Synopsys, Inc. v. Risk Based Security, Inc.
This text of 70 F.4th 759 (Synopsys, Inc. v. Risk Based Security, Inc.) is published on Counsel Stack Legal Research, covering Court of Appeals for the Fourth Circuit primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.
Opinion
USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 1 of 31
PUBLISHED
UNITED STATES COURT OF APPEALS FOR THE FOURTH CIRCUIT
No. 22-1812
SYNOPSYS, INC.,
Plaintiff – Appellee,
v.
RISK BASED SECURITY, INC.,
Defendant – Appellant.
Appeal from the United States District Court for the Eastern District of Virginia, at Richmond. John A. Gibney, Jr., Senior District Judge. (3:21-cv-00252-JAG)
Argued: March 8, 2023 Decided: June 15, 2023
Before AGEE and RUSHING, Circuit Judges, and Joseph DAWSON III, United States District Judge for the District of South Carolina, sitting by designation.
Affirmed by published opinion. Judge Agee wrote the opinion, in which Judge Rushing and Judge Dawson joined.
ARGUED: Andrew Evan Samuels, BAKER & HOSTETLER LLP, Columbus, Ohio, for Appellant. Catherine Emily Stetson, HOGAN LOVELLS US LLP, Washington, D.C., for Appellee. ON BRIEF: Kevin W. Kirsch, Columbus, Ohio, Michael S. Gordon, New York, New York, Christopher A. Wiech, BAKER & HOSTETLER LLP, Atlanta, Georgia; C. Dewayne Lonas, Stewart R. Pollock, MORAN REEVES CONN PC, Richmond, Virginia, for Appellant. N. Thomas Connally, Christopher T. Pickens, Tysons, Virginia, USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 2 of 31
Patrick T. Michael, San Francisco, California, Sean Marotta, Johannah Walker, HOGAN LOVELLS US LLP, Washington, D.C., for Appellee.
2 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 3 of 31
AGEE, Circuit Judge:
Both Risk Based Security, Inc. (“RBS”) and Synopsys, Inc., identify vulnerabilities
in the source code of software and share information about those vulnerabilities so they
can be corrected before nefarious individuals exploit them. After RBS accused Synopsys
of engaging in unlawful conduct related to the content of RBS’ vulnerability database,
Synopsys filed this declaratory judgment action. In relevant part, Synopsys sought a
judicial declaration that it had not misappropriated RBS’ trade secrets. On the merits, the
district court granted Synopsys’ motion for summary judgment on that claim after
concluding that RBS had not come forward with evidence showing that any of its alleged
trade secrets satisfied the statutory definition of that term. RBS appeals by challenging the
district court’s merits determination of trade secrets as well as its decisions denying RBS’
motion to dismiss the case as moot, excluding testimony from two of RBS’ expert
witnesses, and denying its motion for partial summary judgment as to some of its trade
secret claims. For the reasons set out below, we affirm the district court’s judgment in favor
of Synopsys.
I.
Software programs run according to their list of instructions, and those instructions
are found in the programs’ code. See Decision Insights, Inc. v. Sentia Grp., Inc., 416 F.
App’x 324, 325 n.2 (4th Cir. 2011) (per curiam)) (describing “source code” as “a document
written in computer language, which contains a set of instructions designed to be used in a
computer to bring about a certain result” (citing Trandes Corp. v. Guy F. Atkinson Co., 996
3 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 4 of 31
F.2d 655, 662–63 (4th Cir. 1993))). Many software programs use open source code,
meaning that the code is publicly accessible. Open source code allows for a greater
exchange of information between all users, including the subset of users who want to
identify and exploit vulnerabilities in the code for malevolent purposes. To counter the
risks posed by these cyberattacks, entities like the federal government as well as private
companies such as RBS and Synopsys work to identify vulnerabilities in open source code.
Once identified, these vulnerabilities can be shared with the public or paying customers for
their use.
RBS has been in the business of identifying and disclosing open source code
vulnerabilities for over a decade. In 2011, it acquired a publicly available vulnerability
database and used the data it contained to create a private database known as “VulnDB.”
It then invested years of research and development into expanding VulnDB’s content far
beyond the originally acquired public database. RBS then commercially licensed VulnDB
to companies including some of its competitors.
One such licensed competitor was Black Duck Software, Inc., which is now a
wholly owned subsidiary of Synopsys. RBS and Black Duck entered into a license
agreement permitting Black Duck certain uses of VulnDB beginning in 2014. During the
time this agreement was in force, Black Duck developed its own databases to manage and
store information about open source code vulnerabilities. Believing that Black Duck
violated the license agreement and misappropriated VulnDB content to undertake that
initiative, RBS revoked Black Duck’s license in 2018 and also filed a complaint against it
in Massachusetts state court. That complaint has since languished in the Massachusetts
4 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 5 of 31
courts, but in late 2021, RBS filed a second amended complaint naming Synopsys—which
acquired Black Duck in 2017—as a new defendant in the case. To date, the Massachusetts
litigation has not been resolved.
As noted earlier, the parties here are not the only entities interested in identifying
vulnerabilities in open source code. The U.S. Department of Homeland Security and the
Cybersecurity and Infrastructure Security Agency sponsor programs for this purpose as
well, one of which is the Common Vulnerabilities and Exposures (“CVE”) Program. As
part of this program, certain entities—CVE Numbering Authorities (“CNA”)—are
authorized to “assign unique identifier numbers [(“CVE Identifiers”)] to vulnerabilities in
open source security software and publish information about the vulnerabilities in the CVE
Program’s public catalogs.” Synposys, Inc. v. Risk Based Sec., Inc., No. 3:21cv252, 2022
WL 3005990, at *2 (E.D. Va. July 28, 2022). Only CNAs can assign CVE Identifiers,
which are unique, alphanumeric identifiers referring to a specific vulnerability that are then
made available to the public for use in cataloging information about and evaluating that
specific vulnerability.
In late March 2021, Synopsys became a CNA and announced its designation in a
press release. Shortly after that announcement, RBS sent Synopsys a cease and desist letter
stating that Synopsys’ work as a CNA would constitute a “severe escalation of the wrongful
conduct engaged in by Black Duck, and now Synopsys” because, in RBS’ view, it
necessarily involved VulnDB data that Black Duck had unlawfully obtained. J.A. 58. RBS
asserted that Synopsys’ work as a CNA would “at a minimum” constitute several violations
5 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 6 of 31
of state and federal law, including misappropriation of trade secrets. 1 J.A. 58. It thus
demanded in the cease and desist letter that Synopsys and its affiliates:
1. Immediately cease the unauthorized use, distribution, and modification of RBS’s intellectual property, including but not limited to the VulnDB database, all vulnerabilities identified therein, and all vulnerabilities discovered by Black Duck or Synopsys by copying or misappropriating information in the VulnDB database.
