Safeclick, LLC v. Visa International Service Association , 208 F. App'x 829 ( 2006 )

                 NOTE: Pursuant to Fed. Cir. R. 47.6, this disposition
is not citable as precedent. It is a public record.
United States Court of Appeals for the Federal Circuit
06-1182
SAFECLICK, LLC,
Plaintiff-Appellant,
v.
VISA INTERNATIONAL SERVICE ASSOCIATION and
VISA U.S.A., INC.,
Defendants-Appellees.
__________________________
DECIDED: October 23, 2006
__________________________
Before BRYSON, Circuit Judge, CLEVENGER, Senior Circuit Judge, and GAJARSA,
Circuit Judge.
CLEVENGER, Senior Circuit Judge.
Plaintiff-Appellant Safeclick, LLC ("Safeclick") filed this patent infringement suit
against Defendants-Appellees Visa International Service Assoc. and Visa USA, Inc.
(collectively, "Visa") on December 30, 2003, in the United States District Court for the
Northern District of California. Safeclick alleges that Visa's "Verified by Visa" service
infringes claims 6 and 7 of 

 ("the '028 patent"). On July 19,
2005, Visa filed a motion for summary judgment of noninfringement. The motion was
granted on December 21, 2005, and judgment was thereafter entered in Visa's favor.
Safeclick appeals that judgment. We affirm.
I
The invention of the '028 patent is an "electronic transaction security system . . .
designed to substantially prevent the unauthorized use of transaction identification
codes such as credit card numbers for placing transaction requests electronically via
any suitable communication link, such as the Internet." '028 patent col.1 ll.43-48. So,
for example, when a card-holding consumer ("transactionor") wishes to make a
purchase over the Internet from an online merchant ("transactionee"), the invention
attempts to ensure that the parties to the transaction are who they purport to be.
In order to make a verified purchase using the invention, the transactionor sends
a transaction initiation request from his or her computer to a computer operated by the
transactionee.    Before proceeding further with the transaction, the transactionee's
computer requests verification from a computer operated by an entity such as the bank
that issued the credit card ("verifier"). The verifier's computer does this by sending an
acknowledgement request to the transactionor's computer. In response, the verifier's
computer must receive a private identification code that uniquely identifies the
transactionor's computer. If the verifier's computer does not receive the code it expects,
the transaction will not be verified.
Because claims 6 and 7 of the '028 patent are substantially similar, only claim 6
is reproduced here (with emphasis on the relevant claim limitation):
6. A method comprising the steps of:
transmitting a transaction initiation request requesting the initiation of an
electronic transaction to a transactionee computer from a transactionor
computer, the transaction initiation request including a public identification
code uniquely identifying the transactionor computer, and a public
identification code uniquely identifying a transactionee computer;
06-1182                                  2
receiving by the transactionee computer the transaction initiation request;
transmitting a verification request requesting verification of the transaction
from the transactionee computer to a verifier computer in response to the
transactionee computer receiving the transaction initiation request, the
verification request including one of a private identification code and a
public identification code uniquely identifying the transactionee computer
and the public identification code uniquely identifying the transactionor
computer;
receiving the verification request by the verifier computer[;]
transmitting an acknowledgement request requesting acknowledgement of
the electronic transaction from the verifier computer to the transactionor
computer in response to the verifier computer receiving the verification
request;
receiving the acknowledgement request by the transactionor computer;
transmitting an acknowledgement response indicating one of a valid
electronic transaction and an invalid electronic transaction from the
transactionor computer to the verifier computer in response to the
transactionor computer receiving the acknowledgement request, the
acknowledgement response including the private identification code
uniquely identifying the transactionor computer;
receiving the acknowledgement response by the verifier computer;
transmitting a verification response indicating one of a valid electronic
transaction and an invalid electronic transaction from the verifier computer
to the transactionee computer in response to the verifier computer
receiving the acknowledgement response; and
receiving the verification response by the transactionee computer and
executing the electronic transaction in response to the transactionee
computer receiving the verification response indicating a valid electronic
transaction.
'028 patent col.23 l.60 – col.24 l.41 (emphasis added).
06-1182                                  3
II
More than a decade ago, Visa began development of an internet-transaction
protocol known as "3-D Secure" and marketed it under the name "Verified by Visa."
Like the invention of the '028 patent, Verified by Visa seeks to reduce fraud by verifying
the identity of an online consumer who attempts to make a purchase using a registered
Visa credit card.    The details of Visa's methodology are largely unimportant to the
present case. Suffice it to say, a consumer who attempts to make a purchase using the
Verified by Visa system must enter a password into his or her computer and send it to
the card-issuing bank's "Access Control Server" ("ACS"). Before that password is sent,
however, it goes through a process called "Secure Socket Layer" ("SSL") encryption.
The SSL protocol enables the two communicating computers to generate a secret key
for use during the communication session.         If the transmitted information is not
encrypted using this key, then the receiver will be unable to decrypt the information.
