From Casetext: Smarter Legal Research

Synopsys, Inc. v. Risk Based Sec.

United States Court of Appeals, Fourth Circuit
Jun 15, 2023
70 F.4th 759 (4th Cir. 2023)

Opinion

No. 22-1812

06-15-2023

SYNOPSYS, INC., Plaintiff - Appellee, v. RISK BASED SECURITY, INC., Defendant - Appellant.

ARGUED: Andrew Evan Samuels, BAKER & HOSTETLER LLP, Columbus, Ohio, for Appellant. Catherine Emily Stetson, HOGAN LOVELLS US LLP, Washington, D.C., for Appellee. ON BRIEF: Kevin W. Kirsch, Columbus, Ohio, Michael S. Gordon, New York, New York, Christopher A. Wiech, BAKER & HOSTETLER LLP, Atlanta, Georgia; C. Dewayne Lonas, Stewart R. Pollock, MORAN REEVES CONN PC, Richmond, Virginia, for Appellant. N. Thomas Connally, Christopher T. Pickens, Tysons, Virginia, Patrick T. Michael, San Francisco, California, Sean Marotta, Johannah Walker, HOGAN LOVELLS US LLP, Washington, D.C., for Appellee.


Appeal from the United States District Court for the Eastern District of Virginia, at Richmond. John A. Gibney, Jr., Senior District Judge. (3:21-cv-00252-JAG) ARGUED: Andrew Evan Samuels, BAKER & HOSTETLER LLP, Columbus, Ohio, for Appellant. Catherine Emily Stetson, HOGAN LOVELLS US LLP, Washington, D.C., for Appellee. ON BRIEF: Kevin W. Kirsch, Columbus, Ohio, Michael S. Gordon, New York, New York, Christopher A. Wiech, BAKER & HOSTETLER LLP, Atlanta, Georgia; C. Dewayne Lonas, Stewart R. Pollock, MORAN REEVES CONN PC, Richmond, Virginia, for Appellant. N. Thomas Connally, Christopher T. Pickens, Tysons, Virginia, Patrick T. Michael, San Francisco, California, Sean Marotta, Johannah Walker, HOGAN LOVELLS US LLP, Washington, D.C., for Appellee. Before AGEE and RUSHING, Circuit Judges, and Joseph DAWSON III, United States District Judge for the District of South Carolina, sitting by designation. Affirmed by published opinion. Judge Agee wrote the opinion, in which Judge Rushing and Judge Dawson joined. AGEE, Circuit Judge:

Both Risk Based Security, Inc. ("RBS") and Synopsys, Inc., identify vulnerabilities in the source code of software and share information about those vulnerabilities so they can be corrected before nefarious individuals exploit them. After RBS accused Synopsys of engaging in unlawful conduct related to the content of RBS' vulnerability database, Synopsys filed this declaratory judgment action. In relevant part, Synopsys sought a judicial declaration that it had not misappropriated RBS' trade secrets. On the merits, the district court granted Synopsys' motion for summary judgment on that claim after concluding that RBS had not come forward with evidence showing that any of its alleged trade secrets satisfied the statutory definition of that term. RBS appeals by challenging the district court's merits determination of trade secrets as well as its decisions denying RBS' motion to dismiss the case as moot, excluding testimony from two of RBS' expert witnesses, and denying its motion for partial summary judgment as to some of its trade secret claims. For the reasons set out below, we affirm the district court's judgment in favor of Synopsys.

I.

Software programs run according to their list of instructions, and those instructions are found in the programs' code. See Decision Insights, Inc. v. Sentia Grp., Inc., 416 F. App'x 324, 325 n.2 (4th Cir. 2011) (per curiam)) (describing "source code" as "a document written in computer language, which contains a set of instructions designed to be used in a computer to bring about a certain result" (citing Trandes Corp. v. Guy F. Atkinson Co., 996 F.2d 655, 662-63 (4th Cir. 1993))). Many software programs use open source code, meaning that the code is publicly accessible. Open source code allows for a greater exchange of information between all users, including the subset of users who want to identify and exploit vulnerabilities in the code for malevolent purposes. To counter the risks posed by these cyberattacks, entities like the federal government as well as private companies such as RBS and Synopsys work to identify vulnerabilities in open source code. Once identified, these vulnerabilities can be shared with the public or paying customers for their use.

RBS has been in the business of identifying and disclosing open source code vulnerabilities for over a decade. In 2011, it acquired a publicly available vulnerability database and used the data it contained to create a private database known as "VulnDB." It then invested years of research and development into expanding VulnDB's content far beyond the originally acquired public database. RBS then commercially licensed VulnDB to companies including some of its competitors.

One such licensed competitor was Black Duck Software, Inc., which is now a wholly owned subsidiary of Synopsys. RBS and Black Duck entered into a license agreement permitting Black Duck certain uses of VulnDB beginning in 2014. During the time this agreement was in force, Black Duck developed its own databases to manage and store information about open source code vulnerabilities. Believing that Black Duck violated the license agreement and misappropriated VulnDB content to undertake that initiative, RBS revoked Black Duck's license in 2018 and also filed a complaint against it in Massachusetts state court. That complaint has since languished in the Massachusetts courts, but in late 2021, RBS filed a second amended complaint naming Synopsys—which acquired Black Duck in 2017—as a new defendant in the case. To date, the Massachusetts litigation has not been resolved.

As noted earlier, the parties here are not the only entities interested in identifying vulnerabilities in open source code. The U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency sponsor programs for this purpose as well, one of which is the Common Vulnerabilities and Exposures ("CVE") Program. As part of this program, certain entities—CVE Numbering Authorities ("CNA")—are authorized to "assign unique identifier numbers [("CVE Identifiers")] to vulnerabilities in open source security software and publish information about the vulnerabilities in the CVE Program's public catalogs." Synopsys, Inc. v. Risk Based Sec., Inc., No. 3:21cv252, 2022 WL 3005990, at *2 (E.D. Va. July 28, 2022). Only CNAs can assign CVE Identifiers, which are unique, alphanumeric identifiers referring to a specific vulnerability that are then made available to the public for use in cataloging information about and evaluating that specific vulnerability.

