UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF ALABAMA SOUTHERN DIVISION
DIGITALDOORS, INC., ) ) Plaintiff, ) ) v. ) 2:25-cv-595-EGL ) SOUTHPOINT BANK, ) ) Defendant. )
MEMORANDUM OPINION & ORDER DigitalDoors sued SouthPoint Bank for allegedly infringing four patents covering methods to securely organize and store data. DigitalDoors does not know how SouthPoint protects data. All it seems to know about SouthPoint is that it is a bank. DigitalDoors believes that it is enough to state a claim. That is so, in its view, because a group of financial institutions (though not SouthPoint) spearheaded the creation of Sheltered Harbor, an initiative that promulgates data-security standards for the financial industry and certifies institutions who comply with the standards. According to DigitalDoors, at least some ways of complying with these standards (or their equivalent) infringe its patents, and banks certified by Sheltered Harbor hold around 70% of deposit accounts. DigitalDoors asserts that these allegations are enough to state a claim against SouthPoint. They are not. The complaint alleges nothing about SouthPoint that would indicate it uses Sheltered Harbor other than its line of business. But not all banks use
Sheltered Harbor. And the fact that a subset of the market might be infringing the patents does not justify blindly suing every bank. The complaint is DISMISSED, though DigitalDoors may file an amended complaint within 14 days.
BACKGROUND1 DigitalDoors is a data security company. Doc. 1 ¶2. In 2007, it became “the sole and exclusive owner” of the four patents asserted in this case. Id. at ¶¶19-20.2 Each patent relates “generally to … organizing and processing data” by extracting
“specific sensitive content for specialized storage and subsequent reconstruction.” Id. at ¶27. These patented methods extract content from both structured and unstructured data, apply various filters, classify the content, map and select the
appropriate storage architecture, and set a protocol for data reconstruction. Id. at ¶28.
1 The Court accepts well-pleaded factual allegations as true and construes those allegations in the light most favorable to the plaintiff. Lanfear v. Home Depot, Inc., 679 F.3d 1267, 1275 (11th Cir. 2012). 2 The four patents are U.S. 9,015,301; U.S. 9,734,169; U.S. 10,182,073; and U.S. 10,250,639. DigitalDoors has sued roughly 60 banks for infringing those patents. See DigitalDoors, Inc. v. Peapack Priv. Bank & Tr., No. CV 25-2349, 2025 WL 1592715, at *1 (D.N.J. June 5, 2025) (“The allegations against Peapack are identical to those brought by DigitalDoors against fifty-nine other financial services institutions across the country.”). DigitalDoors believes that its patents are infringed by most financial institutions that comply with the Sheltered Harbor standard or its functional
equivalent. See, e.g., id. at ¶96. Sheltered Harbor is an “industry-driven initiative launched in 2015 to promote the stability of the U.S. financial markets by protecting critical account information and data sets of market participants in order to facilitate
the recovery and use of such information following a destructive cyberattack or other extreme loss of operational capability.” Id. at ¶63. Sheltered Harbor furthers its mission by creating data-protection standards and certifying complaint systems. Id. at ¶¶63, 65.
