SAFECLICK V VISA INTL SERVICE ASSOC, No. 06-1182 (Fed. Cir. 2006)

Annotate this Case
Download PDF
NOTE: Pursuant to Fed. Cir. R. 47.6, this disposition is not citable as precedent. It is a public record. United States Court of Appeals for the Federal Circuit 06-1182 SAFECLICK, LLC, Plaintiff-Appellant, v. VISA INTERNATIONAL SERVICE ASSOCIATION and VISA U.S.A., INC., Defendants-Appellees. __________________________ DECIDED: October 23, 2006 __________________________ Before BRYSON, Circuit Judge, CLEVENGER, Senior Circuit Judge, and GAJARSA, Circuit Judge. CLEVENGER, Senior Circuit Judge. Plaintiff-Appellant Safeclick, LLC ("Safeclick") filed this patent infringement suit against Defendants-Appellees Visa International Service Assoc. and Visa USA, Inc. (collectively, "Visa") on December 30, 2003, in the United States District Court for the Northern District of California. Safeclick alleges that Visa's "Verified by Visa" service infringes claims 6 and 7 of U.S. Patent No. 5,793,028 ("the '028 patent"). On July 19, 2005, Visa filed a motion for summary judgment of noninfringement. The motion was granted on December 21, 2005, and judgment was thereafter entered in Visa's favor. Safeclick appeals that judgment. We affirm. I The invention of the '028 patent is an "electronic transaction security system . . . designed to substantially prevent the unauthorized use of transaction identification codes such as credit card numbers for placing transaction requests electronically via any suitable communication link, such as the Internet." '028 patent col.1 ll.43-48. So, for example, when a card-holding consumer ("transactionor") wishes to make a purchase over the Internet from an online merchant ("transactionee"), the invention attempts to ensure that the parties to the transaction are who they purport to be. In order to make a verified purchase using the invention, the transactionor sends a transaction initiation request from his or her computer to a computer operated by the transactionee. Before proceeding further with the transaction, the transactionee's computer requests verification from a computer operated by an entity such as the bank that issued the credit card ("verifier"). The verifier's computer does this by sending an acknowledgement request to the transactionor's computer. In response, the verifier's computer must receive a private identification code that uniquely identifies the transactionor's computer. If the verifier's computer does not receive the code it expects, the transaction will not be verified. Because claims 6 and 7 of the '028 patent are substantially similar, only claim 6 is reproduced here (with emphasis on the relevant claim limitation): 6. A method comprising the steps of: transmitting a transaction initiation request requesting the initiation of an electronic transaction to a transactionee computer from a transactionor computer, the transaction initiation request including a public identification code uniquely identifying the transactionor computer, and a public identification code uniquely identifying a transactionee computer; 06-1182 2 receiving by the transactionee computer the transaction initiation request; transmitting a verification request requesting verification of the transaction from the transactionee computer to a verifier computer in response to the transactionee computer receiving the transaction initiation request, the verification request including one of a private identification code and a public identification code uniquely identifying the transactionee computer and the public identification code uniquely identifying the transactionor computer; receiving the verification request by the verifier computer[;] transmitting an acknowledgement request requesting acknowledgement of the electronic transaction from the verifier computer to the transactionor computer in response to the verifier computer receiving the verification request; receiving the acknowledgement request by the transactionor computer; transmitting an acknowledgement response indicating one of a valid electronic transaction and an invalid electronic transaction from the transactionor computer to the verifier computer in response to the transactionor computer receiving the acknowledgement request, the acknowledgement response including the private identification code uniquely identifying the transactionor computer; receiving the acknowledgement response by the verifier computer; transmitting a verification response indicating one of a valid electronic transaction and an invalid electronic transaction from the verifier computer to the transactionee computer in response to the verifier computer receiving the acknowledgement response; and receiving the verification response by the transactionee computer and executing the electronic transaction in response to the transactionee computer receiving the verification response indicating a valid electronic transaction. '028 patent col.23 l.60 col.24 l.41 (emphasis added). 