Date: December 13, 2022
- Richard Lane, Chief Security Officer of the World Intellectual Property Organization (WIPO).
- Prof. Tal Zarsky, Dean and a Professor of Law at the University of Haifa’s Faculty of Law.
- Prof. Manuel Desantes, Professor of Law at the University of Alicante.
Objectives of the session:
Before, during, and since the COVID crisis, the complex interaction between Intellectual Property (IP) and cybersecurity issues has steadily developed: which cybersecurity strategies and business models are protected within IP? Which cybersecurity for IP? How must we keep IP assets protected against cybersecurity breaches? What is the relationship between cybersecurity and WIPO, and why may it matter for WIPO? Why is cybersecurity essential for innovative IP business? How does IP relate to privacy and other related areas when cybersecurity issues are considered? New models are being developed and are in urgent need of clarity as to their interaction with classical IP. Speakers from Europe, Israel, and WIPO (Australia/UK and Switzerland) provided a worldwide picture of the future of IP and cybersecurity, including re-imagining IP in this area in favor of both fair business and consumers/society.
Prof. Laurent Manderieux considered that cybersecurity, a key topic for the international community, must be further put in relation with Intellectual Property development. He pointed to the topics of the discussion, including how to keep IP protected from breaches, why cybersecurity may matter for the World Intellectual Property Organization, and how it relates to IP and data protection issues in general.
Prof. Javier Fernandez Lasquetty pointed out that cybersecurity is, or should be, part of our lives, in order to protect IP assets and trade secrets. He opened the discussion for the moderator and panelists.
Prof. Manuel Desantes laid the foundation by raising the issue of an appropriate balance in the relation between cybersecurity and IP.
Question 1: What is the relationship between cybersecurity and WIPO? Why is it important for WIPO?
According to Mr. Richard Lane, this relationship is fundamental for how the organization works. WIPO is the custodian of the data of the customers, be it, for instance, patents, industrial designs or any other information regarding IP filings. The focus is the protection of the information. The impact of an incident could be catastrophic, depending on the incident. WIPO has identified cybersecurity risk as the top risk to the Organization. If we do not protect the information entrusted to us adequately, a cybersecurity incident could have catastrophic consequences for WIPO, but also for inventors, companies and other stakeholders who trust the organization.
Prof. Tal Zarsky added that there is a need for a global initiative. Being an international organization, WIPO can bring about knowledge and expertise. WIPO holds a vast inventory of information (public, private and personal). Regarding international organizations, such as ICANN, there should be a debate on how much information should be kept secret or opened up to the public, or perhaps opened only to the essential extent, since an excess of information could, for instance, work as an enabler for other cyberattacks. The balance of every institution is unique and leads to interesting questions about policy in WIPO.
Mr. Richard Lane replied that WIPO is governed by international IP treaties such as the Protocol relating to the Madrid Agreement concerning the International Registration of Marks and the Patent Cooperation Treaty (PCT), which establish the level of protection, what data is kept and for how long. In this context, WIPO cannot decide those aspects by itself; on the contrary, WIPO has to follow the treaties.
Question 2: What about innovative IP businesses? Has cybersecurity become an issue also for them?
To answer this question, Prof. Tal Zarsky argued that it is necessary to ask ourselves what environment is needed for a successful innovative society. Data privacy and data security are essential. If operators are subject to privacy or security breaches, this will clearly have an impact on innovation. For instance, attacks may bring different operators under scrutiny and potentially cause mockery, which may hamper innovation. Hacks at zero cost have the potential to decrease initiatives to innovate. This being said, there should be a correlation between innovation and cybersecurity. Entities interested in innovation should also be interested in cybersecurity to promote a secure environment.
Mr. Richard Lane responded that security is an enabler for innovation and business. The mentality of security divisions regarding cybersecurity has changed over the years: they have become trusted advisors for innovators, helping to protect the business from the risk of exposure and other threats to innovation. Cybersecurity must be seen not as a blocker, but as a protective enabler.
Question 3: Cybersecurity has grown in importance. How to keep IP assets protected against cybersecurity breaches?
