From Casetext: Smarter Legal Research

Finjan, Inc. v. Sophos, Inc.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
May 24, 2016
Case No. 14-cv-01197-WHO (N.D. Cal. May. 24, 2016)

Summary

permitting the use of a "previously undisclosed reference to be used as background material" as long as the reference is "not asserted as [an] invalidating prior art reference"

Summary of this case from Slot Speaker Techs., Inc. v. Apple, Inc.

Opinion

Case No. 14-cv-01197-WHO

05-24-2016

FINJAN, INC., Plaintiff, v. SOPHOS, INC., Defendant.


ORDER ON MATTERS HEARD ON MAY 11, 2016 Re: Dkt. Nos. 135, 137, 140, 143, 146, 158, 188

INTRODUCTION

This is a patent infringement action involving technologies for computer and network security. Plaintiff Finjan, Inc. ("Finjan") accuses defendant Sophos, Inc. ("Sophos") of infringing 16 different claims from eight different patents. Over the course of March 2016, the parties filed five motions: (1) Finjan's motion to strike; (2) Sophos's motion to strike; (3) Sophos's motion for protective order; (4) Sophos's motion for partial summary judgment; (5) Finjan's motion for summary judgment. I heard argument on these motions - as well as on the joint letter the parties filed on April 1, 2016 - on May 11, 2016. This Order addresses the five motions and the joint letter.

The 16 asserted claims of the eight asserted patents are:
(1) claim 1 of U.S. Patent No. 8,141,154 ("the '154 patent");
(2) claim 22 of U.S. Patent No. 7,757,289 ("the '289 patent");
(3) claims 1, 10, 14, and 18 of U.S. Patent No. 8,677,494 ("the '494 patent"); and
(4) claim 1 of U.S. Patent No. 8,566,580 ("the '580 patent").
(5) claims 9 and 18 of U.S. Patent No. 6,804,780 ("the '780 patent");
(6) claims 1, 7, 16, and 43 of U.S. Patent No. 6,154,844 ("the '844 patent");
(7) claim 12 of U.S. Patent No. 7,613,918 ("the '918 patent");
(8) claims 18 and 22 of U.S. Patent No. 7,613,926 ("the '926 patent"); Final Election of Asserted Claims at 1 (Kastens Decl. Ex. 1, Dkt. No. 1353). Finjan accuses Sophos of: (a) directly infringing each of the asserted claims; (b) inducing infringement of claim 1 of the '494 patent, claims 1 and 7 of the '844 patent, and claim 18 of the '926 patent; and (c) contributorily infringing claim 1 of the '580 patent. Id.

BACKGROUND

I. THE DELAWARE ACTION

This is not the first patent infringement action between Finjan and Sophos. In July 2010, Finjan filed a patent infringement complaint in the United States District Court for the District of Delaware against Sophos, among other defendants, for infringement of U.S. Patent Nos. 6,092,194 ("the '194 patent") and 6,480,962 ("the '962 patent"). Similar to the asserted patents in the instant case, the '194 and '962 patents concern "systems and methods for protecting a computer and a network from hostile Downloadables." Finjan, Inc. v. Symantec Corp., No. 10-cv-00593, 2013 WL 5302560, at *2 (D. Del. Sept. 19, 2013) ("Delaware Action").

Following a 13-day trial in December 2012, the jury found that the defendants had not infringed any of the asserted claims, and that each of the asserted claims was invalid as either anticipated or obvious. The only anticipation theory presented at trial was based on SWEEP-InterCheck - specifically, version 2.72 of SWEEP and version 2.11 of InterCheck - a "combined product" developed by Sophos. See id. at *14-15.

In denying Finjan's post-trial motion for judgment as a matter of law, the district court found that there was substantial evidence that SWEEP-InterCheck was on sale in the United States before November 8, 1996, the priority date of the patents-in-suit. Id. at *15-17. It rejected Finjan's argument that Sophos's anticipation theory was flawed because it was "based on a combination of references," including different user manuals, different versions of source code, and "a third-party network interface card." Id. *17. The district court found that the user manuals and source code were presented to the jury "simply to demonstrate and support how SWEEP-InterCheck functioned at the time, not as distinct references." Id. And it found that the "third-party network interface card" was a "necessary" part of SWEEP-InterCheck. Id. at *18 ("[A]s SWEEP-InterCheck receives incoming Downloadables, a functionality that the jury observed, it is clear that a network interface would be necessary to receive [the] Downloadable[s]."). The Federal Circuit summarily affirmed on appeal. Finjan Inc. v. Symantec Corp., 577 F. Appx. 999, 1000 (Fed. Cir. 2014).

II. THE INSTANT ACTION

Finjan filed its complaint in the instant action on March 14, 2014. Dkt. No. 1. In the joint case management statement filed on June 17, 2014, the parties submitted competing proposals for "narrowing the issues" in the case by placing limitations on the number of asserted claims and prior art references. Dkt. No. 35. Following the case management conference on June 18, 2014, I entered an order adopting the limitations proposed by Sophos. Dkt. No. 36 ("Case Management Order"). The limitations required each party to submit a Preliminary Election of Asserted Claims/Asserted Prior Art, followed by a Second Election of Asserted Claims/Asserted Prior Art, and then a Final Election of Asserted Claims/Asserted Prior Art. Dkt. No. 35 at 14-15. Finjan's Final Election of Asserted Claims limits it to no more than five asserted claims per patent and no more than 16 asserted claims overall; Sophos's Final Election of Asserted Prior Art limits it to no more than six asserted references per patent and no more than 20 references overall. Id. at 15-16.

On February 12, 2016, Finjan served its Final Election of Asserted Claims, identifying the asserted claims listed in footnote 1 above. Dkt. No. 135-3 at 1. On February 19, 2016, Sophos served its Final Election of Asserted Prior Art, identifying 5 references for the '844 patent, 4 references for the '780 patent, 4 references for the '918 patent, 5 references for the '926 patent, 3 references for the '289 patent, 3 references for the '154 patent, 4 references for the '580 patent, and 4 references for the '494 patent. Dkt. No. 135-20 at 2-5. Many of the references for the asserted patents overlap, and Finjan does not dispute that Sophos's Final Election of Asserted Prior Art contains no more than 20 references overall.

The asserted claims are as follows:

'154 patent,claim 1

A system for protecting a computer from dynamically generated maliciouscontent, comprising:a content processor (i) for processing content received over a network, the contentincluding a call to a first function, and the call including an input, and (ii) forinvoking a second function with the input, only if a security computer indicatesthat such invocation is safe;a transmitter for transmitting the input to the security computer for inspection,when the first function is invoked; anda receiver for receiving an indicator from the security computer whether it is safeto invoke the second function with the input.

'289 patent,claim 22

A system for protecting a computer from dynamically generated maliciouscontent, comprising:a receiver for receiving content being sent to the computer for processing, thecontent including a call to an original function, and the call including an input;a content modifier for modifying the received content by replacing the call to theoriginal function with a corresponding call to a substitute function, the substitutefunction being operational to send the input for inspection;an input modifier for modifying the input if the input itself includes a call to asecond original function with a second input by replacing the call to the secondoriginal function with a corresponding call to a second substitute function, thesecond substitute function being operational to send the second input to thesecurity computer for inspections;a transmitter for transmitting the modified content and the modified input, ifmodified by said input modifier, to the computer.

'494 patent,claim 1

A computer-based method, comprising the steps of:receiving an incoming Downloadable;deriving security profile data for the Downloadable, including a list of suspiciouscomputer operations that may be attempted by the Downloadable; andstoring the Downloadable security profile data in a database.

'494 patent,claim 10

A system for managing Downloadables, comprising:a receiver for receiving an incoming Downloadable;a Downloadable scanner coupled with said receiver, for deriving security profiledata for the Downloadable, including a list of suspicious computer operations thatmay be attempted by the Downloadable; anda database manager coupled with said Downloadable scanner, for storing theDownloadable security profile data in a database

'494 patent,claim 14

The system of claim 10 wherein the Downloadable includes program script.

'494 patent,claim 18

The system of claim 10 wherein said Downloadable scanner comprises adisassembler for disassembling the incoming Downloadable.

'580 patent,claim 1

A system for secure communication, comprising:a first security computer comprising:a certificate creator, (i) for receiving attributes of a server computer's signedcertificate within a reply message generated by a second security computer andcommunicated to the first security computer, the signed certificate being used toauthenticate the server computer, and (ii) for creating a proxy signed certificatefrom the received attributes;a certificate cache for storing and retrieving the attributes of the servercomputer' s signed certificate; anda first SSL connector, for connecting to a client computer and for performing afirst SSL handshake with the client computer using the proxy signed certificatecreated by said certificate creator; anda second security computer communicatively coupled with said first securitycomputer via a non-SSL connection for receiving a connection request messagetherefrom, the connection request message including cached attributes of thesigned certificate, comprising:a second SSL connector, for connecting to the server computer, for receivingcurrent attributes of the signed certificate from the server computer, forperforming a second SSL handshake with the server computer using the signedcertificate, and for generating the reply message communicated to said firstsecurity computer in response to the connection request message;a certificate comparator for comparing the cached attributes of the signedcertificate with the current attributes of the signed certificate; anda protocol appender, for appending the current attributes of the signed certificatewithin the reply message communicated to said first security computer, when saidcertificate comparator determines that the cached attributes of the signedcertificate do not match the current attributes of the signed certificate.

'780 patent,claim 9

A system for generating a Downloadable ID to identify a Downloadable,comprising:a communications engine for obtaining a Downloadable that includes one or morereferences to software components required to be executed by the Downloadable;andan ID generator coupled to the communications engine that fetches at least onesoftware component identified by the one or more references, and for performinga hashing function on the Downloadable and the fetched software components togenerate a Downloadable ID.

'780 patent,claim 18

A computer-readable storage medium storing program code for causing acomputer to perform the steps of:obtaining a Downloadable that includes one or more references to softwarecomponents required to be executed by the Downloadable;fetching at least one software component identified by the one or morereferences; andperforming a hashing function on the Downloadable and the fetched softwarecomponents to generate a Downloadable ID.

'844 patent,claim 1

A method comprising:receiving by an inspector a Downloadable;generating by the inspector a first Downloadable security profile that identifiessuspicious code in the received Downloadable; andlinking by the inspector the first Downloadable security profile to theDownloadable before a web server makes the Downloadable available to webclients.

'844 patent,claim 7

The method of claim 1, wherein the Downloadable includes a JavaScript script.

'844 patent,claim 16

16. The system of claim 15, wherein the first rule set includes a list of suspiciousoperations.15. An inspector system comprising:memory storing a first rule set; anda first content inspection engine for using the first rule set to generate a firstDownloadable security profile that identifies suspicious code in a Downloadable,and for linking the first Downloadable security profile to the Downloadablebefore a web server makes the Downloadable available to web clients.

'844 patent,claim 43

An inspector system comprising:means for receiving a Downloadable;means for generating a first Downloadable security profile that identifiessuspicious code in the received Downloadable; andmeans for linking the first Downloadable security profile to the Downloadablebefore a web server makes the Downloadable available to web clients.

'918 patent,claim 12

A computer security system for a gateway computer, comprising:a receiver for receiving content including potentially malicious executable code("CODE-A"), intended for downloading at a client computer, wherein the clientcomputer manages a plurality of computer accounts for logging in to the clientcomputer, and wherein each computer account of the plurality of computeraccounts has associated therewith a security context within which an executablerunning on the client computer under such account is processed;a code profiler, coupled with said receiver, for scanning CODE-A and deriving aprofile thereof; a security context generator, coupled with said code profiler, fordetermining, based on the profile of CODE-A derived by said profiler, anappropriate computer account from among the plurality of computer accounts,under which CODE-A may be processed by the client computer;a code packager, coupled with said security context generator, for packaging(i) information about the computer account determined by said security contextgenerator and (ii) CODE-A, with (iii) executable wrapper code ("CODE-B"), intoa combined code ("CODE-C"); anda transmitter, coupled with said code packager, for forwarding CODE-C to theclient computer for processing.

'926 patent,claim 18

18. The computer-based method of claim 15 wherein the Downloadable includesprogram script.15. A computer-based method, comprising the steps of:receiving an incoming Downloadable;performing a hashing function on the incoming Downloadable to compute anincoming Downloadable ID;retrieving security profile data for the incoming Downloadable from a database ofDownloadable security profiles indexed according to Downloadable IDs, basedon the incoming Downloadable ID, the security profile data including a list ofsuspicious computer operations that may be attempted by the Downloadable; andtransmitting the incoming Downloadable and a representation of the retrievedDownloadable security profile data to a destination computer, via a transportprotocol transmission.

