`571-272-7822
`
`
`
`
`Paper 46
`Date: October 10, 2019
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`AVEPOINT, INC.,
`Petitioner,
`
`v.
`
`ONETRUST, LLC,
`Patent Owner.
`____________
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`____________
`
`
`Before BART A. GERSTENBLITH, CARL M. DEFRANCO, and
`MATTHEW S. MEYERS, Administrative Patent Judges.
`
`DEFRANCO, Administrative Patent Judge.
`
`
`JUDGMENT
`Final Written Decision
`Determining All Challenged Claims Unpatentable
`35 U.S.C. § 328(a)
`
`OneTrust, LLC is the owner of U.S. Patent No. 9,691,090 B1, which
`
`includes twenty-five claims. Ex. 1001 (“the ’090 patent”). AvePoint, Inc.
`
`filed a petition for post-grant review of all twenty-five claims of the
`
`’090 patent. Paper 1 (“Pet.”). We instituted post-grant review of all claims
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`as challenged in the Petition. Paper 9 (“Inst. Dec.”). OneTrust filed a Patent
`
`Owner Response. Paper 20 (“PO Resp.”). AvePoint filed a Reply.
`
`Paper 24 (“Pet. Reply”). And OneTrust filed a Sur-Reply. Paper 30 (“Sur-
`
`Reply”). In addition, OneTrust moved to strike a purportedly “new” expert
`
`declaration submitted with AvePoint’s Reply. Paper 27 (“Mot. To Strike”).
`
`And AvePoint followed with its own motion to exclude the declaration of
`
`OneTrust’s expert. Paper 34 (“Mot. to Exclude”).
`
`We have jurisdiction under 35 U.S.C. § 6. An oral hearing was
`
`conducted on June 28, 2019. Paper 45 (“Tr.”). After considering the
`
`parties’ arguments and supporting evidence, we determine that AvePoint has
`
`proven, by a preponderance of the evidence, that claims 1–25 of the
`
`’090 patent are unpatentable. 35 U.S.C. § 326(e). Also, we deny
`
`OneTrust’s motion to strike and AvePoint’s motion to exclude.
`
`I. BACKGROUND
`
`A. The ’090 Patent
`
`The ’090 patent issued June 27, 2017, and claims priority to a
`
`provisional application filed April 1, 2016.1 Ex. 1001, codes (45), (60),
`
`1:10–20. The ’090 patent describes “a data processing system and method
`
`. . . for electronically receiving the input of campaign data associated with a
`
`privacy campaign, and electronically calculating a risk level for the privacy
`
`campaign based on the campaign data.” Id. at 2:59–63; see also id. at 1:24–
`
`
`1 The ’090 patent is eligible for post-grant review because AvePoint filed its
`Petition within nine months from the ’090 patent’s issue date, and the
`earliest possible priority date of the ’090 patent is after March 16, 2013 (the
`effective date for the first inventor to file provisions of the Leahy-Smith
`America Invents Act). See 35 U.S.C. § 321. OneTrust does not contest the
`eligibility of the ’090 patent for post-grant review.
`
`2
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`29 (describing essentially same). According to the ’090 patent, a “privacy
`
`campaign may be any business function, system, product, technology,
`
`process, project, engagement, initiative, campaign, etc., that may utilize
`
`personal data collected from one or more persons or entities.” Id. at 2:53–
`
`56.
`
`The “Background” section of the ’090 patent explains that certain
`
`regulations in the United States, Canada, and the European Union require
`
`companies to conduct privacy impact assessments or data protection risk
`
`assessments. Id. at 1:62–2:9. “For many companies handling personal
`
`data,” these risk assessments “are not just a best practice, they are a
`
`requirement . . . to ensure that their treatment of personal data comports with
`
`the expectations of [regulators].” Id. at 2:21–29. The ’090 patent identifies
`
`“Facebook and Google,” in particular, as being required to show that their
`
`data protection risk assessments comply with federal privacy regulations.
`
`Id.
