Cybersec Patents: Mitigate the RisksSteps Organizations Can Take to Avoid Legal Battles
With many new security solutions in the marketplace, patent law is a concern for organizations that are creating solutions and one they need to address. What are the top risks to organizations, and how can they respond to them?
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Attorney James Denaro, a partner with the CipherLaw Group firm in greater Washington D.C., says the top risks organizations need to pay attention to include being sued for patent infringement and missing the opportunity to patent their own products.
"We've ... seen a substantial increase in the number of patent lawsuits being filed where patents covering information security are at stake," Denaro says in an interview with Information Security Media Group's Tom Field [transcript below].
So how can organizations address patent challenges? According to Denaro, the most important thing to do is to be proactive and have a defense strategy in place. "For companies that are innovating in information security, they can use the patent process to their advantage in a lot of cases," he says.
Entities that are able to obtain patents can license their inventions and use them as a revenue source. They can also use patents defensively if their company is threatened with a patent infringement action, Denaro explains.
Secondly, organizations need to monitor the patent landscape, "especially before bringing out new products," Denaro says. "Before using certain information security technology, they should look and see if that technology is covered by existing patents."
In an interview about cybersecurity and U.S. patent litigation, Denaro discusses:
- Common misunderstandings about patents;
- How organizations may be at risk;
- Questions organizations need to be asking themselves in light of new federal legislation.
Denaro leads the intellectual property practice at the CipherLaw Group. His practice focuses on strategic patent prosecution and counseling, patent portfolio management, and patent litigation. He has particular experience in computer engineering, communications, and software technologies.
He has successfully prosecuted patents for many Fortune 100 companies in a wide range of cutting-edge technologies. He handles all phases of patent prosecution, beginning with the initial drafting of the patent application. Denaro also has experience representing applicants at the Board of Appeals at the Patent Office and conducting informal interviews with Patent Examiners. He has particular expertise in the cybersecurity industry.
TOM FIELD: Just to start out with, why don't you introduce yourself, your firm and talk a little about your current work, please?
JAMES DENARO: I'm a partner with a law firm called CipherLaw, and we provide strategic intellectual property counseling to companies in the information security space. As part of that work, we do things like draft new patent applications for companies that are developing proprietary technology. For companies that already have a patent portfolio, we advise them on how to monetize those existing patents through licensing, and we also do risk analysis work. For example, a company might receive a notice alleging that they infringed somebody else's patent. In that case, we could help them work out a defensive strategy with the goal being to avoid costly litigation as much as possible. To do that, I have degrees in computer engineering and law and I've been working in information security technology for the last couple of years. Recently I passed the CISSP exam and have technical certifications from the Cloud Security Alliance and CISCO Systems. We kind of think of ourselves as technologists who also practice law.
Common Misunderstandings about Patents
FIELD: This is a new topic for a lot of people in our audience. Maybe you can give us just a quick primer, please, on the patent process, and at the same time dispel any common misconceptions or misunderstandings of patents.
DENARO: I think that would be very helpful. Patents are procured from the U.S. Patent and Trademark Office, and that process is typically called patent prosecution or patent procurement. There are three basic parts - the typical patent that you're likely to see. Those being the figures - the nice pictures that are very carefully drawn, a written description of the invention which can go on for one or two pages or tens of pages, and finally at the end of the patent a set of claims, typically around 20, and these claims are what's defined the exclusive right of the patented owner.
In a typical scenario, an inventor would work with a patent attorney who would draft a patent application and then file it at the patent office. The patent office reviews the application and responds by either allowing the application to issue as a patent or requiring further narrowing of those claims at the end that define the exclusive right. The patent process can take a few years. At the moment, the PTO is taking about two years from the date of filing to giving the first review back to the applicant. To actually get the patent issued from the patent office and have the actual patent number and certificate, that can take another year after that for that process to be completed, after all the back and forth takes place. There are some expedited processes available that can bring that time closer to a year, but at least a year in any case. Once the patent is granted then the term is 20 years from the date of filing. So if applicants are able to identify some technology that has really long-term value in the present and if that value can be monetized for several years, then patents can really be quite valuable.
The key misunderstanding that people have about patents is what exactly the right is. It's worth noting that patents do not actually grant a right to practice the claimed invention. Rather, patents just give you a right to exclude somebody else from practicing the claimed invention. So you could have a patent on something, yet actually be blocked from practicing that invention to which you have a patent. A good example would be an improvement on a process that somebody else invented. If the underlying core process is already patented, if your improvement requires that underlying process, your improvement could not be implemented without both your patent and the underlying patents.
Cybersecurity and Patents
FIELD: That's a great overview. Now up front, we talked about cybersecurity and patents. Where do these topics come together and what do you find is most misunderstood about cybersecurity and patents?
DENARO: It's an interesting question and I think the answer goes beyond just the patent and intellectual property. I'm sure you've noticed there's a lot of attention on cybersecurity now as a "new" area. There's a great deal of venture capital coming in and there's a heightened public perception of the need for cybersecurity after various high-profile breaches such as Zappos, most recently, and WikiLeaks and others like that. So, while there's a great public perception of it being a new issue, it's actually not new at all and there are plenty of people who have been doing it for several decades who are happy to explain how far back this industry actually goes. As an established area, there are actually many players in the business that have been out there for a long time and they've been getting patents that are still relevant today.
Risks for Organizations
FIELD: What are some examples of how organizations could be at risk if they don't have the right protections in place?