'926 patent,claim 22

A system for managing Downloadables, comprising:a receiver for receiving an incoming Downloadable;a Downloadable identifier for performing a hashing function on the incomingDownloadable to compute an incoming Downloadable ID;a database manager for retrieving security profile data for the incomingDownloadable from a database of Downloadable security profiles indexedaccording to Downloadable IDs, based on the incoming Downloadable ID, thesecurity profile data including a list of suspicious computer operations that maybe attempted by the Downloadable; anda transmitter coupled with said receiver, for transmitting the incomingDownloadable and a representation of the retrieved Downloadable security profiledata to a destination computer, via a transport protocol transmission.

I heard argument from the parties on May 11, 2016. Dkt. No. 201; see also Dkt. No. 204 ("Hearing Tr.").

LEGAL STANDARD

I. PATENT LOCAL RULES

"Patent Local Rule 3 requires patent disclosures early in a case and streamlines discovery by replacing the series of interrogatories that parties would likely have propounded without it." ASUS Computer Int'l v. Round Rock Research, LLC, No. 12-cv-02099-JST, 2014 WL 1463609, at *1 (N.D. Cal. Apr. 11, 2014) (internal quotation marks and modifications omitted). The disclosure requirements of Rule 3 are designed "to require parties to crystallize their theories of the case early in the litigation and to adhere to those theories once they have been disclosed." Nova Measuring Instruments Ltd. v. Nanometrics, Inc., 417 F. Supp. 2d 1121, 1123 (N.D. Cal. 2006). "They are also designed to provide structure to discovery and to enable the parties to move efficiently toward claim construction and the eventual resolution of their dispute." Golden Bridge Tech. Inc v. Apple, Inc., No. 12-cv-04882-PSG, 2014 WL 1928977, at *3 (N.D. Cal. May 14, 2014) (internal quotation marks omitted); see also 02 Micro Int'l Ltd. v. Monolithic Power Sys., Inc., 467 F.3d 1355, 1365-66 (Fed. Cir. 2006) ("The local patent rules in the Northern District of California [require] both the plaintiff and the defendant in patent cases to provide early notice of their infringement and invalidity contentions, and to proceed with diligence in amending those contentions when new information comes to light in the course of discovery. The rules thus seek to balance the right to develop new information in discovery with the need for certainty as to the legal theories").

Patent Local Rule 3-1 requires a party claiming patent infringement to serve a "Disclosure of Asserted Claims and Infringement Contentions." Patent L.R. 3-1. The disclosure must include "[e]ach claim of each patent in suit that is allegedly infringed by each opposing party, including for each claim the applicable statutory subsections of 35 U.S.C. § 271 asserted." Patent L.R. 3-1(a). The party must also specify "where each limitation of each asserted claim is found within each Accused Instrumentality," and "[w]hether each limitation of each asserted claim is alleged to be literally present or present under the doctrine of equivalents." Patent L.R. 3-l(c), (e).

Patent Local Rule 3-3 requires a party accused of infringement to serve invalidity contentions identifying "each item of prior art that allegedly anticipates each asserted claim or renders it obvious." Patent L.R. 3-3(a). If obviousness is alleged, the party must include "an explanation of why the prior art renders the asserted claim obvious, including an identification of any combinations of prior art showing obviousness." Patent L.R. 3-3(b). The party must also identify "where specifically in each alleged item of prior art each limitation of each asserted claim is found." Patent L.R. 3-3(c).

"Given the purpose behind [these] disclosure requirements, a party may not use an expert report to introduce new infringement theories [or] new invalidity theories . . . not disclosed in the [party's] infringement contentions or invalidity contentions." Verinata Health, Inc. v. Sequenom, Inc., No. 12-cv-00865-SI, 2014 WL 4100638, at *3 (N.D. Cal. Aug. 20, 2014) (internal quotation marks omitted). "The scope of contentions and expert reports are not, however, coextensive." Golden Bridge Tech. Inc v. Apple, Inc., No. 12-cv-04882-PSG, 2014 WL 1928977, at *3 (N.D. Cal. May 14, 2014) (internal quotation marks omitted). "In patent litigation, expert reports are expected to provide more information than . . . contentions." Digital Reg of Texas, LLC v. Adobe Sys. Inc., No. 12-cv-01971-KAW, 2014 WL 1653131, at *5 (N.D. Cal. Apr. 24, 2014). Thus, "[t]he threshold question in deciding whether to strike an expert report is whether the expert has permissibly specified the application of a disclosed theory or impermissibly substituted a new theory altogether." Id.

II. SUMMARY JUDGMENT

A party is entitled to summary judgment where it "shows that there is no genuine dispute as to any material fact and [it] is entitled to judgment as a matter of law." Fed. R. Civ. P. 56(a). A dispute is genuine if it could reasonably be resolved in favor of the nonmoving party. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). A fact is material where it could affect the outcome of the case. Id.

The moving party has the initial burden of informing the court of the basis for its motion and identifying those portions of the record that demonstrate the absence of a genuine dispute of material fact. See Celotex Corp. v. Catrett, 477 U.S. 317, 323-24 (1986). Once the movant has made this showing, the burden shifts to the nonmoving party to identify specific evidence showing that a factual issue remains for trial. Id. The nonmoving party may not rest on mere allegations or denials from its pleadings, but must "cit[e] to particular parts of materials in the record" demonstrating the presence of a factual dispute. Fed. R. Civ. P. 56(c)(1)(A). The nonmoving party need not show that the issue will be conclusively resolved in its favor. See Anderson, 477 U.S. at 248-49. All that is required is the identification of sufficient evidence to create a genuine dispute of material fact, thereby "requir[ing] a jury or judge to resolve the parties' differing versions of the truth at trial." Id. (internal quotation marks omitted). If the nonmoving party cannot produce such evidence, the movant "is entitled to . . . judgment as a matter of law because the nonmoving party has failed to make a sufficient showing on an essential element of her case." Celotex, 477 U.S. at 323.

On summary judgment, the court draws all reasonable factual inferences in favor of the nonmoving party. Anderson, 477 U.S. at 255. "Credibility determinations, the weighing of the evidence, and the drawing of legitimate inferences from the facts are jury functions, not those of a judge." Id. However, conclusory and speculative testimony does not raise a genuine dispute of material fact and is insufficient to defeat summary judgment. See Thornhill Publ'g Co., Inc. v. GTE Corp., 594 F.2d 730, 738-39 (9th Cir. 1979).

DISCUSSION

I. FINJAN'S MOTION TO STRIKE

Finjan filed its motion to strike on March 15, 2016. Dkt. No. 135 ("Mot."). The motion seeks to strike various portions of the report of Sophos's expert, Dr. Frederick Cohen, on the ground that the portions contain prior art references or invalidity theories that Sophos did not disclose in its infringement contentions or Final Election of Asserted Prior Art. The specific prior art references the motion seeks to strike from Dr. Cohen's report are: (1) certain versions of SWEEP-InterCheck; (2) certain user guides and manuals concerning SWEEP; (3) two software programs (the "Demo2 programs") created by Dr. Cohen for the purpose of demonstrating the operation of SWEEP-InterCheck; (4) certain "computer hardware and operating system products" associated with SWEEP-InterCheck; (5) various references regarding the skill and knowledge of a PHOSITA; and (6) the "Internet Component Download" ("ICD") reference.

For ease of reference, I cite each motion addressed in this Order as "Mot." when citing the motion in the section of the Order addressing it. For example, cites to "Mot." in this section of the Order are to Finjan's Motion to Strike, while cites to "Mot." in the section, "Sophos's Motion for Partial Summary Judgment," are to Sophos's Motion for Partial Summary Judgment. I take the same approach with the parties' opposition and reply briefs, citing them simply as "Oppo." and "Reply" in the relevant section of the Order.

In its briefing, Sophos agrees to withdraw the ICD reference, all lack-of-written-description and indefiniteness theories, and the invalidity theories for the '494 patent based on U.S. Patent No. 5,983,348. See Oppo. at 1 n.1 (Dkt. No. 138); Dkt. No. 168-1 at 11 n.4. I address the rest of the challenged portions of Dr. Cohen's report below.

A. Allegedly Undisclosed References

1. Versions of SWEEP-InterCheck

As in the Delaware Action, Sophos asserts the "combined product" of SWEEP-InterCheck as an invalidating reference. Its invalidity contentions identify "Sophos SWEEP-InterCheck Product & Software, 1994-2005" as a prior art reference for six of the eight asserted patents. See Corrected Invalidity Contentions at 9 ('844 patent), 14 ('780 patent), 18 ('918 patent), 24 ('926 patent), 33 ('154 patent), 42 ('494 patent) (Kastens Decl. Ex. 3, 135-3). The parties do not dispute that approximately one hundred different combinations of SWEEP-InterCheck were released between 1994 and 2005. Sophos's invalidity contentions, however, do not identify the particular combination of SWEEP-InterCheck that Sophos means to assert as prior art. See id. On September 19, 2014, Sophos served its Preliminary Election of Asserted Prior Art and again identified "SWEEP-InterCheck Product & Software, 1994-2005," again without specifying any particular combination of SWEEP-InterCheck as the asserted prior art reference. See Kastens Decl. Ex. 5 (Dkt. No. 135-3).

Finjan repeatedly requested more detail, see, e.g., Kastens Decl. Exs. 6, 7, 8 (Dkt. No. 135-3), and, following a meet and confer on May 19, 2015, Sophos sent Finjan a letter dated June 2, 2015 stating:

As agreed by the parties during the May 19, 2015 meet and confer between lead counsel, the attached chart contains the representative versions of the SWEEP-InterCheck product suite on which Sophos and its experts may rely for Sophos's invalidity challenges to Finjan's asserted patents. Sophos reserves the right to amend the attached identification of representative SWEEP-InterCheck versions if Finjan is permitted to (or ordered to) amend or supplement its infringement contentions, or in response to any new information about Finjan's infringement claims set forth in its expert reports.
Kastens Decl. Ex. 9 (Dkt. No. 135-3). The attached chart lists four different SWEEP-InterCheck combinations: (1) SWEEP-2.72 & InterCheck-2.01; (2) SWEEP-2.77 & InterCheck-2.10; (3) SWEEP-2.87 & InterCheck-2.11; and (4) SWEEP-2.95 & InterCheck-2.30. Id. The attached chart does not identify SWEEP-2.72 & InterCheck-2.11, the combination asserted in the Delaware Action. See id. On February 19, 2016, Sophos served its Final Election of Asserted Prior Art, once again identifying "SWEEP-InterCheck Product & Software, 1994-2005" without specifying any particular combination as the invalidating reference. Dkt. No. 135-20 at 2-5.

Finjan moves to strike the SWEEP-InterCheck combinations discussed in Dr. Cohen's report that were not disclosed in the June 2, 2015 letter. Mot. at 6-8. Finjan identifies two such combinations: (1) SWEEP-2.72 & InterCheck-2.11, the combination asserted in the Delaware Action; and (2) SWEEP-2.77 & InterCheck-2.01. Id. at 6.

Sophos responds that by identifying "SWEEP-InterCheck Product & Software, 1994-2005" in its invalidity contentions and Final Election of Asserted Prior Art, it adequately disclosed "all versions of SWEEP-InterCheck." Oppo. at 6. Sophos also points out that its invalidity contentions include a citation to approximately 200 pages of trial testimony from the Delaware Action, including trial testimony regarding a demonstration of the functionality of SWEEP-2.72 & InterCheck-2.11. Id.; see also Kastens Decl. Ex. 23 at 14 (Dkt. No. 134-21) (example of invalidity contentions citing to trial testimony from the Delaware Action); Cunningham Decl. Ex. 1 (Dkt. No. 138-2) ("Delaware Trial Transcript"). The citation is boilerplate - that is, the invalidity contentions include the same citation to the same approximately 200 pages of trial testimony again and again for most if not all of the claim limitations that Sophos contends is found in SWEEP-InterCheck.

