DCT
1:21-cv-00031
Peoplechart Corp v. Wintrust Bank NA
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Peoplechart Corporation (California)
- Defendant: Wintrust Bank, N.A. (Illinois)
- Plaintiff’s Counsel: Banie & Ishimoto LLP; Choken Welling LLP
- Case Identification: 1:21-cv-00031, N.D. Ill., 01/04/2021
- Venue Allegations: Venue is alleged to be proper based on Defendant committing acts of infringement and having a regular and established place of business within the Northern District of Illinois.
- Core Dispute: Plaintiff alleges that Defendant’s Cardless Cash ATM service infringes a patent related to protecting information on a computer system using multiple authentication methods.
- Technical Context: The technology concerns methods for providing secure, time-limited access to sensitive data stored in a networked computer system by requiring multiple, distinct authentication steps.
- Key Procedural History: The complaint alleges that Plaintiff sent a letter to Defendant on October 2, 2020, providing notice of the patent-in-suit and its alleged infringement, which may form the basis for a willfulness claim.
Case Timeline
| Date | Event |
|---|---|
| 2002-01-18 | ’249 Patent Earliest Priority Date |
| 2014-10-21 | ’249 Patent Issue Date |
| 2015-01-19 | Wintrust Cardless Cash Service Announced |
| 2020-10-02 | Plaintiff sent notice letter to Defendant |
| 2021-01-04 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 8,869,249 - "Protecting Information on a Computer System Using Multiple Authentication methods," issued October 21, 2014
The Invention Explained
- Problem Addressed: The patent addresses the security risks of storing sensitive information, such as personal medical records, on web servers that are continuously accessible via the internet. The background section notes that conventional systems with on-line databases and password files are "vulnerable to a hacker" and that this "minimal security is inadequate" for sensitive data (’249 Patent, col. 1:39-51).
- The Patented Solution: The invention proposes a system architecture that separates data storage into a secure, offline "back-end storage device" and an internet-accessible "front-end storage device." To gain access, a user must complete a multi-step authentication. Upon successful authentication, a "subset of data" is temporarily moved from the secure back-end to the front-end device for a limited period, after which it is removed. This process is intended to minimize the window of vulnerability to internet-based attacks (’249 Patent, Abstract; col. 4:21-26). Figure 1 illustrates this architecture, showing a "Back-End Server" (140) firewalled from the internet by a "Security Router" (138) and a separate "Web Server" (120) that is internet-facing.
- Technical Importance: This architectural approach sought to provide greater security for sensitive online records than standard password-protected systems by storing the bulk of the data offline and only exposing it for brief, pre-authorized sessions.
Key Claims at a Glance
- The complaint asserts independent Claim 1 (Compl. ¶8).
- The essential elements of Claim 1, a method claim, are:
- (a) receiving, for a user, first user authentication information for a first authentication method;
- (b) receiving, for the user, second user authentication information for a second, different authentication method;
- (c) upon authenticating both, moving a subset of data from a back-end storage device to a front-end storage device, where the front-end is connected to the user via a network but the back-end is not; and
- (d) allowing the user device access to the subset of data on the front-end device for a specified period of time, after which the data is removed.
- The complaint does not explicitly reserve the right to assert dependent claims, but states it "reserves the right to modify its infringement theories" (Compl. ¶17).
III. The Accused Instrumentality
Product Identification
The accused service is Wintrust's "Cardless Cash" system (Compl. ¶9.a).
Functionality and Market Context
The Cardless Cash service allows bank customers to withdraw cash from an ATM using their smartphone, eliminating the need for a physical bank card (Compl. ¶9.a). The complaint alleges the process involves the user first logging into the Wintrust mobile banking application and selecting the "Cardless Cash" feature. This is described as the first authentication step (Compl. ¶9.a). A screenshot in the complaint shows the "Cardless Cash" option within a mobile application's task menu (Compl. p. 3). The second step involves the user scanning a QR code displayed on the ATM screen with their mobile phone, which the complaint alleges is the second authentication method (Compl. ¶9.b). A representative image shows a user's phone positioned to scan a QR code on an ATM screen (Compl. p. 5). Upon completion, the system permits a cash withdrawal (Compl. ¶5.d).