In late March 2021, Synopsys became a CNA and announced its designation in a press release. Shortly after that announcement, RBS sent Synopsys a cease and desist letter stating that Synopsys' work as a CNA would constitute a "severe escalation of the wrongful conduct engaged in by Black Duck, and now Synopsys" because, in RBS' view, it necessarily involved VulnDB data that Black Duck had unlawfully obtained. J.A. 58. RBS asserted that Synopsys' work as a CNA would "at a minimum" constitute several violations of state and federal law, including misappropriation of trade secrets. J.A. 58. It thus demanded in the cease and desist letter that Synopsys and its affiliates:

Both the cease and desist letter and the complaint identified multiple alleged violations of state and federal law, all of which have been resolved before this appeal and none of which are contested in this appeal. Accordingly, we do not address them and focus instead on the allegation of misappropriated trade secrets under Virginia and federal law.

1. Immediately cease the unauthorized use, distribution, and modification of RBS's intellectual property, including but not limited to the VulnDB database, all vulnerabilities identified therein, and all vulnerabilities discovered by Black Duck or Synopsys by copying or misappropriating information in the VulnDB database.

2. Immediately commit, in writing, to refrain from identifying vulnerabilities to CVE until the full resolution of the Massachusetts litigation against Black Duck.
J.A. 58 (emphases added). The letter expressly reserved RBS' "right to seek an appropriate remedy in the event this matter is not expeditiously resolved." J.A. 59.

In April 2021, Synopsys filed this declaratory judgment action in the U.S. District Court for the Eastern District of Virginia. Against the backdrop of the cease and desist letter's accusations and demands, the complaint sought a declaration that Synopsys had not misappropriated RBS' trade secrets.

Although Synopsys filed the declaratory judgment complaint, the district court identified the parties based on their relative positions in a misappropriation-of-trade-secrets claim, with RBS as the "plaintiff" alleging that "defendant" Synopsys had violated the pertinent statutes. This opinion adopts the same approach, discussing the misappropriation claims as if RBS were the "plaintiff" and Synopsys were the "defendant."

During discovery, however, RBS sent Synopsys a covenant not to sue and a withdrawal letter, which it also filed in the district court. Based on those documents, RBS moved to dismiss the complaint as moot. As expounded on below, the district court held that the declaratory judgment action was not moot because "RBS has not demonstrated that the covenant remedies or prevents the injuries Synopsys alleges." Synopsys, Inc. v. Risk Based Sec., Inc., No. 3:21cv252, 2022 WL 107184, *1 (E.D. Va. Jan. 11, 2022).

Around the same time, RBS added Synopsys as a defendant in the pending Massachusetts litigation.

In January 2022, RBS was acquired by Flashpoint for [Redacted].

Upon the close of discovery, each party moved to exclude certain testimony from the other's experts and for summary judgment (Synopsys in full and RBS partially). The district court addressed the motions in a single order. Relevant to this appeal, the district court granted Synopsys' motion to exclude one of RBS' expert witnesses in toto and one in part, concluding that "each conveys improper legal conclusions, speculation, or factual narrative." Synopsys, Inc., 2022 WL 3005990, at *5 (footnotes omitted). In addition, the district court granted Synopsys' motion for summary judgment after determining that RBS had failed to come forward with proof sufficient to show that the alleged "trade secrets" it accused Synopsys of misappropriating met the legal definition of that term. As relevant to the court's determination, the definition of "trade secret" common to Virginia and federal law requires proof of something (here, data or information) that "[d]erives independent economic value" from its secrecy, id. at *15 (alteration in original) (quoting Va. Code § 59.1-336 and citing 18 U.S.C. § 1839(3)), and that its owner had undertaken "reasonable efforts to maintain the secrecy of its asserted trade secrets," id. at *16; Va. Code § 59.1-336; 18 U.S.C. § 1839(3)(A). The district court concluded RBS' evidence was deficient as to both aspects of a trade secret. Accordingly, it granted Synopsys summary judgment for a declaration that the company had not misappropriated RBS' trade secrets. Lastly, the district court held that regardless of its ruling on Synopsys' motion for summary judgment, it would have separately denied RBS' motion for partial summary judgment.

After the parties resolved the remaining claims and procured the district court's entry of final judgment, RBS noted a timely appeal. The Court has jurisdiction under 28 U.S.C. § 1291.

II.

Before proceeding to the merits, we must assure ourselves that the district court correctly determined that the parties' dispute was not moot.

A.

Article III limits a federal court's jurisdiction to actual "cases" and "controversies," and the parties' dispute must "be extant at all stages of review, not merely at the time the complaint is filed." Campbell-Ewald Co. v. Gomez, 577 U.S. 153, 160, 136 S.Ct. 663, 193 L.Ed.2d 571 (2016) (citations omitted). To account for this requirement, the mootness doctrine recognizes that some "intervening circumstance[s] deprive[ ] the plaintiff of a personal stake in the outcome of the lawsuit, [such that] the action can no longer proceed." Id. at 160-61, 136 S.Ct. 663 (cleaned up). "A case becomes moot, however, only when it is impossible for a court to grant any effectual relief whatever to the prevailing party." Id. at 161, 136 S.Ct. 663 (cleaned up). "As long as the parties have a concrete interest, however small, in the outcome of the litigation, the case is not moot." Id. (citation omitted).

