Court in Domain Hijacking Case Reminds Parties: You Can't Contractually Limit Liability in NY for Willful or Grossly Negligent Conduct

As a big fan of the late Paul Harvey, whose signature closing catch-phrase was “and now you know the rest of the story,” there are times when posts analyzing cases, statutes or developments are held until additional information is in. The opinion earlier this year by U.S. Circuit Judge Denny Chin in the hijacked domain case of Baidu, Inc. et al v., Inc., 2010 U.S. Dist. LEXIS 73905 (July 22, 2010) (1:10-cv-00444-DC), proved just such a situation, and I waited to see what the defendant's Answer might hold and how the parties responded thereafter. J. Chin's rejection of Register's summary judgment motion - allowing Baidu's action to proceed on its claims for breach of contract, gross negligence and recklessness - likely surprised many who've come to view the extremely broad limitation of liability language frequently found in today's contracts as near iron-clad protection.

But before examining why the Court reached its decision, a bit of quick background is needed to fully appreciate J. Chin's approach under New York law.


Baidu, Inc. and its affiliate Beijing Baidu Netcom Science & Technology Co., Ltd. (“Baidu”) run the largest search engine in China with a claimed 70% share of Chinese-language search traffic. Baidu had registered its domain name in 1999 with Register, an ICANN-accredited domain name registrar, as well as the trademark “Baidu.” All went apparently without incident until earlier this year, when, according to Baidu's complaint, Baidu's domain was hijacked and the domain's DNS information directed to a webpage “depicting an Iranian flag and a broken Star of David and proclaiming 'This site has been hijacked by the Iranian Cyber Army.'” Id.

The steps that led up to the hijacking, as depicted in the complaint and accepted as required by the court's consideration of defendant's FRCP 12(b)(6) motion to dismiss, paint quite a picture. In short, the hijacker contacted a Register support agent and requested that the email address on file for Baidu (though it's not specified which email address, i.e., the tech, billing or admin contact) be changed. Register's agent is alleged to have responded by asking the hijacker for the security verification information.

The verification information provided by the hijacker was wrong, but Register's agent emailed a verification code to Baidu's actual email address on file, which of course the hijacker could not access. Then, Register's agent asked the hijacker to repeat the code sent to the email address on file. The hijacker responded with a different and incorrect code, but Register's agent went ahead and changed Baidu's email address on file to the one requested by the hijacker, which the Court noted used the domain of Google's email service, Google being a search engine competitor (implying another potential red flag should have been raised by the proffered email address).

At this point the hijacker was fully in charge of the domain: once the email address had been changed, he was able to use the “forgot password” feature found on most sites (an increasingly noted weakness) to have a change-password link sent to the newly changed email address. With the password changed, the hijacker updated the DNS information to re-target traffic from Baidu's actual websites to the “Iranian Cyber Army” (ICA) website.

As part of its complaint, Baidu alleges that it took more than two hours for Register to begin addressing the problem, that traffic was fully re-routed to the ICA for five hours, and that Baidu's operations were not fully restored until two days after the initial attack. The result, as the Court notes in echoing Baidu's complaint, is that “Baidu suffered 'serious and substantial injury to [its] reputation and business,' including 'millions' in lost revenue and out-of-pocket costs.” Baidu at *7.

In response to the breach and hijacking, Baidu filed suit against Register in federal court in the Southern District of New York claiming seven causes of action: (i) contributory trademark infringement; (ii) breach of contract; (iii) gross negligence and recklessness; (iv) tortious conversion; (v) aiding and abetting tortious conversion; (vi) aiding and abetting trespass; and (vii) breach of duty of bailment. Baidu also asked in its prayer for relief for all actual damages, treble damages and punitive damages, in amounts to be determined at trial, along with associated costs, attorneys' fees and expenses.

The Limitation of Liability Clause

Register's limitation of liability clause should be very familiar to contracting professionals. Indeed, its language or rough equivalents can commonly be found in a large plurality, if not a majority, of online service and other contracts. The actual applicable Master Services Agreement (“MSA”) language, as quoted by the Court, was:

“You agree that [Register] will not be liable, under any circumstances, for any (a) termination, suspension, loss, or modification of your Services, (b) use of or the inability to use the Service(s), (c) interruption of business, (d) access delays or access interruptions to this site or a service (including, without limitation, to web site(s) accessed by the domain name registered in your name), . . . (f) events beyond [Register's]. . . reasonable control, . . . (j) transactions conducted on a user web site, including fraudulent transactions, (k) loss incurred in connection with your service(s) including in connection with e-commerce transactions, (l) unauthorized access to or alteration of your transmissions or data, (m) statements or conduct of any third party using your service(s), or (n) any other matter relating to your use of the Service(s). [Register] also will not be liable for any indirect, special, incidental, or consequential damages of any kind (including lost profits, goodwill, data, the cost of replacement goods or services, or other intangible losses) regardless of the form of action whether in contract, tort (including negligence), or otherwise, even if [Register] has been advised of the possibility of such damages. In no event shall [Register's] maximum aggregate liability exceed the total amount paid by you for the Services, but in no event greater than five hundred dollars ($500). Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, in such states, our liability is limited to the maximum extent permitted by law.”

