Blog
Patent Litigation Tactics for Cybersecurity Companies: Challenge Patent Eligibility
Fish & Richardson
Authors
-
- Name
- Person title
- Principal
This article expands on “Tactic No. 4: Attack the legal sufficiency of the plaintiff’s patent” from our previously published article “Five Tactics for Cybersecurity Companies to Defeat Patent Infringement Claims.”
By taking a closer look at patent eligibility doctrine under 35 U.S.C. § 101 and the two-step test the Supreme Court established in Alice Corp. v. CLS Bank International, 573 U.S. 208 (2014), cybersecurity companies can better understand how to challenge software patents early and dispose of infringement claims before the cost of discovery mounts.
Here, we outline the legal framework governing patent eligibility, walk through how courts apply the Alice test, discuss why software-heavy cybersecurity patents are especially vulnerable to eligibility challenges, and offer practical strategies for cybersecurity companies both before and after they are sued.
Key points
- Section 101 limits the categories of inventions that may be patented and excludes abstract ideas, laws of nature, and natural phenomena.
- Courts apply the two-step Alice test to decide whether a patent claims eligible subject matter, an inquiry that often turns on whether the claim recites an “inventive concept” beyond a generic computer implementation.
- Because many cybersecurity patents describe software functions performed on conventional hardware, they are frequent targets of Rule 12(b)(6) motions raising patent ineligibility, a powerful early-stage tool for defendants.
The basics of patent eligibility under § 101
Section 101 of the Patent Act defines the categories of patent-eligible subject matter as any “new and useful process, machine, manufacture, or composition of matter,” or any new and useful improvement thereof. The Supreme Court has long held that this provision contains implicit exceptions: laws of nature, natural phenomena, and abstract ideas are not patentable. These exceptions exist because such fundamental tools of scientific and technological work are not, by themselves, eligible for patent protection.
A patent eligibility challenge is most often raised through a motion to dismiss for failure to state a claim under Rule 12(b)(6), a motion for judgment on the pleadings, or a motion for summary judgment. Because eligibility is a question of law that can, in appropriate cases, be resolved on the pleadings, § 101 challenges offer defendants a path to early dismissal before the expense of claim construction and discovery.
The two-step Alice test
In Alice, the Supreme Court set out the now-controlling two-step test for patent eligibility. The test asks:
Alice step one: Is the claim directed to a patent-ineligible concept? The court first determines whether the claim is “directed to” a law of nature, natural phenomenon, or abstract idea. In the software context, this typically means asking whether the claim is directed to an abstract idea such as a fundamental economic practice, a method of organizing human activity, or a mathematical concept. Courts examine the claim’s focus or character as a whole, not merely whether it happens to invoke an abstract idea at some level of generality.
Alice step two: Does the claim recite an “inventive concept”? If the claim is directed to an abstract idea, the court proceeds to step two and searches for an “inventive concept” — an element or combination of elements “sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself.” Alice, 573 U.S. at 217-18. Critically, simply reciting generic computer components or instructing that an abstract idea be implemented on a general-purpose computer is not enough to supply an inventive concept.
Why cybersecurity patents are vulnerable to § 101 challenges
Patented cybersecurity inventions often are implemented entirely in software running on conventional servers, endpoints, and cloud infrastructure. That technical reality makes them frequent targets of § 101 challenges because plaintiffs must show that the claims do more than apply an abstract idea using generic computing components.
Several recurring themes appear in successful eligibility challenges against cybersecurity patents:
- Claims framed as conventional data processing. Patents that describe collecting, analyzing, comparing, or flagging data — e.g., monitoring network traffic and generating an alert — are often characterized as abstract ideas of data manipulation when the claims do not specify a concrete technological improvement.
- Functional, result-oriented claiming. Claims that recite a desired outcome — e.g., detect the intrusion, block the threat, authenticate the user — without reciting a specific technical means for achieving it are especially exposed at step two because they tend to lack an inventive concept tied to how the result is accomplished.
- Generic hardware recitations. Reciting processors, memory, servers, or “a computer network” does not save an otherwise abstract claim because those components are conventional and perform their ordinary functions.