Founded by thirty-four financial institutions and owned by FS-ISAC Inc. (a worldwide non-profit with board members from organizations like Citigroup, Bank of American, Morgan Stanley, Truist, and Deutsche Bank), Sheltered Harbor
“provides the only industry-developed standards and certifications for resilience, data recovery, and protection of isolated data.” Id. at ¶64. With financial institutions having legal and market incentives to protect customer data, 72% of deposit accounts and 71% of retail brokerage client assets are held by Sheltered Harbor-certified
banks. Id. at ¶66. DigitalDoors also alleges that “Sheltered Harbor certification, or its functional equivalent, is required by industry regulations.” Id. at ¶95. But the complaint does
not cite the referenced industry regulations. Instead, it supports the allegation with a couple of quotations from exhibits: that “[i]ndustry regulation requires that financial institutions prepare for a data destruction event” and that, according to the American
Bankers Association, “100% participation [in Sheltered Harbor] is optimal.” Id. DigitalDoors sued SouthPoint Bank for using data security systems that infringe its patents. See id. at ¶¶95-96. DigitalDoors alleges, on information and belief, that SouthPoint is a “consumer and business financial institution” that “acts
responsibly with respect to cybersecurity” and “endeavors to provide robust state of the art data security protection to customer financial information.” Id. at ¶¶5-7. DigitalDoors does not know the specifics of SouthPoint’s data security efforts
because those measures are “uniquely known to SouthPoint and are beyond public view.” Id. at ¶96. DigitalDoors nonetheless alleges based on information and belief that SouthPoint uses systems or methods that either comply with the Sheltered Harbor standard or are functionally equivalent. Id. Though Southpoint would not
“necessarily infringe” if it implemented such systems, according to DigitalDoors, it “likely” would. Doc. 25 at 12. DigitalDoors asserts five counts of patent infringement against SouthPoint, one for each patent and then an additional claim for willful infringement. Each claim
rests on the assumption that SouthPoint implements Sheltered Harbor or a functional equivalent. SouthPoint moved to dismiss under Federal Rule of Civil Procedure 12(b)(6). Doc. 22. The Court held a hearing on the motion, during which
DigitalDoors abandoned (at least for now) its willful infringement claim. DISCUSSION Under Federal Rule of Civil Procedure 8(a)(2), a complaint must include “a short and plain statement of the claim showing that the pleader is entitled to relief.”
This requires a plaintiff to plead “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). The test is
not whether the defendant is probably liable, but the allegations must indicate “more than a sheer possibility that a defendant has acted unlawfully.” Id. DigitalDoors alleges SouthPoint is violating 35 U.S.C. § 271(a) because it “makes, owns, operates, uses, or otherwise exercises control over” systems and
methods that infringe its patents. Doc. 1 at ¶96. To state a claim, DigitalDoors must first identify the allegedly infringing products. See K-Tech Telecomms., Inc. v. Time Warner Cable, Inc., 714 F.3d 1277, 1284 (Fed. Cir. 2013); Golden v. Qualcomm
Inc., No. 2023-1818, 2023 WL 6561044, at *2 (Fed. Cir. Oct. 10, 2023). The infringing product, according to DigitalDoors, is a Sheltered Harbor system or its functional equivalent. Doc. 1 at ¶96.
SouthPoint moves to dismiss because DigitalDoors has not adequately alleged that SouthPoint uses Sheltered Harbor or an equivalent. Doc.
Free access — add to your briefcase to read the full text and ask questions with AI
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF ALABAMA SOUTHERN DIVISION
DIGITALDOORS, INC., ) ) Plaintiff, ) ) v. ) 2:25-cv-595-EGL ) SOUTHPOINT BANK, ) ) Defendant. )
MEMORANDUM OPINION & ORDER DigitalDoors sued SouthPoint Bank for allegedly infringing four patents covering methods to securely organize and store data. DigitalDoors does not know how SouthPoint protects data. All it seems to know about SouthPoint is that it is a bank. DigitalDoors believes that it is enough to state a claim. That is so, in its view, because a group of financial institutions (though not SouthPoint) spearheaded the creation of Sheltered Harbor, an initiative that promulgates data-security standards for the financial industry and certifies institutions who comply with the standards. According to DigitalDoors, at least some ways of complying with these standards (or their equivalent) infringe its patents, and banks certified by Sheltered Harbor hold around 70% of deposit accounts. DigitalDoors asserts that these allegations are enough to state a claim against SouthPoint. They are not. The complaint alleges nothing about SouthPoint that would indicate it uses Sheltered Harbor other than its line of business. But not all banks use
Sheltered Harbor. And the fact that a subset of the market might be infringing the patents does not justify blindly suing every bank. The complaint is DISMISSED, though DigitalDoors may file an amended complaint within 14 days.