2. Immediately commit, in writing, to refrain from identifying vulnerabilities to CVE until the full resolution of the Massachusetts litigation against Black Duck.
J.A. 58 (emphases added).
Free access — add to your briefcase to read the full text and ask questions with AI
USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 1 of 31
PUBLISHED
UNITED STATES COURT OF APPEALS FOR THE FOURTH CIRCUIT
No. 22-1812
SYNOPSYS, INC.,
Plaintiff – Appellee,
v.
RISK BASED SECURITY, INC.,
Defendant – Appellant.
Appeal from the United States District Court for the Eastern District of Virginia, at Richmond. John A. Gibney, Jr., Senior District Judge. (3:21-cv-00252-JAG)
Argued: March 8, 2023 Decided: June 15, 2023
Before AGEE and RUSHING, Circuit Judges, and Joseph DAWSON III, United States District Judge for the District of South Carolina, sitting by designation.
Affirmed by published opinion. Judge Agee wrote the opinion, in which Judge Rushing and Judge Dawson joined.
ARGUED: Andrew Evan Samuels, BAKER & HOSTETLER LLP, Columbus, Ohio, for Appellant. Catherine Emily Stetson, HOGAN LOVELLS US LLP, Washington, D.C., for Appellee. ON BRIEF: Kevin W. Kirsch, Columbus, Ohio, Michael S. Gordon, New York, New York, Christopher A. Wiech, BAKER & HOSTETLER LLP, Atlanta, Georgia; C. Dewayne Lonas, Stewart R. Pollock, MORAN REEVES CONN PC, Richmond, Virginia, for Appellant. N. Thomas Connally, Christopher T. Pickens, Tysons, Virginia, USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 2 of 31
Patrick T. Michael, San Francisco, California, Sean Marotta, Johannah Walker, HOGAN LOVELLS US LLP, Washington, D.C., for Appellee.
2 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 3 of 31
AGEE, Circuit Judge:
Both Risk Based Security, Inc. (“RBS”) and Synopsys, Inc., identify vulnerabilities
in the source code of software and share information about those vulnerabilities so they
can be corrected before nefarious individuals exploit them. After RBS accused Synopsys
of engaging in unlawful conduct related to the content of RBS’ vulnerability database,
Synopsys filed this declaratory judgment action. In relevant part, Synopsys sought a
judicial declaration that it had not misappropriated RBS’ trade secrets. On the merits, the
district court granted Synopsys’ motion for summary judgment on that claim after
concluding that RBS had not come forward with evidence showing that any of its alleged
trade secrets satisfied the statutory definition of that term. RBS appeals by challenging the
district court’s merits determination of trade secrets as well as its decisions denying RBS’
motion to dismiss the case as moot, excluding testimony from two of RBS’ expert
witnesses, and denying its motion for partial summary judgment as to some of its trade
secret claims. For the reasons set out below, we affirm the district court’s judgment in favor
of Synopsys.
I.
Software programs run according to their list of instructions, and those instructions
are found in the programs’ code. See Decision Insights, Inc. v. Sentia Grp., Inc., 416 F.
App’x 324, 325 n.2 (4th Cir. 2011) (per curiam)) (describing “source code” as “a document
written in computer language, which contains a set of instructions designed to be used in a
computer to bring about a certain result” (citing Trandes Corp. v. Guy F. Atkinson Co., 996
3 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 4 of 31
F.2d 655, 662–63 (4th Cir. 1993))). Many software programs use open source code,
meaning that the code is publicly accessible. Open source code allows for a greater
exchange of information between all users, including the subset of users who want to
identify and exploit vulnerabilities in the code for malevolent purposes. To counter the
risks posed by these cyberattacks, entities like the federal government as well as private
companies such as RBS and Synopsys work to identify vulnerabilities in open source code.
Once identified, these vulnerabilities can be shared with the public or paying customers for
their use.
RBS has been in the business of identifying and disclosing open source code
vulnerabilities for over a decade. In 2011, it acquired a publicly available vulnerability
database and used the data it contained to create a private database known as “VulnDB.”
It then invested years of research and development into expanding VulnDB’s content far
beyond the originally acquired public database. RBS then commercially licensed VulnDB
to companies including some of its competitors.
One such licensed competitor was Black Duck Software, Inc., which is now a
wholly owned subsidiary of Synopsys. RBS and Black Duck entered into a license
agreement permitting Black Duck certain uses of VulnDB beginning in 2014. During the
time this agreement was in force, Black Duck developed its own databases to manage and
store information about open source code vulnerabilities. Believing that Black Duck
violated the license agreement and misappropriated VulnDB content to undertake that
initiative, RBS revoked Black Duck’s license in 2018 and also filed a complaint against it
in Massachusetts state court. That complaint has since languished in the Massachusetts
4 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 5 of 31
courts, but in late 2021, RBS filed a second amended complaint naming Synopsys—which
acquired Black Duck in 2017—as a new defendant in the case. To date, the Massachusetts
litigation has not been resolved.
As noted earlier, the parties here are not the only entities interested in identifying
vulnerabilities in open source code. The U.S. Department of Homeland Security and the
Cybersecurity and Infrastructure Security Agency sponsor programs for this purpose as
well, one of which is the Common Vulnerabilities and Exposures (“CVE”) Program. As
part of this program, certain entities—CVE Numbering Authorities (“CNA”)—are
authorized to “assign unique identifier numbers [(“CVE Identifiers”)] to vulnerabilities in
open source security software and publish information about the vulnerabilities in the CVE
Program’s public catalogs.” Synposys, Inc. v. Risk Based Sec., Inc., No. 3:21cv252, 2022
WL 3005990, at *2 (E.D. Va. July 28, 2022). Only CNAs can assign CVE Identifiers,
which are unique, alphanumeric identifiers referring to a specific vulnerability that are then
made available to the public for use in cataloging information about and evaluating that
specific vulnerability.
In late March 2021, Synopsys became a CNA and announced its designation in a
press release. Shortly after that announcement, RBS sent Synopsys a cease and desist letter
stating that Synopsys’ work as a CNA would constitute a “severe escalation of the wrongful
conduct engaged in by Black Duck, and now Synopsys” because, in RBS’ view, it
necessarily involved VulnDB data that Black Duck had unlawfully obtained. J.A. 58. RBS
asserted that Synopsys’ work as a CNA would “at a minimum” constitute several violations
5 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 6 of 31
of state and federal law, including misappropriation of trade secrets. 1 J.A. 58. It thus
demanded in the cease and desist letter that Synopsys and its affiliates:
1. Immediately cease the unauthorized use, distribution, and modification of RBS’s intellectual property, including but not limited to the VulnDB database, all vulnerabilities identified therein, and all vulnerabilities discovered by Black Duck or Synopsys by copying or misappropriating information in the VulnDB database.
2. Immediately commit, in writing, to refrain from identifying vulnerabilities to CVE until the full resolution of the Massachusetts litigation against Black Duck.
