This article addresses the legality of displaying third-party trademarks or service marks as part of an educational phishing simulation or educational presentation on phishing attacks made available for use by employers through software offered by Lucy Security AG (“Lucy”). As no case law appears to exist that is exactly on point and no exceptions to trademark rights exist specifically to address the use of marks for educational purposes in this or a similar context, the legality of the practice is not entirely clear. And because the inquiry is highly fact-specific, it is not possible to speak to the practice in a general sense, but rather as the marks are used by Lucy’s software.
In short, on paper, the use of third-party marks could give rise to a trademark infringement or dilution claim. In practice, the kind of use does not really fit the mold of regular infringement or dilution claims, and so, someone making such a claim would have to rely on a rather complex argument. And as with any business practice, there is a always a risk of legal action involved, even if there is the practice is entirely legal.
It is possible that the owner of a mark used as part of a phishing simulation and presentation could establish a prima facie case of trademark infringement by demonstrating that a likelihood of consumer confusion exists. Likewise, a mark owner may be able to establish a case of trademark dilution by tarnishment. While some risk of liability may exist regardless, the strongest defense against trademark infringement claims would be to establish that the use of the marks is not likely to cause consumer confusion. This could be accomplished through conspicuous notices that disclaim any connection with or approval by the mark owner. Meanwhile, restrictions on forwarding phishing simulation emails may prevent drawing attention to the use of the mark by its owner.
Lucy provides services to employers seeking to educate their employees about cybersecurity threats. As part of these services, Lucy provides employers with software that aims to train employees to identify “phishing” emails, which are generally defined as emails through which the sender fraudulently attempts to obtain sensitive information from the recipient by disguising itself as a trustworthy entity, such as the U.S. Internal Revenue Service (“IRS”) or Microsoft Corporation (“Microsoft”). While phishing attacks come in different forms, phishing emails often instruct the recipient to click on a link contained in the email, which leads the recipient to a webpage (“landing page”) that resembles the website of the entity that the sender purports to be.
Though Lucy’s software is highly customizable by the software purchaser (alternatively referred to in this memorandum as the “employer”), it generally breaks down into two forms of training, which can, but do not have to be used together:
(1) Phishing Simulations: Here, the employer sends a phishing simulation email to one or more of its employees. This email aims to mimic typical phishing emails that have been sent to employees of that employer. Like typical phishing emails, these emails typically attempt to
- have the employee divulge sensitive information. The employer can customize the phishing simulation by including or not including the following elements in the phishing email: a. Third-party marks;
- A legal disclaimer in the body of the email that explains that no relationship exists between the trademark owner and Lucy or between the trademark owner and the employer (“legal disclaimer”)
- A conspicuous notice informing the employee after the exercise is complete that the email was part of a phishing exercise, along with content similar to that included in the legal disclaimer (“notice”);
- A link in the email that leads to a landing page which may, at the choice of the employer, display third-party marks, a disclaimer, and/or a message explaining that the exercise is a phishing simulation (“landing page”); and
- A training course that the employee is required to complete (as described below in (2)) (“educational presentation”).
(2) Educational Presentations: Second, either independently or as part of the phishing simulation, the employer may require an employee to partake in a web-based educational presentation that teaches the employee about phishing and identifies various signs which an employee can look for to determine whether an email is a phishing attempt. Similarly, the employer may customize the presentation by choosing to include or not include the following elements in the presentation:
- Third-party marks;
- A legal disclaimer; and
- A notice.
Employees who have received a phishing simulation email and believed it to be an actual phishing attack email have occasionally forwarded that email to the mark owner. Despite that choice of whether to use of a third-party mark is ultimately made by the employer, these mark owners have taken issue directly with Lucy, claiming that the use amounts to trademark infringement and related causes of action. To be clear, however, this memorandum does not address and indemnification requirements by the employer that purchased the software, but rather focuses on the legality of using third-party marks in phishing simulations and educational presentations.
Moreover, if a phishing simulation or presentation does not use a third party’s mark or one similar thereto, it cannot engage in trademark infringement. Accordingly, the discussion of potential grounds for liability addresses only scenarios in which third-party marks are used.
POTENTIAL THEORIES OF LIABILITY FOR USE OF THIRD-PARTY MARKS IN THE UNITED STATES
A mark owner could potentially rely on several kinds of theories of liability. The discussion of these theories is first divided between theories of direct liability and secondary liability. The analysis as to each varies and so each is addressed in turn.
Direct Liability for the Use of Third-Party Marks
In the United States, trademarks used in interstate commerce are protected under the Lanham Act.1 The two most applicable bases for direct liability that a mark owner could assert under the
Lanham Act are trademark infringement and trademark dilution by tarnishment. In addition, although not considered a part of trademark law, additional laws place restrictions on the use of marks adopted by the federal government and related entities.
As infringement, dilution, and prohibitions on the use of government marks involve overlapping considerations, their applicability to the use of third-party marks is discussed together. Accordingly, this section first sets forth the elements necessary to establish a claim for trademark infringement. Second, it lays out the elements of a dilution by tarnishment claim. Third, it provides an overview of the restrictions against the use of government marks. Fourth, it addresses the extent to which these theories of liability apply to the use of third-party marks in phishing simulations and educational presentations on phishing attacks—in other words, the probability that a mark owner could establish the elements of these claims. Fifth, this section addresses the applicability of certain affirmative defenses, which may apply even if a mark owner can establish the elements of her claim.
To establish a prima facie case of trademark infringement, a plaintiff mark owner2 must demonstrate (1) its ownership of a valid mark; (2) that the defendant used the plaintiff’s mark (or a mark that is confusingly similar) in commerce on or in connection with the sale of its goods or services; and (3) that the defendant’s use of the mark resulted in a likelihood of consumer confusion. The relevant consumer confusion could be with respect to (a) the origin of the defendant’s goods or services (“source confusion”); (b) the sponsorship or approval (collectively, “endorsement”) of the defendant’s goods or services by the plaintiff; or (c) the affiliation, connection, or association (collectively, “affiliation”) of the defendant with the plaintiff.3 Absent consumer confusion, the use of a third-party mark cannot give rise to liability for trademark infringement.4 However, the defendant’s use of the plaintiff’s mark does not need to actually cause consumer confusion to give rise to an action for trademark infringement; it is sufficient that confusion is likely to occur.