Sophos also contends that the June 2, 2015 letter did not limit the versions of SWEEP-InterCheck it could rely on, because the letter merely "provided representative versions of SWEEP-InterCheck." Oppo. at 6. Sophos states that at the May 19, 2015 meet and confer, Finjan "agreed that different versions of SWEEP-InterCheck do not count as separate products if the different versions function the same in all relevant respects, and requested that Sophos identify representative versions of SWEEP-InterCheck." Cunningham Decl. ¶ 9 (Dkt. No. 138-1). Sophos then provided the June 2, 2015 letter "[i]n an effort to . . . resolve [the] issue." Id. At oral argument, counsel for Sophos further explained that the purpose of the June 2, 2015 letter was to inform Finjan of those versions of SWEEP-InterCheck other than SWEEP-2.72 & InterCheck- 2.11 that Sophos would rely on. See Hearing Tr. at 13-14.

Sophos's arguments on this issue are focused largely on preserving its right to rely on SWEEP-2.72 & InterCheck-2.11, not SWEEP-2.77 & InterCheck-2.01.

Sophos further argues that Finjan cannot show prejudice from the purported failure to disclose the challenged SWEEP-InterCheck combinations, because the "different versions of SWEEP-InterCheck code all function the same with respect to [the asserted patents]." Oppo. at 7. In the portions of Dr. Cohen's report that Sophos cites for this proposition, Dr. Cohen opines that there are "no material differences" between the operation of: (1) InterCheck-2.01 and InterCheck-2.10; (2) InterCheck 2.01 and InterCheck 2.11; (3) SWEEP-2.72 and SWEEP-2.77; and (4) SWEEP-2.77 and SWEEP-2.87. See Cohen Rpt. at 78, 85, 94, 97. Dr. Cohen does not state that there are no material differences between any SWEEP-InterCheck combinations, only that there are no material differences between the stated versions of SWEEP, or between the stated versions of InterCheck. See id.

I agree with Finjan that the challenged combinations of SWEEP-Intercheck were not adequately disclosed in Sophos's invalidity contentions or Final Election of Asserted Prior Art and cannot be asserted as invalidating references now. The disclosure of "Sophos SWEEP-InterCheck Product & Software, 1994-2005" was plainly insufficient given the myriad combinations of SWEEP-InterCheck released during that eleven-year time period and Finjan's repeated requests for more specificity on this issue. The boilerplate citation in the invalidity contentions to the trial testimony from the Delaware Action also falls short. The bulk of the cited testimony is not directed at the challenged combinations of SWEEP-InterCheck at all, but rather at SWEEP-InterCheck generally, or at other subjects even further afield from the challenged versions (for example, the background and qualifications of the testifying witnesses, or the integration of SWEEP and MIMEsweeper). See, e.g., Trial Tr. at 2336-38, 2403-12, 2434. The portion of the cited testimony that is focused on how SWEEP-InterCheck invalidates the patents-in-suit begins with Sophos's expert, Dr. David Klausner, displaying a slide listing "various versions of SWEEP" and "various versions of InterCheck." Id. at 2415. Dr. Klausner does not identify either of the challenged combinations of SWEEP-InterCheck by name, and it is not clear from the transcript whether they were listed on the slide. See id. Dr. Klausner then presents a demonstration of SWEEP-InterCheck based on the source code for SWEEP-2.72 & InterCheck-2.11. See, e.g., Delaware Action, 2013 WL 5302560, at *17, *17 n.13. But the demonstration is just one part of an extended excerpt of trial testimony that includes information on a variety of subjects, including SWEEP-InterCheck generally and several versions of SWEEP and InterCheck other than SWEEP-2.72 and InterCheck-2.11, including SWEEP-2.66, SWEEP-2.77, InterCheck-2.01, and InterCheck-2.10. Moreover, given Sophos's position that the analogous demonstration of SWEEP-InterCheck in this case is merely a demonstration and not an asserted prior art reference, see, e.g., Oppo. at 7, it is not clear why Finjan should have inferred from a citation to the demonstration in the Delaware Action that Sophos intended to rely on that particular combination of SWEEP-InterCheck as invalidating prior art.

This is not a case where the moving party responded to vague invalidity or infringement contentions by sitting on its hands and then moving to strike at the last minute. See, e.g., Largan Precision Co, Ltd. v. Genius Elec. Optical Co., No. 13-cv-02502-JD, 2014 WL 6882275, at *7 (N.D. Cal. Dec. 5, 2014) ("[Plaintiff] argues that this citation was too broad to give it notice of [defendant's] invalidity theory. But if [plaintiff] found the citation to be too broad, it should have asked [defendant] for more specificity before the close of discovery and - if necessary - sought intervention from the Court, instead of moving to strike [defendant's] expert report after the fact."). Far from it. Finjan repeatedly sought clarification from Sophos on which SWEEP-InterCheck combinations Sophos was asserting as prior art, until Sophos finally identified the four combinations listed in the June 2, 2015 letter.

Given that Sophos did not adequately disclose the challenged combinations of SWEEP-InterCheck in its invalidity contentions or Final Election of Asserted Prior Art - and does not identify any other time before June 2, 2015 when it informed Finjan that it intended to assert the challenged combinations as invalidating references - its attempt to characterize the June 2, 2015 letter as merely informing Finjan of those SWEEP-InterCheck combinations other than SWEEP-2.72 & InterCheck-2.11 that Sophos would rely on is not convincing. Finjan was not required to intuit that Sophos would assert the same combination of SWEEP-InterCheck in this case as it did in the Delaware Action; Sophos was required to make this clear to Finjan in its infringement contentions, or at least through the various communications between the parties on this issue. There is no basis in the record for concluding that Sophos did so. To the contrary, the record indicates that Sophos repeatedly resisted specifying which combinations of SWEEP-InterCheck it was asserting as prior art, and when it finally provided Finjan with more information on the issue, it specifically omitted both SWEEP-2.72 & InterCheck-2.11 and SWEEP-2.77 & InterCheck-2.01, thereby indicating to Finjan that it did not intend to rely on either of those combinations.

Moreover, Sophos did not plead collateral estoppel as an affirmative defense, despite the clear potential for collateral estoppel based on the Delaware Action were Sophos to rely on the same prior art to prove invalidity. At the hearing, Finjan persuasively argued that this furthered the impression that Sophos did not intend to assert SwEeP-2.72 & InterCheck-2.11 as an invalidating reference in this case. See Hearing Tr. at 46.

I am also unconvinced by Sophos's attempt to minimize the prejudice to Finjan resulting from its failure to adequately disclose the challenged combinations. Several courts in this district have granted motions to strike under the Patent Local Rules even in the absence of any showing of prejudice caused by the nondisclosure. See Largan Precision, 2014 WL 6882275, at *5 ("[Defendant] also argues that it is improper to strike [its expert's] report absent a showing of prejudice to [plaintiff] due to its failure to include this theory in its invalidity contentions. Not so."); ASUS Computer, 2014 WL 1463609, at *8; Adobe Sys. Inc. v. Wowza Media Sys., No. 11-cv-02243-JST, 2014 WL 709865, at *15 n.7 (N.D. Cal. Feb. 23, 2014). Others have held that where the party opposing the motion to strike fails to show diligence in seeking to amend its invalidity or infringement contentions to include the missing theory, then the moving party is not required to show prejudice to prevail. See Takeda Pharm. Co. v. TWi Pharm., Inc., No. 13-cv-02420-LHK, 2015 WL 1227817, at *6-8 (N.D. Cal. Mar. 17, 2015); Verinata Health, 2014 WL 4100638, at *5. Sophos has not shown that it was diligent in disclosing the challenged combinations. Just the opposite: the record indicates that Sophos repeatedly resisted specifying which SWEEP-InterCheck combinations it was asserting as prior art, and then specifically omitted the combinations Finjan now seeks to strike.

In any event, I agree with Finjan that it would be prejudiced if Sophos were permitted to rely on either SWEEP-2.72 & InterCheck-2.11 or SWEEP-2.77 & InterCheck-2.01, and in particular SWEEP-2.72 & InterCheck-2.11. At the hearing, Finjan persuasively argued that had it known that Sophos would be relying on SWEEP-2.72 & InterCheck-2.11, thereby threatening collateral estoppel based on the Delaware Action, Finjan would have asserted different claims, requested the construction of different claim language, and potentially sought discovery and moved for summary judgment on different issues. See Hearing Tr. at 47-48. In short, had Sophos adequately disclosed the challenged combinations, this case would look considerably different than it does today. Moreover, and contrary to Sophos's repeated assertions, it is not undisputed that the various SWEEP-InterCheck combinations at issue in this case are materially identical. The only evidence identified by Sophos on this point - Dr. Cohen's report - says nothing about whether the different combinations of SWEEP-InterCheck are materially identical. Meanwhile, Finjan has presented evidence indicating that at least some of the SWEEP-InterCheck combinations are considerably different, in that certain of them - including SWEEP-2.72 & InterCheck-2.11 - are in fact "incompatible . . . and would result in faulty operation." Jaeger Rpt. ¶ 185 (Kastens Decl. Ex. 38, Dkt. No. 143-40).

In sum, Sophos may not assert either SWEEP-2.72 & InterCheck-2.11 or SWEEP-2.77 & InterCheck-2.01 as prior art in this case. Finjan's motion to strike Dr. Cohen's reliance on these combinations as anticipation or obviousness references is GRANTED. Going forward, because Sophos has already maxed out its allotted overall number of asserted prior art references, it must select one combination of SWEEP-InterCheck as the allegedly invalidating combination in this case. It may select any of the four combinations it identified in the June 2, 2015 letter; it may not select either SWEEP-2.72 & InterCheck-2.11 or SWEEP-2.77 & InterCheck-2.01. Within 14 days of the date of this Order, Sophos shall file an Amended Final Election of Asserted Prior Art notifying Finjan and the Court of the combination Sophos has selected. At trial, it is possible that Sophos will be permitted to present demonstratives and evidence of other combinations "to demonstrate and support how [the selected combination] functioned," as Sophos did in the Delaware Action. See 2013 WL 5302560, at *17. But that issue is better resolved through motions in limine or other similar rulings, and I do not address it at this time.

2. Guides and User Manuals Regarding SWEEP

Dr. Cohen relies on two "Data Security Reference Guides" and three user manuals for SWEEP to support his opinions regarding SWEEP-InterCheck. See Mot. at 7-8 (citing Cohen Rpt. at 67). Finjan asserts that Sophos only disclosed one of these five documents in its invalidity contentions and that the other four should be struck. Id.

This argument fails. As the district court held in the Delaware Action, Sophos may rely on documents associated with SWEEP-InterCheck "to demonstrate and support how SWEEP-InterCheck functioned." 2013 WL 5302560, at *17. So long as the documents are not presented to the jury "as distinct references," id., they are not separate prior art references that must have been disclosed pursuant to either the Patent Local Rules or my Case Management Order. Finjan's motion to strike these documents from Dr. Cohen's report is DENIED.

This does not mean that the challenged portions of Dr. Cohen's report are necessarily admissible, only that neither the Patent Local Rules nor my Case Management Order supports striking them. Given that it is not clear which combination of SWEEP-InterCheck Sophos will select as the asserted prior art reference, there are significant questions regarding the admissibility of most, if not all, evidence regarding SWEEP-InterCheck. As stated above, these questions are better addressed through motions in limine or other similar rulings, and I do not address them here.

3. Demo2 Programs

Dr. Cohen created the Demo2 programs for the purpose of demonstrating the functionality of SWEEP-InterCheck. The programs are based on the source code for SWEEP-2.72 & InterCheck-2.11. As noted above, Sophos presented a similar demonstration of the functionality of SWEEP-InterCheck in the Delaware Action. See, e.g., Delaware Action, 2013 WL 5302560, at *17, *17 n.3. According to Finjan, Dr. Cohen uses the Demo2 programs not as demonstratives of the functionality of SWEEP-InterCheck, but as distinct prior art references, meaning that the programs should have been disclosed in Sophos's invalidity contentions and Final Election of Asserted Prior Art. See Mot. at 8-9; Reply at 6 (Dkt. No. 150-4).

Dr. Cohen obviously cannot rely on the Demo2 programs as distinct prior art references. Even apart from the alleged failure to disclose and the fact that the programs are based on SWEEP-2.72 & InterCheck-2.11, this would be improper because, as Finjan points out, the programs were created "well after the priority date of any of the asserted patents." Mot. at 9 n.6. But neither the Patent Local Rules nor the Case Management Order required Sophos to disclose all demonstratives and evidence it will offer at trial to prove invalidity. To the extent that Sophos relies on the Demo2 programs merely as demonstrations of the functionality of SWEEP- InterCheck, and not as distinct prior art references, the Patent Local Rules and Case Management Order do not support striking the programs from Dr. Cohen's report. The motion to strike them is DENIED.