J.A. 58 (emphases added). The letter expressly reserved RBS’ “right to seek an appropriate
remedy in the event this matter is not expeditiously resolved.” J.A. 59.
In April 2021, Synopsys filed this declaratory judgment action in the U.S. District
Court for the Eastern District of Virginia. Against the backdrop of the cease and desist
letter’s accusations and demands, the complaint sought a declaration that Synopsys had not
misappropriated RBS’ trade secrets. 2
During discovery, however, RBS sent Synopsys a covenant not to sue and a
withdrawal letter, which it also filed in the district court. Based on those documents, RBS
1 Both the cease and desist letter and the complaint identified multiple alleged violations of state and federal law, all of which have been resolved before this appeal and none of which are contested in this appeal. Accordingly, we do not address them and focus instead on the allegation of misappropriated trade secrets under Virginia and federal law. 2 Although Synopsys filed the declaratory judgment complaint, the district court identified the parties based on their relative positions in a misappropriation-of-trade-secrets claim, with RBS as the “plaintiff” alleging that “defendant” Synopsys had violated the pertinent statutes. This opinion adopts the same approach, discussing the misappropriation claims as if RBS were the “plaintiff” and Synopsys were the “defendant.”
6 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 7 of 31
moved to dismiss the complaint as moot. 3 As expounded on below, the district court held
that the declaratory judgment action was not moot because “RBS has not demonstrated that
the covenant remedies or prevents the injuries Synopsys alleges.” Synopsys, Inc. v. Risk
Based Sec., Inc., No. 3:21cv252, 2022 WL 107184, *1 (E.D. Va. Jan. 11, 2022). 4
Upon the close of discovery, each party moved to exclude certain testimony from
the other’s experts and for summary judgment (Synopsys in full and RBS partially). The
district court addressed the motions in a single order. Relevant to this appeal, the district
court granted Synopsys’ motion to exclude one of RBS’ expert witnesses in toto and one
in part, concluding that “each conveys improper legal conclusions, speculation, or factual
narrative.” Synposys, Inc., 2022 WL 3005990, at *5 (footnotes omitted). In addition, the
district court granted Synopsys’ motion for summary judgment after determining that RBS
had failed to come forward with proof sufficient to show that the alleged “trade secrets” it
accused Synopsys of misappropriating met the legal definition of that term. As relevant to
the court’s determination, the definition of “trade secret” common to Virginia and federal
law requires proof of something (here, data or information) that “[d]erives independent
economic value” from its secrecy, id. at *15 (alteration in original) (quoting Va. Code
§ 59.1-336 and citing 18 U.S.C. § 1839(3)), and that its owner had undertaken “reasonable
efforts to maintain the secrecy of its asserted trade secrets,” id. at *16; Va. Code § 59.1-
336; 18 U.S.C. § 1839(3)(A). The district court concluded RBS’ evidence was deficient as
Around the same time, RBS added Synopsys as a defendant in the pending 3
Massachusetts litigation. 4 In January 2022, RBS was acquired by Flashpoint for . 7 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 8 of 31
to both aspects of a trade secret. Accordingly, it granted Synopsys summary judgment for
a declaration that the company had not misappropriated RBS’ trade secrets. Lastly, the
district court held that regardless of its ruling on Synopsys’ motion for summary judgment,
it would have separately denied RBS’ motion for partial summary judgment.
After the parties resolved the remaining claims and procured the district court’s
entry of final judgment, RBS noted a timely appeal. The Court has jurisdiction under 28
U.S.C. § 1291.
II.
Before proceeding to the merits, we must assure ourselves that the district court
correctly determined that the parties’ dispute was not moot.
A.
Article III limits a federal court’s jurisdiction to actual “cases” and “controversies,”
and the parties’ dispute must “be extant at all stages of review, not merely at the time the
complaint is filed.” Campbell-Ewald Co. v. Gomez, 577 U.S. 153, 160 (2016) (citations
omitted). To account for this requirement, the mootness doctrine recognizes that some
“intervening circumstance[s] deprive[] the plaintiff of a personal stake in the outcome of
the lawsuit, [such that] the action can no longer proceed.” Id. at 160–61 (cleaned up). “A
case becomes moot, however, only when it is impossible for a court to grant any effectual
relief whatever to the prevailing party.” Id. at 161 (cleaned up). “As long as the parties
have a concrete interest, however small, in the outcome of the litigation, the case is not
moot.” Id. (citation omitted).
8 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 9 of 31
Article III’s case and controversy requirement—and the attendant doctrine of
mootness—is “no less strict under the Declaratory Judgment Act than in case of other
suits.” Altvater v. Freeman, 319 U.S. 359, 363 (1943) (internal citation omitted). In
MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118 (2007), the Supreme Court held that a
declaratory action is available when the totality of the circumstances “show[s] that there is
a substantial controversy, between parties having adverse legal interests, of sufficient
immediacy and reality to warrant the issuance of a declaratory judgment.” Id. at 127
(citation omitted). This means that the parties’ dispute must be “definite and concrete,
touching the legal relations of parties having adverse legal interests,” it must be “real and
substantial,” and it must be amenable to “specific relief through a decree of a conclusive
character, as distinguished from an opinion advising what the law would be upon a
hypothetical state of facts.” Id. (citation omitted).
One aspect of mootness associated with declaratory judgment actions arises when a
party unilaterally covenants not to sue the other party, thus raising the question of whether
that covenant sufficiently alters the circumstances so as to render the case moot. These
actions fall within the doctrine’s broader recognition that a party “cannot automatically
moot a case simply by ending its unlawful conduct once sued.” Already, LLC v. Nike, Inc.,
568 U.S. 85, 91 (2013). And a party “claiming that its voluntary compliance moots a case
bears the formidable burden of showing that it is absolutely clear the allegedly wrongful
behavior could not reasonably be expected to recur.” Id. (emphases added) (citation
omitted). In assessing whether a particular covenant not to sue renders the declaratory
judgment action moot, the Court looks to the claims and relief sought in the complaint as
9 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 10 of 31
compared to the scope of the covenant not to sue. E.g., Revolution Eyewear, Inc. v. Aspex
Eyewear, Inc., 556 F.3d 1294, 1297 (Fed Cir. 2009) (“Whether a covenant not to sue will
divest the trial court of jurisdiction depends on what is covered by the covenant.”); Caraco
Pharm. Lab’ys, Ltd. v. Forest Lab’ys, Inc., 527 F.3d 1278, 1297 (Fed. Cir. 2008) (observing
that if, after the covenant has been issued, “a substantial controversy . . . of sufficient
immediacy and reality to warrant the issuance of a declaratory judgment” still exists, then
the case is not moot (quoting MedImmune, 549 U.S. at 127)).
B.
RBS asserts that “in reliance on” certain representations made during the pretrial
proceedings, it covenanted not to sue Synopsys and withdrew its cease and desist letter.
