We have gotten multiple reports of soft audits being conducted by BSA | The Software Alliance involving Adobe software. Similar to what Oracle sales teams appear to be doing with Java, the BSA is reaching out to customers with letters demanding that the company take certain actions including taking a software inventory and submitting proof of license purchases and other information to the BSA. These are not formal audit notices sent pursuant to the audit provision of the Adobe license but appear to be fishing expeditions where BSA is perhaps, in our opinion, seeking a sales opportunity and additional revenue. We advise companies on how to respond to such notices, as well as formal BSA audits.
In addition to Adobe, BSA Global Members include Autodesk, Cisco, IBM, Microsoft, Salesforce and SAP, among other well-known software publishers. Although Oracle is a BSA Global Member, we know that its audits are typically conducted by Oracle’s own internal licensing arm, LMS or GLAS. If you are a company that receives a notice from BSA involving your use of software, we are experienced software licensing lawyers and can help advise you concerning your contractual rights.
In David Karling, et. Al. v. Samsara, Inc., a federal court in the Northern District of Illinois has declined to dismiss a class action complaint brought under the Illinois Biometric Information & Privacy Act (“BIPA”), by a truck driver against a maker of facial recognition camera technology. The plaintiff alleged that Samsara was liable because the dash cam installed by his employer took facial scans, and Samsara collected those scans and shared them with the employer without complying with BIPA's requirements. Plaintiff David Karling, on behalf of himself and a putative class, alleges that Defendant Samsara Inc. ("Samsara"), violated BIPA by collecting his information from facial scans without notice or release; disseminating that information to third parties; failing to create, disclose and adhere to a written policy for data retention and destruction; and profiting from these actions.
What is the Case About?
The court describes the facts of the case as follows:
“Samsara provides facial recognition software and sensors to commercial fleets and industrial operations. The Samsara cameras capture the actions of the drivers to monitor for fatigue and distraction. Karling worked in Illinois as a driver for Lily Transportation, a customer of Samsara. In 2021, Lily Transportation installed an AI Dash Camera, provided by Samsara, in Karling’s truck. The AI Dashcam extracted biometric identifiers from Karling’s face while he drove and sent them to the Samsara Cloud Dashboard, where Samsara stored the images. The Samsara Camera includes a feature called Camera ID, which automatically performed facial recognition to identify Karling by extracting biometric identifiers and comparing those to the stored data. Karling never gave permission for the collection and storage of his biometric data. Samsara never provided Karling with a written release, the required statutory disclosures, or a retention and destruction policy. Karling never signed a written release or had an opportunity to prevent this collection and use of his biometric data.”
Samsara moved to dismiss the Complaint on a number of grounds including that federal law governing truck safety technology preempted the state law-based BIPA claims. Samsara also argued that BIPA as applied to it, violated the Dormant Commerce Clause, as BIPA places a great burden on “interstate motor carriers and their technology providers and would substantially interfere with interstate commerce” by unconstitutionally projecting Illinois law onto other states and placing a significant burden on interstate commerce.
Court Rules That Preemption Defense Can’t Be Decided on a Motion to Dismiss on These Facts
Citing Cap. Cities Cable, Inc. v. Crisp, 467 U.S. 691, 699 (1984) the court noted that “[f]ederal law may preempt state law in three situations: when Congress expressly states so, when a federal regulatory scheme implies exclusive congressional legislative power, and in cases of “actual conflict”. Samsara did not argue that BIPA conflicts with a particular federal statute but rather urged “the Court to find “a uniform scheme of federal regulation of truck safety technology” disrupted by BIPA’s Illinois-specific requirements.” But this the court declined to do. Instead, the court reasoned that:
“The scattershot nature of Samsara’s cited agency statements and proposed rulemaking hardly qualifies as a uniform federal scheme to regulate truck safety technology. The Court cannot find “a clear and manifest” Congressional purpose to preempt state regulation of “truck safety technology” from these disparate sources, which range from a law that directed DOT [Department of Transportation] to conduct research and rulemaking on driver monitoring systems to a recent federal initiative to incentivize driver-safety technologies. Although these sources potentially touch on biometrics and privacy concerns, their overwhelming aim is traffic safety, while BIPA targets “disclosure, consent, and recordkeeping requirements” for biometric identifiers.”
The court did not find the preemption issue appropriate for deciding on a motion to dismiss, and denied the motion.
The Court Can’t Decide Whether BIPA Violates the Dormant Commerce Clause on the Motion to Dismiss
Samsara moved to dismiss the complaint under the Dormant Commerce Clause, arguing that:
“BIPA, as applied to it, places a great burden on “interstate motor carriers and their technology providers and would substantially interfere with interstate commerce.” [citation omitted] According to Samsara, BIPA unconstitutionally projects Illinois law onto other states and would place a significant burden on it because it would “require Samsara either to ensure compliance with BIPA everywhere Samsara does business or, absurdly, to prohibit its customers from using Samsara technology while driving in Illinois due to risk of noncompliance.” [citation omitted] Karling argues that, again, the Court should decide this issue on a full factual record. The Court agrees.”
Noting that “courts have repeatedly rejected the argument that the Dormant Commerce Clause prevents BIPA's application to out-of-state defendants at the motion to dismiss stage” and holding that the “issue is more properly addressed on a motion for summary judgment” the court dismissed Samsara’s argument. Instead, the court reasoned that “[w]ithout discovery into Samsara’s processes for scanning, storing, and using biometrics with its dashcam system and the alleged burden of compliance with BIPA, the Court cannot determine whether there is a Dormant Commerce Clause violation.”