Courts generally determine whether a likelihood of confusion exists by considering a litany of factors, which vary somewhat between jurisdictions.5 However, this approach is typically applied to determine whether a likelihood of confusion exists between two different entities’ uses of similar marks for similar products or services. In cases where the use of another’s mark does not match this fact pattern, courts avoid a mechanical application of the factors and have taken a step back and employed a more practical approach in asking whether the use of a mark in a particular context could reasonably lead to consumer confusion.6
Relatedly, the use of a mark cannot amount to trademark infringement if the mark is not being used as a trademark (i.e., it is not used as a source indicator for a good or service). While trademark use is occasionally analyzed on its own, the relevant effect of non-trademark use is that it prevents a finding that consumer confusion is likely. Alternatively, trademark use is at least implicitly considered in several of the affirmative defenses addressed below in Section E.
Dilution by Tarnishment
In addition to trademark infringement, owners of “famous marks”7 may assert a cause of action for dilution by blurring or tarnishment. Dilution by tarnishment, which is more relevant here, refers to the “association arising from the similarity between a mark or trade name and a famous mark that harms the reputation of the famous mark.”8 To establish trademark dilution by tarnishment, a plaintiff must demonstrate its valid ownership of a famous mark since before the accused use began, and that the accused use is likely to cause negative associations that harms the reputation of the famous mark.9
Generally speaking, the vast majority of marks would not be considered famous and so this theory of liability would not be available to the owner of the mark. In this scenario, however, it would seem that most marks utilized as part of a phishing simulation would be famous marks, since actual phishing attacks would be more likely to use marks that recipients recognize and whose owners they trust. Thus, provided that the mark owner is able to demonstrate reputational harm, it may be able to establish tarnishment. Further, because a plaintiff is not required to demonstrate a likelihood of confusion, the owner of a famous mark would have a much easier time establishing the elements of dilution by tarnishment than classic trademark infringement.
Prohibitions on Use of Government Marks
In addition to trademark law, various statutes and regulations forbid the use of certain marks that belong or refer to governmental entities. For example, 31 U.S.C. §333 prohibits the use of, inter alia, “Department of the Treasury” or “IRS” “in connection with, or as a part of, any advertisement, solicitation, business activity, or product” in a manner which “could reasonably be interpreted or construed as conveying the false impression that such advertisement, solicitation, business activity, or product is in any manner approved, endorsed, sponsored, or authorized by, or associated” the governmental agency that uses the mark.
Similar prohibitions exist against the use of “United States Marine Corps”10 and “Olympic.”11 Other restrictions go beyond business and commercial uses and prohibit the use of terms such as “Federal Bureau of Investigation” or the initials “F.B.I.”,12 “Drug Enforcement Administration” or the initials “DEA,”13 or the Social Security Administration14 in any “advertisement, solicitation, circular, book, pamphlet, or other communication (including any Internet or other electronic communication), or a play, motion picture, broadcast, telecast, or other production.” A non-exhaustive list of these provisions is attached to this memorandum as Exhibit B.
Although we have not reviewed each provision, each of these restrictions seems to focus on uses that suggest some sort of approval, sponsorship, etc., by that governmental entity. As a result, it would seem that many of the defenses to trademark infringement where a mark is not used as a source identifier would likewise shield the user from liability. However, because these provisions are not based on the same constitutional principles as trademark law and there is very little case law interpreting the bounds of these prohibitions, the extent to which trademark infringement defenses would equally apply in this context is unclear. Accordingly, the risk of liability under these provisions is better addressed by considering whether the third-party mark is used “in a manner which could reasonably be interpreted or construed as conveying the false impression that [the phishing simulation or presentation] . . . is in any manner approved, endorsed, sponsored, or authorized by, or associated with the governmental entity.”15
Based on this language, it would appear that the same analysis would apply as when analyzing whether the use of a third-party mark results in a likelihood of consumer confusion or that suggests association—which are the same considerations involved in the trademark infringement and dilution analysis. Thus, to avoid repetition, the risk of liability based on these prohibitions will not be addressed on its own, but the analysis of liability for trademark infringement and dilution under Section D (but not the analysis of affirmative defenses under Section E) should be considered to apply to this theory of liability.
Applications of Theories of Direct Liability to the Use of Marks in Phishing Simulations and Educational Presentations
The strongest argument against direct liability for trademark infringement and dilution is that the use of third-party marks in phishing simulations and educational presentations on phishing attacks does not result in a likelihood of confusion. The strength of this argument relies on the particular ways in which the simulations and presentations are configured. Thus, before discussing a mark owner’s ability to establish the elements of her potential claims, this section first addresses the main ways in which an employer can customize the simulations and presentations, and how the choice of whether to incorporate these elements may affect a likelihood of confusion analysis.
Effect of an Employer’s Choices in Customizing Phishing Exercises and Methods of Reducing Liability Risk
Using Lucy’s software, employers can choose to include disclaimers, notify its employees that a phishing simulation or presentation did not originate from (or was endorsed by or affiliated or associated with the owner of the mark featured) in a more direct and conspicuous manner, require employees to participate in training presentations after a phishing simulation, and provide a link in phishing simulation emails that leads to a landing page. The effects on a likelihood of confusion or association finding is generally addressed in this section, and discussed more specifically in the context of phishing simulations and presentations below in Sections 2 and 3. ¨
Disclaimer: The current legal disclaimer in the body of the phishing simulation email that explains that no relationship exists between the trademark owner and Lucy or between the trademark owner and the employer would not be considered effective to prevent consumer confusion. Although the disclaimer correctly asserts that no connection exists between Lucy and the mark’s owner, courts have found that a recipient is unlikely to notice and read such disclaimer because of its inconspicuous style and location.16 A more conspicuous disclaimer, on the other hand, would defeat the purpose of the exercise, as such disclaimers would obviously not appear in an actual phishing email.
Notice: A conspicuous notice (e.g., in a separate email or company-wide announcement) that explains that the phishing simulation was indeed a simulation is much more effective at preventing a likelihood of confusion.17 While essentially the same as a disclaimer, this memorandum refers to this element as “notice” to emphasize the more conspicuous and express nature of such message, as compared to the disclaimer that is available to include at the bottom of emails and/or landing pages. Additionally, because a notice, unlike the current disclaimers, would come after a phishing simulation, its conspicuous nature would not defeat the purpose of creating a realistic simulation.
Training Presentation: Requiring employees to participate in a presentation after receiving the phishing simulation email would help instil the fact that the phishing email was a simulation and that no connection between Lucy and the mark owner exists. However, such training would not inherently dispel consumer confusion in the absence of a notice, so training without an effective, conspicuous notice would not be effective at reducing the risk of liability for an infringement claim.
