The Supreme Court’s opinion in TC Heartland LLC v. Kraft Foods Group Brands, LLC vacated years of precedent that had imputed the concept of ‘long arm’ jurisdiction into the patent venue statute. Because TC Heartland limits where a company may be sued for patent infringement, it will have far-reaching implications in patent litigation across the U.S. For those companies now defending patent cases in patentee-friendly districts such as the E.D. of Texas, TC Heartland presents an opportunity to have the case dismissed and/or transferred to the district where the accused infringer has a regular and established place of business. At least one court has held that a party waived the defense of improper venue when it did not timely raise it, even though the defense would have been contrary to controlling authority … meaning that this issue must be addressed very early in litigation.

The patent venue statute creates two independent tests for proper venue. Either the defendant must reside in the judicial district, which now means solely the state of its incorporation, or the defendant must have committed acts of infringement and maintained a “regular and established place of business” in the forum state.

In an earlier case, the Federal Circuit held “the first test for venue under … with respect to a defendant that is a corporation, in light of the 1988 amendment to § 1391(c), is whether the defendant was subject to personal jurisdiction in the district of suit at the time the action was commenced.” TC Heartland reverses this holding and effectively changes the law. A corporation “resides” only in its State of incorporation for the purposes of the patent venue statute. Under the second test of § 1400(b), a company may only be sued where it is alleged to have “committed acts of infringement and has a regular and established place of business.” 

For years, patent owners, notably non-practicing entities, filed patent infringement suits in the E.D. of Texas, widely regarded as patent-friendly. Defendants who had very little connection with Texas often could not transfer the case because they were subject to personal jurisdiction there. That is no longer true, and the change is likely to drastically alter the dynamics of the relationship between patent holders and technology users. Now, a company must have a regular and established place of business in the state where it is sued. The fact that a defendant is authorized to do business in Texas is not controlling and will not satisfy the requirement. Likewise, having sales representatives and having a name on a building directory where the sales representative has their office will not suffice. To satisfy the venue test for a regular and established place of business, the defendants must have a permanent establishment from which they regularly conduct business.

Not enough time has elapsed to determine how the district courts will apply TC Heartland to pending cases. We expect a ruling from Judge Gilstrap on this issue soon and expect other judges in the Eastern District to follow his lead. For defendants lacking a regular and established place of business in Texas, cases in the early stages seem likely to be dismissed or transferred to the district in which a defendant has a regular and established place of business. Because of prudential concerns like judicial economy, the result may be different in cases in which the parties have completed discovery, claim construction or dispositive motions. Litigants should not delay discussions with our patent and litigation partners regarding seeking dismissal or transfer of pending matters.

Privacy and Information Security

I(‘m)SO Confused! I WannaCry!

Peruse a technology agreement these days and you’ll face an alphabet soup of acronyms. Those references, while short, are deceptively meaty. We have put together a brief glossary of some acronyms (plus some real word terms) commonly encountered in technology agreements, especially those which address privacy and information security standards.

Standards: Technology agreements often use accepted frameworks of standards in place of (or in addition to) vague terms and phrases such as ‘standards commonly used in the industry,’ ‘best practices’ and ‘reasonableness’ in order to add specificity to otherwise amorphous moving targets. Independent third parties are often used to certify compliance with particular standards such as the following:

  • COBIT: Control Objectives for Information and Related Technologies. A framework of ISACA (stands for Information Systems Audit and Control Association but now known only by its acronym) for the management of information technology systems.  
  • IEC: International Electrotechnical Commission, which prepares and publishes international standards for electrical, electronic and related technologies. These standards are often coupled with: 
  • ISO: International Organization for Standardization. It develops standards across an array of disciplines, from medical devices to social responsibility. Technology agreements often refer to those in the 27000 family of standards which address information security. 
  • PCI-DSS: Payment Card Industry Data Security Standards. Security standards issued by the PCI SSC (Payment Card Industry Security Standards Council, an independent body that was created by the major payment card brands) that promote payment card data and transaction security. The standards apply to all entities that accept, store or transmit payment card information.  

Encryption Terms: Encryption is the process of converting information into an unreadable format that can become readable again as plain text (or decrypted) with the use of an unlocking ‘key.’ It has many ‘flavors’, corresponding to differing levels of cost, effectiveness and complexity. Some use of this technique is the norm for consumer and other sensitive material.

  • Key: Something that, coupled with an algorithm (or mathematical formula), is used to decode encrypted information. It can be a password, a file, a certificate or a ‘token.’
  • Token: (1) A physical device that is used in place of (or in addition to) a password to gain electronic access to a system or information. (2) -ization, -isation. A mechanism whereby sensitive material (such as a credit card number) is encapsulated into an unreadable form for a very short period of time (e.g., 5 minutes) during which a transaction is completed and after which the data self-destructs. 
  • Bit: This refers to the length of the key. Common bit lengths are 40-bit, 128-bit and 256-bit. Generally, the longer the key the more difficult to unlock the encryption. 
  • Symmetric: When the same key is used to encrypt and decrypt information. The sender and recipient of information share a single key. 
  • Asymmetric: When a different key is used to decrypt the information than was used to encrypt it.
  • SSL: Secure Sockets Layer. A type of encryption used over networks for data in transit. Commonly used to conduct online transactions. SSL has been replaced by TLS (Transport Layer Security) but the term SSL continues to be used. 
  • AES: Advanced Encryption Standard. The industry standard of encryption recommended by the National Institute of Standards and Technology (NIST) for the most sensitive material. 
  • Patch: Software code developed by vendors for use in conjunction with already-installed code, in response to identified threats to security. Very prompt deployment is essential, and delayed deployment led, at least in large part, to ‘WannaCry.’