Navigating Trademark and Copyright Law in Cybersecurity

Share

When it comes to cybersecurity training, authenticity is key. In other words, phishing simulations and educational presentations should resemble situations workers encounter in everyday life. Because authenticity includes using official trademarks and logos of companies found in network configurations, what follows is a discussion on cyber security trademark and copyright law. Specifically, we address the legality of displaying third-party trademarks within phishing simulations or educational presentations. 

Navigating Trademark Law in Cybersecurity

Phishing and Trademarks

Phishing simulations and educational presentations are typically created by employers through software like ThriveDX’s Award-Winning Security Awareness Training (formerly Lucy). As limited case law exists, the legality of the practice is not entirely clear. And because the inquiry is highly fact-specific, it is impossible to speak to the practice in a general sense. Instead we will speak to the trademarks and reasoning as employed by ThriveDX.

Cyber and Trademarks: Not As Straightforward As You Think

On paper, using third-party trademarks seems like a quick way to get sued for a trademark infringement or dilution claim. The reality is less clear and more nuanced than you might think. In practice, third-party logos and trademarks don’t really fit the mold of regular infringement or dilution claims. Thus, someone making such a claim would need to rely on a rather complex argument. Like any business practice, there is always a risk of legal action.

It’s possible for trademark owners to establish a prima facie case of infringement by demonstrating a likelihood of consumer confusion. Likewise, a mark owner may be able to establish a case of trademark dilution by tarnishment. 

While some risk of liability always exists, the strongest defense against infringement claims establish that using the marks is unlikely to cause confusion to consumers.  This is accomplished through conspicuous notices disclaiming any connection with or approval by the mark owner. Meanwhile, restrictions on forwarding phishing simulation emails may prevent drawing attention to trademark use by their owners.

Trademark Law in Cybersecurity - A Primer

ThriveDX provides services to employers seeking to educate their employees about cybersecurity threats. As part of these services, ThriveDX provides employers with software empowering employees to identify “phishing” emails. Phishing attacks generally describe emails fraudulently attempting to obtain sensitive information from the recipient – usually by impersonating a trusted entity.

For example, by impersonating the U.S. Internal Revenue Service (“IRS”) a sender might end up acquiring a victim’s social security number.

Phishing emails often instruct the recipient to click a link contained in the email. Doing this leads the recipient to a malicious webpage (“landing page”) closely resembling the entity’s website.

Though ThriveDX’s software is highly customizable, it breaks down into two forms of training. These two forms of training can – but do not have to be – used together:

1. Phishing Simulations:

Here, the employer sends a phishing simulation email to one or more of its employees. This email aims to mimic typical phishing emails that have been sent to employees of that employer. Like typical phishing emails, these emails typically attempt to

  • have the employee divulge sensitive information. The employer can customize the phishing simulation by including or not including the following elements in the phishing email: a. Third-party marks;

     

  • A legal disclaimer in the body of the email explaining no relationship exists between trademark owner and ThriveDX or employer. (“legal disclaimer”)

  • A conspicuous notice informing the employee after the exercise is complete that the email was part of a phishing exercise, along with content similar to that included in the legal disclaimer (“notice”);

     

  • A link in the email that leads to a landing page which may, at the choice of the employer, display third-party marks, a disclaimer, and/or a message explaining that the exercise is a phishing simulation (“landing page”); and

     

  • A training course that the employee is required to complete (as described below in (2)) (“educational presentation”).

2. Educational Presentations:

Second, the employer may require employees participate in an educational presentation on phishing attacks and how to recognize them. Similarly, the employer may customize the presentation by choosing to include or exclude the following elements in the presentation:

  1. Third-party marks;
  2. A legal disclaimer; and
  3. A notice

Employees receiving a phishing simulation email and believing it to be a real attack occasionally forward email to the mark owner. These good intentions occasionally result in trademark owners taking issue directly with Thrive DX, claiming the use amounts to trademark infringement and related causes of action.

To be clear, however, this memorandum does not address any indemnification requirements by the employer that purchased the software but focuses on the legality of using third-party marks in phishing simulations and educational presentations.

Moreover, if a phishing simulation or presentation does not use a third party’s mark or one similar thereto, it cannot engage in trademark infringement. Accordingly, the discussion of potential grounds for liability addresses only scenarios using third-party marks.

Potential Theories of Liability for Use of Third Party Trademarks in the United States

A trademark owner could potentially rely on several kinds of theories of liability. The discussion of these theories is first divided between theories of direct liability and secondary liability. 

Direct Liability for the Use of Third-Party Marks

In the United States, trademarks used in interstate commerce are protected under the Lanham Act.(1) The two most applicable bases for direct liability that a mark owner could assert under the

Lanham Act are trademark infringement and trademark dilution by tarnishment. In addition, although not considered a part of trademark law, additional laws place restrictions on the use of marks adopted by the federal government and related entities.

Infringement, dilution, and prohibitions on using government marks involves overlapping considerations. As such, their applicability to using third-party marks is also covered.

Accordingly, this section first sets forth the elements necessary to establish a claim for trademark infringement. Second, it lays out the elements of a dilution by tarnishment claim. Third, it provides an overview of the restrictions against the use of government marks. Fourth, it addresses the extent to which these theories of liability apply to the use of third-party marks in phishing simulations and educational presentations on phishing attacks—in other words, the probability that a mark owner could establish the elements of these claims. Fifth, this section addresses the applicability of certain affirmative defenses, which may apply even if a mark owner can establish the elements of her claim.

Trademark Law in Cybersecurity: Infringement

To establish a prima facie case of trademark infringement, a plaintiff mark owner(2) must demonstrate:

  1.  its ownership of a valid mark; 
  2.  that the defendant used the plaintiff’s mark (or a mark that is confusingly similar) in commerce on or in connection with the sale of its goods or services; and
  3.  that the defendant’s use of the mark resulted in a likelihood of consumer confusion.


The relevant consumer confusion could be with respect to 

  1. (a) the origin of the defendant’s goods or services (“source confusion”); 
  2. the sponsorship or approval (collectively, “endorsement”) of the defendant’s goods or services by the plaintiff; or 
  3. the affiliation, connection, or association (collectively, “affiliation”) of the defendant with the plaintiff (3) Absent consumer confusion, the use of a third-party mark cannot give rise to liability for trademark infringement (4) However, the defendant’s use of the plaintiff’s mark does not need to actually cause consumer confusion to give rise to an action for trademark infringement; it is sufficient that confusion is likely to occur.