Article III's case and controversy requirement—and the attendant doctrine of mootness—is "no less strict under the Declaratory Judgment Act than in case of other suits." Altvater v. Freeman, 319 U.S. 359, 363, 63 S.Ct. 1115, 87 L.Ed. 1450 (1943) (internal citation omitted). In MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118, 127 S.Ct. 764, 166 L.Ed.2d 604 (2007), the Supreme Court held that a declaratory action is available when the totality of the circumstances "show[s] that there is a substantial controversy, between parties having adverse legal interests, of sufficient immediacy and reality to warrant the issuance of a declaratory judgment." Id. at 127, 127 S.Ct. 764 (citation omitted). This means that the parties' dispute must be "definite and concrete, touching the legal relations of parties having adverse legal interests," it must be "real and substantial," and it must be amenable to "specific relief through a decree of a conclusive character, as distinguished from an opinion advising what the law would be upon a hypothetical state of facts." Id. (citation omitted).

One aspect of mootness associated with declaratory judgment actions arises when a party unilaterally covenants not to sue the other party, thus raising the question of whether that covenant sufficiently alters the circumstances so as to render the case moot. These actions fall within the doctrine's broader recognition that a party "cannot automatically moot a case simply by ending its unlawful conduct once sued." Already, LLC v. Nike, Inc., 568 U.S. 85, 91, 133 S.Ct. 721, 184 L.Ed.2d 553 (2013). And a party "claiming that its voluntary compliance moots a case bears the formidable burden of showing that it is absolutely clear the allegedly wrongful behavior could not reasonably be expected to recur." Id. (emphases added) (citation omitted). In assessing whether a particular covenant not to sue renders the declaratory judgment action moot, the Court looks to the claims and relief sought in the complaint as compared to the scope of the covenant not to sue. E.g., Revolution Eyewear, Inc. v. Aspex Eyewear, Inc., 556 F.3d 1294, 1297 (Fed Cir. 2009) ("Whether a covenant not to sue will divest the trial court of jurisdiction depends on what is covered by the covenant."); Caraco Pharm. Lab'ys, Ltd. v. Forest Lab'ys, Inc., 527 F.3d 1278, 1297 (Fed. Cir. 2008) (observing that if, after the covenant has been issued, "a substantial controversy . . . of sufficient immediacy and reality to warrant the issuance of a declaratory judgment" still exists, then the case is not moot (quoting MedImmune, 549 U.S. at 127, 127 S.Ct. 764)).

B.

RBS asserts that "in reliance on" certain representations made during the pretrial proceedings, it covenanted not to sue Synopsys and withdrew its cease and desist letter. J.A. 581, 583. In particular, both the covenant and the withdrawal letter hinged on certain representations Synopsys allegedly made in the pending litigation, such as that its continuing work as a CNA would be "the product of its independent research and not based on any vulnerability database at all, let alone VulnDB." J.A. 580-81. In express "good faith reliance" on those representations, J.A. 581, RBS asserted that it withdrew the cease and desist letter "and any subsequent assertion concerning Synopsys' use or potential use of VulnDB in its role as a CNA," J.A. 583. RBS viewed the covenant not to sue and the withdrawal letter as "finally resolv[ing] any dispute over Synopsys's conduct as a CNA related to VulnDB®" and urged that the case be dismissed as moot because these documents "conclusively end[ed] this litigation." J.A. 581.

The district court disagreed and declined to dismiss the declaratory judgment action. Relying on the Supreme Court's seminal decision in Already, LLC v. Nike, Inc., the court determined that RBS' unilateral covenant not to sue did not satisfy its " 'formidable' burden of showing that the injury Synopsys seeks to remedy and prevent 'could not reasonably be expected' to recur." Synopsys, Inc., 2022 WL 107184, at *7 (quoting Already, 568 U.S. at 91, 133 S.Ct. 721). In particular it observed that the covenant was limited to Synopsys' "role as a CNA related to VulnDB," and thus "does not sufficiently protect Synopsys's other commercial conduct," which it had sought to protect "in its complaint [through] repeated[ ] refer[ences] to its business relationships." Id. Acknowledging that Synopsys' CNA activities formed the backdrop for the litigation, the district court observed that this ultimately was one "example of the conduct [Synopsys] s[ought] to protect in its remaining claims, [and] the relief it s[ought] for each claim demonstrate[d] that it did not refer to this conduct in a vacuum" given the "financial and reputational harm that" it desired to avoid by seeking a declaratory judgment. Id. at *8. "[G]iven the narrowly-tailored protection the covenant provide[d]," and the broader scope of the complaint's alleged harms and claim for relief, the district court concluded the case had not been rendered moot under Already's standards. Id.

C.

On appeal, RBS renews its argument that the case is moot, urging the Court to vacate the district court's judgment on the merits and dismiss the case for want of jurisdiction. It contends that the complaint's factual allegations pertained solely to Synopsys' role as a CNA and that the relief sought here similarly relates solely to that role. RBS maintains that its covenant not to sue and withdrawal of the cease and desist letter resolved the entirety of the parties' dispute because in them RBS agreed not to sue Synopsys based on its performance of that role. And it asserts the district court improperly looked outside Synopsys' actions as a CNA to determine the case was not moot because that conduct falls outside the scope of the parties' dispute.

We review de novo this issue of the federal courts' jurisdiction. Porter v. Clarke, 852 F.3d 358, 363 (4th Cir. 2017).

D.

Under the governing legal principles outlined above, our review centers on the scope of the covenant not to sue and the withdrawal of the cease and desist letter when read in tandem with the complaint. That review leads us to conclude that RBS did not meet its "formidable burden" by unilaterally withdrawing the cease and desist letter and covenanting not to sue. Already, 568 U.S. at 91, 133 S.Ct. 721 (citation omitted). This is so for at least three reasons. First, the complaint's broader background and prayer for relief addressed a dispute larger than Synopsys' specific role as a CNA, and the covenant not to sue and withdrawal letter only partially addressed the entire dispute. Second, the language of the covenant not to sue and the withdrawal letter were vaguely conditioned on Synopsys' future performance and thus did not make it "absolutely clear" that RBS' "allegedly wrongful behavior could not reasonably be expected to recur." Id. (citation omitted). Third, and relatedly, because RBS' unilateral change relied on certain conditions about how Synopsys undertook its role as a CNA, the withdrawal letter and covenant not to sue were revocable at its discretion and thus fell further short of the high benchmark established in Already.

