, among other things, periodically (and, in particular, before holidays) review and, if needed, update your incident response and communication plans. These plans, tailored to your business, should, at a minimum, include a checklist of actions to take – and important contacts to reach out to – should your organization be impacted by a ransomware incident or other cybersecurity event.
For additional information, see the CISA/FBI alert concerning Ransomware Awareness for Holidays and Weekends.
© 2021 Alan S. Wernick and Aronberg Goldgehn.