It All Comes Down to Confusion

Courts generally determine whether a likelihood of confusion exists by considering a litany of factors, which vary somewhat between jurisdictions. (5) However, this approach typically applies to determine whether a likelihood of confusion exists between two different entities’ uses of similar marks for similar products or services. In cases where the use of another’s mark does not match this fact pattern, courts avoid a mechanical application of the factors and have taken a step back and employed a more practical approach in asking whether the use of a mark in a particular context could reasonably lead to consumer confusion. (6)

Relatedly, using a mark cannot amount to trademark infringement if the mark is not being used as a trademark (i.e., not being used as a source indicator for a good or service). While trademark use is occasionally analyzed on its own, the relevant effect of non-trademark use is that it prevents a finding that consumer confusion is likely. Alternatively, trademark use is at least implicitly considered in several of the affirmative defenses addressed below in Section E.

Dilution by Tarnishment

In addition to trademark infringement, owners of “famous marks”(7) may assert a cause of action for dilution by blurring or tarnishment. Dilution by tarnishment refers to the “association arising from the similarity between a mark or trade name and a famous mark that harms the reputation of the famous mark.”(8)  To establish trademark dilution by tarnishment, a plaintiff must demonstrate valid ownership of a famous mark since before the accused use began. And, that the accused use is likely to cause negative associations that harms the reputation of the famous mark.(9)

Generally speaking, the vast majority of marks are not considered famous. Therefore, this theory of liability would not be available to the owner of the mark. In this scenario, however, most marks depicted in a phishing simulation would be famous marks. Because actual phishing attacks often mimic trusted brands, phishing simulations do the same.

Thus, if the mark owner can demonstrate reputational harm, it may be able to establish tarnishment. Further, because plaintiffs are not required to demonstrate a likelihood of confusion, owners of famous marks can more easily prove tarnishment. They typically have a much tougher time proving trademark infringement.

Prohibitions on Use of Government Marks

In addition to trademark law, various statutes and regulations forbid using certain marks belonging to governmental entities.

For example, 31 U.S.C. §333 prohibits the use of, inter alia, “Department of the Treasury” or “IRS” “in connection with, or as a part of, any advertisement, solicitation, business activity, or product” in a manner which “could reasonably be interpreted or construed as conveying the false impression that such advertisement, solicitation, business activity, or product is in any manner approved, endorsed, sponsored, or authorized by, or associated” the governmental agency that uses the mark.

Similar prohibitions exist against the use of “United States Marine Corps”(10) and “Olympic.”(11) Other restrictions go beyond business and commercial uses, prohibiting terms such as “Federal Bureau of Investigation” or the initials “F.B.I.”,(12) “Drug Enforcement Administration” or the initials “DEA,”(13) or the Social Security Administration (14) in any “advertisement, solicitation, circular, book, pamphlet, or other communication (including any Internet or other electronic communication), or a play, motion picture, broadcast, telecast, or other production.” Exhibit B (attached) covers a non-exhaustive list of these provisions. 

Incorporating Governmental Agencies into Phishing Emails: Don't

Although we have not reviewed each provision, restrictions focus on uses suggesting approval or sponsorship by that governmental entity. As a result, not using a trademark as a source identifier shields the user from liability.

These provisions are not based on the same constitutional principles as trademark law. Moreover, there is insufficient case law interpreting the extent to which trademark infringement defenses would equally apply.

Accordingly, the risk of liability under these provisions is better addressed by considering something else. Specifically, whether the third-party mark is used “in a manner which could reasonably be interpreted or construed as conveying the false impression that [the phishing simulation or presentation] . . . is in any manner approved, endorsed, sponsored, or authorized by, or associated with the governmental entity.”(15)

The same analysis applies when analyzing whether using a third-party mark results in a likelihood of consumer confusion or misplaced association. These are the same considerations involved in the trademark infringement and dilution analysis.

Thus, to avoid repetition, liability risk based on these prohibitions is not addressed on its own. Instead, the liability analysis for trademark infringement and dilution under Section D (but not the analysis of affirmative defenses under Section E) should be considered to apply to this theory of liability.

Applications of Theories of Direct Liability to Trademark Law in Cybersecurity: Phishing Simulations and Educational Presentations

The strongest argument against direct liability for trademark infringement and dilution is that using third-party trademarks in phishing simulations and educational presentations does not result in a likelihood of confusion.

The strength of this argument relies on how the simulations and presentations are configured. Thus, before discussing a mark owner’s ability to establish the elements of her potential claims, this section first addresses the main ways in which an employer can customize the simulations and presentations, and how the choice of whether to incorporate these elements may affect a likelihood of confusion analysis.

Effect of an Employer’s Choices in Customizing Phishing Exercises and Methods of Reducing Liability Risk

Using ThriveDX’s software, employers can choose to include disclaimers. For instance, they can notify employees that a phishing simulation did not originate from the trademark owner, require employees to participate in training presentations after a phishing simulation, and provide a link in phishing simulation emails leading to a landing page.

The effects of finding a likelihood of confusion or association are addressed in this section. These are specifically discussed in the context of phishing simulations and presentations below in Sections 2 and 3. 

Disclaimer:

The current legal disclaimer in the body of the phishing simulation email disavowing any relationship between the trademark owner and ThriveDX or between the trademark owner and the employer would not be considered effective in preventing consumer confusion. Although the disclaimer correctly asserts that no connection exists between ThriveDX and the trademark’s owner, courts have found that a recipient is unlikely to notice and read such disclaimer because of its inconspicuous style and location. (16) A more conspicuous disclaimer, on the other hand, would defeat the purpose of the exercise, because such disclaimers would obviously not appear in an actual phishing email.

Notice:

A conspicuous notice (e.g., in a separate email or company-wide announcement) that explains that the phishing simulation was indeed a simulation is much more effective at preventing a likelihood of confusion. (17) While essentially the same as a disclaimer, this memorandum refers to this element as “notice” to emphasize the more conspicuous and express nature of such message, as compared to the disclaimer found at the bottom of emails and/or landing pages. Because a notice would, unlike the current disclaimers, follow a phishing simulation, its conspicuous nature would not defeat the purpose of creating a realistic simulation.

Training Presentation:

Requiring employees to participate in a presentation after receiving the phishing simulation email would help underscore the fact that the phishing email was a simulation, and that no connection between ThriveDX and the trademark owner exists. However, such training would not inherently dispel consumer confusion in the absence of a notice, so training without an effective, conspicuous notice would be ineffective at reducing risk of liability for an infringement claim.

Landing Page:

A landing page could have different effects, depending on its content. If it continues using the third party’s trademark, this additional use could strengthen an argument for trademark infringement or dilution. A landing page not using the trademark is not likely to have an effect either way, though the omission of the mark could make the simulation less realistic.