The Complaint Adequately Alleged Other BIPA Violations
The court next analyzed whether the Complaint adequately alleged BIPA violations under Sections 15(a) through 15 (d) and found that it did. In making such findings the court rejected arguments that: (1) Samsara’s website adequately provided a written policy regarding retention and destruction of biometric data (Section 15(a); (2) the release requirement applies only to employers (Section 15 (b); (3) Samsara is not liable because it only possessed and did not collect the biometric data (Section 15 (c); and (4) the Complaint inadequately alleged that Samsara profited from the collection of the biometric data (Section 15(d). Finally, the court found that the Complaint adequately alleged facts supporting an award of enhanced damages for Samsara’s intentional or reckless disregard of compliance with the requirements of BIPA.
What Does This Mean For Companies Collecting Biometric Data?
Companies collecting or using biometric data in their businesses need to understand and comply with the requirements of BIPA if they are doing business in Illinois or collecting the biometric data of Illinois consumers. BIPA continues to be a trap for the unwary company, and class actions filed in Illinois under BIPA cannot easily be defeated on a motion to dismiss, but instead will likely require the investment of time and money in expensive and burdensome discovery, and the development of a factual record in order to dispose of the case.
The case is David Karling et al. v. Samsara Inc., case number 1:22-cv-00295, in the U.S. District Court for the Northern District of Illinois. Tactical Law will continue to monitor the case. Please check back for updates.
California Federal Court to Decide Whether the Absence of a Public Facing Retention Policy Constitutes a Single Violation of BIPA or Whether Multiple Violations Are Possible.
By Pam Fulmer
Unique among state laws, the Illinois Biometric Information Privacy Act (“BIPA”) creates a private right of action for "any person aggrieved" by a violation of the statute and provides for statutory damages of $1,000 for a negligent violation to $5,000 for an intentional or reckless violation, in addition to reasonable attorneys' fees and costs. Liquidated damages can also be awarded under the statute. The potential to aggregate these penalties on a class-wide basis and the availability of attorneys' fees has made BIPA an attractive statute for the plaintiffs' class action bar. Because of this recovery scheme, BIPA has made Illinois a national litigation magnet.
However, BIPA cases are not just limited to Illinois. Instead, Plaintiffs have filed several BIPA related consumer class action cases in the Northern District of California, and have targeted tech companies, including Facebook in particular, and its photo tagging technology, which Facebook has since discontinued using. One of those cases, In re Facebook Biometric Info. Priv. Litig.., 185 F. Supp. 3d 1155 (N.D. Cal. 2016), affirmed by Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), addressed directly whether BIPA covers the method Facebook used in its photo "Tag Suggestions" program. Judge Donato ruled it did and certified the class. Facebook appealed and the Ninth Circuit affirmed Judge Donato’s ruling. Facebook later settled that case for $650 million, after the U.S. Supreme Court declined to grant certiorari.
Now another consumer class action case, Zellmer v. Facebook Inc., case number 3:18-cv-01880, is again before Judge Donato. However, unlike the previous case, Zellmer consists of a class of non-Facebook users who had their photos uploaded to Facebook by other Facebook users. In an April 2022 ruling, Judge Donato found that it would be "patently unreasonable" to hold Facebook liable for claims that it failed to inform nonusers in Illinois who were strangers to Facebook, about its collection and storage of their facial scans, and ruled against Plaintiffs on their Section 15(b) claim requiring notice and consent. However, the court allowed the claims under Section 15(a) to proceed, finding that factual issues abounded as to whether Facebook had a “written policy, made available to the public” that established data retention policies and related practices for biometric identifiers or information as required by 740 Ill. Comp. Stat. 14/15(a).
What is BIPA?
BIPA passed by the Illinois state legislature in 2008, protects biometric identifiers and biometric information of human beings. Biometric identifiers are defined as a "retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry," and "do not include writing samples, written signatures, [or] photographs." Biometric information is considered "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier," but "does not include information derived from items or procedures excluded under the definition of biometric identifiers."
Under BIPA, an organization may not "collect, capture, purchase, receive through trade, or otherwise obtain" biometric identifiers or information (collectively, biometric data) unless it first:
The organization must store, transmit, and protect from disclosure any collected biometric data using the reasonable standard of care within the applicable industry, and in a manner that is at least as protective as the means used to protect other confidential and sensitive information (740 Ill. Comp. Stat. 14/15(e)). Additionally, any organization that possesses biometric data must:
Does the Absence of a Public Retention Policy Constitute a Single Violation of the Statute or Can There Be More?
Recently Judge Donato asked the parties to analyze and submit 5-page briefs on whether the absence of a public retention policy as required by Illinois law is a single violation of Section 15(a) that can be remedied by a single liquidated damages award or whether there can be multiple violations. 740 Ill. Comp. Stat. 14/15(a).
For its part Facebook argues that “BIPA’s text establishes that the failure to publicly post a retention policy constitutes a single violation of BIPA and that the only authorized remedy for such a violation is a single award of actual or liquidated damages.” Facebook reasons that an entity cannot fail to publish something more than once. Facebook also argues that Section 20 of BIPA “limits recovery to those “aggrieved” by a violation” of the statute and that “BIPA does not extend a legal right to every member of the public in all situations.” Noting that Illinois courts require that “aggrieved” persons have a “direct, immediate and substantial interest rather than a speculative, theoretical, inconsequential or remote interest,” Facebook argues that no such showing can be made on these facts. Facebook asserts that Plaintiffs as non-users could not possibly have benefited from Facebook’s decision to post a retention policy and thus do not have the direct, immediate and substantial interest needed to meet the “aggrieved” requirement under BIPA.