`
`With that in mind, the ’090 patent provides “a system for
`
`operationalizing privacy compliance.” Id. at 2:46–47. As described, the
`
`system is comprised of “servers and client computing devices that execute
`
`one or more software modules that perform functions and methods related to
`
`the input, processing, storage, retrieval, and display of campaign data
`
`related to a privacy campaign.” Id. at 2:48–52 (emphasis added). “The
`
`system presents on one or more graphical user interfaces a plurality of
`
`prompts for the input of campaign data related to the privacy campaign.” Id.
`
`at 3:1–4. Then, “[u]sing a microprocessor, the system calculates a ‘Risk
`
`Level’ for the campaign based on the campaign data, . . . and digitally stores
`
`the risk level.” Id. at 3:2–21. The system calculates the risk level based on
`
`3
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`risk factors, which the background of the ’090 patent lists as “where
`
`personal data comes from, where is it stored, who is using it, where it has
`
`been transferred, and for what purpose is it being used.” Id. at 2:29–34. A
`
`“weighting factor” and a “relative risk rating” are assigned to each of those
`
`factors. Id. at 4:44–64. “Based on weighting factors and the relative risk
`
`rating for each of the plurality of [risk] factors,” the system “may use an
`
`algorithm” to calculate the risk level, for example,
`
`as the sum of a plurality of: a weighting factor multiplied by the
`relative risk rating of the factor (i.e., Risk Level for campaign =
`(Weighting Factor of Factor 1) * (Relative Risk Rating of
`Factor 1) + (Weighting Factor of Factor 2) * (Relative Risk
`Rating of Factor 2) + . . . (Weighting Factor of Factor N) *
`(Relative Risk Rating of Factor N).
`
`
`
`Id. at 4:64–5:7.
`
`B. The Challenged Claims
`
`The ’090 patent has two independent claims—method claims 1 and
`
`21—which recite essentially the same steps for calculating a risk level for a
`
`privacy campaign.2 Claim 1 is representative and recites:
`
`1. A computer-implemented data processing method for
`electronically receiving the input of campaign data related to a
`privacy campaign and electronically calculating a risk level for
`the privacy campaign based on the data input, comprising:
`
`
`
`displaying on a graphical user interface a prompt to create
`an electronic record for a privacy campaign, wherein the privacy
`campaign utilizes personal data collected from at least one or
`more persons or one or more entities;
`
`
`
`receiving a command to create an electronic record for the
`privacy campaign;
`
`
`
`
`2 Claim 21 merely adds the step of “initiating electronic communications to
`facilitate the input of campaign data by the one or more users.”
`
`4
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`
`creating an electronic record for the privacy campaign and
`digitally storing the record;
`
`
`
`presenting on one or more graphical user interfaces a
`plurality of prompts for the input of campaign data related to the
`privacy campaign;
`
`
`
`
`
`electronically receiving campaign data input by one or
`more users, wherein the campaign data comprises each of:
`a description of the campaign;
`an identification of one or more types of personal
`data collected as part of the campaign;
`at least one subject from which the personal data
`was collected;
`a storage location where the personal data is to be
`stored; and
`data indicating who will have access to the personal
`
`data;
`
`
`
`processing the campaign data by electronically associating
`the campaign data with the record for the privacy campaign;
`digitally storing the campaign data associated with the
`record for the campaign;
`
`
`
`
`
`using one or more computer processors, calculating a risk
`level for the campaign based on the campaign data and
`electronically associating the risk level with the record for the
`campaign, wherein calculating the risk level for the campaign
`comprises:
`
`
`
`electronically retrieving, from a database, the
`campaign data associated with the record for the
`campaign;
`electronically determining a weighting factor for
`each of a plurality of risk factors, wherein the plurality of
`risk factors includes:
`a nature of the personal data associated with
`the campaign;
`a physical location of the personal data
`associated with the campaign;
`a number of individuals having access to the
`personal data associated with the campaign;
`
`5
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`
`a length of time that the personal data
`associated with the campaign will be retained in
`storage;
`a type of individual from which the personal
`data associated with the campaign originated; and
`a country of residence of at least one subject
`from which the personal data was collected;
`
`
`
`
`
`electronically determining a relative risk rating for
`each of the plurality of risk factors; and
`electronically calculating a risk level for the
`campaign based upon, for each respective one of the
`plurality of risk factors, the relative risk rating for the
`respective risk factor and the weighting factor for the risk
`factor; and
`digitally storing the risk level associated with the record
`for the campaign.
