The objective of our evaluation was to assess USPTO’s actions in response to the exposure of domicile addresses to determine whether USPTO complied with federal and U.S. Department of Commerce (the Department) information technology (IT) security standards.We found that USPTO mishandled the required reporting and notification to the affected trademark filers after domicile addresses had been exposed for 3 years. We also found that USPTO leadership allowed domicile addresses to remain publicly accessible after they were aware of the exposure, risking unauthorized disclosures in violation of the Privacy Act. Additionally, USPTO did not report that additional sensitive PII was exposed during the incident or notify the affected filers that additional data had been exposed. Lastly, the Department’s Chief Privacy Officer (CPO) did not assist USPTO in responding to this incident because of a lapse in the Department reporting process. See appendix B for a timeline of the events discussed in our findings.USPTO’s exposure of trademark filer data may not only reduce public confidence, but also may have equipped bad actors with additional data that could be used to defraud trademark holders. Bad actors could aggregate the pieces of exposed data to convincingly create official-looking USPTO correspondence or impersonate a filer’s attorney. Despite these risks, USPTO leadership did not comply with federal, departmental, and USPTO incident response reporting requirements and knowingly allowed domicile addresses to remain publicly accessible during incident mitigation. USPTO must improve its efforts in safeguarding trademark filers’ personal data to rebuild public trust and honor trademark holders’ privacy.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1 | Yes | $0 | $0 | ||
| 1. We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office align USPTO policy with departmental requirements to have all USPTO employees report all IT security incidents, including PII exposure, immediately (within 1 hour) once an incident is suspected or confirmed. | |||||
| 5 | Yes | $0 | $0 | ||
| 5. We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office hold USPTO leadership accountable to comply with USPTO risk acceptance policies and procedures. | |||||
| 6 | Yes | $0 | $0 | ||
| 6. We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office establish a requirement within USPTO risk acceptance policies and procedures to consider violations of the Privacy Act during IT security incidents. | |||||
| 7 | Yes | $0 | $0 | ||
| 7. We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office reassess the non-mission-critical designation of TSDR and other systems supporting the trademark process. | |||||
| 8 | Yes | $0 | $0 | ||
| 8. We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office update USPTO policy to meet the federal minimum standard of 2 years and 6 months of log retention. | |||||
| 9 | Yes | $0 | $0 | ||
| 9. We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office fully implement log retention controls for USPTO systems according to departmental requirements. | |||||
| 10 | Yes | $0 | $0 | ||
| 10. We recommend that the Deputy Assistant Secretary for Administration direct the Office of Privacy and Open Government Director to implement compensating controls and redundant procedures for receiving incidents reported to the Department Chief Privacy Officer. | |||||
