Intellectual Property Risks

Taking Down Trolls

With patent infringement litigation still going strong, companies seek methods of protection.
By: | May 6, 2015 • 8 min read

Patent trolls are a thorn in the side of many companies.

Even when infringement claims are weak, many firms opt to settle just to avoid having to spend millions defending them in court, experts said.

To be sure, the terms “patent troll” or “non-practicing entity” (NPE) are often used to paint with too broad of a brush, as some NPEs have legitimate reasons to sue for patent infringement, said Rudy Telscher, a partner at Harness Dickey & Pierce law firm in St. Louis.

Many individuals, smaller companies and universities that innovate don’t have an interest or resources to bring products to the market, Telscher said. Alternatively, they may have tried to make a go out of commercializing their patent, but found the competition too stiff. These entities determined that they would be better off having other companies pay them a royalty to use their invention or patented technology in their own products, and if others refuse to pay but still use their patent, then the NPEs rightfully sue.

An example of true patent troll abuse stems from when firms bought broadly worded patents that were issued by the U.S. Patent Office during the dot.com bubble of the late 1990s and early 2000s.

Those patents were analyzed by the government under less strict standards than those used today, Telscher said.

Patent trolls typically sue 20 or more companies to lower their own filing costs, then settle with individual defendants.

Rudy Telscher, partner, Harness Dickey & Pierce

“Patent troll companies invest significant time and money to pan for gold, by trying to find these old, broadly worded patents and then assert them against industries to get royalties not reasonably owed by using the high cost of patent litigation as a coercive weapon,” he said.

Fortunately, the Supreme Court’s 2014 Octane decision made it easier for defendants to get their court fees paid by trolls if they choose to defend patent cases, Telscher said.

Moreover, the Supreme Court’s 2014 Alice decision has been used by district courts to strike down software and other patents having claims drawn to “abstract ideas,” and its 2014 Nautilus decision has been used to strike down patent claims that are vague and indefinite regarding claim scope coverage.

“While the Supreme Court cases of the last year have deterred some patent trolls from asserting the weakest of patent cases, many entities are still filing such cases,” Telscher said.

The 2011 Leahy–Smith America Invents Act (AIA), which determined how many defendants could be sued in a single case, has also had some impact on patent infringement litigation — but not as much as defendants in such cases would have liked, said Brian Howard, a legal data scientist at Lex Machina, a Menlo Park, Calif., firm that tracks district court litigation.

Insignificant Decrease in Claims

Since the new rules generally caused plaintiffs to sue defendants in separate cases rather than in a single combined case, Lex Machina counted the combinations of defendants and cases after the AIA became effective (a lawsuit by one plaintiff against three defendants is now counted as three cases for the purposes of tracking).

The company found that the new rules did not drastically reduce patent case filings. The statistics from late 2011 to mid-2013 followed a trajectory consistent with that of 2009 to early 2011. Overall, 2014 saw a steady increase in case filings through April, followed by a sharp drop in May and a flat remainder of the year, leaving total filings down 21 percent from 2013.

That was “not the dramatic reduction that many were expecting,” Howard said.

Intellectual Property Insurance Services Corp., based in Louisville, Ky., offers a patent troll defense policy, said President Bob Fletcher.

If a policyholder is sued by a patent troll, the insured can solicit counsel of their choice to determine whether they would have a 51 percent chance of winning “by a preponderance of evidence,” in which case the policy would then pay for the defense. The policy covers “non-core activities” because that is the focus of many of the “bad” broadly worded patent lawsuits.

“Let’s say a firm has an Internet connection, a computer and they email something — a patent troll would sue for infringement,” he said. “For that kind of case we would not pay a settlement but would fight it to the end, because those patents never should have been granted and we would likely win. We want to teach trolls that when a client has insurance they will not settle, which will destroy the trolls’ livelihoods.”