Providing notice on the landing page could help avoid consumer confusion or an inference of association. However, providing notice on a landing page, alone, would not be fully effective because the recipient could still theoretically open the email but not click on the link leading to the landing page. And like in emails, an inconspicuous disclaimer would not be considered effective to preventing consumer confusion.

Phishing Simulations

The main purpose of a phishing simulation is to illustrate how phishing attacks seek to impersonate legitimate entities, including by using their marks, to mislead people into divulging sensitive information. Thus, although ThriveDX provides its services for a beneficial purpose, by simulating these attacks, it nevertheless engages in the unauthorized use of another’s mark. Consequently, a myopic application of the likelihood of confusion factors might not accurately evaluate whether a likelihood of confusion exists.

Accordingly, the analysis of whether a likelihood of confusion exists is based on the totality of circumstances in each scenario. A mark owner could potentially argue that the use of the mark in either a phishing simulation or presentation leads to a likelihood of confusion as to:

  • The source of the email or presentation
  • The mark owner’s sponsorship or approval of ThriveDX’s services; or ThriveDX and the mark owner.

 

The probability of these outcomes depends on how a recipient views the email. A recipient of a phishing simulation email would likely interpret it in one of three ways:

  1. Believe the email to be a legitimate communication from the owner of the mark;
  2. Believe it to be a phishing email from a third party; or
  3. Recognize it as a phishing simulation.

 

Each situation is discussed below, using an example where a recipient receives a phishing simulation email purporting to be from Microsoft, uses the MICROSOFT mark, and solicits sensitive information from the recipient.

To illustrate, the flowchart attached as Exhibit A to this memorandum outlines the possible arguments supporting a finding of consumer confusion or tarnishment, accompanied by comments and potential solutions.

It’s possible that no consumer confusion or inference of association takes place in a particular scenario. Still, that doesn’t preclude liability for infringement or dilution because there is no guarantee the recipient perceives the email in that particular manner. Thus, minimizing liability risk requires the phishing simulation not result in a likelihood of confusion or give rise to a reasonable inference of association.

Navigating Trademark and Copyright Law in Cybersecurity

Scenario 1: Recipient Believes Email Sent from Mark Owner

To illustrate how marks could be viewed as trademark infringement or dilution, let’s consider how using a third-party mark in an actual phishing attack provides grounds for an infringement claim.

The entire purpose of using third-party trademarks in phishing attacks is to mislead the recipient into believing a real company sent the email. In other words for a phishing attack to be successful, consumer confusion must necessarily take place.

For instance, if a consumer receives an email purporting to be from Microsoft’s technical support team asking for sensitive information to fix an issue with their Windows or Office account, the recipient is not likely to respond if she does not believe that the email came from Microsoft. Although Microsoft doesn’t use its mark to send phishing emails, providing technical support services would fall within—or at least be sufficiently related to—the goods and services offered by Microsoft.

Thus, although the phishing email does not use the MICROSOFT(18) mark, a recipient tricked into believing that the email originated from Microsoft might reasonably view it as part of its services.

The reason for using third-party marks in phishing simulations is to create a realistic scenario for the recipient. If, as a result, the recipient believes the phishing email originated from Microsoft, then the same reasoning for grounds for infringement applies.

Additionally, Microsoft could articulate a tarnishment claim by asserting that using an exact replica of its trademark (or a highly similar mark) necessarily creates an association between the two marks. This association damages its reputation by causing recipients to believe that Microsoft would send emails asking for sensitive information, increasing consumer distrust of the company.

To prevent this, notice to the recipient that the email was a phishing simulation and disclaiming any connection with Microsoft would reduce or eliminate the risk of consumer confusion or an inference of association. Additional training would help reinforce this notion.

Scenario 2: Recipient Believes Email is a Phishing Attack

If the recipient believes that the email is a phishing attack, then by definition, she would not believe that the email originates from Microsoft. Accordingly, the use of the mark cannot establish liability for trademark infringement based on this scenario because no consumer confusion exists and an inference of association with the actual MICROSOFT mark would be unreasonable. (19)

Nevertheless, because reviewing such emails places a toll on Microsoft’s resources, Microsoft may nonetheless threaten or bring legal action. Microsoft would argue that even though there might not be consumer confusion in this particular scenario, this scenario provides only one of three possible reactions by the recipient. And since a mark owner does not need to prove actual confusion, but instead a likelihood of confusion, it could still make out a claim for trademark infringement based on a likelihood of confusion that stems from Scenario 1 or 3.

While a mark owner is unlikely to succeed on a claim for infringement or dilution, he or she may still assert claims in hopes of litigation putting an end to the use.  

Thus, the most effective way of reducing legal risk is implementing measures to prevent email forwarding to the mark owner. Although strategies for accomplishing this are available,(20) they may not be available on all email platforms used by ThriveDX customers.

Scenario 3: Recipient Recognizes Email as Phishing Simulation

Third, the recipient could correctly recognize the email as a phishing simulation while believing it part of a service offered by Microsoft or a third party like ThriveDX. If the former, then Microsoft could have a claim for infringement, particularly as Microsoft provides phishing simulations and training as part of Office 365. (21) In addition, Microsoft could have a claim for dilution by tarnishment if it can demonstrate harm to the MICROSOFT brand—e.g., if ThriveDX’s phishing simulation were inferior to Microsoft’s.

If the recipient correctly recognizes that the phishing simulation is part of a product or service offered by ThriveDX, there would be no consumer confusion as to the origin of the goods or services. Although the reasonableness of such assumption is questionable, (22) it is possible that the use of (citing 4 McCarthy on Trademarks and Unfair Competition §23:11.50 (4th ed.) (“[I]f the defendant does not use the accused designation as defendant’s own identifying trademark, then confusion will usually be unlikely. Then there are not the requisite two similar marks confusing the viewer into believing that the two marks identify a single source.”)).

MICROSOFT in a phishing simulation email could suggest that Microsoft endorses ThriveDX’s product or that an affiliation or association exists between ThriveDX and Microsoft. For example, the recipient could believe Microsoft purposefully used its own mark to train users of its goods and services to identify phishing attacks sent from Microsoft vs. a competitor.

Once again, the best approach to preventing consumer confusion would be by providing conspicuous notice, and ensuring that the recipient is made aware that the phishing simulation is part of a product offered information security training program by ThriveDX (and not Microsoft), that it is not endorsed by Microsoft, and that there is no affiliation between ThriveDX and Microsoft or association between the mark as used and the MICROSOFT mark. If the training is accompanied by adequate notice, it reinforces that no connection between the services or entities exists. In other words, using third-party trademarks may dispel consumer confusion. (23) However, like with Scenario 1, training on its own would be unlikely to prevent it.

