Data breach

The USPTO’s Breach of Trust: Practitioner Response and Reporting Requirements

The USPTO has once again disclosed confidential information of applicants—this time for patent applicants.  Previously, the USPTO has disclosed confidential information of trademark applicants, including a breach of home addresses.  However, many practitioners have wondered—what are their obligations with respect to the USPTO’s actions.

Duty to Communicate with Clients

When the USPTO breaches its duty to protect confidential information, patent practitioners have a heightened responsibility to communicate to their clients. This includes:

  • Prompt Notification: Practitioners should consider immediately informing their clients of the data breach, explaining what information was compromised, and the potential risks involved.  Moreover, they should potentially explain the rights and remedies available against the USPTO, including under the Federal Tort Claims Act.
  • Risk Assessment: Work with the client to assess the potential harm caused by the exposure of confidential information by the USPTO. This may involve identifying sensitive data, evaluating the likelihood of misuse, and determining the potential impact on the client’s business.
  • Mitigation Strategies: Develop a plan to mitigate the risks associated with the data breach. This could include steps such as monitoring for unauthorized use of the information, implementing additional security measures, and considering alternative filing strategies.

Duty to Report Misconduct

The USPTO’s repeated failures to protect confidential information raise serious concerns about oversight within the USPTO, as well as various duties under the USPTO Rules of Professional Conduct, including competence, and the duty of supervision.   This in turn may create a potential duty to report the misconduct of the USPTO’s officers and employees under 37 CFR 11.803(a) (“A practitioner who knows that another practitioner has committed a violation of the USPTO Rules of Professional Conduct that raises a substantial question as to that practitioner’s honesty, trustworthiness or fitness as a practitioner in other respects, shall inform the OED Director and any other appropriate professional authority.”).  Moreover, people in leadership positions, according to the USPTO’s Office of Enrollment and Discipline (OED) court filings, have a duty to supervise even the most minute of issues, including the entering of signatures in patent or trademark applications.  See, e.g., 37 CFR 11.501 and 11.503.  Therefore, the failure to supervise and implement protections for statutorily protected information under federal law may be the basis for discipline of USPTO employees.  See 35 U.S.C. § 122.

While reporting such breaches can be daunting, ABA Model Rule 8.3 emphasizes the importance of self-regulation within the legal profession. According to Comment [1], “Self-regulation of the legal profession requires that members of the profession initiate disciplinary investigations when they know of a violation of the Rules of Professional Conduct.” This ensures that isolated incidents are investigated for potential patterns of misconduct.  Therefore, practitioners should carefully assess whether the breach warrants reporting and determine the appropriate agency, such as the USPTO’s OED or the Department of Commerce’s Office of Inspector General. See ABA Model Rule 8.3 Cmt. [3[ (“A report should be made to the bar disciplinary agency unless some other agency, such as a peer review agency, is more appropriate in the circumstances. Similar considerations apply to the reporting of judicial misconduct.”).

Additional Considerations

  • Client Counseling: Provide clients with guidance on how to protect their intellectual property, in light of the USPTO’s disclosure. This may include recommendations limiting the disclosure of confidential information to the USPTO, and exploring alternative protection options.
  • Monitoring for Misuse: Implement procedures to monitor for any unauthorized use of the compromised information. This may involve conducting regular searches, analyzing patent or trademark filings, and maintaining close communication with clients.
  • Documentation: Maintain detailed records of all communications and actions taken in response to the USPTO’s breach.

The USPTO’s failure to protect confidential information is a serious matter with far-reaching consequences. By understanding their obligations and taking proactive steps, practitioners (registered or otherwise) can help mitigate the risks for their clients and contribute to improving the profession.

 

4 thoughts on “The USPTO’s Breach of Trust: Practitioner Response and Reporting Requirements”

  1. This calls attention to a problematic ambiguity in Rule 8.3. Any lawyer following this knows there was some kind of failure to supervise violation. I mean, I know with near certainty a lawyer violated this duty. I have no idea who it was. The plain language of the rule would still require met to report. It seems ridiculous and futile. Maybe every person who knows about this issue should file a Bar complaint and they will fix the rule.

    1. That is a great point. Most people hesitate to file a report under Rule 8.3, unless it helps them (or their client). That is not the correct standard.

      To your point, that is where Rules 11.501 and 11.503 come in.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top