Epicor Software Corporationv.Protegrity CorporationDownload PDFPatent Trial and Appeal BoardApr 18, 201612916274 (P.T.A.B. Apr. 18, 2016) Copy Citation Trials@uspto.gov Paper No. 54 571.272.7822 Entered: April 18, 2016 UNITED STATES PATENT AND TRADEMARK OFFICE ____________ BEFORE THE PATENT TRIAL AND APPEAL BOARD ____________ EPICOR SOFTWARE CORPORATION,1 Petitioner, v. PROTEGRITY CORPORATION, Patent Owner. ____________ CBM2015-00006 Patent 8,402,281 B2 ____________ Before KEVIN F. TURNER, MEREDITH C. PETRAVICK, and GREGG I. ANDERSON, Administrative Patent Judges. PETRAVICK, Administrative Patent Judge. FINAL WRITTEN DECISION Covered Business Method Patent Review 35 U.S.C. § 328(a) and 37 C.F.R. § 42.73 1 During the course of the proceeding, Petitioner separated one of its business units from Epicor Software Corporation to APTOS, Inc., where both entities are indicated as being real parties-in-interest See Paper 32. CBM2015-00006 Patent 8,402,281 B2 2 I. INTRODUCTION A. Background On October 31, 2014, APTOS, Inc. (“Petitioner”) filed a Petition2 (Paper 9, “Pet.”) requesting a review under the transitional program for covered business method patents of claims 1–60 of U.S. Patent No. 8,402,281 B2 (Ex. 1001, “the ’281 patent”). On April 21, 2015, pursuant to 35 U.S.C. § 324, we instituted this trial on the following grounds: Ground Prior Art Challenged Claims § 101 n/a 1–60 § 102 Denning 1, 2, 6, 9,17, 18, 22, and 25 Paper 16 (“Dec. to Inst.”). On June 22, 2015, Protegrity Corporation (“Patent Owner”) filed a Patent Owner’s Response. Paper 28 (“PO Resp.”). Petitioner filed a Reply to Patent Owner’s Response. Paper 41 (“Pet. Reply”). On June 22, 2015, Patent Owner also filed a Motion to Amend. Paper 29 (“Mot. Amend”). Petitioner filed an Opposition to Patent Owner’s Motion to Amend (Paper 40) and Patent Owner filed a Reply to Opposition to Motion to Amend (Paper 42). On October 13, 2015, Patent Owner filed a Motion to Exclude Evidence. Paper 44 (“Mot. Exclude”). Petitioner filed an Opposition to Patent Owner’s Motion to Exclude (Paper 47, “Opp. to Mot. Exclude”), and Patent Owner filed a Reply to the Opposition to the Motion to Exclude (Paper 50). 2 We refer to the Amended Petition for Covered Business Method Patent Review. Paper 9. CBM2015-00006 Patent 8,402,281 B2 3 On October 13, 2015, Patent Owner also filed a Motion for Observation Regarding Cross Examination of Reply Witness Mr. Bruce Schneier. Paper 45 (“Mot. Observation”). Petitioner filed an Opposition to Patent Owner’s Motion for Observation. Paper 48. An oral hearing was held on November 12, 2015. A transcript of the hearing is included in the record. Paper 52 (“Tr.”). We have jurisdiction under 35 U.S.C. § 6(c). This Final Written Decision is issued pursuant to 35 U.S.C. § 328(a) and 37 C.F.R. § 42.73. B. Patent Owner’s Request to Cancel Claims 1–32 In the Patent Owner’s Response and the Motion to Amend, Patent Owner requests cancellation of claims 1–32 of the ’281 patent. PO Resp. 2– 3; Mot. Amend 1. Patent Owner’s request to cancel these claims is not contingent on the claims being determined to be unpatentable or on the entry of the proposed substitute claims. Patent Owner’s request to cancel claims 1–32 is granted and we need not address these claims further. The remaining ground is as follows: Ground Prior Art Challenged Claims § 101 n/a 33–60 C. Related Matters Petitioner identifies Protegrity Corporation v. Epicor Software Corporation, Case No. 3:13-cv-01781(JBA) (D. Conn. Dec. 2, 2013) as a related district court proceeding. Pet. 4. Patent Owner identifies numerous other related district court matters that would be affected by a decision in CBM2015-00006 Patent 8,402,281 B2 4 this proceeding. See Paper 7, 3–5. The ’281 patent was the subject of terminated proceedings CBM2013- 00024 and CBM2014-00121. Those proceedings terminated due to settlement between the parties. The ’281 patent is also the subject of pending proceedings CBM2014-00182 and CBM2015-00010. A Final Written Decision was entered in CBM2014-00182 on March 2, 2015. The ’281 patent is a continuation of U.S. Patent No. 6,321,201 B1 (Ex. 1004, “the ’201 patent”). The ’201 patent is the subject of proceedings CBM2015-00002, CBM2015-00014, and CBM2015-00030. The ’201 patent was also the subject of Reexamination No. 90/011,364, with some originally issued claims confirmed and some cancelled, one claim amended, and several claims added. D. The ’281 Patent The ’281 patent, titled “Data Security System for a Database,” issued on March 19, 2013, based on Application No. 12/916,274, filed on October 29, 2010. Ex. 1001, [45], [54], [65]. The ’281 patent claims priority through a chain of continuation applications to the ’201 patent, filed on June 18, 1997. Id. at [63]. The ’281 patent discloses an apparatus for protecting data. Id. at Abstract. Figure 3 of the ’281 patent is reproduced below. CBM2015-00006 Patent 8,402,281 B2 5 Figure 3 schematically illustrates a “data managing system.” Id. at 5:53–54. The database management system includes multiple databases, including an operative database (“O-DB”) and an information assets manager database (“IAM-DB”). Id. at 5:49–6:22. The database management system also includes multiple modules, such as Control Module 20, also known as the information assets manager application program interface (“IAM-API”). Id. at 6:23–56. The “operative database O-DB contains data that is to be protected.” Id. at 5:62–63. The IAM-DB “contains a data element protection catalogue with protection attributes for such data element types as are associated with data element values in records in the operative database O-DB” and “is preferably physically separated from the other O-DB.” Id. at 6:7–13. With regards to the Control Module 20 or IAM-API, the ’281 patent states that “[t]he control module controls the handling of the types of data protection that the system can supply. The control module carries out the processing requested via API (Application Program Interface) programming interface.” Id. at 6:45–50. CBM2015-00006 Patent 8,402,281 B2 6 Figure 4 of the ’281 patent is reproduced below. Figure 4 “schematically shows the principle of data processing according to the invention with compelling callings to a data element protection catalogue.” Id. at 5:39–41. As shown above, the data protection catalogue (DPC) of IAM-DB associates data element types (e.g., DT1) with protection attributes (e.g., P1*) and the data element types are associated with data element values (“DV”). Id. at 6:6–11. The protection attributes state rules for processing the corresponding data element values DV. Id. at 3:58–59. For example, a protection attribute indicates the degree to which data element value DV is encrypted (id. at 7:66–8:3) or indicates that only accepted, or certified, programs are allowed to process data element value DV (id. at 9:26–33). See id. at 4:51–5:6. When a user initiates an attempt to process certain data element value DV, a compelling calling is created to data protection catalogue DPC to obtain the protection attributes associated with the data element type for data element value DV. Id. at 2:65–3:4; see also id. at Abstract, 3:59–4:2, 4:26– CBM2015-00006 Patent 8,402,281 B2 7 31, 10:53–64 (describing the compelling calling). The processing of data element value DV is then controlled in conformity with the protection attributes. Id. at 3:3–5. Thus, the individual data element or data element type becomes the controlling unit for determining the level of protection. Id. at 4:42–47. Claims 33 and 47 of the ’281 patent are illustrative of the claims at issue and read as follows: 33. A computer-implemented data processing method comprising: maintaining a database comprising a plurality of data portions, each data portion associated with a data category; maintaining a separate data protection table comprising, for at least one data category, one or more data processing rules associated with the data category that must each be satisfied before a data portion associated with the data category can be accessed; receiving a request to access a data portion associated with a first data category from a user; determining whether each of the one or more data processing rules associated with the requested data portion are satisfied; and granting the user access to the requested data portion responsive to each of the retrieved one or more data processing rules being satisfied. 47. A computer system, comprising: a database storing a plurality of data portions, each data portion associated with a data category; a data protection table comprising, for at least one data category, one or more data processing rules associated with the data category that must each be satisfied before a data portion associated with the data category can be accessed; and CBM2015-00006 Patent 8,402,281 B2 8 a processor configured to: in response to a request to access a data portion associated with a first data category from a user, determine whether each of the one or more data processing rules associated with the requested data portion are satisfied; and grant access to the requested data portion responsive to each of the retrieved one or more data processing rules being satisfied. II. ANALYSIS A. Claim Construction The Board interprets claims of unexpired patents using the broadest reasonable construction in light of the specification of the patent in which they appear. 