Preventing a Patent LawsuitHow the Apple-Samsung Verdict Should Keep CISOs on Their Toes
As a result of the recent Apple-Samsung verdict, CISOs - whether they work for government or the private sector - need to be mindful of where the software their enterprises use is being sourced from.
See Also: Top 50 Security Threats
The reason, says patent attorney Jim Denaro of the CipherLaw Group, is that patent holders who have intellectual property rights covering various aspects of information security systems may be inspired by the results of the case to undertake their own enforcement actions.
"It's not necessarily to get such a massive award as we have in this case, but it does suggest that there are victories to be had in a very public way," Denaro says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
On Aug. 24, a federal jury found Samsung guilty of willfully infringing on Apple patents in creating its own mobile products. Samsung says it would appeal the verdict, which recommends damages exceeding $1 billion.
To prepare for the potential threat of a patent lawsuit, chief information security officers need to understand the source of the software they're using. "If you use free and open-source software that's totally unsupported, then you're the bag holder, the last person who could be possibly liable for using a product that might possibly infringe a patent," Denaro explains.
However, if an organization is using a security solution provided by a vendor, that company representing the product will most likely be the one willing to take responsibility, although "the company still could be sued for patent infringement," he says.
In the interview, Denaro:
- Offers advice he would give CISOs and others charged with developing mobility security programs at end-user organizations because of the verdict;
- Explains why the court victory by Apple against Samsung could spark innovation by innovators to create IT security wares;
- Discusses how the verdict could destabilize the mobile-device marketplace.
Denaro leads the intellectual property practice at the CipherLaw Group. His practice focuses on strategic patent prosecution and counseling, patent portfolio management and patent litigation. He has particular experience in cybersecurity, computer engineering, communications, and software technologies.
Apple-Samsung Verdict: Lessons for CISOs
ERIC CHABROW: If you were advising chief information security officers at a hospital, bank or retailer - any industry for that matter - about this verdict and how it could affect their organization's mobile device policies, what would you tell them?
JIM DENARO: I would tell them that this verdict increases the likelihood that some additional patent enforcement actions will be taken in connection with information security innovation. When you look at the verdict, it's sizeable. A billion dollars is a lot of money, and there's a lot at stake. This shows a tremendous success on the part of the patent holder in this case, Apple. In light of this, other patent holders who have intellectual property rights covering various aspects of information security systems are likely to be emboldened to undertake their own enforcement actions, not necessarily to get such a massive award as we have in this case but it does suggest that there are victories to be had - and of course in patents - in a very public way. For those who are in the position of selecting what types of information security solutions to provide and to deploy, there are some basic steps that can be taken to reduce the chances that you either would be sued for patent infringement or ultimately held liable for damages if infringement is found.
CHABROW: What are those steps to be taken?
DENARO: One of the most basic steps to be taken is to be mindful of where your software is being sourced from. For example, if you use free and open source software that's totally unsupported, then in those situations you're the bag holder if you will, the last person who could be possibly liable for using a product that might possibly infringe a patent. So in those cases, the deployer of the solution is the most likely person who could be sued for patent infringement if an enforcement action is initiated.
However, if the solution being deployed is a solution that's adequately supported by some vendor in some capacity, then while the company still could be sued for patent infringement, at least there's another company standing behind that product who's willing to take responsibility for that patent infringement, and who is willing to pay the damages if any damages are actually awarded due to that patent infringement.
Impact to End-Users
CHABROW: How likely is it that an end-user organization in a case like this would be sued?
DENARO: It's a very good question. It actually is quite possible for end-users to be sued for patent infringement for using widely-available open-source solutions for information security products. For example, there's a company by the name of TQP Development that has sued over the last three years hundreds of end-users on their central cryptography patent. In that case, we see the end-users being sued. However, in most cases the end-users are not typically targeted. Usually the developer of the software is the one who's targeted, and in those cases if the patent sued against the developer is successful then the product may be discontinued or support may no longer be available or the product may just simply be redesigned to account for the patent case.
CHABROW: In this case, would it be unlikely that Apple would go after purchasers of these Android devices?
