Patent Infringement Suits Target Smaller BanksWhat Steps Should They Be Taking to Minimize Risks?
Patent infringement suits are a growing concern for banking institutions, as response to our recent coverage related to patent disputes proves.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
These stories, Patent Lawsuits Target Eight Banks and 5 Banks Sued for Patent Infringement, also have revealed contractual challenges for smaller institutions.
So many community banks are being hit, and it's a growing concern because of emerging technology.
The primary challenge: Community banks and credit unions need indemnification provisions in the contracts they sign with third-party service providers and other vendors.
The recent onslaught of patent infringement lawsuits against these institutions has raised new awareness about the need for indemnification clauses. Under such clauses, vendors are liable for infringement if a suit over a patent succeeds.
Sadly, few community and regional institutions have taken necessary steps to ensure their contracts include those provisions, and that has opened the door for payouts when patent-holding companies file infringement suits against those institutions.
Now, those community and regional institutions are asking for help. And regulators and banking associations have roles to play, by ensuring these smaller institutions are educated about their patent rights and their vendors' liabilities.
Many of these lawsuits, filed by patent-holding companies more commonly known as patent trolls, are slamming banks and credit unions for their use of mandated and/or regulated technology and services. How can they be liable for infringing patents linked to technologies they are required to deploy?
But community institutions are not equipped to defend themselves when a patent-holding company claims infringement. So instead of litigating, like larger institutions, they often just agree to pay a royalty or settle - and the fees are getting increasingly expensive.
Smaller banks and credit unions have been voicing concerns to regulators, and regulators are listening. But it's hard to know what role, if any, regulators should play in helping to protect the institutions they oversee.
"So many community banks are being hit, and it's a growing concern because of emerging technology," says one banking executive, who asked not to be named.
As banks and credit unions invest in emerging security technologies, such as stronger authentication, transaction encryption, device identification and biometrics, their chances of being sued over some type of patent infringement increases.
This is why community banks and credit unions need to follow the lead of larger institutions and make sure that they're protected by indemnification provisions in the contracts they sign with security vendors.
Rash of Infringement Suits
In recent months, the industry has seen patent-holding companies target institutions in certain states, demanding they pay fees for using technology to comply with a specific security mandate, such as the Payment Card Industry Data Security Standard.
Steps have been taken at the state level in an attempt to curb some of these lawsuits. In May, Vermont's Attorney General sued MPHJ Technology, a Delaware-based patent-holding company, alleging that the company engaged in unfair and deceptive acts under Vermont's Consumer Protection Act. The complaint alleges that MPHJ sent deceptive letters to Vermont businesses, including banking institutions, claiming they had infringed on patents held by MPHJ and, in some cases, demanded thousands of dollars were owed for the infringement.
In July, Nebraska's attorney general ordered Texas-based law firm Farney Daniels PC, which is representing MPHJ, to stop sending letters to Nebraska businesses claiming patent infringement. The state argued that the letters violate its consumer protection laws.
And in August, Minnesota's attorney general reached a settlement with MPHJ after the state asked the firm to sign an Assurance of Discontinuance agreement to stop targeting Minnesota businesses claiming basic office equipment used to scan documents infringed a patent owned by MPHJ.
Meanwhile, community banks and credit unions are settling with patent holders because they don't have indemnification provisions included in the contracts they have with the vendors that provide the technology or service in question.
One executive at a community bank, who asked to remain anonymous, says holding service providers accountable has proven to be challenging. "There has to be some responsibility on those providing a service to banks," the executive says. "True infringement [should fall on the] company selling the service, not the user. ... But solutions to this problem are difficult to find, and, whatever the solution, it must protect patent holders and address those who directly benefit from the infringement."
Larger institutions have been demanding these provisions for years, says Matt Speare, who oversees security for Buffalo-based M & T Bank Corp., the nation's 17th largest bank holding company. M&T is among the 13 large institutions that have been that have been accused of patent infringement by patent holder Intellectual Ventures.
"Many of us already took steps in every contract to include clauses that state if the bank is sued, the company providing that software or service should then be responsible for indemnifying the results of litigation," Speare says.
M&T has made indemnification clauses mandatory. "We won't purchase the software if the vendor does not agree to the indemnification," Speare says.
But Speare acknowledges that most regional and community banking institutions haven't taken this step. "Many institutions are not sure they should be asking for these clauses," he adds.
And getting those provisions written into existing and new contracts is easier said than done.
Doug Johnson of the American Bankers Association says chief information security officers should be mindful of the technologies and solutions that patent-holding companies, such as Intellectual Ventures, are targeting, as well as "attempts by third-party technology providers to shift the legal risk for patent defenses, through contractual indemnification provisions, to the bank."
But associations, including the ABA and Independent Community Bankers Association need to do more. For example, they need to educate community institutions about why they need to review contracts and ask that indemnification provisions be included
So what's the most effective way associations can help these smaller institutions? I'd like to know what you think.