DENARO: There are two primary sources of risk that companies are facing today. The first one is being sued for patent infringement. We've done research that has identified a number of patents that have been issued recently, and we've also found that there are quite a few relevant patents in information security that have been around for a long time and are just now being asserted. For example, Maxim Integrated Products, this semi-conductor manufacturer based out of Sunnyvale California, recently sued Starbucks, Expedia and several banks alleging infringement of four patents that cover secure transactions on mobile devices. The earliest of these patents was filed at the PTO in 1996 and then issued in 1999. If you can imagine what your cell phone looked like in 1996, it's very interesting to see that patents from that era can still be asserted today. Of course, these patents are still in litigation. It remains to be seen how the case plays out, but at least these patents are being asserted as relevant to this technology.
This risk of being sued for patent infringement is heightened in particular when new industries are being developed and new products become successful. A good example of this is what happened with Vonage. In the mid-2000s, Vonage was sued by Verizon, Sprint Nextel and AT&T on a bunch of patents that were alleged to cover Vonage's VoIP products. Vonage paid about $200 million in damages total as a result of these patent cases. What had happened was Vonage successfully figured out how to productize a VoIP technology that other companies hadn't really figured out how to use. As a result of that, they ended up using technology that others had apparently already invented. That risk happens here when more and more companies are coming into the cybersecurity industry, they may find themselves running a foul of intellectual property rights that are held by some of the companies that have been in this industry before.
Another way companies may face some risk is by missing their chance to patent their proprietary technology as the prior art universe expands. Let me explain a little. The laws for patent prosecution state that you can receive a patent for your invention so long as it is novel and unobvious. In other words, that means if someone else has invented it first or written about your invention first and that information is available, then you will not be granted a patent for that same technology for that same invention. As we were saying, more and more companies are coming into the space, there are more conferences all the time, more papers being published, a lot more media attention, that's expanding the universe prior art a very high rate. So as that prior art universe expands, that reduces the area that's available for patenting.
FIELD: I know you've been speaking about a number of trends. You've been talking to different groups. What are some of the key trends that you're especially tracking today?
DENARO: We're tracking trends in both patent prosecution and patent litigation. Our research shows a significant up-tick in the number of patents being granted in the information security space between 2006 and 2011. In fact, what we're seeing is an increase of about 150 percent. Looking at the litigation side, we've also seen a substantial increase in the number of patent lawsuits being filed where patents covering information security are at stake. We're tracking trends in both patent litigation and patent prosecution.
The patent prosecution side, we've seen an increase of about double the number of patents granted on information security inventions between 2006 and 2011. The number went up from just about 2400 in 2006 to 4800 in 2011. Looking at the litigation side, we've also seen a substantial increase in the number of patents being asserted there as well. In 2000 there were only 16 information security patents asserted in the United States and in 2010 we saw that number go up to 89.
FIELD: In another direction, back in September President Obama signed into the lobby America Invents Act. How has this act impacted information security companies?
DENARO: As we were discussing, the pressure on information security IT has been increasing through the increase in the number of patents being granted and through the enforcement efforts, and the America Invents Act that was signed into law in September has only really served to increase that pressure. The Act is of course the most significant patent reform that we've seen in this country in many decades. The key change that it introduced being that we're moving from a first-to-invent system to a first-to-file system. This change will take effect in March of 2013.
We have about one year to kind of get things in order, but it's going to make a big difference for how small companies operate. It used to be that the day you conceived of your invention in your head and started working through to reduce it to practice was your date of invention. Now it's not going to work that way anymore. Your key date will be the date when you actually file your patent application at the PTO. For large companies that already have invention disclosure processes in place and they've got sort of a patent machine that works to get inventions to the patent office, they'll be affected a little bit less. They may need to speed things up a little bit, but it shouldn't substantially change what their operations look like. For small companies that don't have any infrastructure in place to assess proprietary technology and make determinations about whether or not to file for patent applications, then it's going to be a little bit more problematic because it will require them to put these structures in place and more importantly to put the money upfront sooner than they might necessarily want to under the existing system.
Steps to Tackle the Challenges
FIELD: You've outlined a number of issues. How do you advise organizations to tackle these challenges, especially the ones that relate to information security patents?
DENARO: There are a few things companies can do. I think the most important thing is to be proactive and for a lot of companies that means having some kind of a defensive strategy in place. What sort of actions you take depends a little bit on what type of company you are, whether you're a consumer of information security or a producer of information security solutions.
So for companies that are innovating in information security, they can use the patent process to their advantage in a lot of cases. Companies that are able to get patents on their inventions can license those inventions and use those inventions as a revenue source. They can also use them defensively as well if a company is threatened with a patent infringement action, in some cases a cross-license can be worked out if both companies have intellectual property rights that are of interest to the other company. Having patents creates the possibility of having that kind of opportunity.
The other thing companies can do, especially if they're not innovating in information security, if they're consuming information security technology, is to monitor the patent landscape essentially before bringing out new products. Before using certain information security technology, they should look and see if that technology is covered by existing patents. It's possible to do a patent search and find out if other companies already have patents covering the technology that you're planning to use.
FIELD: Final question for you. What are the questions that organizations really need to be asking themselves now when it comes to information security and patents?
DENARO: One of the key questions that I think people need to ask, that they're probably not asking enough, is, "Where is my software coming from?" A lot of times people are very quick to use free and open-source software and I think people need to watch and know who's standing behind that software, if anybody, and what sort of indemnification options might be out there. If you're using software that's basically backed by nobody and it turns out that the software runs into some patent infringement problems, the end user will be responsible for whatever infringement is bound to take place. However, if you use software that's backed by some organization that has agreed to indemnify for any infringement or to make good on any changes that need to be made to the software in light of those allegations of infringement, that can really put you in a much better position.