37 C.F.R. § 42.300(b); In re Cuozzo Speed Techs., LLC, 793 F.3d 1268, 1278–79 (Fed. Cir. 2015), cert. granted sub nom. Cuozzo Speed Techs., LLC v. Lee, 136 S. Ct. 890 (mem.) (2016). Under the broadest reasonable construction standard, claim terms are given their ordinary and customary meaning, as would be understood by one of ordinary skill in the art in the context of the entire disclosure. In re Translogic Tech., Inc., 504 F.3d 1249, 1257 (Fed. Cir. 2007). Any special definition for a claim term must be set forth with reasonable clarity, deliberateness, and precision. In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994). CBM2015-00006 Patent 8,402,281 B2 9 i. Database Petitioner proposes that the broadest reasonable construction of database is “an organized collection of structured data.” 3 Pet. 12–13. According to Petitioner, its proposed construction is the same construction taken by Patent Owner in a district court proceeding concerning the parent ’201 patent and is consistent with the ’281 patent’s use of “database.” Id. Patent Owner argues that Petitioner’s proposal is unreasonably broad and proposes that the broadest reasonable construction of “database” is “a data processing system for managing an organized collection of structured data.” PO Resp. 20–25. Patent Owner argues that Petitioner’s proposed construction is unreasonably broad in the context of the ’281 patent because the database must be construed to allow for the database to make automatic and compelling callings to the data element protection catalogue. Id. at 22. Patent Owner argues that its construction is consistent with the ’281 patent and is supported by the testimony of its declarants Mr. Mattsson and Dr. Direen, Petitioner’s declarant Mr. Schneier, and Dr. Shamos and supported by certain database manuals and technical definitions of the era. Id at 20– 25. a. Claim Language “Claim construction begins, as it must, with the words of the claims.” Vehicular Techs. Corp. v. Titan Wheel Int'l, 141 F.3d 1084, 1088 (Fed. Cir. 3 In the Final Written Decision for CBM2014-00182, we determine that the broadest reasonable construction of “database” is “an organization of structure data.” The addition of the word “collection” to the construction we adopted in CBM2014-00182, however, provides no meaningful distinction between the constructions as an organized structure of data implies a collection of data. CBM2015-00006 Patent 8,402,281 B2 10 1998) (citing Bell Commc’ns Research, Inc. v. Vitalink Commc’ns Corp., 55 F.3d 615, 619–20 (Fed. Cir. 1995)). Independent claim 33 recites “[a] computer-implemented data processing method” that includes, among other steps, a step of “maintaining a database comprising a plurality of data portions.” Ex. 1001, 13:38–41. Similarly, independent claim 47 recites “[a] computer system” that includes, among other elements, “a database storing a plurality of data portions.” Id. at 14:47–48. As can be seen from the above, claims 33 and 47 recite that the database comprises or stores data portions. Neither of claims 33 and 47, nor any claims dependent therefrom, recites that the database performs any other function, such as producing a compelling calling to the data protection catalogue to retrieve the data processing rules. See id. at 13:38–16:29. Indeed, unlike the parent ’201 patent, none of the claims of the ’281 patent recite a compelling calling at all. See id.; Ex. 1004, Ex Parte Reexamination Certificate 1:24–51 (amended claim 8). Notably, independent claim 8 of the parent ’201 patent recite an apparatus having a database that stores data to be protected. Ex. 1004, Ex Parte Reexamination Certificate 1:24–51 (amended claim 8). Claim 8 of the parent ’201 patent was amended during reexamination to recite that the apparatus, not the database, controls the user’s processing of the data according to the data processing rules, and the apparatus, not the database, also produces the compelling calling to the data element protection catalogue. Id. at Ex Parte Reexamination Certificate 1:41–51. The words of the claims of the ’281 patent, thus, are consistent with Petitioner’s proposed construction as the broadest reasonable construction. CBM2015-00006 Patent 8,402,281 B2 11 b. Written Description The written description is “always highly relevant” in construing a claim, and “it is the single best guide to the meaning of a disputed term.” Vitronics Corp. v. Conceptronic, Inc., 90 F.3d 1576, 1582 (Fed. Cir. 1996). The written description of the ’281 patent does not contain a definition of “database.” The claimed database for storing a plurality of data portions corresponds to the O-DB database disclosed in the ’281 patent. The O-DB database is part of a larger “database management system” that includes multiple databases. Id. at 5:53–6:22; Fig. 3. Similar to the other databases, the O-DB database is described as containing data and, in particular, data to be protected. Id. at 6:62–67. Contrary to Patent Owner’s argument (PO Resp. 7–8), the ’281 patent does not describe the O-DB database, or any other database, as performing any other data processing or managing functions. In particular, the ’281 patent does not describe that the O-DB database produces the compelling calling to the data protection catalogue. See Ex. 1001, 10:48–60 (“is first collected by the system”); see id. at Abstract, 2:65–3:5, 3:59–4:2, 4:26–31, 7:63–67, 8:53–61 (describing a compelling calling to a data protection catalogue, but failing to describe the compelling calling being produced by the O-DB database). The database managing system includes not only a number of databases, but also, a number of modules. Id. at 6:23–56 (“The data system in FIG. 3 further comprises a hardware component 10, a control module 20 (IAM-API), and a program module 30 (PTY-API).”); Fig. 3. The modules include control module 20, also labeled as an Information Assets Manager Application Program Interface (“IAM-API”), which “controls the handling CBM2015-00006 Patent 8,402,281 B2 12 of the types of data processing that the system can supply” and “carries out the processing requested via API . . . programing interface.” Id. at 6:45–50, Fig. 3. Petitioner’s proposed construction as the broadest reasonable construction is consistent with the written description of the ’281 patent. c. Declarant Testimony Patent Owner proffers the testimony of declarants Mr. Mattsson and Dr. Direen in support of its proposed construction. PO Resp. 21 (citing Ex. 2047 ¶¶ 27–29; Ex. 2048 ¶¶ 58–59). Mr. Mattsson testifies that “[d]efintions vary among practitioners but, generally, a database is meant to be a collection of data whereby the data is held so that it can be retrieved, manipulated, reported on, managed, queried, and protect” and that in the context of the ’281 patent the database does more than store data, such as manage or process the data. Ex. 2047 ¶¶ 27–30. Specifically, Mr. Mattsson testifies that “the Specification describes how the first database must ‘automatically and compellingly produce[] a system calling to the data element protection catalogue” and that Petitioner’s construction “does not provide for how [a] system calling (or any calling or processing) could take place if database is only to mean the data that is managed by the system.” Id. ¶ 31. Dr. Direen’s testimony is substantially the same as Mr. Mattsson’s testimony. See Ex. 2048 ¶¶ 58–61. Mr. Mattsson’s and Dr. Direen’s testimony is unpersuasive because it is inconsistent with the ’281 patent. As discussed above, the ’281 patent describes the O-DB as one database in a larger database management system. Ex. 1001, 5:52–6:22. The ’281 patent describes the O-DB database CBM2015-00006 Patent 8,402,281 B2 13 as containing data and describes the modules of the larger database management system as performing data processing. Id. at 5:62–67, 6:23–56. The ’281 patent does not describe the O-DB database as producing the compelling calling. See Ex. 1001, 10:48–60 (“is first collected by the system”); see id. at Abstract, 2:65–3:5, 3:59–4:2, 4:26–31; 7:63–67; 8:53–61 (disclosing a compelling calling to a data protection catalogue, but failing to describe the compelling calling being produced by the O-DB database). The assertion that the compelling calling is produced by the O-DB database is only found in Patent Owner’s arguments, Mr. Mattsson’s testimony, and Dr. Direen’s testimony, and not the ’281 patent. E.g., see Ex. 2047 ¶¶ 12–16, 22, 29; Ex. 2048 ¶ 19. Extraneous features should not be read into the claim. Renishaw PLC v. Marposs Societa’ per Azioni, 158 F.3d 1243, 1249 (Fed. Cir. 1998); E.I. du Pont de Nemours & Co. v. Phillips Petroleum Co., 849 F.2d 1430, 1433 (Fed. Cir. 1988). In that regard, “extrinsic evidence may be used only to assist in the proper understanding of the disputed limitation; it may not be used to vary, contradict, expand, or limit the claim language from how it is defined, even by implication, in the specification or file history.” Bell Atl. Network Servs. v. Covad Commc'ns Grp., 262 F.3d 1258, 1269 (Fed. Cir. 2001); see Vitronics Corp. v. Conceptronic, Inc., 90 F.3d 1576, 1584 (Fed. Cir. 1996) (“expert testimony, which was inconsistent with the specification and file history, should have been accorded no weight”). Further, we give little weight to Mr. Mattsson’s testimony because Mr. Mattsson is not a disinterested witness. Mr. Mattsson is Patent Owner’s Chief Technology Officer and Co-founder (Ex. 2019, 2) and has an interest in the outcome of this proceeding. CBM2015-00006 Patent 8,402,281 B2 14 Patent Owner also argues that the testimony of Patent Owner’s declarant Mr. Schneier and the testimony of Dr. Shamos, a declarant from a related proceeding, support its proposed construction. PO Resp. 20–21 (citing Ex. 2046, 71:2–6, 71:23–72:5; Ex. 2045, 36:10–37:24). Mr. Schneier’s and Dr. Shamos’s testimony, however, does not support Patent Owner’s proposed construction, but support Petitioner’s proposed construction as the broadest reasonable construction. Mr. Schneier agreed, when questioned by Patent Owner, that a reasonable interpretation of database is “a system that includes blobs of data in the organization and structure to make that works” (Ex. 2046, 76:2–6), but Mr. Schneier also testifies that Petitioner’s proposed construction is a reasonable definition that “coincided with what the patent seemed to say” (id. at 76:16–77:2; Ex. 1002 ¶ 22). Likewise, Dr. Shamos testifies that “database” can have multiple definitions (Ex. 2045, 36:10–37:24), but Dr. Shamos also testifies that in the context of the ’281 patent and under the broadest reasonable interpretation standard “database” means an “organized collection of structure data” (id. at 37:25–38:8). The Board construes claims using the broadest reasonable construction in light of the specification of the patent in which they appear. 