Synopsys contends that RBS' characterizations of certain statements made during the litigation—which form part of the recitals giving rise to the covenant and withdrawal letter—misrepresent its position in this case. If true, this too would be problematic, though we have ample basis for rejecting RBS' mootness arguments without needing to delve into the record to resolve that aspect of the parties' arguments on appeal.

At the outset, RBS' mid-litigation course reversal only partially addressed the parties' underlying dispute, as evidenced by the language of both the cease and desist letter and—more importantly—the complaint. Although the cease and desist letter's immediate factual foundation was RBS' belief that Synopsys would misuse VulnDB content in its role as a CNA, the letter articulates the dispute more broadly. RBS demanded that Synopsys "[i]mmediately cease the unauthorized use, distribution, and modification of RBS's intellectual property, including but not limited to the VulnDB database, all vulnerabilities identified therein, and all vulnerabilities discovered by Black Duck or Synopsys by copying or misappropriating information in the VulnDB database." J.A. 58 (emphases added). Given that the cease and desist letter spurred Synopsys to file the complaint, this broader demand supports the district court's conclusion that what Synopsys sought to protect in the complaint, including its specific prayer for relief, went beyond clarifying the parties' rights solely as to Synopsys' CNA activities. As recounted throughout the complaint, Synopsys sought—in relevant part—declarations that it "has not copied or misappropriated any of RBS' purported" trade secrets, and thus has not violated federal or Virginia law in any capacity; not just as a CNA. J.A. 37 (emphasis added); see also J.A. 54 (prayer for relief). These requests are untethered to Synopsys' specific role as a CNA or its use of VulnDB in that role, and thus support the district court's conclusion that RBS' covenant not to sue Synopsys "for any and all existing or future claims based on Synopsys's role as a CNA related to VulnDB®" did not conclusively show the parties' dispute had been resolved. J.A. 581. As we have previously recognized, "the bar for maintaining a legally cognizable claim is not high: 'As long as the parties have a concrete interest, however small, in the outcome of the litigation, the case is not moot.' " Grimm v. Gloucester Cnty. Sch. Bd., 972 F.3d 586, 604 (4th Cir. 2020) (quoting Chafin v. Chafin, 568 U.S. 165, 172, 133 S.Ct. 1017, 185 L.Ed.2d 1 (2013)).

The broader context in which the covenant was issued bolsters our conclusion, though it's unnecessary to reach it. Shortly after issuing the covenant and withdrawal letter, RBS added Synopsys as a party defendant to the pending Massachusetts litigation also involving alleged misappropriation of VulnDB and its data. While the state case involves different claims against Black Duck and Synopsys, it still demonstrates RBS' ongoing belief that Synopsys is liable to it for conduct relating to VulnDB. To the extent that Synopsys sought a determination in this case that particular allegations and claims of misconduct relating to VulnDB were untrue apart from the limited context of its role as a CNA, those remained a live controversy as RBS intends to continue pursuing its core theory that some portion of Black Duck and Synopsys' ongoing work improperly originates from VulnDB. Thus, there's a "live" controversy and Synopsys continues to have a "legally cognizable interest in the outcome" of this action. See Already, 568 U.S. at 91, 133 S.Ct. 721 (citation omitted).

Two more reasons apparent on the face of the covenant and withdrawal letter make clear that their issuance did not affect the justiciability of Synopsys' action: conditionality and revocability. Each document is conditioned on lengthy fact-specific recitals purporting to serve as the basis for RBS' willingness to issue them. For example, they cite Synopsys' counsel "unequivocal[ly] represent[ing] that its conduct as a CNA is not and will not be based on VulnDB" "or any other vulnerability database" and they note RBS' "good faith reliance" on these statements as the basis for RBS' willingness to covenant not to sue and withdraw the cease and desist letter. J.A. 580-81. These reservations expressly condition RBS' issuance of both documents on Synopsys' alleged representations, and thus implicitly condition RBS' future obligation to adhere to them as well. Nothing in either document would prevent RBS from unilaterally determining at some future date that Synopsys had violated the basis for its own obligations and thus arguing that it was not bound by the covenant not to sue.

The absence of language unequivocally disavowing future litigation or other action against Synopsys makes the covenant not to sue here a far cry from the one at issue in Already. In that case, Nike "unconditionally and irrevocably covenant[ed] to refrain from making any claim(s) or demand(s) . . . against Already or any of its . . . related business entities . . . on account of any possible cause of action based on or involving" any of the claims or any of the current or previous products at issue, including colorable imitations of them. 568 U.S. at 93, 133 S.Ct. 721 (second and third alterations in original). In discussing why Nike's covenant satisfied the burden of showing that its unilateral issuance made it "absolutely clear [Nike's] allegedly wrongful behavior could not reasonably be expected to recur," id. at 91, 133 S.Ct. 721 (citation omitted), the Court pointed to it being "unconditional and irrevocable"; it prohibited not just "filing suit," but also "making any claim or any demand"; it extended beyond Already itself to include affiliates; and "it covers not just current or previous designs, but any colorable imitations." Id. at 93, 133 S.Ct. 721. In short, the covenant "encompass[ed] all of [Nike's] allegedly unlawful conduct," id. at 94, 133 S.Ct. 721, meaning that "Already [was] free to sell its shoes without any fear of" Nike acting against it, id. at 96, 133 S.Ct. 721, and Already had not come forward with any argument to the contrary, id. at 95, 133 S.Ct. 721.

