3:22-cv-01852
Netskope Inc v. Fortinet Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Netskope, Inc. (Delaware)
  - Defendant: Fortinet, Inc. (Delaware)
  - Plaintiff’s Counsel: Perkins Coie LLP
- Case Identification: 3:22-cv-01852, N.D. Cal., 12/05/2024
- Venue Allegations: Plaintiff alleges venue is proper as Defendant’s principal place of business is within the Northern District of California, where a substantial part of the events giving rise to the claims occurred.
- Core Dispute: Plaintiff seeks a declaratory judgment that its cloud-security platform does not infringe five of Defendant's patents related to network security, data leak prevention, and cloud storage aggregation.
- Technical Context: The technology at issue resides in the highly competitive enterprise network and cloud security sector, focusing on methods for protecting corporate data and managing security across distributed network environments.
- Key Procedural History: The complaint alleges extensive pre-suit licensing negotiations in which Defendant demanded sums up to $300 million without providing detailed infringement contentions. Significantly, the complaint notes that Plaintiff subsequently challenged the validity of several patents-in-suit via inter partes review (IPR) at the Patent Trial and Appeal Board (PTAB). The PTAB has issued Final Written Decisions finding all challenged claims of U.S. Patent Nos. 10,237,282; 9,280,678; and 10,084,825 to be unpatentable. Despite these outcomes, Plaintiff alleges Defendant has not withdrawn its infringement allegations, prompting this amended declaratory judgment action.
Case Timeline
| Date | Event | 
|---|---|
| 2004-03-12 | ’968 Patent Priority Date | 
| 2012-06-28 | ’282 Patent Priority Date | 
| 2012-12-03 | ’678 Patent Priority Date | 
| 2013 | Netskope releases its first product | 
| 2013-06-05 | ’601 Patent Priority Date | 
| 2015-11-24 | ’601 Patent Issue Date | 
| 2016-01-05 | ’968 Patent Issue Date | 
| 2016-03-08 | ’678 Patent Issue Date | 
| 2017-05-08 | ’825 Patent Priority Date | 
| 2018-09-25 | ’825 Patent Issue Date | 
| 2019-03-19 | ’282 Patent Issue Date | 
| 2021-10-22 | Fortinet sends initial letter accusing Netskope of infringement | 
| 2024-03-06 | PTAB issues Final Written Decision finding claims of ’282 Patent unpatentable | 
| 2024-08-12 | PTAB issues Final Written Decision finding claims of ’678 Patent unpatentable | 
| 2024-08-19 | PTAB issues Final Written Decision finding claims of ’825 Patent unpatentable | 
| 2024-12-05 | Second Amended Complaint for Declaratory Judgment filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 10,237,282 - "Data Leak Protection"
The Invention Explained
- Problem Addressed: The patent addresses the risk of "accidental or intentional dissemination of confidential documents" from an enterprise network as information becomes increasingly digitized and easily distributable via the Internet (’282 Patent, col. 2:40-49, col. 3:7-10).
- The Patented Solution: The invention proposes a network security device, such as a gateway, that implements a Data Leak Prevention (DLP) system using digital "watermarks." The device maintains a "filter database" of rules, where each rule specifies a watermark value, a set of network services (e.g., email, file sharing), and an action to be taken (e.g., block, log). When the device detects an outbound file containing an embedded watermark, it consults the database and, if a matching rule exists for the specific service being used, it performs the designated action (’282 Patent, Abstract; col. 2:62-col. 3:4). Figure 4 of the patent illustrates a graphical user interface for creating a DLP filter based on a watermark (’282 Patent, Fig. 4).
- Technical Importance: This technology provides a method for policy-based control over the exfiltration of specific, classified documents, moving beyond more generic content filtering techniques.
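The rule lookup described above, sketched in Python as an added example (not code from the patent, the complaint, or either party's product). The `WM:` marker format, the rule values and the service names are constructed assumptions, since the page does not say how a watermark is embedded; the point is that the same file yields different actions depending on the service carrying it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed marker format for this sketch: ASCII "WM:" followed by 8 hex digits.
# The summarized patent text does not define an embedding format.
WATERMARK_RE = re.compile(rb"WM:([0-9a-f]{8})")


@dataclass(frozen=True)
class FilterRule:
    watermark: str        # watermark value the rule applies to
    services: frozenset   # network services for which the rule is active
    action: str           # e.g. "block" or "log"


# Constructed filter database (hypothetical values).
FILTER_DB = [
    FilterRule("a1b2c3d4", frozenset({"smtp", "http-upload"}), "block"),
    FilterRule("a1b2c3d4", frozenset({"ftp"}), "log"),
    FilterRule("0badf00d", frozenset({"smtp"}), "log"),
]


def extract_watermark(file_bytes: bytes) -> Optional[str]:
    """Return the first embedded watermark value, or None if the file has none."""
    m = WATERMARK_RE.search(file_bytes)
    return m.group(1).decode("ascii") if m else None


def decide(file_bytes: bytes, service: str, rules=FILTER_DB, default="allow") -> str:
    """Apply the first rule matching both the watermark and the service."""
    wm = extract_watermark(file_bytes)
    if wm is None:
        return default  # no watermark found, so no rule can match
    for rule in rules:
        if rule.watermark == wm and service in rule.services:
            return rule.action
    return default  # watermark known, but no rule is active for this service


if __name__ == "__main__":
    doc = b"%PDF-1.7 ... WM:a1b2c3d4 ... quarterly forecast"  # constructed sample
    for svc in ("smtp", "ftp", "sftp"):
        print(svc, "->", decide(doc, svc))
```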
Key Claims at a Glance
- The complaint notes that the PTAB invalidated independent claims 1 and 11, along with numerous dependent claims (Compl. ¶292). The dispute now centers on the surviving dependent claims. The independent claims from which they depend are:
- Independent Claim 1 (Method):
  - maintaining, by a network security device, a filter database with a plurality of filtering rules
  - wherein each rule specifies a watermark value, a set of network services for which the rule is active, and an action
  - receiving outbound network traffic containing a file associated with a network service
  - identifying a watermark value in the file
  - determining if a filtering rule exists that matches the identified watermark and is active for the associated network service
  - if the determination is affirmative, performing the specified action.
- Independent Claim 11 (Non-transitory program storage device): This claim recites a storage device with instructions for performing a method largely identical to that of Claim 1.
- The complaint alleges non-infringement of dependent claims 9-10 (depending from claim 1) and 19-20 (depending from a method claim corresponding to claim 11) (Compl. ¶¶293-294).
U.S. Patent No. 9,197,601 - "System and Method for Providing a Single Global Borderless Virtual Perimeter Through Distributed Points of Presence"
The Invention Explained
- Problem Addressed: The patent describes the inadequacy of traditional "fence-and-gate" perimeter security in an era where corporate data and applications are distributed across data centers and clouds, and users are increasingly remote. Managing these multiple, disparate perimeters is described as "expensive, resource intensive, and difficult" (’601 Patent, col. 1:40-42).
- The Patented Solution: The invention discloses a "virtual perimeter" constructed from a distributed network of "Perimeter Points of Presence" (P/PoPs). These P/PoPs are nodes that contain a "plurality of selectable service area systems," such as security and network services. An organization can create a customized security policy by selecting which services to apply to its data traffic. Data flowing from or to the organization is routed through these P/PoPs, where the custom policy is enforced before the data is sent to its destination, creating a unified security boundary independent of physical location (’601 Patent, Abstract; Fig. 1).
- Technical Importance: This architecture describes a foundational model for what is now known as a Secure Access Service Edge (SASE) platform, which unifies networking and security services into a single, cloud-delivered model.
Key Claims at a Glance
- The complaint asserts non-infringement of independent claims 1 and 18 (Compl. ¶306).
- Independent Claim 1 (System):
  - A network system comprising one or more Perimeter Points of Presence (P/PoP) configured to provide a virtual perimeter.
  - Each P/PoP comprises a network interface and a plurality of selectable service area systems.
  - The selectable systems can be configured to provide a customized virtual perimeter for an entity.
  - The P/PoP is configured to receive data, process it using a data processing policy defined by the selected service area systems, and transmit the processed data.
- Independent Claim 18 (Method):
  - A method comprising accepting network connections at one or more P/PoPs.
  - Receiving a data flow at the P/PoP.
  - Processing the data flow using a data processing policy for the entity.
  - Transmitting the processed data flow as policy compliant.
- The complaint also refers to dependent claims of claim 1 (Compl. ¶307).
U.S. Patent No. 9,231,968 - "Systems and Methods for Updating Content Detection Devices and Systems"
Technology Synopsis
The patent addresses the need to keep content detection systems (e.g., firewalls) current with the latest threat intelligence. It describes a system where a central station "pushes" updates to distributed content detection modules, often via intermediate update stations, eliminating the need for each module to "pull" or request updates individually (’968 Patent, Abstract).
Asserted Claims
The complaint indicates Fortinet previously alleged infringement of claim 4 (Compl. ¶315). The count for relief covers all claims, with independent claims being 1, 4, and 7 (’968 Patent, col. 12:1-49).
Accused Features
The complaint identifies Netskope's Threat Detection services as the accused instrumentality (Compl. ¶315).
U.S. Patent No. 9,280,678 - "Secure Cloud Storage Distribution and Aggregation"
Technology Synopsis
This patent describes a system for vendor-independent, secure cloud storage. A gateway device encrypts files, divides them into "chunks," creates searchable namespaces for the chunks, and distributes them across multiple cloud storage platforms according to a defined policy. This process is intended to provide searchable encryption while avoiding vendor lock-in (’678 Patent, Abstract).
Asserted Claims
The complaint notes that the PTAB invalidated independent claims 1 and 16, among others. The dispute concerns the surviving dependent claims 4, 5, 7, and 18-20 (Compl. ¶¶332-334).
Accused Features
The complaint identifies Netskope's Cloud Encryption service and related services on its Cloud Security Platform as the accused instrumentalities (Compl. ¶327).
U.S. Patent No. 10,084,825 - "Reducing Redundant Operations Performed by Members of a Cooperative Security Fabric"
Technology Synopsis
The patent addresses inefficiencies in networks with multiple security appliances performing redundant tasks. The solution is a "cooperative security fabric" (CSF) where a network appliance checks for a "flag" in incoming traffic. This flag indicates whether the traffic has already been processed by another CSF member, allowing the current appliance to skip redundant security operations (’825 Patent, Abstract).
Asserted Claims
The PTAB invalidated independent claim 1 and numerous other claims. The dispute concerns the surviving dependent claims 8 and 9 (Compl. ¶¶346-347).
Accused Features
The complaint identifies Netskope's Security Cloud services as the accused instrumentality (Compl. ¶341).
III. The Accused Instrumentality
Product Identification
The accused instrumentality is Netskope's cloud-security platform, which provides a range of services including Data Loss Prevention (DLP), threat detection, cloud encryption, and its "NewEdge" network architecture (Compl. ¶¶11, 287, 302, 315, 327, 341).
Functionality and Market Context
Netskope's platform is designed to help businesses secure their applications and data as they migrate to the cloud (Compl. ¶9). Its DLP services aim to protect confidential information from exfiltration (Compl. ¶13), and its NewEdge services provide a Secure Access Service Edge (SASE) architecture (Compl. ¶307). The complaint asserts Netskope is a market leader, citing a Gartner Magic Quadrant for Cloud Access Security Brokers that places Netskope in the "Leaders" quadrant while not including Fortinet (Compl. ¶¶31-32, p. 6).
IV. Analysis of Infringement Allegations
10,237,282 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| maintaining, by a network security device...a filter database containing a plurality of filtering rules... | Netskope's DLP services, which include filtering rules. | ¶287 | col. 15:30-34 | 
| wherein each filtering rule of the plurality of filtering rules specifies a watermark value, a set of network services for which the filtering rule is active and an action to be taken... | Netskope alleges its DLP services include at least one filtering rule (e.g., a default profile) that does not specify a watermark value and/or network services. | ¶293 | col. 15:35-41 | 
| identifying, by the network security device, a watermark value embedded within the file... | The complaint does not provide sufficient detail for analysis of this element. | --- | col. 15:45-47 | 
| determining...whether there exists a filtering rule...specifying a watermark value matching the watermark value...and for which the filtering rule is active for the particular network service... | As Netskope's rule allegedly does not specify a watermark value, this determination cannot be made as claimed. | ¶293 | col. 15:48-55 | 
- Identified Points of Contention:
  - Procedural Question: The primary issue is that independent claim 1 has been found unpatentable by the PTAB (Compl. ¶292). The dispute is limited to whether Netskope infringes the surviving dependent claims. This raises the question of the viability of any infringement case built upon an invalidated independent claim.
  - Technical Question: A key factual dispute will be whether Netskope's DLP "default profile" rule meets the claim requirement of "specif[ying] a watermark value." The complaint alleges it does not, which, if true, would appear to defeat a literal infringement allegation (Compl. ¶293).
9,197,601 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| A network system comprising: one or more Perimeter Points of Presence (P/PoP) configured to provide a virtual perimeter... | Netskope's NewEdge services, which the complaint alleges constitute a Secure Access Service Edge system, not a virtual perimeter. | ¶307 | col. 17:1-3 | 
| the one or more P/PoP comprising: ...a plurality of selectable service area systems... | The complaint does not provide sufficient detail for analysis of this element. | --- | col. 17:5-6 | 
| wherein the selectable service area systems...can be configured to provide a customized virtual perimeter for an entity... | Netskope's architecture allegedly does not provide a "customized virtual perimeter" as claimed. | ¶308 | col. 17:9-11 | 
| process the data using at least one of the service area systems...configured as a data processing policy for the entity... | The complaint does not provide sufficient detail for analysis of this element. | --- | col. 17:15-18 | 
- Identified Points of Contention:
  - Scope Questions: The central dispute will be one of claim construction. Does the term "virtual perimeter," as described in the patent in the context of P/PoPs with "selectable service area systems," read on Netskope's modern "Secure Access Service Edge" (SASE) architecture? The complaint posits a technical distinction that will be a key focus for the court (Compl. ¶¶307-308).
V. Key Claim Terms for Construction
- For the ’282 Patent:
  - The Term: "specifies a watermark value"
  - Context and Importance: Netskope's non-infringement argument for the surviving dependent claims rests on its assertion that its "default profile" does not "specify" a watermark value (Compl. ¶293). The definition of "specifies" will be critical; practitioners may focus on whether this requires an explicit, affirmative declaration of a value in a rule, or if it can be met implicitly.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The claim language itself, "specifies a watermark value," does not explicitly forbid a rule that applies to all watermarks or to a default state (’282 Patent, col. 15:35-36).
    - Evidence for a Narrower Interpretation: The patent's specification, particularly Figure 4, depicts a GUI for creating a new DLP filter where a user can select "Watermark" as the "Filter By" criterion, suggesting an explicit and specific value is intended to be defined for a rule to operate (’282 Patent, Fig. 4).
- For the ’601 Patent:
  - The Term: "virtual perimeter"
  - Context and Importance: This term is at the heart of the infringement dispute for this patent. Netskope contends its SASE architecture is not a "virtual perimeter" (Compl. ¶307). The case will depend heavily on whether the court construes this term broadly enough to cover modern SASE systems or limits it to the specific P/PoP architecture described.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The patent abstract defines the invention broadly as providing a "virtual perimeter through distributed points of presence," a high-level concept that could arguably describe various distributed security architectures (’601 Patent, Abstract).
    - Evidence for a Narrower Interpretation: The claims repeatedly tie the "virtual perimeter" to P/PoPs that comprise a "plurality of selectable service area systems" which are configured to create a "customized virtual perimeter" (’601 Patent, col. 17:1-11). This suggests the term is not generic but is defined by the specific modular, selectable service architecture detailed in the specification.
VI. Other Allegations
- Indirect Infringement: The complaint states that Netskope’s products and services do not indirectly infringe the patents-in-suit, but does not provide sufficient detail regarding any specific allegations by Fortinet to support such a claim (Compl. ¶¶289, 295, 309, 321, 335, 348).
- Willful Infringement: The complaint alleges that Fortinet has asserted Netskope has "full knowledge of infringement" (Compl. ¶¶286, 301). This assertion appears to be based on pre-suit communications, including an initial letter from Fortinet dated October 22, 2021, and subsequent extensive correspondence (Compl. ¶48).
VII. Analyst’s Conclusion: Key Questions for the Case
This declaratory judgment action presents several critical issues for judicial determination, framed by an unusual procedural history involving extensive PTAB review.
- A central threshold issue is one of case viability: Following the PTAB's invalidation of the foundational independent claims and numerous dependent claims of the '282, '678, and '825 patents, a key question for the court will be whether Fortinet can present a viable infringement theory based on the narrow, surviving dependent claims, particularly as they rely on invalidated parent claims for context.
- The case also presents a core question of definitional scope: For the '601 patent, the dispute will likely turn on claim construction. Can the term "virtual perimeter," rooted in the patent's specific architecture of P/PoPs with "selectable service area systems," be construed broadly enough to read on Netskope's modern "Secure Access Service Edge" (SASE) platform, or are they fundamentally different technologies as the complaint alleges?
- Finally, the case raises a question of technical and factual mismatch: For the specific, surviving claims across several patents, the dispute appears to center on direct operational facts. The court will need to resolve whether Netskope's platform actually performs the claimed functions—such as using "flags" for cooperative processing ('825 patent) or "chunking" files before encryption ('678 patent)—or if there is a fundamental mismatch in technical operation as Netskope alleges.