37 C.F.R. § 42.300(b). d. Database Manual and Technical Encyclopedia Patent Owner also proffers a database manual and a technical entry for “database management system” of a technical encyclopedia to support its construction. PO Resp. 24–25 (citing Exs. 2051, 2052). This extrinsic evidence is also unpersuasive as both the database manual and the CBM2015-00006 Patent 8,402,281 B2 15 encyclopedia entry are directed to a database management system, as opposed to simply a database. e. Broadest Reasonable Construction of “Database” We determine that the broadest reasonable construction, in light of the specification of the ’281 patent, and the proffered evidence, of “database” is “an organized collection of structured data.” As discussed above, this construction is consistent with the words of the claims, the disclosure of the ’281 patent, the testimony of Mr. Schneier and Dr. Shamos and the position taken by Patent Owner in the related district court proceeding. We are not persuaded by Patent Owner’s arguments, Patent Owner’s declarants’ testimony, database manual, or technical encyclopedia that this construction is unreasonably broad. ii. Data Portion In our Decision to Institute, we determined that the broadest reasonable construction, in light of the specification, of “data portion” is its plain and ordinary meaning of “a part or share of the database.” Dec. to Inst. 17. Patent Owner challenges this construction and contends that the broadest reasonable construction of “data portion” is “data element value,” because the ’281 patent describes the invention as working on the “data element level.” PO Resp. 26–27. We are not persuaded by Patent Owner that we erroneously construed the term “data portion.” As we explained in the Decision to Institute, the Specification contains no lexicographic definition of “data portion” and our construction is consistent with the plain and ordinary meaning of “portion.” CBM2015-00006 Patent 8,402,281 B2 16 Dec. to Inst. 16–17; see Ex. 3001 (MERRIAM-WEBSTER’S COLLEGIATE DICTIONARY 908 (10TH ED. 1998)). Our construction is also consistent with the words of independent claims 33 and 47, which require that the data portions are part of a database. E.g., see Ex. 1001, 11:18–19 (claim 1 recites “maintaining a database comprising a plurality of data portions”). Our construction is further consistent with dependent claims 37, 38, 51, and 52, which further define the claimed data portions to be “a column of data in the database” or “a field of data in the database.” Patent Owner’s proposed construction is overly narrow and improperly attempts to import limitations from the specification of the ’281 patent into the claim. Limitations appearing in the specification but not recited in the claim are not read into the claim. E-Pass Techs., Inc. v. 3Com Corp., 343 F.3d 1364, 1369 (Fed. Cir. 2003) (claims must be interpreted “in view of the specification” without importing limitations from the specification into the claims unnecessarily) (internal quotations and citation omitted). Although the ’281 patent describes the invention as working on the cell or data element level (see Ex. 1001, 3:52–59), we see nothing in the claims, themselves, that require the data portions to be data element values. Dependent claims 37 and 51 are inconsistent with Patent Owner’s proposed construction, because they define the data portion as a column of data, which is a larger portion of data than a data element value. We determine that the broadest reasonable construction, in light of the specification of the ’281 patent, of “data portion” is a part or share of the database. CBM2015-00006 Patent 8,402,281 B2 17 iii. Data Category In our Decision to Institute, we determined that the broadest reasonable construction, in light of the specification, of “data category” is “any class or division of data sharing one or more characteristics or attributes,” as proposed by Petitioner. Dec. to Inst. 17 (citing Pet. 13–14). Patent Owner contends that the term needs no explicit construction. PO Resp. 26. For the reasons proffered by Petitioner (Pet. 13–14), the broadest reasonable construction, in light of the specification of the ’281 patent, of “data category” is any class or division of data sharing one or more characteristics or attributes. iv. Data Processing Rule In our Decision to Institute, we determined that the broadest reasonable construction, in light of the specification, of “data processing rule” is “rules for processing data,” as proposed by Petitioner. Dec. to Inst. 14–16 (citing Pet. 13). Patent Owner does not dispute this construction in its Patent Owner’s Response. For the reasons proffered by Petitioner (Pet. 14–15), the broadest reasonable construction, in light of the specification of the ’281 patent, of “data processing rules” is rules for processing data. See Dec. to Inst. 14–15. v. Other Proposed Constructions Petitioner also proposed a construction of “encryption/encrypted.” Pet. 15. For the purposes of our review of the claims of the ’281 patent, however, no explicit construction of any other claim term is needed. CBM2015-00006 Patent 8,402,281 B2 18 B. Standing to Seek Covered Business Method Patent Review Section 18 of the AIA4 provides for the creation of a transitional program for reviewing covered business method patents. Section 18 limits review to persons or their privies that have been sued or charged with infringement of a “covered business method patent,” which does not include patents for “technological inventions.” AIA §§ 18(a)(1)(B), 18(d)(1). 37 C.F.R. § 42.302 states “[c]harged with infringement means a real and substantial controversy regarding infringement of a covered business method patent exists such that the petitioner would have standing to bring a declaratory judgment action in Federal court.” Petitioner states that it was charged with infringement of the ’281 patent in Protegrity Corporation v. Phoenix Payment Systems, Inc., No. 3:13-cv-01386 (D. Conn.). Pet. 10–11. Patent Owner does not dispute this statement. i. Financial Product or Service A covered business method patent “claims a method or corresponding apparatus for performing data processing or other operations used in the practice, administration, or management of a financial product or service, except that the term does not include patents for technological inventions.” AIA § 18(d)(1). The “legislative history explains that the definition of covered business method patent was drafted to encompass patents ‘claiming activities that are financial in nature, incidental to a financial activity or complementary to a financial activity.’” Transitional Program for Covered 4 Leahy-Smith America Invents Act, Pub. L. No. 112-29, 125 Stat. 284, 329 (Sept. 16, 2011) (“AIA”). CBM2015-00006 Patent 8,402,281 B2 19 Business Method Patents—Definitions of Covered Business Method Patent and Technological Invention, 77 Fed. Reg. 48,734, 48,735 (Aug. 14, 2012) (Final Rule) (quoting 157 Cong. Rec. S5432 (daily ed. Sept. 8, 2011) (statement of Sen. Schumer)). The legislative history indicates that “financial product or service” should be interpreted broadly. Id.; see Versata Dev. Grp., Inc. v. SAP America, Inc., 793 F.3d 1306, 1323–26 (Fed. Cir. 2015). A patent need have only one claim directed to a covered business method to be eligible for review. 77 Fed. Reg. at 48,736 (Response to Comment 8). Petitioner contends that the ‘281 patent “claims a method for performing data processing or other operations that are at least incidental to the practice, administration, or management of a financial product or service” and, thus, is a covered business method patent. See Pet. 5–7. Patent Owner contends that the ’281 patent does not claim a financial service or product. PO Resp. 54–59. Patent Owner argues that “not a single word in any single claim of the ’281 Patent [] is purportedly directed to a ‘financial product or service.’” PO Resp. 58. We do not interpret the statute as requiring the literal recitation of terms of data processing of financial products or services. As recognized in the legislative history: “[t]o meet this [eligibility] requirement the patent need not recite a specific financial product or service. Rather, the patent claims must only be broad enough to cover a financial product or service.” 