Mr. Richard Lane stated that there is no silver bullet to keep everything secure. The main answer is: it depends on the environment, the applicable legislation, the industry in which a company operates, the threat landscape, and so on. For instance, the main threat to pharmaceutical research is industrial espionage. There is no one-size-fits-all solution.
The key is the end users, since the team (of individuals) is the first line of defense. One could say that security is as strong as the weakest link and that the users are the weakest link; however, if they really are the weakest link, we as cybersecurity professionals are failing them by not providing such users with the appropriate tools to identify, understand and manage cyber risks. A company may set up firewalls, incident response policies and other policies of hundreds of pages; however, if end users do not know how to behave in a secure manner, firewalls, incident response management and other policies become useless.
When building a security structure, one may also consider that establishing too much security may be a killer. Within the threat landscape, one of the biggest threats is ransomware. In the case of WIPO, if the assets were held to ransom and then published, the reputational damage for WIPO would be existential, and all the inventors and stakeholders would also be damaged, for instance by an earlier disclosure of protected information.
Prof. Tal Zarsky wondered about the role of regulation. Regulation (EU) 2016/679 on the protection of personal data (General Data Protection Regulation) promotes cybersecurity in the EU in different ways. One is by setting cybersecurity standards, since it is mandatory to implement state-of-the-art security standards. If a company fails to implement appropriate security standards and there is a data breach, the company can be subject to a fine. The second aspect is the concept of breach notifications, which is not only applicable to privacy law. To what extent is this helpful in promoting incentives to protect IP? The prospect of reporting breaches may intimidate a creator or innovator, who will be incentivized to put cybersecurity measures in place.
Regarding the reaction to ransomware, there is a substantial risk. Any company may be locked out of its own systems. My advice would be not to leave it all in the hands of the lawyers, security experts or the management alone. People dealing with IP need to be brought on board for the reaction to an attack. How to respond? By bringing in real-time insight from IP people. Their opinions are important to assess the real value of the assets.
Mr. Richard Lane agreed, affirming that bringing all the stakeholders on board is essential. He would advise engaging with external companies as well. Do not just pay. Over 65% of those who paid over the last twelve months were subject to another attack. They may be considered a cash cow target.
Question 4: Let us approach the matter now in reverse. How can IP protect innovation enterprises and cybersecurity?
Prof. Tal Zarsky maintained that cybersecurity as a field has very specific traits, changes quickly, and relies on people with specific skills. For these reasons, the classical tools for promoting IP such as patents, trademarks or copyright may not be the best fit. Other tools such as trade secrets may play a greater role, since they may protect aspects that are key for innovation enterprises and cybersecurity.
For Mr. Richard Lane, there is a lack of agility in some tools connected to copyrights, patents or designs (e.g. Hague registration for industrial designs). It could be interesting to discuss this further on another occasion.
Question 5: Let’s address now the elephant in the room: privacy. How does IP relate to privacy in the cybersecurity sphere? Any potential conflicts between cybersecurity and privacy?
Mr. Richard Lane responded that, as Data Protection Officer for WIPO, he does not see privacy and cybersecurity as conflicting. Security controls are there to protect information. IP laws are more conflicting, since there are concepts to be considered such as publication and data retention. The requirements to publish may conflict with the right to be forgotten. On the other hand, the right to portability can be handled easily. In any case, it may facilitate going to other authorities. How to balance this with the General Data Protection Regulation is a nice question that may deserve further discussion.
Prof. Tal Zarsky added that the General Data Protection Regulation right to be forgotten contains exemptions and derogations. It is possible that such derogations even apply in this context.
This being said, there are other tensions, since the integrity of databases may require changes, and WIPO is in an interesting position. WIPO is in a grey area regarding the General Data Protection Regulation, as is the Red Cross. They are organizations that must promote justice and human rights. They have to find the proper balance and lean more towards the integrity of the data, even at the price of compromising the data protection of individuals.