Consequently, the password sent from the consumer to the ACS must be the correct
password, and it must have been encrypted using the appropriate key. Upon its receipt
of the encrypted password, the ACS decrypts the password and cross references it with
the password on file. If the message containing the password cannot be decrypted—
indicating a possibility that it may have been changed accidentally or deliberately in
transit—or if the decrypted password does not match the one on file, then the
transaction will not be verified.
III
In the proceedings below, the district court construed "private identification code
uniquely identifying the transactionor computer" as "a nonpublic code that singularly
06-1182                                 4
identifies the computer used by the transactionor, but not only the transactionor himself
or herself." Within thirty days after the issuance of that order, Safeclick was permitted,
pursuant to the Northern District of California's Patent Local Rules, to serve Visa with its
Final Infringement Contentions (to replace its Preliminary Infringement Contentions,
discussed infra) in the form of "[a] chart identifying specifically where each element of
each asserted claim is found within each Accused Instrumentality." Patent Local Rules
3-1(c) and 3-6(a). Safeclick took advantage of the opportunity and timely served Visa
with a chart in which it is asserted that
The private identification code uniquely identifying the cardholder
computer is the authenticating information entered by the cardholder,
which includes the cardholder's password, and, in some case[s], a
personal identification statement.
(JA at A02948.)
Visa subsequently filed a motion for summary judgment of noninfringement,
arguing that there could be no literal infringement because Safeclick had not adduced
any evidence that Verified by Visa meets the "private identification code" limitation as
construed by the court. Safeclick answered with a detailed explanation of its theory:
In Verified by Visa, the cardholder enters a password into his or her
computer to verify his or her identity. Before the cardholder sends the
password, the cardholder computer and issuing bank computer (Access
Control Server, or ACS) share a unique cryptographic key. (Tsudik Decl.
¶¶ 10-11) The cardholder computer uses this unique key to scramble, or
encrypt, the typed-in password so that only the verifier computer can read
the encrypted password. (Id. ¶ 11) This encrypted password is then sent
to the ACS for authentication. (Visa Br. 11-12) The Verified by Visa
password is a "private identification code" as defined by the Court. It is
undisputedly "nonpublic" because it is not known to the merchant, and
thus is not known to all of the parties to the transaction. (Tsudik Decl. ¶¶
13 [sic, ¶ ]; Dominguez Dep. 133:18-25[;] Mortara Decl. Ex. 5) And this
Verified by Visa password singularly identifies the cardholder computer
because the ACS cannot successfully process the encrypted data unless
it comes from the cardholder computer. (Tsudik Decl. ¶ 11)
06-1182                                     5
(JA at A03395) (footnote omitted). Visa objected to this theory of infringement under
Patent Local Rule 3-6(a) because it was, in Visa's opinion, a theory that had not been
set forth in Safeclick's Final Infringement Contentions. Specifically, Visa characterized
Safeclick's new theory that the encrypted version of the cardholder's password satisfies
the "private identification code" limitation as being materially different than Safeclick's
previous theory that the plaintext version of the cardholder's password (i.e., the
password "entered by the cardholder") satisfies that limitation. Accordingly, Visa, in its
reply, urged the court to preclude Safeclick from proceeding with its new theory.
Although the court entertained additional briefing on this issue, at no time did Safeclick
seek leave to amend its Final Infringement Contentions. See Patent Local Rule 3-7
(permitting amendment for good cause shown).
The district court considered the summary judgment motion on the papers and
concluded that Safeclick had in fact violated the local rules by deviating from its Final
Infringement Contentions. In the court's view, Safeclick's old theory of infringement
only required the password entered by the cardholder to singularly identify the
transactionor computer, whereas Safeclick's new theory of infringement requires both
the password entered by the cardholder and the encryption information to singularly
identify the transactionor computer. In other words, "it is the entry and the sending of
[the password] in the manner that Visa has chosen that identifies the cardholder
computer." Safeclick, LLC v. Visa U.S.A., Inc., No. C 03-5865, slip op. at 15 (N.D. Cal.
Dec. 21, 2005) (emphasis in original).         Thus, the district court refused to consider
Safeclick's new theory, and summary judgment was granted in Visa's favor. On appeal,
Safeclick urges this court to find that the district court abused its discretion.
06-1182                                    6
IV
The Northern District of California, like every other district court, has its own set
of local rules for litigants. However, presumably due to the volume of patent cases
brought there, the Northern District also has a special set of Patent Local Rules.
Pursuant to those rules, a party claiming patent infringement—generally the plaintiff—
must provide the following:
Not later than 10 days after the Initial Case Management
Conference, a party claiming patent infringement must serve on all parties
a "Disclosure of Asserted Claims and Preliminary Infringement
Contentions." Separately for each opposing party, the "Disclosure of
Asserted Claims and Preliminary Infringement Contentions" shall contain
the following information:
...
(c) A chart identifying specifically where each element of each
asserted claim is found within each Accused Instrumentality, including for
each element that such party contends is governed by 

