Liveperson, Inc. v. 24/7 Customer, Inc., 2015 WL 170348, No.
14 Civ. 1559 (S.D.N.Y. Jan. 13, 2015)
LivePerson “provides customers with live-interaction and
customer engagement technology for e-commerce websites, enabling businesses to
interact in real-time with their website customers.” Its competitor 24/7 used to provide human
call-center operators for customers’ call centers, but more recently developed
its own live-interaction technology. The parties entered into cooperative
marketing/service contracts to serve certain customers in order to offer joint
solutions—LP’s tech and 24/7’s call center personnel. 24/7 thus obtained a limited license to
access and use LP’s IP.
24/7 allegedly misappropriated LP’s software and sold it as
its own, along with other alleged wrongdoing: accessing LP’s back-end systems
to copy LP’s technology and interfering with LP’s client relationships. 24/7 allegedly designed its competing
software to interfere with LP’s software, so that a customer using both
technologies would experience poor performance from LP, and also designed the
software to collect performance data from LP’s data. 24/7 also allegedly poached LP employees,
falsely claimed that its software was the “first predictive or smart chat
platform,” and disseminated fabricated and disparaging LP performance metrics
to clients.
First, the court dismissed LP’s copyright infringement claim
as inadequately pled because it didn’t explain when the infringement allegedly
took place, neither as a start time or a period of infringement. However, alleging that 24/7 copied the entire
software module adequately alleged that it copied protectable elements.
The DMCA claim was also inadequately pled. While courts have have held that password
protection, DVD encryption measures, activation and validation keys, and a
“secret handshake” protocol have all been found to be protected technological
measures, the complaint didn’t allege any of this. LP alleged, somewhat contradictorily, that
24/7 had access to its back-end under their contractual relationship and
misused its access and also that 24/7 improperly used its knowledge of LP’s
customer-facing software to impersonate LP and gain unauthorized access to its
secure internal system, at which point 24/7 allegedly installed spyware and
code to degrade LP’s software’s functionality.
Also, LP alleged that 24/7 reverse engineered LP’s software after
accessing LP’s internal system.
The complaint didn’t allege that 24/7 used reverse
engineering to circumvent LP’s security measures, but rather that 24/7 breached
its computers in order to carry out reverse engineering. This didn’t allege
circumvention. As for the alleged
mimicking of LP to gain access to LP’s secure system, LP didn’t adequately
allege what technological measure the mimicry circumvented. Successful complaints have “explicitly
referenced a password, encryption system, software protocol, validation key, or
some other measure designed to thwart unauthorized access to a protected work.”
Alleging that 24/7 “circumvented LivePerson’s security measures” didn’t provide
adequate notice.
The CFAA claim was also inadequately pled because LP didn’t
plead facts showing that 24/7 exceeded its authorization, and also didn’t
adequately allege damages. There’s legal
uncertainty about whether a user who abuses authorized access can trigger the
CFAA’s ban on exceeding authorized access.
The Second Circuit hasn’t ruled on the issue and other circuits and
other district courts within the Second Circuit are split. The court here joined the majority narrow approach,
so that abusing authorized access isn’t actionable. Among other things, this avoids adding a
subjective intent requirement to the Act; comports with the type of “loss”
against which the CFAA protects (which don’t include losses related to
misappropriation of information); and complies with the rule of lenity
governing ambiguous criminal laws.
Exceeding authorized access is therefore defined as having permission to
access certain information on a computer, but accessing other information as to
which there is no permission. Here, LP’s
allegations focused on 24/7’s misuse of data obtained through authorized
access, or didn’t explain the means by which 24/7 allegedly gained unauthorized
access.
In addition, LP didn’t adequately allege damage or loss over
$5000, because actionable damage or loss under the CFAA has to relate to LP’s
computer systems. Allegations that
24/7’s conduct endangered LP’s relationships with several major clients,
diluted its good will, injured its reputation, and misappropriated/devalued its
IP didn’t qualify.
However, misappropriation of trade secrets and breach of
contract were adequately pled, as well as some aspects of the intentional
interference with prospective and existing economic relationships claims. LP alleged improper interference from
providing inaccurate performance data to LP’s clients, when the data required
access to LP’s confidential system and differed significantly from LP’s
performance data shown when its technology was used by other call-center labor
providers/employees. (Put that way, it
sounds like LP did perform badly in conjunction with 24/7; inaccuracy isn’t
really the complaint, but misleadingness about the source of the performance.) LP also alleged that it found 24/7 code “expressly
designed to suppress the proper operation of LivePerson’s technology, such as
preventing livechat sessions from being initiated, and/or eliminating
LivePerson’s ‘chat’ button from appearing altogether” on its clients’ websites.
That would constitute improper interference.
By contrast, the alleged interference with LP’s employees wasn’t
adequately pled. LP didn’t allege
noncompete agreements and failed to meet its high burden of alleging wrongful means, such as fraud or
threats, to get employees to quit.
Raiding isn’t itself wrongful means.
Further, the Lanham Act claim was adequately pled. LP alleged that 24/7 falsely claimed to have
developed the first predictive chat platform, while LP actually did so,
resulting in harm to LP’s goodwill and reputation as well as misappropriation
and devaluation of its IP. (Dastar problem, especially with the
misappropriation/devaluation parts?) LP
didn’t provide the full context of the allegedly false ad, making it hard to
evaluate the “entire mosaic” of the ad, as required. 24/7 correctly argued that context could
establish truth, e.g., that 24/7 was promoting innovative, unique features; or
“first” could be immaterial puffery, “considering the sophistication of the
clients in this industry and the unlikelihood that claims of developing the
‘first’ such software would influence their purchasing decisions.” But
materiality is generally a fact question not resolvable on the pleadings; LP
was instead ordered to provide a more definite statement about context and
materiality.
The common law unfair competition claim was also adequately pled. Unfair competition is generally limited to
passing off, acting solely to destroy a rival, and using independently illegal
methods. Here, allegedly embedding spyware on LP’s clients’ websites to engage
in reverse engineering, injecting tracking markers into LP’s systems to
facilitate unauthorized data mining, manipulating LP’s software on client
deployments to reduce its performance, and deploying software code designed to
suppress the proper operation of LP’s technology, would either be independently
illegal or would constitute passing off.
(Hunh? How is this passing off?)
Finally, unjust enrichment was adequately pled.
No comments:
Post a Comment