Oracle Blog of Tactical Law Group LLP

How Oracle’s Sales Model Creates ERP Failure Risk

1/22/2026

By Pam Fulmer

Failed ERP implementations are often described as “project problems.” Oracle reinforces this framing, pointing to implementation partners, change management challenges, or customer indecision. That narrative is convenient—and misleading. In many NetSuite SuiteSuccess or Oracle Fusion disputes, the root cause of failure is not poor execution. It is how Oracle sells ERP systems in the first place. The sales model itself creates predictable legal and operational risk, long before the first data is migrated.

Understanding that model is critical for executives and in-house counsel assessing litigation risks and rewards, contract termination scenarios, or settlement strategy with Oracle.
This blog post is based on a review of actual litigation filed against Oracle involving its ERP software and failed ERP implementations to demonstrate Oracle’s playbook and identify common themes across the disputes.

Oracle Sells Certainty—While Structurally Avoiding Accountability

Oracle’s ERP sales strategy is built around a fundamental tension:

Promise certainty to close the deal
Disclaim responsibility once the deal closes

During the sales cycle, Oracle positions itself as a trusted business advisor and often leads solution design discussions. From these discussions, Oracle identifies required modules. Oracle sales represent that by purchasing this specific set of modules, the customer’s requirements discussed during the sales cycle can be met. Oracle markets NetSuite SuiteSuccess and Oracle Fusion as integrated, proven solutions and emphasizes speed, standardization, and reduced risk.

After contract execution, and once disputes arise, Oracle abruptly changes its posture. Oracle claims it merely licensed the software and points to implementation partners as the reason for the failures. Then Oracle relies on contractual disclaimers in its Subscription Services Agreement (“SSA”) to attempt to avoid responsibility. Many customers are unaware of the SSA, which is the governing agreement because it is buried in a disguised and grayed out hyperlink on the Estimate Form.
This structural disconnect is not incidental—it is the core of many ERP disputes.

The Modular Sales Trap: Selling Pieces as a “Solution”

Oracle sells ERP systems as bundled modules, while contractually treating each module as an isolated product. From a business perspective, customers are told the modules work together seamlessly, the configuration supports their industry, and the ERP will deliver defined operational outcomes.

Once a dispute arises and from a legal perspective, Oracle later argues that each module stands alone and that the integration risk belongs to the customer and the customer was solely responsible in determining whether the solution is fit for its business.

When the combined system does not function as promised, Oracle characterizes the failure as implementation error rather than solution design failure, even when Oracle itself selected the architecture.

SuiteSuccess: Speed as a Sales Weapon, Not a Delivery Reality

SuiteSuccess is Oracle’s most aggressive example of sales-driven risk. It is marketed as:

Industry-specific
Preconfigured
Faster to deploy
Lower risk than traditional ERP

In practice, many SuiteSuccess failures arise because the standardized configuration does not match real-world operations, critical functionality is missing or immature, extensive customization is required despite promises to the contrary, and the timeline was unrealistic from the outset. Plaintiffs in these cases against Oracle claim that Oracle used high pressure sales tactics to close the deal, but that Oracle’s scoping was inadequate and incomplete and risks were either minimized or omitted all together.

The Partner Buffer: Shifting Risk Without Reducing It

It appears that Oracle’s heavy reliance on implementation partners is not merely operational—it is strategic. Partners allow Oracle to:

Accelerate sales without staffing delivery
Shift execution risk downstream
Preserve subscription revenue regardless of outcome

But this structure does not eliminate risk—it redistributes it to the customer.

However, in many disputes Oracle selected or strongly influenced the choice of partner and relied on partner participation to close the deal during the sales cycle. But once the deal closed and problems arise, Oracle disclaims all responsibility for the partner’s performance. This creates a risk vacuum, where Oracle controls the sale, the partner controls execution, and the customer bears the consequences when the system fails.

Information Asymmetry: Oracle Knows More Than It Tells

One of the most overlooked aspects of Oracle ERP disputes is information asymmetry.
Oracle typically knows how often similar implementations fail and which configurations break down. Oracle also has knowledge of which modules are immature or unstable and how dependent success is on customization. Customers do not know these things and rely on Oracle’s greater expertise and knowledge.

When Oracle sells ERP solutions without disclosing known risks—or affirmatively minimizes them—it creates fertile ground for claims based on misrepresentation and concealment.
ERP litigation often turns on what Oracle knew, when it knew it, and how much of that information was withheld during the sales cycle.

Why These Disputes Are Predictable—and Repeatable

The same patterns appear across publicly filed Oracle NetSuite and Fusion disputes:

Aggressive sales timelines
High pressure sales tactics including the threat that deep discounts will disappear if the deal is not closed on Oracle’s timeline
Overstated functionality by Oracle sales personnel during the sales cycle
Partner dependency and customization risk downplayed or not mentioned at all
Risk shifted contractually after the fact

Then after the contract is signed and the customer encounters severe implementation problems similar patterns emerge.

If Oracle is doing the implementation, frequent personnel changes that lead to loss of knowledge and inefficiency
Language barriers with the offshore Oracle team
Additional third-party software must be purchased to achieve promised functionality
Costs escalate and balloon well over initial estimates
Oracle or its assignee enforces subscription payments despite failures and inability to deliver an operational system

These are not one-off anomalies. They are the natural byproduct of a sales model that prioritizes closing deals over the feasibility of delivering the promised functionality. From a legal standpoint, predictability strengthens customer claims—it undermines Oracle’s argument that failure was unforeseeable or partner-specific.

What Executives and In-House Counsel Should Take From This

When an Oracle ERP fails, the most important question is not:
“What went wrong during implementation?”
It is:
“Was this system ever realistically capable of delivering what Oracle sold?”
That question reframes the dispute from project management to sales conduct, risk disclosure, and solution viability—where Oracle is far more exposed.

The Bottom Line

Oracle ERP failures are often not execution mistakes. They are sales-driven failures, rooted in a business model that appears based on the filed cases to separate promise from accountability.
For companies facing NetSuite or Oracle Fusion disputes, recognizing this reality early can fundamentally change:

Litigation strategy
Termination leverage
Damage recovery
Settlement dynamics

Final Thought: ERP Risk Is Created Long Before Go-Live

By the time an ERP fails in production—or never reaches go-live—the legal issues are already baked in. They were created during the sales cycle, not the implementation phase.
Companies that understand Oracle’s sales model are far better positioned to challenge Oracle’s defenses—and to avoid funding a failed ERP indefinitely.

During the sales cycle it is important to document Oracle’s promises in emails and other communications. Oracle’s playbook of setting up Zoom calls to do the scoping and requirements gathering often does not leave a paper trail. Oracle customers must create one, and they must preserve carefully these pre-contract communications made by Oracle during the sales cycle.

Our attorneys advise clients on strategies to resolve disputes with Oracle and its partners when a NetSuite SuiteSucces or Oracle Fusion project goes off the rails.

0 Comments

Oracle Java Licensing Enforcement: How “Friendly Outreach” Is Driving Significant Compliance Risk

1/21/2026

0 Comments

By Pam Fulmer

Across industries, companies are increasingly reporting a common pattern in Oracle’s approach to Java licensing. What often begins as a polite, informal inquiry about Java usage can quickly escalate into a high-dollar compliance demand—sometimes reaching into the millions of dollars—followed by pressure to purchase enterprise-wide Java subscriptions.

Often in house counsel is not even aware that Oracle has reached out to various IT personnel. They only become aware when a multi-million dollar licensing demand is escalated to the legal department. And then much of the damage has already been done.

Oracle is able to identify organizations that have downloaded or deployed Java. An Oracle Java team member initiates contact under the guise of a routine security or licensing discussion, and then leverages information voluntarily provided by the company to assert noncompliance. The risk is compounded by Oracle’s revised Java subscription model, which can dramatically increase licensing exposure based on employee headcount rather than actual Java usage.

This article explains what is happening in the Java licensing marketplace, why so many companies are caught off guard, and what organizations should do now to reduce risk before Oracle comes calling. And if Oracle is already on your door step, our law firm assists companies in resolving disputes with Oracle over Java.

Oracle’s Shift From Traditional Audits to “Soft” Java Enforcement

Historically, software compliance disputes began with a formal audit letter invoking contractual audit rights. Oracle’s current Java enforcement model looks very different.
Many organizations now report receiving:

A cordial email requesting a short call about Java licensing
A message asking the company to “confirm Java usage”
A discussion framed around Java security updates or licensing alignment

These communications rarely mention audits, noncompliance, or breach. As a result, they are often routed to IT teams or handled informally. That initial informality is precisely what creates risk, and is probably why Oracle chooses this path in order to avoid the legal department and to get to the information that it wants so it can claim a huge non-compliance gap before management or legal even knows about the outreach.

Once Oracle receives deployment information, the engagement often escalates quickly—sometimes moving from a casual inquiry to a significant financial claim within days or weeks.

How Oracle Identifies Java Users

A common misconception is that only companies with existing Oracle contracts are exposed to Java audits. In reality, Oracle’s Java licensing enforcement extends well beyond traditional Oracle customers.

Oracle has visibility into Java activity through various touchpoints, including downloads obtained through Oracle-controlled distribution channels. When Java is downloaded using identifiable credentials or corporate domains, Oracle can associate that activity with a specific organization.

This is why companies that believe they “do not use Oracle software” or “have never purchased Java” are often surprised to receive settlement demands from Oracle. From Oracle’s perspective, download activity alone may be sufficient to justify initiating a licensing discussion.

Why the First Response Matters More Than Companies Realize

When Oracle contacts an organization about Java, it typically requests information such as:

Where Java is installed
How many users or systems run Java
Whether Java is used in production, development, or testing

Companies often respond with estimates, partial inventories, or assumptions. That information—once provided—frequently becomes the basis for Oracle’s compliance position and monetary claims.

The problem is not simply whether the information is accurate. It is that:

Java is often deployed incidentally, not intentionally
Many organizations lack a centralized Java inventory
Different Java distributions and versions have different licensing implications
Some software comes with an embedded Java licenses, so there is no compliance issue

What starts as an attempt to be cooperative can quickly create a record that Oracle later relies on to justify a multi-million dollar licensing demand.