157 Cong. Rec. S1365 (daily ed. Mar. 8, 2011) (Statement of Sen. Schumer). In this regard, claim 33 recites a “computer-implemented data processing method” and includes a step of “determining whether each of the CBM2015-00006 Patent 8,402,281 B2 20 one or more data processing rules associated with [a] requested data portion are satisfied.” The ’281 patent discloses that protection attributes (i.e., the claimed data processing rules) are used to protect against unauthorized access of a data portion in a database (see Ex. 1001, 4:35–47) and that banking is a field where protection against unauthorized access to databases that are used for administering and storing sensitive information is desired. Id. at 1:35–39. Banking is a financial activity. The ’281 patent, further, discloses an example of a user interface that is used to alter protection attributes in the data protection catalogue. Id. at 11:9–15; see also Fig. 5 (depicting the user interface.). In the example, “Housing allowance” and “Social allowance” are data element types or data categories. Id. at 11:8–10; Fig. 5. Figure 5 of the ’281 patent depicts a Financial Manager as a person authorized to access the Social allowance data. Allowances and a Financial Manager are financial in nature. Likewise, Patent Owner’s declarant Dr. Direen testifies that “[t]he standard examples, which are examples of market concern, are protecting data items such as credit card numbers and social security number.” Ex. 2048 ¶ 27 (emphasis added). Dr. Direen’s testimony discusses such an example. Id. ¶¶ 11, 14, 27–53; Figs. 1–15. In Dr. Direen’s example, the data portions include credit card numbers, credit card PIN numbers, and salary information; the data categories include credit card number and salary; and the data processing rules include credit card protection attributes and salary protection attributes. E.g., see id. ¶¶ 32, 35, 46; Figs. 1, 9. Credit card number, credit card PIN numbers, and salary are all data financial in nature. Although not sufficient on its own the ’281 patent is classified in CBM2015-00006 Patent 8,402,281 B2 21 705/51 of the Office’s patent classification system. See 77 Fed. Reg. at 48,739; see Versata at 1324, n.14 (noting that while Class 705 “apparently served as the original template for the definition of a ‘covered business method,’ . . . [it] was thought to be too narrow”) (citation omitted); Pet. 6. Class 51—“Usage protection of distributed data files” is a subclass indented under subclass 705/50—“Subject matter including cryptographic apparatus or methods uniquely designed for or utilized in . . . the processing of financial data.” We are persuaded by Petitioner that a preponderance of the evidence shows that at least claim 33 encompasses activities that are financial in nature, incidental to a financial activity, or complementary to a financial activity. We are not persuaded by Patent Owner’s argument that previous Board decisions demonstrate that the ’281 patent is not a covered business method patent. PO Resp. 56–58 (citing PNC Fin. Servs Grp., Inc. v. Intellectual Ventures I, LLC, Case CBM2014-00032, slip. op. at 10 (PTAB May 22, 2014) (Paper 13); J.P. Morgan Chase & Co. v. Intellectual Ventures II LLC, Case CBM2014-00160, slip op. at 11 (PTAB Jan. 29, 2015) (Paper 11); Salesforce.com Inc. v. Applications in Internet Time, LLC, Case CBM2014-00162, (PTAB Feb. 2, 2015) (Paper 11).) The cited previous Board decisions are not precedential and are not binding on this panel. Nonetheless, we have reviewed the allegedly conflicting decisions. Our review of these decisions, however, reveals that the determination of whether the patent is a covered business method patent rests upon the specific facts of those proceedings. For example, in PNC Financial Services, the Board determined that a showing that the patent was asserted CBM2015-00006 Patent 8,402,281 B2 22 against a financial service in an infringement proceeding was not enough to establish that the patent was a covered business method patent. See PNC Fin. Servs, CBM2014-00032, Paper 13 at 14. The Board stated that whether an allegedly infringing product was a financial service was just one factor and that the Petitioners had not shown how “the ’298 patent, either through its claims, Specification, or prosecution history, encompasses ‘activities that are financial in nature, incidental to a financial activity, or complementary to a financial activity.’” Id. at 13–14. Similarly, in J.P. Morgan and Salesforce, the Board determined whether the patent was a covered business method patent based upon the particular facts of those proceedings. Patent Owner does not establish that the facts in those proceedings are sufficiently similar to the facts in this proceeding. As discussed above, we determined, based upon the facts in this proceeding, that the ’281 patent is a covered business method patent. We are also not persuaded by Patent Owner that the ’281 patent is not a covered business method patent, because “the entire reason behind the invention contradicts any allegation that the invention of the ’281 Patent is incidental to a financial service or product.” PO Resp. 59. According to Patent Owner, the Swedish Data Inspection, AB, mandated protection legislation for personally-identifiable information to protect students and “[t]hey did not, however, mandate data protection solely for financial institutions.” Id. (citing Ex. 2022, ¶¶ 14–16 (testimony of Mr. Mattsson); Ex. 2040 (U.S. Patent No. 5,606,610, which allegedly discloses Patent Owner’s first attempt to comply with the Swedish legislation)). The ’281 patent makes no mention of the Swedish legislation or that the legislation was for the protection of students. The ’281 patent makes no CBM2015-00006 Patent 8,402,281 B2 23 mention of students at all. Notably, U.S. Patent No. 5,606,610, which Patent Owner argues was also the result of the Swedish legislation, likewise fails to mention the Swedish legislation or the need to protect student data, but does disclose that banking is a sector where it is essential that stored data be protected against unauthorized access. See Ex. 2040, 1:13–15. We are persuaded by Petitioner that a preponderance of the evidence shows that at least claim 33 of the ’281 patent encompasses a method or corresponding apparatus for performing data processing or other operations used in the practice, administration, or management of a financial product or service. ii. Technological Invention The definition of “covered business method patent” in Section 18(d)(1) of the AIA does not include patents for “technological inventions.” To determine whether a patent is for a technological invention, we consider “whether the claimed subject matter as a whole recites a technological feature that is novel and unobvious over the prior art; and solves a technical problem using a technical solution.” 37 C.F.R. § 42.301(b). Both prongs must be satisfied in order for the patent to be excluded as a technological invention. The following claim drafting techniques, for example, typically do not render a patent a “technological invention”: (a) Mere recitation of known technologies, such as computer hardware, communication or computer networks, software, memory, computer-readable storage medium, scanners, display devices or databases, or specialized machines, such as an ATM or point of sale device. (b) Reciting the use of known prior art technology to CBM2015-00006 Patent 8,402,281 B2 24 accomplish a process or method, even if that process or method is novel and non-obvious. (c) Combining prior art structures to achieve the normal, expected, or predictable result of that combination. 77 Fed. Reg. 48,756, 48,763–64 (Aug. 14, 2012). a. A Technological Feature that is Novel and Unobvious over the Prior Art Petitioner argues that the ’281 patent is not for a technological invention because none of the claims recite a technological feature that is novel and nonobvious over the prior art. Pet. 7–10. According to Petitioner, “the ’281 Patent claims as a whole do not recite any technological feature that is novel or nonobvious.” Pet. 9. Patent Owner argues that “[t]he evidence demonstrates that the claims of the ’281 Patent recite technological features that were novel and nonobvious over the prior art at the time of the invention.” PO Resp. 60. We are persuaded by Petitioner that the ’281 patent is not for a technological invention because at least claim 33 does not satisfy the first prong of the test. Claim 33 does not recite a technological feature that is novel or unobvious over the prior art. Claim 33 recites a data processing method that is computer-implemented and includes maintaining a database of data portions and maintaining a separate data protection table comprising data processing rules associated with a data category for a data portion. Data processing computers having separate databases, which store associated data and associated rules, were known at the time of filing the ’281 patent. See Ex. 1001, 1:28–33; Ex. 1002 ¶ 18; Ex. 1005, 192–194, 202, 213 (describing relational databases); Pet. 21–22. Claim 33 also recites steps of receiving a request to access a data CBM2015-00006 Patent 8,402,281 B2 25 portion, determining whether the data processing rules are satisfied, and granting the user access in response to each of the data processing rules being satisfied. Claim 33 is silent as to how these steps are computer- implemented. Claim 47, however, specifies that a processor is configured to perform these steps. A processor is a known computer element. See Ex. 1002 ¶ 18. Patent Owner argues that “[t]he evidence demonstrates that the claims of the ’281 patent recite technological features that were novel and nonobvious over the prior art.” PO Resp. 60. Patent Owner, however, does not specify which claimed technical features are allegedly novel and unobvious. See PO Resp. 60–62. Patent Owner may be arguing that the novel and unobvious technological features are a database comprising data element values and a data protection table because, according to Patent Owner, claim 33’s database must be a data processing system for managing an organize collection of data and for making a compelling calling to the data protection table and claim 33’s data portion must be a data element value so that protection is a data element level. See PO Resp. 62–63, n.22. Patent Owner’s argument, however, is unpersuasive because, as discussed in section II(A) above, when a database and data portion are given their broadest reasonable construction, in light of the ’281 patent, claim 33 does not require these alleged features. We are persuaded by Petitioner that a preponderance of the evidence shows that at least claim 33 does not recite a technological feature that is novel or unobvious over the prior art and does not satisfy the first prong of the test. The ’281 patent, thus, is a covered business method patent that