Landing Page: A landing page could have different effects, depending on its content. If it continues using the third party’s mark, this additional use could strengthen an argument for trademark infringement or dilution. A landing page that does not use the mark is not likely to have an effect either way, though the omission of the mark may make the simulation less realistic. Providing notice on the landing page could help avoid consumer confusion or an inference of association. However, providing notice on a landing page, alone, would not be fully effective because of the possibility that the recipient could open the email but not click on the link that leads to the landing page. And like in emails, an inconspicuous disclaimer would not be considered effective to preventing consumer confusion
The main purpose of a phishing simulation is to illustrate how phishing attacks seek to impersonate legitimate entities, including by using their marks, to mislead people into divulging sensitive information. Thus, although Lucy provides its services for a beneficial purpose, by simulating these attacks, it nevertheless engages in the unauthorized use of another’s mark. Consequently, a myopic application of the likelihood of confusion factors might not accurately evaluate whether a likelihood of confusion exists. Accordingly, the analysis of whether a likelihood of confusion exists is based on the totality of circumstances in each scenario.
A mark owner could potentially argue that the use of the mark in either a phishing simulation or presentation leads to a likelihood of confusion as to (1) the source of the email or presentation; (2) the mark owner’s sponsorship or approval of Lucy’s services; or (3) an affiliation between Lucy and the mark owner. The probability of these outcomes depends on how the email would be viewed by a recipient. A recipient of a phishing simulation email would likely interpret it in one of three ways: (a) believe the email to be a legitimate communication from the owner of the mark; (b) believe it to be a phishing email from a third party; or (c) recognize it as a phishing simulation. Each situation is discussed below, using an example in which a recipient would receive a phishing simulation email that purports to be sent from Microsoft, uses the MICROSOFT mark, and solicits sensitive information from the recipient. To aid in clarity, the flowchart attached as Exhibit A to this memorandum outlines the possible arguments that could be made for why the practice may result in consumer confusion or tarnishment, and is accompanied by comments and potential solutions.
Even if no consumer confusion or inference of association could take place in a particular scenario, however, that does not preclude liability for infringement or dilution, as there is no guarantee that the recipient would perceive the email in that particular manner. Thus, to minimize the risk of liability, regardless of how the phishing simulation is interpreted by the recipient, it should not result in a likelihood of confusion or give rise to a reasonable inference of association.
Scenario 1: Recipient Believes Email Sent from Mark Owner
To illustrate how the use of third-party marks in phishing simulations could be viewed as trademark infringement or dilution, it is helpful to first consider how the use of a third-party mark in an actual phishing attack would provide grounds for an infringement claim.
The purpose of using third-party marks in phishing attacks is to mislead the recipient into believing that the communication was sent by the mark’s owner. Thus, for a phishing attack to be successful, consumer confusion must necessarily take place. For instance, if a consumer receives an email that purports to be from Microsoft’s technical support team and asks for sensitive information to fix an issue with their Windows or Office account, the recipient is not likely to respond if she does not believe that the email came from Microsoft. Although Microsoft does not use its mark to send phishing emails, providing technical support services would fall within—or at least be sufficiently related to—the goods and services offered by Microsoft. Thus, although the phishing email does not, in itself, use the MICROSOFT18 mark in the sale of a product or service, a recipient who is tricked into believing that the email originated from Microsoft could reasonably view it as part of its services.
The reason for using third-party marks in phishing simulations is to create a realistic scenario for the recipient. If, as a result, the recipient believes that the phishing simulation email originated
from Microsoft, then the same reasoning for grounds for infringement applies. Additionally, Microsoft could articulate a tarnishment claim by asserting that the use of an exact replica of its mark (or a highly similar mark) necessarily creates an association between the two marks and damages its reputation by causing recipients to believe that Microsoft would send emails that ask for sensitive information, making consumers less trusting of the company. To prevent such effect, notice to the recipient that the email was a phishing simulation and disclaiming any connection with Microsoft would reduce or eliminate the risk of consumer confusion or an inference of association. Additional training would help reinforce this notion.
Scenario 2: Recipient Believes Email is a Phishing Attack
If the recipient believes that the email is a phishing attack, then by definition, she would not believe that the email originates from Microsoft. Accordingly, the use of the mark cannot establish liability for trademark infringement based on this scenario because no consumer confusion exists and an inference of association with the actual MICROSOFT mark would be unreasonable.19
Nevertheless, because reviewing such emails places a toll on Microsoft’s resources, Microsoft may nonetheless threaten or bring legal action. Microsoft would argue that even though there might not be consumer confusion in this particular scenario, this scenario provides only one of three possible reactions by the recipient. And since a mark owner does not need to prove actual confusion, but instead a likelihood of confusion, it could still make out a claim for trademark infringement based on a likelihood of confusion that stems from Scenario 1 or 3. It is also worth noting that even if a mark owner is unlikely to succeed on a claim for infringement or dilution, if that mark owner is particularly opposed to the use of its mark in phishing simulations, it may still assert such claims in hope that the potential cost of litigation would put an end to the use.
Thus, to any extent it would be feasible, the most effective way of reducing legal risk would be to implement a measure that prevents email forwarding to the mark owner. Although some strategies for accomplishing this seem available,20 they may not be available for all email platforms utilized by purchasers of Lucy’s software.
Scenario 3: Recipient Recognizes Email as Phishing Simulation
Third, the recipient could correctly recognize the email as a phishing simulation, but may think that the phishing simulation is part of a service offered by Microsoft or by a third-party such as Lucy. If the former, then Microsoft could have a claim for infringement, particularly as Microsoft provides phishing simulations and training as part of Office 365.21 In addition, Microsoft could have a claim for dilution by tarnishment if it can demonstrate harm to the MICROSOFT brand—e.g., if Lucy’s phishing simulation were inferior to Microsoft’s.
If the recipient correctly recognizes that the phishing simulation is part of a product or service offered by Lucy, there would be no consumer confusion as to the origin of the goods or services. Although the reasonableness of such assumption is questionable,22 it is possible that the use of (citing 4 McCarthy on Trademarks and Unfair Competition §23:11.50 (4th ed.) (“[I]f the defendant does not use the accused designation as defendant’s own identifying trademark, then confusion will usually be unlikely. Then there are not the requisite two similar marks confusing the viewer into believing that the two marks identify a single source.”)).