Why Java Compliance Exposure Escalates So Quickly

A. Java Is Embedded Throughout Enterprise IT Environments

Java appears in far more places than most companies expect, including:

Legacy enterprise applications
Third-party commercial software
Developer workstations
Build servers
Virtual desktop environments
Cloud images and containers

Because Java is frequently bundled with other software or installed automatically, organizations often underestimate how widely it is deployed.

B. Oracle’s Java Subscription Model Multiplies Cost

Oracle’s current Java licensing framework is subscription-based. In recent years, Oracle has emphasized pricing models that can be tied to total employee headcount rather than actual Java installations.

For many organizations, this creates a severe mismatch between usage and cost:

A limited number of Java deployments can trigger enterprise-wide subscription requirements
Employee-based pricing dramatically increases exposure for mid-sized and large companies
The cost to “resolve” an audit may bear little relationship to the business value derived from Java

This is why Java compliance claims routinely reach millions of dollars, even when Java is not mission-critical.

C. Ongoing Confusion About “Free Java”

Despite years of changes to Java licensing, confusion remains widespread. Many companies assume:

Java is open source
All OpenJDK distributions are interchangeable
Upgrading eliminates licensing risk

In reality, Java licensing depends on:

The specific distribution (Oracle JDK vs. OpenJDK vs. third-party builds)
The version and update history
The applicable license terms at the time of use

Mistaken assumptions about “free Java” are one of the most common drivers of compliance disputes.

Oracle’s Leverage Strategy in Java Licensing Disputes

IIn practice, Oracle’s Java enforcement approach often follows a consistent pattern:

Identify potential Java usage through download activity or other signals
Initiate friendly outreach that does not resemble a traditional audit
Request self-reported deployment information
Highlight gaps, uncertainty, or risk in the company’s responses
Present subscription purchases as the fastest and safest way to resolve the issue

The pressure to “fix the problem” quickly—combined with licensing complexity—often leads companies to agree to broad Java subscriptions without fully evaluating alternatives.

What Companies Are Doing in Response

As Java enforcement has intensified, organizations are increasingly reassessing their Java strategies. Common responses in the marketplace include:

Standardizing on non-Oracle Java distributions where feasible
Actively removing Oracle JDK from environments where it is not required
Tightening controls over Java downloads and installations
Centralizing Java inventory and license governance

Even companies that ultimately continue using Oracle-licensed Java are approaching negotiations more deliberately, with a clearer understanding of their actual needs and risk profile.

Practical Steps to Reduce Java Audit and Licensing Risk

Before Oracle Contacts You

Proactive planning significantly reduces exposure.

Establish a clear policy identifying approved Java distributions
Limit downloads from Oracle-controlled Java sources unless intentionally licensed
Inventory Java across servers, desktops, virtual environments, and cloud workloads
Remove legacy or unused Java installations
Educate IT and development teams on Java licensing boundaries

If Oracle Has Already Reached Out

The first response often determines the trajectory of the engagement.

Treat the outreach as a legal and commercial matter, not a technical request
Do not provide deployment data before completing an internal review
Designate a single point of contact
Ask Oracle to clarify the scope and basis of its inquiry in writing
Retain experience outside counsel who have dealt with Oracle before in disputes involving Java licensing

Early discipline can prevent an informal conversation from becoming an expensive compliance dispute.

Conclusion

Oracle’s Java licensing enforcement is no longer passive or occasional. It is systematic, data-driven, and increasingly detached from traditional audit formalities. Organizations that assume Java is low risk—or that a friendly email requires a friendly response—are often caught unprepared.

Companies that take proactive steps to understand their Java footprint, control deployments, and manage communications are far better positioned to avoid coercive licensing outcomes and unnecessary enterprise-wide subscriptions. However, if your company has already been contacted by Oracle or has shared Java related data with Oracle, then it is time to retain experienced outside counsel to assist the company in resolving the dispute.

Tactical Law has assisted multiple clients to resolve Java licensing disputes with Oracle.

0 Comments

Brown v. GlobalLogic and Oracle: Key Allegations, Oracle E‑Business Suite, and What It Means for Customers

11/13/2025

1 Comment

By Pam Fulmer

A new class action filed in the Western District of Texas alleges that GlobalLogic Inc. and Oracle Corporation failed to protect highly sensitive personal information associated with GlobalLogic’s workforce. The complaint, brought by a former GlobalLogic employee, ties the incident to a zero‑day vulnerability that affected Oracle E‑Business Suite (EBS), and it raises significant questions for organizations that run HR, payroll, and finance on Oracle’s flagship ERP platform. A "zero day" (also written as "0-day") refers to a previously unknown software vulnerability that is discovered and exploited by attackers before the software vendor becomes aware of it and has a chance to develop and release a fix or patch. The term "zero day" comes from the fact that the vendor has had zero days to address and remediate the vulnerability. Below is a concise overview of the allegations, the Oracle software at issue, the timeline, and potential implications for Oracle and its customers.

Who the parties are and where the case was filed

Plaintiff: Arianna M. Brown, a New York citizen and former GlobalLogic employee, sues on behalf of a proposed nationwide class of individuals whose PII was compromised. (p. 3)
Defendants: GlobalLogic Inc. (Delaware; principal place of business Santa Clara, CA) and Oracle Corporation (Delaware; principal place of business Austin, TX). (p. 3)
Jurisdiction/venue: CAFA jurisdiction is alleged; venue is the Austin Division of the Western District of Texas based on Oracle’s principal place of business. (p. 3)

What Oracle software is involved?

The complaint squarely focuses on Oracle E‑Business Suite. GlobalLogic allegedly “uses Oracle E-Business Suite, a collection of applications, to manage core business functions such as finance, HR, accounts payable and receivable.” (p. 2) The plaintiff alleges Oracle issued a security advisory on October 4, 2025 concerning a previously unknown zero‑day exploit, that GlobalLogic determined its Oracle instance was exploited, and that the exfiltrated data came from the Oracle platform hosting HR information. (p. 7)
Based on GlobalLogic’s description, the exposed HR data could include names, contact details, dates of birth, nationality and passport information, employee identifiers, SSNs or other national identifiers, salary data, and bank account and routing numbers. (p. 8) For EBS customers, this underscores the sensitivity of the data commonly centralized in HR/payroll modules.

The alleged timeline

Earliest threat actor activity: July 10, 2025. (p. 7)
Most recent activity: August 20, 2025. (p. 7)
Oracle advisory: October 4, 2025 (previously unknown zero‑day). (p. 7)
Exfiltration identified: October 9, 2025. (p. 7)
Notification: Began November 7, 2025; at least 10,471 individuals impacted according to a filing with the Maine Attorney General. (p. 8 , p. 8)

GlobalLogic states it activated incident response, engaged third‑party cybersecurity experts, notified law enforcement, and applied Oracle’s patches upon release. (p. 7) The plaintiff alleges that notification lagged roughly 120 days after initial malicious activity. (p. 8)

Alleged harms and risks

The plaintiff claims actual misuse (a ~$520 fraudulent debit card charge in or around September 2025), increased spam/scam outreach, and ongoing time and anxiety related to monitoring. (p. 11) The complaint emphasizes continuing risks of identity theft given the breadth of HR data allegedly accessed and notes that the breach notice advised vigilance, fraud alerts, and potential contact with the FTC and law enforcement. (p. 9)

Theories of liability

The complaint pleads six causes of action:

Negligence: Alleged failure to implement and maintain reasonable security, to detect unauthorized access, to timely notify, and to adhere to industry standards; foreseeability of harm from compromised PII. (p. 22)
Negligence per se: Alleged violations grounded in Section 5 of the FTC Act and related FTC guidance regarding reasonable data security. (p. 25)
Breach of Implied Contract: PII provided as a condition of employment, with implied promises (and policy representations) to safeguard and promptly notify; alleged material breach by failing to safeguard and to notify. (p. 27)
Invasion of Privacy: Highly offensive unauthorized acquisition and disclosure of highly sensitive PII; alleged knowing inadequacy of security and notification delays. (p. 30)
Unjust Enrichment (pled in the alternative): Defendants allegedly benefited from employees’ PII and saved costs by underinvesting in security, unjustly retaining the benefit. (p. 32)
Breach of Fiduciary Duty: Alleged fiduciary obligations to safeguard PII, timely notify, and maintain accurate records; alleged breach through insufficient protection and delay. (p. 33)

Requested relief includes class certification, damages (including punitive where available), restitution/disgorgement, injunctive and declaratory relief, fees, and interest. (p. 34)

What this could mean for Oracle

Litigation exposure alongside customers: By naming Oracle, the lawsuit highlights a trend where platform vendors may be sued together with customers when a vulnerability is implicated. The complaint asserts that many Oracle customers may have been impacted and that GlobalLogic’s Oracle instance was exploited. (p. 8)
Spotlight on secure development and advisories: Oracle’s advisory on October 4, 2025 regarding a previously unknown zero‑day will likely focus discovery on secure development lifecycle, vulnerability disclosure, and emergency patching cadence. (p. 7)
Shared responsibility debates: Expect arguments about the division of responsibilities between Oracle (code/vendor advisories and patches) and customers (configuration, identity and access management, monitoring, segmentation). The complaint advances broad duty allegations against both companies. (p. 20)
Contract and representations scrutiny: While the complaint quotes GlobalLogic’s privacy policy and recruitment notice to establish data protection representations, plaintiffs may also explore any Oracle contractual terms or security documentation for representations and reliance. (p. 6)

Implications and practical steps for Oracle EBS customers

Given the alleged vector and data at issue, organizations running EBS for HR and finance should consider the following steps:

Map and minimize HR data in EBS: Identify exactly which PII elements reside in EBS HR modules and assess encryption at rest/in transit, tokenization options (e.g., SSNs, bank details), data minimization, and retention. The complaint’s description of impacted fields illustrates the breadth of sensitive data often centralized in EBS. (p. 8)
Accelerate zero‑day response: Establish a rapid pipeline for processing Oracle critical advisories—triage, exploitability assessment, emergency change windows—and deploy compensating controls (WAF rules, segmentation) while patching. The timeline suggests adversary activity predating public advisories, reinforcing the need for layered defenses. (p. 7)
Monitor for exfiltration from EBS: Tune database activity monitoring, DLP, and egress controls to EBS data flows, with alerts for bulk exports or anomalous queries and sufficient logging for forensics. The complaint alleges exfiltration on a particular date, making rapid detection and containment crucial. (p. 7)
Rehearse breach notification workflows: Coordinate legal, HR, and IT to satisfy multi‑state notification requirements and avoid delays that can exacerbate harm and litigation risk. The complaint flags a roughly 120‑day gap before notices began. (p. 8)
Revisit vendor contracts and SLAs: Clarify roles and expectations for vulnerability disclosure, patch SLAs, hardening guidance, telemetry, and incident coordination among Oracle, managed service providers, and your team. (p. 7)

What to watch procedurally

Defendants will likely contest class certification and move to dismiss certain claims, particularly around the existence and scope of duties, causation, and damages, and whether Oracle, as a platform vendor, owed duties directly to GlobalLogic’s employees. Expect factual disputes over controls in place, detection/notification timelines, and the extent of any misuse. The court’s treatment of duty and causation in a shared‑responsibility context will be closely watched by Oracle customers and other ERP platform users.