is not a technological invention. CBM2015-00006 Patent 8,402,281 B2 26 b. Solves a Technical Problem with a Technical Solution Petitioner argues that the ’281 patent is not for a technological invention because none of the claims solve a technical problem using a technical solution. Pet. 9–10. According to Petitioner, the ’281 Patent is directed to the problem of granting access to data only if associated rules are satisfied, which is solved by maintaining a database of data and a separate data protection table that has rules. Id. at 9. Petitioner argues that such a use of a data processing computer with databases is known technology. Id. Patent Owner argues that the ’281 patent is for a technological invention, because it solves a technical problem with a technical solution. PO Resp. 30–38, 60–63. According to Patent Owner, the ’281 patent solves three problems: 1) to provide separation of duties and prevent database administrators from accessing the data (id. at 37); 2) “the ability to implement data protection on the data element level in the database without requiring application-level changes to the various computer programs and application that were seeking to retrieve protected data from the database” (id.); and 3) “providing data element level protection across many brands of databases that a company might be using in-house” (id.). See id. at 30–38. The alleged solution is “data to be protected in a first database, while the rules for protection were stored outside that database and thus outside the purview of the DBA [database administrator].” Id. at 38; see id. at 30–38. Patent Owner, points the testimony of Petitioner’s declarant, Mr. Schneier, as purportedly admitting that the ‘281 patent solves a technical problem. Id. at 60. CBM2015-00006 Patent 8,402,281 B2 27 We are persuaded by Petitioner that the ’281 patent does not solve a technical problem with a technical solution. See Pet. 10–11. The ’281 patent discloses that its objective is “to increase the protection against unauthori[z]ed access to sensitive information.” Ex. 1001, 2:29–33; see also id. at 2:10–25, 1:23–24 (describing that the ’281 patent “concerns . . . a method and apparatus for data processing . . . for accomplishing increased protection against unauthorized processing of data.”). The solution to this problem was achieved by the claimed methods and apparatuses. Id. at 2:49– 52. None of the three technical problems identified by Patent Owner are described in the ’281 patent. See PO Resp. 16–21, 27–35. The ’281 patent makes no mention of a need to protect data from a database administrator, to eliminate application-level changes to the various computer programs and applications that were seeking to retrieve protected data from the database, or to provide protection across many brands of databases. Id. Likewise, the ’281 patent does not describe the technical solution, alleged by Patent Owner, because the ’281 patent does not describe a first database that calls out to the second database. The claims of the ’281 patent also do not require the alleged technical solution. Neither claim 33 nor any other claim requires a first database that calls out to a second database or, indeed, any other compelling calling. Further, the cited testimony of Mr. Schneier does not support Patent Owner’s argument. See PO Resp. (citing Ex. 2046, 90:15–91:9). First, Mr. Schneier’s testimony is directed to the ’201 patent and not the ’281 patent. See Ex. 2046, 90:15–91:9. The claims of the ’201 patent recite features not required by the claims of the ’281 patent. See Ex. 1004. Second, Mr. CBM2015-00006 Patent 8,402,281 B2 28 Schneier testimony is directed to whether features not required by the claims of the ’281 patent, such as “format preserving encryption,” are a technical solution. Ex. 2046, 89:29–91:9. Claim 33 does not require format preserving encryption or any other encryption of the data. We are persuaded by Petitioner that a preponderance of the evidence shows that at least claim 33 does not solve a technical problem using a technical solution, and, thus, at least claim 33 also does not satisfy the second prong. The ’281 patent, thus, is a covered business method patent that is not a technological invention. For the reasons discussed above, we are persuaded by Petitioner that the ’281 patent is eligible for covered business method patent review. C. 35 U.S.C. § 101 i. Section 101 Subject Matter Eligibility For claimed subject matter to be patentable eligible, it must fall into one of four statutory classes set forth in 35 U.S.C. § 101: a process, a machine, a manufacture, or a composition of matter. The Supreme Court recognizes three categories of subject matter that are ineligible for patent protection: “laws of nature, physical phenomena, and abstract ideas.” Bilski v. Kappos, 130 S. Ct. 3218, 3225 (2010) (internal quotations and citation omitted). A law of nature or an abstract idea by itself is not patentable; however, a practical application of the law of nature or abstract idea may be deserving of patent protection. Mayo Collaborative Servs. v. Prometheus Laboratories, Inc., 132 S. Ct. 1289, 1293–94 (2012). To be patentable, however, a claim must do more than simply state the law of nature or abstract idea and add the words “apply it.” Id. CBM2015-00006 Patent 8,402,281 B2 29 In Alice Corp. Pty, Ltd. v. CLS Bank Int’l, 134 S. Ct. 2347 (2014), the Supreme Court recently clarified the process for analyzing claims to determine whether claims are directed to patent-ineligible subject matter. In Alice, the Supreme Court applied the framework set forth previously in Mayo, “for distinguishing patents that claim laws of nature, natural phenomena, and abstract ideas from those that claim patent-eligible applications of those concepts.” Alice, 134 S. Ct. at 2355. The first step in the analysis is to “determine whether the claims at issue are directed to one of those patent-ineligible concepts.” Id. If they are directed to a patent- ineligible concept, the second step in the analysis is to consider the elements of the claims “individually and ‘as an ordered combination’ to determine whether the additional elements ‘transform the nature of the claim’ into a patent-eligible application.” Id. (quoting Mayo, 132 S. Ct. at 1298, 1297). In other words, the second step is to “search for an ‘inventive concept’ — i.e., an element or combination of elements that is ‘sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the [ineligible concept] itself.’” Id. (alteration in original) (quoting Mayo, 132 S. Ct. at 1294). Further, the “prohibition against patenting abstract ideas ‘cannot be circumvented by attempting to limit the use of the formula to a particular technological environment’ or adding ‘insignificant postsolution activity.’” Bilski, 130 S. Ct. at 3230 (quoting Diamond v. Diehr, 450 U.S. 175, 191–92 (1981)). Accordingly, utilizing this framework, we review Petitioner’s contention that claims 33–60 of the ’281 patent are directed to ineligible subject matter. CBM2015-00006 Patent 8,402,281 B2 30 ii. Ineligible Concept Petitioner contends that the claims of the ’281 patent are merely directed to an abstract idea of determining whether access to data should be granted based on whether one or more rules are satisfied. Pet. 16–19. Patent Owner disputes that the claims of the ’281 patent are directed to an abstract idea. See PO Resp. 29–46. According to Patent Owner, “protection of data in a first database through rules stored in a second database” provides a solution to a problem “necessarily rooted in computer technology.” Id. at 30; see id. at 32–38 (citing DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245 (Fed. Cir. 2014)). Claims 33–46 recite data processing methods, and claims 47–60 recite corresponding computer systems. Nominally, the claimed methods and system fall within the process or machine categories, respectively, of statutory subject matter. Statutory class, however, is not by itself determinative of whether a claim is directed to patent eligible subject matter. “Regardless of what statutory category (‘process, machine, manufacture, or composition of matter,’ 35 U.S.C. § 101) a claim's language is crafted to literally invoke, we look to the underlying invention for patent-eligibility purposes.” CyberSource Corp. v. Retail Decisions, Inc., 654 F.3d 1366, 1374 (Fed. Cir. 2011). See Alice, 134 S. Ct. 2358–59; Bancorp Servs. v. Sun Life Assurance Co., 687 F.3d 1266, 1275 (Fed. Circ. 2012). Independent claim 33 recites a data processing method that grants access to a requested data portion if the rules associated with a data category that is associated with the requested data portion is satisfied. Ex. 1001, 13:38–54. Claim 33 requires a database that comprises the data portions and requires a separate data protection table comprising data processing rules CBM2015-00006 Patent 8,402,281 B2 31 that must be satisfied before the data portion can be accessed. Id. The data processing rules are associated with the data category. Id. Independent claim 47 recites a corresponding computer system. Id. at 14:47–63. Independent claims 33 and 47, thus, recite a method or system that grants access to a requested data portion if the rules associated with a data category that is associated with the requested data portion are satisfied. Ex. 1001, 13:38–54. Given the above, we are persuaded by Petitioner that the claims are directed to the abstract idea of determining whether access to data should be granted based on whether one or more rules are satisfied. We are not persuaded by Patent Owner that the claims are not directed to an abstract idea, because Patent Owner’s argument is based upon elements not required by the claims. See PO Resp. 29–38. Given our construction of “data portion” and “database” in section II (A) above, the claims do not require protection on the data