Finjan, Inc. v. Sophos Inc.

Full title: FINJAN, INC., Plaintiff, v. SOPHOS, INC., Defendant.

Court: UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA

Date published: Mar 14, 2017

244 F. Supp. 3d 1016 (N.D. Cal. 2017)

Opinion

Case No. 14–cv–01197–WHO

03-14-2017

FINJAN, INC., Plaintiff, v. SOPHOS, INC., Defendant.

Paul J. Andre, Hannah Yunkyung Lee, James R. Hannah, Kristopher Benjamin Kastens, Lisa Kobialka, Kramer Levin Naftalis & Frankel LLP, Menlo Park, CA, Benu C. Wells, Cristina Lynn Martinez, Shannon Hedvat, Kramer Levin Naftalis and Frankel LLP, New York, NY, Yuridia Caire, Menlopark, CA, for Plaintiff. Amy H. Walters, John Allcock, Kathryn Riley Grasso, Sean C. Cunningham, Jacob Daniel Anderson, David Rae Knudson, Peter Patrick Maggiore, DLA Piper LLP, San Diego, CA, Summer Kristen Torrez, Eduardo J. Blanco, DLA Piper LLP, Palo Alto, CA, Andrew Neal Stein, DLA Piper LLP, Washington, DC, Jeffrey Reuben Cole, Todd Scott Patterson, DLA Piper LLP, Austin, TX, Krista Anne Celentano, Summer Krause, DLA Piper LLP, East Palo Alto, CA, for Defendant.

William H. Orrick, United States District Judge

Paul J. Andre, Hannah Yunkyung Lee, James R. Hannah, Kristopher Benjamin Kastens, Lisa Kobialka, Kramer Levin Naftalis & Frankel LLP, Menlo Park, CA, Benu C. Wells, Cristina Lynn Martinez, Shannon Hedvat, Kramer Levin Naftalis and Frankel LLP, New York, NY, Yuridia Caire, Menlopark, CA, for Plaintiff.

Amy H. Walters, John Allcock, Kathryn Riley Grasso, Sean C. Cunningham, Jacob Daniel Anderson, David Rae Knudson, Peter Patrick Maggiore, DLA Piper LLP, San Diego, CA, Summer Kristen Torrez, Eduardo J. Blanco, DLA Piper LLP, Palo Alto, CA, Andrew Neal Stein, DLA Piper LLP, Washington, DC, Jeffrey Reuben Cole, Todd Scott Patterson, DLA Piper LLP, Austin, TX, Krista Anne Celentano, Summer Krause, DLA Piper LLP, East Palo Alto, CA, for Defendant.

ORDER RE POST–TRIAL MOTIONS

William H. Orrick, United States District Judge

INTRODUCTION

In this patent case, plaintiff Finjan, Inc. ("Finjan") accuses Sophos, Inc. ("Sophos") of infringing five of Finjan's patents in the malware security software space. Following a two week trial, a jury found that Sophos infringed all five of Finjan's asserted patents and awarded damages of $15 million for the life of the patents. The parties have filed five post-trial motions: Finjan filed a Motion for Attorneys' Fees and Costs, a Motion for a New Trial, or in the Alternative, Remittitur, and a Motion to Amend the Judgment and for an Injunction; and, Sophos filed a Renewed Motion for Judgment as a Matter of Law and a Motion for a Partial Judgment and Finding of Fact. All five motions are DENIED, with the exception that Finjan's request for Pre- and Post–Judgment Interest is GRANTED. Pre- and Post–Judgment interest will be awarded at the treasury bill rate.

MOTION FOR ATTORNEYS' FEES

BACKGROUND

Finjan moves for Attorneys' Fees and Costs under 35 U.S.C. § 285 of the Patent Act, which permits courts to award attorneys' fees in "exceptional cases." Finjan asserts that this is an "exceptional case" because Sophos: (1) pursued objectively unreasonable invalidity defenses premised on egregious litigation misconduct; (2) pursued meritless non-infringement defenses; (3) engaged in pre-trial misconduct by refusing to streamline issues for trial; (4) engaged in discovery misconduct related to its production of source code; and (5) improperly delayed document production and produced irrelevant documents. After reviewing the parties' briefs and the facts presented, I conclude that this is not an exceptional case warranting attorneys' fees and costs.

LEGAL STANDARD

Section 285 permits a court to award attorneys' fees only in "exceptional cases" or ones that are "uncommon, rare, or not ordinary." Octane Fitness, LLC v. ICON Health & Fitness, Inc. , ––– U.S. ––––, 134 S.Ct. 1749, 1756, 188 L.Ed.2d 816 (2014). A case is exceptional when it "stands out from others with respect to the substantive strength of a party's litigating position (considering both the governing law and the facts of the case) or the unreasonable manner in which the case was litigated." Id. "District courts may determine whether a case is 'exceptional' in the case-by-case exercise of their discretion, considering the totality of the circumstances." Id. Relevant factors in assessing whether a case is exceptional include "frivolousness, motivation, objective unreasonableness (both in the factual and legal components of the case) and the need in particular circumstances to advance considerations of compensation and deterrence." Id. at 1756, n.6. Most courts awarding attorneys' fees post- Octane "have generally cited egregious behavior." Aylus Networks, Inc. v. Apple, Inc. , No. 13-cv-4700-EMC, 2016 WL 1243454, at *7 (N.D. Cal. Mar. 30, 2016).

DISCUSSION

I. SOPHOS'S INVALIDITY DEFENSES

Finjan first argues that Sophos engaged in egregious litigation misconduct by putting forward meritless invalidity defenses. It asserts that Sophos relied on a trial demonstrative and third-party components that were not prior art to satisfy claim elements of its Asserted Sweep–InterCheck Art. Review of the record undermines Finjan's claims.

A. The Demo2 Demonstrative

Finjan asserts that Sophos improperly relied exclusively on "Demo2", a trial demonstrative, to show certain elements of Claim 7 of the '844 Patent, Claim 18 of the '926 patent, and Claim 14 of the '494 Patent ("the Script Claim Elements") that were necessary to its anticipation argument. Because Demo2 was created as a trial demonstrative, it is not prior art and could not be used as direct evidence of anticipation. Indeed, in my May Order on Finjan's summary judgment motion for validity, I noted that "Dr. Cohen obviously cannot rely on the Demo2 programs as distinct prior art references." Dkt. No. 205 at 18. Finjan asserts that Sophos violated this order because for the Script Claim Elements Dr. Cohen directed the jury only to his slides on the Demo2 demonstrative and not to any actual source code. Finjan argues that this is serious misconduct and makes this an exceptional case. See, z4 Techs., Inc. v. Microsoft Corp. , No. 6-c-142, 2006 WL 2401099, at *23 (E.D. Tex. Aug. 18, 2006), aff'd , 507 F.3d 1340 (Fed. Cir. 2007) (awarding fees where defendant submitted false declaration to beat summary judgment).

Despite Finjan's assertions, the trial record shows that Sophos did not attempt to rely on Demo2 as prior art. Dr. Cohen was clear that Demo2 was a "program that is compiled from a source code program that [he] wrote that is intended to demonstrate the things that we're talking about SWEEP–InterCheck doing." Trial Tr. at 1369:7–13. He added that Demos 2 was used to "test that [his] analysis of the code was correct." Trial Tr. at 1461:18–19. When asked by Finjan's counsel whether Demo2 satisfied a limitation of the asserted claims Dr. Cohen responded that "SWEEP–InterCheck is the thing that meets the limitations." Trial Tr. at 1495:7–10.

As the record shows, Dr. Cohen used Demo2 as a demonstrative to help explain and demonstrate his analysis of SWEEP–InterCheck. That Dr. Cohen pointed to his slides from the Demo2 presentation when asked about the Script Claim Elements does not indicate that Dr. Cohen attempted to use Demo2 itself as prior art. Given the full context of Dr. Cohen's testimony it appears that Dr. Cohen was referring the jury generally to his testimony and analysis on SWEEP–InterCheck and the portions of his Demo2 demonstration that helped illustrate the testimony most relevant to the Script Claim Elements. Dr. Cohen's use of Demo2 as a demonstrative was appropriate and not misconduct.

B. Demo2's Programming and Reference to JavaScript

Finjan next argues that Sophos engaged in misconduct because Dr. Cohen programmed Demo2 to display words referencing "JavaScript" or "script." Finjan contends that this misleadingly gave the impression that SWEEP–InterCheck can execute JavaScript, when it cannot, and that Sophos relied on this misimpression to argue that SWEEP–InterCheck was able to receive and inspect Downloadables, even when "the Downloadable includes JavaScript script." Ex. 3 Trial Tr. at 1407:24–1408:13; 1483:22–1484:1. It argues that because the Asserted Sweep Art could not execute JavaScript, Sophos's attempt to show that it was able to receive and inspect JavaScript Downloadables was frivolous and misleading.

Sophos's attempt to show that SWEEP–InterCheck satisfied this claim element was not misleading. Sophos did not attempt to argue that SWEEP–InterCheck could execute JavaScript—instead it argued that the claim did not require that the product "execute JavaScript" but merely receive and inspect it. This is a reasonable, plain language interpretation of the claim and does not demonstrate any kind of misconduct. Further, Dr. Cohen was clear to explain that SWEEP–InterCheck does not execute JavaScript. Oppo. to Fees Mot. at 6. When asked whether he had tried to show that SWEEP can execute a JavaScript program, Dr. Cohen testified, "No, that's not what I said. What I said was pretty clear, that the executable program contained JavaScript, that it printed it, that it wasn't interpreted or run in anyway. It just included it. That's what the patent says." Trial Tr. at 1463:18–25. Dr. Cohen's inclusion of the "JavaScript" language in his Demo2 program was reasonable and was not part of a scheme to mislead the jury about SWEEP's ability to execute a JavaScript program. Dr. Cohen's programming does not make this an exceptional case.

C. Ethernet Cards and Web Browsers

Finally, Finjan argues that Sophos's invalidity arguments were frivolous because Dr. Cohen testified that an Ethernet and Web Browser satisfied certain elements of the patents for the purposes of anticipation, but these items were not part of the Asserted Sweep Art source code. Mot. for Fees at 12. Sophos rebuts that it did not attempt to argue that the Ethernet and Web Browser were prior art, but that SWEEP–InterCheck is prior art and necessarily requires these outside elements to work. Oppo. to Fees at 7.

"A prior art reference may anticipate without disclosing a feature of the claimed invention if that missing characteristic is necessarily present, or inherent, in the single anticipating reference." Schering Corp. v. Geneva Pharm. , 339 F.3d 1373, 1377 (Fed. Cir. 2003). Sophos argues, "Just as a computer is necessary to run SWEEP–InterCheck, an Ethernet Card and Microsoft operating system are necessary components of the computer system." Oppo. to Fees at 7. Notably, in the prior case between Finjan and Sophos, the Delaware court permitted Sophos to rely on these outside elements in asserting its prior art. Id. ; Finjan, Inc. v Symantec Corp. , 2013 WL 5302560, at *18 (D. Del. Sept. 19, 2013) ( JMOL Order ) ("[A]s SWEEP–InterCheck receives incoming Downloadables, a functionality that the jury observed, it is clear that a network interface would be necessary to receive that Downloadable.").

Sophos did not engage in misconduct by arguing that SWEEP–InterCheck included an Ethernet Card and Web Browser. It has made a plausible showing that SWEEP included an Ethernet Card and operating system even though these elements are not disclosed in the claimed invention. Further, because Sophos successfully made this argument before the Delaware court, it was not objectively frivolous or unreasonable for it to assert the same argument here. Sophos's reliance on the Ethernet and Web Browser as part of its anticipation argument does not make this an exceptional case.

II. NON–INFRINGEMENT DEFENSE

A. Mr. Klausner's Construction of the term "database"

Finjan argues that Sophos acted extraordinarily because its non-infringement expert, Mr. Klausner, offered an unreasonable interpretation of the term "database." Mot. for Fees at 12. At claim construction, I construed the term "database" to mean "[a] collection of interrelated data organized according to a database scheme to serve one or more applications." Dkt. No. 73 at 3. (emphasis added). At trial, and previously in his expert report, Klausner opined that the requirement to "serve one or more applications" required a database to serve at least two applications. Trial Tr. at 1241:18–19. Finjan asserts that this opinion is a frivolous perversion of the English language and so entitles them to fees and costs.

Although Klausner's interpretation of "database" was not particularly convincing, this single aspect of his opinion does not render this an extraordinary case. First, Klausner's non-infringement opinion did not hinge on this interpretation. As he testified at trial, he did not base his non-infringement opinion on whether a database "has to be more than one application." Indeed the issue was only raised by Finjan on cross examination for impeachment purposes. Trial Tr. 1241:4–6. The focus of Klausner's non-infringement opinion was instead that Sophos's accused products do not have "databases" within the meaning of the patent because they do not have a "database manager" and because they do not store information. For example, he explained that Sophos's Blackboard system does not have a database manager and does not store information because when it receives a downloadable security profile system "it just sits in memory, just for the scan of that one particular file, and then goes away." Trial Tr. at 1222:3–14. Mr. Klausner's interpretation that "database" must serve more than one application was irrelevant to this testimony.

While Klausner's interpretation that a "database" must serve more than one application was not persuasive, his non-infringement opinion did not rely on this interpretation. This minor aspect of his opinion had virtually no impact on the case. If anything, Klausner's interpretation of "database" provided Finjan a strong line of attack on Klausner's credibility, an issue that Finjan successfully emphasized on cross-examination and in closing arguments. Klausner's interpretation of "database" does not make this an exceptional case.

B. Klausner relied on the Delaware case

Finjan asserts that Sophos acted unreasonably because its infringement expert Mr. Klausner relied on and referenced the Delaware action in his expert report. Mot. for Fees at 8. Finjan claims that this was improper because the Delaware action involved different patents and different products and so was irrelevant to the claims here. Id. While I have previously expressed skepticism that the Delaware action is relevant to the issues of infringement and invalidity in this case, Klausner did not engage in gross misconduct by referencing it in his report. An expert is entitled to rely on anything typically relied on by experts in their field. Fed. R. Evid. 703. The '194 patent, asserted in the Delaware case, is directly related to four of the patents asserted in this case, and the accused products and technology are similar in both cases. Klausner's attempt to draw parallels to the Delaware case was not unreasonable and does not justify awarding attorneys' fees.

III. STREAMLINING ISSUES

Finjan argues that Sophos acted unreasonably because it refused to narrow its election of SWEEP–InterCheck products early in the litigation. Mot. for Fees at 15. Early in the case, Sophos asserted hundreds of versions of Sweep and InterCheck as prior art, despite requests from Finjan to elect particular versions and combinations. Sophos maintained that it was unnecessary for it to elect particular versions of SWEEP and InterCheck because there were no substantive differences between individual versions. When Sophos's expert Dr. Cohen used previously undisclosed versions of the products in his expert report, Finjan filed a motion to strike his opinions, which I granted. I subsequently ordered Sophos to elect a single combination of SWEEP–InterCheck to assert as prior art, which it then did. Finjan argues that Sophos's failure to elect a single version of prior art earlier in the litigation, or otherwise narrow its election to fewer versions, caused Finjan to waste considerable time and expense and was unreasonable.

Sophos's position that SWEEP–InterCheck is a single product and that it was therefore not necessary for it to elect particular versions was not wholly unreasonable. There is no evidence that Sophos engaged in misconduct by failing to narrow its election of particular SWEEP–InterCheck versions earlier in the litigation. Sophos's failure to comply with Finjan's request does not make this an exceptional case.

IV. SOURCE CODE

Finjan asserts that Sophos engaged in misconduct by attempting to obfuscate its source code productions. It contends that Sophos required Finjan to pay to have the source code transferred from Texas to California; that it produced source code that was organized in a confusing way with no discernible directory structure; that it pointed Finjan to a particular directory containing 29,000 files that it later admitted did not have relevant code; that Sophos's engineers testified that the source code production did not appear to be organized the way it was organized in the ordinary course; that Sophos presented a "blueprint" of the source code that failed to make the code discernible; that Sophos eventually gave Finjan access to its Perforce system where Finjan could see previously unviewable comments and references to Finjan that later disappeared; and that Sophos produced highly relevant source code near the end of discovery. Mot. for Fees at 17–19.

