Over the years on Taft’s Privacy and Data Security Insights, we have written on the risk of data breaches and the specific impact on privacy, or the compromise of confidentiality of personally identifiable information. However, many clients forget to also consider the value in other information they possess, specifically proprietary information, information subject to trade secret, and intellectual property. Today we will discuss how failing to account for intellectual property in your data security program can be costly, especially in the event of a data breach.
Intellectual property and specifically patent protection is a critical component for the success of many U.S. businesses, both large and small. As the desire to obtain patent protection grows, so too does the occurrence of data theft and other data breaches. Therefore, companies need to know whether an invention is still patentable if the propriety information underlying the invention is the subject of a data breach or other cyber security failure. The question applies whether a data breach is accidental or malicious and whether it is perpetrated by an outside source or by an employee of the company. The answer is the same: the patent rights are likely forfeited.
On March 16, 2013, the U.S. patent law switched from a “first-to-invent” system to a “first inventor-to-file” system, which is now known as the America Invents Act, or the AIA. Under the AIA, a person or company “shall be entitled to a patent unless . . . the claimed invention was . . . in public use, on sale, or otherwise available to the public” prior to the filing of a patent application. See 35 U.S.C. § 102(a)(1). An exception is available for a disclosure made “one year or less” before the filing date “if the disclosure was made by the inventor or joint inventor or by another who obtained the subject matter disclosed directly or indirectly from the inventor . . . .” See 35 U.S.C. § 102(b)(1)(A). When initially passed into law, the exact boundaries of the grace period were uncertain and not yet addressed by federal courts, which left unanswered questions for U.S. companies. For example, does an unauthorized public disclosure destroy patent rights, or does it constitute a disclosure of subject matter “obtained . . . directly or indirectly from the inventor,” such that the post-AIA § 102(b) grace period is triggered?
Prior to the AIA, it was “well settled that the ‘on sale’ bar [preventing patentability] applie[d] to sales made by the inventor or another, with or without the inventor’s consent.” Pennwalt Corp. v. Akzona Inc., 740 F.2d 1573, 1580 (Fed. Cir. 1984) (citing Andrews v. Hovey, 124 U.S. 694, 719, 8 S.Ct. 676, 31 L.Ed. 557 (1888). See also ResQNet.com, Inc. v. Lansa, Inc., 594 F.3d 860, 866 (Fed. Cir. 2010) (stating that “[a]n offer for sale, sale, or public use, if more than one year before the patent application was filed, will bar patenting of the product, even if the sale was not authorized by the patentee.” Although well settled in the pre-AIA era, this issue had rarely been revisited by federal courts under the current AIA regime. However, in 2019, a Texas district court determined that the above mentioned Pennwalt and ResQNet.com Federal Circuit decisions and the Andrews Supreme Court decision were still good law under the AIA system. See SFMC Techs., Inc. v. OneSubsea IP UK Ltd., 412 F. Supp. 3d 706, 712 (S.D. Tex. 2019) (citing each of the above-mentioned excerpts).
Based on these court cases, companies should reasonably expect that if their propriety information is maliciously misappropriated or even accidentally leaked and made publically available, there will be a bar to obtaining patent rights based on that information. These Courts’ decisions and their consequences may seem harsh, but they are meant to reinforce the Federal Circuit’s public policy position “encouraging early filing of patent applications.” See In re Caveney, 761 F.2d 671, 676 (Fed. Cir. 1985); id. (finding that “policy favoring early filing of patent applications justif[ies] application of the ‘on sale’ bar….”).
So what to do? The following are but a few steps a company can take to assert applicable rights and controls over such information and reduce the risk of unauthorized or premature disclosure.
- Data classification. Companies should have a system in place to properly identify propriety information and new inventions as early as possible in their ideation phase.
- Administrative safeguards. For any such information subject to a potential patent application or trade secret, the company should have written policies and procedures to ensure such materials are marked, processed and used in accordance with company policy to maintain proper confidentiality and secrecy. To the degree appropriate, the company should have agreements in place with any individuals or third parties that might have access to such information ensuring appropriate safeguards are taken with such information.
- Technical safeguards. Alongside those administrative safeguards, a company should apply appropriate and reasonable technical safeguards to keep such information confidential and limit use only to those company individuals with a business “need to know.” Such controls can include access controls, strong authentication and encryption.
- Physical safeguards. Likewise, the company should implement physical safeguards to limit physical access to such sensitive information whenever possible. Such safeguards can include passkeys, locks, screen locks on computer screens, visitor management policies and possibly surveillance.
- Timely filing. Regardless, patent applications should be filed on this propriety information as soon as possible to avoid potential loss of patent rights resulting from a data breach, misappropriation, or other cybersecurity failure.
As with all things security and intellectual property-related, this is not an exhaustive list. Always consult legal counsel to ensure you preserve as many rights and options as you can. Taft’s Privacy & Data Security Practice and Intellectual Property Practice are poised to be of assistance.