DCT
1:24-cv-00864
QuickVault Inc v. Broadcom
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: QuickVault, Inc. (Georgia)
- Defendant: Broadcom Inc. (Delaware)
- Plaintiff’s Counsel: OhanianIP; Hill, Kertscher & Wharton, LLP
- Case Identification: 1:24-cv-00864, W.D. Tex., 08/01/2024
- Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Defendant Broadcom resides in the district, maintains a regular and established place of business in Austin, Texas, and has committed acts of infringement there.
- Core Dispute: Plaintiff alleges that Defendant’s Symantec Enterprise Cloud and Symantec VIP product suites infringe seven patents related to forensic data tracking, data loss prevention, and secure remote data access.
- Technical Context: The technology at issue falls within the enterprise cybersecurity domain, specifically focusing on Data Loss Prevention (DLP) and multi-factor authentication systems designed to protect sensitive data and monitor its movement across corporate networks.
- Key Procedural History: The asserted patents are part of an extended family stemming from 2014 and 2015 priority applications. Several of the patents, including the ’300 Patent, are subject to a terminal disclaimer, which may limit the enforceable term of a later-issued patent to that of an earlier-issued family member.
Case Timeline
| Date | Event |
|---|---|
| 2014-09-12 | Earliest Priority Date Asserted ('200, '092, '300, '840, '125 Patents) |
| 2015-01-01 | QuickVault creates its CloudVault® Health business unit |
| 2017-02-07 | U.S. Patent No. 9,565,200 Issues |
| 2018-05-01 | U.S. Patent No. 9,961,092 Issues |
| 2021-05-04 | U.S. Patent No. 10,999,300 Issues |
| 2023-01-31 | U.S. Patent No. 11,568,029 Issues |
| 2023-04-25 | U.S. Patent No. 11,637,840 Issues |
| 2024-01-23 | U.S. Patent No. 11,880,437 Issues |
| 2024-02-06 | U.S. Patent No. 11,895,125 Issues |
| 2024-08-01 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
Editor's Note: Of the seven patents asserted in the complaint, documents for three were provided for this analysis. The first two, U.S. Patent Nos. 10,999,300 and 11,637,840, are analyzed in full. The third, U.S. Patent No. 11,568,029, is summarized in a capsule format. The remaining four asserted patents could not be analyzed.
U.S. Patent No. 10,999,300 - Method and System for Forensic Data Tracking
Issued May 4, 2021
The Invention Explained
- Problem Addressed: The patent describes the challenge enterprises face in complying with regulations like HIPAA and PCI, where sensitive data can "leak" outside of protected environments via methods like USB drives or public cloud storage services. (’300 Patent, col. 2:28-39). Traditional network security and Data Loss Prevention (DLP) tools are described as insufficient to track or control data once it has left the enterprise's direct possession. (’300 Patent, col. 2:40-51).
- The Patented Solution: The invention proposes a "Forensic Computing Platform" comprising a cloud-based control server that communicates with software agents installed on endpoint devices. (’300 Patent, Abstract; Fig. 1). These agents scan files, and based on a central policy, classify them and send "meta logs" (e.g., file name, classification, user, endpoint ID) to the server for analysis, alerting, and reporting. (’300 Patent, col. 3:19-24, col. 5:29-41). This allows an administrator to track the location and movement of sensitive data elements across the network.
- Technical Importance: This system architecture augments traditional perimeter-based security by focusing on the data itself, providing visibility and an audit trail even as data moves between authorized and unauthorized devices. (’300 Patent, col. 2:61-67).
Key Claims at a Glance
- The complaint asserts independent claim 1. (Compl. ¶52).
- Claim 1 of the ’300 Patent recites a forensic computing platform comprising a cloud control server and modules that perform the steps of:
- Receiving a meta log from an endpoint, the meta log associated with a file and including a file name, data element tags, a date, and an endpoint ID.
- Storing the meta log in a meta database.
- Analyzing the data element tags based on a configured setting and criteria.
- Determining a data classification for the file based on that analysis.
- Predicting data breaches based on degree changes in data topology, using signals from an analytics component that consumes the meta data.
- The complaint does not explicitly reserve the right to assert dependent claims.
U.S. Patent No. 11,637,840 - Method and System for Forensic Data Tracking
Issued April 25, 2023
The Invention Explained
- Problem Addressed: The patent’s background section is substantially similar to that of the ’300 Patent, identifying the failure of existing security measures like firewalls and passwords to prevent breaches of sensitive data and the inability of conventional DLP tools to track data once it leaves a protected environment. (’840 Patent, col. 2:28-51).
