SuccessFactors, Inc. v. Softscape, Inc., 2008 WL 906420 (N.D. Cal.)
This one is most interesting to me for the manner in which the facts were developed; technology is changing cases in lots of ways. The parties compete in the market for internet-based human resources management software.
On [February, I think, but the case says March] 24, 2008, hundreds of actual and prospective customers received an email from “John Anonymous” stating, “If you are thinking about purchasing from SuccessFactors, please read the following document; it provides information about Successfactors [sic] which they do not want you to know.” Attached was a 43-slide PowerPoint, “The Naked Truth.” It used a SuccessFactors template and included the SuccessFactors logo at the top of each page. It claimed to contain “a compilation of the facts from Successfactors [sic] customers” and to explain plaintiff’s “lack of corporate integrity and why many of us have left them.”
The PowerPoint included screenshots from three areas of plaintiff’s website, including from a password-protected area accessible only to plaintiff’s employees, customers, prospective customers, and partners. When plaintiff found out about the presentation, it analyzed its IP logs to figure out who’d accessed all three areas of the site recently. Only one outside IP address had done so; it belongs to one of defendant’s offices. This IP address also accessed a specific demo account in the password-protected area, which was the source of one of the screenshots. This account was also accessed without authorization from two residential IP addresses near that office and one business address associated with another of defendant’s offices. The account was created for a purported prospective customer on behalf of “New Millenium [sic] Shoe.” Defendant’s CEO is the CEO of New Millenium Shoe. Further investigation of the IP addresses found nine other names and registration information associated with those addresses; though plaintiff suspects many of the names were false, defendant is linked to two of those names.
After the email, plaintiff allegedly received a lot of worried questions from current and perspective customers, and the report was discussed on an internet message board covering SuccessFactors stock. JMP Securities, an investment bank, reported on the PowerPoint as “highly critical” and stated that “independent due diligence” was needed to investigate the claims. Nonetheless, the report maintained JMP’s high rating of SuccessFactors. Three days later, JMP issued a further report debunking the PowerPoint as “unfounded.”
Plaintiff sued under the Lanham Act, California state law, and the Computer Fraud and Abuse Act (CFAA). Defendant conceded that it created the presentation, but argued that it was intended only for internal use. Defendant denied knowledge of how the presentation was sent out, and pledged not to use it in any external sales or marketing. But the email messages sent by defendant’s CEO—after the complaint was filed—say that the presentation is based on “publicly available sources” and that the information in the presentation “should be used judiciously in competitive situation [sic] as required.” Moreover, defendant issued a press release defending the truthfulness of the presentation as “substantiated,” and emailed a link to the press release to potential customers for whom it’s competing with plaintiff.
The CFAA provides for liability for people who intentionally access a computer without authorization or exceed authorized access; civil actions are limited to cases in which victims suffer at least $5000 in losses. Plaintiff argued that its costs of investigating the breach took many hours of time from other work, meeting the $5000 minimum. Defendant argued that the cost of investigating and trying to locate a perpetrator isn’t a qualifying loss. This might be true in some cases, as when the issue is a spam attack. But when the offense involves the use of protected information and not just damage to a computer system, the cost of responding to the offense is different. Discovering the source of a spam attack is important to find the right defendant, but not to assessing the damage; discovering the source of a security breach and the nature of the information accessed, however, is essential to remedying or discovering the extent of the harm. Thus, forensic expenses in such cases can be loss for purposes of the CFAA. Plaintiff showed a likelihood of success on the merits.
Similarly, the court found a likelihood of success on trademark infringement, based on the idea that defendant used more of plaintiff’s trademarks than necessary to engage in legitimate criticism. Defendant responded that its use was only on internal documents, and any distribution was outside the scope of its employees’ employment. The court pointed out that “[c]onduct is not outside the scope of employment merely because an employee disregards the employer’s instructions.” Rest. (3d) Agency § 7.07 cmt. c.
Comment: I’m really not clear what the infringement is. Defendant doesn’t seem to be passing off its own goods and services as plaintiff’s. Defendant is passing off its own work product as plaintiff’s, but it isn’t selling the PowerPoints to anyone. Assuming that the claims in the PowerPoint are false as alleged, this is false advertising, perhaps; commercial disparagement almost certainly. Maybe this is even trademark dilution in the form of tarnishment. But infringement? I don’t get it. Of course, the court was working under extreme time pressure.
For the same reasons, the court found a likelihood of success on false advertising. Defendant argued that it didn’t use the presentation in commerce, that the presentation wasn’t an ad, and that it didn’t distribute the presentation in interstate commerce. Given that defendant continued to use information from the presentation in commerce, this was unpersuasive.