August 03, 2010
Baidu Can Maintain Negligence Claims Against Register.com for Lax Security Practices Which Allegedly Facilitated Cyber-Attack - Baidu v. Register.com
[Post by Venkat]
Baidu, Inc. v. Register.com, Inc., Case no. 10 Civ. 444 (DC) (S.D.N.Y.) (July 22, 2010).
Background: Baidu registered the
The cyber-attacker gained access to Baidu's account with Register through engaging in an online chat with a Register customer service representative. The representative asked the intruder for Baidu's security verification information. The intruder did not provide the representative with the correct information, "but the [representative] nonetheless emailed a security code to the email address that Baidu had on file." When asked for the security code, the intruder did not provide the correct code (the intruder did not have access to the Baidu email address on file). Notwithstanding the discrepancy in the security codes, at the intruder's request, the representative changed the email address on file (to "email@example.com"). From here, the intruder was easily able to access the account, by utilizing the "forgot password" function.
Discussion: Baidu brought claims for breach of contract, negligence (gross negligence), recklessness, and contributory trademark infringement.
The limitation of liability clause: Register pointed to the limitation of liability clause in its Master Services Agreement. The clause provided that Register would not be held liable for, among other things, "termination . . . or modification of [the Services,] . . . inability to use the Service[s], . . . loss incurred in connection with [the customer's] services," or "any other matter relating to [customer's] use of the Service[s]." The agreement also contained a limitation of liability clause that limited Register's liability at five hundred dollars, and also provided that it was the customer's "responsibility to safeguard the User name, password and any secret question/secret answer . . . from any unauthorized use."
The court held that as a general matter, courts in New York enforce limitations of liability clauses, particularly where these limitations are contained in a contract entered into by "those of equal bargaining power." However, New York courts do not enforce such limitations where they purport to limit liability for willful or grossly negligent acts. This "gross negligence exception" applies even to agreements between sophisticated commercial parties, although the standard for gross negligence is somewhat higher in this context. The court held that the complaint satisfied this standard, in alleging that:
(1) the rep proceeded with processing the intruder's request even though the intruder provided an incorrect response to the security question; (2) the rep didn't even bother to compare the code provided by the intruder with the security code on file; (3) the rep failed to notice the red flags raised by the rep providing the "firstname.lastname@example.org" email address (which was tied to Google, a Baidu competitor); and (4) the rep ultimately provided the intruder with Baidu's user name.
Ultimately, the court found that Register's failure to follow its own security procedures (or any minimal security procedures, for that matter) were sufficient to get Baidu past the gross negligence hurdle. Register also pointed to the provision in the contract that the customer was responsible for maintaining the security of any password/security information and thus Register had no duty to maintain any security procedures with respect to Baidu's account. The court rejects this argument, noting that although Register may not have had any duty to provide any security, once it undertook to do so, it was required to do so in a non-negligent manner:
The attack by the Intruder was reasonably foreseeable - it was precisely because these cyber attacks are foreseeable that the security measures were adopted.
Lanham Act Claim: With respect to the Lanham Act claim, Register argued that it was entitled to immunity as a registrar and in any event Baidu failed to adequately allege the elements for contributory trademark infringement.
The court rejects the registrar immunity argument out of hand (registrars are only entitled to immunity when they act as registrars - i.e., "when [a registrar] accepts registrations for domain names for customers"). However, the court agreed with Register that Baidu failed to allege the elements for contributory trademark infringement. Citing to Inwood Labs., Inc. v. Ives Labs., Inc. (a flea market case) the court notes that contributory liability only attaches where the defendant either intentionally induces infringement or continues to supply products or services to the infringer where the defendant knows or has reason to know that the infringer is engaged in infringement. The court also cites to the Tiffany v. eBay case (discussed by Professor Goldman here).
The interesting aspect of this case is the fact that Register's broad contractual protections did not protect it against Baidu's claims. It's unclear as to whether the court's ruling would encompass a situation where someone just plain hacked into Register's system and gained access to Baidu's accounts. I would think not. Disclaimers often insulate service providers (see Duffy v. The Ticketreserve and Grace v. Neeley) but here the facts alleged by Baidu with respect to Register's negligence were pretty egregious. Given the exception in New York law for gross negligence and reckless conduct, I'm not sure any sort of limitation/disclaimer could have saved Register here.
The trademark claims are curious. To be honest, I can't even see where there's basic trademark infringement by the cyber-attacker. The cyber-attacker was not interested in selling any products or services, and the Baidu webpage text clearly stated that the website had been hacked. Moreover, any finding of infringement would have been based on the much-discredited initial interest confusion doctrine. In any event, it's tough to see - given Baidu's allegations of an attack - how Register would have harbored the requisite knowledge to have been able to prevent the infringement.
It's worth noting also that this isn't a typical domain name conversion case (a la sex.com). The case is really about failed security procedures, and the ease of gaining access to an account through social engineering. There's a big lesson in the Register rep's alleged dealings with the cyber-attacker.
Added: This interview with Elisa Cooper by Dancho Danchev ("Hundreds of High Profile Sites Unprotected From Domain Hijacking") looks at the efficacy of using Verisign's "Registry Lock Service." Some interesting bits from the interview:
1. The Registry Lock Service offers protection at the registry-level so even if the registrar account is compromised, the attacker will not be unable to update any domain settings.
2. Elisa notes that DNS hijacking may only amount to a PR/brand hit unless the website is collecting information or conducting transactions.
3. "[D]omains that are registered by large retail registrars are . . . highly vulnerable to social engineering attacks." [That's exactly what happened in the Baidu case.]
Of course, the registrar does not have an obligation to implement the additional security measures that are mentioned in the interview. It would be up to the registrant to do so.