J.A. 581, 583. In particular, both the covenant and the withdrawal letter hinged on certain
representations Synopsys allegedly made in the pending litigation, such as that its
continuing work as a CNA would be “the product of its independent research and not based
on any vulnerability database at all, let alone VulnDB.” J.A. 580–81. In express “good faith
reliance” on those representations, J.A. 581, RBS asserted that it withdrew the cease and
desist letter “and any subsequent assertion concerning Synopsys’ use or potential use of
VulnDB in its role as a CNA,” J.A. 583. RBS viewed the covenant not to sue and the
withdrawal letter as “finally resolv[ing] any dispute over Synopsys’s conduct as a CNA
related to VulnDB®” and urged that the case be dismissed as moot because these
documents “conclusively end[ed] this litigation.” J.A. 581.
The district court disagreed and declined to dismiss the declaratory judgment action.
Relying on the Supreme Court’s seminal decision in Already, LLC v. Nike, Inc., the court
10 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 11 of 31
determined that RBS’ unilateral covenant not to sue did not satisfy its “‘formidable’ burden
of showing that the injury Synopsys seeks to remedy and prevent ‘could not reasonably be
expected’ to recur.” Synopsys, Inc., 2022 WL 107184, at *7 (quoting Already, 568 U.S. at
91). In particular it observed that the covenant was limited to Synopsys’ “role as a CNA
related to VulnDB,” and thus “does not sufficiently protect Synopsys’s other commercial
conduct,” which it had sought to protect “in its complaint [through] repeated[] refer[ences]
to its business relationships.” Id. Acknowledging that Synopsys’ CNA activities formed
the backdrop for the litigation, the district court observed that this ultimately was one
“example of the conduct [Synopsys] s[ought] to protect in its remaining claims, [and] the
relief it s[ought] for each claim demonstrate[d] that it did not refer to this conduct in a
vacuum” given the “financial and reputational harm that” it desired to avoid by seeking a
declaratory judgment. Id. at *8. “[G]iven the narrowly-tailored protection the covenant
provide[d],” and the broader scope of the complaint’s alleged harms and claim for relief,
the district court concluded the case had not been rendered moot under Already’s standards.
Id.
C.
On appeal, RBS renews its argument that the case is moot, urging the Court to vacate
the district court’s judgment on the merits and dismiss the case for want of jurisdiction. It
contends that the complaint’s factual allegations pertained solely to Synopsys’ role as a
CNA and that the relief sought here similarly relates solely to that role. RBS maintains that
its covenant not to sue and withdrawal of the cease and desist letter resolved the entirety of
the parties’ dispute because in them RBS agreed not to sue Synopsys based on its
11 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 12 of 31
performance of that role. And it asserts the district court improperly looked outside
Synopsys’ actions as a CNA to determine the case was not moot because that conduct falls
outside the scope of the parties’ dispute.
We review de novo this issue of the federal courts’ jurisdiction. Porter v. Clarke,
852 F.3d 358, 363 (4th Cir. 2017).
D.
Under the governing legal principles outlined above, our review centers on the scope
of the covenant not to sue and the withdrawal of the cease and desist letter when read in
tandem with the complaint. That review leads us to conclude that RBS did not meet its
“formidable burden” by unilaterally withdrawing the cease and desist letter and
covenanting not to sue. Already, 568 U.S. at 91 (citation omitted). This is so for at least
three reasons. First, the complaint’s broader background and prayer for relief addressed a
dispute larger than Synopsys’ specific role as a CNA, and the covenant not to sue and
withdrawal letter only partially addressed the entire dispute. Second, the language of the
covenant not to sue and the withdrawal letter were vaguely conditioned on Synopsys’ future
performance and thus did not make it “absolutely clear” that RBS’ “allegedly wrongful
behavior could not reasonably be expected to recur.” Id. (citation omitted). Third, and
relatedly, because RBS’ unilateral change relied on certain conditions about how Synopsys
12 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 13 of 31
undertook its role as a CNA, the withdrawal letter and covenant not to sue were revocable
at its discretion and thus fell further short of the high benchmark established in Already. 5
At the outset, RBS’ mid-litigation course reversal only partially addressed the
parties’ underlying dispute, as evidenced by the language of both the cease and desist letter
and—more importantly—the complaint. Although the cease and desist letter’s immediate
factual foundation was RBS’ belief that Synopsys would misuse VulnDB content in its role
as a CNA, the letter articulates the dispute more broadly. RBS demanded that Synopsys
“[i]mmediately cease the unauthorized use, distribution, and modification of RBS’s
intellectual property, including but not limited to the VulnDB database, all vulnerabilities
identified therein, and all vulnerabilities discovered by Black Duck or Synopsys by
copying or misappropriating information in the VulnDB database.” J.A. 58 (emphases
added). Given that the cease and desist letter spurred Synopsys to file the complaint, this
broader demand supports the district court’s conclusion that what Synopsys sought to
protect in the complaint, including its specific prayer for relief, went beyond clarifying the
parties’ rights solely as to Synopsys’ CNA activities. As recounted throughout the
complaint, Synopsys sought—in relevant part—declarations that it “has not copied or
misappropriated any of RBS’ purported” trade secrets, and thus has not violated federal or
Virginia law in any capacity; not just as a CNA. J.A. 37 (emphasis added); see also J.A.
5 Synopsys contends that RBS’ characterizations of certain statements made during the litigation—which form part of the recitals giving rise to the covenant and withdrawal letter—misrepresent its position in this case. If true, this too would be problematic, though we have ample basis for rejecting RBS’ mootness arguments without needing to delve into the record to resolve that aspect of the parties’ arguments on appeal. 13 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 14 of 31
54 (prayer for relief). These requests are untethered to Synopsys’ specific role as a CNA
or its use of VulnDB in that role, and thus support the district court’s conclusion that RBS’
covenant not to sue Synopsys “for any and all existing or future claims based on Synopsys’s
role as a CNA related to VulnDB®” did not conclusively show the parties’ dispute had
been resolved. J.A. 581. 6 As we have previously recognized, “the bar for maintaining a
legally cognizable claim is not high: ‘As long as the parties have a concrete interest,
however small, in the outcome of the litigation, the case is not moot.’” Grimm v. Gloucester
Cnty. Sch. Bd., 972 F.3d 586, 604 (4th Cir. 2020) (quoting Chafin v. Chafin, 568 U.S. 165,
172 (2013)).