Bottom line

Brown v. GlobalLogic and Oracle places Oracle E‑Business Suite at the center of a high‑stakes data breach class action and highlights the operational and legal risks when zero‑days intersect with platforms that centralize highly sensitive employee data. Regardless of outcome, the allegations provide a timely reminder to EBS customers to tighten zero‑day preparedness, harden identity and access, monitor for exfiltration, streamline notification workflows, and clarify vendor/customer responsibilities.

1 Comment

New Class Action Targets Adobe’s “Dark Pattern” Subscription Practices — A Call for Fairness and Full Disclosure

11/12/2025

0 Comments

By Pam Fulmer

A new putative class action filed in the Northern District of California alleges that Adobe deceives consumers into year-long, automatically renewing “annual, billed monthly” plans, obscures material terms and early termination fees in fine print and hyperlinks, and makes cancellation unduly difficult. The complaint also challenges Adobe’s dispute-resolution scheme, alleging the company refuses to pay arbitration fees and then forces consumers into small-claims court, depriving them of meaningful remedies. The suit seeks damages, restitution, injunctive relief, and a declaration that Adobe’s small-claims provision is unenforceable.

What the case is about

•   The core allegation: Adobe prominently advertises per month pricing but defaults consumers into “annual, billed monthly” (ABM) commitments, while failing to clearly disclose that the plan auto renews and carries a steep early termination fee equal to 50% of remaining monthly payments if canceled within the first year. The complaint says these key terms are relegated to fine print and a web of hyperlinks rather than clearly and conspicuously presented at checkout.
•   Cancellation obstacles: Plaintiffs allege Adobe’s online cancellation flow requires navigating multiple screens, prompts, and sometimes live-agent interactions, with “offers” to deter cancellation; at times, online cancellation may be disabled, pushing consumers to other channels.
•   Dispute resolution concerns: According to the complaint, Adobe requires a pre arbitration “informal” process, designates JAMS arbitration, but then refuses to pay JAMS fees and invokes a “small claims election” to shut down arbitration—effectively routing consumers to small claims court where counsel, discovery, and appeal are limited or unavailable.

Why this matters: fairness and full disclosure

At bottom, the case is about transparency. Subscription sellers must clearly and conspicuously disclose auto renewal terms, obtain affirmative consent, and provide easy, immediate online cancellation. Consumers should not be surprised by hidden minimum commitments, opaque renewal mechanics, or penalty fees buried in small type or behind hyperlinks. While Adobe is the defendant here, the industry at large should take note—companies like Oracle have also been criticized by customers and commentators for burying impactful terms behind inconspicuous hyperlinks. Clear, front and center disclosures and frictionless cancellation build trust, reduce disputes, and align with modern statutory requirements and regulator expectations.
Summary of the claims pled

The complaint asserts California consumer protection causes of action and seeks declaratory relief:

•   Declaratory judgment: A declaration that Adobe’s “small claims” provision is unconscionable and unenforceable; that Adobe has breached or waived any agreement to arbitrate by refusing to pay required arbitration fees; and that its terms do not constitute a valid FAA arbitration agreement as used.
•   California Consumer Legal Remedies Act (CLRA): For alleged misrepresentations and omissions regarding subscription characteristics and cancellation terms; advertising without intent to sell as advertised; representing rights/obligations that differ from reality; and inserting unconscionable terms.
•   False Advertising Law (FAL): For allegedly untrue or misleading statements by commission and omission regarding pricing, plan nature (monthly vs. annual commitment), renewal, and cancellation penalties.
•   Unfair Competition Law (UCL): “Unlawful,” “unfair,” and “fraudulent” prongs based on the same conduct, including alleged violations of the ARL, CLRA, and FAL; seeks restitution, disgorgement, and injunctive relief to stop deceptive designs and mandate clear disclosures.
•   Automatic Renewal Law (ARL) violations as the predicate: Plaintiffs allege Adobe failed to present auto renewal terms “clearly and conspicuously,” failed to obtain affirmative consent, failed to provide a retention capable acknowledgment with cancellation methods, misrepresented material facts, and failed to allow “online, at will” termination via a prominent link or immediate termination email—all resulting in unlawful charges and remedies including restitution.

Alleged practices highlighted in the complaint

•   “Annual, billed monthly” default and fee disclosure: The ABM plan’s monthly price is emphasized visually; the annual commitment and 50% early termination fee are not clearly called out in proximity to consent, according to plaintiffs. The complaint details screens where fine print is minimized or pushed below the fold, and where the “Terms of Use” and “Subscription and Cancellation Terms” hyperlinks appear only at the final payment stage after personal and billing information is entered.
•   Early termination fee: For ABM plans, canceling in the first year triggers a fee equal to 50% of remaining monthly payments—allegedly a material term not disclosed clearly and conspicuously during enrollment.
•   “Cancel anytime” ambiguity: Plaintiffs say “cancel anytime” messaging conflicts with fee deadlines and limited refund windows, confusing consumers about real cancellation rights.
•   Obstacles to cancellation: Multi page flows, prompts, and occasional forced customer support interactions; sometimes online cancellation is unavailable (e.g., during payment processing issues), contrary to ARL’s “online, at will” mandate, plaintiffs allege.
•   Arbitration/Small claims pivot: The complaint asserts Adobe refused to pay JAMS’ fees after demands were filed and invoked a small claims election to administratively close arbitrations—then argued consumers must proceed in small claims court, which cannot award the injunctive relief sought under the UCL, FAL, and CLRA.
Relief sought

Plaintiffs seek class certification; damages; restitution and disgorgement; declaratory relief regarding the dispute-resolution terms; civil penalties; injunctive orders to cure disclosures and cancellation flows; and fees and costs.
Nature of the class action proceeding

The complaint seeks certification of a nationwide class of all natural persons in the United States who paid for Adobe subscriptions during the applicable limitations period. Plaintiffs allege common questions predominate—such as whether Adobe’s presentation of auto renewal terms was clear and conspicuous, whether affirmative consent was obtained, whether disclosures and cancellation methods satisfied the ARL, and whether marketing and UX choices were misleading or unfair. They contend a class action is the superior method to resolve uniform design and disclosure practices, given relatively modest per consumer losses and the burdens of individual litigation.

Takeaways for businesses and consumers

•   Put critical terms up front: If a plan is annual with monthly billing, say so conspicuously at every relevant step, alongside any early termination fee and renewal mechanics.
•   Obtain clear consent: Secure express, unambiguous assent to auto renewal terms; don’t bury consent in small print or optional hyperlinks late in checkout.
•   Make cancellation immediate and online: Provide a prominent “Cancel” link or button and allow immediate termination without friction or delays, consistent with modern statutory standards.
•   Design for trust: Hidden hyperlinks, fine print traps, or obstructive flows draw litigation and regulatory scrutiny. Companies across the software and cloud ecosystem—including those, like Oracle, that have faced criticism for concealing impactful terms in nested links—should embrace transparent, consumer centric UX and disclosures.

Conclusion

The Foret v. Adobe class action illustrates how the modern contract of adhesion has evolved from fine print to fine links. As digital interfaces become the new vehicles for assent, courts and regulators are signaling that hidden hyperlinks and misleading design choices will not withstand scrutiny.
Software and cloud vendors that rely on automatic renewals or tiered billing should review their contracting processes now—before deceptive hyperlink practices become the next wave of consumer litigation.

About Tactical Law Group LLP

Tactical Law Group LLP is a boutique law firm focused on technology contracts, software licensing disputes, and failed ERP and cloud implementations. Our attorneys monitor emerging litigation trends affecting SaaS providers, resellers, and customers across the United States.

For further insights into deceptive subscription practices and hidden online agreements, visit tacticallawgroup.com

0 Comments

Lessons from ERP Lawsuits: Key Contract Provisions and Litigation Themes

11/10/2025

0 Comments

By Pam Fulmer

Enterprise Resource Planning (ERP) software is meant to unify a company’s core functions — finance, inventory, HR, sales, and operations — into one seamless system. But when implementations go wrong, they go spectacularlywrong. Multi-million-dollar projects can collapse under the weight of poor planning, hidden contract risks, and unrealistic promises.
Over the last several years, ERP lawsuits have surged as businesses confront failed go-lives, blown budgets, and software that simply doesn’t work as promised. These cases reveal recurring contractual pitfalls and litigation themes that every company should understand before signing — or litigating — an ERP deal.

1. The “One-Sided” Contract Problem

ERP contracts are almost always vendor-drafted, and rarely negotiated deeply enough. These agreements typically limit termination to “material breach,” restrict remedies to “re-performance,” disclaim reliance on pre-contract statements, and cap damages at the fees paid. In other words, the playing field is tilted in favor of vendors such as Oracle and SAP.
In practice, that means the customer is paying for the privilege of having no meaningful remedy when the project fails.

Courts scrutinizing ERP disputes have found that contractual asymmetry—where one side controls performance and the other bears the risk—can support claims of unconscionability, misrepresentation, or even fraud in the inducement. Companies entering new ERP engagements should focus on balancing rights and obligations: termination for cause, realistic service-level commitments, and clear consequences for missed milestones.