Sophos rebuts that it did not do anything improper and that Finjan's trouble with understanding its source code does not amount to misconduct on the part of Sophos. It responds to Finjan's accusations by explaining that it produced its source code as it was kept in the ordinary course and only altered the code by dividing it into three top-level folders for the purposes of production; that Sophos provided Finjan with information on where the master build files were in its source code so that it could make sense of the code and offered to help Finjan's reviewer find the master build files; that it provided Finjan with access to its internal Perforce source code repository which includes both released code and code that is still in development—something that most technology companies would never provide access to; that it did not restrict Finjan's access to comments and references to Finjan in the Perforce system and demonstrated during the deposition of Robert Cook that it was still possible to access these files using Finjan's credentials; and that the code produced near the end of discovery was updated versions of the code Finjan already had that had previously not been available for production. Oppo. to Fees at 10–12.

Discovery of complex information, such as source code, is expensive and difficult and often requires substantial time and energy from all parties. Finjan highlights a number of problems in making sense of the Sophos source code and some hiccups in the production process, but these sorts of problems are to be expected during complex discovery. There is no evidence that Sophos intentionally obfuscated its code. All relevant code was produced by the discovery deadline. The conduct here does not rise to the level of misconduct: Sophos did not refuse to produce relevant information, did not violate any court orders, and did not display a "shifting litigation position." Juniper Networks, Inc. v. Toshiba Am., Inc. , No. 5-c-479, 2007 WL 2021776, at *3–5 (E.D. Tex. July 11, 2007) ; Fleming v. Escort, Inc. , No. 9–c–105, 2014 WL 713532, at *2 (D. Idaho Feb. 21, 2014) ; Trs. of Bos. Univ. v. Everlight Elecs. Co. , No. 12-c-11935, 2016 WL 3976603, at *3–4 (D. Mass. July 22, 2016). Sophos's conduct was reasonable and does not evidence misconduct.

V. DOCUMENT PRODUCTION

Finally, Finjan argues that Sophos acted unreasonably by producing over ten thousand pages of irrelevant documents; by producing thousands of spam emails; and by producing a substantial number of documents late in the discovery period, even though it had printed many of those documents many months earlier. Mot. for Fees at 21.

Sophos acknowledges that it inadvertently produced some irrelevant documents, but notes that these documents represented a fraction of the total documents produced and asserts that this does not make this an exceptional case. Vehicle IP, LLC v. Gen. Motors Corp. , No. 07-c-345, 2008 WL 2273682, at *4 (W.D. Wis. June 2, 2008) (the production of irrelevant documents was "not so unusual (unfortunately) as to make this an exceptional case"). It explains that it produced the "spam" emails because these emails were responsive to specific search-term requests Finjan had made and it was trying to comply with those requests. Oppo. to Fees at 14. Finally, it notes that it produced all responsive documents before the close of fact discovery and asserts that a minor discovery dispute, such as this, does not make this an exceptional case. Indus., Inc. v. Kari–Out Club, LLC , No. 08-c-5349, 2013 WL 4730653, at *3 (D.N.J. Sept. 3, 2013) ("[P]edestrian discovery disputes of the type concomitant with intellectual property litigation" do not make a case exceptional). Sophos's conduct during document production appears to have been reasonable and does not make this an exceptional case.

As Finjan's arguments reveal, this was a hard fought and zealously litigated case. Finjan has pointed to various disputes between the parties that arose during the two years of this litigation but has failed to identify any conduct by Sophos that would rise to the level of misconduct necessary to find this an "exceptional case" and award attorneys' fees under Section 285. I conclude that attorneys' fees are not appropriate. Finjan's motion for attorneys' fees and costs is DENIED.

MOTION FOR NEW TRIAL

BACKGROUND

Sophos moves for a new trial, or in the alternative, remittitur. Mot. for New Trial (Dkt. No. 423). It argues that it is entitled to a new trial on invalidity because (1) collateral estoppel should apply to the issue of anticipation by SWEEP–InterCheck; (2) the jury's verdict was against the clear weight of the evidence; (3) and Finjan intentionally presented evidence of post-grant proceedings at trial in violation of an in limine order. Id. at 2. It also contends that it is entitled to a new trial on infringement because the jury's verdict was against the clear weight of the evidence. Id. In the alternative, Sophos asserts that it is entitled to a remittitur on damages because Finjan improperly included fictional revenue in its royalty base. As discussed below, Sophos has failed to show that collateral estoppel applies to this case or that the jury's verdict was against the clear weight of the evidence. It has also failed to show that the jury's damage award included SophosLabs revenues. Sophos's motion for a new trial or a remittitur is denied.

LEGAL STANDARD

Under Federal Rule of Civil Procedure 59(a), a court may grant a new trial to any party on some or all issues after a jury trial. Fed. R. Civ. P. 59(a)(1). In patent cases, the local Circuit's law on Rule 59 governs the standard for granting a new trial. Finisar Corp. v. DirecTV Grp., Inc. , 523 F.3d 1323, 1328 (Fed. Cir. 2008). In the Ninth Circuit, a "district court can grant a new trial under Rule 59 on any ground necessary to prevent a miscarriage of justice." Experience Hendrix L.L.C. v. Hendrixlicensing.com Ltd. , 762 F.3d 829, 842 (9th Cir. 2014). DISCUSSION

I. NEW TRIAL ON INVALIDITY

A. Collateral Estoppel

Sophos asserts that it is entitled to a new trial on invalidity because collateral estoppel should apply to the issue of anticipation by SWEEP–InterCheck. Mot. for New Trial at 3. It contends that this exact issue was litigated in the prior Delaware action between the parties. Id. Collateral estoppel applies where (1) the issue to be resolved is identical to an issue raised in the prior litigation; (2) the issue was actually litigated in the prior litigation; and (3) the determination of the issue in the prior litigation was a necessary part of the judgment in that action. Littlejohn v. United States , 321 F.3d 915, 923 (9th Cir. 2003).

Sophos argues that collateral estoppel applies because "a jury in Delaware found all asserted claims of Finjan's '194 patent anticipated by SWEEP–InterCheck." Mot. for New Trial at 4. The '194 patent was not asserted in this case but is related to four of the five asserted patents: the '494, '844, '780, and '926 patents. Id. These four patents and the '194 patent all claim priority to the same provisional patent application (No. 60/30,639) and the four patents asserted in this case incorporate the '194 patent by reference. Because of the close relationship between the '194 patent and the patents asserted here, Sophos contends that many of the anticipation arguments for the asserted patents are collaterally estopped by the Delaware judgment.

Sophos previously raised this issue in its motion for partial summary judgment. It argued that collateral estoppel should apply because it was asserting the same combination of SWEEP–InterCheck in this case that it had asserted in the Delaware case—SWEEP–2.72 & InterCheck–2.11. However, I ruled that Sophos could not assert the SWEEP–2.72 & InterCheck–2.11 combination because it did not timely elect and disclose that combination in this case. Dkt. No. 205 at 34. Because Sophos's collateral estoppel argument hinged on the fact that it was asserting combination SWEEP–2.72 & InterCheck–2.11, and I ruled it could not assert that combination, I rejected its collateral estoppel argument. Id. In this case Sophos ultimately elected SWEEP–2.72 & InterCheck–2.01. Sophos argues that, despite my prior ruling, collateral estoppel should apply because (1) there is no legal requirement that a party assert an identical version of prior art to sustain a finding of invalidity; (2) there is no functional difference between the combinations of SWEEP–2.72 & InterCheck–2.11 and SWEEP–2.71 & InterCheck–2.01; and (3) it actually asserted SWEEP–2.72 & InterCheck–2.01 in the Delaware case.

First, Sophos contends that it is irrelevant that it asserted a different combination of SWEEP–InterCheck in the Delaware case than the combination asserted here because "all that is required is that the prior art product be the same in both cases, not the particular version of the product." Mot. for New Trial at 3. Sophos cites to Leader Techs. v. Facebook, Inc. , 678 F.3d 1300, 1307 (Fed. Cir. 2012), in which the Federal Circuit upheld an invalidity verdict based on evidence presented of a post-critical date version of the asserted prior art software reasoning that the patentee failed "to point to any contemporaneous evidence in the record that indicates that [a prior version] was substantively different from the post-critical date software." Sophos seems to argue that Leader Technologies establishes a legal rule that all versions of software are interchangeable for the purposes of prior art. But this argument is unsupported by the case: the Leader Technologies court did not conclude that all versions of software are inherently interchangeable as a matter of law, but that the relevant versions of software in that case were not substantively different. Id. Indeed, the court acknowledged that "as a general matter a computer scientist can easily modify and change software code and that two versions of the same software product may function differently." Id. Whether two versions of software are identical or interchangeable for the purposes of prior art is a factual issue, not a legal one. As the party asserting collateral estoppel it is Sophos's burden to show that the combination of SWEEP–InterCheck asserted in the Delaware case is interchangeable with the combination asserted here.

Sophos next addresses this exact issue, arguing that the version of SWEEP–InterCheck asserted in the Delaware case is materially identical to the combination asserted here. Sophos made this same argument in its motion for partial summary judgment, asserting that it was "undisputed" that the combination of SWEEP–2.72 & InterCheck–2.11 is materially identical to all other combinations of SWEEP–InterCheck. In my May 24 Order I responded to this argument as follows:

[C]ontrary to Sophos's repeated assertions, it is not undisputed that the various SWEEP–InterCheck combinations at issue in this case are materially identical. The only evidence identified by Sophos on this point—Dr. Cohen's report—says nothing about whether the different combinations of SWEEP–InterCheck are materially identical. Meanwhile, Finjan has presented evidence indicating that at least some of the SWEEP–InterCheck combinations are considerably different, in that certain of them—including SWEEP–2.72 & InterCheck–2.11 —are in fact "incompatible ... and would result in faulty operation." Jaeger Rpt. ¶ 185 (Kastens Decl. Ex. 38, Dkt. No. 143–40)

Sophos does not cite to any additional evidence demonstrating the similarity between the combination of SWEEP–InterCheck asserted in the Delaware case and the one asserted here and again relies exclusively on evidence that InterCheck 2.01 and 2.11 are substantively similar to each other. As I concluded in my prior order, this evidence does not address the similarity between the asserted combinations. Finjan has presented evidence that different combinations of SWEEP–InterCheck, including the SWEEP–2.72 & InterCheck–2.11 combination may be materially different from other asserted combinations. Jaeger Rpt. ¶ 185 (Kastens Decl. Ex. 38, Dkt. No. 143–40). Sophos has not demonstrated that the combination of SWEEP–2.72 & InterCheck–2.11 is materially identical to SWEEP–2.72 & InterCheck–2.01.

Finally, Sophos argues that SWEEP–2.72 & InterCheck–2.01, the combination asserted in this case, was also asserted in the Delaware case. It points to a reference from the Delaware court's JMOL order in which the court noted that "Mr. Klausner testified specifically as to which release he used in his invalidity analysis, stating that he relied on SWEEP version 2.72 and InterCheck version 2.11, as well as on InterCheck versions 2.01 and 2.10, which were earlier versions of the program incorporated into version 2.11." JMOL Order , 2013 WL 5302560 at *17. While this reference does suggest that Mr. Klausner considered the SWEEP–2.72 & InterCheck–2.01 combination, the Delaware court's discussion indicates that Sophos did not rely on this combination and instead relied exclusively on the SWEEP–2.72 & InterCheck–2.11 combination in pursuing its invalidity defense. The court noted that "the specific prior art reference on which Sophos and Websense rel[ied] [was] version 2.72 of Sweep and version 2.11 of Intercheck." Id. at *14. It also explained that "Sophos notes that its citations to source code were to a single version of SWEEP (version 2.72) and a single version of InterCheck (version 2.11), which were sold together as a single software product." Id. at *17. Despite Sophos's argument that it relied on the SWEEP–2.72 & InterCheck–2.01 combination in the Delaware case, the Delaware court's JMOL Order indicates that, in fact, it relied exclusively on the SWEEP–2.72 & InterCheck–2.11 combination.

Sophos has failed to show that collateral estoppel should apply in this case. It did not rely on the same combination of SWEEP–InterCheck in the Delaware case and has failed to present evidence that the combination of SWEEP–2.72 & InterCheck–2.01 (asserted here) and the combination of SWEEP–2.72 & InterCheck–2.11 (asserted in the Delaware case) are substantively identical. As a result, Sophos has failed to demonstrate that this case involves identical factual issues to the ones actually litigated in the Delaware action and collateral estoppel does not apply.

B. Clear and Convincing Evidence

Sophos next argues that it is entitled to a new trial on invalidity because it proved, by clear and convincing evidence, that its asserted SWEEP–InterCheck Art (1) was a single anticipatory reference; (2) was publicly available in the United States before 1995; and (3) satisfied every claim element of the asserted patents. As addressed below, Finjan presented evidence on all three of these issues that would have given the jury a reasonable basis for declining to find invalidity.

1. Single Anticipatory Reference

Sophos argues that it proved by clear and convincing evidence that SWEEP–InterCheck is a single prior art reference for anticipation purposes because Sophos witnesses testified that (1) after InterCheck was released, it was provided with SWEEP at no extra charge; (2) although SWEEP could work on its own, InterCheck was developed to work with SWEEP and could not function as a separate product; and (3) SWEEP–InterCheck was a single product. Mot. for New Trial at 15.

In response, Finjan asserts that there were substantial doubts that SWEEP–InterCheck was a single product because it presented evidence that (1) the programs were developed and released at different times; (2) had different source code repositories; (3) were distributed to customers on separate disks; (4) and that SWEEP could work separately from InterCheck. Oppo. to New Trial at 16 (Dkt. No. 16).

Although Sophos presented evidence in support of its claim that SWEEP–InterCheck was a single product, Finjan provided sufficient evidence to raise doubts and give the jury a reasonable basis to conclude that SWEEP–InterCheck was not a single product.

2. Available in the United States

Sophos next argues that it presented clear and convincing evidence that SWEEP–InterCheck was available in the United States prior to November 8, 1995 because (1) Sophos's witness Dr. Lammer testified that it was "impossible to imagine" that SWEEP–2.72 & InterCheck–2.01 were not sent to the United States before that time; (2) it presented a 1993 press release that announced a worldwide license between Sophos and the U.S.–based company Digital Equipment Corporation; (3) it showed that the backups for the SWEEP–2.75 & InterCheck–2.01 programs predate November 8, 1995; (4) it demonstrated that the server code for a 1994 version of SWEEP–InterCheck includes a comment indicating that Dr. Lammer made an adjustment "for a U.S. customer" indicating that SWEEP–InterCheck was being sent to the United States prior to 1995; (5) it presented Sophos's Data Security Reference Guide from March of 1995, which indicated that SWEEP–InterCheck was available for sale and listed Sophos's U.S. distributer for Sophos products; (6) it presented evidence that Sophos took steps to promote its products in the United States starting in March of 1995; and (7) it presented a contract showing that Sophos sold SWEEP–InterCheck to the World Bank in Washington, D.C. in August, 1995 following negotiations that likely began prior to June 1995. Mot. for New Trial at 15–18.

In response, Finjan argues that Sophos failed to present clear and convincing evidence on this point because (1) not a single Sophos witness had actual knowledge of whether InterCheck 2.01 was actually sent to any U.S. customers; (2) Sophos did not have any sales or shipping record evidencing sales of InterCheck 2.01 or shipments of InterCheck 2.01 to U.S.-based customers; and (3) Dr. Lammer testified that the August 1995 contract with the World Bank only applied to later versions of SWEEP–InterCheck and not to the asserted SWEEP–2.71 & InterCheck–2.01 combination. Oppo. to New Trial at 16–17.