4. Computer Hardware and Operating System Products

Finjan asserts that Dr. Cohen's SWEEP-InterCheck anticipation theory with respect to the '154 and '926 patents is flawed because Dr. Cohen combines various "computer hardware and operating system products" with SWEEP-InterCheck to satisfy certain claim limitations. See Mot. at 9-10. Finjan contends that these products should been disclosed in Sophos's invalidity contentions and Final Election of Asserted Prior Art. Id. Sophos responds that the products need not have been disclosed because here, as in the Delaware Action, the products are being used merely as examples of necessary aspects of SWEEP-InterCheck, not as distinct prior art references. See Oppo. at 10-11; see also Delaware Action, 2013 WL 5302560, at *18 ("[A]s SWEEP-InterCheck receives incoming downloadables, a functionality the jury observed, it is clear that a network interface would be necessary to receive [the] downloadable[s]."). I agree with Sophos that, in light of how the products will be used at trial, they need not have been disclosed pursuant to the Patent Local Rules or my Case Management Order. The motion to strike these portions of Dr. Cohen's report is DENIED.

5. References Regarding the Skill and Knowledge of a PHOSITA

Dr. Cohen's report includes a significant amount of information about the skill and knowledge of a PHOSITA, especially with respect to the '154, '580, '780, and '844 patents. See Cohen Rpt. at 16-50 (general background), 110-14 ('844 patent), 144-49 ('780 patent), 253-56 ('154 patent), 273-76 ('580 patent). In some instances, the information is a particular product or patent, or some other specific item or document. In other instances, the information is a general concept that Dr. Cohen asserts a PHOSITA would have been familiar with at the relevant time. Finjan accuses Dr. Cohen of using this information as a means of bringing in previously undisclosed prior art references to support its obviousness theories. See Mot. at 11. Finjan highlights that much of the information is organized in the form of limitation-by-limitation analyses for the '154, '580, '780, and '844 patents. Sophos responds that Dr. Cohen uses the limitation-by-limitation organization merely "to aid in his analysis," not as a means of introducing "new obviousness combinations," and that he will rely on the information only for "background and foundational purposes." Oppo. at 21.

Courts in this district have generally, though not uniformly, declined to strike previously undisclosed references where they are being used only as "background" material, and not as anticipation or obviousness references. See Verinata Health, 2014 WL 4100638, at *5 (striking reference "from the expert report to the extent that [the expert] relies on it as prior art that allegedly renders the asserted claims . . . obvious," but allowing the expert to rely on the reference "as foundational or background material"); Digital Reg of Texas, LLC v. Adobe Sys., Inc., No. 12-cv-01971-CW, 2014 WL 4090550, at *9 (N.D. Cal. Aug. 19, 2014) (admitting certain references "to the extent that [they] are supporting documents to explain further how the chosen prior art references disclose required limitations;" excluding certain references "which disclose other required limitations not covered by the chosen prior art references"); ASUS Computer, 2014 WL 1463609, at *8 (prohibiting use of reference "as an anticipation or obviousness reference," but allowing expert to use the reference "for other purposes, e.g., to show the knowledge of a PHOSITA"); Genentech, Inc. v. Trustees of Univ. of Pennsylvania, No. 10-cv-02037-PSG, 2012 WL 424985, at *3 (N.D. Cal. Feb. 9, 2012) ("The fact that a reference to a particular clinical trial was not disclosed in the invalidity contentions does not render it unusable for laying an historical foundation to research that was disclosed."); but see Life Technologies Corp. v. Biosearch Technologies, Inc., No. 12-cv-00852-WHA, 2012 WL 4097740, at *1-2 (N.D. Cal. Sept. 17, 2012) (rejecting argument that references were admissible as background material; stating that "courts have rejected such attempts to elude patent local rules by defining material as 'background' or 'context'").

I recognize that the line between when a reference is used as background material, and when it is used as an anticipation or obviousness reference, can be difficult to draw. Nevertheless, I will continue to follow the approach of allowing previously undisclosed references to be used as background material, so long as they are not asserted as invalidating prior art references. Accordingly, the motion to strike the undisclosed references regarding the skill and knowledge of a PHOSITA is GRANTED to the extent that the references are being used as invalidating prior art references. To the extent that the references are being used merely as background material, the motion is DENIED. Sophos is advised that this ruling prohibits it from using previously undisclosed references to show that the prior art disclosed "other . . . limitations not covered by [the] prior art references" disclosed in its invalidity contentions and listed in its Final Election of Asserted Prior Art. Digital Reg, 2014 WL 4090550, at *9.

B. Allegedly Undisclosed Invalidity Theories

1. VIRIDENT.DAT and VIRPATS.SB

Finjan moves to strike Dr. Cohen's use of two source code files, "VIRIDENT.DAT" and "VIRPATS.SB," to support his opinion that SWEEP-InterCheck invalidates claim 1 of the '494 patent, claims 1 and 16 of the '844 patent, and claims 18 and 22 of the '926 patent. Mot. at 17. Sophos contends that the files were properly disclosed because the trial testimony from the Delaware Action it cites in its infringement contentions includes testimony about how SWEEP-InterCheck "uses VDL.C [and VDL] to find suspicious operations." Oppo. at 14 (citing Delaware Trial Tr. at 2437-39, 2432-36, 2342-54, 2386-92). Sophos states that, according to Dr. Cohen's analysis, "VDL.C uses VDL to detect suspicious operations, and VIRIDENT.DAT contains examples of [the] VDL used by [VDL.C]." Id. Thus, Sophos argues, Dr. Cohen relies on VIRIDENT.DAT "merely [to] explai[n] where in the source code the VDL can be found." Id. at 15. Sophos does not explicitly argue the same about VIRPATS.SB, but Dr. Cohen also describes VIRPATS.SB as "contain[ing]" VDL. See Cohen Rpt. at 121.

This motion is DENIED. In light of Dr. Cohen's description of the relationship between VDL.C, VIRIDENT.DAT, and VIRPATS.SB, the discussion of VDL.C in the cited testimony from the Delaware Action is sufficient to allow Dr. Cohen to rely on VIRIDENT.DAT and VIRPATS.SB to support his invalidity opinions (insofar as the Patent Local Rules and my Case Management Order are concerned). In contrast with the issue of which SWEEP-InterCheck combinations Sophos intended to assert as prior art, there is no indication that Finjan sought more specificity from Sophos on which particular aspects of SWEEP-InterCheck discussed in the cited testimony Sophos intended to rely on for its invalidity theories. If Finjan was unclear as to how the cited testimony supported Sophos's invalidity opinions, "it was [Finjan's] responsibility to work with [Sophos], informally or through motion practice, to clarify the issue." Fenner Investments, Ltd. v. Hewlett-Packard Co., No. 08-cv-00273, 2010 WL 786606, at *3 (E.D. Tex. Feb. 26, 2010); accord Largan Precision, 2014 WL 6882275, at *7.

2. Ji '348 for the '844 patent

Dr. Cohen relies on portions of U.S. Patent No. 5,983,348 to Ji ("Ji '348") (Kastens Decl. Ex. 39, Dkt. No. 135-22) for his invalidity theories for claims 7 and 16 of the '844 patent. Cohen Rpt. at 129. While Sophos disclosed Ji '348 in its invalidity contentions and Final Election of Asserted Prior Art, Finjan contends that Dr. Cohen is now relying on different portions of the reference, to support different theories, than Sophos disclosed in its invalidity contentions. Mot. at 18.

Specifically, with respect to claim 7, Sophos's invalidity contentions assert that Ji '348 discloses the element, "wherein the Downloadable includes a JavaScript script," because Ji '348's specification describes the use of "application programs, e.g., Java applets." Dkt. No. 135-5 at 5. Dr. Cohen, on the other hand, opines that Ji '348 discloses the element because claim 5 of Ji '348 "explicitly identifies Java applets, thus differentiating them from other applets." Cohen Rpt. at 129. According to Dr. Cohen, this means that the general description of application programs (i.e., applets) elsewhere in Ji '348 must extend to applets including a JavaScript script, as required by claim 7. See id.

Finjan points out in its briefing that, despite their similar names, "Java and JavaScript are completely different programming languages." Mot. at 18.

With respect to claim 16, Sophos's invalidity contentions assert that Ji '348 discloses the element, "wherein the first rule set includes a list of suspicious operations," at 5:16-27 and 7:08-28 of the reference. Dkt. No. 135-5 at 9-10. Dr. Cohen, on the other hand, cites to the "Java.IO.File.list" disclosed at 5:28-29. Cohen Rpt. at 132.

Neither of these slight discrepancies warrant striking the challenged portions of Dr. Cohen's report. With respect to claim 7, both Sophos's invalidity contentions and Dr. Cohen's report reflect the theory that Ji '348 discloses the "wherein the Downloadable includes a JavaScript script" element because of Ji '348's disclosure of applets. The portion of Ji '348 cited in the invalidity contentions uses "Java applets" as an example, not as the exclusive type of application program. With respect to claim 16, the additional two lines from Ji '348 cited by Dr. Cohen (5:28-29) immediately follow the lines cited in the invalidity contentions (5:16-27) and appear to describe "[a]n example" of the functionality disclosed in the preceding paragraph. See Ji '348 at 5:27-29 ("An example of such a suspicious Java function is 'Java.IO.File.list," which may list the contents . . ."). I am satisfied that the targeted portions of Dr. Cohen's report reflect permissible specifications of previously disclosed theories, not articulations of new ones. Accordingly, Finjan's motion to strike the portions is DENIED.

3. Ji '600 for the '844 patent

Dr. Cohen relies on U.S. Patent No. 5,623,600 to Ji ("Ji '600") (Kastens Decl. Ex. 40, Dkt. No. 135-22) for his invalidity opinions for claims 1, 15, and 43 of the '844 patent. Cohen Rpt. at 133-35, 137, 139. As with Ji '348, Sophos disclosed Ji '600 in its invalidity contentions and Final Election of Asserted Prior Art but did not identify the particular portion of the reference cited in Dr. Cohen's report. Specifically, Sophos's invalidity contentions assert that Ji '600 discloses the element in claims 1, 15, and 43 of "linking . . . the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients," at the following portions of Ji '600: abstract, 2:06-65, 3:04-07, 7:50-65, and 8:04-19, or some subset of these portions. Dkt. No. 135-6 at 4, 8-10, 18-19. Dr. Cohen cites none of these portions of Ji '600 and instead relies on a previously unidentified portion of the reference, 10:25-11:60. See Cohen Rpt. at 133-35 (claim 1), 137 (claim 15), 139 (claim 43).

Sophos attempts to argue that 10:25-11:60 of Ji '600 reflects a process that is "essentially the same" as the process it previously relied on, but in doing so it tacitly concedes that the process is not actually the same, and that Dr. Cohen's reliance on 10:25-11:60 of Ji '600 constitutes a new invalidity theory, not a more specific articulation of an old one. See Oppo. at 19. Finjan's motion to strike Dr. Cohen's reliance on this portion of Ji '600 is GRANTED.

4. SWEEP-InterCheck for the '780 Patent

Finjan asserts that Dr. Cohen relies on previously unidentified aspects of SWEEP- InterCheck for his invalidity opinion for claim 9 of the '780 patent and moves to strike these portions of Dr. Cohen's report. Mot. at 19-20. This motion is DENIED. With respect to the element, "a communications engine for obtaining a Downloadable that includes one or more references to software components required to be executed by the Downloadable," Dr. Cohen relies on the InterCheck source code file "INTER.ASM." Cohen Rpt. at 150-51. Finjan asserts that this theory was not disclosed in Sophos's invalidity contentions. As Sophos points out, however, the cited testimony from the Delaware Action includes testimony regarding INTER.ASM. See Dkt. No. 134-13 at 29, 117-18; Delaware Trial Tr. at 2386, 2455. Likewise, Dr. Cohen's reliance on a "web browser perform[ing] tasks through the Windows networking mechanisms" as the "communications engine" required by claim 9 does not violate the Patent Local Rules, because the cited testimony from the Delaware Action also covers this aspect of SWEEP-InterCheck. See Delaware Trial Tr. at 2420-26. The citation to the trial testimony could have been more clear, but as discussed above with respect to VIRIDENT.DAT and VIRPATS.SB, this is not an issue Finjan sought to clarify before moving to strike.

