Cybersecurity Litigation Tactics: Venue 

This article expands on “Tactic No. 2: Argue that venue is improper” from our previously published article “Five Tactics for Cybersecurity Companies to Defeat Patent Infringement Claims.”  

By taking a closer look at patent-specific venue law and Rule 12(b)(3) motions, cybersecurity companies can better understand how to push back against lawsuits filed in unfavorable jurisdictions and strengthen their overall litigation posture.  

Here, we outline the legal framework governing venue in patent cases, discuss how courts apply the current standard, and offer practical strategies for cybersecurity companies both before and after they are sued. 

Key points 

• Venue in patent infringement cases is governed by the patent-specific venue statute 28 U.S.C. § 1391, which courts have interpreted narrowly.  
• Establishing a “regular and established place” of business for venue purposes can be tricky for plaintiffs, as cybersecurity companies often have no physical presence in the districts in which they are sued.  
• Defendants can dispute venue through a Rule 12(b)(3) motion, but timing is critical.  

Venue basics in patent litigation 

Venue determines the proper federal judicial district in which a plaintiff may bring a lawsuit. It is distinct from personal jurisdiction; even if a court has authority over a defendant, the case must still be filed in a proper venue. 

In patent infringement cases, venue is governed not by the general venue statute, 28 U.S.C. § 1391, but by the patent-specific venue statute 28 U.S.C. § 1400(b). The Supreme Court reaffirmed this in TC Heartland, LLC v. Kraft Foods Group Brands, LLC, 581 U.S. 258 (2017), holding that § 1400(b) “is the sole and exclusive provision controlling venue in patent infringement actions” and must be applied independently of § 1391. Under § 1400(b), a patent infringement case may be brought: 

1. In the district where the defendant resides — for a domestic corporation, this means its state of incorporation, TC Heartland, 581 U.S. at 262.
2. In a district where the defendant has committed acts of infringement and has a regular and established place of business. 

This narrower venue rule has significantly curtailed plaintiffs’ ability to forum-shop in patent cases — a practice that had become routine before TC Heartland. 

If the court finds venue improper, it has discretion either to dismiss the case or to transfer it under 28 U.S.C. § 1406 to a district where venue is proper. 

Defining a “regular and established place of business” 

The most heavily litigated question in modern venue disputes is what qualifies as a “regular and established place of business” under § 1400(b). The Federal Circuit’s leading decision In re Cray, Inc., 871 F.3d 1355 (Fed. Cir. 2017), sets out three requirements: 

1. There must be a physical place in the district. The statute requires a physical, geographical location in the district from which the defendant’s business is carried out, not merely a virtual presence or electronic communications. 
2. The physical place must be a regular and established place of business. The place must operate in a steady, continuous, and non-transient manner; temporary or sporadic activity is insufficient. 
3. The physical place must be the place of the defendant. The location must be established or ratified by the defendant and under its possession or control, not simply the result of an employee’s independent actions. 

Each requirement must be satisfied. If even one is missing, venue is improper under § 1400(b). 

Common venue pitfalls in cybersecurity cases 

Because cybersecurity companies often operate in the cloud and sell products and services remotely, they frequently face venue disputes in districts where they have no physical presence. Plaintiffs may try to base venue on facts that appear substantial but fail one or more of the Cray factors: 

1. Third-party data centers. Leasing rack space or server capacity in a third-party facility does not establish venue where the defendant lacks possession or control over the site. In re Google LLC, 949 F.3d 1338 (Fed. Cir. 2020).
2. Remote employees. Employees working from home in the district generally do not establish venue unless the defendant requires them to be there, advertises the location, or otherwise holds it out as a place of business. Cray, 871 F.3d 1355. 
3. Storage of lab equipment and products in employee home. Supplying remote employees with lab equipment or product samples to support local customers does not establish venue without evidence the defendant controls or ratifies the location as its own. Monolithic Power Sys., Inc. v. Bel Power Sols. Inc., 50 F.4th 157 (Fed. Cir. 2022). 

Understanding these pitfalls is key to crafting effective Rule 12(b)(3) motions and structuring business operations to limit venue exposure. 

Timing a Rule 12(b)(3) motion 

A motion to dismiss for improper venue under Rule 12(b)(3) must be filed before the defendant submits an answer to the complaint. Failure to raise improper venue in a pre-answer motion or initial responsive pleading waives the defense. Prompt filing preserves the issue and allows the court to address venue before the case progresses to costly discovery. 

Example 

Consider a cybersecurity company incorporated in Delaware and headquartered in San Jose, California. The company has no offices in the Western District of Texas but employs two full-time sales engineers who live in the district, store demo equipment and marketing materials in their homes, and regularly visit customer sites there. The company also leases space in a third-party data center in the district to host servers supporting its nationwide security platform, but it does not own or control the facility. 

The company is sued for patent infringement in the Western District of Texas and moves to dismiss for improper venue under Rule 12(b)(3). It argues that it does not “reside” in that district and that neither the employees’ home offices nor the servers constitute a “regular and established place of business” under § 1400(b). If the court agrees that the company lacks a physical place it owns or controls in the district, it may dismiss the case or transfer it to a proper venue, such as the District of Delaware or the Northern District of California. 

Strategic considerations for cybersecurity companies 

Cybersecurity companies can consider the following proactive steps to potentially limit their venue exposure: 

1. Avoid establishing or advertising physical locations in jurisdictions where the company wants to minimize litigation risk. 
2. Carefully structure relationships with third-party data centers to limit control and possession over facilities in plaintiff-friendly districts. 
3. Refrain from directing employees to work from specific locations unless necessary and avoid publicly presenting their home offices as company locations. 
4. Draft contracts and marketing materials carefully to avoid suggesting that the company maintains offices or facilities in a district where it does not. 

Once sued, cybersecurity companies can consider the following additional steps:  

1. Move quickly to file a Rule 12(b)(3) motion before responding to the complaint on the merits. 
2. Use venue discovery strategically to rebut plaintiff claims that a company location exists in the district. 
3. Combine a venue challenge with a § 1404(a) motion to transfer as a fallback if venue is found proper but inconvenient. 
4. Coordinate arguments across cases to maintain consistency and avoid positions that could undermine venue defenses in future litigation. 

Takeaways 

Because TC Heartland narrowed the scope of proper venue in patent litigation, Rule 12(b)(3) motions have become a more useful tool for defendants — particularly in the cybersecurity sector, where companies often operate nationally or globally without physical footprints in plaintiff-friendly districts. By understanding how courts interpret the “regular and established place of business” requirement and taking proactive steps to minimize venue exposure, cybersecurity companies can significantly reduce the risk of litigating in unfavorable forums and strengthen their overall litigation strategy. 

For a broader discussion of additional tactics cybersecurity companies can use to defeat patent infringement claims, see “Five Tactics for Cybersecurity Companies to Defeat Patent Infringement Claims.”