Unlike in Scenario 1, where the mark is used in what could be viewed as part of a commercial transaction (i.e., used in commerce), it is less clear in this scenario whether the mark is “used in commerce” as is required for an infringement or dilution claim.(24) One could argue that the recipient of the email is not a consumer whose perception would matter for the purposes of an infringement or dilution analysis, as the recipient would not be the target purchaser of the service.

Rather, under this reasoning, the relevant consumer would be the employer, which could not be confused by the source of the service or infer an association because it would be the employer that made the choice of including the mark in its phishing simulation.

In all three situations, requiring employers purchasing ThriveDX’s software provide conspicuous notices to recipients of phishing simulation emails would have a significant effect on reducing potential liability, as it would reduce or eliminate the likelihood of confusion or inference of association. Even so, if recipients can forward the emails to the mark owners, risk of a legal dispute remains since it draws attention to the practice. Thus, to any extent it would be feasible, preventing email forwarding to the trademark owner would have a more immediate, practical impact on reducing the frequency of mark owner complaints.

Educational Presentations

It is highly unlikely that a reasonable consumer would interpret that the use of a third-party mark in an educational presentation on phishing attacks would serve to indicate the source of the presentation. This presumes, however, that the mark is not displayed in a manner that a trademark would typically appear on a presentation that does use a third-party mark as a source identifier (e.g., on the corner of each slide; on the first and/or last slide where creator or presenter’s information would typically appear; etc.).

Nevertheless, including a conspicuous notice or disclaimer as part of the presentation would help demonstrate ThriveDX’s efforts for preventing consumer confusion or an inference of association, especially where the presentation follows a phishing simulation.

Affirmative Defenses

Even if a plaintiff can establish a prima facie case of infringement, a defendant can still avoid liability if she can establish that an affirmative defense penetration tester tools applies. While the following affirmative defenses were largely developed by courts to preclude liability for trademark infringement claims, they apply to claims of trademark dilution, as well.(25) However, as noted above, these defenses have not been recognized to apply to claims based on laws prohibiting the use of government marks.

Fair Use

The Fair Use Doctrine is fundamentally based on the statutory text of the Lanham Act. This provides that use of another’s mark will not give rise to liability if the use of a mark is descriptive and the mark is used “fairly and in good faith only to describe the goods or services of such party.”(26) Courts have recognized two forms of fair use: classic and nominative.

Classic Fair Use

Classic fair use “occurs where the defendant uses the plaintiff’s mark to describe the defendant’s own product.”(27) For instance, even if a candy manufacturer might acquire trademark rights in CHEWY or LEMON-FLAVORED to serve as a source identifier for its candy, that manufacturer cannot prevent other candy manufacturers from using the words “chewy” or “lemon flavored” to describe their own products.(28) Neither the phishing simulation nor the presentation uses third-party marks to refer to ThriveDX’s products, so this affirmative defense would not apply.

Nominative Fair Use

“Nominative” fair use is said to occur “when the alleged infringer uses the [trademark holder’s] product, even if the alleged infringer’s ultimate goal is to describe his own product. This also occurs if the only practical way to refer to something is to use the trademarked term.”(29) For nominative fair use to apply, the user of the mark must meet three conditions: (1) the product or service in question must be one not readily identifiable without use of the trademark; (2) only so much of the mark or marks may be used as is reasonably necessary to identify the product or service; and (3) the user must do nothing that would, in conjunction with the mark, falsely suggest sponsorship or endorsement by the trademark holder.(30) 

While the factors may seem applicable to a broad range of uses, courts have applied the doctrine where it is necessary to refer to a mark or its corresponding product or services (e.g., a car mechanic’s use of VOLKSWAGEN in an advertisement describing the types of cars he repairs)(31) or comment on them (e.g., a commercial relaying survey results showing that people prefer COCA-COLA to PEPSI).(32)

Phishing Simulation

It is possible that a court could look at the fundamental goal of the phishing simulations and phish training, upon recognizing that they serve to reduce consumer confusion by teaching how to identify phishing emails, apply a more holistic approach to determine that fair use applies. However, there does not appear to be a case on point that applies fair use in this manner. And when analyzing the applicability of the factors as they have been applied in other cases, the analysis does not point to a finding of fair use.

With respect to the first factor, the main purpose of using third-party marks in phishing simulations is not to comment or refer to the actual mark or corresponding product or service, but to make the simulation realistic. Moreover, while one may argue that such use is necessary to make the simulations realistic, this necessity is not the same as that described in cases in which fair use was applied.

Although the simulations generally require the use of well-known mark, it is not strictly necessary to use any particular well-known mark.(33) For instance, the simulations will be as realistic regardless of whether they use MICROSOFT, APPLE, the IRS, or another well-known mark. By contrast, a mechanic that specializes in repairing VOLKSWAGEN cars cannot instead use MERCEDES-BENZ to accurately describe his services.

As to the third factor, phishing emails purposefully and falsely suggest sponsorship or endorsement by the trademark holder to mislead the recipient. By using third-party marks to make the simulation realistic, phishing simulations likewise do not appear to satisfy the third nominative fair use factor. Thus, it does not appear as if the practice would constitute fair use based on the factors considered by courts.

Educational Presentation

Although the same arguments as to why the use of a third-party mark does not satisfy the first fair use factor may also apply to its use in a presentation on phishing, there is a somewhat stronger argument that the presentation at least comments on the marks. Specifically, a mark’s use in a presentation asserts user security training that marks like MICROSOFT or IRS are frequently used in connection with phishing attacks.

This assertion is more readily discernable from a presentation than a simulation, alone. And assuming that the marks are not used in a manner that is typical of trademark use (as discussed above), the use of the mark would not suggest sponsorship or endorsement of the presentation or ThriveDX. At most, an audience may guess that the marks were used with permission, but incorporating a clear notice that no express consent was granted for the use of the marks would prevent this from occurring.

Non-Commercial Speech

The use of a third-party trademark or copyright cannot give rise to liability for trademark dilution if that use is noncommercial.(34) Speech is considered not commercial if it “does more than propose a commercial transaction.”(35) Even when some money is exchanged, it is usually insufficient to transform non-commercial use into commercial where the financial transaction is ancillary to the use of the mark.(36) However, even if a user has noncommercial elements, it may be considered commercial where it also promotes the user’s own goods or services, though the contours of what that entails is not always clear.(37)

In determining whether speech is commercial, courts consider several factors:

  1. whether the speech is an advertisement;
  2. whether speech refers to specific products or services;
  3. whether the speaker has an economic motivation for the speech; and
  4. “the viewpoint of the listener,” i.e., whether the listener would perceive the speech as proposing a transaction.(38)

Depending on the content of the phishing simulation email, it might be considered a proposal to engage in a commercial transaction and thus, constitute commercial speech that does not qualify for this defense. Even if the presentations are sold for profit as part of ThriveDX’s software, however, this would not necessarily render them commercial, as it would be difficult to view them as proposing a commercial transaction. Accordingly, this defense may be available against a dilution claim based on the use of a third-party mark in a presentation on phishing, but it is less clear whether it would apply to phishing simulations.