Mr. Zellmer argues the opposite and focuses on the number of times Facebook scanned Plaintiff’s face to argue that the policy was violated multiple times. According to his brief:
“Here, each time Facebook scanned Plaintiff’s face, it used the scan to compare it to other faces stored in Facebook’s facial recognition system. Facebook scanned Plaintiff’s face on at least four separate occasions, each time without having a public policy containing the disclosures mandated by Section 15(a). On each such date Facebook owed Plaintiff a written policy. In addition, once the comparisons were completed, the purpose for which Facebook collected Plaintiff’s face scan ended. Facebook thus violated Section 15(a) by failing to timely delete Plaintiff’s biometric data.”
Plaintiff also argues that the statute provides for the award of liquidated damages in the absence of showing the existence of actual damages.
“Under Section 20, Plaintiff is entitled to liquidated damages of $5,000.00 for each of Facebook’s intentional and reckless violations of Section 15(a) or, alternatively, liquidated damages of $1,000.00 for each violation if the jury finds that Facebook was negligent in its failure develop a public policy or comply with Section 15(a)’s data destruction requirements. Plaintiff is entitled to liquidated damages in the absence of any showing of actual damages.”
Tactical Law will continue to monitor the case and report back on further developments, including Judge Donato's ruling.
By Pam Fulmer
The Northern District of California gave Facebook a partial win in a class action lawsuit brought under the Illinois Biometric Information Privacy Act ("BIPA"), when it granted partial summary judgment in Facebook's favor. Judge Donato in his ruling, cited the prior class action case In re Biometric Information and Privacy Litigation ("In re Facebook"), which he presided over and that ended in Facebook paying $650 million to settle the case. Unlike the previous case, Judge Donato reasoned that Plaintiff "does not have, and has never had, a Facebook account,” and “has never used Facebook’s services”. This distinction proved key to Judge Donato's decision.
In Zellmer v. Facebook, the Plaintiff sued on behalf of a putative class of Illinois non-Facebook users, but who had been tagged in a photo by another Facebook account holder. The functionality challenged in Zellmer involves Facebook's prior technology that allowed the scanning of faces in photographs uploaded on Facebook for association with other scanned faces to automatically tag users, their friends, and other recognized individuals. The court noted that as part of the In re Facebook settlement, Facebook had agreed to abandon such practices.
In granting summary judgment to Facebook on Zellmer's Section 15(b) claim under BIPA, which requires notice and consent before using biometric identifiers, Judge Donato reasoned that Zellmer's interpretation of the statute would put an unreasonable burden on Facebook. Noting that the Illinois legislature's stated purpose in enacting BIPA was to apply the statute in situations where a business had at least some measure of knowing contact with and awareness of the people subject to biometric data collection, such as its customers, the Court declined to extend the rule further. According to the Court,
"To construe BIPA as Zellmer urges would lead to obvious and insoluble problems. Under Zellmer’s interpretation of Section 15(b), Facebook in effect would need to identify every non-user in Illinois on a regular basis, and figure out a way to communicate with them to provide notice and obtain consent."
The Court found that such an interpretation would create an insurmountable practical problem "for the myriad of photos taken in restaurants, vacation destinations, school graduations, and countless other settings where unknown people will appear in a picture. There is no realistic way for the person posting the photo to obtain consent from every stranger whose face happened to be caught on camera."
The Court concluded that Zellmer's notice and consent claim under BIPA Section 15(b) would be unreasonable and would put Facebook in an impossible position. Construing the statute any other way would produce an absurd result and put an impossible burden on businesses, which was not the purpose of the statute or the intent of the Illinois Supreme Court in cases interpreting the statute.
Zellner also brought a claim under Section 15(a), which requires that businesses using biometric data have a publicly available written policy, which would set forth data retention policies and related practices. Facebook did not have such a policy but instead made a number of highly factually intensive arguments about whether or not it possessed biometric identifiers or information at all. For this claim, the Court found factual disputes that could not be ruled on in a motion for summary judgment. That claim will need to be tried.
Thryv, Inc. Hits Micro Focus With Texas DJ and Breach of Contract Action over ULA Type Certification
By Pam Fulmer
Those readers who follow the software industry and our blog know that Micro Focus has a reputation for its brass knuckles audit tactics deployed against its customers to increase revenues. On a new twist to the Micro Focus audit playbook, Plaintiff Thryv, Inc. ("Thryv") alleges in a new suit that Micro Focus has breached the parties' license agreement and seeks a declaration from the Texas court that it owns certain perpetual licenses arising out of an unlimited license agreement certification process. According to the Complaint Thryv seeks a declaratory judgement "finding that Micro Focus has conveyed perpetual licenses to Thryv under the Agreement consistent with the certification it provided in July 2016, and that Thryv has no further payment obligations under the Agreement." Oracle customers certifying off Unlimited License Agreements ("ULA") may also find this case instructive.
Thryv is a "print and digital marketing company that delivers cloud-based business
software on a subscription basis as well as a host of marketing products to over 400,000 small businesses in the United States." Thryv contends that in late 2014 it "requested a proposal from Micro Focus to supply software for a specific project known as kGen/Monarch." Not knowing the exact configurations for the system, Micro Focus "proposed a "Volume License Addendum (“VLA”), whereby Thryv would be licensed to deploy and use an unlimited amount of specific types of Micro Focus software for a specified period of time." The parties agreed that at the end of the time frame "Thryv was to certify the deployment of the software and Micro Focus would then grant a perpetual license for the actual quantities of software deployed at that time (the “Certification Date”)."