Two more reasons apparent on the face of the covenant and withdrawal letter make
clear that their issuance did not affect the justiciability of Synopsys’ action: conditionality
and revocability. Each document is conditioned on lengthy fact-specific recitals purporting
to serve as the basis for RBS’ willingness to issue them. For example, they cite Synopsys’
counsel “unequivocal[ly] represent[ing] that its conduct as a CNA is not and will not be
6 The broader context in which the covenant was issued bolsters our conclusion, though it’s unnecessary to reach it. Shortly after issuing the covenant and withdrawal letter, RBS added Synopsys as a party defendant to the pending Massachusetts litigation also involving alleged misappropriation of VulnDB and its data. While the state case involves different claims against Black Duck and Synopsys, it still demonstrates RBS’ ongoing belief that Synopsys is liable to it for conduct relating to VulnDB. To the extent that Synopsys sought a determination in this case that particular allegations and claims of misconduct relating to VulnDB were untrue apart from the limited context of its role as a CNA, those remained a live controversy as RBS intends to continue pursuing its core theory that some portion of Black Duck and Synopsys’ ongoing work improperly originates from VulnDB. Thus, there’s a “live” controversy and Synopsys continues to have a “legally cognizable interest in the outcome” of this action. See Already, 568 U.S. at 91 (citation omitted).
14 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 15 of 31
based on VulnDB” “or any other vulnerability database” and they note RBS’ “good faith
reliance” on these statements as the basis for RBS’ willingness to covenant not to sue and
withdraw the cease and desist letter. J.A. 580–81. These reservations expressly condition
RBS’ issuance of both documents on Synopsys’ alleged representations, and thus implicitly
condition RBS’ future obligation to adhere to them as well. Nothing in either document
would prevent RBS from unilaterally determining at some future date that Synopsys had
violated the basis for its own obligations and thus arguing that it was not bound by the
covenant not to sue.
The absence of language unequivocally disavowing future litigation or other action
against Synopsys makes the covenant not to sue here a far cry from the one at issue in
Already. In that case, Nike “unconditionally and irrevocably covenant[ed] to refrain from
making any claim(s) or demand(s) . . . against Already or any of its . . . related business
entities . . . on account of any possible cause of action based on or involving” any of the
claims or any of the current or previous products at issue, including colorable imitations of
them. 568 U.S. at 93 (second and third alterations in original). In discussing why Nike’s
covenant satisfied the burden of showing that its unilateral issuance made it “absolutely
clear [Nike’s] allegedly wrongful behavior could not reasonably be expected to recur,” id.
at 91 (citation omitted), the Court pointed to it being “unconditional and irrevocable”; it
prohibited not just “filing suit,” but also “making any claim or any demand”; it extended
beyond Already itself to include affiliates; and “it covers not just current or previous
designs, but any colorable imitations.” Id. at 93. In short, the covenant “encompass[ed] all
of [Nike’s] allegedly unlawful conduct,” id. at 94, meaning that “Already [was] free to sell
15 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 16 of 31
its shoes without any fear of” Nike acting against it, id. at 96, and Already had not come
forward with any argument to the contrary, id. at 95.
Even accepting that a covenant not to sue may not need to contain such extensive
language as used in Already, it’s readily evident here that RBS’ covenant falls well short
of meeting its initial burden under the Supreme Court’s high standard. 7 Its conditioned
terms and revocability are both fatal to satisfying the requirements set forth in Already. See
Porter, 852 F.3d at 364 (“The Supreme Court has held that a defendant satisfies [its] heavy
burden when, for example, it enters into an ‘unconditional and irrevocable’ agreement that
prohibits it from returning to the challenged conduct.” (citation omitted)); ArcelorMittal v.
AK Steel Corp., 856 F.3d 1365, 1370 (Fed. Cir. 2017) (concluding that a covenant not to
sue had not rendered the case moot because it had not “unconditionally assure[d]
Defendants and their customers that it would never assert [the challenged] claims . . .
against them”); Lewis Bros. Bakeries Inc. v. Interstate Brands Corp. (In re Interstate
Bakeries Corp.), 751 F.3d 955, 960–61 (8th Cir. 2014) (declining to dismiss the action as
moot where the defendant—unlike Nike in Already—“ha[d] not given ironclad assurances
7 This case does not require us to determine what distance exists between the particular covenant not to sue at issue in Already and a less comprehensive covenant not to sue that nonetheless meets the Already standard. But we note that other courts have recognized at least some distance is permissible. See, e.g., ABS Glob., Inc. v. Cytonome/ST, LLC, 984 F.3d 1017, 1021–22 (Fed. Cir. 2021) (concluding that a covenant that was “unquestionably narrower than the covenant not to sue in Already” still satisfied Already’s standard because the disavowal was “coextensive with the asserted injury,” allowing the plaintiff to continue operating, and prohibiting the defendant from asserting liability against it for doing so not just for the products at issue but also for those that were “essentially the same” as the ones at issue (citation omitted)).
16 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 17 of 31
about the License Agreement” and, “[e]specially in light of the lengthy and ongoing dispute
between the parties over [that agreement], the record d[id] not foreclose a reasonable
possibility that [the owner of the disputed mark would] maintain that the agreement is
executory,” which was the “precise dispute in th[e] case”). We have previously recognized
that “[w]henever ‘a defendant retains the authority and capacity to repeat an alleged harm,
a plaintiff’s claims should not be dismissed as moot.’” Courthouse News Serv. v. Schaefer,
2 F.4th 318, 323 (4th Cir. 2021) (quoting Wall v. Wade, 741 F.3d 492, 497 (4th Cir. 2014)).
RBS retained such authority and capacity by issuing a covenant premised on its
interpretation of Synopsys’ representations and future conduct in accordance with those
understandings.
In sum, the documents RBS issued mid-litigation do not meet Already’s standards
because they are partial, conditional, and revocable. Accordingly, we reject RBS’
contention that the case should have been dismissed as moot following RBS’ issuance of
the covenant not to sue and its withdrawal of the cease and desist letter. The district court
appropriately concluded that it retained jurisdiction to consider the merits.
III.
We next turn to whether the district court erred in granting Synopsys’ motion for
summary judgment on whether it had misappropriated RBS’ trade secrets and the related
question of whether the court abused its discretion in excluding testimony from RBS’
expert witnesses.
17 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 18 of 31
Failing to prove the existence of a “trade secret” dooms a misappropriation claim.
Trandes Corp., 996 F.2d at 661 (observing that a plaintiff does not satisfy his burden by
identifying something that “could qualify as trade secrets,” but also must come forward
with “evidence that these items met the definition of a trade secret” (emphasis added)); see
also MicroStrategy Inc. v. Li, 601 S.E.2d 580, 588 (Va. 2004) (stating that the relevant
Virginia statute has two elements—“the existence of a ‘trade secret’ and its
‘misappropriation’ by the defendant” —and that “if a plaintiff fails to prove either required
element, the plaintiff is not entitled to relief” (citation omitted)). The Virginia and federal
definitions of “trade secret” are of a piece, applying to all sorts of things—including
information and compilations of information—bearing two characteristics. First, a trade
secret must “[d]erive[] independent economic value, actual or potential, from not being
generally known to, and not being readily ascertainable by proper means by, other persons
who can obtain economic value from its disclosure or use.” Va. Code § 59.1-336; accord
18 U.S.C. § 1839(3)(B) (containing materially identical language). Second, a trade secret
must be “the subject of efforts that are reasonable under the circumstances to maintain its
secrecy.” Va. Code § 59.1-336; accord 18 U.S.C. § 1839(3)(A) (requiring that “the owner
thereof has taken reasonable measures to keep such information secret”). For ease of
reference, we refer to the two elements of the trade secret definition by the shorthand
requirements of “independent economic value” and “reasonable secrecy.”
