[E-trademarks] IG Report - A 3-Year Exposure of Privacy Act-Protected Data Revealed USPTO Mismanagement in Safeguarding the Sensitive PII of Trademark Filers

Kevin Grierson kgrierson at cm.law
Fri Jul 5 16:19:14 UTC 2024


Unfortunately, this is just the stuff we know about.  The USPTO’s security protocols have been a train wreck for quite some time.  See, e.g., this report from 2017: “U.S. PATENT AND TRADEMARK OFFICE Inadequate Security Practices, Including Impaired Security of Cloud Services, Undermine USPTO’s IT Security Posture”  https://www.oig.doc.gov/OIGPublications/OIG-17-021-A.pdf

The PTO apparently responded to the OIG report.  There’s an article about it in the WTR but I’m not a subscriber, and I can’t find anything online in the way of a formal reply.


Kevin Grierson
Mobile: 757-726-7799
Fax: 866-521-5663
Email: kgrierson at cm.law

From: E-trademarks <e-trademarks-bounces at oppedahl-lists.com> On Behalf Of Tim Ackermann via E-trademarks
Sent: Friday, July 5, 2024 12:01 PM
To: For trademark practitioners. This is not for laypersons to seek legal advice. <e-trademarks at oppedahl-lists.com>
Cc: Tim Ackermann <tim at ackermannlaw.com>
Subject: Re: [E-trademarks] IG Report - A 3-Year Exposure of Privacy Act-Protected Data Revealed USPTO Mismanagement in Safeguarding the Sensitive PII of Trademark Filers

Oh, you missed your deadline by over two months? No problem!
  The Department’s breach notification plan states that bureaus and operating units must notify individuals whose data was exposed within 30 days or as expeditiously as practicable and without unreasonable delay. However, USPTO did not notify affected trademark filers for more than 3 months (105 days) after discovery of the PII exposure on February 24, 2023.
Who could possibly know about editing the URL to access information? Oh... everybody? Well, it is against the ToS! I'm sure it's fine!
  USPTO leadership repeatedly stated that access to domicile addresses through URL manipulation would violate the system’s user agreement. However, the user agreement did not absolve USPTO of its responsibility to protect domicile addresses from unauthorized access through URL manipulation, a basic and well-known technique used by bad actors
Oh, and we also disclosed other stuff like attorney information, lol! Yes, we promised to keep that masked... Sorry, did we not tell you about that?
  In addition to domicile addresses, other data including attorney information, email addresses, and Internet Protocol (IP) addresses were also exposed during this 3-year period. USPTO’s Trademarks Organization did not calculate the number of filers affected by the exposure of this additional data nor did the office consider this number when addressing the incident.
Oh, and we did it again! Lmao, we're so much fun!
  On April 19, 2024, after the conclusion of our evaluation, USPTO discovered that 14,359 domicile addresses that should have been hidden from public view were inadvertently exposed during the transition to a new IT system. Also exposed during this incident was the bar information of 16,548 attorneys and the email addresses of 33,501 trademark owners. USPTO concluded that this data was exposed between August 23, 2023, and April 19, 2024.

Tim Ackermann
The Ackermann Law Firm

E:  tim at ackermannlaw.com
P:  817.305.0690
F:  214.453.0810
W: ackermannlaw.com
O: 1701 W. Northwest Hwy. Ste. 100
     Grapevine TX 76051


On Fri, Jun 28, 2024 at 10:43 AM Pamela Chestek via E-trademarks <e-trademarks at oppedahl-lists.com> wrote:
I just learned of this report:

"We found that USPTO mishandled the required reporting and notification
to the affected trademark filers after domicile addresses had been
exposed for 3 years. We also found that USPTO leadership allowed
domicile addresses to remain publicly accessible after they were aware
of the exposure, risking unauthorized disclosures in violation of the
Privacy Act. Additionally, USPTO did not report that additional
sensitive PII was exposed during the incident or notify the affected
filers that additional data had been exposed."

https://www.oversight.gov/report/DOC/3-Year-Exposure-Privacy-Act-Protected-Data-Revealed-USPTO-Mismanagement-Safeguarding

Pam

Pamela S. Chestek
Chestek Legal
300 Fayetteville Street
Unit 2492
Raleigh, NC 27602
pamela at chesteklegal.com
(919) 800-8033
www.chesteklegal.com