2. Misrepresentation and “Sales Cycle Fraud”

A consistent litigation theme in ERP cases involves misrepresentations during the sales cycle. Vendors often tout “industry-specific solutions,” “pre-configured accelerators,” or “SuiteSuccess”-type templates that supposedly guarantee rapid implementation. Sales teams are often comprised of individuals who have no real understanding of the technology they are promoting but they are excellent communicators and adept at instilling trust in the unsuspecting customer.  Do not fall for the sweet talking sales person trap.

In many lawsuits, discovery reveals that these representations were marketing talking points, not deliverables. When the customer later discovers that the promised functionality or timeline was unattainable, the question becomes whether those statements were mere “puffery” or actionable misrepresentations. Also, many of the initial scoping meetings are held online via Zoom or Teams.  Vendors avoid putting anything in writing, but are willing to make all kinds of promises orally in the meetings.  Ask vendors for permission to record the meetings.  If they balk, then be ready to take excellent notes and follow-up the meetings afterwards with emails to the vendor confirming what was discussed.  ERP customers need to create their own paper trail to best protect themselves.

Recent decisions suggest that where a vendor’s sales claims are specific (e.g., “this system will meet your regulatory requirements on Day One”), and the customer reasonably relied on them, courts are increasingly willing to let fraud claims proceed alongside breach of contract claims. And under California law, fraud in the inducement will cause any economic loss defense to fail if properly pled at the pleading stage.

3. The “Scope Creep” and Change Order Trap

Another major litigation driver is scope management. ERP projects evolve — modules are added, integrations multiply, and “configuration” quietly turns into “customization.”
If the contract lacks clear change management procedures, vendors often exploit ambiguity to demand additional fees, delay timelines, or avoid accountability. Conversely, if the client pushes changes informally, the vendor may later claim those requests voided the original timeline or deliverables.

Successful ERP contracts establish formal change control processes: written approval, pricing mechanisms, and impact analysis for each modification. In litigation, these documents often become the paper trail proving which party expanded or derailed the project scope.

4. Data Migration and Integration Failures

Data migration is the unsung villain of ERP disasters. Vendors frequently understate the effort required to cleanse, map, and migrate legacy data — leading to failed go-lives and business disruption.  Customers usually have no real understanding of the hours of commitment and hard work that this aspect of the implementation will require.

When litigation follows, discovery often shows that the vendor never performed adequate data assessment or testing. The resulting claims focus on negligent implementation, breach of professional standards, or failure to deliver a system fit for purpose.
Contractually, data migration and integration should be treated as core deliverables, not optional services. Define ownership, responsibilities, and testing protocols in the statement of work — not in vague “collaborative” language.

5. The “Go-Live” Decision and Post-Implementation Failures

A common flashpoint in ERP lawsuits is the go-live date. Vendors push for early go-live declarations to trigger milestone payments or project “completion.” Customers, meanwhile, may be pressured to sign off despite known defects.  Customers should resist such efforts and only sign off when the system is truly ready.  Otherwise, customers are in for a world of hurt.

Once the system goes live, vendors often argue that subsequent problems are support issues, not implementation failures — insulating them from liability under “acceptance” provisions.

Litigation frequently turns on whether the system was ever truly “accepted,” whether acceptance testing was manipulated, and whether the vendor concealed known deficiencies. Clear acceptance criteria and documented testing results can make or break a case.

6. Limitation of Liability and Damages Cap Clauses

Nearly every ERP contract includes a limitation of liability provision capping damages at fees paid — even if the project destroyed millions in business value. Courts generally enforce such caps unless there’s evidence of intentional misconduct, gross negligence, or fraud.

That’s why allegations of fraud in the inducement or willful misrepresentation are common in ERP litigation: they can open the door to consequential damages or rescission despite contractual caps. And as discussed above, many case fact patterns show slick sales teams overselling capabilities and inducing potential customers into expensive cloud software agreements that never really work.

From a drafting standpoint, customers should negotiate carve-outs for fraud, gross negligence, and data loss, and vendors should ensure those carve-outs are narrowly drawn to maintain predictability. If a vendor will not make changes to these provisions, you may want to find another vendor who will.

7. Arbitration vs. Litigation: Procedural Posture Matters

Many ERP contracts require arbitration — often in vendor-friendly venues. Yet post-termination and other disputes can raise intellectual property and data ownership issues that fall outside arbitration clauses.

Recent cases have tested whether unauthorized post-termination use or data withholding constitutes a “contractual” dispute or a statutory or property rights claim, potentially allowing litigation in court despite an arbitration clause.

Counsel should carefully analyze whether an arbitration clause actually governs all disputes, particularly where IP rights or fraud claims are at issue.

Vendors like arbitration clauses because they can cloak their failures in secrecy in confidential arbitration proceedings rather than in a public court of law.  Instead, of agreeing to arbitration, consider deleting such clauses and adopt language that allows parties to seek relief in federal or state court.  The threat of a public lawsuit filing will often cause ERP vendors to be more willing to look for common ground in an attempt to avoid a messy public lawsuit.

8. Lessons for Future Contracts — and Litigation Strategy

The pattern across ERP lawsuits is strikingly consistent:

Over-promised and under-delivered software
Vague or one-sided contracts
Poor project governance
Misrepresented implementation readiness
Unclear acceptance and change control mechanisms

For companies entering new ERP projects, contract prevention is the best litigation defense. For those already in dispute, success often depends on proving vendor misrepresentation, demonstrating non-performance against contractual standards, and preserving evidence from project documentation and communications.

Final Thoughts

ERP implementations are complex, high-stakes undertakings — but the legal issues that arise from them are surprisingly predictable. Whether advising on contract formation or litigating post-go-live failures, understanding the recurring themes in ERP lawsuits helps clients protect their investments and recover losses when vendors fall short.

At Tactical Law Group, we have seen these disputes play out across multiple platforms. Each case reinforces the same message: technology may change, but contract fundamentals do not.

0 Comments

Hidden Traps in Oracle’s Cloud Agreements: What ERP Customers Must Know (and Do) Before They Click “Accept”

11/9/2025

1 Comment

If you’re implementing an ERP system, you’re already juggling risk: budget overrun, schedule slippage, change management, data migration, and integration complexity. The last thing you need is a vendor contract that shifts even more risk onto your organization—often invisibly. Oracle commonly tucks its operative cloud terms into URLs or hyperlinks embedded in Estimate/Order Forms. Those seemingly “standard” terms contain multiple one-sided provisions that can leave customers exposed in precisely the moments they most need leverage.

This article analyzes two Oracle form agreements—the Oracle Cloud Services Agreement (CSA) and the Oracle NSGBU Transactional Subscription Services Agreement for NetSuite (NSA)—to highlight the most customer‑hostile clauses, why they matter in the ERP implementation context, the key differences between the forms, and practical strategies for leveling the playing field. Citations to specific clauses appear in footnotes.
Why “URL terms” and buried hyperlinks matter in ERP deals

They are easy to overlook. Teams focus on scope, price, and timeline laid out in an Estimate/Order Form and miss how the incorporated web terms reallocate risk to the customer. Both agreements expressly incorporate extensive “Service Specifications,” “policies,” and data protection terms by reference, and Oracle reserves the right to update some of them unilaterally during the term—so what you sign today may not be what governs tomorrow. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 9 , id., p. 8 , nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 1 , id., p. 5)
They move critical obligations off-page. Privacy, security, hosting, and support are often defined in linked policies. If those change mid‑implementation or mid‑incident, your remedies can vanish. Oracle expressly allows updates and says they won’t “materially reduce” performance or security—but Oracle decides materiality, not you. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 1 , nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 5)

Customer‑hostile clauses to watch—and why they sting during ERP implementations

Non-cancelable, non-refundable orders; invoice splitting

What Oracle says: Orders are non‑cancelable and sums paid are non‑refundable (subject to narrow warranty remedies). Payments are due net‑30. You may receive multiple invoices. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 1 , id., p. 1)
Why this hurts in ERP: If the project derails, you’re often stuck paying for shelfware. “Multiple invoices” can complicate internal controls and dispute management. In NetSuite’s NSA, the fees are similarly non‑refundable and non‑cancelable, and auto‑renewal is the default unless you give notice. (nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 3 , id., p. 3)
Level the field:
- Add phased acceptance milestones tied to functionality, data migration checkpoints, or integration tests; make future fees contingent on passing acceptance.
- Insert a termination for convenience (T4C) with a fair wind‑down fee cap and a pro‑rata refund of prepaid, unused fees.
- Remove or tightly constrain auto‑renewal; require written mutual renewal at negotiated pricing.

“Excess usage” true-ups

What Oracle says: If you exceed ordered quantities, you must promptly buy and pay fees for the overage. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 1 , nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 2)
Why this hurts: During rollouts, counts fluctuate (e.g., temporary contractors, test users). Surprise true‑ups mid‑implementation can drain budgets.
Level the field:
- Include a buffer (e.g., 10–15%) and quarterly reconciliation, not immediate charge.
- Define who counts as a “User” during testing; exclude non‑production credentials from billable metrics.

Acceptable Use Policy as a suspension lever

What Oracle says: Broad “Acceptable Use Policy” with Oracle’s right to take “remedial action,” including removing or disabling access; grounds include benchmarking and performance testing, and Oracle can suspend for “significant threat” or alleged violations. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 1 , id., p. 4 , nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 3 , id., p. 6)
Why this hurts: ERP implementations require load tests, resilience testing, and integration validation. An overly restrictive AUP plus suspension rights can chill necessary diligence, and any suspension mid‑go‑live is catastrophic.
Level the field:
- Carve out approved performance and security testing in a written test plan with notice and contact protocols.
- Add a “narrowly tailored suspension” clause requiring Oracle to limit suspension to the affected component, with prior notice, cure periods, and SLA credits for any wrongful or overbroad suspension.