Although the existence of a trade secret “ordinarily presents a question of fact to be
determined by the fact finder from the greater weight of the evidence,” MicroStrategy Inc.,
18 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 19 of 31
601 S.E.2d at 589, summary judgment can still be appropriate when the record does not
create a genuine issue of material fact as to the necessary elements.
In the district court, RBS repeatedly altered the number of trade secrets that it
alleged Synopsys purportedly misappropriated. For most of the case, it asserted 150 and as
many as 160 trade secrets were at issue. By the summary-judgment stage, however, RBS
had cut the number to seventy-five. Broadly speaking, its alleged trade secrets consisted of
vulnerability data collected over certain periods of time or in certain file locations,
including structures, mapping, and relationships contained in VulnDB as well as
compilations and methods of analyzing and documenting identified vulnerabilities. E.g.,
J.A. 4682 (Trade Secret 1: “RBS’s vulnerability references from January through May of
2016 contained in ossAvailability2016.csv (cited in BD-RBS-000006741).”); J.A. 4692
(Trade Secret 26: “The compilation of software vulnerability data contained in
base_credits.csv (RBS-00003368).”); J.A. 4699 (Trade Secret 68: “VulnDB software
vulnerability data structure contained in BD-RBS-181790-91.”).
The district court concluded RBS failed to come forward with proof that could show
that the seventy-five alleged trade secrets satisfied both statutory requirements—
independent economic value and reasonable secrecy. Synopsys, Inc., 2022 WL 3005990,
at *15–17. In short, the court held that RBS failed to establish that its trade secrets had
independent economic value because it had not “established a connection between” RBS’
mid-litigation acquisition price, its “revenues, VulnDB, and any particular trade secret.”
Id. at *15. It observed the acquisition price did not provide a relevant marker of any asserted
19 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 20 of 31
trade secret’s value because RBS had not shown how a value for the entire company on the
date of its recent sale reflected the value of any of the trade secrets. In particular, it observed
that since that date, RBS had cut the number of alleged trade secrets by almost half, yet it
had not adjusted its asserted value for the remaining trade secrets. As for reasonable
secrecy, the district court concluded that although RBS had required nondisclosure
agreements from some of its customers, it had not done so consistently or comprehensively,
including pertinent gaps in agreements with major customers.
The court’s conclusions on the merits of RBS’ trade secrets claims rested in part on
its exclusion of testimony from RBS’ expert witnesses, observing that they had improperly
incorporated “legal conclusions, speculation, or factual narrative” into their written reports.
Id. at *5 (footnotes omitted). Only one of the witnesses—Adam Shostack—opined on
independent economic value and the court excluded that and other portions of his proposed
testimony. In explaining that decision, the court observed that Shostack’s testimony did
not “demonstrate that he individually evaluated RBS’s claimed trade secrets” in reaching
his opinion that the seventy-five alleged trade secrets collectively had independent
economic value. Id. at *7. The court then observed that it didn’t need to decide whether
grouping of trade secrets was permissible in an expert-opinion report because before
reaching such an opinion the expert would still be required to individually evaluate each
trade secret to know how to group them and determine that they indeed had independent
economic value. In excluding the other challenged witness’s testimony (Steven Kursh), the
court pointed to many instances where he described incomplete or missing data from
Synopsys files, and yet usurped the court’s function by making adverse credibility
20 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 21 of 31
assessments from those gaps and drawing conclusions against Synopsys without adequate
comparison of the underlying data.
On appeal, RBS challenges all four determinations, that is, both substantive
conclusions supporting summary judgment and the attendant exclusion of its two expert
witnesses’ testimony. We review the grant of summary judgment de novo, undertaking the
same review as the district court. Goodman v. Diggs, 986 F.3d 493, 497 (4th Cir. 2021).
Summary judgment should be granted “only if, taking the facts in the best light for the
nonmoving party, no material facts are disputed and the moving party is entitled to
judgment as a matter of law.” Id. at 497–98 (citation omitted); see Fed. R. Civ. P. 56(a).
When there’s a “failure of proof concerning an essential element of a plaintiff’s case,”
summary judgment is appropriate. Haulbrook v. Michelin N. Am., Inc., 252 F.3d 696, 702
(4th Cir. 2001) (cleaned up). As for the district court’s evidentiary determination, we
review the decision to exclude expert testimony for abuse of discretion. Sardis v. Overhead
Door Corp., 10 F.4th 268, 280 (4th Cir. 2021).
Having reviewed the record evidence and the parties’ arguments on appeal, we agree
with the district court that RBS failed to come forward with evidence showing its seventy-
five alleged trade secrets met the independent economic value requirement. Relatedly, we
conclude that the district court did not abuse its discretion in excluding Shostack’s
testimony on the matter of independent economic value because it would not have aided
21 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 22 of 31
RBS in satisfying its burden of proof. 8 For these reasons, we agree that Synopsys was
entitled to summary judgment on the Virginia and federal misappropriation-of-trade-
secrets claims.
As has been established, for information to constitute a “trade secret” under Virginia
and federal law, it must “[d]erive[] independent economic value” from its secrecy. Va.
Code § 59.1-336; 18 U.S.C. § 1839(3)(B). This element requires proof not just of value,
but of value specifically tied to secrecy. See Ruckelshaus v. Monsanto Co., 467 U.S. 986,
1012 (1984) (“The economic value of that property right lies in the competitive advantage
over others that [the plaintiff] enjoys by virtue of its exclusive access to the data, and
disclosure or use by others of the data would destroy that competitive edge.”). In the district
court, RBS sought to prove that all seventy-five of its alleged trade secrets satisfied this
requirement by pointing to its January 2022 acquisition price of and evidence
that at least 90 percent of its revenue comes from licensing VulnDB. But as the district
court correctly recognized, a fatal disconnect exists between the evidence RBS relied on
8 Because a “trade secret” comprises both independent economic value and reasonable secrecy, Va. Code § 59.1-336; 18 U.S.C. § 1839(3), RBS’ failure to prove independent economic value is fatal to its Virginia and federal claims that Synopsys misappropriated trade secrets. See Haulbrook, 252 F.3d at 702; accord Trandes Corp., 996 F.2d at 661 (“Trandes had to describe the subject matter of its alleged trade secrets in sufficient detail to establish each element of a trade secret.”). We therefore need not consider the other ground on which the district court relied to reach its conclusion, namely, whether RBS’ evidence was insufficient to prove its reasonable efforts to maintain the secrecy of the alleged trade secrets. Nor do we need to consider whether the court abused its discretion in excluding the entirety of Kursh’s testimony, which did not touch on independent economic value and thus would not have enabled RBS to satisfy its burden on that element.