Thryv contends that as the Certification Date approached, and as the contract was vague as to what information would be required, it requested a certification template from Micro Focus. After some delays Micro Focus provided such a template. Thryv claims that "the template was vague and requested information that was not required by the Agreement," and that "Micro Focus did not provide any other information to Thryv on how to complete the certification." The request for information not required by the Agreement is something we see frequently in Oracle ULA certifications. According to the Complaint, "Thryv timely and accurately listed all user counts and core counts that were deployed as of the Certification Date and provided the required certification under the Agreement to Micro Focus. Micro Focus acknowledged receipt of the certification document and indicated in writing that it would contact Thryv when the certification had been reviewed, if it had any questions. Micro Focus did not verify the certification as required by the Agreement. In fact, Micro Focus never contacted Thryv regarding the certification." Thryv alleges that under the Agreement the number of core and user counts specified by Thryv "as of the Certification Date became the maximum entitlement under the perpetual license going forward." Again this is very similar to an Oracle ULA certification.
Thryv contends that in November of 2018, over two years after it completed the certification form, Micro Focus commenced an audit. The Complaint alleges that only In mid-2020, nearly eighteen months after the audit began, "Micro Focus for the first time provided documentation indicating that it had not granted license entitlements for all items listed in the certification." Now Micro Focus claims that it disagrees with Thryv's interpretation of the certification requirements under the contract with Thryv's claimed license entitlement, and that Thryv owes it millions of dollars in licensing fees and back support. Specifically Thryv seeks a "declaratory judgment finding that Micro Focus has conveyed perpetual licenses to Thryv under the Agreement consistent with the certification Thryv provided in July 2016, and that Thryv has no further payment obligations under the Agreement." Thryv also seeks damages of between $200,000 to $1 million, dollars and the recovery of its attorneys' fees pursuant to the license agreement and Texas law.
Certainly a bad fact for Micro Focus is that it never responded to the Certification and apparently gave no indication to Thryv that it did not agree with the user and core count that Thryv had provided, and did not follow-up with any questions concerning the certification. Thryv will no doubt argue that Micro Focus is estopped from changing position now and that it has an express or at least an implied license to use the software given the conduct of Micro Focus.
This is a cautionary tale that American businesses using enterprise software should take note of. Customers certifying off unlimited license agreements involving Oracle, Micro Focus or other software vendors should consider retaining experienced legal counsel to advise them on what the contract requires, and potential risks and how to mitigate those risks involved in the certification process.
Tactical Law will be monitoring the case for further developments. Check our blog for periodic updates about the case. The case is Thryv, Inc. Vs. Micro Focus (Us), Inc., TX District & County - Tarrant District (141st District Court), Case No. 141-319074.
By Anne-Marie Eileraas
Companies based outside California may be reluctant to accept California as the governing law for their contracts. While some companies base their view on first-hand experiences, others cite media reports and surveys placing California in the bottom ranks of states’ legal and regulatory environments. For example, in late 2019, the U.S. Chamber Institute for Legal Reform published results of its latest survey of how participating U.S. business executives view the states’ legal environments, specifically regarding litigation and liability. California, along with Illinois and several southeastern states, fell in the bottom 10 states.
Whatever one’s view of such surveys, what’s clear is that polls tend to home in on a narrow range of issues: the perceived fairness of consumer/class action litigation and “hometown” jury verdicts. They don’t shed much light on the typical economic issues that arise in business-to-business contracts. Is California substantive law unfavorable for companies who contract under it?
Part 1 of this blog post will touch on California legal issues relevant to business contracts; more specifically, technology agreements for services, XaaS/cloud agreements, and software licenses. (This article does not address agreements with individuals, such as for personal or consulting services, which are subject to very different considerations under California law.) Part 2, coming soon, will discuss California venue for business litigation.
Choice-of-law clauses under California law
If a contract properly specifies California governing law and venue, most likely a court will enforce it. There is a strong policy favoring enforcement of contractual choice-of-law provisions in California. Many California-based companies, such as Oracle, Cisco, VMWare, and Palo Alto Networks, routinely use California choice of law provisions in their contracts.
In California, the court (not a jury) decides issues of contract interpretation and the application of contract defenses, such as force majeure. That may be of comfort to contracting parties, since pretrial jury waivers are unlawful in California. California courts strive to give effect to the mutual intent of the parties at the time of contracting. However, if the language of a contract is ambiguous in light of all the circumstances, a court will consider extrinsic evidence relevant to prove a particular meaning.
Legal issues that may favor customers
Not surprisingly given courts’ latitude to interpret contracts, California contracts law has pros and cons for companies purchasing software or services, and the following issues under California law, on balance, could be helpful and protective of their interests.
• Good faith and “best efforts” in California contracts
Under California law, an implied covenant of good faith and fair dealing protects the express promises in a contract and prevents one party from exercising its discretion to deny the other party the benefits of the contract. Unlike in some states, the implied covenant is not absolute; California permits parties to contract out of it with express provisions, such as a right to terminate in a party’s sole discretion.
The implied good-faith covenant can be helpful to customers in scenarios where, as a practical matter, some terms cannot be finalized until a future time, when the contract is in effect. While an “agreement to agree” is not enforceable, an agreement to negotiate in good faith can be enforced and can permit a party to recover damages.
