Many resources are being devoted to preventing data breaches and protecting privacy.  In fact, patents have issued on various approaches.  But are those approaches really patentable?   In a recent challenge to OneTrust’s patent, which is related to data privacy risk, the Patent Trial and Appeal Board (“PTAB”) found the subject matter patent ineligible.

OneTrust’s patent, U.S. Patent No. 9,691,090 (“’090 Patent”), relates to privacy management software that calculates the risk to personal data that has been collected and is being used, for example, by a business.  OneTrust explained its software platform is used by companies to comply with data privacy regulations.

AvePoint, a New Jersey company that provides data protection solutions, challenged the validity of the ‘090 Patent via a petition for post-grant review (“PGR”).  The PGR procedure for challenging the validity of a patent offers more options than the more commonly used inter partes review (“IPR”), but PGR is only available within nine months of a patent’s issue, or reissue, date and only if the patent has a priority date later than March 15, 2013.  The one exception is that PGR became available for all covered business method patents regardless of priority date on September 16, 2012.

Specifically, in challenging the ‘090 Patent, AvePoint asserted that OneTrust’s patent was invalid as an abstract idea in light of Alice v. CLS Bank.  In Alice, the Supreme Court recognized that “laws of nature, natural phenomena, and abstract ideas” are not patent-eligible subject matter under 35 U.S.C. § 101.  AvePoint argued that “assessing the risk of personal data being compromised” is analogous to the abstract idea of “mitigating risk” that was found to be “a patent-ineligible method of organizing human activity in Alice and Bilski.”  Further, “AvePoint also characterize[d] the claims as reciting a patent-ineligible ‘mental process.’”

To provide guidance for evaluating whether a patent is directed to an ineligible abstract idea, the PTAB issued the 2019 Revised Patent Subject Matter Eligibility Guidance (“Office Guidance”).  The Office Guidance “explains that abstract ideas can be grouped as, e.g., mathematical concepts, certain methods of organizing human activity, and mental processes.”  When a claim goes to one of these categories, the Office Guidance requires determining whether the abstract idea is integrated “into a practical application.”  If not, then a determination must be made as to whether it meets the “inventive concept” test.  An abstract idea failing all these tests is not patent eligible.

In OneTrust’s response rather than counter “AvePoint’s contention that the claims recite a mental process or a method of organizing human activity, OneTrust focuse[d] on the question of whether the claims are directed to a ‘technical improvement’ that integrates the abstract idea into a practical application.”  If so, the claims would be patent eligible.

In evaluating the ‘090 Patent, the PTAB explained that the patent discloses steps for assessing the risk that personal data will be compromised by associating risk factors with the data, such as “where personal data comes from, where is it stored, who is using it, where it has been transferred, and for what purpose is it being used.”  “A ‘weighting factor’ and a ‘relative risk rating’ are assigned to each of those factors.”  Those values are combined by an algorithm to determine an overall risk level for the data.

Applying the Alice framework and taking into account the Office Guidance, the PTAB considered “whether the claims recite an abstract idea, and if so, whether the claims are otherwise directed to a technological improvement that transforms them into a ‘practical application’ of the idea.”  The PTAB also considered “whether any claim elements either individually or in combination, amount to an ‘inventive concept.’”

As a result, the PTAB found that OneTrust’s approach was “nothing more than a mental process that can be performed in the human mind or by a person using pen and paper.”  Further, the PTAB stated this approach “is plainly directed to the long-standing and fundamental business practice of assessing and mitigating the risk of personal data being compromised.”

OneTrust argued that rather than being directed to an abstract idea, the “claims are directed to a ‘technical improvement’ or ‘solution’ because an organization … can customize the weighting factor and the relative risk rating to reflects the organization’s own particular needs” thus “avoiding the need for custom built or in-house solutions.”  Therefore, according to OneTrust, the ‘090 Patent is patent eligible because it “focus[es] on an improvement in computer capabilities.”

The PTAB disagreed stating the fact “[t]hat the user organization may modify the default settings in the Risk Assessment Module reflects simply a benefit to the user’s input of information, not an improvement to the database’s functionality.”   As the Federal Circuit has previously held “an improvement to the information stored by a database is not equivalent to an improvement in the database’s functionality.”  Thus, OneTrust’s ‘090 Patent did not qualify as a patent-eligible improvement in computer capabilities.

The PTAB went on to consider whether “an element or combination of elements in the claims involve ‘significantly more’ than the performance of ‘well understood, routine, conventional activities previously known to the industry.’”  AvePoint argued that the independent claims recite only “conventional and functional components incidental to implementing the abstract idea of assessing the risk of a business operation that uses personal data.”  OneTrust countered that AvePoint “fail[ed] to support its attorney argument with actual evidence.”  The PTAB agreed with AvePoint that “the generic computer components recited … are not an inventive concept.”  Further, the PTAB found the same to be true for the dependent claims.

As a result, the PTAB found that the ‘090 claims do not recite patent eligible subject matter and are thus unpatentable.  Time will tell whether other methods for protecting data privacy will be found to include inventive concepts that elevate an abstract idea to patent-eligible subject matter.