Oracle can update services and policies during the term

What Oracle says: Oracle may update services and specifications/policies during the term; it promises not to “materially reduce” performance, functionality, security, or availability. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 1 , nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 5)
Why this hurts: If a key feature is changed or deprecated after you’ve designed processes or integrations around it, remediation costs sit with you unless you negotiate protection.
Level the field:
- Require “no adverse change” to named critical features; if a change materially impairs your documented use case, secure a right to rollback, extended support, or a fee reduction/termination right with refunds.
- Lock the specific version of security, hosting, and support policies for the term unless mutually agreed.

Restrictions that block internal benchmarking and reverse engineering

What Oracle says: Prohibits benchmarking, availability testing, and reverse engineering; performance or vulnerability testing requires prior written approval. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 1 , nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 3)
Why this hurts: You lose leverage to compare actual performance to promises and to validate capacity before cutover.
Level the field:
- Negotiate a testing addendum that allows agreed test scripts in pre‑production and limited production windows.
- Define acceptable data and tooling (e.g., synthetic datasets) and coordinate to minimize impact.

Warranty is narrow; exclusive remedy is limited to correction or partial refund

What Oracle says: Warranty limited to “commercially reasonable care and skill” in material conformance with specs; Oracle does not warrant error‑free or uninterrupted service, and your exclusive remedy is correction or, if not feasible, to end the deficient services for a refund of prepaid fees for the post‑termination period. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 3 , id., p. 3 , id., p. 3 , nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 6 , id., p. 7)
Why this hurts: If the service underperforms during a critical cutover, your outage losses (e.g., missed shipments, revenue impact) fall on you, and the remedy is limited to a narrow credit/termination right.
Level the field:
- Add targeted warranties (e.g., data import tools will process volumes in the migration runbook; integrations will support specific throughput).
- Incorporate meaningful SLAs with service credits escalating to termination rights; add “implementation protection” credits for go‑live windows.

Liability caps and exclusions that wipe out meaningful recovery

What Oracle says: Broad exclusions of indirect, consequential, special, punitive, or exemplary damages, and for loss of revenue, profits, data, data use, goodwill, or reputation; total liability capped at fees paid for the services giving rise to liability in the prior 12 months. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 3 , id., p. 3 , nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 7 , id., p. 7)
Why this hurts: In ERP, most real harms are “indirect” (business interruption, inventory imbalance, missed invoicing). A 12‑month fee cap can be a fraction of your exposure.
Level the field:
- Carve out from the cap: data breach, confidentiality breach, IP infringement, willful misconduct, and violation of law; set a higher cap for data breach (e.g., 2–3x total contract value) and for implementation‑phase outages.
- Narrow the consequential damages waiver by reinstating recovery for documented business interruption stemming from Oracle’s uncured material breach or gross negligence during a defined cutover window.

IP indemnity with big exceptions

What Oracle says: Each party indemnifies for third‑party IP claims over materials they provide, but Oracle disclaims indemnity for claims based on third‑party content or third‑party portals accessed via the services. Remedies include modifying, licensing, or terminating and refunding unused fees. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 3 , id., p. 4)
NetSuite NSA mirrors this structure and excludes indemnity for Third Party Applications; many ERP deployments rely on third‑party connectors or SuiteApps—your risk increases as your architecture becomes more realistic. (nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 7)
Level the field:
- Require IP indemnity to cover Oracle‑approved integrations/connectors and SuiteApps listed in your architecture; ensure the “termination and refund” remedy includes migration assistance and reimbursement of switching costs.
- Add indemnity for violation of third‑party API terms caused by Oracle’s guidance or tooling.

Data protection is your problem unless you buy add‑ons; HIPAA exclusion in NSA

What Oracle says: You are responsible for notices/consents, content vulnerabilities, and regulatory obligations for certain data (e.g., PCI/health) unless specified and covered by add‑on services. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 2 , id., p. 3)
NetSuite NSA expressly disclaims HIPAA compliance unless specified: Oracle is not your Business Associate; the service may not be used to store/process PHI. (nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 3)
Why this hurts: ERP deployments often consolidate sensitive data (customers, payments, healthcare, export‑controlled). Misalignment between your data types and Oracle’s permitted data can create breach and compliance exposure.
Level the field:
- Inventory regulated data early; align on permitted data in writing. Buy required compliance modules (e.g., PCI) and reflect them in the order; include audit rights and breach response commitments.
- Strengthen the data processing agreement with specific subprocessor lists, localization, and deletion/return SLAs.

Suspension rights for delinquent accounts and “significant threats”

What Oracle says: Oracle can suspend for nonpayment and for perceived security threats or policy violations; during suspension, they’ll make your content/data available “as it existed on the suspension date.” (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 4 , nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 6)
Why this hurts: A payment dispute or a false‑positive security flag during cutover can halt operations.
Level the field:
- Add a “no suspension during good faith dispute” clause when you pay undisputed amounts.
- Require multiple, escalating notices and a minimum cure period; exclude suspension during agreed go‑live windows, absent imminent, demonstrable harm.

Retrieval and deletion windows at term end

What Oracle says: Oracle will make your data available for retrieval for a period specified in service specs, then delete; details are in specs, not the main agreement. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 5)
Why this hurts: If the retrieval window is short or the export format is limited, your off‑boarding may fail.
Level the field:
- Negotiate a specific retrieval period (e.g., 60–90 days) and structured export formats and assistance commitments.
- Add a paid transition assistance clause with defined hours and rates for data extraction and verification.

Assignment bans; audit rights (NSA)

What Oracle says: You may not assign; Oracle reserves audit rights (NSA) on 45 days’ notice, annually, with remediation in 30 days if non‑compliance found. (id., p. 8 , nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 9)
Why this hurts: M&A or internal reorganizations become friction points; audits during implementation consume resources.
Level the field:
- Add consent not to be unreasonably withheld for internal reorganizations, change of control, or transfer to affiliates.
- Limit audit scope, frequency, and hours; exclude implementation sandboxes and pre‑production from “use” counts.

Key differences between the CSA (Oracle Cloud Services Agreement) and the NSA (NetSuite Subscription Services Agreement)

Product scope and ecosystem:
- NSA is tailored to NetSuite and SuiteProjects Pro, with explicit terms for SuiteCloud technologies and SuiteApps (including customer‑developed SuiteApps counted as “Third Party Applications” and subject to Oracle inspection). This makes the integration and customization footprint a contract risk area unique to NetSuite. (id., p. 1 , id., p. 5)
- The CSA is more general across Oracle Cloud and leans on “Service Specifications” tied to URLs. (Cloud-CSA-Online-v062223-US-ENG.pdf, p. 9)
Auto‑renewal:
- NSA auto‑renews for a year unless you give notice 30 days prior; CSA does not contain an explicit auto‑renew provision in the core text provided. (nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 3)
HIPAA:
- NSA explicitly prohibits PHI and disclaims Business Associate status unless otherwise specified; CSA addresses sensitive data at a higher level and pushes PCI/health data to add‑on services and specifications. (id., p. 3 , Cloud-CSA-Online-v062223-US-ENG.pdf, p. 3)
Subsidiary/OneWorld terms:
- NSA includes specific OneWorld/ Subsidiary Service provisions, including co‑resident environments for parent and subsidiaries and cross‑visibility of content—a governance and privacy risk if not managed. (nsgbu-subscription-services-agreement-v061625-us-eng.pdf, p. 2)
Audit rights:
- NSA grants Oracle explicit audit rights; CSA text cited here does not include a comparable audit clause. (id., p. 9)
Training/Professional Services:
- NSA defines Training and Professional Services, their deliverables, and limitations (e.g., no maintenance/updates for training deliverables). The CSA excerpt is focused on cloud services and hardware options; professional services are outside its “cloud hosting” specifications. (id., p. 5 , Cloud-CSA-Online-v062223-US-ENG.pdf, p. 9)

Tactics to protect ERP customers in Oracle negotiations

Tie money to measurable outcomes

Milestone‑based fees with acceptance criteria mapped to your ERP project plan (data migration, key integrations, UAT pass, performance thresholds).
Add a right to withhold a portion of fees pending cure of material defects during go‑live windows.

Lock critical features and policies

Append a “Critical Capabilities Schedule” listing the exact features, APIs, limits, and security controls you rely on; prohibit material adverse changes, or provide economic relief/termination if they occur.

Strengthen SLAs for implementation reality

Demand higher uptime and performance SLAs during cutover and quarter‑end cycles; include response and resolution SLAs for P1/P2 incidents; add service credits escalating to termination rights.

Expand remedies beyond “fix or partial refund”

Create custom remedies for migration failure, data corruption, or prolonged underperformance: funded remediation hours, credits against professional services, and reimbursement for documented, reasonable out‑of‑pocket mitigation costs.

Rebalance liability

Increase the cap to a multiple of annual fees or total contract value; create super‑caps for data breach and cutover‑window outages; carve back some consequential damages for documented business interruption arising from Oracle’s gross negligence or willful misconduct.

Build a safe harbor for testing and security validation

A mutually agreed testing protocol permitting load, failover, and vulnerability testing in defined windows and environments without triggering AUP violations or suspension.

Clarify data handling and exit

Specify data types permitted, encryption standards, data residency, subprocessor lists, incident notification timelines, and cooperation duties. At term end, secure a 60–90 day retrieval window, structured exports, and paid transition support.

Control third‑party risk

Enumerate approved Third Party Applications/SuiteApps; require Oracle to support interoperability and include those components within IP indemnity scope; add a remedy if an Oracle‑driven API change breaks integrations.

Guard against surprise true‑ups and audits

Include a non‑billable buffer and quarterly usage reviews; confine audit rights (NSA) to working hours, limit frequency, and exclude development/test.

Stop silent renewal

Replace auto‑renew with express mutual renewal; bake in a cap on renewal increases (e.g., CPI + 3%) and a right to terminate if Oracle seeks higher pricing.

No suspension during disputes and go‑live

Add “no suspension during good‑faith billing disputes” with payment of undisputed amounts; restrict suspension during defined go‑live and financial close windows absent imminent harm.

Assignment flexibility

Permit assignment to affiliates or successors in corporate reorganizations or change of control with prior notice.