London-based CFC Underwriting offers a variety of insurance products based on infringements of any type of intellectual property, including patents, said Erik Alsegard, intellectual property practice leader. The policies cover lawsuits regardless of whether it is a non-practicing entity or a competitive company that is suing the insured.

Before insuring, CFC reviews how companies operate, their patent risks, whether they work with a patent attorney and, where suitable, whether they run “freedom to operate” searches to mitigate the risk of patent infringement and intellectual property claims, Alsegard said.

“However, risk management and IP searches can’t 100 percent prevent claims, so that’s why insurance is really important,” he said. “The lawmakers and the courts are trying to change the behavior of patent trolls, but it is unlikely to entirely remove this risk to operating companies as the more sophisticated entities will adapt.”

Often companies will ask their suppliers to indemnify them on patent infringement lawsuits based on the product they supply, but the ability to transfer such indemnity to a supplier will depend on the strength of each party in the negotiation.

Erik Alsegard, intellectual property practice leader, CFC Underwriting

“Smaller companies are less likely to be able to negotiate away risk through contracts,” Alsegard said. “On the other hand, if a company does have to indemnify its customers, then this contractual indemnity can be insured so in a sense the insurance works as a business enabler.”

Mary Castiglia, a senior vice president at Hub International Ltd. in San Francisco, said that in the past she had been unsuccessful getting her clients to consider coverage because it had been a “fairly cumbersome underwriting process.” But now there are more options in the marketplace and firms have eased both the underwriting and claims processes. Castiglia typically works with RPX Insurance Services in San Francisco, which offers a holistic insurance and claims-settling service solution.

“We’re starting to see more interest in the marketplace to offer this type of insurance because more people are getting hit with letters from trolls,” she said.

Unified Patents in Los Altos, Calif., protects technology companies from NPE assertions using various tools, challenging patents they consider invalid using the AIA’s new “inter partes review” process, said Shawn Ambwani, chief operating officer. Since starting the challenges in 2012, Unified has invalidated two patents and has settled two others in which the NPEs agreed to not sue Unified’s members.

“In no case do we give NPEs any money, since we believe paying NPEs only ‘feeds the beast,’ ” Ambwani said.

Problems for Startups

Lori Johnson, a shareholder and intellectual property lawyer in the Atlanta office of law firm Chamberlain Hrdlicka, works with several large companies that budget for patent infringement claims by trolls and other entities rather than buy insurance.

However, startups should consider buying insurance, because many troll suits target the software within their websites.

“The asserted patents may have little to do with the underlying business the startup is engaged in,” Johnson said.

Startups should also consider requesting indemnification from their web development company, she said. If the development company is using off-the-shelf software, they may feel comfortable providing indemnity, but if they’re using cutting-edge software, “it’s a red flag if they do not even want to talk indemnification.”

“Most firms don’t want to indemnify if they can help it, but if they’re not even willing to talk about it, that would make me nervous,” Johnson said. “I would recommend shopping for another web developer that might be more willing to indemnify or more capable of handling a suit.”

One NPE that is fighting against the patent troll stigma is Finjan Holdings Inc. in East Palo Alto, Calif., said Phil Hartstein, president and chief executive officer. Finjan was formed in 1997 first as a software company and then as a hardware company, raising $65 million in capital over a number of rounds between 1998 and 2006 to develop content inspection technologies.

In 2005, the company struck its first licensing deal with Microsoft, without having to litigate, Hartstein said. Finjan ultimately divested the technology company. Today, it’s a publicly traded entity that seeks first to make licensing deals with companies using its patents before litigating. Major funds and companies have invested in Finjan, including Cisco Systems Inc.

“It’s very easy to name call and put everyone in the same category,” he said. “But we say, hold on a second! Let’s not throw away 225 years of patenting innovations that have built value in the economy. Let’s focus instead on giving those that exhibit positive, ethical behaviors the freedom to continue down this road.”