06-1182 3 II More than a decade ago, Visa began development of an internet-transaction protocol known as "3-D Secure" and marketed it under the name "Verified by Visa." Like the invention of the '028 patent, Verified by Visa seeks to reduce fraud by verifying the identity of an online consumer who attempts to make a purchase using a registered Visa credit card. The details of Visa's methodology are largely unimportant to the present case. Suffice it to say, a consumer who attempts to make a purchase using the Verified by Visa system must enter a password into his or her computer and send it to the card-issuing bank's "Access Control Server" ("ACS"). Before that password is sent, however, it goes through a process called "Secure Socket Layer" ("SSL") encryption. The SSL protocol enables the two communicating computers to generate a secret key for use during the communication session. If the transmitted information is not encrypted using this key, then the receiver will be unable to decrypt the information. Consequently, the password sent from the consumer to the ACS must be the correct password, and it must have been encrypted using the appropriate key. Upon its receipt of the encrypted password, the ACS decrypts the password and cross references it with the password on file. If the message containing the password cannot be decrypted indicating a possibility that it may have been changed accidentally or deliberately in transit or if the decrypted password does not match the one on file, then the transaction will not be verified. III In the proceedings below, the district court construed "private identification code uniquely identifying the transactionor computer" as "a nonpublic code that singularly 06-1182 4 identifies the computer used by the transactionor, but not only the transactionor himself or herself." Within thirty days after the issuance of that order, Safeclick was permitted, pursuant to the Northern District of California's Patent Local Rules, to serve Visa with its Final Infringement Contentions (to replace its Preliminary Infringement Contentions, discussed infra) in the form of "[a] chart identifying specifically where each element of each asserted claim is found within each Accused Instrumentality." Patent Local Rules 3-1(c) and 3-6(a). Safeclick took advantage of the opportunity and timely served Visa with a chart in which it is asserted that The private identification code uniquely identifying the cardholder computer is the authenticating information entered by the cardholder, which includes the cardholder's password, and, in some case[s], a personal identification statement. (JA at A02948.) Visa subsequently filed a motion for summary judgment of noninfringement, arguing that there could be no literal infringement because Safeclick had not adduced any evidence that Verified by Visa meets the "private identification code" limitation as construed by the court. Safeclick answered with a detailed explanation of its theory: In Verified by Visa, the cardholder enters a password into his or her computer to verify his or her identity. Before the cardholder sends the password, the cardholder computer and issuing bank computer (Access Control Server, or ACS) share a unique cryptographic key. (Tsudik Decl. ¶¶ 10-11) The cardholder computer uses this unique key to scramble, or encrypt, the typed-in password so that only the verifier computer can read the encrypted password. (Id. ¶ 11) This encrypted password is then sent to the ACS for authentication. (Visa Br. 11-12) The Verified by Visa password is a "private identification code" as defined by the Court. It is undisputedly "nonpublic" because it is not known to the merchant, and thus is not known to all of the parties to the transaction. (Tsudik Decl. ¶¶ 13 [sic, ¶ ]; Dominguez Dep. 133:18-25[;] Mortara Decl. Ex. 5) And this Verified by Visa password singularly identifies the cardholder computer because the ACS cannot successfully process the encrypted data unless it comes from the cardholder computer. (Tsudik Decl. ¶ 11) 06-1182 5 (JA at A03395) (footnote omitted). Visa objected to this theory of infringement under Patent Local Rule 3-6(a) because it was, in Visa's opinion, a theory that had not been set forth in Safeclick's Final Infringement Contentions. Specifically, Visa characterized Safeclick's new theory that the encrypted version of the cardholder's password satisfies the "private identification code" limitation as being materially different than Safeclick's previous theory that the plaintext version of the cardholder's password (i.e., the password "entered by the cardholder") satisfies that limitation. Accordingly, Visa, in its reply, urged the court to preclude Safeclick from proceeding with its new theory. Although the court entertained additional briefing on this issue, at no time did Safeclick seek leave to amend its Final Infringement Contentions. See Patent Local Rule 3-7 (permitting amendment for good cause shown). The district court considered the summary judgment motion on the papers and concluded that Safeclick had in fact violated the local rules by deviating from its Final Infringement Contentions. In the court's view, Safeclick's old theory of infringement only required the password entered by the cardholder to singularly identify the transactionor computer, whereas Safeclick's new theory of infringement requires both the password entered by the cardholder and the encryption information to singularly identify the transactionor computer. In other words, "it is the entry and the sending of [the password] in the manner that Visa has chosen that identifies the cardholder computer." Safeclick, LLC v. Visa U.S.A., Inc., No. C 03-5865, slip op. at 15 (N.D. Cal. Dec. 21, 2005) (emphasis in original). Thus, the district court refused to consider Safeclick's new theory, and summary judgment was granted in Visa's favor. On appeal, Safeclick urges this court to find that the district court abused its discretion. 