Practical playbook for counsel and project leaders

Due diligence before signature:
- Pull every URL/policy incorporated by reference and snapshot the content at signing.
- Align the agreement with the ERP project plan: acceptance, milestones, test plans, data types, integrations, and cutover windows.
Redline with purpose:
- Focus on SLA definitions, liability carve‑outs, suspension limits, change‑control for features/policies, and exit assistance.
- Add an Implementation Annex detailing environments, test rights, throughput/volumetrics, and issue‑management war room procedures.
Governance during rollout:
- Establish a joint escalation matrix; require weekly risk reports; enforce RCA (root cause analysis) obligations for Sev‑1 incidents with corrective action commitments.
Preserve leverage:
- Stage spend; avoid 100% prepayment. Use acceptance gates and holdbacks.
- Negotiate executive‑level step‑in rights if performance falters.
Document everything:
- Keep contemporaneous records of commitments made in sales cycles and workshops; incorporate them into the order or a binding SOW.

A closing note on tone and leverage
Oracle’s forms are written to protect Oracle. That’s expected—but not inevitable. In ERP, your operational risk dwarfs your subscription fee, so “standard terms” that cap liability at 12 months’ fees while banning consequential damages simply do not reflect your exposure. Do not accept boilerplate on faith. Treat the contract as a control surface for implementation risk: define, measure, and enforce the behaviors you need from your vendor when it matters most.
With disciplined contracting, you can convert invisible hyperlinks into enforceable commitments—and keep your ERP program out of the ditch.

1 Comment

Oracle NetSuite Lawsuit: How Courts Protect Big Tech Over Small Businesses

9/3/2025

1 Comment

By Pam Fulmer

On September 2, 2025, the U.S. District Court for the Northern District of Ohio issued a ruling that should alarm every small and mid-sized business that has purchased software from global giants like Oracle. In Realscape Group LLC d/b/a Realogic Solutions v. Oracle America, Inc., Judge Charles E. Fleming transferred the case from Ohio to California, enforcing a forum-selection clause hidden deep in Oracle’s online Subscription Services Agreement (SSA)
.
This decision highlights a growing problem in ERP implementation disputes: courts continue to side with large corporations that bury key contractual terms in hyperlinked documents few small business customers ever read. While these rulings may appear to respect “freedom of contract,” they tilt the playing field in favor of big tech giants and against mom-and-pop and other small and medium size businesses, who are exploited by big tech companies and often go bankrupt or face severe financial challenges due to the one-sided clauses in these hyperlinked contracts.
.
Background: Realogic’s Oracle NetSuite Dispute

Realogic Solutions, a small IT services and healthcare staffing company in Ohio, purchased Oracle NetSuite software to manage its accounting, HR, and payroll. Oracle assured Realogic that the system would be fully implemented and operational by July 2025.

But Realogic alleges that Oracle knew it could not meet that timeline and instead of implementing the system itself, Oracle subcontracted the work overseas and sold Realogic’s debt to a third party, Wells Fargo Equipment Finance. The project never succeeded, leaving Realogic without functioning software despite being on the hook to Wells Fargo to pay $184,000 in fees under Oracle’s clever financing arrangement, which effectively severs its performance obligations from the customer's payment obligations.

Frustrated, Realogic filed a class action lawsuit against Oracle NetSuite, seeking relief for itself and other small businesses nationwide that paid for implementation services but never received working software.  Realogic also sued Wells Fargo in the Northern District of Ohio to seek to invalidate the financing assignment.  The case against Wells Fargo has subsequently been settled and the case dismissed.

The Hidden Forum-Selection Clause

At the center of the case is Oracle’s Subscription Services Agreement, buried in a hyperlink that can only be found on Oracle’s confusing contracts page. Realogic’s order forms contained a one-line reference to the SSA, which included a forum-selection clause requiring all disputes to be litigated in California.

For a small business, being forced to sue in San Francisco or Santa Clara Counties in California is no small matter. The costs of out-of-state litigation often discourage small businesses from pursuing valid claims. Realogic argued that the clause was deceptively hidden in fine print and that Oracle had fraudulently induced them into the deal.

The Ohio court disagreed. Judge Fleming held that Realogic had over a year to review the SSA hyperlink and was therefore bound by its terms.  In transferring the case to the Northern District of California, the court also reasoned that Plaintiff’s choice of forum was not as important given that the case was a nationwide class action.

Why This Ruling Hurts Small Businesses in ERP Disputes

1. Hyperlinked Agreements Are Not Real Negotiation
Oracle NetSuite contracts are almost always presented as take-it-or-leave-it deals. The reality is that small businesses have no power to negotiate hidden clauses. Yet courts enforce them as if both parties bargained at arm’s length.
2. Courts Treat Small Businesses Like Large Corporations
The court emphasized that Realogic is a business, not a consumer, and therefore should be held to a higher standard. But small LLCs and family-run companies are far closer to consumers than to Fortune 500 corporations with large and sophisticated legal teams.
3. Forum-Selection Clauses in Contracts of Adhesion Block Access to Justice
Forcing small companies to litigate in California significantly raises legal costs. Many businesses simply give up. Oracle most likely knows this, and it uses such clauses to make litigation for its customers expensive as well as inconvenient.  Sadly many companies will continue to pay Oracle to avoid Oracle and its assignees ruining the company's credit, even though they got nothing of value from the agreement.
4. Oracle Gets a Free Pass on Failed ERP Implementations
By enforcing these clauses, courts allow Oracle to avoid facing consequences for failed NetSuite implementations. Even when businesses allege fraud, misrepresentation, and breach of contract, Oracle can push disputes into its home courts, making litigation prohibitively expensive for smaller plaintiffs.

The Bigger Picture: Oracle NetSuite Litigation and Buried Clauses

Oracle is not alone. Many software vendors use hyperlinked agreements to impose forum-selection clauses, arbitration provisions, and liability limits. Courts often uphold them in the name of contractual freedom.

But the reality is that these agreements are contracts of adhesion. Not many small businesses buying ERP software can get Oracle to agree to revise its SSA. And when courts enforce them, they prioritize formalistic “consent” over fairness.

Rethinking Forum-Selection in ERP Implementation Lawsuits

To restore balance, courts and lawmakers should:

Differentiate between small businesses and corporate giants. A family-owned company or small business should not be held to the same standard as a multinational corporation.
Require explicit agreement to forum-selection clauses. Instead of burying them in hyperlinks, companies should obtain clear, affirmative assent.
Consider bargaining power. Enforcing hidden clauses against small businesses effectively deprives them of access to justice.
Explore legislative reform. Just as consumers enjoy protections against unconscionable arbitration clauses, similar safeguards could help small businesses facing unfair ERP contracts.

Conclusion: Small Businesses Need Protection from Oracle NetSuite Contracts

The transfer of Realogic v. Oracle may look like a routine procedural ruling, but it has Important consequences. By enforcing Oracle’s forum-selection clause, the court has made it harder for Realogic — and small businesses like it — to obtain justice and seek redress for their injuries.

This decision is part of a broader pattern: failed ERP implementations paired with hidden contract terms that trap small companies in unfair forums. Until courts or legislators step in, small businesses remain at a severe disadvantage in Oracle NetSuite litigation.

At Tactical Law Group, we represent companies harmed by failed ERP projects and unfair vendor practices. If your business is facing problems with Oracle NetSuite, SAP, Workday, Filevine, or other ERP systems, contact us. You deserve a fair fight — and we’re here to help.

1 Comment

Oracle v. Rimini Street: A Decade-Long Legal War Winds Down as Court Stays Proceedings Pending Settlement

7/24/2025

1 Comment

By Pam Fulmer

In one of the most interesting and long-running copyright and software licensing battles in enterprise software history, Oracle and Rimini Street have reached a major inflection point. On July 18, 2025, the U.S. District Court for the District of Nevada granted a joint stipulation to stay all proceedings and vacate the case schedule in Oracle Int’l Corp. et al. v. Rimini Street, Inc., Case No. 2:14-cv-01699-MMD-DJA. The litigation—spanning over a decade, multiple trials, and appeals—has shaped the legal landscape governing third-party software support and license compliance. We have blogged on the case in the past as our readers know, and additional articles can be found on our website.

At Tactical Law Group LLP, we counsel clients navigating complex software licensing issues with large enterprise software publishers, including disputes involving third-party support, software audits, vendor overreach, Oracle Java SE disputes, and failed ERP implementations involving Oracle, NetSuite and other vendors.

A Historic Copyright Dispute with Far-Reaching Implications

The Oracle v. Rimini saga began in earnest in 2010 with a separate lawsuit (often referred to as Rimini I), in which Oracle successfully obtained a $50+ million judgment and a permanent injunction against Rimini Street for infringing Oracle’s copyrights in delivering unauthorized third-party support services.

In the second case—filed in 2014—Oracle continued its claims, focusing on Rimini’s continued practices and alleged violations of Oracle’s software license terms, particularly around PeopleSoft, JD Edwards, and other Oracle applications. The litigation has spanned:

Complex issues of software copyright infringement,
Disputes over the scope of software licenses,
Injunction enforcement,
Appeals to the Ninth Circuit,
And now, a conditional settlement tied to Rimini's cessation of PeopleSoft-related services.

Key Terms of the Court's Stay Order

The July 2025 court order staying the case follows a successful June 2025 mediation between the parties and a subsequent settlement agreement effective July 7, 2025. Rimini has agreed to fully wind down its PeopleSoft support operations by July 31, 2028, after which Oracle will dismiss the case with prejudice. Notably:

The court vacated all current deadlines and hearings under the existing case schedule;
The stay remains in effect unless breached or completed earlier;
If Rimini violates the settlement, Oracle may reinstate proceedings without filing a new lawsuit;
The court retains jurisdiction to enforce permanent injunctions previously entered in Rimini I and this case.

This structure provides finality and avoids incurring further litigation costs that have no doubt been substantial, while ensuring Oracle can enforce compliance during the wind-down period.

Why This Case Matters

Enterprise software support has become a major profit center for enterprise software companies such as Oracle. In fact, it has been said by some in the software industry that large publishers are no longer innovating to grow revenue, but instead are focusing on negotiating annual support uplifts. Oracle has support policies that are expressly incorporated into its license agreements, so enterprise customers should be aware of those policies and other contractual terms when moving away from Oracle and to third party vendors for support. The case also illustrates that although Oracle seems at times actually reluctant to sue its customers, it has no such qualms about suing third party support vendors who may be cutting into its lucrative support offerings. In those cases Oracle will be relentless.