Also helpful to a customer of technology services, California courts interpret “efforts” clauses to require more of a party than just acting good faith. A provider contracting to use its “best efforts” to perform a service must use the diligence that a reasonable person would exercise under the circumstances. It’s not enough for a vendor to say “I tried…”
• Availability of damages and failure of exclusive remedies
A well-drafted liquidated damages clause can reduce uncertainty of remedies if the other party does not perform. Liquidated damages clauses are presumed valid in California, with the burden of proof on the party seeking to invalidate a clause to show that it was unreasonable under the circumstances existing at the time of the contract.
California law protects an aggrieved party’s right to get a fair remedy when the other party breaches a contract, despite language in the contract excluding or limiting recovery. California Commercial Code §2719 provides, “Where circumstances cause an exclusive or limited remedy to fail of its essential purpose, remedy may be had as provided in this code.” The commentary to §2719 notes “it is of the very essence of a sales contract that at least minimum adequate remedies be available. If the parties intend to conclude a contract for sale within this Article they must accept the legal consequence that there must be at least a fair quantum of remedy for breach of the obligations or duties outlined in the contract.”
Note the commercial code applies to sales of goods, which can include software under a case-by-case analysis of whether the essence of the transaction is for goods or services. The commercial code provides for specified remedies, but courts have also relied on it to invalidate exclusions of consequential damages. For instance, in RRX Indus. v. Lab-Con, Inc., 772 F.2d 543 (9th Cir. 1985), the court interpreting California law invalidated a consequential-damages waiver in a software agreement after the vendor’s “repair” remedy failed of its essential purpose.
• Force majeure clauses
California courts do not enforce force majeure clauses literally. California cases have equated force majeure clauses to the common-law doctrine of impossibility, and courts will read certain common-law elements of a force majeure defense into contract terms. Most notably, a force majeure event must be beyond the reasonable control of the party seeking to be excused; and the incident must truly impose extreme and unreasonable difficulty, rather than merely render performance harder or more costly (including consideration of the party’s reasonable efforts to mitigate). Courts will consider the context and determine whether a party’s obligations should be delayed or completely terminated, in whole or in part.
Additionally, force majeure clauses must be drafted with particularity to overcome the presumption that only events unforeseeable at the time of contract will be excused. Mere “boilerplate” clauses will not excuse a party from performing if the event claimed as a force majeure was reasonably foreseeable.
Parties have significant freedom to draft express contractual indemnity clauses under California law. Courts will enforce a properly drafted indemnity covering a party’s negligence, including negligent misrepresentations and non-disclosure of material facts. However, outside of the insurance context, if a party “seeks to be indemnified for its own active negligence, or regardless of the indemnitor's fault, the contractual language on the point ‘must be particularly clear and explicit and will be construed strictly against the indemnitee.’” Prince v. Pacific Gas & Electric Co., 45 Cal. 4th 1151 (Cal. 2009). It is against public policy for an agreement to indemnify a party from knowingly unlawful future acts. Cal. Civ. Code §2774.
California has adopted statutory rules for interpreting indemnity provisions that apply unless expressly overridden by the parties. Those rules require, among other things, that the indemnifying party must defend indemnified claims upon the request of an indemnified party. Cal. Civ. Code §1778.
With attentive drafting, customers can protect their interests under California law by including indemnity provisions tailored to manage the risks of the technology they are buying.
• No one-sided provisions for recovery of attorneys’ fees
California generally follows the “American rule” for attorneys’ fees, meaning that each party to a dispute must pay its own legal fees. However, California’s civil code overrides unilateral attorneys’ fees provisions in a contract. If a contract has a term awarding attorneys’ fees to only the seller in the event of a dispute, that provision will be interpreted to award attorneys’ fees to whichever party prevails in a claim for breach of contract. Cal. Civ. Code §1717. This can protect customers contracting under one-sided vendor forms.
Scenarios where California law may not be as customer-friendly
Companies should investigate how California law applies to their specific industries or to particular kinds of contracts. For instance, because California law in general is more protective of individuals (especially employees), customers should understand the implications for any business contracts involving individual services under California law. Companies should be especially cautious when retaining independent contractors or attempting to include non-solicitation and non-compete clauses in their agreements.
The content of this blog is intended to convey general information about legal issues that may be of interest to our readers. This information is not intended to, and does not, constitute legal advice, nor is it intended to create an attorney-client relationship. Tactical Law does not sponsor, endorse, verify, or warrant the accuracy of the information found at external sites or subsequent links.
The Third Circuit in an interesting new case, reversed a district court’s grant of summary judgment for Amazon finding that the on-line retailer could be strictly liable for products liability because it qualified as a “seller” of a defective dog leash under Pennsylvania law. The court also reversed a finding that Section 230 of the Communications Decency Act (“CDA”) barred other claims against Amazon, and said that the giant retailer could be liable if it was an “actor” in the sales process and not just acting as a publisher of the third-party seller’s content. The court expressly found that under Pennsylvania law an actor need not hold the title to the property to be considered a seller. This is important as many cases ruling in favor of Amazon in similar contexts have based their rulings on the concept that since Amazon doesn’t hold title to the products it cannot therefore be a seller.
In analyzing the case and finding that Amazon could be strictly liable the court applied a four-factor test and found all four factors weighed in favor of holding Amazon liable:
(1) Whether the actor is the “only member of the marketing chain available to the injured plaintiff for redress”; The court found this factor present as the third-party seller who sold the defective product could not be found by Amazon or by the Plaintiff.
