Liveperson, Inc. v. 24/7 Customer, Inc., 2015 WL 170348, No. 14 Civ. 1559 (S.D.N.Y. Jan. 13, 2015)
LivePerson “provides customers with live-interaction and customer engagement technology for e-commerce websites, enabling businesses to interact in real-time with their website customers.” Its competitor 24/7 used to provide human call-center operators for customers’ call centers, but more recently developed its own live-interaction technology. The parties entered into cooperative marketing/service contracts to serve certain customers in order to offer joint solutions—LP’s tech and 24/7’s call center personnel. 24/7 thus obtained a limited license to access and use LP’s IP.
24/7 allegedly misappropriated LP’s software and sold it as its own, along with other alleged wrongdoing: accessing LP’s back-end systems to copy LP’s technology and interfering with LP’s client relationships. 24/7 allegedly designed its competing software to interfere with LP’s software, so that a customer using both technologies would experience poor performance from LP, and also designed the software to collect performance data from LP’s data. 24/7 also allegedly poached LP employees, falsely claimed that its software was the “first predictive or smart chat platform,” and disseminated fabricated and disparaging LP performance metrics to clients.
First, the court dismissed LP’s copyright infringement claim as inadequately pled because it didn’t explain when the infringement allegedly took place, neither as a start time or a period of infringement. However, alleging that 24/7 copied the entire software module adequately alleged that it copied protectable elements.
The DMCA claim was also inadequately pled. While courts have have held that password protection, DVD encryption measures, activation and validation keys, and a “secret handshake” protocol have all been found to be protected technological measures, the complaint didn’t allege any of this. LP alleged, somewhat contradictorily, that 24/7 had access to its back-end under their contractual relationship and misused its access and also that 24/7 improperly used its knowledge of LP’s customer-facing software to impersonate LP and gain unauthorized access to its secure internal system, at which point 24/7 allegedly installed spyware and code to degrade LP’s software’s functionality. Also, LP alleged that 24/7 reverse engineered LP’s software after accessing LP’s internal system.
The complaint didn’t allege that 24/7 used reverse engineering to circumvent LP’s security measures, but rather that 24/7 breached its computers in order to carry out reverse engineering. This didn’t allege circumvention. As for the alleged mimicking of LP to gain access to LP’s secure system, LP didn’t adequately allege what technological measure the mimicry circumvented. Successful complaints have “explicitly referenced a password, encryption system, software protocol, validation key, or some other measure designed to thwart unauthorized access to a protected work.” Alleging that 24/7 “circumvented LivePerson’s security measures” didn’t provide adequate notice.
The CFAA claim was also inadequately pled because LP didn’t plead facts showing that 24/7 exceeded its authorization, and also didn’t adequately allege damages. There’s legal uncertainty about whether a user who abuses authorized access can trigger the CFAA’s ban on exceeding authorized access. The Second Circuit hasn’t ruled on the issue and other circuits and other district courts within the Second Circuit are split. The court here joined the majority narrow approach, so that abusing authorized access isn’t actionable. Among other things, this avoids adding a subjective intent requirement to the Act; comports with the type of “loss” against which the CFAA protects (which don’t include losses related to misappropriation of information); and complies with the rule of lenity governing ambiguous criminal laws. Exceeding authorized access is therefore defined as having permission to access certain information on a computer, but accessing other information as to which there is no permission. Here, LP’s allegations focused on 24/7’s misuse of data obtained through authorized access, or didn’t explain the means by which 24/7 allegedly gained unauthorized access.
In addition, LP didn’t adequately allege damage or loss over $5000, because actionable damage or loss under the CFAA has to relate to LP’s computer systems. Allegations that 24/7’s conduct endangered LP’s relationships with several major clients, diluted its good will, injured its reputation, and misappropriated/devalued its IP didn’t qualify.
However, misappropriation of trade secrets and breach of contract were adequately pled, as well as some aspects of the intentional interference with prospective and existing economic relationships claims. LP alleged improper interference from providing inaccurate performance data to LP’s clients, when the data required access to LP’s confidential system and differed significantly from LP’s performance data shown when its technology was used by other call-center labor providers/employees. (Put that way, it sounds like LP did perform badly in conjunction with 24/7; inaccuracy isn’t really the complaint, but misleadingness about the source of the performance.) LP also alleged that it found 24/7 code “expressly designed to suppress the proper operation of LivePerson’s technology, such as preventing livechat sessions from being initiated, and/or eliminating LivePerson’s ‘chat’ button from appearing altogether” on its clients’ websites. That would constitute improper interference.
By contrast, the alleged interference with LP’s employees wasn’t adequately pled. LP didn’t allege noncompete agreements and failed to meet its high burden of alleging wrongful means, such as fraud or threats, to get employees to quit. Raiding isn’t itself wrongful means.
Further, the Lanham Act claim was adequately pled. LP alleged that 24/7 falsely claimed to have developed the first predictive chat platform, while LP actually did so, resulting in harm to LP’s goodwill and reputation as well as misappropriation and devaluation of its IP. (Dastar problem, especially with the misappropriation/devaluation parts?) LP didn’t provide the full context of the allegedly false ad, making it hard to evaluate the “entire mosaic” of the ad, as required. 24/7 correctly argued that context could establish truth, e.g., that 24/7 was promoting innovative, unique features; or “first” could be immaterial puffery, “considering the sophistication of the clients in this industry and the unlikelihood that claims of developing the ‘first’ such software would influence their purchasing decisions.” But materiality is generally a fact question not resolvable on the pleadings; LP was instead ordered to provide a more definite statement about context and materiality.
The common law unfair competition claim was also adequately pled. Unfair competition is generally limited to passing off, acting solely to destroy a rival, and using independently illegal methods. Here, allegedly embedding spyware on LP’s clients’ websites to engage in reverse engineering, injecting tracking markers into LP’s systems to facilitate unauthorized data mining, manipulating LP’s software on client deployments to reduce its performance, and deploying software code designed to suppress the proper operation of LP’s technology, would either be independently illegal or would constitute passing off. (Hunh? How is this passing off?)
Finally, unjust enrichment was adequately pled.