Tactical Law’s Role in Software Licensing Disputes

At Tactical Law Group LLP, we represent licensees in disputes with major software vendors, including Oracle, Micro Focus, SUSE, Microsoft, IBM, Broadcom, Quest, Actian, VMware, Adobe, BSA, Autodesk, Anaconda and others. We have deep experience advising clients on:

Interpreting complex software licensing agreements,
Responding to license audits and compliance demands,
Evaluating third-party support relationships,
Challenging unfair contract provisions,
Advising clients on license disputes involving downloadable software such as Oracle Java SE and Virtual Box.
And litigating disputes involving failed ERP implementations.

Whether you are negotiating a new software agreement, facing a vendor audit, dealing with a failed ERP implementation, or responding to allegations of breach or copyright infringement, Tactical Law can help your company navigate these challenges strategically and effectively.

1 Comment

Another NetSuite ERP Fraud Lawsuit: Veronica’s Auto Sues Oracle for Misrepresentation

4/18/2025

0 Comments

Oracle and its NetSuite cloud-based ERP platform are again under legal fire. Veronica’s Auto Insurance Services, Inc. (“VAI”), a California-based insurance company, has filed a lawsuit in San Francisco Superior Court alleging Oracle and NetSuite fraudulently induced it into purchasing a flawed ERP system that ultimately failed to function as promised. The complaint, filed on April 17, 2025, asserts claims for breach of contract, breach of the implied covenant of good faith and fair dealing, fraudulent and negligent misrepresentation, and violation of California’s Unfair Competition Law (Bus. & Prof. Code § 17200).

Alleged Misrepresentations and Broken Promises
According to the complaint, NetSuite sales representatives made a series of specific promises before contract execution to win VAI’s business. These included assurances that the system was tailored for the insurance industry, would require no third-party add-ons, and would be implemented with full Spanish-language support—essential for the client’s predominantly Spanish-speaking workforce. Relying on these representations, VAI signed a Professional Services Agreement and Statement of Work with NetSuite in April 2021, committing to more than $111,000 in fees.

Once implementation began, however, it became clear the representations were untrue. Key functionalities were either missing or required costly third-party plugins. Data migration failed. Core features like vendor payment processing, financial reporting, and role-based user access didn’t work as promised. Worse still, the promised Spanish-language training never materialized, leaving key staff unable to use the system. Ultimately, Veronica’s abandoned the system entirely in 2024, absorbing substantial financial losses.

A Growing Pattern: Oracle ERP Litigation Landscape Expands
The lawsuit filed by VAI is just the latest in a mounting series of legal actions that paint a troubling picture of Oracle’s conduct in selling and implementing its ERP software. In recent years, a variety of businesses across industries have come forward alleging that Oracle misrepresented the capabilities, readiness, or suitability of its ERP solution—often promising a turnkey system that ultimately required extensive customization, failed to deliver key functionality, or came with hidden costs such as required and expensive third party add-ons.

For example, in River Supply v. Oracle, filed by our law firm, Plaintiff alleged that Oracle made sweeping misrepresentations during the pre-contract sales cycle, touting NetSuite as a ready-to-go solution that could be quickly configured to go live within months at a fixed price. But like in VAI’s case, implementation challenges emerged early and often.

In Realscape Group LLC v. Oracle, a class action lawsuit filed in the Northern District of Ohio, the plaintiff has accused Oracle of misrepresenting its ERP system as “off-the-shelf” while concealing the need for significant additional development and expensive third-party software purchases as add-on costs.  Advance Lifts, Inc. similarly claimed Oracle sold it on functionality that did not yet exist.

Additional lawsuits by Morse Communications and Elkay Manufacturing underscore the recurring nature of the same type of complaints raised by the Plaintiff here.  Janco Foods, Inc. v. Oracle America, Inc. provides another stark example. In Janco, a Texas-based food distributor alleged that Oracle failed to deliver on an ERP implementation. The project was never completed, forcing Janco to abandon the system altogether. The complaint alleged breach of contract and fraudulent inducement, claiming Oracle misrepresented both its capabilities and the system’s readiness for the food distribution sector.

Another case, Barrett Business Services, Inc.v. Oracle America, Inc., filed in San Francisco Superior Court, further illustrate how NetSuite implementations often unravel. Barrett, a staffing company, alleged the software failed to meet basic payroll and compliance needs, as well as suffering from other defects.

And problems with Oracle’s ERP product are not limited to this side of the pond.  Recently, an auditor hired by the City of Birmingham in England issued a scathing report finding fault with the solution.  According to one article, “Since it replaced aging SAP finance software with Oracle's cloud-based Fusion for HR, payroll, ERP, and finance in April 2022, Europe's largest local authority found the system "effectively crippled" its ability to manage and report on finances, auditors found. It was still not "safe and compliant" two-and-a-half years after the replacement went live.”https://www.theregister.com/2025/03/11/birmingham_oracle_auditors/?td=keepreading  The project to “replace an aging SAP system began in October 2019 with an expected budget of £19 million ($23.6 million) and go-live dates of December 2020 and February 2021. Auditors now say the costs may be as much as £130 million ($161 million), and although the new software went live in April 2022, the council is "unlikely to have a fully functioning finance system until at least 2026."  https://www.theregister.com/2025/01/29/birmingham_oracle/

Together, these lawsuits and others, point to a systemic problem in how Oracle and NetSuite market, contract for, and deliver their ERP solutions. Businesses considering Oracle ERP software should proceed with caution, ensure detailed written documentation of all representations, and fully understand the binding legal terms—often buried in hard-to-access agreements like the Subscription Services Agreement, which is nothing more than a grayed out hyperlink on the Estimate Form.

Implications and Advice for NetSuite Customers
The Veronica Auto Insurance lawsuit adds to the growing body of litigation alleging that Oracle/NetSuite uses a bait-and-switch model to sell ERP systems that fail to perform as represented. For businesses considering a NetSuite or other Oracle ERP solution, or currently entangled in a troubled implementation, these cases highlight the importance of documenting all pre-contract representations and seeking legal counsel early. It also reinforces the need to scrutinize every referenced agreement—including "click-through" and incorporated terms not provided upfront.

Tactical Law continues to monitor Oracle litigation closely and represents businesses harmed by Oracle and NetSuite’s practices. If your company has experienced similar issues with Oracle or NetSuite, we invite you to contact us to evaluate potential claims.

Cases

Realscape Group, LLC v. Oracle America, Inc., Case No. 1:24-cv-00558 (N.D. Ohio)
River Supply, Inc. v. Oracle America, Inc. et al., Case No. 3:23-cv-02981 (N.D. Cal.)
Advance Lifts, Inc. v. Oracle America, Inc. et al., Case No. 3:21-cv-04361 (N.D. Cal.)
Morse Communications v. Oracle America, Inc. et al., Case No. 4:21-cv-05363 (N.D. Cal.)
Elkay Plastics Co., Inc. v. NetSuite Inc. et al., Case No. CGC-20-583152 (San Francisco Sup. Ct.)
Tactical Law Summary
Barrett Business Services, Inc. v. Oracle America, Inc. et al., Case No. CGC-19-572474
Janco Foods, Inc. v. Oracle America, Inc., Case No. 3:20-cv-05152 LB

0 Comments

The Beat Goes On: Rimini Street Victorious at the Ninth Circuit as the Court Vacates and Remands Key Parts of the Case for Further Proceedings

12/17/2024

0 Comments

By Pam Fulmer

Yesterday a three-judge panel of the Ninth Circuit issued a significant ruling in the longstanding copyright and false advertising dispute between Oracle International Corporation and Rimini Street, Inc., a third-party software support provider and Oracle competitor. This latest decision, vacating and remanding key aspects of the district court’s permanent injunction, brings new clarity to derivative works under the Copyright Act, defenses under Section 117(a), and the application of the Lanham Act to commercial statements and what constitutes puffery versus actual misrepresentations.

Case Background
Oracle, a developer of enterprise software including Database and PeopleSoft, has been in litigation with Rimini since 2010. In prior rulings, Rimini was found to have infringed Oracle’s copyrights through processes like “cross-use,” where copies of Oracle’s software were stored on Rimini’s systems. Following these decisions, Rimini restructured its business model into “Process 2.0” and sought a declaratory judgment that its new methods no longer infringed. Oracle counterclaimed for further copyright infringement and false advertising under the Lanham Act.

The district court sided with Oracle, issuing a sweeping injunction requiring Rimini to delete software files and correct alleged misstatements.

The court vacated rulings that Rimini infringed Oracle's Database and PeopleSoft copyrights. For Database, the licensing agreement did not prohibit third parties from possessing copies to support clients' operations. For PeopleSoft, the district court's rulings relied on an erroneous view of derivative works. The court found that the district court erred by focusing on mere interoperability of the software and emphasized that instead the analysis must focus on whether the work substantially incorporates the copyrighted work. The court also found that the lower court must conduct a further analysis as to whether the Oracle customers owned a copy of the software so as to make a Section 117(a) defense potentially applicable. Finally, the Ninth Circuit ruled that several of Rimini's marketing related statements were not actionable as mere puffery, but did find that Rimini's statement that it provided a "holistic" and "multilayered" security actionable. All in all a big win for Rimini, and a crippling loss for Oracle. What were the key holdings from the case?

Key Ninth Circuit Holdings

1. Derivative Works (Copyright Act)

A copyright owner has the exclusive right to prohibit or authorize the preparation of derivative works.  The Ninth Circuit found that “[t]he district court held Rimini-written files and updates developed during the “Process 2.0” period were infringing derivative works because they “only interact[] and [are] useable with” Oracle software. Oracle Int’l Corp., 2023 WL 4706127, at *66. The Ninth Circuit criticized the district court for adopting “an “interoperability” test for derivative works—if a product can only interoperate with a preexisting copyrighted work, then it must be derivative.”

“A derivative work must actually incorporate Oracle’s copyrighted work, either literally or nonliterally.”