First Amendment Defense

Courts also developed what has become known as the Rogers Test to permit use of a trademark in an expressive work.(39) If a defendant makes a threshold showing that the accused use is part of an “expressive work,” then, the plaintiff must prove not only that it owns a valid, protectable mark and that a likelihood of confusion exists, but that the defendant’s use of the mark either (1) is not artistically relevant to the underlying work or (2) explicitly misleads consumers as to the source or content of the work.(40)(41)

Although only a minimum amount of “artistic relevance” is required to satisfy the first prong, the defense is limited to the use of the mark in “expressive” works,(42) and “artistic relevance” has generally been recognized where the use of the mark promotes artistic goals (in a conventional sense) rather than “pragmatic” or “functional” purposes, such as education. Accordingly, the defense would not apply to the use of third-party marks in presentations.

And while courts have applied the defense where a third-party mark is used “to create a realistic experience” in media like games and movies,(43) each of those applications involved a use that was ultimately for an “artistic” rather than “pragmatic” purpose. Although it does not appear as if courts previously encountered a situation where a mark was used to create a realistic experience for the purposes of an educational simulation, courts’ emphasis on “artistic” purposes suggest that the defense would not apply to the use of third-party marks in educational phishing simulations.

Parody

Courts also permit the use of third-party marks for purposes of parody. The defense applies when a plaintiff’s mark (or a confusingly similar mark) is used to comment on or criticize the mark, the owner, or the goods or services for which the mark is used. This is typically more successful when the message expressed is comical.(44) Here, neither the phishing simulation nor the presentation would likely be viewed as commenting on any of the above in a manner that would be viewed as parodic.

Secondary Liability Under the Lanham Act

Because ThriveDX provides the software that organizations use for phishing simulations and presentations, a mark owner could alternatively argue that even if employers purchasing the software are technically liable for any infringement, ThriveDX is secondarily liable for providing the software that enables the employers’ acts. However, neither basis for secondary liability likely applies.

Contributory Infringement

Although not typical in trademark infringement cases, some courts have recognized that liability may exist based on contributory infringement. In essence, a defendant may be liable for contributory trademark infringement if it “intentionally induces another to infringe a trademark,” or “supplies its product to one whom it knows or has reason to know is engaging in trademark infringement.” This would include a defendant willfully blind to the infringement.(45) For a party to be liable for contributory infringement, direct infringement must exist. 

Here, a mark owner may argue that ThriveDX contributorily infringed its mark by supplying employers with software allowing and encouraging the unauthorized use of its mark in phishing training exercises. However, even where employers engage in the unauthorized use of another’s mark, they do so as part of an “internal communication” to their employees. Internal communication is not considered to be “use in commerce” and thus does not amount to infringement.(46) And since a defendant cannot be liable for contributory infringement in the absence of direct infringement,(47) this theory of liability would not likely apply.

Vicarious Liability

“Vicarious liability for trademark infringement requires a finding that the defendant and the infringer have an apparent or actual partnership, have authority to bind one another in transactions with third parties or exercise joint ownership or control over the infringing product.”(48) The theory of vicarious liability would not apply in this scenario because the relationship between ThriveDX and its employers is not one in which ThriveDX exercises control.(49)

Trademark and Copyright Law in Cybersecurity: Europe

The European trademark system is a dual system. It consists of the EU-wide system and the national systems of EU member states. While the nuances of the trademark laws of member states and other European nations are outside the scope of this memorandum, the trademark laws of EU member states have been coordinated through EU directives. EU marks are governed by EU regulations.

Both the EU trademark regulations and directives provide limitations that mirror fair classic and nominative fair use. Specifically, both provide that a trademark owner cannot prohibit another from using [1] “signs or indications . . . which concern the kind, quality, quantity, intended purpose, value, geographical origin, the time of production of goods or of rendering of the service, or other characteristics of the goods or services” and [2] the registered mark “for the purpose of identifying or referring to goods or services as those of the proprietor of that trade mark, in particular, where the use of that trade mark is necessary to indicate the intended purpose of a product or service, in particular as accessories or spare parts.”(50)

Earlier cases supported the existence of a comparable nominative fair use doctrine. Particularly, this was the case in the context of aftermarket parts and repairs.(51) For instance, the European Court of Justice (“ECJ”) found the use of BMW was permissible where it was used by a party to indicate that he sells, repairs, and maintains BMW vehicles.(52) Additionally, the Court found a lack of infringement by the use of a mark that was similar to a registered one where other factors existed to negate a likelihood of confusion.(53)

Navigating Trademark and Copyright Law in Cybersecurity

A Shift Occurring

More recent ECJ decisions, however, have expanded mark owner rights with boundaries of fair use.

For example, the Court held that where the OPEL mark was used on toy cars to create a “faithful reproduction of the original vehicles” and did not serve a source indicator, the owner of the OPEL mark could still prevent this use on the basis that it could affect the other functions of a trademark or, alternatively, that the use takes advantage of the reputation of the mark.(54)

The ECJ strengthened this precedent, explaining that the use of a third-party mark is not considered fair where “there is clear exploitation on the coat-tails of the mark with a reputation.”(55) It further found that even when no likelihood of confusion exists, the connection that is created through the use of a mark similar to another causes harm to the latter and thus may permit the latter’s owner to prohibit the use of the former.(56)

The shift also appeared in national courts. For instance, an appellate court in the UK found the use of BMW’s logos and the terms TECHNOSPORT – BMW, when used on a repair van by a BMW repair specialist, amounted to trademark infringement, as it suggested a formal connection between Technosport and BMW. (57)

The ECJ did find, however, that Google does not engage in trademark “use” by providing a keywords advertising infrastructure for advertisers, explaining that the use, by a third party of a sign identical with, or similar to, the proprietor’s trademark implies, at the very least, that that third party uses the sign in its own commercial communication. A referencing service provider allows its clients to use signs which are identical with, or similar to, trademarks, without itself using those signs. (58)

While Regulation (EU) 2017/1001 and Directive (EU) 2015/2436 replaced the previous directives and regulations, the language pertaining to limitations on trademark rights remains largely intact. However, recitals in both assert that the “[u]se of a trademark by third parties for the purpose of artistic expression should be considered as being fair as long as it is at the same time in accordance with honest practices in industrial and commercial matters.”(59)