5. Kirtland for the '780 Patent

Dr. Cohen relies on a July 1996 article by Mary Kirtland, "Safe Web Surfing with the Internet Component Download Service" ("Kirtland") (Kastens Decl. Ex. 41, Dkt. No. 135-22), to support his invalidity opinions for claims 9 and 18 of the '780 patent. Cohen Rpt. at 65, 155-57. Dr. Cohen points to the disclosure of "SIGNCODE" in Kirtland as satisfying the "ID generator" limitation the claims. Id. at 156. Finjan contends that this theory was not disclosed in Sophos's invalidity contentions and should be struck. Mot. at 20-21. I agree. While Sophos's invalidity contentions include a general citation to pages 2-6 of Kirtland (a page range that encompasses nearly every page of the reference), Sophos does not dispute that the text from those pages actually excerpted in its invalidity contentions says nothing about SIGNCODE. See Oppo. at 19-20. That text discusses the "Windows Trust Verification Service" disclosed in Kirtland, not SIGNCODE. See Dkt. No. 135-8 at 8-9. Finjan's motion to strike Dr. Cohen's reliance on SIGNCODE in Kirtland is GRANTED.

6. SWEEP-InterCheck for the '494 Patent

a. CONTROL.ASM

Finjan faults Dr. Cohen for relying on the "CONTROL.ASM" file of SWEEP-InterCheck to show that SWEEP-InterCheck satisfies certain limitations of claims 1 and 10 of the '494 patent. See Mot. at 21 (citing Cohen Rpt. at 198-99, 202-03). As with the INTER.ASM file discussed above, the trial testimony from the Delaware Action cited in Sophos's invalidity contentions for the relevant limitations of claims 1 and 10 includes testimony regarding CONTROL.ASM. See Dkt. No. 134-21 at 36; Dkt. No. 134-22 at 96; Delaware Trial Tr. at 2456-60. This motion is DENIED.

b. "Authorized Checksum List" and "Hash Table"

Finjan moves to strike Dr. Cohen's reliance on an "authorized checksum list" as the "database" required by claims 1 and 10 of the '494 patent. See Mot. at 21-22. This motion is GRANTED. Sophos contends that it adequately disclosed the "authorized checksum list" theory in its invalidity contentions because it cited the "SWEEP.C" file and the "authorisation file" of SWEEP-InterCheck, and also included the Delaware trial testimony regarding CONTROL.ASM. See Oppo. at 16; see also Dkt. No. 134-21 at 36; Dkt. No. 134-22 at 96. But Sophos fails to offer a coherent explanation of how Dr. Cohen's "authorized checksum list" theory fits within the scope of these citations. On this record, I agree with Finjan that the "authorized checksum list" theory was not adequately disclosed.

On the other hand, Finjan's motion to strike Dr. Cohen's allegedly new "hash table" theory for claim 10 of the '494 patent is DENIED. Finjan does not dispute that the "hash table" functionality is contained in the VDL.C file, which Sophos cited in its invalidity contentions for the relevant claim limitation. See Oppo. at 17 (citing Cohen Rpt. at 86-87); see also Reply at 13.

7. SWEEP-InterCheck for the '926 Patent

Finjan asserts that Dr. Cohen's report also includes a previously unidentified "hash table" theory for claims 15 and 22 of the '926 patent. See Mot. at 23-24 (citing Cohen Rpt. at 172-73, 181). The parties do not identify any relevant distinctions between this "hash table" dispute and the one discussed immediately above, and the parties' arguments on the two "hash table" issues, as well as the relevant portions of Sophos's invalidity contentions and Dr. Cohen's report, appear to be materially identical. See id.; Oppo. at 17; Reply at 14. Accordingly, this motion is also DENIED.

8. Smith for the '580 Patent

Claim 1 of the 580 patent includes an element requiring "a certificate cache for storing and retrieving the attributes of the server computer's signed certificate." Sophos's invalidity contentions for this element cite to U.S. Patent Application Publication 2006/0143442 to Smith ("Smith") (Kastens Decl. Ex. 44, Dkt. No. 135-23) - specifically, figures 2-3 and paragraphs 6-7, 26-36, 40, 76, 80, and 100-110 of Smith. Dkt. No. 135-13 at 5-9. Dr. Cohen cites to none of these portions of the reference and instead relies on figure 8 and paragraph 139, which Dr. Cohen describes as disclosing the process of "setting a short time-to-live to ensure that it is easy to revoke existing certificates." Cohen Rpt. at 285. There is no dispute that Sophos did not identify this particular aspect of Smith in its invalidity contentions. Sophos asserts that the "time-to-live" theory is nevertheless acceptable, because it "simply narrows" the theory it did disclose in its invalidity contentions. Oppo. at 19. But Sophos fails to coherently explain how this is the case; the portion of Dr. Cohen's report Sophos cites for this assertion, Cohen Rpt. at 285, does not address the relationship between the previously identified aspects of Smith and the "time-to-live" theory, and Sophos's single-sentence explanation in its briefing is not sufficient to establish that the "time-to-live" theory is a permissible specification of what was previously disclosed. See Oppo. at 20. Finjan's motion to strike Dr. Cohen's reliance on the previously unidentified portions of Smith is GRANTED.

II. SOPHOS'S MOTION TO STRIKE

Sophos moves to strike portions of the reports of Finjan's experts, Drs. Eric Cole, Michael Mitzenmacher, and Nenad Medvidovic. Mot. at 1 (Dkt. No. 158). Sophos identifies two basic problems with the reports: (1) the voluminous source code tables attached as exhibits to the reports of Drs. Cole and Mitzenmacher; and (2) the allegedly new infringement theories asserted by Drs. Cole and Mitzenmacher and relied on by Dr. Medvidovic. See id.

A. Source Code Tables

Drs. Cole and Mitzenmacher's reports are accompanied by tables listing claim limitations in the left-hand column and source code citations in the right hand column. See Dkt. No. 155-24; Dkt. No. 156-8. The tables are attached as "Exhibit 3" to both reports. The table attached to Dr. Cole's report is 2,308 pages long; the one attached to Dr. Mitzenmacher's report is 1,489 pages long. See Dkt. No. 155-24 at 2,308; Dkt. No. 156-8 at 1,489. For every element of every asserted claim discussed in the reports, Drs. Cole and Mitzenmacher include the following boilerplate language (or its substantial equivalent): "Further support for this element can be found in the attached exhibits, which include support found in documents, deposition testimony, and source code." Cole Rpt. ¶¶ 861, 891 (Cunningham Decl. Ex. A, Dkt. No. 158-2); see also, e.g., Mitzenmacher Rpt. ¶¶ 219, 251 (Cunningham Decl. Ex. C, Dkt. No. 158-4).

Sophos argues that the tables should be struck for failure to comply with Federal Rule of Civil Procedure 26(a)(2)(B) and Federal Rule of Evidence 702. It contends that the tables provide "no meaningful analysis," and, moreover, include citations to whole directories of source code (containing up to hundreds of thousands of source code files each) without specifying which particular source code files within the directories are relevant to proving infringement. Mot. at 8. It states that the tables "contain nearly limitless combinations of source code that [Drs. Cole and Mitzenmacher] can pick and choose from to develop their infringement theories during trial." Reply at 1 (Dkt. No. 194).

Finjan offers a half-hearted (and unconvincing) defense of the level of analysis provided by the tables, but its principal counterargument is that the tables are not supposed to disclose "standalone infringement theories." Oppo. at 4 (Dkt. No. 186). Rather, Finjan explains, the tables are designed merely to provide "further evidentiary support for the infringement theories [described] in the body of [Drs. Cole and Mitzenmacher's] report[s]." Id. Finjan states that the tables were submitted as exhibits, "as opposed to within the body of the reports, simply to make [the] reports more readable." Id.

To the extent that Finjan concedes that the source code tables are not sufficient on their own to support "standalone infringement theories," the parties are largely in agreement on this issue. At trial, Drs. Cole and Mitzenmacher may not rely on the tables to articulate new infringement theories not disclosed in their reports. They may, however, rely on those portions of the tables that are specifically identified in their reports. Sophos's motion to strike those portions of the tables is DENIED. Its motion to strike all other portions of the tables is GRANTED.

By "specifically identified," I mean discussed or cited in a way that allows a reader to discern, with reasonably certainty and without unreasonable difficulty, the particular portion or portions of the table the expert is referring to. For example, the table citation in paragraph 363 of Dr. Mitzenmacher's report complies with this standard, while the table citation in paragraph 182 of the report does not. See Mitzenmacher Rpt. ¶¶ 182, 363.

B. Allegedly New Infringement Theories

Sophos also moves to strike a number of allegedly new infringement theories from the expert reports of Drs. Cole, Mitzenmacher, and Medvidovic. See Mot. at 12-18. This portion of Sophos's motion is DENIED. It is DENIED AS MOOT with respect to the '289 and '918 patents because, as discussed below, Sophos is entitled to summary judgment of noninfringement of those patents. It is DENIED with respect to the '494, '780, '844, and '926 patents because I agree with Finjan that, to the extent that the challenged portions of the expert reports reflect previously undisclosed information, they are merely more specific descriptions of the same infringement theories set out in Finjan's infringement contentions. This is permissible under the Patent Local Rules.

III. SOPHOS'S MOTION FOR PROTECTIVE ORDER

Sophos moves for a protective order pursuant to Federal Rules of Civil Procedure 26, 33, 34, and 36 finding that its responses to certain discovery requests - specifically, Finjan's First Set of Requests for Admissions ("RFAs"), Eighth Set of Interrogatories, and Fifth Set of Requests for Production - were timely served. Mot. at 1 (Dkt. No. 137). In the alternative, it asks for an order pursuant to Federal Rule of Civil Procedure 36(b) permitting amendment of its responses to the RFAs to conform to the responses it served on December 2, 2015. Id.

Finjan served the discovery requests at issue by email on October 14, 2015. Although the parties had agreed that documents served electronically should be served on all counsel of record for Sophos, Dkt. No. 35 at 10, Finjan sent the email to only six of the lawyers representing Sophos. Grasso Decl. ¶ 3 (Dkt. No. 137-1). Due to a typographical error, it also sent the email to an employee of a different law firm not involved in this case, instead of to the Sophos attorney then tasked with responding to Finjan's discovery emails. Id. Sophos states that because the attorneys and staff responsible for calendaring and responding to discovery requests were not included on the email, Sophos did not respond to the discovery requests until December 2, 2015, the day after Finjan brought them to Sophos's attention. Mot. at 5; Grasso Decl. ¶¶ 4-5.

Finjan does not dispute that it did not serve the discovery requests on all counsel of record for Sophos, that it inadvertently sent the email to an employee of a different law firm, or that Sophos diligently responded to the discovery requests once Finjan brought them to Sophos's attention. See Oppo. at 5 (Dkt. No. 161). Instead, Finjan dedicates the bulk its opposition brief to accusing Sophos of various instances of "unreasonable, bad faith discovery conduct" and "less than professional" behavior (such as characterizing Finjan as a "patent troll") over the course of this litigation. See, e.g., id. at 2-4, 6-7. Much of the alleged conduct has nothing to do with the discovery requests and responses at issue here. See id.

Even more so than the other issues addressed in this Order, this dispute exemplifies the parties' apparent penchant for filing extensive briefing over issues that should have been at a short meet and confer. Sophos's motion is GRANTED to the extent that it seeks amendment of Sophos's responses to the RFAs to conform to the responses it served on December 2, 2015. See Fed. R. Civ. P. 36(b) ("[T]he court may permit withdrawal or amendment [of an admission] if it would promote the presentation of the merits of the action and if the court is not persuaded that it would prejudice the requesting party in maintaining or defending the action on the merits."). The admissions Sophos seeks to amend "go directly to core issues in the litigation, including the ultimate question of liability," Douglas v. Banks, No. 09-cv-03191-LHK, 2011 WL 577419, at * 1 (N.D. Cal. Feb. 7, 2011); accord O'Neal v. City of Pac., No. 11-cv-00231, 2013 WL 247727, at *4 (W.D. Wash. Jan. 23, 2013); Quality Inv. Properties Santa Clara, LLC v. Serrano Elec., Inc., No. 09-cv-05376-PSG, 2011 WL 2846555, at *1 (N.D. Cal. July 18, 2011); Salisbury v. Ward, No. 06-cv-02993-BZ, 2007 WL 1982754, at *2 (N.D. Cal. July 2, 2007), and Finjan has not shown that it will be prejudiced by amendment, see Conlon v. United States, 474 F.3d 616, 622-24 (9th Cir. 2007) (discussing the Rule 36(b) prejudice inquiry). Sophos's explanation for its approximately two-week delay in responding to the RFAs adds further support for allowing amendment here. See id. at 625 (where both Rule 36(b) requirements are satisfied, "the district court may consider other factors [in deciding whether to allow withdrawal or amendment of an admission], including whether the moving party can show good cause for the delay and whether the moving party appears to have a strong case on the merits").