That said, ineligibility is far from a foregone conclusion. Patented cybersecurity claims that recite a specific, non-conventional technical solution to a problem arising in computer networks — e.g., improved encryption techniques, novel architectures for isolating malicious code, or specific methods that improve the functioning of the computer itself — can satisfy Alice.
Timing and procedural considerations
Unlike Rule 12(b)(2) and Rule 12(b)(3) motions, § 101 challenges are not waived by failing to raise them before an answer; eligibility goes to the validity of the patent and can be raised throughout the litigation. Even so, the strategic value of a § 101 motion is greatest at the pleading stage, where a successful motion can end the case before the parties incur the substantial cost of claim construction and discovery.
Two procedural wrinkles deserve attention. First, although eligibility is ultimately a question of law, the Federal Circuit has recognized that step two can involve underlying questions of fact — e.g., whether particular claim elements were well-understood, routine, and conventional to a skilled artisan. Where the complaint or the patent itself raises a plausible factual dispute on that point, a court may decline to resolve eligibility on the pleadings. Second, some courts prefer to construe the claims before deciding eligibility, which can push the § 101 question past the motion-to-dismiss stage. Defendants should be prepared to explain why claim construction is unnecessary or to propose a construction that does not save the claims.
Example
Consider a cybersecurity company sued for patent infringement by a competitor that holds a patent describing a method for detecting suspicious activity by collecting log data from networked devices, comparing it against a set of rules, and generating an alert when a rule is matched. The asserted claims recite these steps performed by “a processor” and “a server” on “a computer network,” but do not specify any particular technical mechanism for collecting, comparing, or alerting beyond conventional computing operations.
The defendant moves to dismiss under Rule 12(b)(6), arguing as follows that the claims are ineligible under § 101:
- At Alice step one, the claims are directed to the abstract idea of collecting information, analyzing it against rules, and reporting the result, a familiar category of data-processing abstractions that courts have repeatedly found ineligible.
- At Alice step two, the claims add nothing inventive because they recite only generic processors, servers, and a network performing their ordinary functions, with no specific, non-conventional technical improvement to how the computer or network operates.
- Because the claims neither improve the functioning of the computer itself nor solve a problem rooted in computer-network technology, they amount to an abstract idea implemented on a generic computer.
If the court agrees that the claims are directed to an abstract idea and lack an inventive concept, and that no factual dispute or claim-construction issue precludes resolution on the pleadings, it may find the asserted claims ineligible under § 101 and dismiss the case.
Strategic considerations for cybersecurity companies
Cybersecurity companies facing or anticipating patent litigation can take the following steps to make the most of a § 101 defense:
- Evaluate eligibility at the outset. As soon as a complaint arrives, assess whether the asserted claims are vulnerable under Alice and whether a Rule 12(b)(6) motion could end the case early.
- Build the abstract-idea characterization carefully. Frame the claim’s focus at the right level of generality and identify analogous claims that courts have already found abstract while anticipating the plaintiff’s effort to recast the claims as a specific technological improvement.
- Anticipate the factual-dispute argument. Be ready to show, from the patent and the complaint themselves, that the recited components were conventional so that the plaintiff cannot manufacture a fact dispute to defeat an early motion.
Takeaways
The two-step Alice test gives cybersecurity defendants a powerful and often case-dispositive tool for challenging software patents at the earliest stage of litigation. Because patented cybersecurity inventions are so frequently implemented in software on conventional hardware, asserted claims are often vulnerable to the argument that they do no more than apply an abstract idea using a generic computer. By evaluating eligibility early, framing the abstract-idea inquiry carefully, and anticipating the plaintiff’s factual and claim-construction arguments, cybersecurity companies can use § 101 to dispose of weak infringement claims before the cost of full-blown litigation mounts.
For a broader discussion of additional tactics cybersecurity companies can use to defeat patent infringement claims, see “Five Tactics for Cybersecurity Companies to Defeat Patent Infringement Claims.”
The opinions expressed are those of the authors on the date noted above and do not necessarily reflect the views of Fish & Richardson P.C., any other of its lawyers, its clients, or any of its or their respective affiliates. This post is for general information purposes only and is not intended to be and should not be taken as legal advice. No attorney-client relationship is formed.