element level based on rules stored in a separate database, where the first database calls out to the second database. Patent Owner’s argument is not commensurate with the scope of the claims. iii. Inventive Concept Next, we look for additional elements that can “transform the nature of the claim” into a patent-eligible application of an abstract idea. That is, we determine whether the claims include an “inventive concept,” i.e., an element or combination of elements sufficient to ensure that the patent in practice amounts to significantly more than a patent on the abstract idea itself. Alice, 134 S. Ct. at 2357. The Supreme Court in Alice cautioned that CBM2015-00006 Patent 8,402,281 B2 32 merely limiting the use of abstract idea “to a particular technological environment” or implementing the abstract idea on a “wholly generic computer” is not sufficient as an additional feature to provide “practical assurance that the process is more than a drafting effort designed to monopolize the [abstract idea] itself.” Alice, 134 S. Ct. at 2358. a. Independent Claims 33 and 47 Petitioner argues that the claims contain “only inconsequential limitations that are insufficient to render them patent-eligible.” Pet. 21. In this regard, Petitioner argues that the claims recite only generic computer elements and functions that were well-known and conventional. Id.; see id. at 19–22. Petitioner argues that the steps of maintaining a database of data portions and maintaining a separate data protection table are simply data- gathering steps and that receiving a request to access a data portion and granting access to a data portion are insignificant pre- and post-solution activity. Id. at 21. Petitioner, further, argues that even when the claimed steps are considered as an ordered combination, they do “require nothing more than the routine and conventional use of a computer, having a database and a processor.” Id. at 22. Taking claim 33 as representative, claim 33 requires that the method is “computer-implemented.” Ex. 1001, 13:48. Merely reciting a generic computer cannot transform a patent-ineligible abstract idea into a patent- eligible invention. Alice, 134 S. Ct. at 2358. Claim 33 also requires a step of maintaining a database comprising data portions, associated with a data category and a step of maintaining a separate data protection catalogue comprising a plurality of data processing CBM2015-00006 Patent 8,402,281 B2 33 rules associated with a data category. Ex. 1001, 13:40–46. Data processing computers having separate databases, which store associated data and associated attributes, were well-known and conventional at the time of filing the ’281 patent. See Ex. 1002 ¶ 18; Ex. 1005, 192–194, 202, 213 (describing relational databases). Storing data and associated rules in separate databases is nothing more than routine data gathering and does not transform the abstract idea into a patent-eligible invention. See CyberSource, 654 F.3d at 1370. Claim 33 further requires a step of receiving a request to access a data portion and a step of determining whether the data processing rules associated with the request data portion are satisfied. Ex. 1001, 13:47–51. This is well-understood, routine, conventional activity that does not add significantly more to the abstract idea. Mayo, 132 S. Ct. at 1298; see Pet. 19–21; Ex. 1005, 192–194 (discussing decision rules). Claim 33 finally requires a step of granting the user access to the requested data portion in response to the data processing rules being satisfied. Ex. 1001, 13:52–54. Claim 47 recites that a processor is configured to perform these steps. A processor is a known computer element. See Ex. 1002 ¶ 18. Such granting of access to a user is merely a conventional post-solution activity. Conventional post-solution activity is not sufficient to transform the abstract idea into patent-eligible subject matter. See Parker v. Flook, 437 U.S. 584, 590–92 (1978). Even when the claim elements are considered as a combination, they add nothing that is not already present when the elements are considered separately. Alice, 134 S. Ct. at 2359. Claims 33 and 47 convey nothing more meaningful than the fundamental concept of determining whether CBM2015-00006 Patent 8,402,281 B2 34 access to data should be granted based on whether one or more rules are satisfied. Upon review of Petitioner’s analysis and supporting evidence and taking into account Patent Owner’s arguments, discussed below, we are persuaded by Petitioner that independent claims 33 and 47 do not recite additional elements that transforms the claim into a patent-eligible application of an abstract idea. We are not persuaded by Patent Owner’s arguments that the claims require additional elements that transform that abstract idea into a patent eligible application (PO Resp. 46–54) because they are based upon an overly narrow construction of the claimed elements, as discussed in section II (A) above, and based on additional elements not recited or required by the claims, as discussed in section II (B)(ii) above. In addition, we are not persuaded by Patent Owner’s argument regarding DDR Holdings, LLC v. Hotels.com, LP., 773 F.3d 1245 (Fed. Cir. 2014). See PO Resp. 30–32. Unlike the claimed combination of elements in DDR Holdings, the claims of the ’281 patent appear to combine elements according to their known functions to achieve routine and conventional results. See DDR Holdings¸ 773 F.3d at 1257–58. Patent Owner proffers declarations from Mr. Bill Schmidt (Ex. 2049), Mr. Kurt Pachik (Ex. 2050), and Mr. Ulf Mattsson (Ex. 2047) to demonstrate that the ’281 patent provides a novel and nonobvious solution to a problem deeply rooted in computer technology. PO Resp. 35–38. The declarations allegedly show that the invention of the ’281 patent was used to protect the formula for Coca-Cola from unauthorized access by database administrators or system administrators. Id. Mr. Schmidt’s, Mr. Pachik’s, CBM2015-00006 Patent 8,402,281 B2 35 and Mr. Mattsson’s declarations, however, fail to establish a relationship between the system provided to Coca-Cola and the claims of the ’281 patent. Mr. Schmidt makes no mention of the ’281 patent and provides no details as to the system implemented by Coca-Cola. See Ex. 2049. Mr. Pachik, a former employee of Patent Owner, testifies that he “assisted in implementing the solution provided in U.S. Patent Nos. 6,321,201 and 8,402,281 [] for Coca-Cola” but provides no details of the system. See Ex. 2050 ¶ 5. Mr. Mattsson, Chief Technology Officer of Patent Owner, testifies generally to the technology disclosed in the ’281 patent, but makes no mention of the system implemented by Coca-Cola. See Ex. 2047. We, thus, are not persuaded by the declarations of Mr. Schmidt, Mr. Pachik, and Mr. Mattsson that the ’281 patent provides a novel and nonobvious solution to a problem deeply rooted in computer technology. b. Dependent Claims 34–36, 41, 42, 48–50, 55, and 56 Petitioner argues that the dependent claims do not “contribute significant or material limitations to the abstract idea, or tie to any specific computer the abstract idea of rule-based data access.” See Pet. 22–23. According to Petitioner, these dependent claims recite fundamental and well-known concepts of limiting access within a computer system and, thus, do not add anything significant to the abstract idea. Id. Patent Owner argues that these claims are “necessarily rooted in computer technology” because each of them incorporate concrete limitations of the independent claims. PO Resp. 52–53. Dependent claims 34–36, 41, 42, 48–50, 55, and 56 further define the claimed data processing rules. Claims 34, 41, 48, and 55 further define the CBM2015-00006 Patent 8,402,281 B2 36 data processing rules as restricting access to a user, group of users, or users that are owners of a subset of data. Ex. 1001, 12:55–58, 14:15–18, 64–67, 15:27–31. Restricting access to data based upon a user is a well-known and conventional activity. See Ex. 1002 ¶ 5; Ex. 1005, 192–194 (textbook discussing user based access rules, including based upon ownership). Claims 35, 36, 49, and 50 further define the data processing rules as restricting access to a program, a group of programs, or a specified version of a program. Ex. 1001, 12:59–67, 15:1–10. Restricting access to data based upon a program or version of a program is a well-known and conventional activity. See Ex. 1002 ¶20; Ex. 1005, 192–193, Fig. 4 (textbook illustrating access right based on processes P1 and P2). We are persuaded by Petitioner that claims 34–36, 41, 42, 48–50, 55, and 56 further define the data processing rules as well-understood and conventional data access rules. Well-understood, routine, conventional activity does not add significantly more to the abstract idea. Mayo, 132 S. Ct. at 1298. c. Dependent Claims 37, 38, 42, 51, 52, and 56 Dependent claims 37, 38, 51, and 52 require that the data portion be a column or field in a database. Ex. 1001, 14:1–4, 15:10–15. Petitioner argues that these additional elements provide no meaningful limitation to the abstract idea. Pet. 22–23. Patent Owner disputes that the additional elements provide no meaningful limitation. PO Resp. 52–53. We are persuaded by Petitioner that the additional elements of dependent claims 37, 38, 51, and 52 provide no meaningful limitation to the abstract idea. Restricting access to columns or fields of databases is well- CBM2015-00006 Patent 8,402,281 B2 37 understood and conventional activity. See Ex. 1002 ¶ 36; Ex. 1005, 194, 214 (discussing access right to column and fields within records). Well- understood, routine, conventional activity does not add significantly more to the abstract idea. Mayo, 132 S. Ct. at 1298. d. Dependent Claims 39, 40, 43–46, 53, 54, and 57–60 Petitioner argues that the dependent claims do not “contribute significant or material limitations