`
`
`
`
`Ex. 1001, 34:34–35:32 (emphases added).
`
`C. The Asserted Grounds of Unpatentability
`
`AvePoint asserts the following grounds in challenging the
`
`patentability of claims 1–25 (Pet. 13–14):
`
`Challenged Claims 35 U.S.C.
`1–25
`§ 101
`
`
`
`Basis
`
`1–25
`
`§ 103
`
`McQuay,3 Hunton,4 Clayton,5 and
`Belani6
`
`
`3 U.S. Patent No. 8,966,575 B2, iss. Feb. 24, 2015 (Ex. 1005, “McQuay”).
`4 Hunton & Williams, CENTER FOR INFORMATION POLICY LEADERSHIP, The
`Role of Risk Management in Data Protection, 31 pp. (Nov. 23, 2014)
`(Ex. 1008, “Hunton”).
`
`5 U.S. Patent No. 6,904,417 B2, iss. June 7, 2005 (Ex. 1007, “Clayton”).
`6 U.S. Patent App. Pub. No. US 2012/0110674 A1, pub. May 3, 2012
`(Ex. 1006, “Belani”).
`
`6
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`
`1–25
`
`§ 103
`
`AvePoint’s Software Product7 alone
`or in combination with McQuay,
`Hunton, Clayton, and/or Belani
`
`A. Claim Construction
`
`II. ANALYSIS
`
`We give claim terms in an unexpired patent their broadest reasonable
`
`interpretation in light of the specification of the patent in which they appear.
`
`37 C.F.R. § 42.200(b) (2017). Here, AvePoint proposes a construction for
`
`the claimed steps of “determining a weighting factor,” “determining a
`
`relative risk rating,” and “calculating a risk level.” Pet. 24–28. According
`
`to AvePoint, the combination of those steps means
`
`each risk factor is given a relative risk rating based on known
`risk associated with that factor, a weight is given to each risk
`factor based on known risk associated with that factor, and the
`only calculation described is an algorithm multiplies the relative
`risk rating by the weighting factor to obtain a value for each risk
`factor that indicates the security risk for that attribute of personal
`data, then the algorithm adds together all the values for the risk
`factors to calculate an overall risk level for the campaign.
`
`
`
`Id. at 28 (emphases added).
`
`OneTrust responds that AvePoint’s proposed construction “conflates
`
`the two steps into one,” and “reads out the requirement of separate
`
`‘weighting factors’ and ‘relative risk ratings’” for each of the respective risk
`
`factors. PO Resp. 31–32. As such, OneTrust asserts that we “should give
`
`the claim language its plain and ordinary meaning, which requires a separate
`
`‘weighting factor’ and ‘relative risk rating’ for each respective risk factor.”
`
`Id. at 34.
`
`
`7 AVEPOINT PRIVACY IMPACT ASSESSMENT USER GUIDE (Ex. 1023).
`
`7
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`
`We do not view AvePoint’s proposed construction in the manner
`
`OneTrust would have us. In our view, AvePoint makes clear in the Petition
`
`that “[e]ach particular risk factor is assigned a weighting factor . . . as well
`
`as a risk rating.” Pet. 24; see also id. at 28 (“each risk factor is given a
`
`relative risk rating . . . a weight is given to each risk factor”). Indeed,
`
`AvePoint points expressly to the ’090 patent’s description of the weighting
`
`factor being multiplied by the risk rating to produce a single value for each
`
`risk factor. Id. at 25 (citing Ex. 1001, 5:1–7). Those assertions show that
`
`AvePoint fully recognizes the distinction in assigning both a “weighting
`
`factor” and a “risk rating” to each risk factor in the calculation of a risk
`
`level. In any event, AvePoint subsequently made clear in its Reply that it
`
`agrees with OneTrust’s proposed construction. Pet. Reply 4–5. Thus, we
`
`adopt OneTrust’s construction that the claim language “requires a separate
`
`‘weighting factor’ and ‘relative risk rating’ for each respective risk factor.”