BACKGROUND1 DigitalDoors is a data security company. Doc. 1 ¶2. In 2007, it became “the sole and exclusive owner” of the four patents asserted in this case. Id. at ¶¶19-20.2 Each patent relates “generally to … organizing and processing data” by extracting
“specific sensitive content for specialized storage and subsequent reconstruction.” Id. at ¶27. These patented methods extract content from both structured and unstructured data, apply various filters, classify the content, map and select the
appropriate storage architecture, and set a protocol for data reconstruction. Id. at ¶28.
1 The Court accepts well-pleaded factual allegations as true and construes those allegations in the light most favorable to the plaintiff. Lanfear v. Home Depot, Inc., 679 F.3d 1267, 1275 (11th Cir. 2012). 2 The four patents are U.S. 9,015,301; U.S. 9,734,169; U.S. 10,182,073; and U.S. 10,250,639. DigitalDoors has sued roughly 60 banks for infringing those patents. See DigitalDoors, Inc. v. Peapack Priv. Bank & Tr., No. CV 25-2349, 2025 WL 1592715, at *1 (D.N.J. June 5, 2025) (“The allegations against Peapack are identical to those brought by DigitalDoors against fifty-nine other financial services institutions across the country.”). DigitalDoors believes that its patents are infringed by most financial institutions that comply with the Sheltered Harbor standard or its functional
equivalent. See, e.g., id. at ¶96. Sheltered Harbor is an “industry-driven initiative launched in 2015 to promote the stability of the U.S. financial markets by protecting critical account information and data sets of market participants in order to facilitate
the recovery and use of such information following a destructive cyberattack or other extreme loss of operational capability.” Id. at ¶63. Sheltered Harbor furthers its mission by creating data-protection standards and certifying complaint systems. Id. at ¶¶63, 65.
Founded by thirty-four financial institutions and owned by FS-ISAC Inc. (a worldwide non-profit with board members from organizations like Citigroup, Bank of American, Morgan Stanley, Truist, and Deutsche Bank), Sheltered Harbor
“provides the only industry-developed standards and certifications for resilience, data recovery, and protection of isolated data.” Id. at ¶64. With financial institutions having legal and market incentives to protect customer data, 72% of deposit accounts and 71% of retail brokerage client assets are held by Sheltered Harbor-certified
banks. Id. at ¶66. DigitalDoors also alleges that “Sheltered Harbor certification, or its functional equivalent, is required by industry regulations.” Id. at ¶95. But the complaint does
not cite the referenced industry regulations. Instead, it supports the allegation with a couple of quotations from exhibits: that “[i]ndustry regulation requires that financial institutions prepare for a data destruction event” and that, according to the American
Bankers Association, “100% participation [in Sheltered Harbor] is optimal.” Id. DigitalDoors sued SouthPoint Bank for using data security systems that infringe its patents. See id. at ¶¶95-96. DigitalDoors alleges, on information and belief, that SouthPoint is a “consumer and business financial institution” that “acts
responsibly with respect to cybersecurity” and “endeavors to provide robust state of the art data security protection to customer financial information.” Id. at ¶¶5-7. DigitalDoors does not know the specifics of SouthPoint’s data security efforts
because those measures are “uniquely known to SouthPoint and are beyond public view.” Id. at ¶96. DigitalDoors nonetheless alleges based on information and belief that SouthPoint uses systems or methods that either comply with the Sheltered Harbor standard or are functionally equivalent. Id. Though Southpoint would not
“necessarily infringe” if it implemented such systems, according to DigitalDoors, it “likely” would. Doc. 25 at 12. DigitalDoors asserts five counts of patent infringement against SouthPoint, one for each patent and then an additional claim for willful infringement. Each claim
rests on the assumption that SouthPoint implements Sheltered Harbor or a functional equivalent. SouthPoint moved to dismiss under Federal Rule of Civil Procedure 12(b)(6). Doc. 22. The Court held a hearing on the motion, during which
DigitalDoors abandoned (at least for now) its willful infringement claim. DISCUSSION Under Federal Rule of Civil Procedure 8(a)(2), a complaint must include “a short and plain statement of the claim showing that the pleader is entitled to relief.”