22 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 23 of 31
and its burden of proof because that evidence does not reflect that the alleged trade secrets
had value nor prove that any such value derived from their secrecy.
RBS failed to come forward with evidence establishing the trade secrets had
“value.” Neither RBS itself nor its private database VulnDB is one of the alleged seventy-
five trade secrets, so evidence about RBS’ or VulnDB’s value cannot substitute for
evidence about the seventy-five alleged trade secrets’ value. 9 Permitting evidence of the
value of the whole entity to substitute as value of a particular component part (the trade
secrets) would defeat the obligation of proving that the alleged trade secrets themselves
have independent economic value. To hold otherwise would allow RBS to circumvent its
burden of proof and redefine “trade secret.”
But the problem with RBS’ evidence runs deeper still because it also failed to show
that any asserted value derives from the seventy-five alleged trade secrets’ secrecy. Not
everything with commercial value constitutes a trade secret. Both Virginia and federal law
require a specific connection between value and secrecy. Va. Code § 59.1-336 (defining
“trade secret” as “[d]eriv[ing] independent economic value . . . from not being generally
known . . . and not being readily ascertainable” (emphasis added)); 18 U.S.C. § 1839(3)(B)
9 By its own representation, RBS does many things, only one of which (though an important one) is maintaining VulnDB, and VulnDB comprises information far beyond the seventy-five alleged trade secrets. See, e.g., Opening Br. 6–7. Indeed, at the time of RBS’ sale, the company was asserting the existence of some 150 trade secrets, which it later recalibrated to 160 trade secrets before eventually slashing that number by over half. These representations show that both the company itself and its proprietary database consist of more than just the alleged seventy-five trade secrets. Far from being co-extensive and thus interchangeable for purposes of establishing value, they are nested, but distinct subparts.
23 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 24 of 31
(same); see Trandes Corp., 996 F.2d at 663 (discussing independent economic value as the
value competitors could obtain by possessing the information that had previously been kept
from them). Thus, part of RBS’ obligation was to come forward with evidence that its
seventy-five alleged trade secrets had value because they remain secret. See DTM
Research, L.L.C. v. AT&T Corp., 245 F.3d 327, 332 (4th Cir. 2001) (“[A trade secret’s]
continuing secrecy provides the value, and any general disclosure destroys the value.”);
see also Oakwood Laby’s LLC v. Thanoo, 999 F.3d 892, 913 (3d Cir. 2021) (“The trade
secret’s economic value depreciates or is eliminated altogether upon its loss of secrecy[.]”);
Stromback v. New Line Cinema, 384 F.3d 283, 305 (6th Cir. 2004) (“Thus, the essence of
a trade secret is that it derives its value from secrecy.”). Proof of value untethered to value
derived from secrecy does not show an alleged trade secret’s independent economic value.
E.g., Buffets, Inc. v. Klinke, 73 F.3d 965, 969 (9th Cir. 1996) (affirming the district court’s
conclusion that the evidence did not establish independent economic value of the plaintiff’s
recipes because, under Washington law, which uses a materially identical definition of a
trade secret, the plaintiff had not established a connection between the asserted value of the
recipes and those recipes “being kept secret”).
Here, even if we were to assume that RBS’ purchase price and the percentage of
revenue stemming from VulnDB could prove in the abstract that the trade secrets had some
commercial value, neither one satisfies the requirement of showing value arising from their
remaining secret. Put another way, the marker of value on which RBS relies does nothing
to establish that the asserted value associated with the seventy-five alleged trade secrets
derives from their “not being generally known” or “readily ascertainable” to others through
24 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 25 of 31
lawful means. At bottom, the company’s purchase price cannot—as a matter of law—serve
as the basis for satisfying this element of the definition of a trade secret.
RBS’ arguments in favor of a contrary holding on the requirement of independent
economic value do not hold force. For example, it criticizes the district court for requiring
it to prove independent economic value “per trade secret.” Opening Br. 60 (emphasis
omitted). To begin with, because independent economic value is one part of the definition
of a “trade secret,” Va. Code § 59.1-336; 18 U.S.C. § 1839(3)(B), a basis exists in the
statutory language for concluding that evidence of independent economic value must be
proven as to each item that a plaintiff seeks to have identified as a distinct “trade secret.”
Under this reading of the statutory language, value may need to be established “per trade
secret.” Opening Br. 60 (emphasis omitted). Recognizing as much would not necessarily
prohibit a court, the parties, or an expert witness from discussing the independent economic
value of individual trade secrets by groups so long as the same evidence related to more
than one of the alleged trade secrets and permitted a conclusion to be drawn with respect
to each individual trade secret’s value.
For purposes of this case, however, we need not definitively decide whether or when
“grouping” of evidence to establish a trade secret’s independent economic value is ever
permitted. Even accepting that RBS could satisfy its burden with proof of valuation based
on evidence about groups of its alleged trade secrets rather than individual assessments,
that is not what it tried to do here. Instead, RBS relied on evidence of valuation that was
not particularized to its seventy-five alleged trade secrets whether they are viewed
individually, in smaller groupings, or as a whole. That’s the fundamental disconnect
25 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 26 of 31
identified by the district court, and that’s a basis for our affirmance on appeal. E.g.,
Synopsys, 2022 WL 3005990, at *15 (observing that it “has no method—and RBS has
likewise suggested none—of determining which of the now-asserted trade secrets, if any,
contributed to RBS’s valuation on January 6, 2022”).
RBS’ reliance on the concept that “value” encompasses more than “a numerical
amount” also misses the mark. Opening Br. 60 (emphasis omitted). Once again, a concept
true in the abstract fails to grapple with the fundamental lack of evidence of the value of
the seventy-five alleged trade secrets based on how RBS decided to prove its case. In the
district court, RBS bore the burden of coming forward with evidence of value, and it relied
on the company’s acquisition price and the share of the company’s revenues derived from
VulnDB to do so. Thus, RBS—not the district court—introduced a numeric amount into
the analysis by relying on the collective corporate value as the sole basis for meeting its
burden. It’s the misdirection to unrelated measures of value that was the problem, not just
a lack of a specific numeric amount tied to each of the alleged trade secrets.
Lastly, in its opening brief, RBS points to evidence in the record that it did not rely
on in the district court as proof of the seventy-five alleged trade secrets’ independent
economic value. It says independent economic value exists based on (1) Synopsys’ expert
witness Dr. Eric Cole’s testimony that he “spent ‘a few hours’ searching 18 websites to
find only 21 of the 300,000+ vulnerabilities reported in VulnDB,” thus creating a genuine
dispute about the value of VulnDB’s “unique data compilations” based on what it would
cost an outsider to locate “every source, reference, and vulnerability in VulnDB,” Opening
Br. 58; (2) Black Duck’s repeated efforts to buy RBS and VulnDB and its (alleged)
26 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 27 of 31
unlawful extraction of VulnDB data, which demonstrate the value of the seventy-five
alleged trade secrets; and (3) Shostack’s testimony about independent economic value,
which the district court (purportedly) improperly excluded. 10
None of this evidence satisfied RBS’ burden for the same fundamental reason
already discussed. It too attempts to show the independent economic value of the seventy-
five alleged trade secrets through proof that RBS and VulnDB have value. Such sleight-of-
hand is no more availing as to this evidence than it is to the rest.