MICROSOFT in a phishing simulation email could suggest that Microsoft endorses Lucy’s product or that some affiliation or association exists between Lucy and Microsoft. For example, the recipient could believe Microsoft purposefully used its own mark in order to train users of its goods and services to identify phishing attacks that purport to be sent from Microsoft, and not some other company.
Once again, the best approach to preventing consumer confusion would be by providing conspicuous notice, and ensuring that the recipient is made aware that the phishing simulation is part of a product offered by Lucy (and not Microsoft), that it is not endorsed by Microsoft, and that there is no affiliation between Lucy and Microsoft or association between the mark as used and the MICROSOFT mark. If the training is accompanied by adequate notice, it is likely to reinforce the notion that no connection between the services or entities exists and the use of other third-party marks may dispel consumer confusion.23 However, like with Scenario 1, training on its own would not be likely to adequately prevent it.
Unlike in Scenario 1, where the mark is used in what could be viewed as part of a commercial transaction (i.e., used in commerce), it is less clear in this scenario whether the mark is “used in commerce” as is required for an infringement or dilution claim.24 One could argue that the recipient of the email is not a consumer whose perception would matter for the purposes of an infringement or dilution analysis, as the recipient would not be the target purchaser of the service. Rather, under this reasoning, the relevant consumer would be the employer, which could not be reasonably confused as to the source of the service or infer an association because it would be the employer that made the choice of including the mark in its phishing simulation.
In all three situations, requiring employers that purchase Lucy’s software to provide conspicuous notices to recipients of phishing simulation emails would have a significant effect on reducing potential liability, as it would reduce or eliminate the likelihood of confusion or inference of association. Even so, as long as recipients are able to forward the emails to the mark owners, risk of a legal dispute remains since that seems to be what draws attention to the practice. Thus, to any extent it would be feasible, implementing a measure that prevents email forwarding to the mark owner would likely have a more immediate, practical impact on reducing the frequency of mark owner complaints.
It is highly unlikely that a reasonable consumer would interpret that the use of a third-party mark in an educational presentation on phishing attacks would serve to indicate the source of the presentation. This presumes, however, that the mark is not displayed in a manner that a trademark would typically appear on a presentation that does use a third-party mark as a source identifier (e.g., on the corner of each slide; on the first and/or last slide where creator or presenter’s information would typically appear; etc.). Nevertheless, including a conspicuous notice or disclaimer as part of the presentation would help demonstrate Lucy’s efforts for preventing consumer confusion or an inference of association, especially where the presentation follows a phishing simulation.
Even if a plaintiff can establish a prima facie case of infringement, a defendant can still avoid liability if she can establish that an affirmative defense applies. While the following affirmative defenses were largely developed by courts to preclude liability for trademark infringement claims, they apply to claims of trademark dilution, as well.25 However, as noted above, these defenses have not been recognized to apply to claims based on laws prohibiting the use of government marks.
The Fair Use Doctrine is fundamentally based on the statutory text of the Lanham Act, which provides that use of another’s mark will not give rise to liability if the use of a mark is descriptive and the mark is used “fairly and in good faith only to describe the goods or services of such party.”26 Courts have recognized two forms of fair use: classic and nominative.
Classic Fair Use
Classic fair use “occurs where the defendant uses the plaintiff’s mark to describe the defendant’s own product.”27 For instance, even if a candy manufacturer might acquire trademark rights in CHEWY or LEMON-FLAVORED to serve as a source identifier for its candy, that manufacturer cannot prevent other candy manufacturers from using the words “chewy” or “lemon flavored” to describe their own products.28 Neither the phishing simulation nor the presentation uses third-party marks to refer to Lucy’s products, so this affirmative defense would not apply.
Nominative Fair Use
“Nominative” fair use is said to occur “when the alleged infringer uses the [trademark holder’s] product, even if the alleged infringer’s ultimate goal is to describe his own product. Nominative fair use also occurs if the only practical way to refer to something is to use the trademarked term.”29 For nominative fair use to apply, the user of the mark must meet three conditions: (1) the product or service in question must be one not readily identifiable without use of the trademark; (2) only so much of the mark or marks may be used as is reasonably necessary to identify the product or service; and (3) the user must do nothing that would, in conjunction with the mark, falsely suggest sponsorship or endorsement by the trademark holder.30
While the factors may seem applicable to a broad range of uses, courts have applied the doctrine where it is necessary to refer to a mark or its corresponding product or services (e.g., a car mechanic’s use of VOLKSWAGEN in an advertisement describing the types of cars he repairs)31 or comment on them (e.g., a commercial relaying survey results showing that people prefer COCA-COLA to PEPSI).32
It is possible that a court could look at the fundamental goal of the phishing simulations and, upon recognizing that they serve to reduce consumer confusion by teaching how to identify phishing emails, apply a more wholistic approach to determine that fair use applies. However, there does not appear to be a case on point that applies fair use in this manner. And when analyzing the applicability of the factors as they have been applied in other cases, the analysis does not point to a finding of fair use.
With respect to the first factor, the main purpose of using third-party marks in phishing simulations is not to comment or refer to the actual mark or corresponding product or service, but to make the simulation realistic. Moreover, while one may argue that such use is necessary to make the simulations realistic, this necessity is not the same as that described in cases in which fair use was applied. Although the simulations generally require the use of well-known mark, it is not strictly necessary to use any particular well-known mark.33 For instance, the simulations will be as realistic regardless of whether they use MICROSOFT, APPLE, the IRS, or another well-known mark. By contrast, a mechanic that specializes in repairing VOLKWAGEN cars cannot instead use MERCEDES-BENZ to accurately describe his services.
As to the third factor, phishing emails purposefully falsely suggests sponsorship or endorsement by the trademark holder to mislead the recipient. By using third-party marks to make the simulation realistic, phishing simulations likewise do not appear to satisfy the third nominative fair use factor. Thus, it does not appear as if the practice would constitute fair use based on the factors considered by courts.
Although the same arguments as to why the use of a third-party mark does not satisfy the first fair use factor may also apply to its use in a presentation on phishing, there is a somewhat stronger argument that the presentation at least comments on the marks. Specifically, a mark’s use in a presentation asserts that marks like MICROSOFT or IRS are frequently used in connection with phishing attacks. This assertion is more readily discernable from a presentation than a simulation, alone. And assuming that the marks are not used in a manner that is typical of trademark use (as discussed above), the use of the mark would not suggest sponsorship or endorsement of the presentation or Lucy. At most, an audience may guess that the marks were used with permission, but incorporating a clear notice that no express consent was granted for the use of the marks would prevent this from occurring.