Sophos's motion is DENIED to the extent that it seeks a protective order pursuant to Federal Rules of Civil Procedure 26, 33, 34, and 36. To the extent that Finjan's opposition brief can be reasonably construed as a request for sanctions, see Oppo. at 8-11, the request is DENIED for failure to comply with Civil Local Rule 7-8. See Finjan, Inc. v. Proofpoint, Inc., No. 13-cv-05808-HSG, 2015 WL 7959890, at *4 n.1 (N.D. Cal. Dec. 4, 2015) (denying Finjan's request for sanctions "for failure to comply with Civil Local Rule 7-8").

IV. JOINT LETTER

The parties'joint letter concerns two issues. See Dkt. No. 146 ("Ltr."). The first is whether Peter Lammer may testify at trial. Sophos disclosed Lammer for the first time in its Third Amended Initial Disclosures, which it served on January 29, 2016, over two months after the November 16, 2015 fact discovery cutoff. Ltr. Ex. 1. The Third Amended Initial Disclosures state that Lammer "may have relevant knowledge regarding the history of Sophos and its products." Id. Sophos had previously disclosed two other witnesses, Tim Twaits and Dr. Jan Hruska, as having relevant knowledge regarding the same subject matter. Ltr. at 2.

At a meet and confer on February 9, 2016, Sophos informed Finjan that it had disclosed Lammer because Dr. Hruska had recently suffered a stroke, raising the possibility that it would need to substitute Lammer for Dr. Hruska at trial; Dr. Hruska lives in the United Kingdom and is currently under doctor's orders not to travel. Id. at 2, 4. Finjan states that it had "no problem" with the substitution given the health issue, and that it simply asked that Sophos inform it about one month before trial whether the substitution was still needed, so that it could then depose Lammer. Id. at 2. According to Finjan, Sophos rejected this proposal on the ground that it was reserving the right to call both Lammer and Dr. Hruska at trial. Id. Finjan contends that this demonstrates that Lammer "is not truly a substitute witness," and that Sophos "is attempting to use Dr. Hruska's condition as a basis for the untimely disclosure of Mr. Lammer." Id. Finjan asks that Lammer be precluded from testifying at trial. Id. at 3. Sophos responds that it is reserving the right to call both witnesses because of "the possibility that Dr. Hruska will be able to cover some but not all of the topics of his intended testimony," and that its untimely disclosure of Lammer was both substantially justified and harmless. Id. at 5.

Finjan's request to preclude Lammer from testifying at trial is DENIED. There is no dispute that Lammer's tardy disclosure was triggered by Dr. Hruska's stroke. In light of Dr. Hruska's medical condition, and in line Finjan's initial proposal, Sophos has until one month before trial to inform Finjan whether it will call Lammer as a witness. If it will, then Finjan must have an opportunity to depose Lammer. If, due to Dr. Hruska's medical condition, Sophos intends for Dr. Hruska to testify on certain topics and for Lammer to testify on others, then Sophos must also disclose to Finjan the specific topics each witness will cover. Lammer and Dr. Hruska will not be allowed to testify on the same topics at trial.

At the hearing, Sophos raised the possibility of Hruska testifying via live video feed. See Hearing Tr. at 35 (Dkt. No. 204). If the parties are unable to resolve this issue through the meet and confer process, they should raise it in their motions in limine.

The second issue in the joint letter is whether Sophos may rely on three documents it produced after the close of fact discovery. Two of the challenged documents are located at 1197SOPHOS_0179868-69; the third is located at 1197SOPHOS_01749964-65. Ltr. at 3. Sophos produced the documents on December 11, 2015 following a meet and confer on December 10, 2015 at which Finjan requested that Sophos supplement certain of its interrogatory responses. Ltr. at 3-4; see also Dkt. No. 137-20 (letter from Sophos to Finjan regarding December 10, 2015 meet and confer); Dkt. No. 137-19 (email from Finjan to Sophos regarding December 10, 2015 meet and confer stating, "[W]e look forward to receiving . . . supplemental responses to Interrogatories Nos. 18 and 24 by tomorrow."). Finjan states that the parties agreed at the meet and confer that Sophos would "supplement its laundry list citation of documents . . . and specifically explain what was responsive," not that Sophos would "add new and different information which it could have identified previously during discovery." Ltr. at 3-4.

The parties did not attach copies of the documents to the joint letter.

Finjan's request to exclude these documents is GRANTED. Sophos does not dispute that the documents are responsive to requests for production served by Finjan in May and October 2014. See Ltr. at 3, 5-6. Accordingly, the burden is on Sophos to show that its disclosure of the documents in December 2015, more than a year after the requests were served, was substantially justified or harmless. See Fed. R. Civ. P. 37(c)(1). Sophos appears to argue that the disclosure was substantially justified because it was made in response to Finjan's request that Sophos supplement certain of its discovery responses. See Ltr. at 6. But nothing in the record indicates that Finjan asked or authorized Sophos, in supplementing its discovery responses, to produce additional documents it could have produced earlier. Indeed, Sophos does not dispute Finjan's characterization of the December 10, 2015 meet and confer - i.e., that the parties agreed that Sophos would "supplement its laundry list citation of documents . . . and specifically explain what was responsive," not that Sophos would "add new and different information which it could have identified previously during discovery." Ltr. at 3-4.

Sophos contends that the untimely production of 1197SOPHOS_01749964-65 was substantially justified because the document is "a spreadsheet created at the direction of counsel to rebut positions taken for the first time by Finjan's damages expert in her expert report." Ltr. at 6. According to Finjan, however, the allegedly new positions in the expert report were already well known to Sophos, see Hearing Tr. at 37, and the parties have not provided me with sufficient information to assess which of them is more accurately characterizing the expert report. Moreover, given that Sophos does not dispute that the information reflected in 1197SOPHOS_01749964-65 should have been produced in response to the May and October 2014 requests for production, it is not clear why it matters whether the document was created to rebut new positions in an expert report.

Sophos also asserts that the untimely disclosure is harmless because the challenged documents are merely "updated versions of documents [it] produced in the [Delaware Action] and reproduced in this case well before the [discovery cutoff]." Ltr. at 6. But Sophos fails to explain how the relationship between the challenged documents and those from the Delaware Action makes the untimely disclosure harmless. See id. The one citation Sophos provides in support of its harmlessness argument is to one of its supplemental interrogatory responses; the cited response says nothing about 1197SOPHOS_01749964-65 and does not provide an adequate basis for finding that 1197SOPHOS_0179868-69 are merely updated versions of previously produced documents. See Ltr. Ex. 2 at 6-7. Meanwhile, Finjan asserts, and Sophos does not dispute, that Sophos's own damages expert could not understand 1197SOPHOS_0179868-69 without the help of Sophos employees, and that the documents include data fields that Sophos never explained in any of its interrogatory responses. See Ltr. at 4.

Sophos has not shown that its untimely production of the challenged documents was either substantially justified or harmless. It will not be able to use them at trial.

V. SOPHOS'S MOTION FOR PARTIAL SUMMARY JUDGMENT

Sophos moves for summary judgment that: (A) Finjan is collaterally estopped from disputing that SWEEP-InterCheck was on sale in the United States before November 8, 1996, that certain limitations of the asserted claims are "invalid" in light of SWEEP-InterCheck, or that the '494 patent is wholly invalid light of SWEEP-InterCheck; (B) Sophos does not infringe the asserted method claims, because there is no evidence that all steps of those claims have been practiced in the United States; (C) "Sophos Live Cloud Service" (which Sophos refers to as "SophosLabs") does not infringe any of the asserted patents, because the accused Sophos Live Cloud Service activities occur exclusively outside the United States; (D) Sophos does not infringe the '289 patent, because its products do not transmit modified content to the computer they protect; (E) Sophos does not infringe the '844 patent, because its products do not link a Downloadable to a Downloadable security profile before a web server makes that Downloadable available to web clients; and (F) Sophos does not infringe the '918 patent because its products do not use wrapper code that is executable. Mot. at 1-2 (Dkt. No. 140).

A. Collateral Estoppel

The Federal Circuit's "review of a collateral estoppel determination is generally guided by regional circuit precedent, but [it] appl[ies] [its] own precedent to those aspects of such a determination that involve substantive issues of patent law." Ohio Willow Wood Co. v. Alps S., LLC, 735 F.3d 1333, 1342 (Fed. Cir. 2013). Under Ninth Circuit precedent, collateral estoppel is appropriate where: (1) the issue is identical to an issue raised in a prior action; (2) the issue was actually litigated in the prior action, meaning that there was "full and fair opportunity to litigate the merits of [the] issue;" and (3) the determination of the issue in the prior action was "a critical and necessary part of the judgment." Littlejohn v. United States, 321 F.3d 915, 923 (9th Cir. 2003). In line with these requirements, "a general jury verdict can give rise to collateral estoppel only if it is clear that the jury necessarily decided a particular issue in the course of reaching its verdict." United Access Techs., LLC v. Centurytel Broadband Servs. LLC, 778 F.3d 1327, 1331 (Fed. Cir. 2015). "When there are several possible grounds on which a jury could have based its general verdict and the record does not make clear which ground the jury relied on, collateral estoppel does not attach to any of the possible theories." Id.

Sophos's collateral estoppel arguments are all predicated on the combination of SWEEP-InterCheck asserted in this action being the same as the one it asserted in the Delaware Action, i.e., SWEEP-2.72 & InterCheck-2.11. See Mot. at 5-9. As discussed above, Sophos cannot rely on that combination as prior art in this case. Accordingly, to the extent that its motion for partial summary judgment is based on collateral estoppel, the motion is DENIED.

B. Method Claims

Finjan accuses Sophos of infringing four method claims: claim 1 of the '494 patent, claims 1 and 7 of the '844 patent, and claim 18 of the '926 patent. Oppo. at 12. n.8 (Dkt. No. 165). Sophos moves for summary judgment of noninfringement of these claims, arguing that Finjan "has no evidence that Sophos or anyone else has practiced each step of the . . . claims in the United States." Mot. at 10.

Sophos is not entitled to summary judgment on this issue. To establish infringement of the asserted method claims, Finjan must show that each step of the claims was practiced within the United States. See Finjan, Inc. v. Secure Computing Corp., 626 F.3d 1197, 1206 (Fed. Cir. 2010) ("To infringe a method claim, a person must have practiced all steps of the claimed method."). This requires Finjan to show more than the mere sale of the accused products in the United States. See Meyer Intellectual Properties Ltd. v. Bodum, Inc., 690 F.3d 1354, 1366 (Fed. Cir. 2012) ("Where, as here, the asserted patent claims are method claims, the sale of a product, without more, does not infringe the patent."). But the mere sale of the accused products is not the only evidence on record here. Indeed, Sophos does not dispute that Finjan has presented evidence indicating that Sophos not only sells the accused products in the United States, but also has United States offices and training centers where it "develops," "tests," "operates," "services," "supports," and "demonstrates" the accused products. See Reply at 8 (Dkt. No. 181); see also Oppo. at 13.

Sophos asserts that such evidence still falls short because the allegedly infringing features of the accused products can be "turned off." Reply at 8. However, the only evidence Sophos cites for this argument is the report of Dr. Cole, who states that in analyzing the accused products for the '494 and '844 patents, "[t]esting was performed with the features turned off to observe that the executable was made available to the user if not protection was in place." Cole Rpt. ¶¶ 36, 39. Sophos does not provide any further explanation of the statement, and it is not at all clear from the statement itself whether it was only the infringing features of the accused products, or rather the accused products themselves, that were "turned off." See id. Moreover, in the same paragraphs of the report, Dr. Cole explains that when "[t]he system was turned on and . . . properly configured . . . , the executable was properly blocked and . . . the infringing features [were] observed." Id. ¶¶ 36, 39; see also Toshiba Corp. v. Imation Corp., 681 F.3d 1358, 1365 (Fed. Cir. 2012) ("[W]here an alleged infringer designs a product for use in an infringing way and instructs users to use the product in an infringing way, there is sufficient evidence for a jury to find direct infringement."). Whether the accused products infringe the method claims remains a question for the jury. Sophos's motion for summary judgment on this issue is DENIED.