Only the exclusion of Shostack’s testimony warrants a brief additional discussion.
As noted, the district court excluded relevant parts of Shostack’s testimony as a result of
his legal conclusions and speculative foundation, in addition to the court’s concern that
Shostack had not demonstrated that he’d reviewed the alleged trade secrets individually.
We agree that these problems plagued his assessment of independent economic value. Most
problematically, Shostack’s report repeatedly refers to the value of RBS and VulnDB while
making conclusory assertions about the trade secrets contained in the database. Further,
Shostack failed to connect the dots between the collective corporate value and the seventy-
10 Synopsys argues RBS’ failure to make these arguments in district court results in their forfeiture on appeal. See United States v. Lavabit, LLC (In re Under Seal), 749 F.3d 276, 285 (4th Cir. 2014) (reiterating our “settled rule [that] absent exceptional circumstances, we do not consider issues raised for the first time on appeal” (cleaned up)). RBS responds that these arguments can be considered in the first instance, citing language from our cases stating that when claims are “plainly encompassed by” and a “[v]ariation[] on arguments made” in district court. De Simone v. VSL Pharms., Inc., 36 F.4th 518, 528 (4th Cir. 2022) (citations omitted). We are inclined to agree that RBS has forfeited these arguments by failing to direct the district court’s attention to this evidence as part of its proof of independent economic value. But we ultimately do not determine the side of the line on which these arguments fall because they readily fail on their merits.
27 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 28 of 31
five alleged trade secrets. For example, Shostack’s written report included the opinion that
“[v]ulnerability databases such as VulnDB, and the trade secrets contained within VulnDB,
have independent economic value as a result of the skilled work which goes into creating,
organizing, compiling, and maintaining them (i.e., as a result of not being generally known
or readily ascertainable).” J.A. 5868–69. But his entire analysis explaining this viewpoint
focuses on the market for vulnerability databases as a whole without any discussion of why
the seventy-five alleged trade secrets have particular value. E.g., J.A. 5888 (“VulnDB’s
trade secret features, designs, methods, techniques, processes, procedures, programs, and
codes have independent value. This is demonstrated by RBS’s success in selling the
product both in the general market and to Black Duck in particular. Based on my
experience, if these secrets had no independent value, then [Black Duck] would not have
licensed them or would have cancelled their re-seller agreement without creating their own
database.”); J.A. 5890 (listing four additional “expression[s] of the value of RBS’s
database” as (1) royalty payments, (2) “valuation of a company like Black Duck,” (3)
“either increased number or value of sales,” and (4) “market perception by either customers
or influencers”).
Nor does Shostack represent that his conclusions were based on an individual
review of the seventy-five alleged trade secrets. 11 To the contrary, he suggests otherwise
11 Nor could he. At the time of his report, dated January 12, 2022, RBS was still propounding over 150 alleged trade secrets. The settled-upon seventy-five were not newly alleged items but were taken from the list of the earlier identified items. Even so, Shostack’s failure to identify with precision which alleged trade secrets he reviewed or based his opinions on presents problems when assessing his expert opinion because—given (Continued) 28 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 29 of 31
by observing that the “trade secrets in this case are numerous,” representing his
understanding “that another expert is examining the trade secrets individually,” and stating
that his analysis of Synopsys’ “[d]irect [u]se of [t]rade [s]ecrets” “focused on the trade
secrets pertaining to sources of vulnerability information to be evaluated and checked
regularly,” and then cautioning that his report was “intended to supplement, but not replace,
any other RBS expert opinion.” J.A. 5903. 12
RBS again contends that the district court abused its discretion in excluding
Shostack’s testimony on this ground because Shostack was not required to opine on the
trade secrets individually. 13 And as discussed earlier, RBS’ argument is problematic given
that the definition of a “trade secret” requires an individualized assessment even if that
assessment could be discussed in groups rather than per trade secret. Even if grouping is
appropriate in some cases, it must be done in a way that permits the trier of fact to undertake
this review. Sweeping conclusions untethered to specific shared characteristics of a group
of trade secrets that show that each has independent economic value would not aid the trier
of fact in undertaking that task. What’s more, the district court did not exclude Shostack’s
testimony on independent economic value only because he considered the trade secrets in
that there’s no indication he reviewed all of them—it increases the likelihood that his views were based on consideration of earlier-alleged trade secrets that were not part of the seventy-five. 12 RBS does not point to any of its other expert witness’s testimony as opining on the matter of independent economic value. 13 RBS’ only authority for that proposition consists of two district court decisions, both of which are narrower than how RBS uses them and involve scenarios different from what the district court concluded here.
29 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 30 of 31
his expert report as an undivided whole to streamline the analysis for a trier of fact. To the
contrary, the court specifically stated it “need not determine whether to permit this type of
grouping.” Synopsys, Inc., 2022 WL 3005990, at *7. Instead, the district court pointed out,
and the record confirms, that Shostack never indicates that, in formulating his opinion, he
ever assessed the trade secrets individually before determining their collective value simply
from being part of VulnDB. See id. (excluding Shostack’s conclusions because the report
“admits that he did not individually evaluate each trade secret and RBS has not identified
any evidence that shows otherwise”). Without undertaking that task, Shostack’s method
for formulating his opinions was on shaky ground, and the district court did not abuse its
discretion in excluding it.
****
In sum, the district court properly concluded that RBS failed to put forward
admissible evidence showing that the seventy-five alleged trade secrets had independent
economic value. Absent proof sufficient to satisfy that part of the statutory definition of a
“trade secret,” RBS could not prevail in a misappropriation-of-trade-secrets claim, and the
district court properly granted summary judgment to Synopsys. Given this holding, we
need not consider RBS’ additional argument that the district court erred in denying its
motion for partial summary judgment.
IV.
For the reasons stated, we hold that the district court properly exercised jurisdiction
because the case did not become moot during its pendency. In addition, we affirm the
30 USCA4 Appeal: 22-1812 Doc: 65 Filed: 06/15/2023 Pg: 31 of 31
district court’s grant of summary judgment to Synopsys on the claim that it had
misappropriated RBS’ trade secrets.
AFFIRMED
Related
Cite This Page — Counsel Stack
70 F.4th 759, Counsel Stack Legal Research, https://law.counselstack.com/opinion/synopsys-inc-v-risk-based-security-inc-ca4-2023.