By Eric Goldman
Technology & Marketing Law Blog
November 17, 2007
International Information Systems Security Certifications Consortium v.
Degraphenreed, 2:07 CV 1195 (S.D. Ohio complaint filed Nov. 16, 2007)
International Information Systems Security Certifications Consortium
("ISC2") offers a professional designation entitled "Certified
Information Systems Security Professional," or "CISSP" for short, that
individuals can earn by meeting the published requirements. The
Consortium has a federally registered certification mark (#2045256) for
the term "CISSP." The complaint alleges that Degraphenreed was once a
registered Certified Information Systems Security Professional but he
failed to satisfy the continuing standards. As a result, the complaint
alleges that Degraphenreed now describes himself as a "Chief Information
Security Systems Practitioner," also abbreviated as "CISSP," thereby
continuing to claim CISSP status without meeting the ISC2's standards.
These allegations appear to support trademark infringement and false
advertising claims, although interestingly I can't find any examples of
Degraphenreed's usage of the term "Chief Information Security Systems
Practitioner." (I got zero results in both Google and Yahoo searching
for the term "Chief Information Security Systems Practitioner."). ISC2
also alleged trademark dilution but that should be a non-starter because
I doubt CISSP will qualify as widely recognized among the general
The most interesting aspect of this case is that ISC2 also sued Google
and Yahoo for trademark infringement for hosting content that contained
Degraphenreed's impermissible CISSP usage. Specifically, the complaint
alleges that Google hosted six blogs that contained the CISSP mark (at
least 2 of which contained the term in the blog title), and that Google
refused to take down these blogs after the plaintiff's notice. The
complaint also alleges that Yahoo hosted 5 Yahoo Groups referencing
CISSP and a Flickr account containing ISC2's CISSP logo, and that after
plaintiff's notice Yahoo only removed one group and left everything else
up. The complaint claims direct (not contributory) trademark based on
>From my outsider's perspective, it looks like a significant tactical
error to bring Google and Yahoo into this lawsuit for at least four
1) The plaintiff's theories of trademark liability against Google and
Yahoo are untested and lack any useful precedent. In fact, to date we
really don't have an exemplar lawsuit discussing the liability of a
service provider for hosting trademark-infringing content, and I
can't think of a case where a service provider has been held liable a
trademark infringer for hosting user content. This claim reminds me a
little of the Jews for Jesus v. Google Blogspot lawsuit from Dec.
2005 (which ultimately settled irresolutely), where Jews for Jesus
complained about a third level domain/blog title selected by a blog
user. When that lawsuit was filed, I speculated about some of the
possible theories of liability and defenses, but the law was murky at
best. So in this case, suing Google and Yahoo makes a relatively
straightforward case much more complex and expensive.
2) Often, individual defendants in these types of cases don't hire
top-flight IP defense lawyers....but Google and Yahoo most assuredly
will. As a result, ISC2 has ensured that some very skilled attorneys
will line up on the defense to break every aspect of its case.
3) I couldn't investigate everything, but what I saw of Degraphenreed's
activities on Google and Yahoo didn't look immediately problematic.
For example, some of the blogs really lack any substance at all (see,
e.g., here), but they don't look like splogs. If anything, it looked
like ISC2 may be trying to shut down some griping. For example, two
of the Yahoo groups are entitled "cissp-clueless" and
"cissp-censorship," and the cissp-censorship group is a restricted
access group with only three members. It's not clear how this group
could possibly contribute to a trademark infringement claim. Instead,
it looks like ISC2 might be overreaching, perhaps to shut down some
unwanted commentary, and this may increase the judge's sensitivities
to the public interests at stake here.
4) The plaintiff can get all of the relief it needs just by suing
Degraphenreed. If the plaintiff wins that lawsuit, they can get an
order forcing Degraphenreed to remove the infringing material.
Further, I imagine that Google and Yahoo would happily take down any
content that a court has adjudged infringing.
Please email me  if you have any thoughts about why ISC2 decided to
go after Google and Yahoo (let me know if I can post your comments). For
now, I'm classifying it as a blunder. It will be interesting to see how
aggressively Google and Yahoo respond to this lawsuit.
Visit InfoSec News