`
`PO Resp. 31, 34; see also Ex. 1001, 4:59–5:15, 20:30–35 (supporting that
`
`the claimed “weighting factor” and “relative risk rating” are distinct
`
`“numerical” values).
`
`That said, however, we reject any attempt by OneTrust to limit the
`
`meaning of the claimed “weighting factor” and “relative risk rating” to
`
`values that are only “customizable.” PO Resp. 34 (citing Ex. 1001, 18:58–
`
`67, 20:10–55). Neither the claim language nor the Specification support
`
`such a narrow construction. Indeed, the Specification provides expressly
`
`that the weighting factor may encompass “default settings . . . or
`
`customizations.” Ex. 1001, 20:13–16 (emphasis added). Likewise, as
`
`described, the relative risk rating may encompass either “default values . . .
`
`or . . . customized values.” Id. at 20:26–28 (emphasis added); see also id. at
`
`8
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`20:47–50 (“the privacy campaign may be assigned based on the following
`
`criteria, which may be either a default or customized setting”) (emphasis
`
`added). In both instances, the default values are “based on privacy laws.”
`
`Id. at 20:13–50. Thus, when properly construed in light of the Specification,
`
`the weighting factor and relative risk rating may include customizable values
`
`or pre-assigned default values.
`
`B. AvePoint’s Challenge Under 35 U.S.C. § 101
`
`AvePoint asserts that the challenged claims do not recite patent
`
`eligible subject matter under 35 U.S.C. § 101. Pet. 28–40. OneTrust
`
`disagrees. PO Resp. 69–93. Section 101 of the patent statute defines patent-
`
`eligible subject matter as “any new and useful process, machine,
`
`manufacture, or composition of matter, or any new and useful improvement
`
`thereof.” 35 U.S.C. § 101. Laws of nature, natural phenomenon, and
`
`abstract ideas, however, are not patentable. Alice Corp. v. CLS Bank Int’l,
`
`573 U.S. 208, 217 (2014) (“Alice”) (citing Mayo Collaborative Servs. v.
`
`Prometheus Labs., Inc., 566 U.S. 66, 77–78 (2012) (“Mayo”), and Bilski v.
`
`Kappos, 561 U.S. 593, 601–02 (2010) (“Bilski”)). Here, AvePoint relies on
`
`the judicial exception of abstract ideas to argue that the challenged claims
`
`are patent ineligible. Pet. 28–40; Pet. Reply 8–18.
`
`In evaluating whether the challenged claims are “directed to” an
`
`abstract idea, we are guided by the framework set forth in Alice and Mayo.
`
`Alice, 573 U.S. at 217–27 (citing and quoting Mayo throughout).8 Under the
`
`
`8 We are also guided by Office’s 2019 Revised Patent Subject Matter
`Eligibility Guidance (“Office Guidance”), which outlines the Alice/Mayo
`framework in terms of a three-part inquiry. 84 Fed. Reg. 50, 53–56 (Jan. 7,
`
`9
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`Alice/Mayo framework, we consider, first, whether the claims recite an
`
`abstract idea, and, if so, whether the claims are otherwise directed to a
`
`technological improvement that transforms them into a “practical
`
`application” of the idea.9 Mayo, 566 U.S. at 77–78, 84–85 (quoting
`
`Gottschalk v. Benson, 409 U.S. 63, 71 (1972)); see also Alice, 573 U.S. at
`
`221–24 (evaluating whether computer implementation of a mathematical
`
`formula is “the sort of ‘additional featur[e]’ that provides any ‘practical
`
`assurance that the process is more than a drafting effort designed to
`
`monopolize the [abstract idea] itself’”) (alteration in original) (quoting
`
`Mayo, 566 U.S. at 77); Diamond v. Diehr, 450 U.S. 175, 187 (1981) (“It is
`
`now commonplace that an application of a law of nature or mathematical
`
`formula to a known structure or process may well be deserving of patent
`
`protection.”). As a final safeguard, we consider whether any claim elements,
`
`either individually or in combination, amount to an “inventive concept,” in
`
`other words, something “significantly more” than “well-understood, routine,
`
`conventional activities previously known to the industry.”10 Alice, 573 U.S.