(2) Whether “imposition of strict liability upon the [actor] serves as an incentive to safety”; The court found that “although Amazon does not have direct influence over the design and manufacture of third-party products, Amazon exerts substantial control over third-party vendors. Third-party vendors have signed on to Amazon’s Agreement, which grants Amazon “the right in [its] sole discretion to . . . suspend, prohibit, or remov[e] any [product] listing,” “withhold any payments” to third-party vendors, “impose transaction limits,” and “terminate or suspend . . . any Service [to a third-party-vendor] for any reason at any time.” Therefore, Amazon is fully capable, in its sole discretion, of removing unsafe products from its website.”
(3) Whether the actor is “in a better position than the consumer to prevent the circulation of defective products”; Here the court reasoned that “while Amazon may at times lack continuous relationships with a third-party vendor, the potential for continuing sales encourages an on-going relationship between Amazon and the third-party vendors.” The court also found that “Amazon is uniquely positioned to receive reports of defective products, which in turn can lead to such products being removed from circulation. Amazon’s website, which Amazon in its sole discretion has the right to manage, serves as the public-facing forum for products listed by third-party vendors. In its contract with third-party vendors, Amazon already retains the ability to collect customer feedback.” Finding third-party vendors “ill-equipped to fulfill this function, because Amazon specifically curtails the channels that third-party vendors may use to communicate with customers” the court found Amazon in a better position than the consumer to prevent circulation of the defective products.
(4) Whether “[t]he [actor] can distribute the cost of compensating for injuries resulting from defects by charging for it in his business, i.e., by adjustment of the rental terms.” The court found this factor weighed in favor of holding Amazon liable as Amazon includes provisions in all of its contracts with its third-party sellers, which require the sellers to indemnify Amazon.
With regard to the CDA argument, the court explained that “unlike the first issue, this is a question of federal law” and concluded that “the CDA bars some, but not all, of Oberdorf’s claims”. According to the court, “[t]he CDA states, in relevant part, that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider . . .” and that the CDA “bars lawsuits seeking to hold a service provider liable for its exercise of a publisher’s traditional editorial functions—such as deciding whether to publish, withdraw, postpone, or alter content.” The court explained that the “CDA is intended to allow interactive computer services companies “to perform some editing on user-generated content without thereby becoming liable for all defamatory or otherwise unlawful messages that they didn’t edit or delete.” The court went on “to the extent that Oberdorf is alleging that Amazon failed to provide or to edit adequate warnings regarding the use of the dog collar, we conclude that that activity falls within the publisher’s editorial function. That is, Amazon failed to add necessary information to content of the website. For that reason, these failure to warn claims are barred by the CDA. However, because the District Court did not parse Oberdorf’s claims in order to distinguish between “failure to warn” claims and claims premised on other actions or failures in the sales or distribution processes, we will vacate its holding that Oberdorf’s claims are barred by the CDA.”
In remanding the issue back to the trial court for additional analysis, the Third Circuit disagreed that all of Oberdorf’s claims sought to treat Amazon as the publisher or speaker of information provided by another information content provider. The court found that “Amazon is a “seller” of products on its website, even though the products are sourced and shipped by third-party vendors” and that “Amazon’s involvement in transactions extends beyond a mere editorial function; it plays a large role in the actual sales process.“ The court ruled that “to the extent that Oberdorf’s claims rely on allegations relating to selling, inspecting, marketing, distributing, failing to test, or designing, they pertain to Amazon’s direct role in the sales and distribution processes and are therefore not barred by the CDA safe harbor provision.”
In bringing claims against Amazon relating to sales on its website, litigants would do well to hi-light what role Amazon played in the sales process and to focus allegations on Amazon’s role in “selling, inspecting, marketing, distributing, failing to test, or designing” to ensure getting around Section 230 of the Communications Decency Act.
The Eleventh Circuit recently reversed a Georgia federal district court’s dismissal of Amazon in a products liability suit involving injuries and property damage caused by an explosion of a defective Chinese hoverboard, which was sold by Amazon. Plaintiff alleges that the batteries in the hoverboard were defective and that Amazon knew of the safety issues and failed to adequately warn consumers.
The court desribed the relevant facts as follows:
"On 22 November 2015, Plaintiff purchased a hoverboard through Amazon’s website (“Hoverboard”). The Hoverboard was manufactured in China and was powered by a lithium-ion battery. The Hoverboard’s packaging contained no warnings about potential fire risks. Nor did Amazon warn Plaintiff about potential fire risks associated with the Hoverboard. On 5 February 2016, the Hoverboard started a fire at Plaintiff’s home. As a result of the fire, Plaintiff’s home was destroyed; and Plaintiff sustained severe injuries."
The district court had dismissed the complaint finding that the Plaintiff had not alleged enough facts demonstrating that Amazon knew of the defect. The appellate court reversed, finding that the Plaintiff had pled sufficient facts showing that Amazon was on notice of the defect, and sent the case back to the trial court. The appellate court found:
"The complaint contains more than just “bare assertions” that Amazon “knew or should have known” about the risk of fire; Plaintiff provided additional “factual content” to support that allegation. See Iqbal, 556 U.S. at 678, 681. Plaintiff alleged that several fires had been caused by “lithium-ion battery powered hoverboards manufactured in China,” including by the same model as Plaintiff’s Hoverboard. More important, Plaintiff alleged that when Amazon sold the Hoverboard to Plaintiff, Amazon had already been sent written notification of four specific fires that had been caused by hoverboards sold by Amazon. Plaintiff also alleged that thousands of hoverboards had been seized by United States custom authorities based on concerns about the hoverboards’ “potentially explosive lithium batteries.”