(6),
the identity of the structure(s), act(s), or material(s) in the Accused
Instrumentality that performs the claimed function;
(d) Whether each element of each asserted claim is claimed to be
literally present or present under the doctrine of equivalents in the
Accused Instrumentality[.]
Patent Local Rule 3-1.
The plaintiff is not locked into these Preliminary Infringement Contentions.
The Patent Local Rules allow for amendment in two ways:
If a party claiming patent infringement believes in good faith that
(1) the Court's Claim Construction Ruling or (2) the documents produced
pursuant to Patent L.R. 3-4 so requires, not later than 30 days after
service by the Court of its Claim Construction Ruling, that party may serve
"Final Infringement Contentions" without leave of court that amend its
"Preliminary Infringement Contentions" with respect to the information
required by Patent L.R. 3-1(c) and (d).
Patent Local Rule 3-6(a).
06-1182                                 7
Amendment or modification of the Preliminary or Final Infringement
Contentions or the Preliminary or Final Invalidity Contentions, other than
as expressly permitted in Patent L.R. 3-6, may be made only by order of
the Court, which shall be entered only upon a showing of good cause.
Patent Local Rule 3-7.
Our standard of review for a district court's application of such rules is very
deferential. In Genentech, Inc. v. Amgen, Inc., we stated:
"[U]nlike the liberal policy for amending pleadings, the philosophy behind
amending claim charts . . . is decidedly conservative and designed to
prevent the 'shifting sands' approach to claim construction." Atmel
Corp. v. Info. Storage Devices, Inc., 

, 

, at *2 (N.D. Cal. Nov. 5, 1998). Furthermore, this court defers
to the district court when interpreting and enforcing local rules so as not to
frustrate local attempts to manage patent cases according to prescribed
guidelines. In reviewing a district court's exercise of discretion, this court
determines "whether (1) the decision was clearly unreasonable, arbitrary,
or fanciful; (2) the decision was based on an erroneous conclusion of law;
(3) the court's findings were clearly erroneous; or (4) the record contains
no evidence upon which the court rationally could have based its
decision." In re Cambridge Biotech Corp., 

, 1369, 51
USPQ2d 1321, 1329 (Fed. Cir. 1999). . . . [Even where] the record
shows ample reasons for the district court to permit [a party] to amend its
claim chart, our standard of review on this issue does not require reversal
in the presence of reasons to permit amendments. Even a determination
that the district court's ruling was erroneous does not require reversal.
Only if the ruling is found to be clearly erroneous is reversal mandated.
Genentech, 

, 774 (Fed. Cir. 2002).
Safeclick argues that the district court clearly erred in finding that "Safeclick did
not disclose the act of 'sending' the password in its Final Infringement Contentions"
because the claim language itself provides for the act of "transmitting" the private
identification code, and furthermore, because Safeclick explained in its contentions that
"the cardholder enters required authentication information and presses the 'Purchase' or
similar button in the browser window to transmit that information." Appellant's Br. at 37-
38 (emphasis amended).
06-1182                                 8
Safeclick's argument mischaracterizes the district court's reasoning. The act of
transmitting (or sending) the information is not the part of the theory that changed after
service of the Final Infringement Contentions, but rather it was the content of what gets
transmitted (or sent) that changed.        Safeclick explained in its Final Infringement
Contentions that information entered by the user (e.g., a password) is transmitted. In
subsequent briefing, however, Safeclick went beyond the statement in its final
contentions.   It explained that the private identification code was not merely the
password entered by the user but that password as mathematically transformed for
transmission by the SSL features of the user's web browser. This new argument had
the advantage of indicating how the merchant's computer could in some sense
"identify[]" the consumer's computer as required by the claim. When the password is
considered outside its SSL wrapping, the only entity identified is the cardholder, not any
particular computer.    While it might have been reasonable for the district court to
interpret Safeclick's latest infringement contentions as a restatement of its earlier
infringement contention with a mere change of "scope and clarity," see Orion IP, LLC v.
Staples, Inc., 

