Since the early 2000s, patent trolls—opportunists who obtained questionable patents and asserted those patents against large operating companies to extract nuisance value settlements, leveraging the high cost of patent litigation defense—have been a blight on the patent system in the United States. So impactful were they that Congress mobilized and President Obama enacted the America Invents Act in 2011, which, in part, was designed to curtail this kind of advantage taking. That statute, along with action by the U.S. Supreme Court, have been widely heralded as effective antidotes to the patent troll problem. Still, opportunists abound—as does the money that funds them—and may be leading to a shift from patent troll activity to troll-like activity in other, analogous types of high-tech litigation in the realms of privacy and cybersecurity.

Recent Decline of Patent Trolls

For decades now, patent trolls have capitalized on the high cost of patent litigation defense to extract settlements. Big businesses for years have faced the Hobson's choice of either spending millions of dollars defending the frivolous patent suits brought against them by patent trolls, or avoiding those litigation costs and making quick settlement payment to the trolls for a fraction of that amount. Pure math made it difficult for most companies to justify taking a stand against the trolls, and at least some reports estimated the trolls had cost defendants over half a trillion dollars in economic value by 2011. See James Bessen et al., The Private and Social Costs of Patent Trolls (Boston Univ. School of Law, Law and Economics Research Paper No. 11-45, 2011).

That all changed with President Obama's signing into law of the America Invents Act in 2011. That Act provided powerful new tools for defending nuisance lawsuits in a cost-effective way, and, along with troll-stopping action from the Supreme Court, helped significantly reduce not just patent troll litigation but—perhaps as an unintended consequence—patent litigation on the whole. High-volume plaintiffs (HVPs)—companies that file 10 or more patent cases in a year (which tend to be patent trolls)—are filing fewer and fewer lawsuits. In 2018, HVPs filed about 1,000 lawsuits, down from a peak of more than 3,000 in 2013. See Figure 1 below. And given the success of new post-grant review procedures in the America Invents Act for invalidating weak patents, there is little reason to expect that trend to change.

But as patent trolls recede, the expansion of Big Data and the Internet of Things (IoT) into nearly every aspect of the economy and daily life has created new opportunities for a new group of opportunists: the “Big Data trolls.”

According to a recent survey of general counsel and compliance officers, 37 percent of respondents indicated their companies had been involved in data-privacy litigation in the past 12 months, compared to just 23 percent for intellectual property litigation. This is a three-fold increase from just two years ago, when only 12 percent reported data-privacy litigation. Not surprisingly, particularly given the mass media attention of late to high profile data breaches, 94 percent of in-house counsel say data security is a top-of-mind concern. Alixpartners' 2019 Litigation and Corporate Compliance Survey.

Why Is Big Data Such a Big Target?

Patent trolls have been successful not only due to a glut of weak patents. What has made asserting patent claims such a successful business model—and what has made defending against those claims so frustrating—is the high cost of discovery, and the asymmetry that it presents.

In a traditional competitor-versus-competitor patent litigation, both sides are similarly situated. They both make and sell products and therefore have licensing needs to freely operate, both typically have voluminous documents and data to produce to the other side in costly discovery during litigation, and they both typically hire sophisticated outside counsel to assist them. Since both sides of a competitor dispute feel these same pressures, competitors will often choose to cross-license, or find other ways to avoid litigation.

Additionally, operating companies are generally less likely to assert weak patents. The patent trolls for years made their bones buying up patent assets from bankrupted dot-com companies, and then asserting those patents in ways and against products that were not anticipated at the time the patents were applied for. The end result was that either weak patents, or weak infringement allegations, began to flood federal courts.

These circumstances most often led to targets paying “nuisance” fees to quickly settle patent troll cases. The math was simple: Better to pay five or six figures now than to pay seven figures to win at trial three years from now.

Rise of Big Data Trolls?

Many of these same asymmetries exist in privacy and data-related litigation. These kinds of cases, which have been increasing in number and in public scrutiny, are likewise costly to defend. These often-complex cases involve questions of high technology that can require technical analysis and expert witnesses, and vast amounts of discovery. The stakes are high, as often a company's reputation, and sometimes the jobs of key executives, are on the line. As a result, the costs of defense can be significant. And the plaintiffs are usually individuals, not competitors, so the burden of discovery and other costs is one-sided, much like in patent troll cases.

In some ways, Big Data cases can be even more favorable to plaintiffs than patent troll cases. Data and privacy breaches usually affect large numbers of people, which makes them good candidates for class certification. One such example in the news recently is the Illinois Biometric Information Privacy Act (BIPA). Enacted in 2008, BIPA is aimed at protecting an individual's biometric identifiers from unauthorized use by requiring companies that collect such data to comply with certain notice and consent requirements. The law gives any aggrieved party a private right to sue for monetary compensation.

In January, the Illinois Supreme Court ruled that individuals alleging BIPA violations do not need to allege concrete injury to sue. Rather, standing is satisfied merely by pleading a violation of BIPA's technical requirements. See Rosenbach v. Six Flags Entm't, 2019 IL 123186, ¶ 30 (“A person who suffers actual damages as the result of the violation of his or her rights would meet th[e] definition [of 'aggrieved'] of course, but sustaining such damages is not necessary to qualify as 'aggrieved.' Rather, a person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of … .”)

This broad standing rule in Illinois state court, coupled with BIPA's private cause of action—which entitles successful plaintiffs to recover attorney fees, expert fees, and litigation expenses—has made Illinois an attractive venue for class action lawsuits against companies that collect employees' or consumers' biometric information. See, e.g., Steven Grimes & Eric Shinabarger, Biometric Privacy Litigation: The Next Class Action Battleground, Big Law Business (Jan. 9, 2018) (“[T]he class action plaintiffs' bar has discovered a new statutory tool, complete with a large pool of potential plaintiffs, high statutory damages, and a private right of action: the Illinois Biometric Information Privacy Act (BIPA).”).

And these sorts of big data cases extend far beyond these biometric information privacy laws, into the large numbers of privacy and cybersecurity breach cases that have recently been in the news. These cases have been on the rise—perhaps in part due to the increase in the storage of data, and the increase in high-profile hacks that have inevitably resulted.

Are the trolls moving from the patent space to the big data space? There appears to be at least a correlation, with the data in recent years showing a downward trend in patent troll cases, and an increase in privacy and cybersecurity cases. It is possible that the opportunists—and the money that funds them—are shifting away from the patent trolling landscape, which has become far less favorable, and towards other litigation opportunities on a new frontier.

Source: LexMachina.com. High-volume plaintiffs (blue line) are plaintiffs that have filed 10 or more patent cases in a 365-day span. Data privacy/security filings (orange line) are based on non-patent cases returned in keyword searches for “data breach,” “sensitive personal information,” “personally identifiable information,” “cybersecurity,” “biometric,” and “BIPA.” This data is limited to federal courts; many data privacy and security cases are filed in state courts.

Conclusion

As patent troll filings continue to fall, companies should expect plaintiffs' lawyers and funders to continue to seek out other opportunities. One such opportunity may be found in claims arising from the mass storage of data in Big Data and IoT systems, including privacy claims, data breach claims, breach of contract/warranty claims, products liability claims, consumer protection claims, and others. Much to the chagrin of concerned corporate counsel and compliance officers, we may be witnessing the rise of the Big Data trolls.

Rob Maier is an intellectual property partner in the New York office of Baker Botts, and the head of its intellectual property group in New York. Josh Sibble, a senior associate at the firm, assisted in the preparation of this article.