DENARO: It's usually not the case that you see the end-user being targeted because patent lawsuits are expensive. If a patent owner pursues dozens, or hundreds even, of individual end-users the cost goes up dramatically very quickly. Usually it's more efficient to sue the developer of the software product in question.
Effect on Security, Marketplace
CHABROW: How does the verdict like this one destabilize the marketplace, and how could that create flux in providing adequate security to devices that the courts could bar from being sold?
DENARO: There's a really interesting policy question behind all of this which is are patents which are granted an exclusive right essentially bad for information security to the extent that certain key technologies could be held to be proprietary and companies could be barred from using those products entirely or they could be forced to pay substantial royalties for using those products. There's the argument that as a result of patent lawsuits being brought against companies who are innovating the price of the end product produced by that company will be effectively increased by this.
In the case here with Apple and Samsung, Samsung will - if the verdict is upheld - need to pay Apple a substantial sum of money. In that case, it's quite possible that Samsung may ultimately raise the price of its product in order to accommodate that. The patent system creates a system where ultimately end-users pay more for the use of certain technologies and the monetary beneficiary of that is the inventor or the patent holder, and of course that's the system that we work with in this country where this country we have an understanding that innovation is something that's very important and it will be rewarded and the way it's rewarded is by forcing users, other users of that innovation, to pay royalties as a result of court decision.
CHABROW: Let's talk a little bit about innovation. You mentioned how a ruling like this could promote innovation in areas of technology and information security. How so?
DENARO: Often time's necessity is a great driver of innovation. In some sense, it's very easy to copy products that are successful. Sometimes successful partners and successful products are covered by patents, so copying a successful product is risky in so far as it runs a valid patent, but it's also relatively safer to make something that's also likely to be successful.
However, sometimes when companies are forced to go outside of the box and develop new technologies that aren't covered by any patents, great products can come out of that. That's the hope here that if certain information security solutions are covered by patents and perhaps maybe avoided because of that, perhaps something even better can be developed and certainly there's a lot of area for innovation in information security right now. While there are some patent lawsuits pending on various information security solutions, we expect to see continued innovation in this space and it doesn't seem that the pace of innovation will evade it all. The more likely scenario is that additional companies will be motivated to innovate in this space in some part so that they can obtain their own patents on technology and possibly license those patents or at least use those patents to protect their own innovation.
CHABROW: Without a verdict like this one, the marketplace itself isn't sufficient to create that innovation?
DENARO: The market doesn't need verdicts like this to support innovation. Innovation requires a certain amount of protection for that innovation, to the extent that companies are out there investing a lot of money in developing innovative solutions to problems. Those companies need to understand that another company cannot come along and simply copy that innovation without paying a fair price for that innovation. The legal system is not designed to give companies a huge windfall when their patents are infringed. It's designed to compensate them fairly for the value of that innovation.
In the Apple case, there's a lot of money at stake because the market has recognized that these mobile devices are incredibly important to the way we use computers today, a fundamental part of a lot of things that we're doing in business. It's not surprising to see a large value placed on that, in part because there aren't a lot of other solutions to some of the problems that are being solved that can help drive up the price of the verdict.
Apple v. Google
CHABROW: In this lawsuit, Apple took aim at Samsung but Apple's real target appears to be Google, creator of the Android operating system used by Samsung and other manufacturers. What happens next?
DENARO: What can happen next can vary. It's really largely in Apple's court at this point. There's still the outstanding issue of whether or not an injunction will be issued barring the sale of some of the products that are at issue in the lawsuit. In most cases, in the information security context, it's a little bit less common to see an injunction being granted for these types of technologies. Most of the companies that have patents in this space are looking to license their patents rather than actually stop other companies from doing it.
There are some cases where you'll see two competitors who are locked in a patent battle and it's part of the leverage in that litigation, the parties are seeking to actually prevent the sale of each other's products, but in most cases if you're simply an end-user of a product that happens to infringe a patent and you find yourself in a patent lawsuit over the use of that, typically the patent owner is simply looking for a license agreement and it's not seeking to even go to court. Most patent cases are settled before they actually go to trial, except in cases where the stakes are extremely high or you have direct competitors that are seeking to actually stop the other competitor and shut that competitor down entirely.