`
`at 221–22, 225 (internal quotations, brackets, and citations omitted).
`
`
`2019) (describing “Step 2A” as including “Prong One” and “Prong Two,”
`followed by “Step 2B”).
`
`9 This step of the Alice/Mayo framework is recounted in the Office Guidance
`as “Revised Step 2A . . . Prong One: Evaluate Whether the Claim Recites a
`Judicial Exception . . . [and] Prong Two: If the Claim Recites a Judicial
`Exception, Evaluate Whether the Judicial Exception is Integrated Into a
`Practical Application.” 84 Fed. Reg. at 54.
`
`10 This step of the Alice/Mayo framework is recounted in the Office
`Guidance as “Step 2B: If the Claim is Directed to a Judicial Exception,
`Evaluate Whether the Claim Provides an Inventive Concept.” 84 Fed. Reg.
`at 56.
`
`10
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`
`1. Whether the Claims Recite an Abstract Idea
`
`AvePoint asserts that the claims of the ’090 patent are directed to
`
`“assessing the risk of personal data being compromised.” Pet. 34; see also
`
`id. at 9 (characterizing the claims as directed to “determining the risk of
`
`personal data being compromised”). Even more specifically, according to
`
`AvePoint, the claims recite the steps of determining an overall risk level for
`
`a privacy campaign “by assessing . . . certain well-known risk factors and
`
`assigning values to the risk factors depending on the type of personal data
`
`entered as part of the campaign.” Pet. 9; see also Pet. Reply 15–16 (“The
`
`key components of the ’090 claims are the processor and the human mental
`
`processes, with the latter dictating the weight and risk values and the former
`
`tallying the inputs.”). AvePoint analogizes “assessing the risk of personal
`
`data being compromised” to the abstract idea of “mitigating risk” held to be
`
`a patent-ineligible method of organizing human activity in Alice and Bilski.
`
`Pet. 31–32; see also id. at 10 (same). AvePoint also characterizes the claims
`
`as reciting a patent-ineligible “mental process.”11 Id. at 33; see also Pet.
`
`Reply 9–10 (conforming its assertions to “Groupings of Abstract Ideas” as
`
`defined in the Office Guidance).
`
`Rather than respond to AvePoint’s contention that the claims recite a
`
`mental process or a method of organizing human activity, OneTrust focuses
`
`on the question of whether the claims are directed to a “technical
`
`improvement” that integrates the abstract idea into a practical application.
`
`
`11 AvePoint further asserts that the claims are directed to yet a third category
`of abstract ideas—“mathematical concept.” Pet. Reply 10 (citing Office
`Guidance). We need not reach that question for we decide that the claims
`more aptly recite an abstract idea in the form of either a mental process or a
`method of organizing human activity.
`
`11
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`PO Resp. 69, 75, 79; Sur-Reply 20. But before considering that question,
`
`we must first determine if the claims recite an abstract idea such that we can
`
`then properly inquire whether the claims otherwise recite “additional
`
`features” that transform them into a “practical application” of the idea itself.
`
`Mayo, 566 U.S. at 77–78, 84–85 (quoting Gottschalk, 409 U.S. at 71); see
`
`also Alice, 573 U.S. at 221–24 (considering whether computer
`
`implementation of the abstract idea is “the sort of ‘additional featur[e]’ that
`
`provides any ‘practical assurance that the process is more than a drafting
`
`effort designed to monopolize the [abstract idea] itself’”) (quoting Mayo,
`
`566 U.S. at 77).