The use of a third-party mark cannot give rise to liability for trademark dilution if that use is noncommercial.34 Speech is considered not commercial if it “does more than propose a commercial transaction.”35 Even when some money is exchanged, it is usually insufficient to transform non-commercial use into commercial where the financial transaction is ancillary to the use of the mark.36 However, even if a use has noncommercial elements, it may be considered commercial where it also promotes the user’s own goods or services, though the contours of what that entails is not always clear.37
In determining whether speech is commercial, courts consider several factors: (1) whether the speech is an advertisement; (2) whether speech refers to specific products or services; (3) whether the speaker has an economic motivation for the speech; and (4) “the viewpoint of the listener,” i.e., whether the listener would perceive the speech as proposing a transaction.38
Depending on the content of the phishing simulation email, it might be considered a proposal to engage in a commercial transaction and thus, to constitute commercial speech that does not qualify for this defense. Even if the presentations are sold for profit as part of Lucy’s software however, this would not necessarily render them commercial, as if would be difficult to view them as proposing a commercial transaction. Accordingly, this defense may be available against a dilution claim based on the use of a third-party mark in a presentation on phishing, but it is less clear whether it would apply to phishing simulations.
First Amendment Defense
Courts also developed what has become known as the Rogers Test to permit the use of a trademark in an expressive work.39 If a defendant makes a threshold showing that the accused use is part of an “expressive work,” then, the plaintiff must prove not only that it owns a valid, protectable mark and that a likelihood of confusion exists, but that the defendant’s use of the mark either (1) is not artistically relevant to the underlying work or (2) explicitly misleads consumers as to the source or content of the work.40
Although only a minimum amount of “artistic relevance” is required to satisfy the first prong,the defense is limited to the use of the mark in “expressive” works,42 and “artistic relevance” has generally been recognized where the use of the mark promotes artistic goals (in a conventional sense) rather than “pragmatic” or “functional” purposes, such as education. Accordingly, the defense would not apply to the use of third-party marks in presentations. And while courts have applied the defense where a third-party mark is used “to create a realistic experience” in media like games and movies,43 each of those applications involved a use that was ultimately for an “artistic” rather than “pragmatic” purpose. Although it does not appear as if courts previously encountered a situation where a mark was used to create a realistic experience for the purposes of an educational simulation, courts’ emphasis on “artistic” purposes suggest that the defense would not apply to the use of third-party marks in educational phishing simulations.
Finally, while courts also permit the use of third-party marks for purposes of parody, the defense applies when a plaintiff’s mark (or a confusingly similar mark) is used to comment on or criticize the mark, the owner, or the goods or services for which the mark is used, and is typically more successful when the message expressed is comical.44 Here, neither the phishing simulation nor the presentation would likely be viewed as commenting on the third-party mark, its owner, or the goods or services sold in a manner that would be viewed as parodic.
Secondary Liability Under the Lanham Act
Because Lucy provides the software that organizations use for phishing simulations and presentations, a mark owner could alternatively argue that even if the employers who purchase the software are technically the ones that are directly liable for any infringement, Lucy is secondarily liable for providing the software that enables the employers’ acts. However, neither basis for secondary liability likely applies.
Although not typical in trademark infringement cases, some courts have recognized that liability may exist based on contributory infringement. In essence, a defendant may be liable for contributory trademark infringement if it “intentionally induces another to infringe a trademark,” or “suppl[ies] its product to one whom it knows or has reason to know is engaging in trademark infringement,” including if the defendant is willfully blind to the infringement.45 For a party to be liable for contributory infringement, direct infringement must exist.
Here, a mark owner may argue that Lucy contributorily infringed its mark by supplying its employers with software that would allow and encourage the unauthorized use of its mark in phishing training exercises. However, even where employers engage in the unauthorized use of another’s mark, they do so as part of an “internal communication” to their employees, which is not considered to be “use in commerce” and thus, does not amount to infringement.46 And since a defendant cannot be liable for contributory infringement in the absence of direct infringement,47 this theory of liability would not likely apply.
“Vicarious liability for trademark infringement requires a finding that the defendant and the infringer have an apparent or actual partnership, have authority to bind one another in transactions with third parties or exercise joint ownership or control over the infringing product.”48 The theory of vicarious liability would not apply in this scenario because the relationship between Lucy and its employers is not one in which Lucy exercises control.49
LEGALITY OF USING THIRD-PARTY MARKS IN EUROPE
The European trademark system is a dual system, consisting of the EU-wide system and the national systems of EU member states. While the nuances of the trademark laws of member states and other European nations are outside the scope of this memorandum, the trademark laws of EU member states have been largely harmonized through EU directives and EU marks are governed by EU regulations.