Finding that "Plaintiff has alleged enough facts to state plausibly that Amazon had actual or constructive knowledge that the Hoverboard posed a risk of fire at the time of Plaintiff’s purchase", the court vacated the dismissal and sent the case back to the lower court for further proceedings.
This is a rare loss for Amazon, which has been able to escape liability in similar cases by making a number of arguments, including that it is not liable for defects in the products of third party sellers who simply use the Amazon platform to sell their goods. Tactical Law Group will continue to monitor the case, which is Love Jr. v. Weecoo et al., Case Number 1:18cv540-TWT, in the Northern District of Georgia. You can read a copy of the Eleventh Circuit's opinion by clicking below.
In the last few years software developer Quest Software, Inc. (“Quest”) has ramped up the number of audits it is conducting against its licensees. In fact, not only is Quest increasingly auditing its customers, but it is suing them for copyright infringement and breach of contract arising out of the audit. Within the last year or so at least 4 lawsuits have been filed by Quest against its customers, including suits against Nike, HCL America, Electric Reliability Council of Texas and World Fuel Services Corporation. We know first-hand that Quest has gotten increasingly aggressive, as we are currently defending software audits brought by Quest against other customers.
Originally founded in Newport Beach in 1987, Quest is a software company with over 100,000 customers worldwide, which develops and supports software used by database professionals for cloud management, security, workforce mobility and data-driven insights. In 2016 Francisco Partners and Elliott Management acquired the company from Dell. Industry insiders know that Francisco Partners has a reputation of owning companies that aggressively audit their software customers.
Although several of the cases brought by Quest settled quickly, the one against Nike appears to have some legs and Nike is fighting back. Quest filed its complaint on April 24, 2018 asserting claims for copyright infringement, breach of contract and violations of the Digital Millennium Copyright Act and seeking licensing fees of $15,646,191.55 for alleged overdeployment. In part to support this big number, Quest has taken the position that an “authorized” user under the contract, is anyone that can access the software even if the user has never actually done so. This is an issue that we often see in audits conducted by Oracle Corporation as well. In fact, a similar issue was raised by Mars in its motion for preliminary injunction in the Mars vs. Oracle case.
Nike fired back with its own counterclaim for declaratory relief, breach of contract and breach of the implied covenant of good faith and fair dealing on May 31, 2018. In its counterclaim, Nike accused Quest of predatory audit practices setting forth a number of questionable actions by Quest. For example, according to Nike, although the license agreement only requires a payment to Quest if the software is used, Quest’s auditors ran scripts that “were not designed to inventory users of Quest Software on NIKE systems – that is, persons who had actually run a Quest Software program. Instead, they were intentionally designed to inventory all persons or machines which had the right to access servers on which Quest Software programs were stored, without regard to whether such persons or machines ever actually used a Quest Software program.” Nike Counterclaim at ¶ 33. The counterclaim alleges that “Quest intentionally designed its audit “scripts” for NIKE for the bad faith purposes of creating an improper estimation of overdeployment, in order to support an inflated demand for payment, contrary to the requirements of Section 12 of the SLSA.” Nike Counterclaim at ¶ 34. Counting the actual number of users who actually used the software and taking into account other issues, Nike came up with an overdeployment calculation of $348,664.74, which they offered to pay to Quest to resolve the audit. Counterclaim at ¶ 39. Quest rejected this offer. Counterclaim ¶ 40.
In addition, Nike contends that Quest engages in a laundry list of bad faith and predatory audit practices against its licensees including: (a) substantially increasing the number of audits of licensees; (b) in conducting audits, disregarding the contractual terms of its license agreements regarding calculation of amounts due for overdeployment, and demanding grossly exaggerated and unjustified payments from licensees for overdeployment; (c) refusing to accept payment or tender of payment by licensees for overdeployment that has been calculated by the licensees in accordance with contractual terms; (d) demanding payment from licensees for uses of freeware and trialware versions of Quest software, even where such payments are not required under agreements between Quest and the licensees or the terms under which such versions are made available to the public; (e) demanding overdeployment payments in excess of Quest’s published licensing prices where licensees are alleged to have used license keys or other access devices not provided by Quest to access licensed Quest software, even where such use is not prohibited by Quest’s agreement with the licensee; (f) threatening and/or commencing claims against licensees that assert damage claims under the Copyright Act or the Digital Millennium Copyright Act for alleged licensee overdeployment, with knowledge that such claims are not permitted and that Quest’s sole and exclusive remedy for overdeployment is payment by the licensee of amounts due under the licensees’ agreements with Quest; and (g) in order to exert coercive pressure on licensees to accede to Quest’s predatory demands for payment, refusing to provide or renew Maintenance Services to those licensees, even though Quest is aware that such refusals are breaches of the license agreement between Quest and its licensee, and that such refusals damage the licensee by denying it necessary security and software upgrades.” Nike Counterclaim at ¶ 59.
