Square Inc v. Protegrity Corp

1. Case Identification

• Case #: CBM2014-00182
• Patent #: 8,402,281
• Filed: August 29, 2014
• Petitioner(s): Square, Inc.
• Patent Owner(s): Protegrity Corporation
• Challenged Claims: 1-60

2. Patent Overview

• Title: Data Security System For a Database
• Brief Description: The ’281 patent relates to a system for protecting data in a database against unauthorized access. The system uses a separate data protection table that stores a plurality of data processing rules which must each be satisfied before a corresponding portion of data can be accessed.

3. Grounds for Unpatentability

Ground 1: Patent Ineligibility under 35 U.S.C. §101 - Claims 1-60 are invalid as directed to an abstract idea.

• Core Argument for this Ground: Petitioner argued that all claims of the ’281 patent are directed to the abstract idea of rule-based data access—determining whether to grant access to data based on satisfying one or more rules. Petitioner asserted this is a fundamental and long-standing concept, analogous to protecting sensitive financial data, which has long been prevalent in commerce.
  • Prior Art Mapping: The claims were alleged to merely require generic computer implementation of this abstract idea, reciting conventional components like a "database" and a "processor" performing their ordinary functions. Petitioner contended that the claim limitations, viewed individually or as an ordered combination, failed to add an inventive concept sufficient to transform the abstract idea into a patent-eligible application. Dependent claims were argued to add only well-known and routine limitations, such as restricting access based on user identity, program type, time of day, or the use of conventional encryption, none of which tie the abstract idea to a specific, inventive technological implementation.

Ground 2: Anticipation by Denning - Claims 1, 2, 5, 6, 9, 10, 12-18, 21, 22, 25, 26, 28-34, 37, 38, 41, 43-48, 51, 52, 55, and 57-60 are anticipated under 35 U.S.C. §102 by Denning.

• Prior Art Relied Upon: Denning (Cryptography and Data Security, 1982).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner asserted that Denning, a foundational text on data security, taught every element of the challenged claims. Denning described an "access-matrix model" for controlling access to objects (data portions) in computer and database systems. This model explicitly disclosed maintaining a database with a plurality of data portions, maintaining a separate table (the access matrix) containing "decision rules" for each data portion, receiving a request to access data, determining if the associated rules are satisfied, and granting access based on that determination. Denning further disclosed applying these access controls to specific database columns and fields, restricting access based on user identity, and implementing encryption in the context of access control systems.

Ground 3: Obviousness over Denning and FIPS - Claims 7, 8, 12-14, 16, 23, 24, 28-30, 32, 39, 40, 43-46, 53, 54, and 57-60 are obvious over Denning in view of FIPS PUB 140-1.

• Prior Art Relied Upon: Denning (Cryptography and Data Security, 1982) and FIPS PUB 140-1 (Security Requirements for Cryptographic Modules, 1994).

• Core Argument for this Ground:

  • Prior Art Mapping: Denning provided the foundational system for rule-based access control. FIPS PUB 140-1, a widely known federal standard for cryptographic security systems, taught the specific limitations related to encryption recited in the dependent claims. This included defining multiple security levels for cryptographic modules, requiring role-based or identity-based authentication to access data, and specifying methods for cryptographic key distribution and storage.
  • Motivation to Combine: A person of ordinary skill in the art (POSITA), when implementing the general data security principles taught in Denning, would combine its teachings with a well-known, authoritative standard like FIPS PUB 140-1 to implement robust and standardized encryption features. Denning itself was presented as a survey of the field that encourages consulting other references for specific implementations.
  • Expectation of Success: A POSITA would have a reasonable expectation of success in combining the general access-control framework of Denning with the specific encryption standards of FIPS PUB 140-1. This combination represented a predictable application of known technologies to achieve the expected result of a more secure data access system.

• Additional Grounds: Petitioner asserted an alternative obviousness challenge for the claims challenged under Ground 2 based solely on Denning, arguing that even if the reference did not explicitly anticipate every limitation, combining teachings from different chapters of the single reference would have been obvious to a POSITA.

4. Key Claim Construction Positions

• Database: Petitioner argued for a broad construction of "database" to include "any organization of structured data," consistent with a position taken by the Patent Owner in related district court litigation.
• Data Processing Rules: The term was proposed to broadly refer to rules for processing data, where "processing" includes any form of reading, printing, altering, coding, moving, or copying data, as defined in the ’281 patent’s specification.
• Data Category: Based on the prosecution history of the parent patent, Petitioner argued "data category" should be construed to mean "data element type" and to broadly include any class or division of data that shares one or more characteristics or attributes.
• Encryption/Encrypted: Under the broadest reasonable construction, these terms were argued to refer to any conversion of data into a non-interpretable form, including methods like hashing, as explicitly defined in the specification.

5. Relief Requested

• Petitioner requested institution of a Covered Business Method Patent Review and cancellation of claims 1-60 of the ’281 patent as unpatentable.