Even accepting that a covenant not to sue may not need to contain such extensive language as used in Already, it's readily evident here that RBS' covenant falls well short of meeting its initial burden under the Supreme Court's high standard. Its conditioned terms and revocability are both fatal to satisfying the requirements set forth in Already. See Porter, 852 F.3d at 364 ("The Supreme Court has held that a defendant satisfies [its] heavy burden when, for example, it enters into an 'unconditional and irrevocable' agreement that prohibits it from returning to the challenged conduct." (citation omitted)); ArcelorMittal v. AK Steel Corp., 856 F.3d 1365, 1370 (Fed. Cir. 2017) (concluding that a covenant not to sue had not rendered the case moot because it had not "unconditionally assure[d] Defendants and their customers that it would never assert [the challenged] claims . . . against them"); Lewis Bros. Bakeries Inc. v. Interstate Brands Corp. (In re Interstate Bakeries Corp.), 751 F.3d 955, 960-61 (8th Cir. 2014) (declining to dismiss the action as moot where the defendant—unlike Nike in Already—"ha[d] not given ironclad assurances about the License Agreement" and, "[e]specially in light of the lengthy and ongoing dispute between the parties over [that agreement], the record d[id] not foreclose a reasonable possibility that [the owner of the disputed mark would] maintain that the agreement is executory," which was the "precise dispute in th[e] case"). We have previously recognized that "[w]henever 'a defendant retains the authority and capacity to repeat an alleged harm, a plaintiff's claims should not be dismissed as moot.' " Courthouse News Serv. v. Schaefer, 2 F.4th 318, 323 (4th Cir. 2021) (quoting Wall v. Wade, 741 F.3d 492, 497 (4th Cir. 2014)). RBS retained such authority and capacity by issuing a covenant premised on its interpretation of Synopsys' representations and future conduct in accordance with those understandings.

This case does not require us to determine what distance exists between the particular covenant not to sue at issue in Already and a less comprehensive covenant not to sue that nonetheless meets the Already standard. But we note that other courts have recognized at least some distance is permissible. See, e.g., ABS Glob., Inc. v. Cytonome/ST, LLC, 984 F.3d 1017, 1021-22 (Fed. Cir. 2021) (concluding that a covenant that was "unquestionably narrower than the covenant not to sue in Already" still satisfied Already's standard because the disavowal was "coextensive with the asserted injury," allowing the plaintiff to continue operating, and prohibiting the defendant from asserting liability against it for doing so not just for the products at issue but also for those that were "essentially the same" as the ones at issue (citation omitted)).

In sum, the documents RBS issued mid-litigation do not meet Already's standards because they are partial, conditional, and revocable. Accordingly, we reject RBS' contention that the case should have been dismissed as moot following RBS' issuance of the covenant not to sue and its withdrawal of the cease and desist letter. The district court appropriately concluded that it retained jurisdiction to consider the merits.

III.

We next turn to whether the district court erred in granting Synopsys' motion for summary judgment on whether it had misappropriated RBS' trade secrets and the related question of whether the court abused its discretion in excluding testimony from RBS' expert witnesses.

A.

Failing to prove the existence of a "trade secret" dooms a misappropriation claim. Trandes Corp., 996 F.2d at 661 (observing that a plaintiff does not satisfy his burden by identifying something that "could qualify as trade secrets," but also must come forward with "evidence that these items met the definition of a trade secret" (emphasis added)); see also MicroStrategy Inc. v. Li, 268 Va. 249, 601 S.E.2d 580, 588 (2004) (stating that the relevant Virginia statute has two elements—"the existence of a 'trade secret' and its 'misappropriation' by the defendant" —and that "if a plaintiff fails to prove either required element, the plaintiff is not entitled to relief" (citation omitted)). The Virginia and federal definitions of "trade secret" are of a piece, applying to all sorts of things—including information and compilations of information—bearing two characteristics. First, a trade secret must "[d]erive[ ] independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use." Va. Code § 59.1-336; accord 18 U.S.C. § 1839(3)(B) (containing materially identical language). Second, a trade secret must be "the subject of efforts that are reasonable under the circumstances to maintain its secrecy." Va. Code § 59.1-336; accord 18 U.S.C. § 1839(3)(A) (requiring that "the owner thereof has taken reasonable measures to keep such information secret"). For ease of reference, we refer to the two elements of the trade secret definition by the shorthand requirements of "independent economic value" and "reasonable secrecy."

Although the existence of a trade secret "ordinarily presents a question of fact to be determined by the fact finder from the greater weight of the evidence," MicroStrategy Inc., 601 S.E.2d at 589, summary judgment can still be appropriate when the record does not create a genuine issue of material fact as to the necessary elements.

B.

In the district court, RBS repeatedly altered the number of trade secrets that it alleged Synopsys purportedly misappropriated. For most of the case, it asserted 150 and as many as 160 trade secrets were at issue. By the summary-judgment stage, however, RBS had cut the number to seventy-five. Broadly speaking, its alleged trade secrets consisted of vulnerability data collected over certain periods of time or in certain file locations, including structures, mapping, and relationships contained in VulnDB as well as compilations and methods of analyzing and documenting identified vulnerabilities. E.g., J.A. 4682 (Trade Secret 1: "RBS's vulnerability references from January through May of 2016 contained in ossAvailability2016.csv (cited in BD-RBS-000006741)."); J.A. 4692 (Trade Secret 26: "The compilation of software vulnerability data contained in base_credits.csv (RBS-00003368)."); J.A. 4699 (Trade Secret 68: "VulnDB software vulnerability data structure contained in BD-RBS-181790-91.").

The district court concluded RBS failed to come forward with proof that could show that the seventy-five alleged trade secrets satisfied both statutory requirements—independent economic value and reasonable secrecy. Synopsys, Inc., 2022 WL 3005990, at *15-17. In short, the court held that RBS failed to establish that its trade secrets had independent economic value because it had not "established a connection between" RBS' mid-litigation acquisition price, its "revenues, VulnDB, and any particular trade secret." Id. at *15. It observed the acquisition price did not provide a relevant marker of any asserted trade secret's value because RBS had not shown how a value for the entire company on the date of its recent sale reflected the value of any of the trade secrets. In particular, it observed that since that date, RBS had cut the number of alleged trade secrets by almost half, yet it had not adjusted its asserted value for the remaining trade secrets. As for reasonable secrecy, the district court concluded that although RBS had required nondisclosure agreements from some of its customers, it had not done so consistently or comprehensively, including pertinent gaps in agreements with major customers.