Finjan has posted four core values and seven best practices based on such behaviors on its website, and is working with the American Intellectual Property Law Association and the Licensing Executives Society to build certification programs for licensing entities. The American National Standards Institute has agreed to be the governing body for the “LES Standards Pilot Program.”

“If there is an opportunity for us to participate in establishing credibility in the licensing industry by disseminating best practices, that enables us to move out of the shadows of litigation arbitrage and back into the credible exchange of ideas for invested capital,” Hartstein said.

Katie Kuehner-Hebert is a freelance writer based in California. She has more than two decades of journalism experience and expertise in financial writing. She can be reached at [email protected]

More from Risk & Insurance

Cyber Resilience

No, Seriously. You Need a Comprehensive Cyber Incident Response Plan Before It’s Too Late.

Awareness of cyber risk is increasing, but some companies may be neglecting to prepare adequate response plans that could save them millions. 
By: | June 1, 2018 • 7 min read

To minimize the financial and reputational damage from a cyber attack, it is absolutely critical that businesses have a cyber incident response plan.

“Sadly, not all yet do,” said David Legassick, head of life sciences, tech and cyber, CNA Hardy.

In the event of a breach, a company must be able to quickly identify and contain the problem, assess the level of impact, communicate internally and externally, recover where possible any lost data or functionality needed to resume business operations and act quickly to manage potential reputational risk.

This can only be achieved with help from the right external experts and the design and practice of a well-honed internal response.

The first step a company must take, said Legassick, is to understand its cyber exposures through asset identification, classification, risk assessment and protection measures, both technological and human.

According to Raf Sanchez, international breach response manager, Beazley, cyber-response plans should be flexible and applicable to a wide range of incidents, “not just a list of consecutive steps.”

They also should bring together key stakeholders and specify end goals.

Jason J. Hogg, CEO, Aon Cyber Solutions

With bad actors becoming increasingly sophisticated and often acting in groups, attack vectors can hit companies from multiple angles simultaneously, meaning a holistic approach is essential, agreed Jason J. Hogg, CEO, Aon Cyber Solutions.

“Collaboration is key — you have to take silos down and work in a cross-functional manner.”

This means assembling a response team including individuals from IT, legal, operations, risk management, HR, finance and the board — each of whom must be well drilled in their responsibilities in the event of a breach.

“You can’t pick your players on the day of the game,” said Hogg. “Response times are critical, so speed and timing are of the essence. You should also have a very clear communication plan to keep the CEO and board of directors informed of recommended courses of action and timing expectations.”

People on the incident response team must have sufficient technical skills and access to critical third parties to be able to make decisions and move to contain incidents fast. Knowledge of the company’s data and network topology is also key, said Legassick.

“Perhaps most important of all,” he added, “is to capture in detail how, when, where and why an incident occurred so there is a feedback loop that ensures each threat makes the cyber defense stronger.”

Cyber insurance can play a key role by providing a range of experts such as forensic analysts to help manage a cyber breach quickly and effectively (as well as PR and legal help). However, the learning process should begin before a breach occurs.

Practice Makes Perfect

“Any incident response plan is only as strong as the practice that goes into it,” explained Mike Peters, vice president, IT, RIMS — who also conducts stress testing through his firm Sentinel Cyber Defense Advisors.

Unless companies have an ethical hacker or certified information security officer on board who can conduct sophisticated simulated attacks, Peters recommended they hire third-party experts to test their networks for weaknesses, remediate these issues and retest again for vulnerabilities that haven’t been patched or have newly appeared.

“You need to plan for every type of threat that’s out there,” he added.

Hogg agreed that bringing third parties in to conduct tests brings “fresh thinking, best practice and cross-pollination of learnings from testing plans across a multitude of industries and enterprises.”

Legassick added that companies should test their plans at least annually, updating procedures whenever there is a significant change in business activity, technology or location.

“As companies expand, cyber security is not always front of mind, but new operations and territories all expose a company to new risks.”