This requires a plaintiff to plead “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). The test is
not whether the defendant is probably liable, but the allegations must indicate “more than a sheer possibility that a defendant has acted unlawfully.” Id. DigitalDoors alleges SouthPoint is violating 35 U.S.C. § 271(a) because it “makes, owns, operates, uses, or otherwise exercises control over” systems and
methods that infringe its patents. Doc. 1 at ¶96. To state a claim, DigitalDoors must first identify the allegedly infringing products. See K-Tech Telecomms., Inc. v. Time Warner Cable, Inc., 714 F.3d 1277, 1284 (Fed. Cir. 2013); Golden v. Qualcomm
Inc., No. 2023-1818, 2023 WL 6561044, at *2 (Fed. Cir. Oct. 10, 2023). The infringing product, according to DigitalDoors, is a Sheltered Harbor system or its functional equivalent. Doc. 1 at ¶96.
SouthPoint moves to dismiss because DigitalDoors has not adequately alleged that SouthPoint uses Sheltered Harbor or an equivalent. Doc. 23 at 13-19. SouthPoint also asserts that the Court should dismiss the complaint because implementing
Sheltered Harbor does not necessarily infringe the patents and because the patents are invalid. Id. at 20-33. But the Court need not reach those arguments because it agrees that DigitalDoors has not plausibly alleged that SouthPoint uses Sheltered Harbor or an equivalent.
A. At this stage, plaintiffs often know the product the alleged infringer uses and the dispute is whether the product likely infringes. See, e.g., Bot M8 LLC v. Sony Corp. of Am., 4 F.4th 1342, 1354-55 (Fed. Cir. 2021). But not here. DigitalDoors’s
allegations about the product SouthPoint uses are based on information and belief. Doc. 1 at ¶¶5, 7, 96. It does not know the product SouthPoint uses, it says, because that information is kept confidential to enhance effectiveness. See id. at ¶96; Doc. 25 at 12-13.
Plaintiffs are entitled to make allegations based on information and belief. See 5 WRIGHT & MILLER, FEDERAL PRACTICE AND PROCEDURE § 1224 (4th ed.); cf. FED. R. CIV. P. 11(b) (requiring attorneys to certify that filings are supported by
“knowledge, information, and belief, formed after an inquiry reasonable under the circumstances”). But those allegations, like any other, are not assumed to be true if lacking “enough facts” to make them “plausible.” Mann v. Palmer, 713 F.3d 1306,
1315 (11th Cir. 2013); see Brown v. Anderson, No. 21-10494, 2023 WL 1102568, at *3 (11th Cir. Jan. 30, 2023) (courts “don’t have to take as true allegations made upon information and belief that lack the factual support to be plausible”).3
That is the case here. DigitalDoors’s allegation, based on information and belief, that SouthPoint infringes its patents because it uses a Sheltered Harbor- compliant system or its functional equivalent (see Doc. 1 at ¶96) is too speculative, as it is based on general allegations about the financial industry, not anything that
SouthPoint has done. DigitalDoors claims SouthPoint uses Sheltered Harbor or an equivalent because there are market and legal incentives for SouthPoint to do so, see, e.g., Doc.