Both the EU trade mark regulations and directives provide limitations that mirror fair classic and nominative fair use. Specifically, both provide that a mark owner cannot prohibit another from using (1) “signs or indications . . . which concern the kind, quality, quantity, intended purpose, value, geographical origin, the time of production of goods or of rendering of the service, or other characteristics of the goods or services” and (2) the registered mark “for the purpose of identifying or referring to goods or services as those of the proprietor of that trade mark, in particular, where the use of that trade mark is necessary to indicate the intended purpose of a product or service, in particular as accessories or spare parts.”50 Earlier cases supported the existence of a comparable nominative fair use doctrine, particularly in the context of aftermarket parts and repairs.51 For instance, the European Court of Justice (“ECJ”) found the use of BMW was permissible where it was used by a party to indicate that he sells, repairs, and maintains BMW vehicles.52 Additionally, the Court found a lack of infringement by the use of a mark that was similar to a registered one where other factors existed to negate a likelihood of confusion.53
More recent ECJ decisions, however, have expanded mark owner rights and the boundaries of fair use under these provisions have become less clear. For example, the Court held that where the OPEL mark was used on toy cars to create a “faithful reproduction of the original vehicles” and did not serve a source indicator, the owner of the OPEL mark could still prevent this use on the basis that it could affect the other functions of a trademark or, alternatively, that the use takes advantage of the reputation of the mark.54 The ECJ strengthened this precedent, explaining that the use of a third-party mark is not considered fair where “there is clear exploitation on the coat-tails of the mark with a reputation.”55 It further found that even when no likelihood of confusion exists, the connection that is created through the use of a mark similar to another causes harm to the latter and thus may permit the latter’s owner to prohibit the use of the former.56
The shift was also felt in national courts. For instance, an appellate court in the UK found the use of BMW’s logos and the terms TECHNOSPORT – BMW when used on a repair van by a BMW repair specialist amounted to trademark infringement, as it suggested a formal connection between Technosport and BMW.57
The ECJ did find, however, that Google does not engage in trademark “use” by providing a keywords advertising infrastructure for advertisers, explaining that
the use, by a third party, of a sign identical with, or similar to, the proprietor’s trade mark implies, at the very least, that that third party uses the sign in its own commercial communication. A referencing service provider allows its clients to use signs which are identical with, or similar to, trade marks, without itself using those signs.58
While Regulation (EU) 2017/1001 and Directive (EU) 2015/2436 replaced the previous directives and regulations, the language pertaining to limitations on trademark rights remains largely the same as before. However, recitals in both assert that the “[u]se of a trade mark by third parties for the purpose of artistic expression should be considered as being fair as long as it is at the same time in accordance with honest practices in industrial and commercial matters.”59 They likewise instruct that the Directive and Regulation “should be applied in a way that ensures full respect for fundamental rights and freedoms.”60 However, neither this “artistic expression” defense nor the consideration for full fundamental rights and freedoms appears in the body of either the Regulation or Directive. Accordingly, they are not binding law, but may be used to interpret the provisions pertaining to the limitations on trademark rights.61
Given the direction in which European case law has been heading with respect to fair use, the legality of using third-party marks as part of phishing simulations and educational presentations is less clear under EU law than U.S. law. Under the recent trend, it seems possible that a mark owner could establish a prima facie case of infringement or dilution by arguing that the use of its mark allows Lucy to ride “on the coat-tails of the mark with a reputation,”62 even if the mark is not used as a source indicator.63
On the other hand, although it is not expressly evident from the text of the more recent ECJ opinions, it seems that the approach taken by the Court in these cases may have been based heavily on the extent to which the Court sensed that the practice is somehow unfair and usurped the mark owner’s investment in its mark by drawing attention to the user’s own goods or services. For example, in Opel, the Court found that the use of the OPEL mark did not “constitute use of an indication concerning a characteristic of those scale models,” as asserted by the defendant.64 As the mark was affixed to toy cars that were not produced by Opel, it is difficult to imagine what “characteristic” this might be. As such, this finding was not surprising. A more reasonable explanation for the use is that a toy car with a recognizable mark was more appealing to consumers than a “generic” toy car. In that sense, the defendant did take advantage of the consumer recognition of the OPEL mark without compensating its owner through licensing fees.
By contrast, Lucy does not use third-party marks in order to increase the appeal of its security software by having consumers conjure up that other brand. Rather, the marks are utilized because they are often used in actual phishing attacks and so the use involves a more pragmatic purpose of creating a realistic simulation and providing actual examples in presentations. At the same time, it would not be entirely surprising if the Court finds that Lucy indirectly profits from the renown of the marks displayed in the simulation and presentation and thus would require a license for their use.
It is possible that under the more recent Directive and Regulation, the ECJ will adopt a broader view of the rights of third parties to use the marks of another. However, the deadline for the Directive to be transposed into national law passed in January and whether the Court changes its approach remains to be seen. Further, as the substantive text of the Directive and Regulation remains largely the same as that which has been interpreted in earlier opinions, a change in course would likely have to be based on the new recitals. Regardless, the use of marks in comparable situations has not been addressed by the Court, so its stance would be difficult to predict, particularly as the practice does not neatly fit within the exceptions articulated in the Directive and Regulation. Thus, absent a licensing agreement with the mark owner, the legality of using third-party marks in phishing simulations and presentations is currently unclear. Though, as in the United States, the use of conspicuous notices and, to the extent possible, the implementation of a mechanism that would prevent the forwarding of phishing simulation emails to the mark owners, would have the strongest effect on reducing the risk of liability.
The risk of liability based on the use of third-party marks in educational presentations on phishing attacks is generally lower than the liability based on the use of those marks in phishing simulations, as a greater chance of creating a likelihood of consumer confusion or implying an association exists in the latter scenario. Express notice that disclaims any such connection and accurately describes the lack of a relationship between Lucy’s software and the mark or its owner would be most effective at reducing this risk. However, absent the mark owner’s permission, some risk may continue to exist, particularly if the mark owner’s main concern is the need to divert resources to investigating reports of phishing attacks that are actually simulations. Thus, to reduce attention and prevent complaints, it would be worthwhile exploring the possibility of requiring the employers that utilize the software to implement a mechanism that prevents phishing simulation emails from being forwarded outside the company.
1 15 U.S.C. §§1051 et seq.
2 For simplicity, this memorandum uses the term “plaintiff” to refer to a mark owner and “defendant” to refer to the user of another’s mark. This is not to suggest, however, that all uses of another’s trademark result in litigation. Indeed, as explained throughout this memo, various grounds for the legal use of another’s mark exist.
3 15 U.S.C. §§1114(1)(a), 1125(1)(A). Since source confusion is the most common basis for trademark infringement, and dilution by tarnishment generally is accompanied by confusion as to endorsement or association, this memorandum’s discussion of liability based on trademark infringement focuses mainly on source confusion, while discussing sponsorship and affiliation more in the context of tarnishment.
4 Facenda v. N.F.L. Films, Inc., 542 F.3d 1007, 1018 (3d Cir. 2008); Sazerac Brands, LLC v. Peristyle, LLC, No. 3:15-CV-00076-GFVT, 2017 WL 4558022, at *5 (E.D. Ky. July 14, 2017), aff’d, 892 F.3d 853 (6th Cir. 2018).
5 Despite variations, the tests are not fundamentally different. They tend to consider the strength of the mark, the similarity of the marks, the proximity of the goods, the similarity of the parties’ marketing channels, evidence of actual confusion, the defendant’s intent in adopting the mark, the quality of the defendant’s product, and the sophistication of the buyers. See Am. Soc’y for Testing & Materials v. Public.Resource.Org, Inc., 896 F.3d 437, 456 (D.C. Cir. 2018).
6 The Shell Co. (Puerto Rico) v. Los Frailes Serv. Station, Inc., 605 F.3d 10, 22 (1st Cir. 2010) (“There is no need to go through a mechanical application of the multi-factor list.”); Tennessee Walking Horse Breeders’ & Exhibitors’ Ass’n v. Nat’l Walking Horse Ass’n, 528 F. Supp. 2d 772, 782–83 (M.D. Tenn. 2007); WHS Entm’t Ventures v. United Paperworkers Int’l Union, 997 F. Supp. 946, 950–51 (M.D. Tenn. 1998)
7 A famous mark is generally defined as one that is “widely recognized by the general consuming public of the United States as a designation of source of the goods or services of the mark’s owner.” 15 U.S.C. §1125(c)(2)(A).