They likewise instruct the Directive “should be applied in a way that ensures full respect for fundamental rights and freedoms.”(60) However, neither this “artistic expression” defense nor consideration for full fundamental rights and freedoms appears in the body of either the Regulation or Directive. Accordingly, they are not binding law, but may be used to interpret the provisions pertaining to the limitations on trademark rights. (61)

Cybersecurity Trademark Law in Europe - a Bit Murkier

Given the direction in which European case law has been heading with respect to fair use, the legality of using third-party marks as part of phishing simulations and educational presentations is less clear under EU law than U.S. law. Under the recent trend, it seems possible that a mark owner could establish a prima facie case of infringement or dilution by arguing that the use of its mark allows ThriveDX to ride “on the coat-tails of the mark with a reputation,” (62) even if the mark is not used as a source indicator. (63)

On the other hand, although it is not expressly evident from the text of the more recent ECJ opinions, it seems that the approach taken by the Court in these cases may have been based heavily on the extent to which the Court sensed that the practice is somehow unfair and usurped the mark owner’s investment in its mark by drawing attention to the user’s own goods or services.

For example, in Opel, the Court found that the use of the OPEL mark did not “constitute use of an indication concerning a characteristic of those scale models,” as asserted by the defendant. (64) As the trademark appeared on toy cars that not produced by Opel, it is difficult to imagine what “characteristic” this might be.

As such, this finding was not surprising. A more reasonable explanation for the use is that a toy car with a recognizable mark was more appealing to consumers than a “generic” toy car. In that sense, the defendant did take advantage of the consumer recognition of the OPEL mark without compensating its owner through licensing fees.

Trademark Use: A Well-Reasoned Argument

By contrast, ThriveDX does not use third-party marks to increase the appeal of its security software by having consumers conjure up that other brand. Rather, the trademarks appear because they occur in actual phishing attacks and so the use involves a more pragmatic purpose of creating a realistic simulation and providing actual examples in presentations. At the same time, it would not be entirely surprising if the Court finds that ThriveDX indirectly profits from the renown of the marks displayed in the simulation and presentation and thus would require a license for their use.

It is possible that under the more recent Directive and Regulation, the ECJ will adopt a broader view of the rights of third parties to use the marks of another. However, the deadline for the Directive becoming national law passed in January and whether the Court changes its approach remains unclear. Further, as the substantive text of the Directive and Regulation remains essentially the same as that interpreted in earlier opinions, a change in course would have to be based on the new recitals.

Regardless, the use of marks in comparable situations has not been addressed by the Court, so its stance would be difficult to predict, particularly as the practice does not neatly fit within the exceptions articulated in the Directive and Regulation. Thus, absent a licensing agreement with the mark owner, the legality of using third-party marks in phishing simulations and presentations is currently unclear. Though, as in the United States, the use of conspicuous notices and, to the extent possible, the implementation of a mechanism that would prevent the forwarding of phishing simulation emails to the mark owners, would have the strongest effect on reducing the risk of liability

Conclusion

Liability risk from using third-party marks in phishing presentations is generally lower than its use in phishing attacks. This is due to a higher likelihood of consumer confusion or brand association n the latter scenario. Express notice disclaiming any such connection and disavowing any implied relationship between ThriveDX and the mark’s owner is most effective at reducing this risk.

Yet absent the mark owner’s permission, some risk continues to exist, particularly if the mark owner’s main concern is diverting resources to investigate phishing attacks that are actually simulations. Thus, to reduce attention and complaints, requiring  employers implement measures to prevent phishing simulation emails from being forwarded is a worthwhile endeavor. 

For more information on ThriveDX’s Security Awareness Training, please visit here.

Footnotes

 1 15 U.S.C. §§1051 et seq.

2 For simplicity, this memorandum uses the term “plaintiff” to refer to a mark owner. “Defendant” to refer to the user of another’s mark. This is not to suggest, however, that all uses of another’s trademark result in litigation. Indeed, as explained throughout this memo, various grounds for the legal use of another’s mark exist.

3 15 U.S.C. §§1114(1)(a), 1125(1)(A). Since source confusion is the most common basis for trademark infringement. And dilution by tarnishment generally is accompanied by confusion as to endorsement or association. This memorandum’s discussion of liability based on trademark infringement focuses mainly on source confusion. While discussing sponsorship and affiliation more in the context of tarnishment.

4 Facenda v. N.F.L. Films, Inc., 542 F.3d 1007, 1018 (3d Cir. 2008); Sazerac Brands, LLC v. Peristyle, LLC, No. 3:15-CV-00076-GFVT, 2017 WL 4558022, at *5 (E.D. Ky. July 14, 2017), aff’d, 892 F.3d 853 (6th Cir. 2018).

5 Despite variations, the tests are not fundamentally different. They tend to consider the strength of the mark, the similarity of the marks, the proximity of the goods. The similarity of the parties’ marketing channels, evidence of actual confusion, the defendant’s intent in adopting the mark. The quality of the defendant’s product, and the sophistication of the buyers. See Am. Soc’y for Testing & Materials v. Public.Resource.Org, Inc., 896 F.3d 437, 456 (D.C. Cir. 2018).

6 The Shell Co. (Puerto Rico) v. Los Frailes Serv. Station, Inc., 605 F.3d 10, 22 (1st Cir. 2010) (“There is no need to go through a mechanical application of the multi-factor list.”); Tennessee Walking Horse Breeders’ & Exhibitors’ Association v. National Walking Horse Association, 528 F. Supp. 2d 772, 782–83 (M.D. Tenn. 2007); WHS Entm’t Ventures v. United Paperworkers Int’l Union, 997 F. Supp. 946, 950–51 (M.D. Tenn. 1998)

7 A famous mark is generally defined as one that is “widely recognized by the general consuming public of the United States as a designation of source of the goods or services of the mark’s owner.” 15 U.S.C. §1125(c)(2)(A).

8 15 U.S.C. §1125(c)(2)(C).

9 VIP Prod., LLC v. Jack Daniel’s Properties, Inc., 291 F. Supp. 3d 891, 900 (D. Ariz. 2018); see 15 U.S.C. §1125(c)(1); adidas Am., Inc. v. Skechers USA, Inc., 890 F.3d 747, 758 (9th Cir. 2018); Radiance Found., Inc. v. N.A.A.C.P., 786 F.3d 316, 330 (4th Cir. 2015).

10 10 U.S.C. §8921.

11 36 U.S.C. §220506.

12 18 U.S.C. §709.

13 Id.

14 42 U.S.C. §1320b-10.

