Some cybersecurity companies have doubts about whether their software-based inventions are patentable under U.S. law. Some of these doubts are reasonable, but many are not. Before you decide whether to protect your company's cybersecurity innovations with patents—or leave them freely available for competitors to copy—you need to understand what is patentable.

Fortunately, there are now many data points to inform your decision. In 2016, the U.S. appellate court primarily responsible for shaping patent law issued more than 20 decisions addressing what types of inventions are patent-eligible. Examples of software inventions that were analyzed by that court in 2016 include:

Inventions Found Patent-Eligible

  •  Merging data in a network-based filtering and aggregating platform, and enhancing network accounting data records
  • Reporting on the collection of network usage information from a plurality of network devices
  • Generating a single data record reflecting multiple services for accounting purposes, and enhancing collected data
  • An Internet content filtering system (e.g., for parental controls) located on a remote ISP server that flexibly associates network accounts with filtering schemes and filtering elements
  • A self-referential table for a computer database that stores information and adds new columns or rows according to an algorithm
  • Creating animations of facial gestures based on rules that relate subsequences of phonemes, timings, and morph weight sets

Inventions Rejected as Patent-Ineligible

  • Requesting and receiving at a cellular telephone, located outside the range of a regional broadcaster, network-based content from the broadcaster
  • Providing a first menu (e.g., restaurant menu) that has categories and items, and generating a second menu from that first menu by allowing categories and items to be selected
  • Detecting events on an electric power grid in real time over a wide area and automatically analyzing the events
  • Detecting improper access to a patient's protected health information in a computer environment based on received data and application of rules
  • Classifying and storing digital images in an organized manner

Looking at these data points in the aggregate, several general trends emerge. Cybersecurity companies should assess how their innovations match up with the trends before deciding on a patent protection program. For most cybersecurity inventions, the takeaway is that patent protection is available as long as the patent application is properly drafted.

One observation is that the same invention may be patent-eligible, or not, depending on how the patent application and claims are drafted. When applications and claims are broadly written to generally describe an idea or function, patent-eligibility can be difficult to demonstrate. Patent examiners and courts may find that the invention is a mere "abstract idea" without the technological substance required for patent-eligibility. But when applications and claims are written in light of particular technical implementations or applications, patent-eligibility is often much easier to show. One way to think about this is in terms of "problem" and "solution"; inventions described with broadly casted problems and solutions are less likely to be patent-eligible than inventions described with more thought, detail, and explanation.

Another trend is that, for inventions rooted in a particular technology—such as Internet technologies or relational databases—it can be easier to show patent-eligibility. This is good news for many cybersecurity companies, whose innovations often are unique to the threats posed by cyber breaches, and are not analogous to, for example, well-known techniques of physical security.

The flipside of this trend is that inventions based on implementing, with technical means, what was previously done by humans or businesses, are often difficult to establish as patent-eligible. For example, if the basic idea underlying an invention was previously done mentally, by pen and paper, or by routine business practices, then merely performing the idea using a computer, mobile phone, or other processor-based device may not be considered patent-eligible. This problem is toughest to overcome when the core idea of the invention is a fundamental economic practice, such as exchanging securities or creating restaurant menus.

Understanding these trends is critical for cybersecurity companies of all sizes—from emerging companies seeking to establish a market foothold to industry leaders focused on resisting competitive threats. Patents can be immensely valuable from both perspectives. The good news for cybersecurity companies is that more clarity has recently emerged on what inventions are patent-eligible in the U.S. And more importantly, for most cybersecurity inventions, patents are available if the patent applications are properly drafted.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.