DCT

1:23-cv-12055

BitSight Tech Inc v. Normshield Inc

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:23-cv-12055, D. Mass., 12/11/2023
  • Venue Allegations: Venue is alleged to be proper as Defendant is a resident of the district, with its principal place of business located in Boston, Massachusetts.
  • Core Dispute: Plaintiff alleges that Defendant’s cybersecurity risk management platform infringes five patents related to systems and methods for assessing and rating cybersecurity risk based on externally observable data.
  • Technical Context: The technology concerns the automated assessment of an organization's cybersecurity posture by collecting and analyzing data from public internet sources to generate a quantitative security rating.
  • Key Procedural History: The complaint notes that during the prosecution of the applications leading to the '331 and '524 patents, the patent applicant successfully overcame rejections under 35 U.S.C. § 101, which pertains to patent-eligible subject matter. The complaint also alleges that Defendant had pre-suit knowledge of at least the ’524 patent, having cited it during the prosecution of its own patent application in April 2020.

A. Case Timeline

| Date | Event |
|---|---|
| 2010-09-24 | Priority Date for ’331, ’524, ’976 Patents |
| 2013-09-09 | Priority Date for ’615, ’834 Patents |
| 2016-01-01 | Defendant Black Kite founded (approx.) |
| 2016-09-06 | U.S. Patent No. 9,438,615 Issues |
| 2018-05-15 | U.S. Patent No. 9,973,524 Issues |
| 2020-04-27 | Defendant allegedly cites ’524 Patent in its own patent prosecution |
| 2020-10-13 | U.S. Patent No. 10,805,331 Issues |
| 2023-05-16 | U.S. Patent No. 11,652,834 Issues |
| 2023-10-03 | U.S. Patent No. 11,777,976 Issues |
| 2023-12-11 | First Amended Complaint Filed |

II. Technology and Patent(s)-in-Suit Analysis

A. U.S. Patent No. 10,805,331 - Information Technology Security Assessment System

  • Patent Identification: U.S. Patent No. 10,805,331, “Information Technology Security Assessment System,” issued October 13, 2020.

1. The Invention Explained

  • Problem Addressed: The patent’s background section describes traditional cybersecurity risk assessments as “slow, expensive and impractical” and notes that such audits are “not entirely predictive of the performance of the security systems” ('331 Patent, col. 1:38-42). This created a need for a more efficient and accurate method to assess third-party security risk (Compl. ¶ 35).
  • The Patented Solution: The invention provides a method for creating a “composite security rating” derived from “externally observable characteristics” of a third-party computer system, which avoids the need for internal access or permission ('331 Patent, col. 1:46-56). The system uses a diverse set of internet-based sensors and services to automatically collect data about an entity, which is then processed to generate a rating indicative of its security posture (Compl. ¶ 37; ’331 Patent, col. 7:27-34). This approach is described as having a high likelihood of corresponding to an internal audit score despite relying only on external data ('331 Patent, col. 1:50-53).
  • Technical Importance: The technology provided a scalable, automated way to continuously monitor the security risk of third-party vendors, a significant improvement over slow and often inaccurate manual audits (Compl. ¶¶ 38, 40).

2. Key Claims at a Glance

  • The complaint asserts independent claims 1 and 29 (Compl. ¶ 123).
  • Claim 1 elements include:
    • Collecting information about two or more organizations from at least two sources, with some information collected automatically by computer using sensors on the Internet.
    • Collecting information from sources not controlled by the organization, without the organization's permission.
    • The collected information is indicative of compromises, vulnerabilities, configurations, resiliencies to recover from such events, and durations of such events.
    • Processing the information by computer to form a composite rating indicative of risk.
  • Claim 29 elements include:
    • Collecting information about an organization, including information collected automatically from the Internet without permission.
    • The information is indicative of resiliencies to recover from a security breach, with resiliencies being inversely proportional to the duration of detected malicious activity.
    • Processing the information to form a composite rating that includes a measure of the resiliencies.
    • Delivering a report of the composite rating through a reporting facility.
  • The complaint also asserts dependent claims 2-3 and 8 (Compl. ¶ 123).

B. U.S. Patent No. 9,973,524 - Information Technology Security Assessment System

  • Patent Identification: U.S. Patent No. 9,973,524, “Information Technology Security Assessment System,” issued May 15, 2018.

1. The Invention Explained

  • Problem Addressed: The shared specification addresses the same problem as the '331 patent: the slow, expensive, and impractical nature of traditional cybersecurity audits ('524 Patent, col. 1:41-43).
  • The Patented Solution: This patent focuses on the system architecture for generating a cyber-security rating. It claims a method that involves automatically using sensors to collect externally observable cyber-security data, mapping that data to specific entities via an "entity map," and deriving observations about malicious activity to generate the rating ('524 Patent, cl. 1). The specification explains that determining the "correct and complete IP address space owned by a given entity improves the reliability and robustness of a rating" ('524 Patent, col. 8:59-61).
  • Technical Importance: The invention provides a specific technical method for attributing disparate, externally observed data points to the correct corporate entity, a foundational step for creating an accurate automated rating (Compl. ¶ 49).

2. Key Claims at a Glance

  • The complaint asserts independent claim 1 (Compl. ¶ 132).
  • Claim 1 elements include:
    • Maintaining an entity map that maps technical assets to respective companies or entities.
    • Automatically using sensors on the Internet to collect externally observable cyber-security characterizations of the technical assets.
    • Automatically deriving observations from the collected data, where the observations include (i) a number of technical assets reported to be malicious and (ii) a duration of detected malicious activity.
    • Automatically generating a cyber-security rating for each entity using the entity map and the derived observations.
  • The complaint also asserts dependent claims 6 and 13 (Compl. ¶ 132).
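The claim elements above, as an added illustration that is not code from the complaint, the patents, BitSight or Black Kite: a constructed entity map, constructed sensor reports, the two derived observations of ’524 claim 1, and a composite rating in which the resilience term is inversely proportional to the duration of malicious activity, as the ’331 specification describes for claim 29. Entity names, addresses, dates and the 0.6/0.4 weighting are assumptions.

```python
"""Constructed model of the rating pipeline the '524 and '331 claims recite.
Added illustration, not BitSight's or Black Kite's code; the scoring weights
are assumptions. Steps follow '524 claim 1 (entity map -> sensor data ->
derived observations -> per-entity rating); resilience is inversely
proportional to the duration of malicious activity, as the '331 spec says."""
from datetime import date

# Step 1: entity map from technical asset to owning entity (constructed data;
# 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges).
ENTITY_MAP = {
    "198.51.100.7": "Acme Corp",
    "198.51.100.9": "Acme Corp",
    "mail.acme.example": "Acme Corp",
    "203.0.113.20": "Globex LLC",
    "www.initech.example": "Initech Inc",
}

# Step 2: externally observable characterizations as (asset, first_seen,
# last_seen, reported_malicious); constructed stand-ins for blocklist feeds.
REPORTS = [
    ("198.51.100.7", date(2023, 1, 1), date(2023, 1, 11), True),
    ("198.51.100.9", date(2023, 2, 1), date(2023, 2, 3), True),
    ("mail.acme.example", date(2023, 2, 1), date(2023, 2, 1), False),
    ("203.0.113.20", date(2023, 3, 1), date(2023, 3, 31), True),
    ("www.initech.example", date(2023, 3, 5), date(2023, 3, 5), False),
    ("192.0.2.1", date(2023, 3, 5), date(2023, 3, 9), True),  # not in the map
]


def derive_observations(entity_map, reports):
    """Step 3: per entity, (i) number of assets reported malicious and (ii)
    total days of detected malicious activity, counting both end dates.
    Reports on assets missing from the map cannot be attributed and are dropped."""
    obs = {}
    for asset, first_seen, last_seen, malicious in reports:
        entity = entity_map.get(asset)
        if entity is None or not malicious:
            continue
        count, days = obs.get(entity, (0, 0))
        obs[entity] = (count + 1, days + (last_seen - first_seen).days + 1)
    return obs


def composite_rating(malicious_assets, malicious_days, max_score=1000):
    """Step 4: assumed scoring. Resilience term is inversely proportional to
    duration of malicious activity; the 0.6/0.4 weights are arbitrary."""
    resilience = 1.0 / (1 + malicious_days)      # 1.0 when nothing observed
    asset_term = 1.0 / (1 + malicious_assets)
    return round(max_score * (0.6 * resilience + 0.4 * asset_term))


def rate_entities(entity_map, reports):
    """Rate every mapped entity; one with no malicious reports scores max."""
    obs = derive_observations(entity_map, reports)
    return {e: composite_rating(*obs.get(e, (0, 0))) for e in set(entity_map.values())}
```

The dropped report for the unmapped 192.0.2.1 shows why the ’524 specification ties rating reliability to a correct and complete asset-to-entity map.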

C. U.S. Patent No. 11,777,976 - Information Technology Security Assessment System

  • Patent Identification: U.S. Patent No. 11,777,976, “Information Technology Security Assessment System,” issued October 3, 2023.

1. Technology Synopsis

The patent describes a method for generating a composite security rating by determining two separate ratings: an "internal security rating" derived from internal data sources and an "external security rating" derived from external data sources. The final composite rating is based on both the internal and external ratings (Compl. ¶ 47).

2. Asserted Claims

Independent claim 1 is asserted (Compl. ¶ 141).

3. Accused Features

The complaint alleges that the Black Kite Platform infringes the patent by providing a risk score to customers, though it describes the accused platform as relying on external data (Compl. ¶¶ 85, 140).

D. U.S. Patent No. 9,438,615 - Security Risk Management

  • Patent Identification: U.S. Patent No. 9,438,615, “Security Risk Management,” issued September 6, 2016.

1. Technology Synopsis

The patent addresses the challenge of identifying all assets (e.g., domain names, servers, IP addresses) associated with an entity for a comprehensive risk assessment. The claimed solution is a method for generating a map between technical assets and entities, generating relationship graphs, and enabling user assistance through an interactive tool to associate assets with entities (Compl. ¶¶ 66, 69).

2. Asserted Claims

Claims 84-85 and 87-90 are asserted (Compl. ¶ 150).

3. Accused Features

The complaint alleges infringement by the Black Kite Platform, which it states uses a company's domain to discover its digital footprint and also provides users a "universal questionnaire" to provide relevant information (Compl. ¶¶ 88, 89, 149).

E. U.S. Patent No. 11,652,834 - Methods for Using Organizational Behavior for Risk Ratings

  • Patent Identification: U.S. Patent No. 11,652,834, “Methods for Using Organizational Behavior for Risk Ratings,” issued May 16, 2023.

1. Technology Synopsis

This patent describes a specific, ordered method for mapping IP addresses to an entity to create a more complete accounting of its digital assets. The method involves a series of three distinct "back-and-forth" passive DNS queries to first identify name servers, then second-level domain names, and finally host names and IP addresses (Compl. ¶¶ 74-75).

2. Asserted Claims

Independent claim 1 is asserted (Compl. ¶ 159).

3. Accused Features

The complaint alleges infringement by the Black Kite Platform, which is described as relying on "Passive DNS servers" to find all IP address ranges and domain names belonging to a company (Compl. ¶¶ 86, 88, 158).

III. The Accused Instrumentality

A. Product Identification

  • The accused instrumentality is the “Black Kite Platform,” which provides cyber risk management solutions (Compl. ¶¶ 82, 122).

B. Functionality and Market Context

  • The Black Kite Platform is alleged to quantify and monitor cyber risk for third parties in a “non-invasive manner” by relying on “publicly accessible, external data” (Compl. ¶¶ 83, 85). The platform allegedly gathers data from sources including “VirusTotal, Passive DNS servers, web search engines, and other Internet-wide scanners” to generate a “Cyber Risk Score,” which is presented as a letter grade (Compl. ¶¶ 86, 89). To initiate an assessment, the platform is said to require only a company’s domain name, which it uses to search databases for associated IP address ranges and domain names (Compl. ¶ 88). A competitive comparison chart from Defendant's website, referenced as Exhibit 13, purports to compare Black Kite's offerings to competitors, including BitSight (Compl. ¶ 94).

IV. Analysis of Infringement Allegations

A. '331 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| collecting information about two or more organizations... from two or more sources, at least some of the information about each of the organizations being collected automatically by computer using sensors on the Internet... | The Black Kite Platform gathers data from multiple sources including VirusTotal, Passive DNS servers, web search engines, and Internet-wide scanners. | ¶86, ¶87 | col. 7:27-34 |
| the information from at least the one or more sources that are not controlled by the organization being collected without permission of the organization... | The platform operates in a "non-invasive manner" and relies on "publicly accessible, external data" for its assessments, initiated with only a company domain name. | ¶83, ¶85, ¶88 | col. 2:1-3 |
| the information collected about the organizations being indicative of compromises, vulnerabilities or configurations ... indicative of resiliencies ... indicative of durations of events associated with compromises or vulnerabilities or configurations... | The platform "performs contextualization and analysis to convert data into risk intelligence," which is alleged to include analyzing data for these claimed indicators. | ¶42, ¶87 | col. 2:44-48 |
| processing by computer the information from the two or more sources for each of the organizations to form a composite rating of the organization that is indicative of a degree of risk... | The platform is alleged to calculate a "Cyber Risk Score" to "generate the cyber risk rating" based on its analysis of the collected external data. | ¶88, ¶89 | col. 1:46-50 |
  • Identified Points of Contention:
    • Scope Questions: A central question may be whether Black Kite’s "contextualization and analysis" meets the specific claim requirement for information "indicative of resiliencies," which the patent defines functionally as being "inversely proportional to a duration of malicious behavior" ('331 Patent, col. 2:46-48). The complaint does not specify how the accused platform calculates this particular metric.
    • Technical Questions: What evidence does the complaint provide that the accused platform’s general risk score calculation performs the specific functions required by the claim, such as generating a metric indicative of "resiliencies to recover" from a breach?

B. '524 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| maintaining an entity map that maps technical assets to respective companies or other entities... | The platform is alleged to maintain a system that associates IP address ranges and domain names with a company, starting from the company's domain. | ¶88 | col. 6:13-14 |
| automatically using sensors on the Internet to collect externally observable cyber-security characterizations of the technical assets... | The platform is alleged to rely on "Internet-wide scanners" and other external sources to gather data. | ¶86 | col. 8:27-33 |
| automatically deriving observations about the technical assets from the collected cyber-security characterizations, wherein the derived observations comprise (i) a number of technical assets that have been reported to be malicious and (ii) a duration of detected malicious activity associated with the technical assets... | The platform is alleged to perform "contextualization and analysis to convert data into risk intelligence," which the complaint alleges meets this two-part requirement. | ¶45, ¶87 | col. 2:44-48 |
| automatically generating a cyber-security rating for each of the entities using the entity map and the derived observations. | The platform is alleged to use its collected and analyzed data to "generate the cyber risk rating," which it calls a "Cyber Risk Score." | ¶88, ¶89 | col. 12:41-47 |
  • Identified Points of Contention:
    • Scope Questions: A point of contention may be whether the process described in the complaint—using a domain name to find associated IP ranges—constitutes "maintaining an entity map" as understood in the patent.
    • Technical Questions: Does the "contextualization and analysis" performed by the Black Kite Platform specifically involve the two-part derivation required by the claim: identifying a number of malicious assets and a duration of malicious activity? The complaint's allegations are general on this technical point.

V. Key Claim Terms for Construction

  • The Term: "resiliencies" (from '331 Patent, cl. 1)
    • Context and Importance: This term appears central to defining the invention's technical contribution beyond simple vulnerability scanning. The scope of "resiliencies" will be critical for determining if the accused platform's general risk score calculation infringes.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The specification provides a functional definition, stating resilience "may be inversely proportional to a duration of malicious behavior" ('331 Patent, col. 2:46-48), which could be read broadly on any system that penalizes longer-lasting security incidents.
      • Evidence for a Narrower Interpretation: Claim 1 recites "resiliencies of the organizations to recover from such compromises," suggesting the term may be limited to a specific measurement of an organization's recovery capability, rather than just the duration of a negative event.
  • The Term: "entity map" (from '524 Patent, cl. 1)
    • Context and Importance: This term defines the core mechanism for associating observed data with a company. Whether the accused platform's alleged method of discovering assets from a domain name meets this definition will be a key issue.
    • Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The specification describes the "Entity Map" functionally as that which "maps data back to an entity" ('524 Patent, col. 6:13-14), which could support a broad reading on any system that associates data with a company.
      • Evidence for a Narrower Interpretation: The specification describes the entity map as part of a structured "entity database" that holds "all of the information about an entity" and is populated by various methods ('524 Patent, col. 6:10-23). A defendant may argue this requires a more formal, persistent database structure than what is alleged against the accused platform.

VI. Other Allegations

  • Indirect Infringement: For all asserted patents, the complaint alleges induced infringement under 35 U.S.C. § 271(b), stating that Defendant’s website and instructional videos intentionally encourage and instruct customers to use the Black Kite Platform in a manner that infringes the patents (e.g., Compl. ¶¶ 125, 134).
  • Willful Infringement: The complaint alleges willful infringement based on both pre-suit and post-suit knowledge. It alleges pre-suit knowledge dating to at least April 27, 2020, when Defendant cited the ’524 patent to the USPTO during the prosecution of its own patent application (Compl. ¶ 93). It further alleges knowledge of all asserted patents since the filing of the original complaint (Compl. ¶ 92).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of functional equivalence: Does the accused platform’s general process of "contextualization and analysis" perform the specific, multi-part technical functions required by the asserted claims, such as calculating "resiliencies" ('331 Patent) or "deriving observations" based on both the number of malicious assets and the duration of malicious activity ('524 Patent)?
  • A key legal question will be one of definitional scope: Can terms like "resiliencies" and "entity map," which are described with both broad functional language and more specific examples in the patents, be construed to cover the functionality of the Black Kite Platform as described in the complaint?
  • A central factual question for willfulness will be the effect of pre-suit knowledge: Can Plaintiff demonstrate that Defendant's citation of the '524 patent during its own prosecution establishes not only knowledge of that patent but also a deliberate or willfully blind intent to infringe the broader portfolio of asserted patents?