At first glance this limitation of liability appears extremely strong. The list of items in (a) through (n) to which no liability will attach is wide-ranging, followed by a traditional limitation as to any indirect, special, incidental or consequential damages, all topped off by an aggregate maximum dollar limit for damages of $500. Register's language does include a passing head-nod that “some states do not allow the exclusion or limitation of liability for consequential or incidental damage.” Still, nothing in the language addressed potential liability in the face of willful acts or gross negligence, though each, arguably (and Register likely thought so), could be included in the “not be liable, under any circumstances” language. This said, the “under any circumstances” is, in reality, followed by the unwritten text “unless prohibited by public policy,” as seen from J. Chin's decision, a point that many contracting attorneys tend to forget in the day-to-day wrangling during negotiations over limitation of liability and indemnification language.

The Claims; The Analysis; The Result

As a preliminary point, it's interesting to note in passing that Baidu viewed its primary claim going into the case as one of contributory trademark infringement. The available docket in PACER slugs the plaintiff's Cause [of action] as “15:44 Trademark Infringement” and the Nature of Suit as “840 Trademark,” and the trademark issue was front and center as claim one in its complaint. Obviously, strategic decisions in litigation as to which claims to bring, and their ordering and strength, are easily second-guessed by those not on the front line. Yet J. Chin methodically and in a rather straightforward manner – except for one twist – chopped the contributory trademark infringement count down and dismissed it completely.

The twist is that 15 U.S.C. 1114(2)(D)(iii) provides that a “domain name registrar . . . shall not be liable for damages under this section for the registration or maintenance of a domain name for another absent a showing of bad faith intent to profit from such registration or maintenance of the domain name.” Access to domain name controls could arguably be said to come within “maintenance of a domain name,” but J. Chin said not so fast, drawing a distinction between Baidu's account overall and the domain name itself. Instead he found that “while Register's actions arguably concerned the maintenance of Baidu's account with Register, they did not concern the maintenance of Baidu's domain name. Rather, the alleged malfeasance occurred in the context of security protocols and access to an account.” Id. at *21.

Gross Negligence and Recklessness

As to the breach of contract, gross negligence and recklessness claims and Register's limitation of liability defense, J. Chin acknowledged that both parties treat New York law as controlling, as provided in the MSA. Under New York law it's settled doctrine that “contractual provisions that 'clearly, directly and absolutely' limit liability for 'any act or omission' are enforceable, 'especially when entered into at arm's length by sophisticated contracting parties.'” Id. at *10 (citations omitted). The Court further recognized that New York courts “generally enforce contractual waivers or limitations of liability.” Id.

However, the New York Court of Appeals (NY's highest court), in a 4-3 decision cited by J. Chin as controlling, affirmed in Kalisch-Jarcho, Inc. v. City of New York, 58 N.Y.2d 377 (1983), available at, that “an exculpatory agreement, no matter how flat and unqualified its terms, will not exonerate a party from liability under all circumstances. Under announced public policy, it will not apply to exemption of willful or grossly negligent acts.” Id. at 384-85. Moreover, even if such conduct was within the parties' actual or foreseeable contemplation and reflected in the limitation language, the Kalisch court noted that “the policy which condemns such conduct is firm” and that any attempted exculpatory language “will be unenforceable.” Id. at 385.

J. Chin noted that later cases have required that “a more exacting standard of gross negligence must be satisfied” when both parties are sophisticated commercial parties, and that an intervening criminal act will not, per blackletter law, act as a superseding intervening cause that absolves a party from liability unless it was unforeseeable. The hijacker's alleged acts were not only foreseeable but were key to J. Chin's analysis; he noted that “it was precisely because these cyber attacks are foreseeable that the security measures were adopted [by].” As a result, if Baidu proves gross negligence or recklessness as the case proceeds, the MSA's limitation of liability clause will not bar Baidu's recovery for consequential, indirect, punitive and other damages.

The Take Away

This case is one we'll follow to resolution given the intersection of traditional contract law, negligence, domain name registrars and the reminder, too often forgotten, that key contract language relied upon may be void for public policy reasons under certain circumstances. The other lessons to take away from the case to date are:

  • Carefully check the conduct and circumstances. Whenever faced with a claim, either as a plaintiff or defendant, that may seemingly be short-circuited by broad limitation of liability language, review the facts and circumstances carefully. If there's any chance the conduct could be viewed as willful, grossly negligent or displaying a reckless disregard for the rights of others under your state's applicable caselaw, be prepared to press or defend the issue that such actions serve to negate the limitation of liability;
  • Following procedures is crucial. As the legal defensibility approach spreads (see INFOLAWGROUP partner Dave Navetta's article The Legal Defensibility Era is Upon Us), an excessively stringent security procedure could work against you if it's not carefully followed. The recommendation on this issue is to not overpromise when it comes to the processes and procedures that are part of your security program.

We'll continue to watch this case so we get “the rest of the story” and can make sure to bring any interesting points to the fore that you can factor into your own applications. Stay tuned.