The court's conclusions on the merits of RBS' trade secrets claims rested in part on its exclusion of testimony from RBS' expert witnesses, observing that they had improperly incorporated "legal conclusions, speculation, or factual narrative" into their written reports. Id. at *5 (footnotes omitted). Only one of the witnesses—Adam Shostack—opined on independent economic value and the court excluded that and other portions of his proposed testimony. In explaining that decision, the court observed that Shostack's testimony did not "demonstrate that he individually evaluated RBS's claimed trade secrets" in reaching his opinion that the seventy-five alleged trade secrets collectively had independent economic value. Id. at *7. The court then observed that it didn't need to decide whether grouping of trade secrets was permissible in an expert-opinion report because before reaching such an opinion the expert would still be required to individually evaluate each trade secret to know how to group them and determine that they indeed had independent economic value. In excluding the other challenged witness's testimony (Steven Kursh), the court pointed to many instances where he described incomplete or missing data from Synopsys files, and yet usurped the court's function by making adverse credibility assessments from those gaps and drawing conclusions against Synopsys without adequate comparison of the underlying data.

C.

On appeal, RBS challenges all four determinations, that is, both substantive conclusions supporting summary judgment and the attendant exclusion of its two expert witnesses' testimony. We review the grant of summary judgment de novo, undertaking the same review as the district court. Goodman v. Diggs, 986 F.3d 493, 497 (4th Cir. 2021). Summary judgment should be granted "only if, taking the facts in the best light for the nonmoving party, no material facts are disputed and the moving party is entitled to judgment as a matter of law." Id. at 497-98 (citation omitted); see Fed. R. Civ. P. 56(a). When there's a "failure of proof concerning an essential element of a plaintiff's case," summary judgment is appropriate. Haulbrook v. Michelin N. Am., Inc., 252 F.3d 696, 702 (4th Cir. 2001) (cleaned up). As for the district court's evidentiary determination, we review the decision to exclude expert testimony for abuse of discretion. Sardis v. Overhead Door Corp., 10 F.4th 268, 280 (4th Cir. 2021).

D.

Having reviewed the record evidence and the parties' arguments on appeal, we agree with the district court that RBS failed to come forward with evidence showing its seventy-five alleged trade secrets met the independent economic value requirement. Relatedly, we conclude that the district court did not abuse its discretion in excluding Shostack's testimony on the matter of independent economic value because it would not have aided RBS in satisfying its burden of proof. For these reasons, we agree that Synopsys was entitled to summary judgment on the Virginia and federal misappropriation-of-trade-secrets claims.

Because a "trade secret" comprises both independent economic value and reasonable secrecy, Va. Code § 59.1-336; 18 U.S.C. § 1839(3), RBS' failure to prove independent economic value is fatal to its Virginia and federal claims that Synopsys misappropriated trade secrets. See Haulbrook, 252 F.3d at 702; accord Trandes Corp., 996 F.2d at 661 ("Trandes had to describe the subject matter of its alleged trade secrets in sufficient detail to establish each element of a trade secret."). We therefore need not consider the other ground on which the district court relied to reach its conclusion, namely, whether RBS' evidence was insufficient to prove its reasonable efforts to maintain the secrecy of the alleged trade secrets. Nor do we need to consider whether the court abused its discretion in excluding the entirety of Kursh's testimony, which did not touch on independent economic value and thus would not have enabled RBS to satisfy its burden on that element.

As has been established, for information to constitute a "trade secret" under Virginia and federal law, it must "[d]erive[ ] independent economic value" from its secrecy. Va. Code § 59.1-336; 18 U.S.C. § 1839(3)(B). This element requires proof not just of value, but of value specifically tied to secrecy. See Ruckelshaus v. Monsanto Co., 467 U.S. 986, 1012, 104 S.Ct. 2862, 81 L.Ed.2d 815 (1984) ("The economic value of that property right lies in the competitive advantage over others that [the plaintiff] enjoys by virtue of its exclusive access to the data, and disclosure or use by others of the data would destroy that competitive edge."). In the district court, RBS sought to prove that all seventy-five of its alleged trade secrets satisfied this requirement by pointing to its January 2022 acquisition price of [Redacted] and evidence that at least 90 percent of its revenue comes from licensing VulnDB. But as the district court correctly recognized, a fatal disconnect exists between the evidence RBS relied on and its burden of proof because that evidence does not reflect that the alleged trade secrets had value nor prove that any such value derived from their secrecy.

RBS failed to come forward with evidence establishing the trade secrets had "value." Neither RBS itself nor its private database VulnDB is one of the alleged seventy-five trade secrets, so evidence about RBS' or VulnDB's value cannot substitute for evidence about the seventy-five alleged trade secrets' value. Permitting evidence of the value of the whole entity to substitute as value of a particular component part (the trade secrets) would defeat the obligation of proving that the alleged trade secrets themselves have independent economic value. To hold otherwise would allow RBS to circumvent its burden of proof and redefine "trade secret."

By its own representation, RBS does many things, only one of which (though an important one) is maintaining VulnDB, and VulnDB comprises information far beyond the seventy-five alleged trade secrets. See, e.g., Opening Br. 6-7. Indeed, at the time of RBS' sale, the company was asserting the existence of some 150 trade secrets, which it later recalibrated to 160 trade secrets before eventually slashing that number by over half. These representations show that both the company itself and its proprietary database consist of more than just the alleged seventy-five trade secrets. Far from being co-extensive and thus interchangeable for purposes of establishing value, they are nested, but distinct subparts.