Many of the arguments made by Quest are similar to ones we have seen in Oracle software audits. As discussed above, a similar “authorized user” issue was raised in the Mars filing and we have seen it raised with other Oracle customers. We have also seen Oracle use an expansive interpretation of what it means to be “installed” in the context of its own software audits, especially where licensees are using VMware in a virtualized environment. Similar issues are apparent in the Quest vs. Nike lawsuit. For example, Nike contends that “Quest Software, like all operational software, contains executable files. When these files are accessed and executed, the relevant program(s) will run and perform the tasks for which the program(s) are designed and for which NIKE has licensed that software. “Use” of a Quest software program means to run that program and a person who directs the program to run is a ‘user’”. Counterclaim ¶ 17. Nike further contends that “the Microsoft Windows operating system, on which Quest Software was installed, creates logs that can be used to identify each occasion on which a Quest Software program was executed, that is, used, on that particular system. Using these logs in correlation with other forensic artefacts on the system permits identification of the users of Quest Software.” Counterclaim ¶ 18. Nike concludes that it “has not agreed, under the SLSA or otherwise, to pay for licenses for Quest Software for persons or systems who could theoretically access the Quest Software, but who do not actually use the software.” Citing internal data security personnel as one example, Nike contends that one “important reason for this is that although many people and machines within the NIKE system are authorized to access servers on which a copy of a Quest Software program is stored, they have no need to run any Quest Software program and do not use that software.” Counterclaim ¶ 19.
As pointed out in an earlier July 6, 2017 Tactical Law blog post, Oracle’s Chad Russell, Senior Counsel in Oracle’s Legal Department, took a similar position with its licensee Mars as to what it means to use the software. Instead of focusing on actual usage, Oracle instead twists the meaning and claims a licensing event where the software “is available for use”. According to Mr. Russell. “Oracle programs are installed on any processors where the programs are available for use. Third party VMware technology specifically is designed for the purpose of allowing live migration of programs to all processors across the entire environment. Thus, Oracle Enterprise Edition is installed and available for use on all processors in a V-Center.” Exhibit 11 to Declaration of Eloise Backer, Mars v. Oracle, San Francisco Superior Court, Case No. CGC-15 -548606. Essentially, Oracle took the position that the mere fact that Oracle software might possibly be installed and run on one of these processors at some indeterminate time in the future, constituted a present use of Oracle software and a licensing event for which Mars would need to pay a royalty at the time of the audit.
One key take away from both these cases, is that licensees need to carefully control the information that licensors are receiving during software audits and ensure that they are actually entitled to the information under the terms of the license agreement. Before blindly running scripts, get the auditors to set forth in writing what information the scripts are collecting, and the basis in the contract allowing the licensor access to such data. Licensors conducting software audits may overreach if they can and gather much more information concerning the customer’s IT system than they are entitled to. This ends up resulting in inflated claims of overdeployment and large dollar expenditures for licensees. If you get a Quest audit notice, consider retaining experienced outside counsel to assist you with successfully navigating the audit.
We will be monitoring the Quest vs. Nike case for any interesting filings such as motions for summary judgment. Recently the Judge in the matter, the Honorable Judge Anna Brown, issued a scheduling order setting the fact discovery cut-off on May 16, 2019. Dispositive motions are due at the end of August 2019. The parties appear to be engaged in a great deal of discovery, but no formal discovery motions have yet been filed. The case is Quest Software, Inc. vs. Nike Inc., Case No. 3:18cv721 pending in the U.S. District Court for the District of Oregon.
Over the years we have advised numerous clients on contract issues and handled many breach of contract cases in the courts and in arbitral forums around the country. Often, we see many of the same issues arise time and again. One area that is ripe for dispute involves the termination provision of a contract. What looks crystal clear on the first read often ends up being more complicated.
Extreme care must be taken when terminating a contract, and the business person or in-house lawyer responsible for the termination needs to ensure that he or she complies with the requirements of the termination provision exactly. Otherwise, the termination may be ineffective and lead to expensive and time consuming litigation, and the terminating party may find itself in breach.
Many of the cases that we have litigated contain language requiring 30-days’ notice and an opportunity to cure before the contract may be terminated. Read these provisions very carefully and follow them exactly, if you want to perfect your right to terminate.
I remember very clearly litigating a multi-million dollar breach of contract case in an arbitration. The other side claimed that a letter they had sent my client was a cure notice, and I argued that it was not. The arbitrator, a former California appellate justice, glowered at my opponent and in a booming voice dismissed the notion that the letter was a cure notice. He said something to this effect: “Counsel, this is not a cure notice. A cure notice is plainly labeled as such in the Re line of the document. It cites to the relevant provision, and is delivered in accordance with the notice provision of the contract. It specifically identifies the provisions of the contract, which have been breached, and for which a cure must be effectuated. It provides a date certain when the cure must be made, or else risk termination of the contract.” We won a $33 million-dollar arbitration award for our client, and were also awarded attorneys’ fees in that case. Sweating the details does matter.
Another error that seems to occur frequently is failure by the party terminating the contract to comply with the notice provision of the agreement. Most termination clauses require written notice of the breach and the opportunity to cure, but they may not specifically reference the notice provision, which appears elsewhere in the contract and/or relevant statutory provisions. As a result, many people overlook the manner by which notice must be given. It is very important before sending the cure notice or the termination letter to check and see if the contract contains such a notice provision or if there is an applicable statutory requirement. If there is, make sure that you comply fully, and do not take any short cuts.
Today, most parties to a contract communicate via email. However, notice provisions may be copied from older contracts and require personal delivery or via overnight or certified mail. Same for statutory requirements. Make sure that you are sending the correspondence to the designated persons at the designated address using the proper method of delivery, and if there are time limits or other procedural requirements in the termination provision, be sure to comply with these as well.
If you are considering terminating a contract, or if your company receives a cure or termination notice, Tactical Law Group LLP is here to help and to guide you through the process.