C. SophosLabs

1. Infringement of the Asserted Method Claims by SophosLabs

Sophos makes a more targeted push for summary judgment of noninfringement of the asserted method claims with respect to SophosLabs / Sophos Live Cloud Service (hereinafter, "SophosLabs," unless otherwise indicated). The parties dispute the nature, the location, and, oddly, even the name of SophosLabs. Sophos describes it as a "team of analysts and threat researchers," operating in England, Canada, Australia, Hungary, and India, who "create detection rules for malware." Klausner Rpt. ¶ 486; see also Harris Depo. at 12 (Dkt. No. 139-34). According to Sophos, the name of this team is "SophosLabs." See Reply at 8-9. According to Finjan, Sophos's description is "incomplete and inaccurate." Oppo. at 3. Finjan characterizes the team as just one part of "Sophos Live Cloud Service," a "cloud-based . . . security ecosystem" comprised of "thousands of servers, many of which are in the United States." Id. Finjan asserts that this "security ecosystem" includes "automatic systems for processing content," including automatic systems that "detect if . . . content is suspicious or malicious and provide updates to . . . customers through Sophos's SXL technology." Id.

Sophos contends that Finjan cannot show that SophosLabs practices each step of the asserted method claims within the United States, because the SophosLabs activities accused of infringement occur outside the country. Mot. at 10. Sophos identifies two such activities: (1) the process of storing a file in the SophosLabs database; and (2) the SophosLabs file submission process. Id. at 11 (citing Cole Rpt. ¶¶ 303-06, 752-53). Finjan responds by citing to evidence indicating that both of these activities in fact occur on servers located inside the United States. See Oppo. at 14. Sophos asserts that the servers identified by Finjan "are SXL servers, not SophosLabs servers," Reply at 8-9, but Sophos fails to point to any evidence conclusively establishing that the SXL servers are not properly characterized as part of SophosLabs, as Finjan contends they are. Absent such evidence, Sophos has not shown that it is entitled to summary judgment on this issue. Its motion for summary judgment of noninfringement of the asserted method claims by SophosLabs is DENIED.

2. Infringement of the Asserted System Claims by SophosLabs

Sophos also moves for summary judgment of noninfringement of the asserted system claims by SophosLabs. See Mot. at 11-14. In light of the material factual dispute described above regarding the proper characterization of the SXL servers, and the parties' conflicting positions on "the place where control of [SophosLabs] is exercised and beneficial use of [SophosLabs] obtained," NTP, Inc. v. Research In Motion, Ltd., 418 F.3d 1282, 1317 (Fed. Cir. 2005), this motion is DENIED.

D. '289 Patent

Claim 22 of the '289 patent describes a system for "protecting a computer from dynamically generated malicious content;" the system requires both (1) "a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;" and (2) "a transmitter for transmitting the modified content . . . to the computer." '289 patent at 20:28-46. Sophos moves for summary judgment of noninfringement of the '289 patent on the ground that Finjan has not produced sufficient evidence that the accused products include either of these elements. Mot. at 14-17.

I agree that Finjan has not presented sufficient evidence of the claimed "transmitter for transmitting the modified content . . . to the computer" in the accused products. Finjan identifies two scenarios for how the modified content is transmitted in the accused products: (1) to SophosLabs through the SophosLabs file submission process, see, e.g., Mitzenmacher Rpt. ¶ 451; and (2) to SXL servers for "SXL lookups," see, e.g., id. ¶ 450. The problem with these scenarios is that Finjan has not presented evidence from which a juror could reasonably conclude that the computer to which the modified content is transmitted in either scenario is the computer being "protect[ed] [from] dynamically generated malicious content." In the SophosLabs file submission process, the modified content is transmitted from the computer being protected to SophosLabs, not vice versa. See Klausner Rpt. ¶¶ 858-860. Similarly, an "SXL lookup" occurs when "a scan on an endpoint computer identifies a file as suspicious but cannot resolve the file as either clean or malicious . . . , [and] certain file data . . . is sent to Sophos to allow further analysis." Mitzenmacher Rpt. ¶ 134.

Finjan contends that claim 22 of the '289 patent does not require that the modified content be transmitted to the computer being protected. See Oppo. at 18-20. But its principal argument on this point is that the preamble of claim 22 is not limiting. See id. I agree with Sophos that this is a case where "limitations in the body of the claim rely upon and derive antecedent basis from the preamble," such that "the preamble may act as a necessary component of the claimed invention." Pacing Techs., LLC v. Garmin Int'l, Inc., 778 F.3d 1021, 1024 (Fed. Cir. 2015) (internal quotation marks omitted). This conclusion is supported not only by the language and structure of claim 22, but also by the specification: Finjan does not dispute that in every embodiment disclosed in the '289 patent, the modified content is transmitted to the computer being protected by the claimed system. See Mot. at 16 (raising this point); see also, e.g., '289 patent at abstract, 8:51-9:03, fig. 2.

Finjan argues in the alternative that, even assuming that claim 22 requires that the modified content be transmitted to the computer being protected, Finjan has presented evidence showing that the accused products operate in this way. See Oppo. at 19. I disagree. Finjan's only argument on this point is to emphasize that the accused products transmit the modified content to SXL servers. See id. Because Finjan does not cite any evidence indicating that SXL servers can be reasonably characterized as the computers being protected by the accused products, this argument does not help Finjan's case. See id. Sophos's motion for summary judgment of noninfringement of claim 22 of the '289 patent is GRANTED.

E. '844 Patent

Claims 1, 7, 16, and 43 of the '844 patent all require that there be a "linking" between a "Downloadable security profile" and a "Downloadable," and that the "linking" occur "before a web server makes the Downloadable available to web clients." See '844 patent at 11:13-21 (claim 1), 11:34-35 (claim 7), 12:03-04 (claim 16), 14:34-42 (claim 43). Sophos moves for summary judgment of noninfringement of the '844 patent on the ground that the accused products perform the claimed linking between a Downloadable security profile and a Downloadable only after a web server makes the Downloadable available to web clients, not before. See Mot. at 17-22; Reply at 12-14 (Dkt. No. 179-4).

Sophos is not entitled to summary judgment on this ground. Sophos's position appears to be that the accused products themselves are the web clients described in the asserted claims, or at least that a Downloadable is made available to web clients within the meaning of the asserted claims whenever a Downloadable is made available to anyone over the internet. That is, Sophos's position appears to be that the accused products perform the claimed linking only after a web server makes the Downloadable available to web clients because the accused products receive the Downloadable from the internet, meaning that the Downloadable must have already been made available to web clients. See, e.g., Mot. at 21 ("For either system to have received a Downloadable, it must have already been made available by a web server to web clients, or [the system] would have never received it."). Finjan, on the other hand, asserts that it would be "nonsensical" for the accused products to qualify as the web clients described in the asserted claims. Oppo. at 21. It argues that the web clients in the accused products are the end users, not the accused products themselves. Id. at 22. It points to Dr. Cole's report, which describes the accused products not as web clients, but as "inspector systems" that analyze Downloadables "before [they are] made available to web clients." Cole Rpt. ¶ 215.

In another patent infringement action brought by Finjan, Judge Gilliam recently found that an essentially identical dispute over the defendant's alleged infringement claim 1 of the '844 patent precluded summary judgment. See Finjan, Inc. v. Proofpoint, Inc., No. 13-cv-05808-HSG, 2016 WL 1427492, at *2 (N.D. Cal. Apr. 12, 2016). I see no reason to reach a different conclusion here. Sophos's motion for summary judgment of noninfringement of the '844 patent is DENIED.

F. '918 Patent

Sophos contends that it is entitled to summary judgment of noninfringement of claim 12 of the ' 918 patent because Finjan has not presented evidence that the accused products satisfy the "executable wrapper code" limitation. Mot. at 22-25. Sophos does not dispute that the accused products use the claimed wrapper code - its position is that Finjan has not identified any wrapper code in the accused products that is executable. See id.

Finjan responds that "there is nothing [in the '918 patent] that requires the CODE-B to be executable." Oppo. at 24. Alternatively, it contends that Dr. Cole's report identifies components of the accused products that constitute wrapper code that is executable. Id. at 24-25.

Sophos plainly has the better of these arguments. In the same Judge Gilliam order cited above, Judge Gilliam also ruled that the "unambiguous claim language" of claim 12 of the '918 patent "at a minimum require[s] [the] CODE-B to be executable." Finjan, 2016 WL 1427492, at *6-7. I agree with this reading of claim 12 and apply it here. Further, I am not convinced by Finjan's attempts to extract from Dr. Cole's report meaningful evidence of wrapper code that is executable in the accused products. Nowhere in any of the cited paragraphs of the report does Dr. Cole use the word "executable," or any variation of that word, to describe what he identifies as the "CODE-B" in the accused products. See Cole Rpt. ¶¶ 509-10, 565-72. Finjan asserts that the "HTTP header information" in the accused products is the claimed "CODE-B," and that the "HTTP header information is . . . executed at the destination to determine the correct processing of the content." Oppo. at 24 (emphasis in original). But the paragraph of Dr. Cole's report that Finjan cites for this assertion, Cole Rpt. ¶ 567, says nothing about the HTTP header information being "executed," or anything analogous. Similarly, Finjan asserts that the "engine package" in the accused products is a "binary file" that satisfies the "executable wrapper code" limitation, Oppo. at 24, but it fails to provide a coherent explanation of how the cited paragraph of Dr. Cole's report, Cole Rpt. ¶ 568, supports this conclusion.

Finjan has not presented evidence from which a jury could reasonably conclude that the accused products satisfy every limitation of claim 12 of the '918 patent. Accordingly, Sophos's motion for summary judgment of noninfringement of the ' 918 patent is GRANTED.

VI. FINJAN'S MOTION FOR SUMMARY JUDGMENT

Finjan moves for summary judgment on two infringement issues and two validity issues. It contends that it is entitled summary judgment that: (A) Sophos's UTM Products infringe claim 22 of the '926 patent by including "Selective Sandboxing" technology; (B) SophosLabs (or Sophos Live Cloud Service) infringes claim 10 of the '494 patent through its use of Sophos's WarZone technology; (C) the '154, '494, '780, '844, and '926 patents are valid over SWEEP-InterCheck; and (D) three of the prior art publications asserted by Sophos were not publicly accessible at the relevant times.

A. Infringement of Claim 22 of the '926 Patent by the UTM Products

Sophos opposes summary judgment of noninfringement of claim 22 of the '926 patent on the grounds that Finjan has not conclusively established that the UTM Products include: (1) a "database" that includes a "list of suspicious computer operations" and that is "indexed according to Downloadable IDs," or (2) that the UTM Products transmit data to a "destination computer." See Oppo. at 16.

I agree with Sophos that summary judgment on this issue is not appropriate, at least because of a material factual dispute over the presence of a database including a list of suspicious computer operations in the UTM Products. Finjan identifies four different components in the UTM Products that satisfy this limitation: (1) "Zone File," (2) "Dynamo DB," (3) "L1 cache," and (4) "L2 cache." See Mot. at 11-13 (Dkt. No. 143). Sophos contends that "Zone File" does not include a list of suspicious computer operations because it stores only "malware identity names," which, according to Dr. Klausner, are not "computer operations." Oppo. at 19-20. Similarly, with respect to "Dynamo DB," "L1 cache," and "L2 cache," Sophos asserts that the components store only "URLs" and "file reputation data," which Dr. Klausner characterizes as distinct from "computer operations." Id. at 20. According to Finjan, the makeup of both the "malware identity names" stored in "Zone File," and the "URLs" and "file reputation data" stored in the other components, is such that all of the components are properly characterized as including a list of suspicious computer operations. Reply at 6 (Dkt. No. 180). But Finjan has not conclusively proved that this is the case. Accordingly, its motion for summary judgment of infringement of claim 22 of the '926 patent is DENIED.