Although Sophos presented a considerable amount of circumstantial evidence that InterCheck 2.01 may have been used by customers in the United States prior to November 8, 1995, it did not present any direct testimony or direct evidence confirming this point. The jury could have found the lack of sales and shipping records or Dr. Lammer's inability to remember whether InterCheck 2.01 was actually mailed to any U.S. customers compelling. Further, although Sophos presented a range of evidence showing that SWEEP–InterCheck was generally available in the U.S. prior to November 8, 1995, it presented very little evidence on the availability of version 2.01 of InterCheck specifically. Without specific corroborating evidence about this particular version of InterCheck, the jury was asked to rely heavily on Dr. Lammer's somewhat speculative testimony that it was "impossible to imagine" that InterCheck 2.01 was not mailed to any U.S. customers. As the Federal Circuit has held, "uncorroborated oral testimony, particularly that of interested persons recalling long-past events," is not clear and convincing evidence. Woodland Trust v. Flowertree Nursery, Inc. , 148 F.3d 1368, 1369, 1371–73 (Fed. Cir. 1998). Given the uncertainty of Dr. Lammer's testimony and the lack of direct evidence that InterCheck 2.01 was sent to any U.S. customers, the jury had a reasonable basis to conclude that Sophos's asserted combination of SWEEP–InterCheck was not publically available in the United States prior to November 8, 1995.

3. Anticipation

Finally, Sophos argues that it presented clear and convincing evidence that SWEEP–InterCheck meets every claim element of the asserted patents and directs the court to various excerpts of trial testimony from its invalidity expert, Dr. Cohen who opined that SWEEP–InterCheck anticipated each of the prior patents. Mot. for New Trial at 18.

In response, Finjan explains, at length, that there were numerous ways that Sophos failed to show that SWEEP–InterCheck meets the various claim elements. Finjan notes that it presented evidence that: (1) SWEEP–InterCheck did not meet the '844 patent's "generating" element because the technology was limited to byte-matching to identify known viruses and could not broadly identify suspicious code and did not meet the '844 patent's "linking" requirement because the "linking" does not occur before a web server makes the Downloadable available to web clients; (2) SWEEP–InterCheck did not satisfy various elements of the '494 patent including the "downloadable scanner" limitation (because the source code Dr. Cohen introduced did not include a list of suspicious operations) and the "database manager" limitation (because Dr. Cohen did not show that the hash table he presented included a schema); (3) SWEEP–InterCheck did not satisfy the '926 patent's "receiving an incoming Downloadable" limitation (because SWEEP searches for known viruses) and the '926 patent's "transmit an incoming Downloadable" limitation (because InterCheck forwards unknown files to the SWEEP server, which never sends them back to InterCheck); (4) SWEEP–InterCheck did not meet the '780 patent's "communications engine that obtains Downloadables" limitation (because SWEEP–InterCheck only scans local file systems, not Downloadables from the Internet, and did not have the ability to fetch software components); and, finally, (5) SWEEP–InterCheck did not satisfy the '154 patent's "dynamically-generated malicious content" element (because SWEEP–InterCheck only checks for known viruses).

In its reply, Sophos engages these issues more deeply. It attempts to rebut each of Finjan's arguments by explaining that SWEEP–InterCheck either does meet each element that Finjan describes, and/or that the claim elements do not require the specific details that Finjan claims Sophos failed to show. Reply for New Trial at 9–12.

This case involved complex patents and technologies. Substantial evidence regarding the issue of invalidity was presented by both sides. The parties dispute both what the patent claims required and what SWEEP–InterCheck actually does. While Sophos presented expert testimony and evidence asserting that SWEEP–InterCheck anticipated all five of the asserted patents, Finjan presented conflicting expert testimony asserting that SWEEP–InterCheck failed to meet a number of necessary elements of each patent. Sophos, unsurprisingly, asserts that Finjan's evidence was meritless and that Sophos's evidence should have been credited instead. But there is no reasonable dispute that Finjan presented sufficient evidence on the issues of invalidity to provide the jury with a reasonable basis to conclude that SWEEP–InterCheck did not anticipate the '844, '494, '926, '780, and '154 patents.

There was a reasonable basis for the jury to conclude (1) that SWEEP and InterCheck were not a single product; (2) that the elected combination of SWEEP–2.72 & InterCheck–2.01 was not publicly available in the United States prior to November 8, 1995; and (3) that SWEEP–InterCheck did not meet each and every element of the asserted patents. Each of these issues provided the jury an independent basis to conclude that SWEEP–2.72 & InterCheck–2.01 did not anticipate the asserted patents. Because the jury's verdict on invalidity was supported by substantial evidence, its verdict was not against the clear weight of the evidence. Sophos is not entitled to a new trial on invalidity on this basis.

C. Use of Post–Grant proceedings

Sophos argues that it is entitled to a new trial on invalidity because Finjan violated an in limine ruling excluding evidence on post-grant proceedings before the patent office. Mot. for New Trial at 19. Prior to trial Sophos moved to preclude Finjan from presenting "evidence or argument about post-grant proceedings before the United States Patent & Trademark Office." Dkt. 217 at 19. I granted the motion and ruled that the parties could not produce any evidence related to post-grant proceedings explaining "it would take a significant amount of time and effort to adequately explain the relevance and limitationsof the PTO proceedings to the jury and because I believe there is a substantial risk that the jury will improperly substitute its own judgment for the PTO decisions." Dkt. No. 291 at 25.

At trial, in attempting to show that SWEEP–InterCheck was considered by the patent office, Finjan briefly displayed two slides that were excerpts from the prosecution history of the '844 patent reexamination filed by a different company, Proofpoint, and asked Dr. Cohen four to five questions related to whether the patent office considered the SWEEP–InterCheck product. Trial Tr. at 1471:15–1473:2. Sophos contends that this was an intentional violation of the in limine order. Finjan responds that Sophos had "opened the door" to evidence related to the post-grant proceedings by stating in its opening statement that "The Patent Office did not know about the software code that you're going to see and the demonstrations that you're going to see of how our product operated before their system, before their patents were filed." Trial Tr. at 137:24–138:5.

As I stated during trial outside the presence of the jury, Finjan's line of questioning on this issue and display of the reexamination slides, without giving prior notice to Sophos or the court, was improper. Finjan "stepped over [the] line" established by the in limine ruling on this issue. Id. at 1532:16–20. Although Sophos requested that I instruct the jury that "there's been no evidence that the Patent Office considered the SWEEP–InterCheck Product," I instead issued the following instruction: "The parties dispute the extent to which SWEEP and InterCheck was considered by the Patent and Trademark Office before some of the patents were issued, if at all. And you should not consider the questions asked on this subject yesterday of Dr. Cohen, his responses, or any documents that were shown during his testimony related to that." Id. at 1579:4–9. Then, when the issue came up regarding what statements could be made during closing arguments, I stated that "we would say nothing—well, nothing would be said with respect to the PTO, and [Sophos] couldn't make an argument that no evidence has been shown." Id. at 1643:3–5. Similarly, I said that "Finjan may not use [the lack of evidence on the PTO] as a shortcoming in [Sophos's] opening or the evidence." Id. at 1644:17–18. Sophos argues that "[t]he net effect of Finjan's intentional violation of the Court's in limine order was to discredit a key theme of Sophos's defense—that the jury was the first to consider the SWEEP–InterCheck source code and demonstrations in determining the validity of Finjan's patents." Mot. for New Trial at 21.

Sophos's inability to rely on the lack of evidence presented with regards to the PTO proceedings was a consequence of its successful motion in limine. Sophos wanted an instruction from the court, or alternatively to make the argument itself, that there had been no evidence that SWEEP–InterCheck was considered by the patent office. But as Finjan attempted to show with its slides from the '844 patent reexamination, SWEEP–InterCheck was submitted to the patent office as prior art. The parties therefore disputed whether the patent office "considered" this evidence, but all of Finjan's potential evidence on the issue was excluded by the in limine ruling. Allowing Sophos to argue that there was no evidence that the patent office considered SWEEP–InterCheck would have been unfair and prejudicial to Finjan, since this was only true because Sophos successfully moved to exclude that evidence.

Sophos explained to the court that it sought its in limine ruling and made its opening argument because it knew that "Under the reexam, under the initial thing, the SWEEP–InterCheck product was not considered [by the PTO]." Trial Tr. at 1539: 12–14. If Sophos was confident in its evidence on this issue, and intended to rely on this fact for a major theme of its case, it should have attempted to resolve the issue on summary judgment or in some other format—not through a motion in limine. Id. at 1644:4–6. Instead of attempting to definitively resolve this fact issue in its favor in advance of trial, Sophos successfully moved to exclude all of Finjan's potential evidence on the issue. Then, because none of Finjan's evidence disputing Sophos's position would be admissible, it planned to make the argument at trial that no evidence was presented that the patent office considered SWEEP–InterCheck. While Sophos was not able to follow through with its theme that the jury was the first to consider the SWEEP–InterCheck source code and demonstration, this result was largely a self-created issue resulting from Sophos's strategic maneuvering.

Although Finjan overstepped by displaying evidence related to the '844 patent reexamination proceedings, this error was addressed with an instruction that the jury was not to consider any evidence or testimony related to whether the PTO office considered SWEEP–InterCheck. My ruling prevented Sophos from emphasizing in its closing that the jury was the first to consider the SWEEP–InterCheck source code and demonstration; it did not prevent the jury from actually considering the SWEEP–InterCheck source code and demonstration and assessing the evidence on the merits. Because the only prejudice Sophos identifies is that it was not able to carry-through on one of its themes, and because this issue arose predominantly as the result of Sophos's own choices and trial strategy, Finjan's use of the post-grant proceedings evidence did not result in a miscarriage of justice and does not justify a new trial on the issue of invalidity.

II. NEW TRIAL ON INFRINGEMENT

Sophos argues that it is entitled to a new trial on the issue of infringement because the jury's verdict was against the great weight of the evidence. It incorporates by reference its Motion for Judgment as a Matter of Law ("JMOL"). Mot. for New Trial at 21. For the reasons set forth in my discussion of Sophos's JMOL motion, there was a reasonable basis for the jury's verdict on infringement and Sophos is not entitled to a new trial on this basis.

III. REMITTITUR

Sophos asserts that it is entitled to a remittitur because Finjan improperly included revenue related to SophosLabs in its royalty base, a service that Sophos asserts earns no revenue and operates entirely outside the United States. Mot. for New Trial at 21. It is undisputed that SophosLabs is not a separate product and does not generate separate revenue for Sophos. Trial Tr. at 1076:2–7; 1077:4–20. Sophos contends that any indirect value for SophosLabs is captured by the revenue for Sophos's UTM and Endpoint products and so the inclusion of additional proxy revenue for SophosLabs was improper. Mot. for New Trial at 22.

At trial, Finjan's damages expert, Dr. Layne–Farrar testified that, although SophosLabs does not generate revenue, it still provides value to Sophos by enhancing all of Sophos's products and so its value should be captured in some way in a reasonable royalty analysis. Oppo. to New Trial at 21. Layne–Farrar used a proxy to capture SophosLabs's value: she multiplied the number of Endpoint Users that had enabled Sophos Live Protection, the infringing technology of SophosLabs, by the price Sophos charged for the Live Protection technology. Id. at 21. Sophos asserts that this value is already included in the Endpoint revenues and so the additional value attributable to SophosLabs is duplicative and unsupported by evidence.

There is a strong argument that the value that SophosLabs adds to Endpoint and the UTM was already captured by the Endpoint and UTM revenues. However, Layne–Farrar testified that her understanding, based on the expert opinions of Finjan's technical experts, was that SophosLabs adds value to all Sophos products. Trial Tr. at 833:1–7. There is no reason that the Endpoint and UTM revenues would account for the value that SophosLabs adds to Sophos's other products. Nevertheless, even if Sophos is correct, and the value of SophosLabs is fully captured by the Endpoint and UTM revenues, I cannot conclude that the jury's verdict improperly incorporated SophosLabs revenues.

It is unclear how the jury calculated its award and whether it factored SophosLabs revenues into its damages calculation. The jury was not required to outline its method of calculating the award on the verdict form and simply indicated that it was awarding damages of $15 million for the life of the asserted patents. Sophos argues that the jury must have attributed revenue to SophosLabs because the jury's verdict was greater than Layne–Farrar's damage calculation without SophosLabs. Mot. for New Trial at 22. Layne–Farrar opined that Finjan was entitled to a total reasonable royalty of $8.7 to $16.1 million composed of (1) $1.7–$2.2 million for the UTM products; (2) $5.1–$10.2 million for the Endpoint products; and (3) $1.9–$3.7 million for the SophosLabs product. Trial Tr. 842:14–843:24. Sophos argues that Layne–Farrar's maximum royalty without SophosLabs would only be $12.4 million so the jury's award of $15 million must have included SophosLabs revenues.

There are two primary problems with Sophos's argument. First, Sophos mischaracterizes Layne–Farrar's $16.1 million figure ($12.4 without the SophosLabs revenues) as her maximum royalty. At trial, Layne–Farrar repeatedly emphasized that her reasonable royalty opinion was a conservative estimate and testified that she was "defining what the floor is for damages. My reasonable royalty number should be the bottom line." Id. at 833:22–24. Layne–Farrar explained various ways that her calculations were conservative, including that her royalty calculation was significantly less than amounts Finjan had received in particular licensing deals or from other jury awards. Id. at 844:10–22. Layne–Farrar's testimony and opinion, and the underlying evidence on which she relied, provided the jury with evidence to support a damage award above her "maximum" royalty amounts and so could support a $15 million figure even excluding SophosLabs revenues.

Second, it is not clear that the jury adopted Layne–Farrar's opinion. While the jury's $15 million award was within the range Layne–Farrar presented, it does not line up with any of her precise figures. It is possible that the jury adopted a modified version of Layne–Farrar's analysis, but it is also possible that they jury based its damage award on the fact evidence presented or the expert testimony of Sophos's expert, Brian Napper. For example, the parties presented a substantial amount of factual evidence on damages including evidence of Finjan's prior jury verdicts and licenses involving the Asserted Patents. 213:13–20; 818:20–821:20; 844;18–19; TX–152; TX–2491; TX–3051; TX–13; TX–3052. The jury could have used this licensing information to determine what a hypothetical license between Sophos and Finjan would have looked like. Its $15 million award is well within the range of Finjan's prior licensing agreements and jury awards, which, on the high end, range from $39–$85 million.

LaserDynmaics, Inc. v. Quanta Computer, Inc. , which Sophos cites, does not support remittitur or a new trial. 694 F.3d 51 (Fed. Cir. 2012). In LaserDynamics , the Federal Circuit ordered a new trial on damages following a jury award of $8.5 million dollars. Id. at 78. The evidence supporting the jury's verdict was the opinion of LaserDynamics' expert, who calculated a $10.5 million royalty using a 6 percent royalty rate. Id. at 65. Because the Federal Circuit concluded that the 6 percent royalty rate was "untethered from the patented technology at issue" and because comparable licensing agreements were all for lump sums of no more than $1 million, the court concluded that "[a] new trial is required because the jury's verdict was based on an expert opinion that finds no support in the facts in the record."

In LaserDynamics, it was clear that the jury relied on LaserDynamics' expert's opinion to support its verdict as no other evidence was presented that would have justified an $8.5 million award, and the award far exceeded all of LaserDynamics' prior licensing agreements. Here it is less clear how the jury calculated its award; whether it relied on part or all of Layne–Farrar's opinion, or Napper's, or whether it calculated its royalty rate using only the fact evidence presented. Since the jury could have calculated its award using Finjan's prior licensing agreements as a reference, and because its $15 million award is well within the range of Finjan's prior licensing agreements, I cannot conclude that the jury's verdict is not supported by substantial evidence. Sophos's request for a remittitur is DENIED.