The panel emphasized that “mere interoperability” is insufficient to establish derivative status under the Copyright Act, vacating the lower court's findings.  According to the Court:
Here,

“[t]he examples of derivative works provided by the Act all physically incorporate the underlying work or works.” Lewis Galoob Toys, Inc. v. Nintendo of Am., Inc., 964 F.2d 965, 967 (9th Cir. 1992). Take a “translation.” Translating a novel from English incorporates the original expression of the novel in a new language. A motion picture takes elements of the novel’s original expression and incorporates them into an audio-visual experience. The same goes for an abridgment—it incorporates the novel’s original expression into a condensed version. Thus, Congress’s list of examples suggests that a “derivative work” must be in the subset of works substantially incorporating  the preexisting work. Once again, whether a work is interoperable with another work doesn’t tell us if it substantially incorporates the other work."

Based on this textual analysis, we’ve said that “a work is not derivative unless it has been substantially copied from the prior work.” Litchfield v. Spielberg, 736 F.2d 1352, 1357 (9th Cir. 1984); see also 1 Nimmer on Copyright § 3.01 (2024) (“A work is not derivative unless it has substantially copied from a prior work.”). And we have held that “[a] derivative work must incorporate a protected work in some concrete or permanent ‘form.’” Lewis Galoob Toys, Inc., 964 F.2d at 967.

What does it means to incorporate a work in the software context?  According to the Ninth Circuit:

[T]he incorporation of a preexisting work can take several forms. First, the incorporation can be “literal.” See Best Carpet Values, Inc. v. Google, LLC, 90 F.4th 962, 971 (9th Cir. 2024) (holding that a website’s source code is a “copyrightable literal element[]”). So copying substantial portions of PeopleSoft’s copyrighted code outright would be an example of literal incorporation.

Second, the incorporation can be nonliteral, such as copying the “total concept and feel” of a preexisting work. Litchfield, 736 F.2d at 1357; see also SAS Inst., Inc. v. World Programming Ltd., 64 F.4th 1319, 1326 (Fed. Cir. 2023) (stating that the nonliteral elements of a computer program “include the program architecture, structure, sequence and organization, operational modules, and user interface”).

The Court vacated the lower court’s ruling that Rimini created a derivative work based solely on Rimini’s “programs’ interoperability with Oracle’s programs.”

2. Section 117(a) Defense: Ownership of a Copy Survives

It is well settled that no copyright infringement exists under the Copyright Act if an “owner of a copy of a computer program . . . mak[es] . . . another copy or adaptation of that computer program” for certain purposes, such as when it’s an “essential step” in using the program. 17 U.S.C. § 117(a). Courts have described this provision as an “affirmative defense to infringement.”   According to the Ninth Circuit:

To determine whether a party is an “owner of a copy” of a computer program, we look to whether the party has “sufficient incidents of ownership” over the copy of the software program. See UMG Recordings, Inc. v. Augusto, 628 F.3d 1175, 1183 (9th Cir. 2011) (simplified). And the question is not about ownership of the copyrighted material—it’s about ownership of a copy of the copyrighted material.

The court vacated the district court's ruling striking Rimini's affirmative defense under 17 U.S.C. § 117(a). The court ruled that other incidents of ownership should be considered to determine if Oracle's customers are owners or licensees of the software copies. The Ninth Circuit ruled that labeling an agreement a “license” does not automatically foreclose ownership claims, and is just one factor to be considered.

On remand, the district court must examine the “totality of the incidents of ownership,” such as transfer restrictions or limitations on use.

3. False Advertising Under the Lanham Act

The court reversed most of the district court's rulings on Rimini's security-related statements as false advertising under the Lanham Act. Many statements were deemed puffery rather than actionable claims. However, the court affirmed that Rimini's claim of offering "holistic security" was false advertising. Notable rulings include:

Statements of superiority (e.g., Rimini’s security is “more effective” or “better than Oracle’s”) were non-actionable puffery, as these are generalized claims not grounded in objective metrics. Surprising to this author, these specific statements were found to be puffery and thus non-actionable:
- “Security professionals have found that traditional vendor security patching models are outdated and provide ineffective security protection.”
- Oracle’s [Critical Patch Updates] are unnecessary to be secure.
- It is not risky to switch to Rimini and forgo receiving [Critical Patch Updates] from Oracle.
- Virtual patching can serve as a replacement for [Oracle] patching.
- “Virtual patching can be more comprehensive, more effective, faster, safer, and easier to apply than traditional [Oracle] patching.”
- “Rimini Security Support Services helps clients proactively maintain a more secure application compared to [Oracle’s] support program which offers only software package-centric fixes.”
- Rimini provides more security as compared to Oracle.
- Rimini’s [Global Security Services] can “pinpoint and circumvent vulnerabilities months and even years before they are discovered and addressed by the software vendor.”
Holistic Security. However, Rimini’s claim to provide “holistic security”—interpreted as multi-layered security including source-code-level patching—was found false and actionable, as Rimini failed to offer such a service.
Security Patches. The court found that this was a closer call but ultimately found these statements non-actionable:
- Oracle’s [Critical Patch Updates] provide little to no value to customers and are no longer relevant.
- Once an Oracle ERP platform is stable, there is no real need for additional patches from Oracle.
- If you are operating a stable version of an Oracle application platform, especially with customizations, you probably cannot apply or do not even need the latest patches.

The court declined to find these statements actionable noting that Oracle’s customers are “some of the most sophisticated companies in the world” and “take the security of their systems seriously.”   The court found it:

"doubtful that any of Oracle’s customers would be fooled about its own security needs merely based on Rimini’s fanciful but vague statements. Indeed, Oracle could not identify “any customers that left Oracle and went to Rimini because of a statement about security.” Nor did Oracle present any evidence of a security breach suffered by a Rimini client. So while these statements border on falsehood, we cannot say that they are so specific and measurable to become actionable under the Lanham Act. We thus reverse."

Notably, Judge Bybee dissented in part, arguing that Rimini’s statement that Oracle patches were “no longer relevant” was sufficiently specific and absolute to be actionable.

4.  The court vacated rulings that Rimini infringed Oracle's Database and PeopleSoft copyrights.

Database

For Database, the licensing agreement did not prohibit third parties from possessing copies to support Oracle customers’ operations.  The court noted that
[t]he plain language of the Oracle Database licensing agreement did not prohibit third-party support providers, like Rimini, from possessing a copy of Oracle’s software to further a client’s “internal business operations.” Rimini St., 81 F.4th at 854–55. In the appeal of the contempt proceedings, “Oracle [could not] point[] to [any] location restriction” in the Oracle Database licensing agreement. Id. at 855. Nor did the district court here identify a “location restriction” in the use of Oracle Database. While we affirmed any activity that directly fell within Rimini I’s injunction, we declined to extend it to a “different situation.” See id.
We thus vacate the district court’s ruling that the 18 “gap customer” environments containing Oracle Database violated Oracle’s licensing agreement.

PeopleSoft

For PeopleSoft, the district court's rulings relied on an erroneous view of derivative works. Rimini challenged the district court’s ruling that both (1) its use of “automated tools” to deliver PeopleSoft updates from one client to another and (2) the “outright” delivery of PeopleSoft updates to clients without further testing in the clients’ environments constitute copyright infringement.

The Ninth Circuit instructed the lower court to reexamine the use of automated tools in light of the legal standard articulated for “derivative work” before deciding whether Rimini’s “automated tools” violate copyright laws.

With regard to “outright” delivery, the district court found that Rimini violated Oracle’s copyright when it developed an update in the City of Eugene’s PeopleSoft environment and then delivered it “outright” to three other clients. But again based on the derivative use standard articulated in the decision, the Panel found that the lower court’s analysis did not go far enough.  Instead,

"The district court must first determine whether this update copies Oracle’s protected expression, either literally or nonliterally. If the district court finds protected expression in this update, it would be relevant to know if any extra copies of the update were created in the City’s environment solely because Rimini planned to distribute the update to other clients. In other words, further explanation is required of why “prototyping” the update in the City’s environment for non-City clients “necessarily” violates the “internal data processing operations” provision."

Implications

This decision has far-reaching implications for software providers and third-party support businesses. By rejecting an overly broad definition of “derivative works” and reinforcing the Section 117(a) defense, the Ninth Circuit has provided stronger defenses to software users and their support partners. Simultaneously, it highlights the risks of overstating service capabilities under the Lanham Act, but also demonstrates a reluctance to reign in misleading statements, as long as the statements are made to sophisticated companies like the ones who use Oracle database software.

The Ninth Circuit vacated significant portions of the injunction and remanded the case for further proceedings under its clarified legal standards.  All in all, a huge win for Rimini Street and a bitter defeat for Oracle.  One thing is guaranteed.  We have not heard the end of it.

0 Comments

<<Previous

Oracle Blog

How Oracle’s Sales Model Creates ERP Failure Risk

Oracle Java Licensing Enforcement: How “Friendly Outreach” Is Driving Significant Compliance Risk

Brown v. GlobalLogic and Oracle: Key Allegations, Oracle E‑Business Suite, and What It Means for Customers

New Class Action Targets Adobe’s “Dark Pattern” Subscription Practices — A Call for Fairness and Full Disclosure

Lessons from ERP Lawsuits: Key Contract Provisions and Litigation Themes

Hidden Traps in Oracle’s Cloud Agreements: What ERP Customers Must Know (and Do) Before They Click “Accept”

Oracle NetSuite Lawsuit: How Courts Protect Big Tech Over Small Businesses

Oracle v. Rimini Street: A Decade-Long Legal War Winds Down as Court Stays Proceedings Pending Settlement

Another NetSuite ERP Fraud Lawsuit: Veronica’s Auto Sues Oracle for Misrepresentation

The Beat Goes On: Rimini Street Victorious at the Ninth Circuit as the Court Vacates and Remands Key Parts of the Case for Further Proceedings

By Tactical Law Attorneys and From Time to Time Their Guests

Authors

Archives

Categories

tactical law group llp

Oracle Blog

By Tactical Law Attorneys and From Time to Time Their Guests​

Authors

Archives

Categories

tactical law group llp

By Tactical Law Attorneys and From Time to Time Their Guests