But the problem with RBS' evidence runs deeper still because it also failed to show that any asserted value derives from the seventy-five alleged trade secrets' secrecy. Not everything with commercial value constitutes a trade secret. Both Virginia and federal law require a specific connection between value and secrecy. Va. Code § 59.1-336 (defining "trade secret" as "[d]eriv[ing] independent economic value . . . from not being generally known . . . and not being readily ascertainable" (emphasis added)); 18 U.S.C. § 1839(3)(B) (same); see Trandes Corp., 996 F.2d at 663 (discussing independent economic value as the value competitors could obtain by possessing the information that had previously been kept from them). Thus, part of RBS' obligation was to come forward with evidence that its seventy-five alleged trade secrets had value because they remain secret. See DTM Research, L.L.C. v. AT&T Corp., 245 F.3d 327, 332 (4th Cir. 2001) ("[A trade secret's] continuing secrecy provides the value, and any general disclosure destroys the value."); see also Oakwood Laby's LLC v. Thanoo, 999 F.3d 892, 913 (3d Cir. 2021) ("The trade secret's economic value depreciates or is eliminated altogether upon its loss of secrecy[.]"); Stromback v. New Line Cinema, 384 F.3d 283, 305 (6th Cir. 2004) ("Thus, the essence of a trade secret is that it derives its value from secrecy."). Proof of value untethered to value derived from secrecy does not show an alleged trade secret's independent economic value. E.g., Buffets, Inc. v. Klinke, 73 F.3d 965, 969 (9th Cir. 1996) (affirming the district court's conclusion that the evidence did not establish independent economic value of the plaintiff's recipes because, under Washington law, which uses a materially identical definition of a trade secret, the plaintiff had not established a connection between the asserted value of the recipes and those recipes "being kept secret").

Here, even if we were to assume that RBS' purchase price and the percentage of revenue stemming from VulnDB could prove in the abstract that the trade secrets had some commercial value, neither one satisfies the requirement of showing value arising from their remaining secret. Put another way, the marker of value on which RBS relies does nothing to establish that the asserted value associated with the seventy-five alleged trade secrets derives from their "not being generally known" or "readily ascertainable" to others through lawful means. At bottom, the company's purchase price cannot—as a matter of law—serve as the basis for satisfying this element of the definition of a trade secret.

RBS' arguments in favor of a contrary holding on the requirement of independent economic value do not hold force. For example, it criticizes the district court for requiring it to prove independent economic value "per trade secret." Opening Br. 60 (emphasis omitted). To begin with, because independent economic value is one part of the definition of a "trade secret," Va. Code § 59.1-336; 18 U.S.C. § 1839(3)(B), a basis exists in the statutory language for concluding that evidence of independent economic value must be proven as to each item that a plaintiff seeks to have identified as a distinct "trade secret." Under this reading of the statutory language, value may need to be established "per trade secret." Opening Br. 60 (emphasis omitted). Recognizing as much would not necessarily prohibit a court, the parties, or an expert witness from discussing the independent economic value of individual trade secrets by groups so long as the same evidence related to more than one of the alleged trade secrets and permitted a conclusion to be drawn with respect to each individual trade secret's value.

For purposes of this case, however, we need not definitively decide whether or when "grouping" of evidence to establish a trade secret's independent economic value is ever permitted. Even accepting that RBS could satisfy its burden with proof of valuation based on evidence about groups of its alleged trade secrets rather than individual assessments, that is not what it tried to do here. Instead, RBS relied on evidence of valuation that was not particularized to its seventy-five alleged trade secrets whether they are viewed individually, in smaller groupings, or as a whole. That's the fundamental disconnect identified by the district court, and that's a basis for our affirmance on appeal. E.g., Synopsys, 2022 WL 3005990, at *15 (observing that it "has no method—and RBS has likewise suggested none—of determining which of the now-asserted trade secrets, if any, contributed to RBS's valuation on January 6, 2022").

RBS' reliance on the concept that "value" encompasses more than "a numerical amount" also misses the mark. Opening Br. 60 (emphasis omitted). Once again, a concept true in the abstract fails to grapple with the fundamental lack of evidence of the value of the seventy-five alleged trade secrets based on how RBS decided to prove its case. In the district court, RBS bore the burden of coming forward with evidence of value, and it relied on the company's acquisition price and the share of the company's revenues derived from VulnDB to do so. Thus, RBS—not the district court—introduced a numeric amount into the analysis by relying on the collective corporate value as the sole basis for meeting its burden. It's the misdirection to unrelated measures of value that was the problem, not just a lack of a specific numeric amount tied to each of the alleged trade secrets.

Lastly, in its opening brief, RBS points to evidence in the record that it did not rely on in the district court as proof of the seventy-five alleged trade secrets' independent economic value. It says independent economic value exists based on (1) Synopsys' expert witness Dr. Eric Cole's testimony that he "spent 'a few hours' searching 18 websites to find only 21 of the 300,000+ vulnerabilities reported in VulnDB," thus creating a genuine dispute about the value of VulnDB's "unique data compilations" based on what it would cost an outsider to locate "every source, reference, and vulnerability in VulnDB," Opening Br. 58; (2) Black Duck's repeated efforts to buy RBS and VulnDB and its (alleged) unlawful extraction of VulnDB data, which demonstrate the value of the seventy-five alleged trade secrets; and (3) Shostack's testimony about independent economic value, which the district court (purportedly) improperly excluded.

Synopsys argues RBS' failure to make these arguments in district court results in their forfeiture on appeal. See United States v. Lavabit, LLC (In re Under Seal), 749 F.3d 276, 285 (4th Cir. 2014) (reiterating our "settled rule [that] absent exceptional circumstances, we do not consider issues raised for the first time on appeal" (cleaned up)). RBS responds that these arguments can be considered in the first instance, citing language from our cases stating that when claims are "plainly encompassed by" and a "[v]ariation[ ] on arguments made" in district court. De Simone v. VSL Pharms., Inc., 36 F.4th 518, 528 (4th Cir. 2022) (citations omitted). We are inclined to agree that RBS has forfeited these arguments by failing to direct the district court's attention to this evidence as part of its proof of independent economic value. But we ultimately do not determine the side of the line on which these arguments fall because they readily fail on their merits.