MOTION TO AMEND JUDGMENT

BACKGROUND

Finjan moves to amend the judgment, issue an injunction, and for pre- and post-judgment interest. Mot. to Amend (Dkt. No. 424). After a 10–day trial, a jury found Sophos liable for infringing five of Finjan's patents and awarded Finjan damages of $15 million for the life of the patents. Dkt. No. 398 at 4. Judgment was entered for "damages payable as a lump sum for the life of the asserted patents." Dkt. No. 407. Finjan argues that because the only Sophos revenue information, expert opinion, and argument presented to the jury went through December 22, 2017, the judgment should be amended to "correct the time period covered by the damages award from 'the life of the asserted patents' to ending on December 22, 2017." Mot. to Amend at 2. It asserts that if the judgment is amended, as it requests, the court should enjoin Sophos from infringing the '154 patent from December 22, 2017 through its expiration on December 12, 2025 to prevent irreparable harm to Finjan's core business activities, reputation, and goodwill. Id. at 2–3. Finally, it contends that it is entitled to pre-judgment interest at the prime rate and to post-judgment interest. Id. at 2.

LEGAL STANDARD

Federal Rule of Civil Procedure 59(e) permits amendment to a judgment. Fed. R. Civ. P. 59(e). "Since specific grounds for a motion to amend or alter are not listed in the rule, the district court enjoys considerable discretion in granting or denying the motion." McDowell v. Calderon , 197 F.3d 1253, 1255 n.1 (9th Cir. 1999). However, amending a judgment is considered an "extraordinary remedy which should be used sparingly." Allstate Ins. Co. v. Herron , 634 F.3d 1101, 1111 (9th Cir. 2011). "In general, there are four basic grounds upon which a Rule 59(e) motion may be granted: (1) if such motion is necessary to correct manifest errors of law or fact upon which the judgment rests; (2) if such motion is necessary to present newly discovered or previously unavailable evidence; (3) if such motion is necessary to prevent manifest injustice; or (4) if the amendment is justified by an intervening change in controlling law." Id. A district court may nevertheless amend a judgment in other circumstances if appropriate. Id.

DISCUSSION

I. MOTION TO AMEND JUDGMENT

Finjan contends that it is entitled to an amended judgment because it has not been fully compensated for Sophos's infringement of its patents. Mot to Amend at 9. It argues that this is clear because the jury's verdict, awarding $15 million for the life of the patents, is inconsistent with the evidence and expert opinions presented at trial. Id.

Prior to trial I issued an Order preventing Finjan's damage expert, Dr. Layne–Farrar, from presenting an opinion that projected Sophos's future revenues on infringing sales through December 12, 2025, the date of expiration for the '154 patent. Id. at 4. The evidence was excluded as overly speculative and unreliable because Layne–Farrar simply presumed steady sales without any reference or reliance on evidence regarding the future of the malware software market, Sophos's business position in the market, or other information that would support a conclusion of constant sales over a nearly ten-year period. Dkt. No. 250 at 7–8. The functional result of this ruling was that Finjan did not present an expert damage theory that accounted for sales beyond December 22, 2017. Mot. to Amend at 4.

Sophos's damages expert, Brian Napper, also did not present a damage theory that accounted for the full life of the patents. Napper presented two different reasonable royalty opinions, but both were limited to the two year period from the start of the litigation through trial. His first opinion was based on the "use" of the accused technology. He concluded that Sophos's accused SAV Engine blocked .6 percent of malware and so he applied a .6 percent royalty rate to Sophos's revenues for the two year period to calculate a royalty of $1.1 million. Trial Tr. at 1314:2–1315:4. For his second opinion, he used Finjan's prior licensing agreements to estimate what a Finjan–Sophos license would look like. Id. at 1279:15–24. He compared Sophos's relevant market share to that of Finjan's existing licensees and then adjusted Finjan's licensing agreements to reflect Sophos's relative size. Id. Finally, because Finjan's licenses are generally one-time lump sum agreements that run for 10–15 year periods, Napper adjusted his royalty calculation to limit it to the approximately two year period of the litigation and opined that approximately $2 million was appropriate for this shortened time period. Id. at 1302:4–1303:3.

Following the close of evidence the parties submitted their proposed verdict forms. At the charging conference Finjan took issue with Sophos's inclusion of a "one-time payment for the life of the patents" on the damages sheet, arguing that because "Napper was very clear that he actually did not give an opinion for the life of the patents, that he only gave it up through either the March or the September date ... that particular question actually doesn't work as written because it's not for the life of the patents." Id. at 1651:20–1652:2. In defending the inclusion of the "one-time payment" option, Sophos contended that "there is also testimony in the record about Finjan's licenses, the other licenses they have, that are for a lump sum, and so the jury could certainly decide something else based on that testimony and evidence." Id. at 1652:13–17. After the parties briefly conferred on this issue Finjan conceded that there might be facts that "[Sophos] can stitch together, right. So I guess I wouldn't—I wouldn't oppose it, if that's what they are going to be doing." Id. at 1653:3–5.

During closing arguments, Finjan attempted to present a "summation" of the evidence that offered a new theory for calculating damages for the life of the asserted patents: Finjan noted that there are 3.9 million Sophos end users, that for a 24 month period these users are charged $21.60 per user, and that Finjan's technical expert, Dr. Medvidovic, had testified that a 50 percent apportionment, based on the value-added of the accused technology, was appropriate for Sophos's products. Finjan then proposed that the jury could multiply 3.9 million by .5($21.60) to get $42.12 million. Id. at 1732:18–1733:21. Sophos objected because Finjan was presenting a new theory not in the evidence. After a discussion at sidebar, I sustained the objection and Finjan was not permitted to continue its argument on this issue. Id. at 171733:22–1738:7. Finjan's closing argument was limited to discussing the damage theory its expert, Layne–Farrar presented, which only went through December 22, 2017.

Finjan submits that because it was not permitted to present evidence, expert opinion, or argument about a reasonable royalty through the life of the patents, the jury verdict and judgment, which purport to award damages through the life of the Asserted Patents, are inconsistent with the evidence and that Finjan has not been awarded a reasonable royalty as required by 35 U.S.C. § 284.

Although Finjan asserts that no evidence was presented on which the jury could have based an award through the life of the patents, there was substantial evidence in the record to support the jury's finding. Both parties presented evidence demonstrating that in a hypothetical negotiation, Finjan and Sophos likely would have agreed to a one-time lump sum payment. For example, Napper testified that "I think they would strike a one-time lump-sum payment" and Layne–Farrar testified that "[Finjan's license agreements] were all lump sums." Trial Tr. at 1292:11–13; 874:4–875:9.

Both parties also presented evidence of Finjan's prior licensing agreements. Napper discussed and analyzed these agreements in detail as part of one of his damage theories. Id. at 1279:15–24 (calculating an estimated royalty by adjusting Finjan's prior licensing agreements to account for Sophos's size relative to Finjan's other licensees). He explained that he used the prior licensing agreements to calculate what a hypothetical Finjan–Sophos licensing agreement would look like, but, because actual Finjan licensing agreements are lump sum agreements that cover 10–15 year periods, at the very end of his analysis he adjusted his final royalty calculation to represent a payment for a two-year period only (as Sophos had only asked him to calculate a royalty for the two year duration of the litigation). Id. at 1302:4–1303:3.

Based on this testimony, and the underlying evidence, the jury easily could have calculated an appropriate one-time lump sum payment by working backwards from Napper's two-year royalty amount to calculate an appropriate royalty for a 15–year, lump sum licensing agreement. Because Napper testified that a $2 million royalty was reasonable for a two-year span, under Napper's analysis, $15 million would be a reasonable royalty for a 15 year span. The jury's lump sum award of $15 million is entirely consistent with Napper'sopinion and is well supported by the evidence in the record.

Finjan cites three cases to support its claim that it has not been compensated for future damages. None of these cases support Finjan's position. First, it cites to Finjan, Inc. v. Secure Computing Corp. , 626 F.3d 1197, 1213 (Fed. Cir. 2010), in which the Federal Circuit stated that a "patentee is not fully compensated if the damages award did not include future lost sales." The Secure Computing court concluded that Finjan was entitled to additional damages based on future sales that the jury did not consider. Id. However, Secure Computing is easily distinguishable because in that case the verdict form required the jury to list a royalty rate, royalty base, and total royalty amount, so it was clear from the verdict form both how the jury calculated its award and that the jury did not include future sales in its calculation. Id. at 1209. In contrast, in this case the verdict form did not require the jury to select a particular royalty base or royalty rate, did not require the jury to calculate its award by multiplying a royalty rate by a royalty base, and did not require the jury to show how it calculated its award. As a result, it is rank speculation to conclude that the jury did not include future sales in its analysis. The jury could have projected future sales and included those in a royalty base, or it could have calculated its award without using a royalty base at all, for example, by calculating a single lump sum payment based on Finjan's past licensing agreements. Secure Computing does not support amending the judgment.

Whitserve, LLC v. Computer Packages, Incorporated , 694 F.3d 10 (Fed. Cir. 2012) and Telcordia Technologies, Incorporated v. Cisco Systems Incorporated , 612 F.3d 1365 (Fed. Cir. 2010) are similarly not analogous. In Whitserve , the Federal Circuit concluded that the jury had not awarded a fully paid-up license where the jury did not indicate on its verdict form that its award was meant to cover future damages and the trial court interpreted the jury's award as not covering future damages. Whitserve , 694 F.3d at 35. Likewise, in Telcordia , it was "unclear whether the jury compensated Telcordia only for Cisco's past infringement or for both past and ongoing infringement" as the verdict form only asked the jury to "identify the amount of monetary damages that will compensate Telcordia for Cisco's infringement" and the jury did not indicate anything other than an amount of $6,500,000. Telcordia , 612 F.3d at 1377–78. As a result, the Federal Circuit concluded that the district court did not abuse its discretion by concluding that the award was only for past infringement. Id. at 1378.

In contrast, here the jury was instructed that it could award damages through September, 2016, through December, 2017, or for the life of the patents. Faced with these choices the jury deliberately chose to award damages for the life of the patents and indicated so on the verdict form. While the intent of the juries in Whitserve and Telcordia was ambiguous, here there is no reasonable dispute that the jury intended to award a lump sum payment for the life of the patents.

Because the jury's intention to award Finjan a lump sum fee for the entire life of the patents is clear from the face of the verdict form, and because the jury's award is supported by substantial evidence in the record, the "extraordinary remedy" of an amended judgment is not appropriate. Allstate , 634 F.3d at 1111. Finjan's motion to amend the judgment is DENIED.

II. INJUNCTION

Finjan asks, contingent on its requested amendment to the judgment, that the court enjoin Sophos from infringing the '154 patent from December 22, 2017 through its expiration on December 12, 2025. Mot. to Amend at 13. Because an injunction would only be possible if the judgment were amended, and because, as discussed above, amendment is not appropriate in this case, Finjan's request for an injunction is DENIED.

III. PRE- & POST–JUDGMENT INTEREST

A. Pre–Judgment Interest

Under 35 U.S.C. § 284, "[u]pon finding for the claimant the court shall award the claimant damages adequate to compensate for the infringement ... together with interest and costs as fixed by the court." Awarding prejudgment interest to a prevailing patentee is "the rule, not the exception." Crystal Semiconductor Corp. v. TriTech Microelectronics Int'l, Inc. , 246 F.3d 1336, 1361 (Fed. Cir. 2001). "[P]rejudgment interest should be awarded under [ 35 U.S.C.] § 284 absent some justification for withholding such an award." Gen. Motors Corp. v. Devex Corp. , 461 U.S. 648, 657, 103 S.Ct. 2058, 76 L.Ed.2d 211 (1983).

District courts have discretion to determine the rate of prejudgment interest. Uniroyal, Inc. v. Rudkin–Wiley Corp. , 939 F.2d 1540, 1545 (Fed. Cir. 1991). Courts often award interest at the prime rate "where there is evidence that the plaintiff would have been spared from borrowing money at the prime rate during the infringement period had the infringer been paying royalties, and thus, prejudgment interest is necessary to compensate for 'the forgone use of the money.' " Finjan, Inc. v. Blue Coat Sys., Inc. , No. 13-cv-03999-BLF, 2016 WL 3880774, at *18 (N.D.Cal. July. 18, 2016). Courts have declined to use the prime rate where the plaintiff does "not present any evidence that it needed to borrow money because it was deprived of the damages award." Apple, Inc. v. Samsung Elecs. Co., Ltd. , 67 F.Supp.3d 1100, 1122 (N.D. Cal. 2014) (emphasis in original); Laitram Corp. v. NEC Corp. , 115 F.3d 947, 955 (Fed. Cir. 1997) (finding the prime rate may not be appropriate if there is no "causal connection between any borrowing and the loss of the use of money awarded as a result of [ ] infringement").

Sophos argues that Finjan is not entitled to any prejudgment interest because it unduly delayed in bringing its suit. Gen. Motors Corp. v. Devex Corp. , 461 U.S. 648, 655, 103 S.Ct. 2058, 76 L.Ed.2d 211 (1983) (prejudgment interest may not be appropriate where the plaintiff unduly delayed in prosecuting the case). Sophos suggests that because Finjan previously brought suit against Sophos in 2010 for similar patents and products, "Finjan necessarily was aware of a possible claim for infringement as to four of the asserted patents by 2010." Oppo. to Mot. to Amend at 20 (Dkt. No. 441). Finjan responds that this claim of delay is not based on any evidence or facts and asserts that it did not know of Sophos's infringement until October or November of 2013. It filed suit against Sophos only a few months later. Caire Decl. Ex. 4 (Dkt. No. 445–5). Since Sophos's argument that Finjan delayed in bringing suit is based on speculation and Finjan has presented evidence that it brought suit with due diligence, I cannot conclude that Finjan unduly delayed in bringing suit. Finjan is entitled to prejudgment interest.

Next I must decide how prejudgment interest will be calculated. Finjan argues that it is entitled to prejudgment interest at the prime rate because it entered into financing deals during the period of Sophos's infringement at rates above the prime rate. Mot. to Amend at 22. Finjan notes that, in particular, on May 6, 2016, it secured $10.2 million in a round of Series A investment financing at a rate higher than the prime rate. See Harstein Decl. ¶ 8, Ex. 3 (Dkt. No. 422–4); Mot. to Amend at 23. In his declaration, Harstein claims that Finjan was required to obtain this financing at unfavorable terms as a result of Sophos's failure to pay a royalty and as a result of expenses incurred in bringing the action against Sophos to enforce Finjan's patent rights. Harstein Decl. ¶ 7–8.

Sophos contends that Finjan has failed to show that it needed to obtain unfavorable financing as a result of Sophos's infringement, Oppo. to Mot. to Amend at 21. It notes that Finjan does not indicate whether more favorable financing options were available to it, such as lines of credit, bank loans, or rejected settlement offers. It also challenges the assertion that Finjan's need for financing is the result of litigation costs incurred in its suit against Sophos. Sophos notes that Finjan has chosen to simultaneously sue a number of entities, has fought to lift stays in other cases thereby incurring immediate litigation costs that could have been postponed, and brought a second suit against Blue Coat before recovering its substantial judgment against that entity. Id. at 21–22. Sophos notes that Finjan has secured tens of millions of dollars in verdicts and licensing agreements during the two years of this litigation and argues that it is unlikely that Finjan's case against Sophos specifically put it into a position that required it to borrow money. Id. at 22. Accordingly, Sophos submits that the treasury rate should apply to any interest.

Finjan has failed to demonstrate that Sophos's infringement required it to borrow money at the prime rate. The treasury rate is appropriate. Finjan's request for prejudgment interest is GRANTED. Prejudgment interest will be calculated at the treasury rate compounded annually.

B. Post–Judgment Interest

Finjan asserts that it is entitled to post-judgment interest, calculated using the "weekly average 1–year constant maturity Treasury yield ... compounded annually" pursuant to 28 U.S.C. § 1961. Sophos does not dispute that Finjan is entitled to post-judgment interest. Finjan's request for post-judgment interest is GRANTED and will be awarded at the treasury rate compounded annually.