1 at ¶¶6-9, 95, and because there is “near uniform” participation in Sheltered Harbor, the industry standard, id. at ¶¶66, 95. But there is no plausible allegation that banks are required to implement Sheltered Harbor or an equivalent.4
3 See Bascom Glob. Internet Servs., Inc. v. AT&T Mobility LLC, 827 F.3d 1341, 1347 (Fed. Cir. 2016) (“We review a district court’s dismissal for failure to state a claim under the law of the regional circuit.”). 4 See Crenshaw v. Lister, 556 F.3d 1283, 1292 (11th Cir. 2009) (exhibits trump contradicting conclusory allegations); compare Doc. 1 at ¶95 (“Sheltered Harbor certification, or its functional equivalent, is required by industry regulations.”) (citing Docs. 1-19 & 1-32), with Doc. 1 at ¶95 (“Industry regulation requires that financial institutions prepare for a data destruction event.”) (quoting Doc. 1-19), and Doc. 1 at ¶95 (“100% participation is optimal.”) (quoting Doc. 1-32). Thus, DigitalDoors’s “information and belief” reduces to Sheltered Harbor’s popularity in the financial industry. Even with that allegation, however, the
“complaint merely asserts, without any supporting factual basis, that [SouthPoint] uses a Sheltered Harbor-compliant system.” DigitalDoors, Inc. v. EagleBank, No. 24-CV-03792, 2026 WL 554533, at *6 (D. Md. Feb. 27, 2026). That is because there
is not uniform participation in Sheltered Harbor. DigitalDoors alleges that participation is “near uniform,” Doc. 1 at ¶66, but it never provides the percentage of banks that implement Sheltered Harbor. DigitalDoors clarifies that when it claims uniform participation, it is referring not to
the percentage of banks using it, but to the percentage of accounts held by banks that do so. The allegation—that 72% of deposit accounts and 71% of retail brokerage client assets are held by participants—might prove more helpful if it equated to
roughly 70% of banks using Sheltered Harbor, id., but nothing in the complaint supports that assumption.5 The complaint instead undermines that inference, as DigitalDoors also alleges that 34 financial institutions founded Sheltered Harbor and that representatives from some of the nation’s largest banks sit on the owner’s board.
Id. at ¶64. Nor does DigitalDoors allege anything unique about SouthPoint making it plausible that it is among the participants. For example, there is no allegation that
5 Nonetheless, it isn’t even clear that such an assumption would suffice to state a claim. SouthPoint was one of the 34 founding institutions, that any of its representatives sit on the board of the entity that owns Sheltered Harbor, that any of its officers or
employees supported Sheltered Harbor, or that it has ever associated with Sheltered Harbor in any way whatsoever. There aren’t even any allegations about SouthPoint’s size, market share, services, or anything of the like to support the inference that it
likely uses Sheltered Harbor. Indeed, across its 100-page complaint, DigitalDoors alleges almost no specific facts about SouthPoint aside from the fact that it is a bank in Alabama. But SouthPoint opening its doors as a bank is not enough for DigitalDoors to
state a claim against it. That is because SouthPoint being a bank is “merely consistent” with liability, which alone does not state a claim. Iqbal, 556 U.S. at 678. Not all banks use Sheltered Harbor, and there are no well-pleaded facts in the
complaint, assumed true, that could not also be said about a bank that does not use Sheltered Harbor. Thus, there is “an obvious alternative explanation” for the well- plead allegations against SouthPoint, and DigitalDoors cannot “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555, 567. “Given what little the
complaint tells us [about SouthPoint], there is nothing reasonable about [the] expectation that taking discovery would reveal any infringement.” DigitalDoors, Inc. v. Peapack Priv. Bank & Tr., No. CV 25-2349, 2025 WL 1592715, at *2 (D.N.J.