 (E.D. Tex. Jan. 9, 2006), it was also reasonable for
the district court to interpret Safeclick's latest contentions as impermissibly different than
its previous contentions. Consequently, we are unable to conclude that the district court
erred by adopting one of two reasonable interpretations. See Genentech, 

 ("[Even where] the record shows ample reasons for the district court to permit [a
party] to amend its claim chart, our standard of review on this issue does not require
reversal in the presence of reasons to permit amendments.").
06-1182                                   9
Safeclick argues in the alternative that even if it did violate the Patent Local
Rules, "a case-ending sanction is not appropriate when the opposing party suffers no
prejudice." Appellant's Br. at 42. According to Safeclick, the Patent Local Rules at
issue here are intended to supplement the disclosures required by Fed. R. Civ. P. 26,
and because it is impermissible for local rules to conflict with the Federal Rules of Civil
Procedure, the district court should have looked to Rule 37—which is the mechanism by
which courts enforce Rule 26—for the proper remedy to Safeclick's infraction. Rule 37
provides in relevant part:
A party that without substantial justification fails to disclose
information required by Rule 26(a) or 26(e)(1), or to amend a prior
response to discovery as required by Rule 26(e)(2), is not, unless such
failure is harmless, permitted to use as evidence at a trial, at a hearing, or
on a motion any witness or information not so disclosed.
Fed. R. Civ. P. 37(c)(1) (emphasis added). Had the district court followed the mandates
of this rule, Safeclick contends that it would have been able to show that Visa was not
prejudiced by Safeclick's failure to disclose its new theory of infringement. As such, the
district court would not have struck Safeclick's theory. Safeclick further argues that the
district court was required to provide notice that it was considering striking Safeclick's
theory altogether.
The court need not address the Rule 37 issue because Safeclick did not present
that argument to the district court. Sage Prods., Inc. v. Devon Indus., Inc., 

, 1426 (Fed. Cir. 1997) (explaining that "this court does not 'review' that which was
not presented to the district court"); Ecological Rights Found. v. Pac. Lumber Co.,

, 1154 (9th Cir. 2000) ("It is to assure two-level consideration that issues
usually cannot be raised in appellate courts in the first instance, but instead are waived
06-1182                                  10
(or reviewed only for plain error) if not raised before the district court."). To be sure,
Safeclick did point out in its sur-reply brief that "Visa does not even allege that it
suffered prejudice in this respect." (JA at A04132.) This single sentence simply does
not suffice to show that Safeclick raised Rule 37 before this appeal.         At best, that
sentence was merely a make-weight argument to support the broader argument that
Visa was on notice of Safeclick's theory of infringement. Moreover, although we do not
decide here whether Safeclick had a duty to seek leave to amend its Final Infringement
Contentions pursuant to Patent Local Rule 3-7, we do note that Safeclick's failure to do
so was another foregone opportunity make its Rule 37 argument to the district court.
The Ninth Circuit precedent cited by Safeclick stating that purely legal issues
may sometimes be considered for the first time on appeal is of no consequence in this
case. See, e.g., In re Am. W. Airlines, Inc., 

, 1165 (9th Cir. 2000);
Bolker v. C.I.R., 

, 1042 (9th Cir. 1985). Assuming arguendo that we
would abide by our sister circuit's precedent in this context, the question of whether
there must be a showing of prejudice (or, to be more precise, a showing of
harmlessness) is a factual issue that is not appropriate for us to resolve on appeal. The
plain language of Rule 37 requires the district court to first find that the offending party
was "without substantial justification" for its noncompliance with the discovery rules.
Although Safeclick certainly attempted to shift the blame by arguing that Visa's
discovery responses were inadequate (JA at A04132-33), the district court's written
opinion is devoid of any findings with regard to substantial justification. Therefore, it
would be inappropriate for us to make findings regarding the question of prejudice
06-1182                                  11
(harmlessness) when that highly factual issue has not been presented to, or addressed
by, the district court.
As to Safeclick's further argument that the district court should have provided
notice that it was considering striking Safeclick's theory altogether, we disagree.
Safeclick was provided with notice. On August 26, 2005, Visa argued in its reply brief
that the district court should not consider Safeclick's latest infringement contentions for
failure to comply with the local rules. Safeclick was then given an opportunity to file a
sur-reply brief, which it did on November 8, 2005. Thus, Safeclick's claim that the
district court's action was somehow "out of the blue" is demonstrably false.
V
Accordingly, we hold that the district court did not abuse its discretion by refusing
to consider Safeclick's new infringement contention. The judgment of the district court
is affirmed.
06-1182                                  12