RENEWED MOTION FOR JUDGMENT AS A MATTER OF LAW

BACKGROUND

At the close of Finjan's infringement case, Sophos moved for judgment as a matter of law under Federal Rule of Civil Procedure 50(b). Sophos now renews its motion, arguing that the jury's verdict, finding that Sophos infringed all five of Finjan's asserted patents, is not supported by substantial evidence. For the reasons outlined below, Sophos's motion is DENIED.

LEGAL STANDARD

A court should grant a motion for judgment as a matter of law following a jury trial where "the evidence, construed in the light most favorable to the nonmoving party, permits only one reasonable conclusion, and that conclusion is contrary to that of the jury." InTouch Techs., Inc. v. VGO Commc'ns, Inc. , 751 F.3d 1327, 1338 (Fed. Cir. 2014). "[T]o set aside the verdict, there must be an absence of substantial evidence—meaning relevant evidence that a reasonable mind would accept as adequate to support a conclusion—to support the jury's verdict." Emblaze Ltd. v. Apple Inc. , No. 11-c-01079-PSG, 2015 WL 396010, at *3 (N.D. Cal. Jan. 29, 2015). DISCUSSION

I. THERE WAS SUBSTANTIAL EVIDENCE THAT SOPHOS PRACTICED METHOD CLAIMS IN THE UNITED STATES

Sophos claims that judgment as a matter of law is warranted for Finjan's method claims because Finjan did not present any evidence that Sophos practiced each step of the asserted method claims in the United States.

A. Finjan was required to show Sophos performed every step of the method claims

First, the parties dispute whether the law requires Finjan to show that Sophos itself practiced every step of Finjan's method claims, or whether Finjan may rely on evidence that Sophos's customers practiced the elements of the method claims. Sophos contends that "to infringe a method claim, a person must have practiced all steps of the claimed method." Secure Computing , 626 F.3d at 1206 ; see also Ericsson, Inc. v. D–Link Sys., Inc. , 773 F.3d 1201, 1221 (Fed. Cir. 2014) ("the direct infringer must actually perform the steps in the method claim") (emphasis in original); France Telecom S.A. v. Marvell Semiconductor Inc. 82 F.Supp.3d 987, 993 (N.D. Cal. 2015) ("A defendant can only directly infringe a method claim ... by 'using' the method within the United States, which requires that the defendant practice every step of the method within the United States").

Finjan responds that, under the Federal Circuit's recent decision in Akamai Techs., Inc. v. Limelight Networks, Inc. , 797 F.3d 1020 (Fed. Cir. 2015), it can sustain its method claims against Sophos by showing vicarious use of the method steps by Sophos's customers. Oppo. to JMOL at 4 (Dkt. No. 440). In Akamai IV , the Federal Circuit held that a party that does not personally perform all elements of a method claim may still be held liable for direct infringement of those claims if the "alleged infringer conditions participation in an activity or receipt of a benefit upon performance of a step or steps of a patented method and establishes the manner or timing of that performance." 797 F.3d at 1023. Finjan argues that because Sophos's products perform all of the steps of the method claims, "Sophos conditioned the ability of its customers to receive the benefit of the UTM and Endpoint Products upon their use of these products in the infringing manner." Oppo. to JMOL at 2.

Finjan misapplies the Akamai IV court's divided infringement ruling to this case. As the Akamai IV court explained, its divided infringement analysis applies "[w]here more than one actor is involved in practicing the steps" of the asserted method claim. Akamai IV , 797 F.3d at 1022. This is not a divided infringement case. Finjan asserts that a single actor satisfies all of the steps of the method claims by operating Sophos's UTM and Endpoint products. Finjan is attempting to show direct infringement by demonstrating that Sophos's customers perform all of the steps of the method claims: this is an indirect infringement claim, not a divided direct infringement claim, and Akamai IV does not apply to these facts. Because Akamai IV does not apply, and because Finjan voluntarily dismissed its indirect infringement claims, Finjan was required to show that Sophos itself performed all of the steps of the method claims.

B. There was Substantial Evidence that Sophos Personally Performed the Steps of the Method Claims

Finjan presented substantial evidence that Sophos performed every step of Finjan's method claims in the United States. First, Finjan presented overwhelming evidence demonstrating that operating the UTM and Endpoint products satisfies each and every method of the method claims. Trial Tr. 330:11–334:12; 386:12–21; TX–2173 at 1197SOPHOS_00407505. Sophos does not dispute that use of its products meets every method of the method claims or that Finjan established this fact at trial. Finjan also presented substantial evidence that Sophos is a Massachusetts corporation with its principal place of business in the United States, that it sells its UTM and Endpoint Products in the United States, and that these products have millions of users in the United States. Trial Tr. at 116:13–15; Trial Tr. at 834:4–7, 834:11–835:19. These facts are similarly, not disputed.

To establish that Sophos itself practices the method claims in the United States, Finjan presented internal Sophos documents demonstrating that Sophos developed and performed troubleshooting on its infringing products, in the United States. Finjan presented Trial Exhibit 120, a Sophos internal document of PowerPoint slides dated February 2010, which appears to indicate that Sophos's SXL technology, which had previously been used on Sophos's OEM and mail gateway products, will be implemented on Sophos's Endpoint products. TX–120 at 1197SOPHOS_01737110. To illustrate how this will impact the user interface in Endpoint, the exhibit includes images of a Sophos employee changing the configuration in a "Sophos Endpoint Security and Control" screen so that the Endpoint product will "automatically send field data, such as checksums." TX–120 at 1197SOPHOS_01737097 (internal Sophos document showing screen grabs of a user navigating a Sophos Endpoint Security and Control system). The exhibit then provides details on how to troubleshoot the implementation of the SXL on the Endpoint products. TX–120 at 1197SOPHOS_ 01737115 ("Verify that SXL DNS lookups are working correctly within the customer's environment"). It also shows examples of performing these troubleshooting steps which show running SXL lookups on the "01" SXL server located in Miami. TX–120 at 1197SOPHOS_01737116. This document offers strong evidence that Sophos used its own Endpoint products in the United States around February 2010 as it appears it must have used the products to develop troubleshooting instructions and to prepare the document slides and images seen in Exhibit 120.

Trial Exhibit 120 also provides evidence that Sophos used and tested its UTM product in the United States. Trial Exhibit 120 shows Sophos employees running a program called "Wireshark" on Sophos's "02" server located in Phoenix, Arizona. TX–120 at 1197SOPHOS_01737119. At trial, Finjan's expert Dr. Cole testified that Wireshark is a tool that security professionals use to capture the information moving in and out of a computer system during testing and that he personally used Wireshark to test the Sophos UTM product. Trial Tr. 380:16–381:20. He explained that he set up and used a Sophos UTM box at a facility in the United States and that by using the Wireshark program in conjunction with the UTM he could see how the UTM was working and that it was communicating with SXL servers in the United States. Id.

Dr. Cole's testimony and Trial Exhibit 120 demonstrate that Sophos had the means and tools to test its UTM products within the United States using the Wireshark program and that this type of testing would have involved Sophos using the UTM product. Further, Trial Exhibit 120 establishes that Sophos employees tested how its SXL technology functioned on its Endpoint product. Since the UTM also uses SXL technology, Trial Exhibit 120, offers substantial evidence that Sophos would have run similar tests on the UTM products. Trial Exhibit 120 demonstrates that Sophos tested and used its Endpoint and UTM products within the United States.

Sophos challenges the value of Trial Exhibit 120, noting that it is dated years before the infringement period. To rebut the idea that Sophos may have stopped testing its products after 2010, Finjan presented Trial Exhibit 125, dated October 7, 2015, which shows that Sophos continued to perform testing and troubleshooting on its products in 2015. TX–125. Similarly, Finjan's evidence that Sophos is a Massachusetts company with millions of customers in the United States supports the inference that Sophos would have continued to test and use its products during this period as such testing would have been necessary to develop new features and improvements, market and sell its products, and troubleshoot for existing customers.

Sophos also challenges the evidentiary weight of Exhibits 120 and 125 because they relate primarily to testing of the SXL technology, which Sophos asserts is irrelevant to the Endpoint and UTM products. But Finjan demonstrated that both Endpoint and the UTM use SXL technology and communicate with the SXL servers as part of the Live Cloud or Sophos Cloud function of the products. Trial Tr. 378:19–379:21 ("[B]oth the UTM and the Endpoint product do utilize the Sophos Cloud in a similar manner. The UTM would receive a downloadable from the Internet. And if it needed additional information, it would take a hash of that downloadable, and it would go to the SXL server and do a lookup to say, is there any additional information from the cloud?"). Testing of the SXL technology would involve testing whether Sophos's products that use the Live Cloud feature are properly communicating with the SXL servers and running SXL lookups. Therefore SXL testing in the United States, especially in the context of Exhibit 120, offers substantial evidence that Sophos would have tested and used its Endpoint and UTM products in the United States.

Because Finjan presented overwhelming evidence that using Sophos's UTM and Endpoint products infringes the method claims and substantial evidence that Sophos tested and used the UTM and Endpoint products in the United States, there was substantial evidence to support the jury's finding that Sophos directly infringed Finjan's method claims.

II. THERE WAS SUBSTANTIAL EVIDENCE THAT SOPHOS LIVE CLOUD INFRINGED THE ASSERTED SYSTEM CLAIMS

Sophos asserts that Finjan has failed to show that Sophos's "Sophos Live Cloud" service infringes the asserted patents because (1) it presented no evidence that Sophos Live Cloud actually exists and Sophos presented evidence that Sophos Live Cloud was not a real product; (2) and it failed to show that Sophos Live Cloud was used in or imported into the United States. Mot. for JMOL at 5–6 (Dkt. No. 421).

A. Substantial Evidence Demonstrates that Sophos Live Cloud is Real

Finjan presented substantial evidence that the cloud service that it called "Sophos Live Cloud" at trial is a real service that runs on servers in the United States. Drs. Cole and Mitzenmacher testified that Sophos's "cloud" servers analyze, detect, and block against malicious code and are located in various locations around the United States. Trial Tr. at 329:19–21 ("Sophos Live Cloud are servers out on the Cloud ... it's just servers at an outsource facility that are accessible form the Internet"); 548:17–20 ("Sophos Live Cloud consists of multiple components, multiple servers."). They explained that Sophos Live Cloud consists of the Sophos SXL Servers, Sample Servers, and the automation systems of LabRules and Warzone in SophosLabs, which all communicate and interact with each other. Id. at 329:6–331:14; 389:2–390:8; 548:15–549:4; 585:24–587:3; TX–2065; TX–2150; TX–2252.

Although Sophos showed that the term "Sophos Live Cloud" is not one that Sophos uses internally and was adopted by Finjan's experts for the purposes of this litigation, it did not rebut Finjan's evidence that the servers and processes that Finjan has tried to encompass with the term "Sophos Live Cloud" are real. Indeed, two of Sophos's witnesses testified about the component servers that Finjan references when it uses the term "Sophos Live Cloud" and confirmed that they are real servers. Trial Tr. at 1079:5–1080:16; 1153:18–1154:15; 1161:8–1166:11. Finjan presented substantial evidence that the "Sophos Live Cloud" technology its experts described is not a fiction.

B. Substantial Evidence Demonstrates that Sophos Live Cloud was Used in the United States

Finjan claims that it demonstrated that Sophos Live Cloud was "used" in the United States. Oppo. to JMOL at 10. At first look it is not entirely clear where Sophos Live Cloud is "used" as there are elements of the system located in the United States—where various Sophos servers are located and where U.S. customers operate UTM and Endpoint products—and in the United Kingdom—where "SophosLabs" is located. Finjan asserts that under NTP, Inc. v. Research In Motion, Ltd. , 418 F.3d 1282, 1317 (Fed. Cir. 2005), a patentee may prove direct infringement of a system claim for a multinational system—one with elements located in multiple countries—by showing that "the place at which the system as a whole is put into service, i.e. the place where control of the system is exercised and beneficial use of the system obtained" is within the United States.

Sophos argues that Finjan's reliance on NTP is improper because NTP only applies to indirect infringement claims. NTP was an indirect infringement case and the jury found that the defendant's customers, and not the defendant itself, directly infringed. Id. at 1317 n.13. But Sophos offers no explanation why the logic of NTP and the benefit-and-control factors would not apply equally to a direct infringement claim on a multinational system. The NTP holding directly undermines Sophos's position. To affirm the indirect infringement claims in NTP, the Federal Circuit necessarily found that one may directly infringe a system claim even when certain parts of the system are located outside the United States, so long as the system is controlled or benefits those in the United States. Id. (affirming the jury's finding that defendants' customers directly infringed the system claims). The only difference in a direct infringement claim is that a patentee must show that the defendant itself, rather than its customers, infringed the claim. There is no reason that the benefit-and-control factors of NTP do not apply to a direct infringement claim and Sophos offers no explanation. I conclude that NTP applies to direct infringement multinational system claims.

Sophos argues that, even if NTP applies, Finjan did not show that Sophos Live Cloud is controlled from the United States. Reply to JMOL at 7 (Dkt. No. 448). There is competing evidence on this point. Finjan's experts testified that the material components of Sophos Live Cloud are located in the U.S., including the SXL Servers and Sample Servers. Trial Tr. at 382:1–385:6; 548:17–549:4. Cole testified that Sophos Live Cloud is controlled by the UTM and Endpoint products (many of which are located in the United States) because these products generate requests that are sent to the Cloud servers and because the Sophos Live Cloud service cannot do anything unless a UTM box or Endpoint product tells it what to do. Trial Tr. 389:2–390:8. He also testified that the benefit of Sophos Live Cloud runs to the United States because "the company or person sitting behind [a] UTM in the U.S. receives the direct benefit of that service" because "it allow[s] [a] system to be protected and [the] system not to get infected by malware." Id. at 390:23–391:4. In opposition, Sophos presented evidence that Sophos Live Cloud is controlled from the United Kingdom because file submissions via Sophos Live Cloud cannot happen unless SophosLabs creates a "wanted poster" for malware samples, thereby requesting submissions from users' UTM or Endpoint products. Trial Tr. at 1161:8–1166:11.

In short, the parties both presented plausible evidence as to where Sophos Live Cloud is controlled: Finjan presented evidence that the system cannot work if it does not receive requests from UTM and Endpoint products, which may be located in the United States, and Sophos produced evidence showing that the UTM and Endpoint products do not send any files to the Sophos Live Cloud unless SophosLabs, in the UK, has requested specific types of files. This was a close factual issue but there was substantial evidence to support the jury's conclusion that Sophos Live Cloud is controlled from and benefits those in the United States.

Finally, Sophos argues that even if the benefits and control standard applies, Finjan has failed to prove direct infringement because it only presented evidence that customers used and directed the processes of Sophos Live Cloud from the United States but did not present any evidence that Sophos itself benefitted from or directed the use of Sophos Live Cloud. Reply to JMOL at 7. For the reasons outlined above in Section I.B, Finjan has presented substantial evidence that Sophos used and tested its own products in the United States. As Finjan presented evidence that use of the UTM and Endpoint products controls Sophos Live Cloud, and leads to the benefit of Sophos Live Cloud being felt in the United States, there is substantial evidence on which the jury could have concluded that Sophos benefitted from and controlled Sophos Live Cloud from the United States.

III. FINJAN PRESENTED SUBSTANTIAL EVIDENCE THAT SOPHOS'S PRODUCTS SATISFY EVERY LIMITATION OF EACH ASSERTED CLAIM

A. The '844 Patent

Sophos asserts that Finjan failed to demonstrate that its accused products perform the "linking" element of the '844 patent, which requires "linking by the inspector the first Downloadable security profile to the Downloadable before a Web server makes the Downloadable available to Web clients." Mot. for JMOL at 7. Sophos does not dispute that its products perform a linking function, but claims that this does not happen "before a Web server makes the Downloadable available to Web clients" because the accused products are themselves web clients and so can only perform the necessary linking after the Downloadable has been made available to them. Id. It also argues that web servers like CNN.com make Downloadables available to web clients as soon as they place the Downloadables on their servers and, since Sophos's products can only inspect Downloadables that have been made available to the general public, they do not perform the linking function until after the Downloadables have been made available to web clients in the general public.