06-1182 6 IV The Northern District of California, like every other district court, has its own set of local rules for litigants. However, presumably due to the volume of patent cases brought there, the Northern District also has a special set of Patent Local Rules. Pursuant to those rules, a party claiming patent infringement generally the plaintiff must provide the following: Not later than 10 days after the Initial Case Management Conference, a party claiming patent infringement must serve on all parties a "Disclosure of Asserted Claims and Preliminary Infringement Contentions." Separately for each opposing party, the "Disclosure of Asserted Claims and Preliminary Infringement Contentions" shall contain the following information: ... (c) A chart identifying specifically where each element of each asserted claim is found within each Accused Instrumentality, including for each element that such party contends is governed by 35 U.S.C. § 112(6), the identity of the structure(s), act(s), or material(s) in the Accused Instrumentality that performs the claimed function; (d) Whether each element of each asserted claim is claimed to be literally present or present under the doctrine of equivalents in the Accused Instrumentality[.] Patent Local Rule 3-1. The plaintiff is not locked into these Preliminary Infringement Contentions. The Patent Local Rules allow for amendment in two ways: If a party claiming patent infringement believes in good faith that (1) the Court's Claim Construction Ruling or (2) the documents produced pursuant to Patent L.R. 3-4 so requires, not later than 30 days after service by the Court of its Claim Construction Ruling, that party may serve "Final Infringement Contentions" without leave of court that amend its "Preliminary Infringement Contentions" with respect to the information required by Patent L.R. 3-1(c) and (d). Patent Local Rule 3-6(a). 06-1182 7 Amendment or modification of the Preliminary or Final Infringement Contentions or the Preliminary or Final Invalidity Contentions, other than as expressly permitted in Patent L.R. 3-6, may be made only by order of the Court, which shall be entered only upon a showing of good cause. Patent Local Rule 3-7. Our standard of review for a district court's application of such rules is very deferential. In Genentech, Inc. v. Amgen, Inc., we stated: "[U]nlike the liberal policy for amending pleadings, the philosophy behind amending claim charts . . . is decidedly conservative and designed to prevent the 'shifting sands' approach to claim construction." Atmel Corp. v. Info. Storage Devices, Inc., 1998 U.S. Dist. LEXIS 17564, 1998 WL 775115, at *2 (N.D. Cal. Nov. 5, 1998). Furthermore, this court defers to the district court when interpreting and enforcing local rules so as not to frustrate local attempts to manage patent cases according to prescribed guidelines. In reviewing a district court's exercise of discretion, this court determines "whether (1) the decision was clearly unreasonable, arbitrary, or fanciful; (2) the decision was based on an erroneous conclusion of law; (3) the court's findings were clearly erroneous; or (4) the record contains no evidence upon which the court rationally could have based its decision." In re Cambridge Biotech Corp., 186 F.3d 1356, 1369, 51 USPQ2d 1321, 1329 (Fed. Cir. 1999). . . . [Even where] the record shows ample reasons for the district court to permit [a party] to amend its claim chart, our standard of review on this issue does not require reversal in the presence of reasons to permit amendments. Even a determination that the district court's ruling was erroneous does not require reversal. Only if the ruling is found to be clearly erroneous is reversal mandated. Genentech, 289 F.3d 761, 774 (Fed. Cir. 2002). Safeclick argues that the district court clearly erred in finding that "Safeclick did not disclose the act of 'sending' the password in its Final Infringement Contentions" because the claim language itself provides for the act of "transmitting" the private identification code, and furthermore, because Safeclick explained in its contentions that "the cardholder enters required authentication information and presses the 'Purchase' or similar button in the browser window to transmit that information." Appellant's Br. at 3738 (emphasis amended). 06-1182 8 Safeclick's argument mischaracterizes the district court's reasoning. The act of transmitting (or sending) the information is not the part of the theory that changed after service of the Final Infringement Contentions, but rather it was the content of what gets transmitted (or sent) that changed. Safeclick explained in its Final Infringement Contentions that information entered by the user (e.g., a password) is transmitted. In subsequent briefing, however, Safeclick went beyond the statement in its final contentions. It explained that the private identification code was not merely the password entered by the user but that password as mathematically transformed for transmission by the SSL features of the user's web browser. This new argument had the advantage of indicating how the merchant's computer could in some sense "identify[]" the consumer's computer as required by the claim. When the password is considered outside its SSL wrapping, the only entity identified is the cardholder, not any particular computer. While it might have been reasonable for the district court to interpret Safeclick's latest infringement contentions as a restatement of its earlier infringement contention with a mere change of "scope and clarity," see Orion IP, LLC v. Staples, Inc., 407 F. Supp. 2d 815 (E.D. Tex. Jan. 9, 2006), it was also reasonable for the district court to interpret Safeclick's latest contentions as impermissibly different than its previous contentions. Consequently, we are unable to conclude that the district court erred by adopting one of two reasonable interpretations. See Genentech, 289 F.3d at 774 ("[Even where] the record shows ample reasons for the district court to permit [a party] to amend its claim chart, our standard of review on this issue does not require reversal in the presence of reasons to permit amendments."). 