None of this evidence satisfied RBS' burden for the same fundamental reason already discussed. It too attempts to show the independent economic value of the seventy-five alleged trade secrets through proof that RBS and VulnDB have value. Such sleight-of-hand is no more availing as to this evidence than it is to the rest.

Only the exclusion of Shostack's testimony warrants a brief additional discussion. As noted, the district court excluded relevant parts of Shostack's testimony as a result of his legal conclusions and speculative foundation, in addition to the court's concern that Shostack had not demonstrated that he'd reviewed the alleged trade secrets individually. We agree that these problems plagued his assessment of independent economic value. Most problematically, Shostack's report repeatedly refers to the value of RBS and VulnDB while making conclusory assertions about the trade secrets contained in the database. Further, Shostack failed to connect the dots between the collective corporate value and the seventy-five alleged trade secrets. For example, Shostack's written report included the opinion that "[v]ulnerability databases such as VulnDB, and the trade secrets contained within VulnDB, have independent economic value as a result of the skilled work which goes into creating, organizing, compiling, and maintaining them (i.e., as a result of not being generally known or readily ascertainable)." J.A. 5868-69. But his entire analysis explaining this viewpoint focuses on the market for vulnerability databases as a whole without any discussion of why the seventy-five alleged trade secrets have particular value. E.g., J.A. 5888 ("VulnDB's trade secret features, designs, methods, techniques, processes, procedures, programs, and codes have independent value. This is demonstrated by RBS's success in selling the product both in the general market and to Black Duck in particular. Based on my experience, if these secrets had no independent value, then [Black Duck] would not have licensed them or would have cancelled their re-seller agreement without creating their own database."); J.A. 5890 (listing four additional "expression[s] of the value of RBS's database" as (1) royalty payments, (2) "valuation of a company like Black Duck," (3) "either increased number or value of sales," and (4) "market perception by either customers or influencers").

Nor does Shostack represent that his conclusions were based on an individual review of the seventy-five alleged trade secrets. To the contrary, he suggests otherwise by observing that the "trade secrets in this case are numerous," representing his understanding "that another expert is examining the trade secrets individually," and stating that his analysis of Synopsys' "[d]irect [u]se of [t]rade [s]ecrets" "focused on the trade secrets pertaining to sources of vulnerability information to be evaluated and checked regularly," and then cautioning that his report was "intended to supplement, but not replace, any other RBS expert opinion." J.A. 5903.

Nor could he. At the time of his report, dated January 12, 2022, RBS was still propounding over 150 alleged trade secrets. The settled-upon seventy-five were not newly alleged items but were taken from the list of the earlier identified items. Even so, Shostack's failure to identify with precision which alleged trade secrets he reviewed or based his opinions on presents problems when assessing his expert opinion because—given that there's no indication he reviewed all of them—it increases the likelihood that his views were based on consideration of earlier-alleged trade secrets that were not part of the seventy-five.

RBS does not point to any of its other expert witness's testimony as opining on the matter of independent economic value.

RBS again contends that the district court abused its discretion in excluding Shostack's testimony on this ground because Shostack was not required to opine on the trade secrets individually. And as discussed earlier, RBS' argument is problematic given that the definition of a "trade secret" requires an individualized assessment even if that assessment could be discussed in groups rather than per trade secret. Even if grouping is appropriate in some cases, it must be done in a way that permits the trier of fact to undertake this review. Sweeping conclusions untethered to specific shared characteristics of a group of trade secrets that show that each has independent economic value would not aid the trier of fact in undertaking that task. What's more, the district court did not exclude Shostack's testimony on independent economic value only because he considered the trade secrets in his expert report as an undivided whole to streamline the analysis for a trier of fact. To the contrary, the court specifically stated it "need not determine whether to permit this type of grouping." Synopsys, Inc., 2022 WL 3005990, at *7. Instead, the district court pointed out, and the record confirms, that Shostack never indicates that, in formulating his opinion, he ever assessed the trade secrets individually before determining their collective value simply from being part of VulnDB. See id. (excluding Shostack's conclusions because the report "admits that he did not individually evaluate each trade secret and RBS has not identified any evidence that shows otherwise"). Without undertaking that task, Shostack's method for formulating his opinions was on shaky ground, and the district court did not abuse its discretion in excluding it.

RBS' only authority for that proposition consists of two district court decisions, both of which are narrower than how RBS uses them and involve scenarios different from what the district court concluded here.

* * * *

In sum, the district court properly concluded that RBS failed to put forward admissible evidence showing that the seventy-five alleged trade secrets had independent economic value. Absent proof sufficient to satisfy that part of the statutory definition of a "trade secret," RBS could not prevail in a misappropriation-of-trade-secrets claim, and the district court properly granted summary judgment to Synopsys. Given this holding, we need not consider RBS' additional argument that the district court erred in denying its motion for partial summary judgment.

IV.

For the reasons stated, we hold that the district court properly exercised jurisdiction because the case did not become moot during its pendency. In addition, we affirm the district court's grant of summary judgment to Synopsys on the claim that it had misappropriated RBS' trade secrets.

AFFIRMED


Summaries of

Synopsys, Inc. v. Risk Based Sec.

United States Court of Appeals, Fourth Circuit
Jun 15, 2023
70 F.4th 759 (4th Cir. 2023)
Case details for

Synopsys, Inc. v. Risk Based Sec.

Case Details

Full title:SYNOPSYS, INC., Plaintiff-Appellee, v. RISK BASED SECURITY, INC.…

Court:United States Court of Appeals, Fourth Circuit

Date published: Jun 15, 2023

Citations

70 F.4th 759 (4th Cir. 2023)

Citing Cases

Hanks v. Anderson

. Synopsys, Inc v. Risk Based Sec., Inc., 70 F.4th 759, 769 (4th Cir. 2023) (quoting MicroStrategy Inc. v.…

Presidio, Inc. v. People Driven Tech.

PDT argues that, to defeat its motion for summary judgment, it is not enough for Plaintiffs to put for…