Finjan asserts that Sophos is relying on an overly broad interpretation of the term "web client." It submits that a "web client" within the meaning of the patent is an end user that is actually using a Sophos product or other inspector device. The term is not meant to include all computers, such as an inspector computer or computers in the general public not employing a malware security system. It contends that the relevant question is whether Sophos's products perform the linking element before making the Downloadable available to end users actually using Sophos's products, not whether any user anywhere is able to access the Downloadable before Sophos's product performs the linking function.

Both of Sophos's arguments rest on a broad interpretation of "web client" that the jury reasonably could have rejected in favor of Finjan's position that Sophos's products act as the "inspector," not a web client, and that "web client" refers only to computers using Sophos's products or similar inspector devices. As there is no dispute that Sophos's products perform this linking function, the jury's finding that Sophos's accused products meet the linking element of the '844 Patent is supported by substantial evidence.

B. The '926 Patent

Sophos contends that Finjan failed to show that its accused products meet the '926 patent's element of "transmitting the incoming Downloadable and a representation of the retrieved Downloadable security profile data to a destination computer" because Finjan did not show that this information is transmitted to the end-user computers. Mot. for JMOL at 9. It asserts that a "destination computer" must be the end-user computer because this is consistent with the patent's specification. Id. ; TX–6, '926 patent at 7:63–65 ("[a] suitable information-destination or 'user device' can further include one or more devices or processes (such as email, browser or other clients))." It adds that if the "destination computer" can be any kind of computer then the word "destination" would be redundant because the element already requires a transmission.

Finjan asserts that "destination computer" does not refer exclusively to an end-user computer. Oppo. to JMOL at 15. It argues that Sophos's reading would exclude certain embodiments of the '926 patent that do not require the "destination computer" to be an end-user device. Id. ; TX–6 Col. 7, 11. 2–6 ("other configuration of interconnected elements might also be utilized (e.g. peer-peer, routers, proxy servers, networks, converters, gateways, services, network reconfiguration elements, etc.) in accordance with a particular application"). It adds that it presented substantial evidence that Sophos's products transmit the Downloadable security profiles to various destination computers. See, e.g. , Trial Tr. at 633:7–636:16, TX–95 (Mitzenmacher testifying that the UTM product submits downloadable security profiles to a sample submission server, which stores the content and the threat identity on the SXL server).

Sophos's argument that Finjan's interpretation of "destination computer" would read "destination" out of the claim is plausible but not conclusive. Even under Finjan's reading the word "destination" adds something—it emphasizes that the computer to which the downloadable is being transmitted is not any computer, but rather a particular computer. Further, Finjan has presented evidence that "destination computer" may have many meanings under the '926 patent. Finjan has presented substantial evidence that Sophos's products transmit downloadable security profiles to particular designated servers that act as the "destination computer" for the purposes of this claim element. The jury's conclusion that Sophos's products infringe the '926 patent is supported by substantial evidence.

C. The '780 Patent

Sophos argues that Finjan failed to show that Sophos's products meet two limitations of the '780 patent: "obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable" and "fetching at least one software component identified by the one or more references." Mot. for JMOL at 10–11.

Sophos asserts that the term "fetching" requires the infringing product to go out and acquire code that was not originally included in the Downloadable. Mot. for JMOL at 10. It asserts that Finjan's evidence shows that the Sophos products only "fetch" code that was already included in the Downloadable and so do not meet this limitation. Id. Sophos also contends that these "fetched" components are not "required to be executed" because Finjan did not show that they "needed to run or complete the corresponding page."Id.

Finjan presented substantial evidence that Sophos's products meet both of these limitations. Oppo. to JMOL at 16. Mitzenmacher testified that the SAV engine in the UTM and Sophos Live Cloud products fetches multiple components while processing the content, computes hashes for this content, and then divides the components up into individual streams. Trial Tr. at 568:23–569:8; 571:15–21, TX–2228 at 1197SOPHOS_00388944. He also testified that Sophos's products fetch "dropped" files, which are "outside code that would be downloaded also and is needed to run or complete the corresponding page." Trial Tr. at 563:6–14.

The parties have different interpretations of what the "fetching" and "required to be executed" terms require, but Finjan's interpretations are plausible and the jury reasonably could have adopted them. Finjan presented substantial evidence to demonstrate that Sophos's products meet the '780 patent limitations.

D. The '154 Patent

Sophos argues that Finjan failed to meet three different elements of the '154 patent.

1. Whether the second function is invoked using the same input as the first function

The '154 patent requires that the content processor receive content that includes a "call to a first function and the call including an input," and invoke "a second function with the input." TX–4. The parties agree that the claim requires that the input included in the first function be the same input invoked in the second function. Mot. for JMOL at 12; Oppo. to JMOL at 17. Sophos contends that this element is not met because, as Mitzenmacher testified, for Sophos's accused products, the input to the accused first function is a "highly obfuscated URL" but the input to the accused second function is the "de-obfuscated URL." Trial Tr. at 658:8–659:18; 664:3–15; 666:13–23.

Finjan rebuts by emphasizing that the URLs in the first and second function are the same except that the first one is "obfuscated" and the second one has been de-obfuscated so that it may be read. Oppo. to JMOL at 17. Whether these two inputs are sufficiently similar to qualify as the same input is a close fact question and the jury reasonably could have adopted either interpretation. The jury's apparent conclusion that these were the same input is substantially supported by the undisputed evidence.2. Whether the accused products invoke the second function "only if" a security computer indicates it is safe

The '154 patent requires that the "second function" be invoked "only if a security computer indicates that such invocation is safe." Sophos contends that its products do not meet this limitation because the second function must be run to trigger a check of the security computer and so is always invoked. Mot. for JMOL at 13; Trial Tr. at 665:4–66:5; 739:4–10.

Finjan asserts that this was a disputed fact question at trial and that it presented substantial evidence in support of its claim that the second function is only invoked when it is safe. Oppo. to JMOL at 18. It notes that Mitzenmacher testified that the invocation only occurs if the SXL server, or the "security computer," indicates that the invocation is safe. Trial Tr. at 663:24–664:17. He also testified that the SAV engine processes the content and prevents the execution of malicious code if the SXL server determines that the content is not safe. Id. ; 671:13–674:25; TX–2808. Finjan presented substantial evidence to demonstrate that Sophos's products meet this claim limitation.

3. Whether Sophos's products receive content with a call to a substitute function

Sophos asserts that the '154 patent requires that the claimed first function be a "substitute function" and that the claimed second function be the "original function." It points to language from the patent explaining that "the present invention operates by replacing original function calls with substitute function calls within the content, at a gateway computer, prior to the content being received at the client computer." TX–4, '154 patent at 4:57–60; Verizon Servs. Corp. v. Vonage Holdings Corp. , 503 F.3d 1295, 1308 (Fed. Cir. 2007) ("When a patent thus describes the features of the 'present invention' as a whole, this description limits the scope of the invention.")

Finjan rebuts that this is a new construction of the term and does not comport with a plain and ordinary reading of the claims as nothing suggests s "first function" must be a "substitute function" in the claim itself. Oppo. to JMOL at 19. It notes that Mitzenmacher's opinion was based on testimony from Sophos's engineers and documents, and that he concluded that Sophos's products infringed this element under its plain and ordinary meaning. Trial Tr. at 657:25–666:12, TX–2150 at 2; TX–2831 at 223.

Finjan presented substantial evidence that Sophos's products infringed the '154 patent under a plain and ordinary reading of Claim 1. This is sufficient to support the jury's verdict.

E. The '494 Patent

Sophos contends that Finjan failed to meet two elements of the '494 patent.

1. Whether the accused products run Downloadables on destination computers

Sophos argues that Finjan failed to show that Sophos's products run a "Downloadable" on a destination computer. The court construed "Downloadable" to mean "an executable application program, which is downloaded from a source computer and run on the destination computer." Dkt. No. 73. Cole testified that for this patent, the destination computer is the end-user computer that makes the initial request. He testified that Sophos's UTM "block[s] [the downloadable] from ever making it to the user." Trial Tr. 359:13–19. He also testified that if SophosLabs determines that a Downloadable is malicious "it will be blocked" and will not be executed on the destination computer. Id. at 332:19–333:3. Sophos contends that because these applications are blocked before they run on the destination computer, they do not meet the claim construction definition of "Downloadable." To meet the definition, it argues, the applications must actually be run on the destination computer.

Finjan asserts that Sophos's argument is based on a "twisted interpretation" of the term Downloadable. Oppo. to JMOL at 21. It submits that the term Downloadable refers to a category of content, including JavaScript, JavaApplets, and ActiveX components and that content of this kind remains a "Downloadable" even when it is not actually run on a destination computer. Id. at 20. It also notes that even Sophos's experts testified that a product that prevents a Downloadable from running on the destination computer may satisfy this claim. Trial Tr. 1404:24–1405:12; 1405:11–12.

The question of whether a Downloadable must be run on a destination computer to be a Downloadable, or whether it needs only to be able to run, was a question raised by the jury. Dkt. No. 394. After discussing the issue with counsel, and concluding that there was no agreed-upon interpretation, I instructed the jury to read the term "Downloadable" in the context of the claims. Id. The jury's assessment of the term and ultimate conclusion that Sophos's products infringed the '494 claim were reasonable and well supported by the evidence.

2. Whether the accused products "store" security profile data in a "database"

Sophos asserts that Finjan failed to present evidence that Sophos's products "store" data and therefore did not show that Sophos's products contain a "database" within the court's construction of the term. Mot. for JMOL at 15.

Finjan responds that it presented substantial evidence to demonstrate that Sophos's Genes, Blackboard, Scanners, S3, Warzone, and SOFA databases are databases under the Court's construction. Oppo. to JMOL at 23. It notes that Cole testified that the Genes Database stores information used during processing. Trial Tr. at 431:5–432:6. He also testified that the Blackboard Database stored information related to the processing of SXL responses, including the Downloadable security profiles. Trial Tr. at 350:15–351:6; 405:18–411:1; TX–2242 at 1197SOPHOS_00872234 ("The Blackboard is a database which stores structured data."). Finjan also presented evidence that Sophos's Scanners, Warzone, S3, and SOFA databases meet the "database" construction. Trial Tr. at 378:9–380:11 ("[Sophos Live Cloud] will go through that and create that threat profile that contains those different suspicious activities. It will then store that in the Warzone database. And then that database also updates a Sophos database, a scanners and a Warzone."); see also id. at 390:17–391:16, 406:21–407:13; 418:3–7.

Finjan presented substantial evidence that Sophos's databases are "databases" under the court's claim construction. The jury's verdict is supported by substantial evidence.

Sophos's Motion for JMOL is DENIED.

MOTION FOR PARTIAL JUDGMENT

BACKGROUND

Sophos seeks partial judgment and a finding of fact that (1) collateral estoppel applies to its invalidity case; and (2) that the '494 and '844 patents are invalid under 35 U.S.C. § 101. Mot. for Partial Judgment at 2, 9 (Dkt. No. 429). As discussed with regard to Sophos's motion for a new trial, Sophos has not demonstrated that collateral estoppel applies to this case. I will address Sophos's Section 101 argument below. Because I conclude that the '494 and '844 patents are not invalid under Section 101, Finjan's motion for a partial judgment and finding of fact is DENIED.

LEGAL STANDARD

35 U.S.C. § 101 states that "[w]hoever invents or discovers any new and useful process, machine of composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title." The Supreme Court has determined that section 101 has an implicit exception and that "[l]aws of nature, natural phenomena, and abstract ideas are not patentable." Ass'n for Molecular Pathology v. Myriad Genetics, Inc. , ––– U.S. ––––, 133 S.Ct. 2107, 2116, 186 L.Ed.2d 124 (2013) (internal quotation marks and citation omitted).

In Alice Corp. Pt. Ltd. v. CLS Bank Int'l , ––– U.S. ––––, 134 S.Ct. 2347, 189 L.Ed.2d 296 (2014), the Supreme Court established a two-step framework to assess whether a particular patent falls within this exception. Step one is to "determine whether the claims at issue are directed to a patent-ineligible concept" such as an abstract idea. Id. at 2355. If a patent is not directed at a patent ineligible concept the court's inquiry ends and the patent is presumed valid. If a patent's claims are directed at an ineligible concept, the court moves on to step two and "consider[s] the elements of each claim both individually and as an ordered combination to determine whether the additional elements transform the nature of the claim into a patent-eligible application." Id. If the patent has additional inventive concepts that transform it into a patent-eligible application, it is presumed valid. But if the patent's claims are directed at an ineligible concept and the patent does not contain additional elements that transform the nature of the claim into a patent-eligible application, the patent is invalid under Alice.

The Federal Circuit has outlined how Alice applies in the specific context of software patents. In applying step one, the court has concluded that claims relating to receiving and categorizing data are generally abstract. See Elec. Power Grp., LLC v. Alstom S.A. , 830 F.3d 1350, 1353 (Fed. Circ. 2016) ("we have treated collecting information, including when limited to particular content (which does not change its character as information), as within the realm of abstract ideas."). In contrast, claims that are directed at a particular improvement in computer technology are generally not abstract. See Enfish, LLC v. Microsoft Corp. , 822 F.3d 1327, 1335 (Fed. Cir. 2016) ("[C]laims purporting to improve the functioning of the computer itself, of improve an existing technological process" are not directed at abstract ideas.).

In Enfish , the Federal Circuit concluded that claims directed to a specific type of self-referential table were not abstract because they constituted a "solution to a problem in the software arts" and were "non-abstract improvements to computer technology." Id. at 1339. In McRo, Inc. v. Bandai Namco Games Am. Inc. , 837 F.3d 1299, 1314 (Fed. Cir. 2016) the court concluded that patents directed at automating existing methods for creating 3–D facial animations were not abstract because they "focused on a specific asserted improvement in computer animation, i.e., the automatic use of rules of a particular type." The McRo court noted that the claims outlined a particular process and set of rules for achieving a particular improvement in computer technology, and explained that "[i]t is the incorporation of the claimed rules, not the use of the computer, that 'improved [the] existing technological process' by allowing the automation of further tasks." Id. at 1314.

As it did in McRo , the Federal Circuit has repeatedly emphasized that a patent is not directed at patent-eligible concepts simply because it uses or is directed at computer technology. Claims that simply use "existing computers as tools in aid of processes focused on abstract ideas" rather than outlining "computer-functionality improvements" are still abstract. Elec. Power Grp. , 830 F.3d at 1354 ; see also Affinity Labs of Texas, LLC v. DIRECTV, LLC , 838 F.3d 1253, 1262 (Fed. Cir. 2016) (claims were abstract where they were directed to the "general concept of out-of-region delivery of broadcast content through the use of conventional devices, without offering any technological means of effecting that concept."); BASCOM Glob. Internet Servs., Inc. v. AT & T Mobility LLC , 827 F.3d 1341, 1348 (Fed. Cir. 2016) (claims involving a system for Internet content filtering were abstract because "filtering content ... is a longstanding, well-known method of organizing human behavior, similar to concepts previously found to be abstract"); Intellectual Ventures I LLC v. Symantec Corp. , 838 F.3d 1307, 1314 (Fed. Cir. 2016) ("Characterizing e-mail based on a known list of identifiers is no less abstract" than "for people receiving paper mail to look at an envelope and discard certain letters, without opening them, from sources from which they did not wish to receive mail based on characteristics of the mail.").

If a patent is directed at an abstract idea, courts must determine at Alice step two whether the claims "both individually and as an ordered combination" as well as any "additional features" in the claims amount to an "inventive concept" sufficient to make the claims patent-eligible. Alice , 134 S.Ct. at 2357. An inventive concept "cannot simply be an instruction to implement or apply the abstract idea on a computer" and "must be significantly more than the abstract idea itself." BASCOM , 827 F.3d at 1349. Claims that "require an arguably inventive set of components or methods" and claims that detail "how the desired result is achieved" may constitute an inventive concept. Elec. Power Grp. , 830 F.3d at 1355.