15 See 31 U.S.C. §333.

16 Elec. Arts, Inc. v. Textron Inc., No. C 12-00118 WHA, 2012 WL 3042668 (N.D. Cal. July 25, 2012) (Disclaimer on packaging of video game does not dispel possible confusion. Teenage users who rip open the package are unlikely to see it.); Cartier, Inc. v. Deziner Wholesale, L.L.C., No. 98 CIV. 4947 (RLC), 2000 WL 347171 (S.D.N.Y. Apr. 3, 2000).  Disclaimer in print that is 16 times smaller than defendant’s use of plaintiff’s trademark is not effective to offset likely confusion.

(16 cont’d) Pebble Beach Co. v. Tour 18 I, Ltd., 942 F. Supp. 1513, 1551 (S.D. Tex. 1996), aff’d on point, 155 F.3d 526, (5th Cir. 1998) (“inconspicuous disclaimers” were not sufficient to eliminate golfers’ confusion that defendant golf course look-alike holes were sponsored or approved by plaintiff golf courses); Toho Co., Ltd. v. William Morrow and Co., 33 F. Supp. 2d 1206 (C.D. Cal. 1998) (the single word “unauthorized” on the front cover of a book is not a disclaimer adequate to prevent confusion even though a further detailed disclaimer was on the back cover of the book).

17 Public.Resource.Org, Inc., 896 F.3d at 457–58; Patsy’s Italian Restaurant, Inc. v. Banas, 658 F.3d 254, 273–274 (2d Cir. 2011); TrafficSchool.com, Inc. v. Edriver Inc., 653 F.3d 820, 829 (9th Cir. 2011); A & H Sportswear Co., Inc. v. Victoria’s Secret Stores, Inc., 57 F. Supp. 2d 155 (E.D. Pa. 1999), aff’d on point as to impact of disclaimer to negate direct confusion. Rev’d as to reverse confusion, 237 F.3d 198 (3rd Cir. 2000).

18 Note: capitalization is used to denote a reference to a trademark or service mark. As well as to differentiate between a reference to a mark and the mark owner that uses that term as a name.

19 See, e.g., Toyota Motor Sales, U.S.A., Inc. v. Tabari, 610 F.3d 1171, 1176 (9th Cir. 2010) (“Unreasonable, imprudent and inexperienced web-shoppers are not relevant.”).

20 See, e.g., <https://www.makeuseof.com/tag/prevent-emails-forwarded-outlook-gmail/>.

21 See <https://docs.microsoft.com/en-us/office365/securitycompliance/attack-simulator>.

22 Louis Vuitton Malletier S.A. v. Warner Bros. Entm’t Inc., 868 F. Supp. 2d 172, 180–81 (S.D.N.Y. 2012)

23 Pirone v. MacMillan, Inc., 894 F.2d 579, 585 (2d Cir. 1990) (“In the context of such a compilation [specifically, photographs of one ballplayer among the many featured in the calendar], an ordinarily prudent purchaser would have no difficulty discerning that these photos are merely the subject matter of the calendar and do not in any way indicate sponsorship.”).

24 See Aitken v. Commc’ns Workers of Am., 496 F. Supp. 2d 653, 663–64 (E.D. Va. 2007) (discussing commercial character in the context of speech).

25 See 15 U.S.C. §1125(c)(3)

26 15 U.S.C. §1115(b)(4).

27 Century 21 Real Estate Corp. v. Lendingtree, Inc., 425 F.3d 211, 214 (3d Cir. 2005) (citing New Kids on the Block v. News America Pub., Inc., 971 F.2d 302, 308 (9th Cir.1992)).

28 U.S. Shoe Corp. v. Brown Grp., Inc., 740 F. Supp. 196, 199 (S.D.N.Y.), aff’d 923 F.2d 844 (2d Cir. 1990); see also Kozinski, J., Trademarks Unplugged, 68 N.Y.U. L. Rev. 960, 973 (1993) (opining that calling a product “the Rolls Royce of its class” as a metaphor. To describe it as a top-of-the-line product would constitute classic fair use)

29 Lendingtree, 425 F.3d 211; KP Permanent Make–Up, Inc. v. Lasting Impression I, Inc., 328 F.3d 1061, 1072 (9th Cir. 2003) (quotations omitted), rev’d. on other grounds, 543 U.S. 111.

30 Tabari, 610 F.3d at 1175–76; New Kids, 971 F.2d at 308 & n.7. Under the test applied by the Third Circuit, the first factor requires that “[t]he defendant’s use of the plaintiff’s mark is necessary to describe both plaintiff’s product or service and defendant’s product or service.” Lendingtree, Inc., 425 F.3d 211.

31 Volkswagen Aktiengesellschaft v. Church, 411 F.2d 350 (1969); see Keurig, Inc. v. Strum Foods, Inc., 769 F. Supp. 2d 699 (D. Del. 2011).

32 New Kids, 971 F.2d at 308 & n.7 (9th Cir. 1992).

33 See Brown v. Elec. Arts, Inc., 724 F.3d 1235, 1244 (9th Cir. 2013) (citing Am. Dairy Queen Corp. v. New Line Prods., Inc., 35 F. Supp. 2d 727 (D. Minn. 1998)).

34 15 U.S.C. §1125(c)(4)(B)

35 Mattel, Inc. v. MCA Records, Inc., 296 F.3d 894, 906 (9th Cir. 2002)

36 See Handsome Brook Farm, LLC v. Humane Farm Animal Care, Inc., 700 F. App’x 251, 261–62 (4th Cir. 2017); Edward Lewis Tobinick, MD v. Novella, 848 F.3d 935, 952 (11th Cir.); Universal Commc’n Sys., Inc. v. Lycos, Inc., 478 F.3d 413, 424 (1st Cir. 2007).

37 See id.

38 Radiance Found., Inc. v. N.A.A.C.P., 786 F.3d 316, 331–32 (4th Cir. 2015)

39 See Rogers v. Grimaldi, 875 F.2d 994, 999 (2d Cir. 1989).

40 Gordon v. Drape Creative, Inc., 897 F.3d 1184, 1190 (9th Cir. 2018)

41 E.S.S. Entm’t 2000, Inc. v. Rock Star Videos, Inc., 547 F.3d 1095, 1100 (9th Cir. 2008)

42 Brown, 724 F.3d at 1241; Facenda, 542 F.3d at 1011; McCarthy on Trademarks and Unfair Competition §10:22 (5th ed.).

43 Fortres Grand Corp. v. Warner Bros. Entm’t Inc., 947 F. Supp. 2d 922, 931–32 (N.D. Ind. 2013), aff’d, 763 F.3d 696 (7th Cir. 2014); Brown, 724 F.3d at 1243; Facenda, 542 F.3d at 1018; Novalogic, Inc. v. Activision Blizzard, 41 F. Supp. 3d 885, 900–01 (C.D. Cal. 2013); Dillinger, LLC v. Elec. Arts Inc., No. 1:09-CV-1236-JMS-DKL, 2011 WL 2457678 (S.D. Ind. June 16, 2011); Roxbury Entm’t v. Penthouse Media Grp., Inc., 669 F. Supp. 2d 1170, 1175–76 (C.D. Cal. 2009); Romantics v. Activision Pub., Inc., 574 F. Supp. 2d 758, 766, 770 (E.D. Mich. 2008); The Romantics v. Activision Pub., Inc., 532 F. Supp. 2d 884, 890 (E.D. Mich. 2008).