- The Patented Solution: The invention is a method for forensic data tracking implemented by a computing system. The system receives meta data about a file at an endpoint and analyzes it against a policy to determine a classification. (’840 Patent, Abstract). The key inventive step is "further determining" that the file is unauthorized based on a "pattern of data use that constitutes a deviation from normal behavior," which then triggers a responsive action like deleting or encrypting the file. (’840 Patent, col. 36:40-48).
- Technical Importance: The method provides a dynamic, behavior-based approach to data security, moving beyond static rules to identify and remediate policy violations based on anomalous user or system activity. (’840 Patent, col. 7:4-9).
Key Claims at a Glance
- The complaint asserts independent claim 1. (Compl. ¶62).
- Claim 1 of the ’840 Patent recites a computer-implemented method comprising the steps of:
- Receiving meta data associated with an electronic file at an endpoint.
- Analyzing the meta data based on a configured setting and policy.
- Determining a data classification for the file.
- Further determining that the file is unauthorized "due to a pattern of data use that constitutes a deviation from normal behavior," where the deviation is a discovery that the endpoint has increased a total number of files by a certain percentage.
- Performing one or more responsive actions in response to the determination of unauthorized status.
- The complaint does not explicitly reserve the right to assert dependent claims.
Multi-Patent Capsule: U.S. Patent No. 11,568,029
- Patent Identification: U.S. Patent No. 11,568,029, Method and System for Remote Data Access, issued January 31, 2023.
- Technology Synopsis: The patent addresses secure remote access to data, particularly through multi-factor authentication that involves a mobile device. It describes a system where a user on a PC must use a separate mobile device (with a dedicated software application) to authenticate before being granted access to data on a remote server, adding a security layer beyond a simple PC-based password. (’029 Patent, Abstract; col. 3:9-20).
- Asserted Claims: The complaint asserts independent claim 1. (Compl. ¶92).
- Accused Features: The complaint accuses Broadcom’s Symantec VIP product, which it describes as a "multifactor authentication system for managing user and administrator access," of infringing the ’029 Patent. (Compl. ¶7, 90).
III. The Accused Instrumentality
Product Identification
- The complaint names two product suites: (1) Broadcom's Symantec Enterprise Cloud, which includes Symantec Data Loss Prevention and Symantec CloudSOC, and (2) Symantec VIP. (Compl. ¶5, 7).
Functionality and Market Context
- The complaint alleges that Symantec Enterprise Cloud provides "information security protection across endpoints, network, cloud, and storage." (Compl. ¶5). Its central function is described as the deployment of "agent software on endpoints to detect, classify, and track data as well as to enable remote administrators to monitor and remediate policy violations." (Compl. ¶6). This functionality is accused of infringing patents related to forensic data tracking, such as the ’300 and ’840 Patents. (Compl. ¶50, 60).
- Symantec VIP is identified as a "multifactor authentication system for managing user and administrator access." (Compl. ¶7). This functionality is accused of infringing patents related to remote data access, such as the ’029 Patent. (Compl. ¶90).
- No probative visual evidence provided in complaint.
IV. Analysis of Infringement Allegations
The complaint references claim-chart exhibits that are not provided. The narrative infringement theories for the lead patents are summarized below.
’300 Patent Infringement Allegations
- The complaint alleges that Broadcom’s Symantec Enterprise Cloud practices every limitation of claim 1 of the ’300 Patent. (Compl. ¶52). While the detailed claim chart was not provided, the narrative theory suggests that the Symantec Enterprise Cloud functions as the claimed "forensic computing platform," with its endpoint agents generating data analogous to the claimed "meta log" and its central console performing the claimed "analyzing," "determining," and "predicting" steps. (Compl. ¶6, 50-52).
’840 Patent Infringement Allegations
- The complaint alleges that Broadcom and its customers, under Broadcom's direction and control, perform the method steps of claim 1 of the ’840 Patent using the Symantec Enterprise Cloud. (Compl. ¶62). The narrative theory suggests that the accused product performs the steps of receiving file data ("meta data"), analyzing it against policies, determining a classification, identifying a "deviation from normal behavior," and performing a responsive action like deleting or encrypting the file. (Compl. ¶4, 6, 60-62).