`
`At the outset, we note that OneTrust does not dispute that the claims
`
`recite the idea of risk assessment—“we do not dispute that this claim
`
`involves risk assessment. That is the industry and the purpose of this
`
`software. But what the software is claiming is an improved method of
`
`implementing a risk assessment that uses two different factors in order to
`
`enable the software to be customized.” Tr. 50:15–19; see also PO Resp. 74
`
`(“There is no dispute that privacy risk assessments had been performed on
`
`computers prior to the ’090 patent.”). More specifically, according to
`
`OneTrust, the claimed method “determine[s] a risk level for a privacy
`
`campaign (i.e., a project or process that may utilize personal data) based on
`
`two separate metrics—a ‘weighting factor’ and a separate ‘relative risk
`
`rating’ for each of a plurality of risk factors.” PO Resp. 74–75. Indeed,
`
`claims 1 and 21 include steps that relate directly to conducting a privacy risk
`
`assessment—
`
`(1) “receiving campaign data input by one or more users,”
`
`(2) “determining a weighting factor for each of a plurality
`of risk factors” associated with the campaign data,
`
`12
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`
`(3) “determining a relative risk rating for each of the
`plurality of risk factors,” and
`
`(4) “calculating a risk level for the campaign based upon
`. . . the relative risk rating for the respective risk factor and the
`weighting factor for the risk factor.”
`
`Ex. 1001, 34:34–35:32.
`
`Those steps of assessing the risk of personal data being compromised
`
`by associating certain risk factors with the data and then rating and weighing
`
`each factor to generate an overall “risk level,” as recited in claims 1 and 21,
`
`amount to nothing more than a mental process that can be performed in the
`
`human mind or by a person using pen and paper. For instance, the
`
`“receiving” step can be performed by a person who simply reads the
`
`personal data and records certain items of information from the data. The
`
`“determining” steps can be performed by a person who associates risk
`
`factors with the chosen data and writes a value “from 1–10” on paper in
`
`rating each risk factor (see, e.g., Ex. 1001, 20:30–33) and writes a value
`
`“from 1–5” on paper in weighing each risk factor. See id. at 19:21–23,
`
`20:19–22, 20:30–33. Lastly, the “calculating” step can be performed by a
`
`person who simply multiplies and adds the assigned values for each risk
`
`factor, be it on paper or in her head, to arrive at an overall risk level for the
`
`personal data. See id. at 4:64–5:7, 36:35–37. Notably, OneTrust’s own
`
`expert confirmed that each of these steps can be performed mentally.
`
`Ex. 1030, 48:9–50:1412 (confirming that a “person” may determine and enter
`
`the “relative risk rating” and “weighting factor,” then “multiply” one by the
`
`other, “and then add them together”).
`
`
`12 Citations for Exhibit 1030 are to original page numbers of the deposition
`transcript.
`
`13
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`
`Moreover, this series of steps is plainly directed to the long-standing
`
`and fundamental business practice of assessing and mitigating the risk of
`
`personal data being compromised. Indeed, the ’090 patent acknowledges as
`
`much in the “Background” section—
`
`Many regulators recommend conducting privacy impact
`assessments, or data protection risk assessments along with data
`inventory mapping. For example, the GDPR [European Union’s
`General Data Protection Regulation] requires data protection
`impact assessments. Additionally, the United Kingdom ICO’s
`office provides guidance around privacy impact assessments.
`The OPC in Canada recommends personal information
`inventory, and the Singapore PDPA specifically mentions
`personal data inventory mapping.
`Thus, developing operational policies and processes may
`reassure not only regulators, but also an organizations customers,
`vendors, and other business partners.
