On October 10, 2019, the Patent Trial and Appeal Board (“PTAB”) issued a Final Written Decision in favor of Avepoint, Inc. (“Avepoint”) and against Onetrust, LLC (“Onetrust”) in an America Invents Act post grant review (“PGR”) of Onetrust’s U.S. Patent No. 9,691,090 B1 (“the ’090 patent”)—a patent that involves privacy management software for calculating risk. See Avepoint, Inc. v. Onetrust, LLC, PGR2018-00056, Paper 46 (PTAB Oct. 10, 2019). The court invalidated all claims as abstract under § 101.

Whereas inter partes review (“IPR”) is limited to invalidity arguments under § 102 and § 103 and only on the basis of prior art consisting of patents or printed publications, PGR is available to challenge patent claims on any ground, except for failure to disclose best mode. Here, the PTAB found that all 25 claims of the ’090 patent were directed to patent ineligible subject matter under § 101. The claims outlined steps for assessing the risk of compromised personal data, including associating certain risk factors with the data, then rating and weighing each factor to calculate overall risk level. The PTAB applied the Alice and Mayo two-step framework, guided by the United States Patent and Trademark Office’s 2019 Revised Patent Subject Matter Eligibility Guidance, to determine (1) whether the claims recite an abstract idea, (2A) if so, whether the claims are directed to a technological improvement that transforms the claims into a ‘“practical application’” of the idea, and (2B) if no practical application exists, then whether the claim elements, individually or together, amount to an ‘“inventive concept[.]’” See id. at 10, n.8.

First, the PTAB concluded that the ’090 patent claims were directed to “the long-standing and fundamental business practice of assessing and mitigating the risk of personal data being compromised” and amounted to nothing more than “a mental process that can be performed in the human mind or by a person using pen and paper” and were thus, abstract. Id. at 13–14. The PTAB equated the ’090 claims to those in Fairwarning IP, where claims were deemed abstract since they ‘“merely implement[ed] an old practice in a new environment[.]’” Id. at 15.

Second, the PTAB concluded that the ’090 patent claims were not directed to a technological improvement that amounted to a “practical application” of the idea, considering that “the ability to modify the criteria stored in the database reflects an insignificant data gathering step.” Id. at 19. The PTAB cited to the Federal Circuit’s BSG Tech decision, reemphasizing that a user’s ability to select parameters and values for information in a database ‘“improves the quality of the information added to the database, [but] an improvement to the information stored by a database is not equivalent to an improvement in the database’s functionality.”’ BSG Tech LLC v. BuySeasons Inc., 899 F.3d 1281, 1288 (Fed. Cir. 2018).

Third, the PTAB concluded that the ’090 patent claims regarding weight factors and risk ratings were well-known, routine, and conventional before the priority date. Thus, the claims did not amount to an inventive concept.

For practitioners, challengers, and patent owners, this case is a reminder that with PGR, recently issued patents are open to attack post-acceptance and on virtually any ground