Identified Points of Contention
- Scope Questions: A central issue for the ’300 Patent may be whether the term "predicting data breaches," as used in the patent, can be construed to cover the alerting and reporting functions of the accused Symantec product. The analysis may turn on whether the accused product is merely reactive to policy violations or if it performs a forward-looking, predictive analysis as contemplated by the claim. For the ’840 patent, a question is whether a system that enforces pre-set, static rules (e.g., "no credit card numbers in this folder") performs the claimed step of identifying a "deviation from normal behavior," which may imply a dynamic, baseline-driven analysis.
- Technical Questions: An evidentiary question for the ’300 Patent will be what technical mechanism within the Symantec Enterprise Cloud performs the function of analyzing "degree changes in data topology" to "predict" breaches. For the ’840 Patent, a key question will be what evidence the complaint provides that the accused product establishes a baseline of "normal behavior" for a user or endpoint and then detects a "deviation" from it, as opposed to simply flagging a violation of a static policy rule.
V. Key Claim Terms for Construction
The Term: "predicting data breaches" (’300 Patent, Claim 1)
- Context and Importance: This term is critical because it defines a high-level function of the claimed system. Practitioners may focus on this term because the dispute may hinge on whether the accused product’s alerting on current, anomalous activity constitutes "predicting" a future breach, or if it is merely a reactive monitoring system.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent states that the "Prophet" component "predicts data breaches based on degree changes in data topology," suggesting a specific functional module. (’300 Patent, col. 15:4-6). The background also frames the invention in the context of augmenting security by "focusing on the actual data" and its context, which may support a broader functional interpretation beyond simple rule-matching. (’300 Patent, col. 2:61-64).
- Evidence for a Narrower Interpretation: The detailed descriptions of system operations, such as in the sequence diagrams (e.g., Fig. 7), show steps of "analyze log data" and "create alert." A defendant may argue these depict a conventional reactive alerting system, not a predictive one, thereby narrowing the scope of "predicting." (’300 Patent, Fig. 7).
The Term: "deviation from normal behavior" (’840 Patent, Claim 1)
- Context and Importance: The infringement analysis for the ’840 Patent will likely depend on the construction of this phrase. Practitioners may focus on this term because its definition will determine whether a simple rule-based policy engine infringes, or if the claim requires a more sophisticated, dynamic, baseline-driven anomaly detection system.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification describes the "Analytics Component" as being operable to answer questions like, "Have any Authorized Internal Users recorded a spike in data transmission... compared to their prior behavior or the average user behavior?" (’840 Patent, col. 7:4-9). This language supports an interpretation based on comparing current activity to historical baselines.
- Evidence for a Narrower Interpretation: The patent also describes configuring "alert thresholds" in a settings table, which could be interpreted as implementing static, predefined rules. (’840 Patent, col. 8:61-63). A defendant could argue that "deviation from normal behavior" requires a specific type of statistical anomaly detection that is distinct from merely exceeding a pre-set threshold.
VI. Other Allegations
Indirect Infringement
- The complaint alleges active inducement of infringement for all asserted patents. The factual basis alleged is that Broadcom provides its products to customers and publishes websites and other materials that instruct and encourage customers to use the products in an infringing manner. (Compl. ¶35-37, 45-47, 55-57, 65-67, 75-77, 85-87, 95-97). For method claims, the complaint also alleges infringement under a theory of direction and control. (Compl. ¶62, 80, 90).
Willful Infringement
- The complaint does not use the word "willful" but alleges that Broadcom has knowledge of the asserted patents and its infringement "at least as of the service and filing of this Complaint." (Compl. ¶36, 46, 56, 66, 76, 86, 96). This allegation forms a basis for potential post-suit enhancement of damages. The prayer for relief additionally seeks a finding that the case is "exceptional" under 35 U.S.C. § 285. (Compl. p. 28).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the functional term "predicting data breaches" in the ’300 Patent be construed to read on the accused product’s system of analyzing data and alerting on policy violations, or is there a fundamental mismatch between predictive and reactive security models?
- A key evidentiary question will be one of functional operation: does Broadcom’s Symantec Enterprise Cloud platform technically operate by establishing a dynamic baseline of "normal behavior" and detecting a "deviation" from it as required by the ’840 Patent, or does it enforce static, pre-configured policy rules that fall outside the claim’s scope?
- A central question of technical mapping will be whether the specific authentication and data validation steps performed by the Symantec VIP product meet the sequence of limitations recited in the asserted claims of the remote data access patents, such as the ’029 Patent.