8 15 U.S.C. §1125(c)(2)(C).
9 VIP Prod., LLC v. Jack Daniel’s Properties, Inc., 291 F. Supp. 3d 891, 900 (D. Ariz. 2018); see 15 U.S.C. §1125(c)(1); adidas Am., Inc. v. Skechers USA, Inc., 890 F.3d 747, 758 (9th Cir. 2018); Radiance Found., Inc. v. N.A.A.C.P., 786 F.3d 316, 330 (4th Cir. 2015).
10 10 U.S.C. §8921.
11 36 U.S.C. §220506.
12 18 U.S.C. §709.
14 42 U.S.C. §1320b-10.
15 See 31 U.S.C. §333.
16 Elec. Arts, Inc. v. Textron Inc., No. C 12-00118 WHA, 2012 WL 3042668 (N.D. Cal. July 25, 2012) (Disclaimer on packaging of video game does not dispel possible confusion: Teenage users who rip open the package are unlikely to see it.); Cartier, Inc. v. Deziner Wholesale, L.L.C., No. 98 CIV. 4947 (RLC), 2000 WL 347171 (S.D.N.Y. Apr. 3, 2000) (disclaimer in print that is 16 times smaller than defendant’s use of plaintiff’s trademark is not effective to offset likely confusion); Pebble Beach Co. v. Tour 18 I, Ltd., 942 F. Supp. 1513, 1551 (S.D. Tex. 1996), aff’d on point, 155 F.3d 526, (5th Cir. 1998) (“inconspicuous disclaimers” were not sufficient to eliminate golfers’ confusion that defendant golf course look-alike holes were sponsored or approved by plaintiff golf courses); Toho Co., Ltd. v. William Morrow and Co., 33 F. Supp. 2d 1206 (C.D. Cal. 1998) (the single word “unauthorized” on the front cover of a book is not a disclaimer adequate to prevent confusion even though a further detailed disclaimer was on the back cover of the book).
17 Public.Resource.Org, Inc., 896 F.3d at 457–58; Patsy’s Italian Restaurant, Inc. v. Banas, 658 F.3d 254, 273–274 (2d Cir. 2011); TrafficSchool.com, Inc. v. Edriver Inc., 653 F.3d 820, 829 (9th Cir. 2011); A & H Sportswear Co., Inc. v. Victoria’s Secret Stores, Inc., 57 F. Supp. 2d 155 (E.D. Pa. 1999), aff’d on point as to impact of disclaimer to negate direct confusion, rev’d as to reverse confusion, 237 F.3d 198 (3rd Cir. 2000).
18 Note: capitalization is used to denote a reference to a trademark or service mark, as well as to differentiate between a reference to a mark and the mark owner that uses that term as a name.
19 See, e.g., Toyota Motor Sales, U.S.A., Inc. v. Tabari, 610 F.3d 1171, 1176 (9th Cir. 2010) (“Unreasonable, imprudent and inexperienced web-shoppers are not relevant.”).
20 See, e.g., <https://www.makeuseof.com/tag/prevent-emails-forwarded-outlook-gmail/>.
21 See <https://docs.microsoft.com/en-us/office365/securitycompliance/attack-simulator>.
22 Louis Vuitton Malletier S.A. v. Warner Bros. Entm’t Inc., 868 F. Supp. 2d 172, 180–81 (S.D.N.Y. 2012)
23 Pirone v. MacMillan, Inc., 894 F.2d 579, 585 (2d Cir. 1990) (“In the context of such a compilation [specifically, photographs of one ballplayer among the many featured in the calendar], an ordinarily prudent purchaser would have no difficulty discerning that these photos are merely the subject matter of the calendar and do not in any way indicate sponsorship.”).
24 See Aitken v. Commc’ns Workers of Am., 496 F. Supp. 2d 653, 663–64 (E.D. Va. 2007) (discussing commercial character in the context of speech).
25 See 15 U.S.C. §1125(c)(3)
26 15 U.S.C. §1115(b)(4).
27 Century 21 Real Estate Corp. v. Lendingtree, Inc., 425 F.3d 211, 214 (3d Cir. 2005) (citing New Kids on the Block v. News America Pub., Inc., 971 F.2d 302, 308 (9th Cir.1992)).
28 U.S. Shoe Corp. v. Brown Grp., Inc., 740 F. Supp. 196, 199 (S.D.N.Y.), aff’d 923 F.2d 844 (2d Cir. 1990); see also Kozinski, J., Trademarks Unplugged, 68 N.Y.U. L. Rev. 960, 973 (1993) (opining that calling a product “the Rolls Royce of its class” as a metaphor to describe it as a top-of-the-line product would constitute classic fair use)
29 Lendingtree, 425 F.3d 211; KP Permanent Make–Up, Inc. v. Lasting Impression I, Inc., 328 F.3d 1061, 1072 (9th Cir. 2003) (quotations omitted), rev’d. on other grounds, 543 U.S. 111.
30 Tabari, 610 F.3d at 1175–76; New Kids, 971 F.2d at 308 & n.7. Under the test applied by the Third Circuit, the first factor requires that “[t]he defendant’s use of the plaintiff’s mark is necessary to describe both plaintiff’s product or service and defendant’s product or service.” Lendingtree, Inc., 425 F.3d 211.
31 Volkswagenwerk Aktiengesellschaft v. Church, 411 F.2d 350 (1969); see Keurig, Inc. v. Strum Foods, Inc., 769 F. Supp. 2d 699 (D. Del. 2011).
32 New Kids, 971 F.2d at 308 & n.7 (9th Cir. 1992).
33 See Brown v. Elec. Arts, Inc., 724 F.3d 1235, 1244 (9th Cir. 2013) (citing Am. Dairy Queen Corp. v. New Line Prods., Inc., 35 F. Supp. 2d 727 (D. Minn. 1998)).