to the abstract idea or to tie to any specific computer the abstract idea of rule-based data access.” See Pet. 22–23. According to Petitioner, as an example, claims 45, 53, and 58 “add limitations directed to basic aspects of data encryption that serve as meaningless pre- and post-processing steps that do not limit the abstract idea being claimed.” Id. Patent Owner disputes that the additional limitations provide no meaningful limitation. PO Resp. 52–53. Patent Owner argues that claim 45 “specifically requires the cryptographic key [ ] be provided to a requesting entity” and claim 58 “restrict[s] access to a data portion, or one or more parts of a data portion, based on whether users or programs possess one or more specific cryptographic keys.” Id. at 52. Claims 43, 44, 57, and 58 require that access to a first or second data portion is restricted to a user or program that possess a first or second cryptographic key. Ex. 1001, 14:25–40, 16:7–22. Claims 46 and 60 recite “wherein at least one data portion comprises encrypted data.” Ex. 1001, 14:45–46, 16:28–29. Claims 45 and 59 require that “granting access to the requested data portion comprises providing the cryptographic key to a requesting entity.” Id. at 14:41–44, 16:23–27. Encrypting data using a CBM2015-00006 Patent 8,402,281 B2 38 cryptographic key and providing the key to authorized users is well- understood and conventional activity. See Ex. 1002 ¶ 36; Ex. 1005, 178, 206, 213, 229–230. Encrypting on a field level was also known. Ex. 1005, 151. Encrypting data using cryptographic keys is well-known conventional activity. Well-understood, routine, conventional activity does not add significantly more to the abstract idea. Mayo, 132 S. Ct. at 1298. e. Dependent Claims 39, 40, 42, 53, 54, and 56 Claims 42 and 56 further define the data processing rules as restricting access based on whether activity logging is occurring. Ex. 1001, 14:19–24, 16:1–6. Claims 39, 40, 53, and 54 further define the access rules as restricting access to users or programs that use a specified level of encryption to subsequently store or transmit the accessed data. Id. at 14:5– 14; 15:54–31. Petitioner argues that the dependent claims do not “contribute significant or material limitations to the abstract idea or to tie to any specific computer the abstract idea of rule-based data access.” See Pet. 22–23. The Petition, however, does not contain sufficient evidence to establish that the additional limitations required by dependent claims 39, 40, 42, 53, 54, and 56 are not significant or material. Unlike the other dependent claims, Petitioner’s evidence does not establish sufficiently that data processing rules, as defined by these dependent claims, are well-understood, routine, conventional activity that does not add significantly more to the abstract idea. We, thus, determine that Petitioner fails to establish by a preponderance of the evidence that claims 39, 40, 42, 53, 54, and 56 are patent-ineligible under 35 U.S.C. § 101. CBM2015-00006 Patent 8,402,281 B2 39 III. MOTION TO EXCLUDE Patent Owner moves to exclude Exhibit 1002, Declaration of Mr. Bruce Schneier, from the record. Mot. Exclude. Patent Owner contents that the Schneier Declaration should be excluded because Mr. Schneier’s declaration is improper under Federal Rule of Evidence (“FRE”) 702 because his declaration is incomplete and based on another expert’s opinion and that Mr. Schneier’s declaration is substantially more prejudicial than probative under FRE 403 due to the lack of credibility. Mot. Exclude at 1. We are not persuaded by Patent Owner’s argument that Mr. Schneier’s declaration should be excluded under FRE Rule 702 or 403. Patent Owner’s arguments attack the sufficiency and credibility of Mr. Schneier’s testimony. As the Board has noted in numerous cases, “the Board, sitting as a non-jury tribunal with administrative expertise, is well- positioned to determine and assign appropriate weight to the evidence presented in this trial, without resorting to formal exclusion that might later be held reversible error.” See e.g. Liberty Mutual Insurance Co. v. Progressive Casualty Insurance Co. (CBM2012-00002, Paper 66, January 23, 2014); Gnosis S.P.A., et al. v. S. Alabama Medical Science Foundation, (IPR2013-00118, Paper 64 June 20, 2014); S.E.C. v. Guenthner, 395 F. Supp. 2d 835, 842 n.3 (D. Neb. 2005); Opp. to Mot. Exclude 4. We, thus, are not persuaded by Patent Owner to exclude Exhibit 1002 and Patent Owner’s Motion to Exclude is denied. Nonetheless, we address Patent Owner’s arguments regarding the credibility of Mr. Schneier’s testimony because Patent Owner makes similar arguments in its Patent Owner Response. See PO Resp. 44–45. Patent CBM2015-00006 Patent 8,402,281 B2 40 Owner argues that we should give no weight to Mr. Schneier’s testimony because Mr. Schneier’s declaration does not provide a complete list of references that he relied upon. Id. at 44. We find this argument unpersuasive, because as Petitioner point outs, Petitioner provided a list in response to Patent Owner’s objections, as provided for by 37 C.F.R. § 42.64(2). Opp. to Mot. Exclude 1–2. Further, although Mr. Schneier testifies that he did review Dr. Shamos’ testimony, Mr. Schneier’s testimony indicates that his testimony is based upon his review of the prior art, in particular Denning, and that his testimony is similar to Dr. Shamos’ testimony because his testimony “had a lot of similarities to the book we relied upon.” Ex. 2043, 150:3–151:10. We are also not persuaded that Mr. Schneier is unqualified to testify as an expert. As Petitioner points out, Mr. Schneier has a Master’s Degree in Computer Science and holds over 79 patents relating to cryptology, computer security, and electronic commerce. Opp. to Mot. Exclude 3–4; See Ex. 1002 ¶¶ 1–7 (discussing additional credentials and qualifications). Given this, we are persuaded that Mr. Schneier is qualified to testify as an expert as to what a person of ordinary skill in the art would know or understand during the relevant time frame. IV. MOTION FOR OBSERVATIONS On October 13, 2015, Patent Owner filed a Motion for Observation Regarding Cross Examination of Reply Witness Mr. Bruce Schneier. Mot. Observation. Patent Owner’s observations comment on the cross- examination testimony of Petitioner’s declarant Mr. Bruce Schneier (Ex. 2046) given on June 12, 2015. Id. at 1. The Motion for Observation CBM2015-00006 Patent 8,402,281 B2 41 indicates that it was filed pursuant to authorization in the Scheduling Order (Paper 17). Mot. Observation 1. The scheduling order states “[a] motion for observations on cross- examination provides the parties with a mechanism to draw the Board’s attention to relevant cross-examination testimony of a reply witness because no further substantive paper is permitted after the reply” and refers to the Office Patent Trial Practice Guide. Paper 17, 3–4. The Trial Practice Guide states: In the event that cross-examination occurs after a party has filed its last substantive paper on an issue, such cross- examination may result in testimony that should be called to the Board’s attention, but the party does not believe a motion to exclude the testimony is warranted. The Board may authorize the filing of observations to identify such testimony and responses to observations, as defined below. 77 Fed. Reg. at 48768 (emphasis added). The scheduling order authorizes the filing of such a motion for observations regarding cross- examination of a reply witness by Due Date 4. 77 Fed. Reg. at 48768 (emphasis added). Mr. Schneier cross-examination testimony was given on June 12, 2015, prior to Patent Owner filing its Patent Owner’s Response, on June 22, 2105. The cross-examination did not occur after Patent Owner filed its last substantive paper. Patent Owner’s Motion for Observation, thus, is improper. The Scheduling Order did not authorize Patent Owner to file a Motion for Observation of cross-examination that occurred prior to Patent Owner filing its last substantive paper on an issue, the Patent Owner’s Response and Patent Owner did not seek other authorization for such. The improper observations are akin to an unauthorized sur-reply to argument made in CBM2015-00006 Patent 8,402,281 B2 42 Petitioner’s Reply. We, thus, expunge Patent Owner’s unauthorized observations from the record. See 37 C.F.R. § 42.7(a). V. MOTION TO AMEND Patent Owner’s Motion to Amend seeks to substitute new claims 61– 68 for challenged claims 2 and 5–18. Mot. Amend. For the reasons discussed below, Patent Owner’s Motion to Amend is denied. Section 326(d)(3) of the Statute states that “[a]n amendment under this subsection may not enlarge the scope of the claims of the patent or introduce new matter.” Similarly, Rule 42.221(2) provides that a motion to amend may be denied where the amendment does not respond to a ground of unpatentability involved in the trial and where the amendment seeks to enlarge the scope of the claims of the patent or introduces new subject matter. Rule 42.20(c) places the burden on the patent owner, as the moving party, to establish that it is entitled to the requested relief. See Microsoft Corp. v. Proxyconn, Inc.¸ 789 F.3d 1292, 1306 (Fed. Cir. 2015) (affirming the Board’s denial of a motion to amend claims where the patent owner failed to establish the patentability of the substitute claims over the prior art of record). Patent Owner, thus, must show that the proposed substitute claims are responsive to a ground of patentability, do not enlarge the scope of the claims of the patent, or introduce new matter. i. Proposed Substitute Claims Patent Owner proposes to substitute independent claims 61 and 65 for challenged independent claims 1 and 17, respectively. Mot. Amend 16–25, Appendix A. Patent Owner also proposes to substitute dependent claims 62, CBM2015-00006 Patent 8,402,281 B2 43 63, 64, 66, 67, and 68 for challenged dependent claims 12, 14, 16, 28, 30 and 32, respectively. Id. Proposed substitute claim 61 is illustrative and reproduced below with markings showing the differences with original claim 1. Deletions are shown in brackets and additions are underlined. 