`For many companies handling personal data, privacy
`audits, whether done according to AICPA Generally Accepted
`Privacy Principles, or ISACA’s IT Standards, Guidelines, and
`Tools and Techniques for Audit Assurance and Control
`Professionals, are not just a best practice, they are a
`requirement.
`
`
`
`Ex. 1001, 2:9–26 (emphases added). That description in the ’090 patent
`
`shows that, for many organizations, assessing the risk of personal data being
`
`compromised is not only a generally accepted business practice, but a legal
`
`requirement. Indeed, OneTrust’s own expert testifies that risk assessments
`
`include “basic steps that have been around” since well before the 2016
`
`priority date of the ’090 patent. Ex. 1030, 25:24–30:19. She likewise
`
`confirms that “risk assessments” of “privacy campaign[s]” are common in
`
`the “business process” and “have been around for many, many years.” Id. at
`
`53:9–22. That the fundamental business practice of assessing the risk of
`
`personal data being compromised is an abstract idea comports fully with the
`
`14
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`“fundamental economic practice” of “hedging, or protecting against risk”
`
`determined to be an abstract idea in Bilski (561 U.S. at 611–12), as well as
`
`the “mitigat[ing] settlement risk” determined to be an abstract idea in Alice
`
`(573 U.S. at 219–20).
`
`
`
`The claims here are not unlike the claims held to be abstract in
`
`FairWarning IP, LLC v. Iatric Systems, Inc., 839 F.3d 1089, 1095 (Fed. Cir.
`
`2016). In that case, the claims were held to be abstract because they “merely
`
`implement an old practice in a new environment,” i.e., “the concept of
`
`analyzing records of human activity to detect suspicious behavior,” while
`
`doing so on a computer. Id. at 1093–94 (citing Alice, 573 U.S. at 220). Like
`
`the case here, the claimed method in FairWarning included the general steps
`
`of collecting information that included personal data, processing and
`
`analyzing the information according to certain rules and criteria to determine
`
`unauthorized access of the data, and storing the determination for purposes
`
`of notifying users. Id. at 1093, 1095. While the claims in FairWarning
`
`recited using one of a few possible rules to analyze the personal data, they
`
`nonetheless were held to be abstract because “the claimed rules ask . . . the
`
`same questions (though perhaps phrased with different words) that humans
`
`in analogous situations detecting fraud have asked for decades, if not
`
`centuries.” Id. at 1095. That is also the case here. As such, we determine
`
`that the claims recite an abstract idea.13
`
`
`13 Our determination is consistent with the Office Guidance’s identification
`of “mitigating risk” as a “method of organizing human activity” and
`“concepts performed in the human mind” as “[m]ental processes,” each of
`which is an abstract idea. 84 Fed. Reg. at 52 n.13 (citing Alice and Bilski),
`n.14 (citing CyberSource Corp. v. Retail Decisions, Inc., 654 F.3d 1366
`(Fed. Cir. 2011)).
`
`15
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`
`2. Whether the Claims Include Additional Elements that Integrate the
`Abstract Idea into a Practical Application
`
`Having determined that the claims recite an abstract idea, we now
`
`consider whether the claims include “additional features” that transform the
`
`idea into a “practical application.” Mayo, 566 U.S. at 77–78, 84–85 (quoting
`
`Gottschalk, 409 U.S. at 71). Additional features indicative of a practical
`
`application typically reflect “a specific improvement to the way computers
`
`operate” or “a specific implementation of a solution to a problem in the
`
`software arts,” which go beyond invoking a computer “merely as a tool.”
`
`Enfish, LLC v. Microsoft Corp., 822 F.3d 1327, 1336, 1339 (Fed. Cir. 2016).
