Small company successfully pleads materiality/damage against Microsoft

TocMail Inc. v. Microsoft Corp., 2021 WL 5084182, No. 20-60416-CIV-CANNON/Hunt (S.D. Fla. Jul. 16, 2021)

Previous ruling; new judge still finds the false advertising claims sufficiently pled. TocMail sued Microsoft for false advertising of its cloud-based cybersecurity software, Safe Links, which competes with TocMail’s cloud-based link scanner, as part of a greater Advanced Threat Protection program that accompanies Office 365.

Most malicious websites allegedly send users to malicious sites but send security software to benign sites to avoid detection. TocMail alleged that other cloud-based scanners have a key weakness allowing bad guys to discriminate based on the IP address of the user that clicked the link, since cloud-based link scanners (including Safe Links) cannot mimic a user’s IP address. TocMail alleged that only its patented product can successfully protect cloud-based servers from IP cloaking attacks by sending users directly to the benign site to which the link scanner had been redirected. Thus, Microsoft allegedly falsely advertises its scanner as possessing a security capability that it does not actually possess; TocMail identified statements such as “a higher standard of security at lower cost than ... [is available] with on-premises productivity servers [which are not vulnerable to IP cloaking],” “with Safe Links, we are able to protect users right at the point of click by checking the link for reputation and triggering detonation if necessary,” Safe Links “ensure[s] hyperlinks in documents are harmless,” and Office provides “the benefits of cloud computing with ... enterprise-grade security.”

A previous version of the complaint alleged false advertising and contributory false advertising, and the latter claim was dismissed; TocMail refiled with a single count of false advertising. Microsoft moved to dismiss again for want of materiality/injury.

“Although the Eleventh Circuit appears not to have characterized the materiality standard specifically in Lanham Act cases, it has noted in related contexts that materiality is a mixed question of law and fact that requires delicate assessments of the inferences that a reasonable person would draw from a given set of facts, and therefore, that such assessments are peculiarly ones for the trier of fact.” Microsoft argued that Safe Links represented only one of the many services included in Office 365 and is not, by itself, an “inherent quality or characteristic of the product.” TocMail rejoined that security is one of Office 365’s major selling points, and that it had alleged an effect on consumer behavior. The court sided with TocMail. Microsoft had allegedly admitted that “organizations must consider security” when deciding on whether to accept cloud-based services; and that “[b]usinesses and users are going to embrace technology only if they can trust it,” and its 2020 Form 10-K stated that “[t]he security of our product and services is important in our customers’ decisions to purchase or use our products or services.” That was sufficient at the pleading stage.

Injury: Microsoft argued that TocMail could not have suffered injury because TocMail did not have its product readily available until 2019, and because it markets only one service and has little brand recognition, so it is too small to plausibly allege it has been reputationally harmed by Microsoft’s marketing campaign. TocMail responded that it has in fact entered the market by actively marketing and selling a competing product through their website. TocMail was also seeking disgorgement, so it argued that it didn’t need to show actual harm. At the motion to dismiss stage, the court wouldn’t seek to calculate damages. TocMail sufficiently pled injury by alleging that TocMail and Microsoft currently compete for the same customers, and that it “is hindered from selling its patented solution because Microsoft has convinced companies that is has already solved this issue.”