06-1182 9 Safeclick argues in the alternative that even if it did violate the Patent Local Rules, "a case-ending sanction is not appropriate when the opposing party suffers no prejudice." Appellant's Br. at 42. According to Safeclick, the Patent Local Rules at issue here are intended to supplement the disclosures required by Fed. R. Civ. P. 26, and because it is impermissible for local rules to conflict with the Federal Rules of Civil Procedure, the district court should have looked to Rule 37 which is the mechanism by which courts enforce Rule 26 for the proper remedy to Safeclick's infraction. Rule 37 provides in relevant part: A party that without substantial justification fails to disclose information required by Rule 26(a) or 26(e)(1), or to amend a prior response to discovery as required by Rule 26(e)(2), is not, unless such failure is harmless, permitted to use as evidence at a trial, at a hearing, or on a motion any witness or information not so disclosed. Fed. R. Civ. P. 37(c)(1) (emphasis added). Had the district court followed the mandates of this rule, Safeclick contends that it would have been able to show that Visa was not prejudiced by Safeclick's failure to disclose its new theory of infringement. As such, the district court would not have struck Safeclick's theory. Safeclick further argues that the district court was required to provide notice that it was considering striking Safeclick's theory altogether. The court need not address the Rule 37 issue because Safeclick did not present that argument to the district court. Sage Prods., Inc. v. Devon Indus., Inc., 126 F.3d 1420, 1426 (Fed. Cir. 1997) (explaining that "this court does not 'review' that which was not presented to the district court"); Ecological Rights Found. v. Pac. Lumber Co., 230 F.3d 1141, 1154 (9th Cir. 2000) ("It is to assure two-level consideration that issues usually cannot be raised in appellate courts in the first instance, but instead are waived 06-1182 10 (or reviewed only for plain error) if not raised before the district court."). To be sure, Safeclick did point out in its sur-reply brief that "Visa does not even allege that it suffered prejudice in this respect." (JA at A04132.) This single sentence simply does not suffice to show that Safeclick raised Rule 37 before this appeal. At best, that sentence was merely a make-weight argument to support the broader argument that Visa was on notice of Safeclick's theory of infringement. Moreover, although we do not decide here whether Safeclick had a duty to seek leave to amend its Final Infringement Contentions pursuant to Patent Local Rule 3-7, we do note that Safeclick's failure to do so was another foregone opportunity make its Rule 37 argument to the district court. The Ninth Circuit precedent cited by Safeclick stating that purely legal issues may sometimes be considered for the first time on appeal is of no consequence in this case. See, e.g., In re Am. W. Airlines, Inc., 217 F.2d 1161, 1165 (9th Cir. 2000); Bolker v. C.I.R., 760 F.2d 1039, 1042 (9th Cir. 1985). Assuming arguendo that we would abide by our sister circuit's precedent in this context, the question of whether there must be a showing of prejudice (or, to be more precise, a showing of harmlessness) is a factual issue that is not appropriate for us to resolve on appeal. The plain language of Rule 37 requires the district court to first find that the offending party was "without substantial justification" for its noncompliance with the discovery rules. Although Safeclick certainly attempted to shift the blame by arguing that Visa's discovery responses were inadequate (JA at A04132-33), the district court's written opinion is devoid of any findings with regard to substantial justification. Therefore, it would be inappropriate for us to make findings regarding the question of prejudice 06-1182 11 (harmlessness) when that highly factual issue has not been presented to, or addressed by, the district court. As to Safeclick's further argument that the district court should have provided notice that it was considering striking Safeclick's theory altogether, we disagree. Safeclick was provided with notice. On August 26, 2005, Visa argued in its reply brief that the district court should not consider Safeclick's latest infringement contentions for failure to comply with the local rules. Safeclick was then given an opportunity to file a sur-reply brief, which it did on November 8, 2005. Thus, Safeclick's claim that the district court's action was somehow "out of the blue" is demonstrably false. V Accordingly, we hold that the district court did not abuse its discretion by refusing to consider Safeclick's new infringement contention. The judgment of the district court is affirmed. 06-1182 12