61. A computer-implemented data processing method for protecting data in a database comprising: maintaining [[a]] the database comprising a plurality of protected data [[portions]] element values, each protected data element value associated with a data element type; maintaining a separate data protection table comprising, for each [[of one or more of the]] data [[portions]] element type, a plurality of data processing rules associated with the data [[portion]] element type that must each be [[satisfied before]] applied to the protected data [[portion]] element value associated with the data element type before the data element value can be accessed; receiving at the database a request to access a protected data [[portions]] element value stored in the database; [[determining]] automatically calling from the database to the separate data protection table to collect [[whether]] each of the [[one or more]] plurality of data processing rules associated with the data element type associated with the requested protected data [[portions are satisfied]] element value; and [[granting access to]] controlling the accessing of the requested data [[portion responsive to]] element value in conformity with each of the [[one or more]] collected plurality of data processing rules associated with the data element type associated with the requested protected data [[portion being satisfied]] element value. CBM2015-00006 Patent 8,402,281 B2 44 Notably, proposed substitute claim 61 is amended to add a limitation that requires “automatically calling from the database to the separate data protection table to collect each of the plurality of data processing.” Proposed substitute claim 61 is also amended to delete the limitation that requires “determining whether each of the one or more plurality of data processing rules associated with the request data portion are satisfied.” Proposed substitute claim 65 contains corresponding amendments. ii. Enlarging the Scope of the Claims and Non-Responsive Pursuant to 37 C.F.R. § 42.221(a)(2)(i), a proposed substitute claim is not responsive to an alleged ground of unpatentability of a challenged claim if it does not either include or narrow each feature of the challenged claim being replaced. A patent owner may not seek to broaden a challenged claim in any respect, in the name of responding to an alleged ground of unpatentability. A proper substitute claim under 37 C.F.R. § 42.221(a)(2)(i) must only narrow the scope of the challenged claim it replaces. Similarly, under 37 C.F.R. § 42.221(a)(2)(ii), a substitute claim may not enlarge the scope of the challenged claim it replaces by eliminating any feature. See Idle Free Systems, Inc. v. Bergstrom, Inc., Case IPR2012-00027, slip op. at 5 (PTAB June 11, 2013) (Paper 26). As can be seen from proposed substitute claim 61 above, Patent Owner substantially rewrote the step of “determining whether each of the one or more data processing rules associated with the requested data portions are satisfied” (Ex. 1001, 11:26–28) to “automatically calling from the database to the separate data protection table to collect each of the plurality of data processing rules associated with the data element type associated CBM2015-00006 Patent 8,402,281 B2 45 with the requested protected data element value” (Mot. Amend 27). This effectively eliminated the determining limitation from the claim. “A proposed substitute claims in not responsive to a ground of unpatentability of a challenged claim if it removes any feature of the challenged claim being replaced.” Nichia Corp. v. Emcore Corp., Case IPR2012-00005, slip op. at 53 (PTAB Feb. 11, 2014) (Paper 68). Further, no other limitation in the proposed substitute claims requires determining whether each of the one or more data processing rules associated with the requested data portions is satisfied. Patent Owner also substantially rewrote the step of “granting access to the requested data portion responsive to each of the one or more data processing rules associated with the requested data portion being satisfied” (Ex. 1001, 11:29–31) to “controlling the accessing of the requested data element value in conformity with each of the collected plurality of data processing rules associated with the data element type associated with the requested protected data element value” (Mot. Amend 28). Amending the claims to require controlling access in conformity with the collected data processing rules instead of requiring granting access to the protected data if the data rules are satisfied impermissibly enlarges the scope of the challenged claims. Controlling the access encompasses not only granting, but also denying access. Patent Owner, thus, fails to show that the proposed substitute claims are responsive to a ground of patentability and do not enlarge the scope of the claims of the patent, as required by 35 U.S.C. § 326(d)(3) and 37 C.F.R. § 42.221(2). CBM2015-00006 Patent 8,402,281 B2 46 iii. New Subject Matter New or amended claims which introduce elements or limitations which are not supported by the original disclosure of the patent fail to satisfy the written description requirement of 35 U.S.C. § 112, first paragraph.5 Section 112, first paragraph, requires that the “specification shall contain a written description of the invention . . . .” To satisfy the written description requirement, the disclosure must reasonably convey to skilled artisans that the patentee possessed the claimed invention as of the filing date. Ariad Pharms., Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1351 (Fed. Cir. 2010) (en banc). Although the description requirement under § 112 does not demand (1) any particular form of disclosure or (2) that the specification recite the claimed invention verbatim, a description that merely renders the invention obvious does not satisfy the requirement. Id. at 1352 (citations omitted). The proposed substitute claims require automatically calling from the database to the separate data protection table to collect each of the plurality of data processing rules. Mot. Amend 27. Patent Owner argues that “[t]he ’281 Patent’s original disclosure and specification clearly define ‘automatically calling from the database to the separate data protection table’” and points to column 3, line 59 through column 4, line 2 of the ’281 patent for support. Mot. Amend 3–4. Patent Owner additionally points to page 4, lines 3–5 and 14–21; page 6, lines 6–9 and 17–25; page 6, line 35– page 7, line 8; and page 10, line 15–32 of the original disclosure. Mot. Amend 4–5. 5 We refer to the pre-AIA version of the 35 U.S.C. § 112, first paragraph, due to the date of the ’281 patent. CBM2015-00006 Patent 8,402,281 B2 47 The ’281 patent and its original disclosures, however, do not “clearly” define or describe a calling from the database to the separate date protection table. Although the ’281 patent describes a calling to collect the data protection attributes, it does not describe that the calling is from the database. See Ex. 1001, 10:48–60 (“is first collected by the system”); see id. at Abstract, 2:65–3:5, 3:59–4:2, 4:26–31, 7:63–67, 8:53–61 (describing a compelling calling to a data protection catalogue, but failing to describe the compelling calling being produced by the O-DB database). As discussed in section II (A) above, we are persuaded that one of ordinary skill in the art would know from the ’281 patent that control module 20 provides the compelling calling (see Ex. 1014 ¶¶ 15–21) and not the database and we are not persuaded by the testimony of Mr. Mattsson and Dr. Direen to the contrary (see Ex. 2045 ¶¶ 27–29; Ex. 2046 ¶¶ 58–59; Ex. 2078 ¶¶ 11–12; Ex. 2079 ¶ 8). Patent Owner, thus, fails to show that the proposed substitute claims are adequately supported by the written description and do not add new matter to the claims, as required by 35 U.S.C. § 326(d)(3) and 37 C.F.R. § 42.221(2). V. CONCLUSION We determine that Petitioner demonstrates by a preponderance of the evidence that claims 33–38, 41, 43–52, 55, and 57–60 are unpatentable under 35 U.S.C. § 101 as being directed to non-statutory subject matter and fails to demonstrate by a preponderance of the evidence that claims 39, 40, 42, 53, 54, and 56 are unpatentable under 35 U.S.C. § 101 as being directed to non-statutory subject matter. CBM2015-00006 Patent 8,402,281 B2 48 We also determine that Patent Owner fails to demonstrate that proposed substitute claims 61–68 are patentable. This is a Final Written Decision of the Board under 35 U.S.C. § 328(a). Parties to the proceeding seeking judicial review of this Decision must comply with the notice and service requirements of 37 C.F.R. § 90.2. VI. ORDER In consideration of the foregoing, it is hereby: ORDERED that claims 33–38, 41, 43–52, 55, and 57–60 of U.S. Patent No. 8,402,281 B2 are unpatentable; FURTHER ORDERED that Patent Owner’s Motion to Exclude is denied; FURTHER ORDERED that Patent Owner’s Motion for Observation (Paper 45) is expunged from the record; FURTHER ORDERED that Patent Owner’s Motion to Amend is granted as to its request to cancel claims 1–32 of U.S. Patent No. 8,402,281 B2; and FURTHER ORDERED that Patent Owner’s Motion to Amend is denied as to its request to add proposed substitute claims 61–68. PETITIONER: William J. Cass Herbert M. Bedingfield CANTOR COLBURN LLP wcass@cantorcolburn.com hbedingfield@cantorcolburn.com CBM2015-00006 Patent 8,402,281 B2 49 PATENT OWNER: Woodrow H. Pollack Michael J. Colitz, III GRAYROBINSON, P.A. woodrow.pollack@gray-robinson.com michael.colitz@gray-robinson.com Copy with citationCopy as parenthetical citation