44 Louis Vuitton Malletier S.A. v. Haute Diggity Dog, LLC, 507 F.3d 252, 268 (4th Cir. 2007); Jordache Enterprises, Inc. v. Hogg Wyld, Ltd., 828 F.2d 1482, 1486 (10th Cir. 1987); cf. Mutual of Omaha Ins. Co. v. Novak, 836 F.2d 397 (8th Cir. 1987); Lettuce Entertain You Enters., Inc. v. Leila Sophia AR, LLC, 703 F. Supp. 2d 777, 782 (N.D. Ill. 2010)

45 Inwood Labs., Inc. v. Ives Labs., Inc., 456 U.S. 844, 854 (1982); Tiffany (NJ) Inc. v. eBay Inc., 600 F.3d 93, 104–110 (2d Cir. 2010); Hard Rock Cafe Licensing Corp. v. Concession Servs., Inc., 955 F.2d 1143, 1148–50 (7th Cir. 1992)

46 1-800 Contacts, Inc. v. WhenU.Com, Inc., 414 F.3d 400, 409 (2d Cir. 2005) (“A company’s internal utilization of a trademark in a way that does not communicate it to the public is analogous to an individual’s private thoughts about a trademark. Such conduct simply does not violate the Lanham Act, which is concerned with the use of trademarks in connection with the sale of goods or services in a manner likely to lead to consumer confusion as to the source of such goods or services.”); Simmons v. Cook, 701 F. Supp. 2d 965, 988 (S.D. Ohio 2010).

47 Suntree Techs., Inc. v. Ecosense Int’l, Inc., 693 F.3d 1338, 1345–46 (11th Cir. 2012); Georgia-Pac. Consumer Prod. LP v. Myers Supply, Inc., No. 6:08-CV-6086, 2009 WL 2192721 (W.D. Ark. July 23, 2009), aff’d, 621 F.3d 771 (8th Cir. 2010).

48 Perfect 10, Inc. v. Visa Int’l Serv. Ass’n, 494 F.3d 788, 807–08 (9th Cir. 2007) (internal quotations omitted).

49 Cf. Am. Tel. & Tel. Co. v. Winback & Conserve Program, Inc., 42 F.3d 1421, 1430–31 (3d Cir. 1994).

50 Regulation (EU) 2017/1001 of the European Parliament and of the Council of 14 June 2017 on the European Union trademark, Art. 14, see <https://data.europa.eu/eli/reg/2017/1001/oj>; Directive (EU) 2015/2436 of the European Parliament and of the Council of 16 December 2015 to approximate the laws of the Member States relating to trademarks, see <https://data.europa.eu/eli/dir/2015/2436/oj>.

51Case C-228/03, The Gillette Co. v. LA-Labs Ltd., 2005 E.C.R. I-02337; Case C-63/97, Bayerische Motorenwerke AG (BMW) v. Deenik, 1999 E.C.R I-0905.

52 Case C-63/97, Bayerische Motorenwerke AG (BMW) v. Deenik, 1999 E.C.R I-0905.

53 Case C-251/95, Sabel BV v. Puma AG & Rudolf Dassler Sport, 1997 E.C.R. 1-6191, [1998] 1 C.M.L.R. 445 (1998).

54 Case C-48/05, Adam Opel AG v. Autec AG., 2007 E.C.R. I-01017.

55 Case C-487/07, L’Oréal SA v. Bellure NV, 2009 E.C.R. I-05185.

56 Id.

57 Bayerische Motoren Werke Aktiengesellschaft v Technosport London Limited, 2017 EWCA Civ 779.

58 Joined Cases C-236/08 to C-238/08, Google France SARL v. Louis Vuitton Malletier SA (C-236/08), Google France SARL v. Viaticum SA (C-237/08) and Google France SARL v. Centre national de recherche en relations humaines (CNRRH) SARL (C-238/08), 2010 E.C.R. I-02417.

59 Regulation (EU) 2017/1001, Recital 21; Directive (EU) 2015/2436, Recital 27.

60 Regulation (EU) 2017/1001, Recital 21; Directive (EU) 2015/2436, Recital 27.

61 See, e.g., Jens Schovsbo, “Mark My Words”-Trademarks and Fundamental Rights in the Eu, 8 UC Irvine L. Rev. 555 (2018)

62 See Case C-487/07, L’Oréal SA v. Bellure NV, 2009 E.C.R. I-05185.

63 See Case C-48/05, Adam Opel AG v. Autec AG., 2007 E.C.R. I-01017.

64 Id.

 

Best Security Awareness Training for Employees: E-Learning Guide

Palo Stacho has been an entrepreneur, public speaker and thought leader in the IT industry. He holds a Swiss Federal Diploma in Computer Science and a postgraduate degree in Corporate Governance from the HSG. After spending several years working in cybersecurity, Palo joined Lucy Security as a Co-Founder to help build the company in 2015. As a project manager and solution consultant, Palo has experience from dozens of cybersecurity awareness projects, be it at Lufthansa, Bosch, Mobiliar Insurance, OMV, Swisscom and more. In 2022, Lucy Security was acquired by ThriveDX’s SaaS division and has remained on as an Advisor to the company. 

Protect Your Organization from Phishing

Share

Explore More Resources

Pharming vs. Smishing vs. Vishing: Can you identify these common phishing techniques?
In cybersecurity awareness training, authenticity is key. Let's take a look at navigating trademark law in cybersecurity.
SOX Act requirements reshaped corporate governance and financial reporting. Learn how it affects you in 2022.

Your Trusted Source for Cyber Education

Sign up for ThriveDX's quarterly newsletter to receive information on the latest cybersecurity trends, expert takes, security news, and free resources.

Contact ThriveDX Partnerships


Connect with us at the ASU + GSV Summit

If you are looking to connect with someone from our team on-site, please leave your contact information here and we will connect with you directly during the conference.

Skip to content