June 5, 2025). B. DigitalDoors contends that it should be allowed to move forward based on speculation because there is no way for it to know without discovery who is
infringing and who is not. See Doc. 25 at 12-13. While DigitalDoors cites decisions sympathetic to plaintiffs when facts are “peculiarly within … possession and control” of a defendant, id., even those decisions do not grant unlimited license. In
one such case, the court explained that the plaintiff “must offer sufficient factual allegations to show that he or she is not merely engaged in a fishing expedition,” Innova Hosp. San Antonio, Ltd. P’ship v. Blue Cross & Blue Shield of Georgia, Inc., 892 F.3d 719, 730 (5th Cir. 2018), and in another the court explained that the plaintiff
must plead “plausible reasons for its ‘belief,’” Exergen Corp. v. Wal-Mart Stores, Inc., 575 F.3d 1312, 1330-31 (Fed. Cir. 2009). DigitalDoors failed to do either. The Eleventh Circuit’s approach is similarly unhelpful for DigitalDoors. In
Mann, a prisoner sentenced to death challenged Florida’s lethal injection protocol under the Eighth Amendment. 713 F.3d at 1306. Under the Eighth Amendment, he needed to allege that the State’s method likely would inflict severe pain. Id. at 1314-15. To that end, he claimed the State lacked “a safe, current, or adequate
supply” of a lethal injection drug. Id. at 1315. He supported his showing by alleging on information and belief that because the manufacturer refused to sell it to States for use in capital punishment, Florida’s supply must have been “either expired,
illegally obtained, or compounded.” Id. at 1309, 1315. No doubt an inmate would have a hard time knowing for certain, without discovery, whether the State’s drugs expired, how the drugs were obtained, or how the drugs were compounded. Those
are not widely publicized details. And the manufacturer cutting off access certainly lent some credibility to his allegations. Yet the Eleventh Circuit declined to accept as true that “conclusory allegation ‘upon information and belief’” because it was not
adequately supported by other facts. Id. at 1315. Under this standard, DigitalDoors fails to state a claim. To be sure, the Eastern District of Texas and the Northern District of Georgia have found that DigitalDoors stated a claim against other banks based on similarly
scanty allegations, but the Court respectfully disagrees. The Northern District of Georgia did so by crediting DigitalDoors’s allegation that industry regulations require Sheltered Harbor or an equivalent. See, e.g., Doc. 25-6 at 15. But this Court
declined to credit that conclusory allegation because it is contradicted by the supporting exhibits. See supra, at 7 n.4. Without that allegation, DigitalDoors is left to speculate that SouthPoint is one of the banks using Sheltered Harbor even though it concedes that not all of them do.
And the Eastern District of Texas never grappled with the non-uniformity of the allegedly infringing technologies and the resulting obvious alternative explanation for the defendant’s conduct. See Doc. 25-2 at 5-7. But that is the required
analysis and the reason DigitalDoors fails to state a claim. At bottom, DigitalDoors’s arguments are based on an incorrect view of the law. As it sees things, even if it alleged that only 1% of banks in the United States
are infringing its patents, it could state a claim against every bank in the United States because it is difficult to sort the infringers from the innocent. That is wrong. Cf. Peapack, 2025 WL 1592715, at *2 (rejecting DigitalDoors’s “infringement-by-
assumption logic”); cf. FDA. v. All. for Hippo. Med., 602 U.S. 367, 396 (2024) (“The ‘assumption’ that if these plaintiffs lack ‘standing to sue, no one would have standing, is not a reason to find standing.’”). DigitalDoors cannot “unlock the doors of discovery” and impose significant costs against every player in an entire industry
because of the “sheer possibility” it might prevail in at least some of those cases. Iqbal, 556 U.S. at 678. To the contrary, DigitalDoors must “show[]” that it is “entitled to relief” from the defendant, id. at 679, not some unknown members of
the market. It has not done so against SouthPoint. CONCLUSION The Motion to Dismiss (Doc. 22) is GRANTED. The complaint is DISMISSED, but the Court GRANTS DigitalDoors leave to file an amended complaint on or before April 8, 2026. DONE and ORDERED this 25th day of March, 2026.
EDMUND G. LACOUR JR. UNITED STATES DISTRICT JUDGE