The Federal Circuit has found an inventive concept in several software patent cases. In DDR Holdings, LLC v. Hotels.com, L.P. , the Federal Circuit concluded that claims that addressed the Internet problem of ads that "lure ... visitor traffic away" from the host website had an inventive concept. 773 F.3d 1245, 1248, 1259 (Fed. Cir. 2014). The court noted that the claims "specify how interactions with the Internet are manipulated to yield a desired result" because they laid out a specific means of resolving this issue: creating a composite website that used the visual elements of the host website but included the third-party advertising content. Id. at 1248, 1259.

The court also found an inventive concept in BASCOM. 827 F.3d at 1350. There, the claims involved "install[ing] a filtering tool at a specific location, remote from the end-users, with customizable filtering features specific to each end user." Id. The BASCOM court noted that "an inventive concept can be found in the non-conventional and non-generic arrangement of known conventional pieces" and explained that this applied because the claims used a technical feature of a network to outline a "specific method of filtering Internet content." Id. And, recently in Amdocs (Israel) Ltd. v. Openet Telecom, Inc. , the Federal Circuit concluded that claims involving managing accounting and billing data amounted to an inventive concept because they had specific enhancing limitations that "necessarily incorporate[d] the invention's distributed architecture—an architecture providing a technological solution to a technological problem." 841 F.3d 1288, 1301 (Fed. Cir. 2016).

Finally, because the Alice analysis is quite complex, courts often do several sanity checks when assessing whether a patent or claim is patent eligible. First courts consider whether a claim is so abstract that it would "pre-empt use of [the claimed] approach in all fields, and would effectively grant a monopoly over an abstract idea." Bilski v. Kappos , 561 U.S. 593, 612, 130 S.Ct. 3218, 177 L.Ed.2d 792 (2010). If so, the claim is not patent eligible. Id. Similarly, courts may ask whether the "claims [ ] are so result-focused, so functional, as to effectively cover any solution to an identified problem." Affinity Labs , 838 F.3d at 1265. Such claims are similarly patent ineligible.

DISCUSSION

Sophos argues that Finjan's '494 patent and '844 patent are invalid under Section 101. They assert that these patents fail the Alice two-step analysis because their claims are directed at abstract ideas and they do not contain any inventive concepts. Mot. for Partial Judgment at 9–18.

This is not the first time that the '494 and '844 patent have been challenged under section 101. In two separate cases between Finjan and Blue Coat Systems, Judge Freeman analyzed the '844 patent and the '494 patent to determine whether they were patent eligible under the Alice two-step test. In Finjan, Inc. v. Blue Coat Sys., Inc. No. 13-cv-03999-BLF, 2015 WL 7351450, at *10 (N.D. Cal. Nov. 20, 2015) ( Blue Coat I ), Judge Freeman concluded that the '844 patent was not directed at an abstract idea because it "has important and specific limitations about providing pro-active protection [that] provide meaningful boundaries on the invention." And, more recently, in Finjan, Inc. v. Blue Coat Sys., LLC , No. 15-cv-03295-BLF, 2016 WL 7212322, at *11 (N.D. Cal. Dec. 13, 2016) ( Blue Coat II ), Judge Freeman concluded that the '494 patent was patent eligible because, although its claims are directed at abstract ideas, the claims, "taken as an ordered combination, recite an inventive concept sufficient to render them patent eligible" because they provide "both spatial and temporal alterations" to traditional virus protection programs.

Judge Freeman's analysis of each patent is instructive. As discussed below, I conclude that both the '494 and '844 patents are patent-eligible. I agree with Judge Freeman's conclusion in Blue Coat II that, although the '494 patent is directed at abstract ideas, it contains inventive concepts and is therefore patent eligible. I similarly conclude that the '844 patent is directed at abstract ideas, but like the '494 patent, contains inventive concepts that make it patent eligible. Notably, this is not the same conclusion Judge Freeman reached in Blue Coat I , where she held that the '844 patent is not directed at an abstract-idea because it has specific limitations that place meaningful boundaries on the invention. 2015 WL 7351450, at *10. However, in her more recent Blue Coat II order, she acknowledged that her analysis of the '844 patent may no longer hold given the intervening precedent from the Federal Circuit. My analysis of the '844 patent defers to the more recent Federal Circuit cases and Judge Freeman's analysis with regard to the '494 patent.

I. THE '494 PATENT

A. Background

In Blue Coat II , Judge Freeman provided a detailed background and explanation of the '494 patent. For ease of reference, I incorporate her factual background here:

Finjan owns the '494 patent, which is entitled "Malicious Mobile Code Runtime Monitoring System and Methods." The '494 patent was filed on November 7, 2011 and issued on March 18, 2014, but belongs to a long line of continuation and continuation-in-part applications which originated from patent applications filed in 1996. One of these parent

applications resulted in U.S. Patent No. 6,092,194 (the "'194 patent''), which the '494 patent identifies in its specification and states is "incorporated by reference." '494 patent, col. 1 ll. 33–38.

The '494 patent generally relates to systems and methods for protecting devices on an internal network from code, applications, and/or information downloaded from the Internet that perform malicious operations. Id. , Abstract. According to the '494 patent, at the time of invention, virus protection strategies for networked computers "met with limited success at best" because virus scanning was localized and reactive: virus protection programs were installed on individual computers and only protected against known viruses. Id. , col. 2 ll. 11–21. Because of this, these "program[s] [would] inevitably [be] surmounted by some new virus," at which point they would need to be updated or replaced and the cycle would begin again. Id. In addition, certain types of viruses were "not well recognized or understood, let alone protected against." Id. , col. 2 ll. 22–24. This included viruses that were hidden in executable programs such as "Downloadables." Id. , col. 2 ll. 23–30. "Accordingly, there remains a need for efficient, accurate, and flexible protection of computers and other network connectable devices from malicious Downloadables." Id. , col. 2. Ll. 45–48.

The '494 patent purports to address this problem by detecting whether downloadable content contains potentially malicious code before it is allowed to be run on the destination computer. See id. , col. 5 l. 60–col. 6 l. 6. At a high level, the disclosed embodiments describe a protection engine that generally resides on a network server and inspects incoming downloads for executable code. See id. , col. 2 l. 20–col. 3 l. 4; '194 patent, col. 3 ll. 10–21. The claims are directed to a narrow aspect of this, which involve a solution consisting of three basic steps that appear to be most closely detailed in the '194 patent :

First, an incoming Downloadable is intercepted. '494 patent, col. 21 l. 20, col. 22 l. 8. The '194 specification describes an "Internal Network Security System" which sits in between an external computer network and the internal computer network and "examines Downloadables received from external computer network 105, and prevents Downloadables deemed suspicious from reaching the internal computer network 115." '194 patent, col. 3 ll. 10–13.

Second, the Downloadable is scanned and "security profile data," which includes "a list of suspicious computer operations that may be attempted by the Downloadable," is derived. '494 patent, col. 21 ll. 21–23, col. 22 ll. 10–13. The '194 specification discloses a "code scanner" component that scans through a Downloadable and generates the "security profile data" (also referred to as "Downloadable Security Profile (DSP) data," '194 patent, col. 4 ll. 17–18). '194 patent, col. 5 ll. 41–42. Figure 7 of the '194 specification illustrates this process:

Id. , Fig. 7. At the beginning of the process, the code scanner "disassemble[s] the machine code of the Downloadable." Id. , col. 9 ll. 23–24. Next, the code scanner iterates through the machines code, (1) resolving the next command in the machine code, (2) "determin[ing] whether the resolved command is suspicious," and, if so, (3) "decod[ing] and register[ing] the suspicious command and its command parameters as DSP data." Id. , col. 9 ll. 20–42. The format of the DSP data is "based on command class (e.g., file operations, network operations, registry operations, operating system operations, resource usage thresholds)." Id. , col. 9 ll. 38–42. Examples of operations deemed potentially hostile include:



File operations: READ a file, WRITE a file; Network operations: LISTEN on a socket, CONNECT to a socket, SEND data, RECEIVE data, VIEW INTRANET; Registry operations: READ a registry item, WRITE a registry item; Operating system operations: EXIT WINDOWS, EXIT BROWSER, START PROCESS/THREAT, KILL PROCESS/THREAD CHANGE PROCESS/THREAD PRIORITY, DYNAMICALLY LOAD A CLASS/LIBRARY, etc.; and Resource usage thresholds: memory, CPU, graphics, etc.

Id. , col. 5 l. 59–col. 6 l. 4.

Third, the "security profile data" is stored in a database. '494 patent, col. 21 ll. 24–25, col. 22 ll. 14–16. The '194 specification discloses that, after DSP data is generated, it is stored in a "DSP data" data object according to the Downloadable's ID. '194 patent, col. 6 ll. 9–10 ("[t]he code scanner 325 then stores the DSP data into DSP data 310 (corresponding to its Downloadable ID)"). The DSP data is then stored in "security database 240," along with other data such as security policies, a list of known Downloadables, and a list of known Certificates. See id. , col. 3 ll. 47–50, col. 4 ll. 15–18.

The '194 specification discloses that DSP, data stores in the database can be compared, along with other information, against a security policy to determine whether the Downloadable should be permitted to be run on the destination computer. See id. , col. 6 ll. 13–20. However, the claims themselves do not recite this, nor any subsequent use of the security profile data, after it gets stored in the database. '494 patent, col. 21 ll. 22–23, col. 22 ll. 8–17.

Finjan currently asserts claims 1, 10, 14, [ ] and 18. [ ] Independent claims 1 and 10 recite:

1. A computer-based method, comprising the steps of: Receiving an incoming Downloadable; Deriving security profile data for the Downloadable, including a list Of suspicious computer operations that may be attempted by the Downloadable; and Storing the Downloadable security profile data in a database.

10. A system for managing Downloadables, comprising: a receiver for receiving an incoming Downloadable; a Downloadable scanner coupled with said receiver, for deriving security profile data for the Downloadable, including a list of suspicious computer operations that may be attempted by the Downloadable; and a database manager coupled with said Downloadable scanner, for storing the Downloadable security profile data in a database.

Id. , col. 21 ll. 22–23, col. 22 ll. 8–17. Claim 14 additionally requires that the Downloadable include a program script. Id. , col. 22 ll. 26–27.... Claim 18 requires that the Downloadable scanner comprise a disassembler. Id. , col. 22 ll. 37–39.

Blue Coat II , 2016 WL 7212322, at *1–3.

B. Scope of Review

As Judge Freeman explained in Blue Coat II , when assessing the scope of a patent the Section 101 inquiry must focus on the language of the Asserted Claims themselves. Id. at *7. "[T]he complexity of the implementing software or the level of detail in the specification does not transform a claim reciting only an abstract concept into a patent-eligible system or method." Accenture Glob. Servs., GmbH v. Guidewire Software, Inc. , 728 F.3d 1336, 1345 (Fed. Cir. 2013). "Nevertheless, the specification, as a helpful tool in understanding claim scope, is not to be ignored entirely." Blue Coat II , 2016 WL 7212322, at *7 ; see also Enfish , 822 F.3d at 1335 ("The 'directed to' inquiry applies a stage-one filter to claims, considered in light of the specification, based on whether their character as a whole is directed to excluded subject matter.") (internal quotation marks and citation omitted).

Accordingly, Judge Freeman did not review the '494 claims in a vacuum, but reviewed them in the context of the '494 specification and the specification for the '194 patent, which the '494 patent incorporates by reference. Blue Coat II , 2016 WL 7212322, at *8 ("[I]n assessing patent eligibility here, the Court must restrict itself to the language of the asserted claims of the '494 patent, which recite, in relatively broad terms only three basic functions: receiving, deriving, and storing. Nevertheless, each of these functions should be read in light of the specification, including its detailed descriptions of how a 'Downloadable' is 'receiv[ed]' or how 'security profile data' is deriv[ed].' "). Further because Finjan was the non-moving party, Judge Freeman construed the claims in the light most favorable to Finjan, which meant "err[ing] on the side of incorporating more-not-less-particularities from the specification into its understanding of the claims, while still refraining from importing limitations from the specification into the claim." Id.

Judge Freeman's analysis applies equally here: while the review must be limited to the claims of the '494 patent, these claims should be read in the context of the patent's specifications, as well as the '194 patent's specifications. Id. (Concluding that the entire '194 patent is incorporated into the '494 patent because the '494 patent "indicates that it is incorporating the entire '194 patent, and provides enough information for the reader to locate this information.'')

C. Alice Step One

Sophos argues that the '494 Patent is invalid because its claims are directed at the abstract ideas of "receiving data, extracting information from that received data, then storing that information." Mot. for Partial Judgment at 10. It adds that the claims do not "recite any specific way" of accomplishing these steps and so the claims would "prohibit all other persons from making the same thing by any means whatsoever." Id. at 11.

Finjan responds that the '494 patent is not directed at an abstract idea because it is "deeply rooted in computer technology, improves computer functionality and addresses the specific problem of malicious Downloadables which were non-existent prior to the claimed inventions." Oppo. to Mot. for Partial Judgment at 16 (Dkt. No. 438). Finjan asserts that Sophos fails to look at the claims as a whole and improperly analyzes and overgeneralizes each step. Id. at 17. It argues that the '494 claims, "by covering the generation of a list of suspicious computer operations related to the Downloadable, are directed to an improvement to computer functionality and are different from prior, conventional antivirus technology." Id. at 21.

I agree with Sophos that the '494 claims are directed at an abstract idea. While the claims are meant to be utilized in the particular context of malware protection, the asserted claims themselves only list the abstract ideas of "receiving data, extracting information from that received data, then storing that information." Mot. for Partial Judgment at 10. As Judge Freeman noted in Blue Coat II , this remains true even when the claims are viewed in the context of the details outlined in the '194 patent. Blue Coat II , 2016 WL 7212322, at *9 ("At their heart, they claim nothing more than a solution that scans through data (e.g., the disassembled code from the code scanner, '194 patent, col. 5 ll. 41–45, col. 9 ll. 20–42), identifies certain characteristics (e.g., the operations that match its pre-existing list of operations, '194 patent, col. 5 l. 45–col. 6 l. 4), and stores the results of the analysis (e.g., the list of suspicious operations encountered, stored as formatted DSP data, '194 patent, col. 6 ll. 9–10)".) These steps are similar to the way a person could categorize and sort elements in a non-computer context—for example, a clerk in a mailroom may perform conceptually similar tasks. And, while the specific claims (1, 10, 14, and 18) provide some limitations on the context in which this process is performed, the overall purpose and focus of the claims remains directed at the abstract idea of receiving and analyzing data, and storing that information.

This analysis is in line with Federal Circuit precedent, which makes clear that claims that utilize computer technology as a tool to perform an abstract idea, but do not themselves improve computer function, remain abstract. See e.g. , BASCOM , 827 F.3d at 1348 (claims related to filtering content on the Internet were directed to an abstract idea); Intellectual Ventures I , 838 F.3d at 1314 (claims related to filtering email for viruses and unwanted spam were directed at an abstract idea). The '494 claims place the abstract idea of receiving, analyzing, and storing data into the computer context but do not outline a specific improvement to the way computers operate. Elec. Power Grp. , 830 F.3d at 1354. "They recite use of generic computer components to perform data collection and analysis generally. They do not recite an improvement to a particular computer technology used in malware detection—they do not, for example, claim an improvement to a specific, preexisting malware detection algorithm or recite special data structures that fundamentally improve the process of detecting malware." Blue Coat II , 2016 7212322, at *10. Under Alice step-one, the '494 claims are directed at an abstract idea. Alice , 134 S.Ct. at 2355.

D. Alice Step Two

Under step two the court considers whether the claim elements, "both individually and as an ordered combination" recite an "inventive concept" which "transform[s] the nature of the claim into a patent-eligible application." Id. at 2355.

