Welcome to IPGovernance.com, a service of the IP Governance Task Force.
IP (Intellectual Property) Governance complements IT (Information Technology) Governance within federal regulations on Consumer Protection and IS (Information Security) Governance. IP Governance is the safeguarding of intellectual property from operational risks and operational losses by a Board of Directors acting under its fiduciary responsibilities, duty of care and federal regulations. A unified Information Security Governance Framework covering both IT Governance and IP Governance is online at ISGovernance.com, a service of the IP Governance Task Force.
The Task Force was formed in 2006 by industry thought-leaders in intellectual property from law, accounting and technology firms to organize international, federal and state regulations on phishing, identity theft, information security and COSO’s enterprise risk management model into a coordinated set of research and operational risk management services for IP Asset Fraud.
IP Asset Fraud, or online corporate identity theft, is defined as trademark and trade secret infringements that create privacy, security, compliance and operational risks plus operational losses in the 12 categories of identity theft defined under Basel. IP Asset Frauds include federal and state crimes such as phishing, man-in-the-middle attacks, and fraudulent emails and web sites that use fraudulent domain names (a form of corporate identity theft and trademark infringement) to deceive, divert and defraud consumers of their identifying information, which constitutes trade secrets subject to privacy and security regulations. IP frauds impact IT systems, customers, operational losses and reputations, and pose operational risks of non-compliance with federal and state regulations on Information Security and with fiduciary obligations.
Core objectives are to:
(1) highlight IP Governance as a complementary discipline to IT Governance within a unified Enterprise Risk Management for Information Security Governance (ISGovernance.com). Boards of Directors have a fiduciary responsibility and duty of care to safeguard intellectual property, especially in this digital age.
(2) concentrate on international, federal and state regulations and standards for safeguarding the following intellectual property from corporate identity theft and related phishing sites: trademarks, brands, domain names and customer identifying information.
(3) analyze and rate individual banks for their degree of compliance with these regulations and standards through the IP Governance Operational Risk Management, Quantification and Rating model, a market-based solution designed for all banks, including those subject to Pillar 3 of Basel II.
(4) provide a turn-key Guardian IP Management service to minimize operational risks and losses associated with IP Asset Frauds while increasing consumer confidence in, and usage of, online brands for a positive ROI.
A summary of these IP Governance issues is shown here and analyzed below based on three fundamental questions for Boards of Directors and consumers:
[Table: Board of Directors | Consumers (cell contents not recovered)]
A frank assessment of binational phishing risks, dated October 2006, by the US Department of Justice and Canada's Minister of PSEP states:
1. Phishing continues to be one of the rapidly growing classes of identity theft scams on the Internet that is causing both short-term losses and long-term economic damage.
2. In the long run, phishing may also undermine public trust in the use of the Internet for online banking and e-commerce.
3. Phishing solicitations often use familiar corporate trademarks and tradenames, as well as recognized government agency names and logos. The use of such trademarks is effective in many cases because they are familiar to many Internet users and are more likely to be trusted without closer scrutiny by the users.
4. Companies that are victimized by phishing may not report these instances to law enforcement. Unlike some other types of Internet-based crime, such as hacking, that may be conducted surreptitiously, phishing, by its nature, involves public misuse of legitimate companies' and agencies' names and logos. Nonetheless, some companies may be reluctant to report all such instances of phishing to law enforcement, in part because they are concerned that if the true volume of such phishing attacks were made known to the public, their customers or accountholders would mistrust the companies or they would be placed at a competitive disadvantage.
5. A wide range of federally regulated financial institutions in the United States is required to file Suspicious Activity Reports (SARs) with the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) whenever they encounter information that indicates a crime affecting a financial institution (including phishing) may have been committed. U.S. law enforcement agencies may access these reports for investigative purposes.
Research by the IP Governance Task Force shows:
(1) banks are failing to safeguard their brands and domain names from fraudulent uses, including phishing attacks, per GLBA 501(b), thereby increasing potential privacy risks for consumers. Firms own, on average, less than 7% of the universe of confusingly similar domain names for their brands; cyber criminals own twice that level, and the balance is available for registration. IP Operational Risk exposures for the fourth quarter of 2005 are approximately 23% of net income for firms with total assets of less than $1 billion and 12% of net income for firms with total assets of more than $1 billion. Metrics on these issues are available under Operational Risks and the IP Audit Fraud Report.