For smaller companies that might not have the resources or the expertise to develop an internal cyber response plan from whole cloth, some carriers offer their own cyber risk resources online.

Evan Fenaroli, an underwriting product manager with the Philadelphia Insurance Companies (PHLY), said his company hosts an eRiskHub, which gives PHLY clients a place to start looking for cyber event response answers.

That includes access to a pool of attorneys who can guide company executives in creating a plan.

“It’s something at the highest level that needs to be a priority,” Fenaroli said. For those just getting started, Fenaroli provided a checklist for consideration:

  • Purchase cyber insurance, read the policy and understand its notice requirements.
  • Work with an attorney to develop a cyber event response plan that you can customize to your business.
  • Identify stakeholders within the company who will own the plan and its execution.
  • Find outside forensics experts that the company can call in an emergency.
  • Identify a public relations expert who can be called in the case of an event that could be leaked to the press or otherwise become newsworthy.

“When all of these things fall into place, the outcome is far better in that there isn’t a panic,” said Fenaroli, who, like others, recommends the plan be tested at least annually.

Cyber’s Physical Threat

With the digital and physical worlds converging due to the rise of the Internet of Things, Hogg reminded companies: “You can’t just test in the virtual world — testing physical end-point security is critical too.”

How that testing is communicated to underwriters should also be a key focus, said Rich DePiero, head of cyber, North America, Swiss Re Corporate Solutions.

Don’t just report on what went well; it’s far more believable for an underwriter to hear what didn’t go well, he said.

“If I hear a client say it is perfect and then I look at some of the results of the responses to breaches last year, there is a disconnect. Help us understand what you learned and what you worked out. You want things to fail during these incident response tests, because that is how we learn,” he explained.

“Bringing in these outside firms, detailing what they learned and defining roles and responsibilities in the event of an incident is really the best practice, and we are seeing more and more companies do that.”

Support from the Board

Good cyber protection is built around a combination of process, technology, learning and people. While not every cyber incident needs to be reported to the boardroom, senior management has a key role in creating a culture of planning and risk awareness.

David Legassick, head of life sciences, tech and cyber, CNA Hardy

“Cyber is a boardroom risk. If it is not taken seriously at boardroom level, you are more than likely to suffer a network breach,” Legassick said.

However, getting board buy-in or buy-in from the C-suite is not always easy.

“C-suite executives often put off testing crisis plans as they get in the way of the day job. The irony here is obvious given how disruptive an incident can be,” said Sanchez.

“The C-suite must demonstrate its support for incident response planning and that it expects staff at all levels of the organization to play their part in recovering from serious incidents.”

“What these people need from the board is support,” said Jill Salmon, New York-based vice president, head of cyber/tech/MPL, Berkshire Hathaway Specialty Insurance.

“I don’t know that the information security folks are looking for direction from the board as much as they are looking for support from a resources standpoint and a visibility standpoint.

“They’ve got to be aware of what they need and they need to have the money to be able to build it up to that level,” she said.

Without that support, according to Legassick, failure to empower and encourage the IT team to manage cyber threats holistically through integration with the rest of the organization, particularly risk managers, becomes a common mistake.

He also warned that “blame culture” can prevent staff from escalating problems to management in a timely manner.

Collaboration and Communication

Given that cyber incident response truly is a team effort, it is therefore essential that a culture of collaboration, preparation and practice is embedded from the top down.

One of the biggest tripping points for companies — and an area that has done the most damage from a reputational perspective — is in how quickly and effectively the company communicates to the public in the aftermath of a cyber event.

Salmon said of all the cyber incident response plans she has seen, the companies that have impressed her most are those that have written mock press releases and rehearsed how they are going to respond to the media in the aftermath of an event.

“We have seen so many companies trip up in that regard,” she said. “There have been examples of companies taking too long and then not explaining why it took them so long. It’s like any other crisis — the way that you are communicating it to the public is really important.”

Antony Ireland is a London-based financial journalist. He can be reached at [email protected] Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]