Sophos argues that the '494 patent simply recites the basic steps of "receiving," "deriving," and "storing" performed with a "receiver," "scanner" and "database manager" and that there is "nothing inventive about these routine computer functions and components, either alone or in an ordered combination." Mot. for Partial Judgment at 16. Finjan responds that the claims recite an inventive concept because they are "directed to providing a concrete and inventive solution to a real world problem by addressing the need for behavior-based detection of malicious code in Downloadables (i.e. downloaded executable application), as opposed to signature-based techniques or other types of files." Oppo. to Mot. for Partial Judgment at 22.

I agree with Finjan (and Judge Freeman in Blue Coat II ) that the claims recite an inventive concept when taken as an ordered combination and considered in context. The '494 patent notes that, prior to its invention, malware protection programs were only able to detect and protect against known viruses and were installed on particular user computers. '494 patent, col. 2 ll. 11–21. The '494 patent details a new kind of virus protection: one that is located on a network computer, rather than the end-user computer, and which is able to detect unknown viruses by identifying suspicious components in unique and novel code. The '494 patent therefore includes a "non-conventional and non-generic arrangement of known, conventional pieces" such that, when taken as an ordered combination, it recites an inventive concept. BASCOM , 827 F.3d at 1350.

While viewing the '494 patent in the light most favorable to Finjan, the patent is innovative because, instead of conducting malware analysis on an end-user computer, the '494 patent describes a system where malware scanning take place on a separate, intermediate network. In Blue Coat II , Judge Freeman acknowledges that this is not made explicit by the '494 claims themselves, but explains that the patent specifications make clear that the claim steps take place on a network. Blue Coat II , 2016 WL 7212322, at *11 ("All embodiments of the protection engines disclosed in the '494 and '194 specifications reside on a network server." See '494 patent, col. 2 l. 20–col. 3 l. 4; '194 patent, col. 3 ll. 10–21. In addition, the '194 specification discloses that the code scanner, the particular component that performs the analysis to derive the data security profile, resides in the Internal Network Security System, which sits in between the external computer network and end-user computers. '194 patent, Fig. 1; col. 3 ll. 10–13.). As Judge Freeman concluded, this arrangement represents a novel use of specific computer systems in a "non-conventional and non-generic arrangement" to improve malware protection systems for computer networks. Id. ; BASCOM , 827 F.3d at 1350.

Further, the '494 patent is innovative because it describes a method of scanning and extracting particular suspicious elements of a file rather than scanning only entire files. Again, in Blue Coat II , Judge Freeman explains that this is not laid out explicitly in the claims, but that a person of ordinary skill in the art would understand the claims to detail this process:

"[D]eriving security profile data," if construed in a light most favorable to Finjan, at least requires a process of parsing through a Downloadable and creating a list of all potentially suspicious computer operations. The claims themselves recite that "security profile data" must include "a list of suspicious computer operations that may be attempted by the Downloadable." '494 patent col. 21 ll. 22–23, col. 22 ll. 11–12. By necessity, then, "deriving" must include some means of extracting and identifying these operations. Only the '194 specification uses the phrase "downloadable security profile data," and the only embodiment of deriving security profile data that it discloses involves a precise process of decomposing code and extracting operations. '194 patent, col. 9 ll. 20–42, Fig. 7. Thus, a person of ordinary skill in the art would understand "deriving security profile data" to refer to this type of process.

Blue Coat II , 2016 WL 7212322, at *11. This process is innovative because it allows a malware detection program to detect new viruses, previously unknown files that contain suspicious operations, rather than identifying only known viruses. '494 patent, col. 2 ll. 56–64.

Looking at the '494 patent as a whole, the claims recite an inventive concept because they detail a system that involves scanning malware on an intermediate network, rather than an end-user computer, and because they detail a process for identifying unknown viruses by extracting specific suspicious operations from files. The '494 patent is not patent-ineligible under Alice .

II. THE '844 PATENT

Sophos moves for a finding that the '844 patent is not patent-eligible under section 101. I conclude that the '844 patent is patent eligible because, although its claims are directed at abstract ideas, it contains inventive concepts.

A. Background on '844 patent

Finjan owns the '844 patent, entitled "System and Method for Attaching a Downloadable Security Profile to a Downloadable." The '844 patent was filed on December 22, 1997 and issued on November 28, 2000. The '844 patent is part of the family of patents derived from the '194 patent. As with the '494 patent, the '844 patent incorporates the '194 patent by reference. '844 patent, col. 1 ll. 12–15.

Generally, the '844 patent relates to methods and systems for protecting computer networks from malicious Downloadables. Id. col. 1 ll. 62–65. As the '844 patent explains, at the time of its invention, virus protection software was relatively effective at identifying and blocking Internet computer viruses but was unable to identify viruses "attached to or configured as Downloadable application programs." Id. col. 1 ll. 41–45. A Downloadable is an "executable application program" such as Java applets, JavaScript, and plugins. Id. col. 1 ll. 45–56. Downloadables are "typically requested by an ongoing process such as by an Internet browser or web client" or may "add to the functionality of an already existing application program." Id. col. 1 ll. 47–48; ll. 55–56. Because Downloadables are necessary to run many applications, "a system and method are needed to protect a network from hostile Downloadables." Id. col. 1 ll. 58–59. The '844 patent attempts to assist in addressing this problem by detailing a system in which an "inspector" analyzes particular elements of Downloadables to assess whether they contain suspicious code or operations. '844 patent at col. 2 ll. 3–19. The inspector then generates a Downloadable security profile ("DSP")—detailing the suspicious operations of the Downloadable, and then links this DSP to the Downloadable. Id. The DSP may include a list of suspicious operations or a list of suspicious code patterns, and may include a certificate identifying the content inspection engine that created the DSP. Id.

Finjan asserts claims 1, 15, and 16 against Sophos. Independent claims 1 and 15 read as follows:

1. A method comprising:

receiving by an inspector a Downloadable; generating by the inspector a first Downloadable security profile that identifies suspicious code in the received Downloadable; and linking by the inspector the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients.

15. An inspector system comprising:

memory storing a first rule set; and a first content inspection engine for using the first rule set to generate a first Downloadable security profile that identifies suspicious code in a Downloadable, and for linking the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients.

Id. , col. 11 ll. 13–20; col. 11 11. 62–col. 12 ll. 2. Claim 16 additionally requires that the inspector system include a list of suspicious operations. Id. , col. 12 ll. 3–4.

B. Alice step-one

Sophos argues that the '844 patent is directed at an abstract idea of "receiving data, extracting information from that received data, and linking that information to the received data." Mot. for Partial Judgment at 18. It asserts that the three steps of "receiving", "generating a security profile" and "linking" are entirely abstract and do not identify any specific means or method for accomplishing the claimed linking. Id. at 19. It acknowledges that in Blue Coat I , Judge Freeman concluded that the '844 patent is not directed at an abstract idea, but contends that this conclusion was incorrect.

Finjan responds that Sophos is improperly second guessing Judge Freeman's decision from Blue Coat I . Oppo. to Mot. for Partial Judgment at 12. It asserts that the '844 patent is not directed at an abstract idea because it is "directed to a non-abstract idea and improvement of computer technology related to the protection of a computer system from malicious code found on the Internet." Id.

In assessing this issue in Blue Coat I , Judge Freeman found a hypothetical patentable claim published by the USPTO particularly persuasive. Blue Coat I , 2015 WL 7351450, at *9. The hypothetical claim involved "receiving an electronic communication," "storing the communication," and "extracting ... malicious code from the electronic communication to create a sanitized electronic communication." Id. The USPTO's guidance explained its understanding that this hypothetical claim was not directed at an abstract idea:

The claim is directed towards physically isolating a received communication on a memory sector and extracting malicious code from that communication to create a sanitized communication in a new data file. Such action does not describe an abstract concept, or a concept similar to those found by the courts to be abstract ... the invention claimed here is directed towards performing isolation and eradication of computer viruses, worms, and other malicious code, a concept inextricably tied to computer technology and distinct from the types of concepts found by the courts to be abstract."

Id. at *10.

However, as Judge Freeman acknowledged in Blue Coat II , this analysis may not line up with the Federal Circuit cases that have been published since the Blue Coat I decision. Blue Coat II , 2016 WL 7212322, at *10 (noting that Blue Coat I "predated many of the Federal Circuit decision that now guide the Court's step one analysis" and that "[i]f, to any extent, the Court's reasoning in [ Blue Coat I ] conflicts with Federal Circuit precedent, Federal Circuit precedent controls).

As Enfish , McRo , Electric Power Group , BASCOM , and Intellectual Ventures I , all published after Blue Coat I , make clear, a patent does not pass step-one of Alice simply because it involves concepts inextricably tied to computer technology. See, e.g. , Enfish , 822 F.3d at 1336. The court must ask "whether the focus of the claims is on the specific asserted improvement in computer capabilities ... or, instead, on a process that qualifies as an 'abstract idea' for which computers are invoked merely as a tool." Id.

In light of Judge Freeman's more recent analysis in Blue Coat II , and the intervening Federal Circuit cases, I conclude that the '844 patent is directed at an abstract idea. As with the '494 patent, although the receiving, generating, and linking steps are used in the particular context of malware protection software, they remain familiar and general abstract concepts. Blue Coat II , 2016 WL 7212322, at *9 ("These are fundamental concepts germane to any type of content analysis."). Intellectual Ventures I , 838 F.3d at 1314 ("The Supreme Court has held that 'fundamental ... practice[s] long prevalent' are abstract ideas"). The claims identify a process of scanning data; identifying particular characteristics of that data and creating a "profile"; and then linking that profile to the data. '844 patent, col. 2 ll. 49–53. As with the '494 patent, this process is similar to how a human might process potentially suspicious mail—for example, a mail inspector might analyze a threatening letter, make a note explaining the particularly suspicious elements of the letter, and link this note to details about the sender. The inspector could then refer to the note in the future when receiving additional mail from the same address.

The '844 claims are similar to those found abstract in BASCOM and Intellectual Ventures I. BASCOM , 827 F.3d at 1348 (claims that filtered Internet content were directed at abstract idea); Intellectual Ventures I , 838 F.3d at 1314 (claims that filtered email for viruses and spam were directed at abstract idea). That the '844 claims relate to computer technology, and specifically, malware protection, does not mean that they are not directed at abstract ideas. "[A]s a whole" the process described in the '844 patent is focused on the abstract idea of data collection and analysis, and does not present a specific improvement to computer operations. Enfish , 822 F.3d at 1335. Accordingly, under Alice step-one, I conclude that the '844 claims are directed at an abstract idea.

C. Alice step-two

Under Alice step two I must assess whether the claims "individually and as an ordered combination" outline an "inventive concept" sufficient to "transform the nature of the claim into a patent-eligible application." Alice , 134 S.Ct. at 2355.

Finjan asserts that the '844 claims are inventive because they are "directed to the concrete idea of protecting a computer system against malicious code from the Internet." Oppo. to Mot. for Partial Judgment at 13. It explains that the claims detail the process of "receiving a downloadable and inspecting it before it is downloaded onto a computer," "(2) generating a security profile that identifies suspicious code," and "linking the Downloadable security profile to the Downloadable before it is made available to web clients."

Sophos rebuts that there is nothing about "protection" in the claims, which only recite the basic steps of "receiving a file, generating the security profile and linking it to the file at a particular time." Reply to Mot. for Partial Judgment at 15 (Dkt. No. 447).

I agree with Finjan that the '844 patent claims, when taken as an ordered combination, recite an inventive concept. As the '844 patent notes, at the time of its invention, malware security programs were not configured to recognize viruses attached to or configured as Downloadables. '844 patent, col. 1 ll. 41–45. Because Downloadables are common and provide significant functionalities and value, "a system and method are needed to protect a network from hostile Downloadables." Col. 1 ll. 58–59.

The '844 patent aims to supply such a method and system. It outlines a process of receiving a Downloadable, generating a downloadable security profile, and linking this profile to the Downloadable before the Downloadable is made available to the end-user. Id. col. 11 ll. 13–20. It also outlines a system that includes a content inspection engine that uses a first rule set to identify suspicious code in a Downloadable, generate a Downloadable security profile, and link that security profile to the Downloadable before it is made available to web clients. Id. col. 11 ll. 61–col. 12 ll. 2.

The '844 patent claims harness specific network architecture and use it in non-conventional ways. The claims implement an "inspector" system that receives the Downloadable, generates a Downloadable security profile, and links this profile to the Downloadable before the Downloadable is made available to web clients. Id. col. 11 ll. 61–col. 12 ll. 2. Although not made explicit in the claims, because the inspector must link the Downloadable security profile to the Downloadable before it is made available to web clients, the inspector must necessarily be remote from end-users. By performing these scanning and linking steps at a remote location, the '844 patent outlines a system that helps protect the end-user by scanning hostile Downloadables before they are downloaded onto an end-user computer. As virus scanning historically was done on end-user computers, this use of a remote inspector helps make the '844 patent inventive.

The '844 patent also outlines a system for identifying new and known hostile Downloadables. The claims require the inspector to generate a Downloadable security profile. As discussed above, and as Judge Freeman explained in Blue Coat II , this "at least requires a process of parsing through a Downloadable and creating a list of all potentially suspicious computer operations." Blue Coat II , 2016 WL 7212322, at *11. This process allows a system to identify unknown hostile Downloadables by scanning for suspicious or hostile operations rather than scanning only entire viruses. The claims also require the inspector to link the security profile to the Downloadable before the Downloadable is made available to web clients. This linking step establishes a system that allows inspectors, in future scans of the Downloadable, to identify known or previously scanned Downloadables and to compare the Downloadable security profile to a security policy. The system therefore allows future inspectors to identify hostile Downloadables without scanning the Downloadable for suspicious operations and generating a new security profile. Because, as the '844 patent explains, early security software was not configured to recognize Downloadables, the process outlined in the '844 patent of scanning Downloadables for suspicious operations and setting up a system to allow for future identification of known hostile Downloadables is a novel technical solution to a previously unaddressed issue.

Taking the '844 patent as a whole, the claims recite an inventive concept because they detail a specific technical solution to assist in protecting computer networks from hostile Downloadables, something security systems were previously not configured to do. Although the '844 patent uses well-known systems, "an inventive concept can be found in the non-conventional and non-generic arrangement of known, conventional pieces." BASCOM , 827 F.3d at 1350. The '844 patent's specific applications to scanning and analyzing Downloadables, and non-conventional use of a remote inspector to perform scanning and linking of a security profile before the Downloadable is made available to web clients, represent an "inventive concept" because the patent describes a "specific technical solution beyond simply using generic computer concepts in a conventional way." Id.

The '844 patent does not "pre-empt use of [the claimed] approach in all fields" or "effectively grant a monopoly over an abstract idea." Bilski , 561 U.S. at 612, 130 S.Ct. 3218. The claim elements are specifically limited to scanning Downloadables, generating Downloadable security profiles, and linking those profiles to the Downloadables. These claims do not preclude use of the scanning, generating data, and linking elements outside the malware security software field and so do not pre-empt all uses of these abstract ideas. Further, the claims are not "so result-focused, so functional, as to effectively cover any solution to an identified problem." Affinity Labs , 838 F.3d at 1265. The '844 patent claims outline one technical solution to the problem of protecting computer networks from hostile Downloadables but leave room for many others. Viewing the '844 patent in the light most favorable to the non-movant, Finjan, I conclude that the claims describe an inventive concept, and that the claims are patent eligible.

Because the '494 patent and '844 patent include inventive concepts they are not patent ineligible. Sophos's Motion for a Partial Judgment and Finding of Fact is DENIED.

CONCLUSION

As outlined above, Finjan's Motion for Attorneys' Fees and Costs is DENIED; Sophos's Motion for a New Trial, or in the Alternative, Remittitur is DENIED; Finjan's Motion to Amend the Judgment and for an Injunction is DENIED, however its request for Pre- and Post–Judgment Interest is GRANTED and will be awarded at the treasury bill rate; Sophos's Renewed Motion for Judgment as a Matter of Law is DENIED; and Sophos's Motion for a Partial Judgment and Finding of Fact is DENIED.

IT IS SO ORDERED.