(2) the banks that are failing to safeguard their IP (domain names and customer identifying information) per GLBA 501(b) are also failing in their regulatory obligations under GLBA 503 (Consumer Privacy Act) to "ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer." A number of banks are also posting inaccurate privacy and security statements indicating that they comply with federal standards for safeguarding customer information when in fact they are not safeguarding their IP per GLBA 501(b). Details are available under Privacy Security Rating.
(3) banks can safeguard their brands, reputations and customers from fraudulent web sites, including phishing attacks, for an average of 0.05% of their net income for 2004 and 2005, or approximately 8.00% of their operational risks and 3.00% of their estimated operational losses.
Two unique services from the IP Governance Task Force for these risks include the IP Operational Risk Management, Quantification and Rating Model and Guardian IP Management services. The first service quantifies, for audit committees and senior management, operational risk exposure, net of insurance, to potential civil and/or regulatory litigation due to non-compliance with state and/or federal regulations on IP information security issues. This includes a 5-dimensional analysis and remediation program focused on:
(1) Online Brand Risks: The Online Brand Rating model measures exposure to current and future corporate identity fraud, including phishing, based on GLBA 501(b) Information Security Standards. Corporate identity fraud is defined as confusingly similar domain names, owned by or available for registration to unauthorized parties, that seek to deceive, divert and/or defraud consumers. Metrics for determining domain names at risk include relevant trademark rights and historical Uniform Domain Name Dispute Resolution Policy cases. Brands that have significant exposure to corporate identity fraud earn the "F" Online Brand Rating. Brands that have minimal exposure to this class of risk earn the "A" Online Brand Rating.
    Online Brand Ratings for international, money center and regional banks, plus banks operating primarily in Florida, Tennessee, Ohio, Missouri, Maine and California, are available as a Pillar 3 service under Basel II at www.onlinebrandrating.com. Pillar 3 is designed to provide disclosures on risk profiles, in this case on IP information security risks. The Online Brand Ratings are designed for Boards of Directors, senior management and consumers, who need to understand the degree of exposure of individual banks to fraudulent domain names that divert, deceive and defraud consumers, contrary to federal standards and regulations.
    Online Brand Ratings are also available on Google Finance for specific firms.
(2) Operational Risks and Losses: This analysis quantifies:
    (A) exposure to operational risks and losses for failing to safeguard intellectual property, i.e., brands, domain names and customer identifying information, from fraudulent attacks per GLBA, duty of care and fiduciary responsibilities, ID Theft Red Flag Rules, and Basel II. "Operational Risk", in Basel II, is defined as "the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. This definition of operational risk includes legal risk – which is the risk of loss (including litigation costs, settlements, and regulatory fines) resulting from the failure of the bank to comply with laws, regulations, prudent ethical standards, and contractual obligations in any aspect of the bank's business – but excludes strategic and reputational risks." Research shows IP Operational Risk exposures range between 5% and 36% of net income for the fourth quarter of 2005. See (1) and (2) below.
    (B) a range of remediation budgets tied to Online Brand Ratings of "F" to "A". IP Audit Fraud case studies show the level of IP investment required to reach an "A" Online Brand Rating is approximately:
        (1) 0.36%, or 36 basis points, of net income for 2005 and 2004 for firms with total assets of less than $1 billion.
        (2) 0.05%, or 5 basis points, of net income for 2005 and 2004 for firms with total assets of more than $1 billion.
        (3) 0.66% of marketing expense for 2005 and 2004.
        (4) 8% of operational risks.
        (5) 3% of operational losses.
(3) Privacy & Security Statements: This analyzes the accuracy of Privacy and Security statements by financial firms. The model categorizes current privacy and security statements into one of five Privacy Security Ratings. Banks stating that they exceed or comply with federal standards for safeguarding customer information earn a Privacy Security Rating of 1 or 2, respectively. Banks with either a 1 or 2 Privacy Security Rating plus an "F" Online Brand Rating are posting inaccurate privacy and security statements for consumers. Source: www.PrivacySecurityRating.com.
(4) Guardian IP Management: This is a turn-key service whereby members of the IP Governance Task Force serve, on an interim basis, as a Chief Brand Officer to assist the Board, CIO, CFO, CEO and CLO in managing and correcting IP operational risks. Members provide 24x7 monitoring for new risks, legal advice on and remediation of infringing domain names, analysis of IP insurance policies, and monthly board reports on IP Governance exposures plus current Online Brand Ratings as part of a fixed-premium service agreement.
(5) ProtectingConsumersOnline.com: Firms reaching and maintaining an "A" Online Brand Rating are featured in this portal. Consumers seeking financial firms that are safeguarding their brands from fraudulent web sites, and thus making the internet a safer environment, are encouraged to visit this portal.