RBS vs. Synopsys: Trade Secrets and Software Vulnerabilities

RBS and Synopsys are actively involved in identifying software vulnerabilities and sharing information to prevent exploitation. Recently, RBS accused Synopsys of engaging in unlawful conduct related to its vulnerability database. Synopsys sought a declaration affirming it did not misappropriate RBS' trade secrets. The district court ruled for Synopsys, stating that RBS did not provide enough evidence to support its claim that the alleged trade secrets met the legal definition. RBS appealed the court's decision and other rulings. The 4^th Circuit affirmed the district court's judgment for Synopsys.

Apart from the parties directly involved, other entities, such as the U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, are also interested in identifying vulnerabilities in open-source code. These entities sponsor programs like the Common Vulnerabilities and Exposures (CVE) Program, where CVE Numbering Authorities (CNA) assign unique identifier numbers (CVE Identifiers) to vulnerabilities found in open-source security software. Synopsys recently became a CNA in March 2021 and received a cease-and-desist letter from RBS, claiming that their work as a CNA involved unlawfully obtaining VulnDB data. RBS demanded that Synopsys immediately stop using RBS' intellectual property and not identify vulnerabilities to the CVE until the Massachusetts litigation against Black Duck was resolved.

The court determined that RBS' covenant not to sue did not render the declaratory judgment action moot. The court granted Synopsys' motion to exclude expert witnesses and for summary judgment, concluding that RBS had not provided enough evidence of trade secret misappropriation.

Before delving into the merits, showing that the parties' dispute is not moot is crucial. Article III restricts the jurisdiction of federal courts to actual "cases" and "controversies." The mootness doctrine recognizes that certain circumstances can render a case moot. However, as long as the parties have a concrete interest in the outcome, the case remains active. The case and controversy requirements are as stringent under the Declaratory Judgment Act. A declaratory action is appropriate when there is a substantial and definite controversy between parties with adverse legal interests. The dispute must be specific, concrete, real, large, and amenable to specific relief through a conclusive decree.

RBS argued that the case is now moot and urged the court to vacate the district court's judgment and dismiss the case for lack of jurisdiction. RBS claims that the complaint and the relief sought only pertain to Synopsys' role as a CNA. RBS asserts that its covenant not to sue and withdrawal of the cease-and-desist letter has successfully resolved the dispute. Additionally, RBS believes that the district court erred in considering Synopsys' actions beyond its role as a CNA.

In its review, the Court of Appeals focused on the covenant not to sue and the withdrawal of the cease-and-desist letter, which, when examined alongside the complaint, led them to conclude that RBS had not met its burden. Three primary reasons support this conclusion. First, the complaint addresses a dispute beyond Synopsys' role as a CNA, and the covenant and withdrawal letter only partially address the entire dispute. Second, the language used in the covenant and withdrawal letter is vaguely conditioned on Synopsys' future performance, making it unclear whether RBS' behavior will not recur. Last, since RBS' change was based on specific conditions related to Synopsys' role as a CNA, the withdrawal letter and covenant were revocable at RBS' discretion. They fell short of the benchmark established in Nike vs. Already.

In this case, the covenant not to sue lacks the unequivocal language found in the Nike vs. Already case. Nike's covenant was unconditional, irrevocable, and encompassed all of its allegedly unlawful conduct, thus providing Already with the freedom to sell its shoes without apprehension of legal action. The covenant and documents issued by RBS were partial, conditional, and revocable, failing to meet the high standard set by the Supreme Court. Its conditioned terms and revocability do not satisfy the requirements listed in the Already case. The case should not have been dismissed on mootness grounds. So, the district court was correct in retaining jurisdiction to consider the merits.

Now, let us discuss whether the district court erred in granting Synopsys' motion for summary judgment on the misappropriation of RBS' trade secrets and excluding testimony from RBS' expert witnesses.

The court excluded testimony from RBS' expert witnesses, stating they had included inappropriate elements in their reports. Even though Adam Shostack, the only witness who discussed independent economic value, testified, his testimony was also excluded. The court determined that the witnesses did not individually evaluate RBS' claimed trade secrets and did not need to decide on the grouping of trade secrets in an expert-opinion report. Additionally, the court excluded Steven Kursh's testimony for making adverse credibility assessments without adequately comparing the underlying data. RBS challenges all four determinations on appeal, including the exclusion of the expert witnesses' testimony. The grant of summary judgment is reviewed de novo, considering whether there is a failure of proof about an essential element of RBS' case. The decision to exclude expert testimony is reviewed for abuse of discretion.

RBS did not provide evidence that its alleged trade secrets met the requirement of independent economic value. The district court correctly excluded testimony that would not have helped RBS meet its burden of proof. The evidence RBS relied on did not show that the trade secrets had value or any value derived from their secrecy.

Not everything with commercial value is a trade secret. Both Virginia and federal law require a specific connection between value and secrecy. Proof of value not linked to value derived from secrecy does not establish an alleged trade secret's independent economic value.

Even if RBS' purchase price and revenue percentage from VulnDB suggest some commercial value, they still do not show that the alleged trade secrets rarely are known or readily ascertainable. RBS' argument against proving independent economic value "per trade secret" lacks strength. While the evidence should show value for each distinct trade secret, discussing the value of trade secrets in groups is permissible if it relates to multiple secrets and allows for individual value conclusions.

For this case, it is unnecessary to definitively decide if grouping evidence to show the independent economic value of a trade secret is allowed. RBS did not provide evidence specifically related to its seventy-five alleged trade secrets, whether viewed individually or as a whole. RBS relied on evidence that did not establish which trade secrets contributed to its valuation. RBS' argument that "value" encompasses more than a numerical amount does not address the lack of evidence regarding the value of the alleged trade secrets. RBS introduced a numeric amount by relying on the company's acquisition price and revenue share from VulnDB. Last, RBS presented evidence in its opening brief that it did not rely on in the district court. However, it still did not satisfy its burden of proving the independent economic value of the alleged trade secrets.

This evidence fails to satisfy RBS' burden of proving the independent economic value of the seventy-five alleged trade secrets by relying on the value of RBS and VulnDB.

Excluding Shostack's testimony is worth discussing. The district court excluded parts of his testimony due to legal conclusions and lack of evidence in individually reviewing the alleged trade secrets. Shostack's report repeatedly mentions the value of RBS and VulnDB without explaining the specific value of the seventy-five alleged trade secrets. He did not connect the overall corporate value to the individual trade secrets.

Shostack's conclusions did not involve an individual review of the alleged trade secrets, as he acknowledged that another expert was examining them individually. RBS argued that Shostack did not have to assess the trade secrets individually. This argument is problematic since a trade secret assessment should be individualized. Even if grouping is allowed, it must still allow for a review of each trade secret's independent economic value. The district court did not exclude Shostack's testimony only based on his grouping approach but rather because he did not individually evaluate each trade secret before determining their collective value. Without undertaking this task, Shostack's method for formulating his opinions was questionable, and the district court was justified in excluding it.

The district court correctly found that RBS did not provide admissible evidence of independent economic value for the alleged trade secrets. Without meeting this requirement, RBS could not succeed in its misappropriation claim, and the court properly granted summary judgment to Synopsys. Therefore, there is no need to address RBS' argument regarding denying its motion for partial summary judgment. Additionally, the district court had jurisdiction and correctly exercised it, as the case did not become moot. The court also affirmed the grant of summary judgment to Synopsys on the claim of misappropriation of RBS' trade secrets.