34 15 U.S.C. §1125(c)(4)(B)
35 Mattel, Inc. v. MCA Records, Inc., 296 F.3d 894, 906 (9th Cir. 2002)
36 See Handsome Brook Farm, LLC v. Humane Farm Animal Care, Inc., 700 F. App’x 251, 261–62 (4th Cir. 2017); Edward Lewis Tobinick, MD v. Novella, 848 F.3d 935, 952 (11th Cir.); Universal Commc’n Sys., Inc. v. Lycos, Inc., 478 F.3d 413, 424 (1st Cir. 2007).
37 See id.
38 Radiance Found., Inc. v. N.A.A.C.P., 786 F.3d 316, 331–32 (4th Cir. 2015)
39 See Rogers v. Grimaldi, 875 F.2d 994, 999 (2d Cir. 1989).
40 Gordon v. Drape Creative, Inc., 897 F.3d 1184, 1190 (9th Cir. 2018)
41 E.S.S. Entm’t 2000, Inc. v. Rock Star Videos, Inc., 547 F.3d 1095, 1100 (9th Cir. 2008)
42 Brown, 724 F.3d at 1241; Facenda, 542 F.3d at 1011; McCarthy on Trademarks and Unfair Competition §10:22 (5th ed.).
43 Fortres Grand Corp. v. Warner Bros. Entm’t Inc., 947 F. Supp. 2d 922, 931–32 (N.D. Ind. 2013), aff’d, 763 F.3d 696 (7th Cir. 2014); Brown, 724 F.3d at 1243; Facenda, 542 F.3d at 1018; Novalogic, Inc. v. Activision Blizzard, 41 F. Supp. 3d 885, 900–01 (C.D. Cal. 2013); Dillinger, LLC v. Elec. Arts Inc., No. 1:09-CV-1236-JMS-DKL, 2011 WL 2457678 (S.D. Ind. June 16, 2011); Roxbury Entm’t v. Penthouse Media Grp., Inc., 669 F. Supp. 2d 1170, 1175–76 (C.D. Cal. 2009); Romantics v. Activision Pub., Inc., 574 F. Supp. 2d 758, 766, 770 (E.D. Mich. 2008); The Romantics v. Activision Pub., Inc., 532 F. Supp. 2d 884, 890 (E.D. Mich. 2008).
44 Louis Vuitton Malletier S.A. v. Haute Diggity Dog, LLC, 507 F.3d 252, 268 (4th Cir. 2007); Jordache Enterprises, Inc. v. Hogg Wyld, Ltd., 828 F.2d 1482, 1486 (10th Cir. 1987); cf. Mutual of Omaha Ins. Co. v. Novak, 836 F.2d 397 (8th Cir. 1987); Lettuce Entertain You Enters., Inc. v. Leila Sophia AR, LLC, 703 F. Supp. 2d 777, 782 (N.D. Ill. 2010)
45 Inwood Labs., Inc. v. Ives Labs., Inc., 456 U.S. 844, 854 (1982); Tiffany (NJ) Inc. v. eBay Inc., 600 F.3d 93, 104–110 (2d Cir. 2010); Hard Rock Cafe Licensing Corp. v. Concession Servs., Inc., 955 F.2d 1143, 1148–50 (7th Cir. 1992)
46 1-800 Contacts, Inc. v. WhenU.Com, Inc., 414 F.3d 400, 409 (2d Cir. 2005) (“A company’s internal utilization of a trademark in a way that does not communicate it to the public is analogous to an individual’s private thoughts about a trademark. Such conduct simply does not violate the Lanham Act, which is concerned with the use of trademarks in connection with the sale of goods or services in a manner likely to lead to consumer confusion as to the source of such goods or services.”); Simmons v. Cook, 701 F. Supp. 2d 965, 988 (S.D. Ohio 2010).
47 Suntree Techs., Inc. v. Ecosense Int’l, Inc., 693 F.3d 1338, 1345–46 (11th Cir. 2012); Georgia-Pac. Consumer Prod. LP v. Myers Supply, Inc., No. 6:08-CV-6086, 2009 WL 2192721 (W.D. Ark. July 23, 2009), aff’d, 621 F.3d 771 (8th Cir. 2010).
48 Perfect 10, Inc. v. Visa Int’l Serv. Ass’n, 494 F.3d 788, 807–08 (9th Cir. 2007) (internal quotations omitted).
49 Cf. Am. Tel. & Tel. Co. v. Winback & Conserve Program, Inc., 42 F.3d 1421, 1430–31 (3d Cir. 1994).
50 Regulation (EU) 2017/1001 of the European Parliament and of the Council of 14 June 2017 on the European Union trade mark, Art. 14, see <http://data.europa.eu/eli/reg/2017/1001/oj>; Directive (EU) 2015/2436 of the European Parliament and of the Council of 16 December 2015 to approximate the laws of the Member States relating to trade marks, see <http://data.europa.eu/eli/dir/2015/2436/oj>.
51Case C-228/03, The Gillette Co. v. LA-Labs Ltd., 2005 E.C.R. I-02337; Case C-63/97, Bayerische Motorenwerke AG (BMW) v. Deenik, 1999 E.C.R I-0905.
52 Case C-63/97, Bayerische Motorenwerke AG (BMW) v. Deenik, 1999 E.C.R I-0905.
53 Case C-251/95, Sabel BV v. Puma AG & Rudolf Dassler Sport, 1997 E.C.R. 1-6191,  1 C.M.L.R. 445 (1998).
54 Case C-48/05, Adam Opel AG v. Autec AG., 2007 E.C.R. I-01017.
55 Case C-487/07, L’Oréal SA v. Bellure NV, 2009 E.C.R. I-05185.
57 Bayerische Motoren Werke Aktiengesellschaft v Technosport London Limited, 2017 EWCA Civ 779.
58 Joined Cases C-236/08 to C-238/08, Google France SARL v. Louis Vuitton Malletier SA (C-236/08), Google France SARL v. Viaticum SA (C-237/08) and Google France SARL v. Centre national de recherche en relations humaines (CNRRH) SARL (C-238/08), 2010 E.C.R. I-02417.
59 Regulation (EU) 2017/1001, Recital 21; Directive (EU) 2015/2436, Recital 27.
60 Regulation (EU) 2017/1001, Recital 21; Directive (EU) 2015/2436, Recital 27.
61 See, e.g., Jens Schovsbo, “Mark My Words”-Trademarks and Fundamental Rights in the Eu, 8 UC Irvine L. Rev. 555 (2018)
62 See Case C-487/07, L’Oréal SA v. Bellure NV, 2009 E.C.R. I-05185.
63 See Case C-48/05, Adam Opel AG v. Autec AG., 2007 E.C.R. I-01017.