IV. Analysis of Infringement Allegations
’249 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| (a) receiving, for a user, first user authentication information for a first authentication method; | Wintrust receives a user's login credentials for its mobile banking application when the user requests "Cardless Cash." | ¶9.a | col. 2:11-18 |
| (b) receiving, for the user, second user authentication information for a second authentication method, the second authentication method being different from the first authentication method; | The system uses a second authentication method involving the generation of a QR code on the ATM which is then scanned by the user's mobile phone. | ¶9.b | col. 2:18-21 |
| (c) upon authenticating the first user authentication information and the second user authentication information, moving, by a computing device, a subset of data stored on a back-end storage device to a front-end storage device, the front-end storage device being directly connected to a user device for the user via a network and the back-end storage device not being directly connected to the network; and | Upon authentication, "information is moved from back-end storage device to a front-end storage device in order for the ATM to dispense cash." | ¶9.c | col. 2:21-23 |
| (d) allowing the user device access to the subset of data on the front-end storage device for a period of time specified to the front-end storage device by the computing device, wherein after the period of time expires, the subset of data is removed from the front-end storage device. | After the authentication via QR code scan, the system "allows the user access at the user's selected ATM device to enable cash to be dispensed." | ¶5.d | col. 2:23-26 |
Identified Points of Contention
- Architectural Questions: A central question will be whether the Wintrust banking system maps onto the claimed architecture. What evidence supports the allegation that Wintrust uses a "back-end storage device not being directly connected to the network" and temporarily moves a "subset of data" to a "front-end storage device"? The complaint makes this allegation in a conclusory manner (Compl. ¶9.c) without providing specific technical details about Wintrust's server infrastructure.
- Technical Questions: The analysis may focus on whether the transaction authorization in the accused system is functionally equivalent to "moving...a subset of data." The court may need to determine if an authorization token or a temporary transaction approval constitutes a "subset of data" as described in the patent, which provides examples of moving entire medical record documents (’249 Patent, col. 8:36-44, FIG. 5). Further, it raises the question of whether scanning a QR code is "receiving...authentication information" or merely initiating a pre-staged transaction.
V. Key Claim Terms for Construction
The Term: "back-end storage device not being directly connected to the network"
- Context and Importance: This term is foundational to the patent's purported security innovation. The infringement case depends on whether Wintrust’s system architecture includes a data store that is isolated from the network in the manner claimed. Practitioners may focus on this term because the patent contrasts this architecture with conventional, fully online web servers.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The claims do not specify a particular mechanism for isolation (e.g., physical air gap vs. firewall). A party might argue any form of logical separation via a security router, as shown in Figure 1, meets the limitation.
- Evidence for a Narrower Interpretation: The patent repeatedly emphasizes the offline nature of the back-end data to distinguish itself from prior art, stating the "remainder of the time the sensitive information is stored off-line" (’249 Patent, col. 4:24-26). This could support an argument that the back-end must be truly inaccessible from the external network, not merely behind a standard corporate firewall.
The Term: "moving...a subset of data"
- Context and Importance: The definition of this term is critical to determining whether the accused transaction process performs the claimed step. The dispute may turn on whether sending a simple authorization message is equivalent to "moving" a "subset of data" like a user's account information.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The term "data" is not explicitly limited. A party could argue that any information, including a temporary session token or transaction approval code, constitutes a "subset of data."
- Evidence for a Narrower Interpretation: The specification's examples involve moving substantive user information, such as medical records or a "document log" with hyperlinks to those records (’249 Patent, col. 8:36-44; FIG. 5). This suggests the "subset of data" is more substantial than a simple authorization command and is the information the user intends to access, not just a mechanism for access.
VI. Other Allegations
- Indirect Infringement: The complaint alleges both induced and contributory infringement. It asserts that Wintrust "provided the software and technology" for the infringing method, that the method has "no substantial non-infringing uses," and that Wintrust acted with specific intent to cause infringement (Compl. ¶¶13, 16).
- Willful Infringement: The complaint alleges willfulness, citing a pre-suit notice letter sent to Wintrust on October 2, 2020, which allegedly informed Wintrust of its infringement (Compl. ¶10). This allegation appears to be based on alleged post-suit knowledge.
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of architectural mapping: Does the Wintrust Cardless Cash system employ a two-tiered "front-end" and "back-end" storage architecture where the back-end is "not being directly connected to the network" as required by the claim, or does it use a more conventional, continuously online banking infrastructure? The complaint's conclusory allegation on this point will require factual development.
- A key evidentiary question will be one of functional scope: Does the accused process of authorizing a cash withdrawal via a QR code involve "moving...a subset of data" from a secure repository to an internet-facing one, as contemplated by the patent? Or does it represent a different technical process, such as the transmission of a temporary authorization token, that falls outside the scope of the claimed method?
- A final question will be one of definitional interpretation: Can the act of a user scanning a system-generated QR code be construed as the system "receiving...second user authentication information," or is it more accurately characterized as the user providing a one-time transaction identifier?