There is a recent example from the Irish Data Protection Authority on the Instagram case, enabling collection of personal data from children. This collection enabled a data security breach because Meta failed in its duty to engage in privacy by design. This example demonstrates how in many cases privacy and data security are aligned.
There are also possible clashes around the right of access to a database. It is a basic right within data protection, which is also a potential breach of cybersecurity. For instance, the more difficult access is, the more secure the database; however, this may also compromise privacy.
Question 6: A question from the audience: About the case of Colonial Pipeline. They suffered a cyberattack and they paid the ransom, due to the timing and urgency. What would have been your advice?
Mr. Richard Lane expressed that there are different problems with paying ransom, such as the fact that the attackers may retain a copy of the content. It depends on the specific context, and an ad hoc analysis should be conducted regarding whether to pay or not. In the UN generally, the policy is not to pay ransom.
Prof. Tal Zarsky recalled that it was interesting to realize that in the mentioned case Colonial Pipeline paid but, since it was cooperating with the Federal Bureau of Investigation (FBI), the FBI were able to track the money and get back part of the amount. Here the key was to work together with a governmental entity. In any case, the most important aspect to fight against ransom is to enhance global cooperation.
Question 7: A question from the audience: More and more startups rely now on trade secrets. Obviously once stolen, they are not secret anymore. What would be the alternatives or recommendations you would make to startups to fight this cybersecurity risk?
Mr. Richard Lane considered that many companies, particularly startups, have some difficulty in gaining the traction needed to implement robust cybersecurity systems. Some of the most relevant aspects are ensuring that data is encrypted and that the keys are kept secure. He would recommend, particularly to startups, evaluating whether to leverage cloud providers, since they normally invest vast amounts of money in cybersecurity and may be at a more advanced stage than startups.
Prof. Tal Zarsky added that if one looks at data privacy and data protection, some insights may be extracted from data minimisation, meaning only sharing or keeping strictly necessary data. In addition, cloud providers have more incentives to have cyber-secure systems. However, it was recently found that most cybersecurity issues in the cloud environment come from errors in the difficult configuration work of the integration phase. Therefore, paying attention to that last part, getting the system up and running, is also very important.
Mr. Richard Lane argued that the training of technology experts is key in order to have a secure environment, as most of the publicized breaches in the Cloud are attributed to human errors such as misconfiguration. In addition, if some startups do not have the resources to hire a robust group of technology experts, cloud providers also have some resources at their clients’ disposal.
Question 8: A question from the audience: What is your opinion on the US SEC proposal for new rules on cybersecurity governance and incident disclosure? Do you see this as a trend among the regulators worldwide?
Prof. Tal Zarsky responded that what we see as a trend is breach notification. Is breach notification a good policy? It depends on the purpose of establishing breach notifications. His feeling is that the purpose of the US SEC breach notification is to serve as an ex ante tool to incentivize entities to take additional data security measures because they fear the repercussions of a breach. However, sometimes a breach may result from a nation-state action, and therefore the punishment of the entity subject to the breach is excessive, which may make it necessary to establish some exceptions to this obligation.
Mr. Richard Lane shared that it is definitely a trend. One key risk to organizations is supply chain risk, or third-party supplier risk. WIPO has been a recipient of breach notifications in the recent past, and they are a very useful tool for recipients of the notification to start assessing what happened in order to avoid side effects and collateral damage. In any case, breach notifications are a positive aspect, and organizations should adopt them at least as a best practice.
Prof. Manuel Desantes (Moderator) asked for a quick conclusion on this topic from the panelists.
Mr. Richard Lane stated that cybersecurity is an enabler, it is not the blocker it used to be. It is important to collaborate with security and technology teams to have a safe environment. In addition, do not be afraid to ask for help.
Prof. Tal Zarsky concluded that in the near future we will see how IP can promote cybersecurity, and observed that there will be more cybersecurity in IP departments and more innovation in this field in the coming years.
Prof. Laurent Manderieux provided final conclusions, wrapping up and congratulating the participants.
Report written for the Global Digital Encounters by Rubén CANO PÉREZ and Francisco Javier LÓPEZ GUZMÁN