Moreover, it is undisputed that the current versions of the UTM Products do not use "Dynamo DB," "L1 cache," and "L2 cache." See Oppo. at 20; Reply at 7 n.3. Finjan asserts that Sophos has plans to incorporate these components into the UTM Products, and that the UTM Products thus use the components "at least through [Sophos's] current testing and development," but Finjan cites no evidence of the alleged testing and development. See Reply at 7 n.3

B. Infringement of Claim 10 of the '494 Patent by SophosLabs

Like claim 22 of the '926 patent, claim 10 of the '494 patent requires a "database" that includes a "list of suspicious computer operations." '494 patent at 22:08-16. Sophos argues that there is a material factual dispute over whether SophosLabs, like the UTM Products, contains the claimed database including a list of suspicious computer operations. Oppo. at 18-21.

I agree. Finjan identifies five different components in SophosLabs that satisfy this limitation: "Zone File," "L1 cache," and "L2 cache," (i.e., the same components discussed above with respect to the UTM Products), and also "S3 Buckets" and "MongoDB." As discussed above, whether "Zone File," "L1 cache," and "L2 cache" include a list of suspicious computer operations is a question for the jury. The parties appear to agree that "S3 Buckets" are materially identical to "Zone File" with respect to this limitation, meaning that there is also a material factual dispute with respect to the presence of a list of suspicious computer operations in "S3 Buckets." See, e.g., Oppo. at 20; Reply at 6. With respect to "MongoDB," Finjan asserts that the component includes a list of suspicious computer operations because it stores the results of Sophos's WarZone technology, Mot. at 17, but, according to Dr. Klausner, Warzone "does not derive lists of suspicious instructions or operations," Klausner Rpt. ¶ 724. In Dr. Klausner's opinion, Warzone performs "checks," the results of which may include "system changes" and "events," which are different from suspicious operations. Id. Finjan disagrees, but it has not shown that Dr. Klausner's analysis is deficient as a matter of law. Accordingly, its motion for summary judgment of infringement of claim 10 of the '494 patent is DENIED.

C. Validity of the '154, '494, '780, '844, and '926 patents over SWEEP-InterCheck

Finjan contends that the '154, '494, '780, '844, and '926 patents are valid as a matter of law over SWEEP-InterCheck because (1) the prior art reference Sophos identifies as SWEEP-InterCheck improperly incorporates a number of different hardware and software components, such as the Demo2 programs and "computer hardware and operating system products" discussed above with respect to Finjan's motion to strike; and (2) Sophos cannot establish that any combination of SWEEP-InterCheck was publicly available in the United States before the priority dates of these patents. Mot. at 18-23. Finjan also raises an argument specific to the validity of claim 7 of the '844 patent, contending that Sophos has not presented evidence that SWEEP-InterCheck discloses the "Downloadable includ[ing] a JavaScript script" required by the claim. Id. at 20-21.

Finjan's first argument appears to be a reiteration of the argument it raises in its motion to strike, i.e., that Dr. Cohen improperly relies on items other than SWEEP-InterCheck itself to support his invalidity opinions based on SWEEP-InterCheck. As discussed above, Dr. Cohen may not rely on these items as invalidating references in and of themselves, but he might be able to rely on them "to demonstrate and support how SWEEP-InterCheck functioned at the time," Delaware Action, 2013 WL 5302560, at *17, or as examples of "necessary" aspects of SWEEP-InterCheck, id. at *18. This disposes of Finjan's first argument. Finjan's argument regarding the validity of claim 7 of the '844 patent fails for the same reason, as that argument is also predicated on the notion that Dr. Cohen cannot use the Demo2 programs to support his invalidity opinions. See Mot. at 20-21.

As noted above, given the uncertainty over which combination of SWEEP-InterCheck Sophos will select, there are significant questions regarding the admissibility of most, if not all, evidence and demonstratives regarding SWEEP-InterCheck.

This leaves Finjan's argument regarding the public availability of SWEEP-InterCheck. See Mot. at 21-23. Sophos's response to this argument is focused exclusively on collateral estoppel flowing from its use of SWEEP-2.72 & InterCheck-2.11 as an invalidating reference in the Delaware Action. See Oppo. at 11. Because Sophos cannot assert SWEEP-2.72 & InterCheck-2.11 as prior art in this case, this response is meritless. Sophos offers no other basis for finding that any combination of SWEEP-InterCheck was publicly available in the United States before the priority dates of the '154, '494, '780, '844, and '926 patents. See id.

Nevertheless, because Sophos briefed this issue before I had ruled that it could not rely on SWEEP-2.72 & InterCheck-2.11, and because it has not yet selected the particular combination of SWEEP-InterCheck it will assert in this case, I will not rule on this issue at this time. On the same date that Sophos files its motions in limine, Sophos shall file a supplemental brief of no more than 10 pages regarding whether its selected combination of SWEEP-InterCheck was publicly available before the priority dates of the '154, '494, '780, '844, and '926 patents. The supplemental brief may be accompanied by no more than 30 pages of exhibits. Finjan shall file a response - also of no more than 10 pages and no more than 30 pages of exhibits - on the same date it files its oppositions to Sophos's motions in limine. There will be no reply. I will address this aspect of Finjan's motion for summary judgment of validity of the '154, '494, '780, '844, and '926 patents over SWEEP-InterCheck after reviewing the parties' supplemental filings. In all other respects, the motion is DENIED.

Sophos's "Administrative Motion to Strike New Theories in [Finjan's] Reply in Support of its Motion for Summary Judgment or, in the Alternative, for Leave to File Surreply," Dkt. No. 188, is DENIED AS MOOT.

D. Public Accessibility of the MIMEsweeper Administrator Guide, Nachenberg, and ICD Reference

Finjan moves for summary judgment that three of the prior art publications relied on by Dr. Cohen were not publicly accessible at the relevant times. Mot. at 23-25. The publications are: (1) "MIMEsweeper Administrator Guide," Version 1.0d, Integralis Ltd. (the "MIMEsweeper Administrator Guide"); (2) Cary S. Nachenberg, A New Technique for Detecting Polymorphic Computer Viruses ("Nachenberg"); and (3) the ICD reference. In its opposition brief, Sophos agrees to withdraw the ICD reference, see Oppo. at 11 n.4, leaving only the MIMEsweeper Administrator Guide and Nachenberg at issue.

1. MIMEsweeper Administrator Guide

Finjan is entitled to summary judgment with respect to the public accessibility of the MIMEsweeper Administrator Guide. Sophos's only argument to the contrary is that the jury in the Delaware Action necessarily found that the "MIMEsweeper product" was publicly available before November 8, 1996, and that Finjan is thus collaterally estopped from disputing the public availability of the MIMEsweeper Administrator Guide. See Oppo. at 12-13. The fatal flaw in this argument is that the prior art reference at issue in the Delaware Action was the "MIMEsweeper product," not the MIMEsweeper Administrator Guide asserted here. See Delaware Action, 2013 WL 5302560, at *4-10. While the MIMEsweeper Administrator Guide and other product manuals were introduced as exhibits in the Delaware Action, they were used only as "evidence of how the products themselves functioned" - "it was the products," not the product manuals, "that were the basis of [the expert's] obviousness opinions." Delaware Action, 2013 WL 5302560, at *8; see also Oppo. at 13 (quoting same). Here, on the other hand, Sophos elected to take the opposite approach and to assert the MIMEsweeper Administrator Guide as a prior art reference, not the MIMEsweeper product. See Final Election of Asserted Prior Art at 2-3. Accordingly, the Delaware jury's finding of obviousness based on the MIMEsweeper product does not provide a basis for collateral estoppel. As Sophos presents no other evidence of the public accessibility of the MIMEsweeper Administrator Guide, Finjan's motion for summary judgment on this issue is GRANTED.

2. Nachenberg

Finjan is also entitled to summary judgment with respect to the public accessibility of Nachenberg. Nachenberg is a master's thesis written by Carey Nachenberg while studying at UCLA. Kastens Decl. Ex. 44 (Dkt. No. 143-46). Sophos asserts it as prior art against only the '494 patent. Final Election of Asserted Prior Art at 5. The reference includes a copyright date of 1995. Kastens Decl. Ex. 44. The only other meaningful evidence on record regarding the public accessibility of Nachenberg before the priority date of the '494 patent (November 8, 1996) is the following trial testimony from the Delaware Action:

Q: And what happened to that master's thesis once you wrote it?

[Nachenberg:] This was submitted to the university and published in the university library, and it may be published elsewhere, I don't know.
Grasso Decl. Ex. A (Dkt. No. 169-3). Sophos also submits a screenshot of a UCLA "Library Catalog Search" listing Nachenberg as "Published/Distributed" in 1995, but the screenshot is from April 5, 2016, and Sophos provides no explanation of the significance of the "Published/Distributed" date. See Grasso Decl. Ex. O (Dkt. No. 169-18).

The parties do not dispute that the issue of the public accessibility of Nachenberg was not actually litigated or determined in the Delaware Action, and Sophos does not assert collateral estoppel with respect to this issue.

I agree with Finjan that this evidence is not sufficient to create a triable issue on the public accessibility of Nachenberg. An alleged printed publication qualifies as publicly accessible for the purposes of 35 U.S.C. § 102(b) when there is

a satisfactory showing that such document has been disseminated or otherwise made available to the extent that persons interested and ordinarily skilled in the subject matter or art exercising reasonable diligence, can locate it and recognize and comprehend therefrom the essentials of the claimed invention without need of further research or experimentation.
Bruckelmyer v. Ground Heaters, Inc., 445 F.3d 1374, 1378 (Fed. Cir. 2006) (internal quotation marks omitted). In Application of Bayer, 568 F.2d 1357 (C.C.P.A. 1978), a graduate thesis in a university library was not catalogued or placed on the shelves, and only three faculty members knew about it. The Federal Circuit determined that "the thesis did not constitute a printed publication because a customary search would not have rendered the work reasonably accessible even to a person informed of its existence." SRI Int'l, Inc. v. Internet Sec. Sys., Inc., 511 F.3d 1186, 1196 (Fed. Cir. 2008) (discussing Bayer).

Similarly, in In re Cronyn, 890 F.2d 1158 (Fed. Cir. 1989), the graduate theses at issue were placed in a chemistry department library and indexed by the author's name. The Federal Circuit found no public accessibility because the theses "had not been either cataloged or indexed in a meaningful way." Id. at 1161. The court explained:

Although the titles of the theses were listed on 3 out of 450 cards filed alphabetically by author in a shoebox in the chemistry department library, such 'availability' was not sufficient to make them reasonably accessible to the public . . . [T]he only research aid was the student's name, which, of course, bears no relationship to the subject of the student's thesis.
Id.

Sophos offers no basis for distinguishing this case from Bayer and Cronyn. Although the trial testimony from the Delaware Action indicates that Nachenberg was published in the UCLA library at some point, there is no evidence of when exactly that occurred or how exactly the reference was catalogued at the relevant time. Absent such evidence, no juror could reasonably conclude that Nachenberg was publicly accessible within the meaning of 35 U.S.C. § 102(b). Finjan's motion for summary judgment on this issue is GRANTED.

CONCLUSION

The matters heard on May 11, 2016 are decided as stated above. Pursuant to Civil Local Rule 72-1, the parties are referred to Chief Magistrate Judge Joseph C. Spero for a settlement conference on July 25, 2016. The parties will be advised of the exact time and place of the settlement conference by Judge Spero. Dated: May 24, 2016

The parties filed a remarkable number of administrative motions to file under seal in connection with the matters addressed above. I will address those administrative motions in a separate order. For now, I note only that the motions are DENIED to the extent that they seek to seal any information specifically referenced in this Order. That information is plainly unsealable under either the compelling reasons or good cause standard. --------

/s/_________

WILLIAM H. ORRICK

United States District Judge


Summaries of

Finjan, Inc. v. Sophos, Inc.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
May 24, 2016
Case No. 14-cv-01197-WHO (N.D. Cal. May. 24, 2016)

permitting the use of a "previously undisclosed reference to be used as background material" as long as the reference is "not asserted as [an] invalidating prior art reference"

Summary of this case from Slot Speaker Techs., Inc. v. Apple, Inc.
Case details for

Finjan, Inc. v. Sophos, Inc.

Case Details

Full title:FINJAN, INC., Plaintiff, v. SOPHOS, INC., Defendant.

Court:UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA

Date published: May 24, 2016

Citations

Case No. 14-cv-01197-WHO (N.D. Cal. May. 24, 2016)

Citing Cases

Slot Speaker Techs., Inc. v. Apple, Inc.

Ex. 11 at pp.75-99 to Halpern Decl. The court orders Apple to amend its contentions to specifically state…

Finjan, Inc. v. Symantec Corp.

Two fundamental disputes exist as to the proper construction of the claim limitation "before a web server…