`
`OneTrust relies heavily on this prong of the § 101 analysis to argue
`
`that the claims are not directed to a patent ineligible abstract idea. PO
`
`Resp. 74–87; Sur-Reply 17–22; Tr. 49:13–51:20, 64:19–65:16. According
`
`to OneTrust, rather than being directed to an abstract idea, the claims are
`
`directed to a “technical improvement” or “solution” because “an
`
`organization (or operational unit within an organization) can customize the
`
`weighting factor and the relative risk rating to reflect the organization’s own
`
`particular needs.” PO Resp. 75. “Unlike prior software for performing
`
`privacy impact assessments,” OneTrust explains, “the claimed methods
`
`allow OneTrust’s software tool to be adjusted for different users’ particular
`
`privacy sensitivities, thereby avoiding the need for custom built or in-house
`
`solutions.” Id. As such, OneTrust surmises that the claims of the
`
`’090 patent “focus on an improvement in computer capabilities—namely, an
`
`improvement in the capabilities of software for performing privacy impact
`
`assessments to be customized for particular customer risk sensitivities or for
`
`different privacy regimes.” Id. at 76 (emphasis added); see also id. at 77
`
`(“Again, the claims are specifically directed to a method that improves the
`
`16
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`functionality of a computer by allowing the software to be adjusted for
`
`different user needs or preferences regarding the relative risks posed by
`
`different risk factors.” (emphasis added)).
`
`But OneTrust’s argument relates to “user customizations” of
`
`information stored in the database—namely, the “weighting factors” and
`
`“risk rating”—for use by a “Risk Assessment Module” in calculating the
`
`overall risk level. Ex. 1001, 20:10–35. In that regard, the Specification
`
`explains that the “Risk Assessment Module,” which determines the overall
`
`risk level, “may have default settings” or “[t]he organization may also
`
`modify these settings in the Risk Assessment Module.” Id. at 19:25–32.
`
`Elaborating further, the Specification states that those settings “may be
`
`customized from organization to organization, and according to different
`
`applicable laws.” Id. at 18:58–67. In other words, the user may modify the
`
`default settings of the risk rating and weighting factor according to the
`
`particular needs of the organization conducting the privacy campaign.
`
`That the user organization may modify the default settings in the Risk
`
`Assessment Module reflects simply a benefit to the user’s input of
`
`information, not an improvement to the database’s functionality. As the
`
`Federal Circuit has held, while the ability of a user to select “classifications,
`
`parameters, and values” for information within a database “improves the
`
`quality of the information added to the database, an improvement to the
`
`information stored by a database is not equivalent to an improvement in the
`
`database’s functionality.” BSG Tech LLC v. BuySeasons Inc., 899 F.3d
`
`1281, 1288 (Fed. Cir. 2018). In the end, AvePoint’s claimed invention
`
`merely “results in better user input, but the database serves in its ‘ordinary
`
`capacity’ of storing the resulting information.” Id. (citing Enfish, 822 F.3d
`
`17
`
`
`
`PGR2018-00056
`Patent 9,691,090 B1
`
`at 1336). Thus, we agree with AvePoint that claims 1 and 21 are not
`
`directed to a technological improvement to database functionality, but rather
`
`any benefit flows from performing the abstract idea in conjunction with the
`
`entry of long-standing criteria for risk assessments.
`
`Moreover, that a “weighting factor” and a “risk rating” are long-
`
`standing criteria in assessing the risk to data privacy is borne out by
`
`testimony from both parties’ experts. For instance, AvePoint cites
`
`persuasive testimony from its expert that assigning “weight” and “rating”
`
`values to various risk factors was “part of the state of the art.” See, e.g.,
`
`Ex. 1002 ¶¶ 49–51 (citing Exs. 1005–1008). Indeed, one of the prior art
`
`patents cited by AvePoint’s expert expressly describes a “[c]onfiguration
`
`module” that allows an administrator to configure various parameters of
`
`reporting/scoring software,” such as “weighting” factors and “degree of
`
`risk” ratings in scoring data privacy protections. Ex. 1005 (“McQuay”),
`
`7:60–67, 8:66–9:13, 11:24–30. And, like the Risk Assessment Module in
`
`the ’090 patent, McQuay’s “configuration module” is “configured to allow
`
`an administrator to modify the model used by reporting/scoring software . . .
`
`[and] define new models.”14 Id. at 9:14–26