October 18, 2010

With Security, You Can’t Always Hide Behind Disclaimers

Failure to follow its own security protocols may have landed domain name registrar in hot water for alleged gross negligence – despite abundant disclaimers in its terms of service.  In Baidu, Inc. v., Inc., 10-Civ.-444 (S.D.N.Y. July 22, 2010), a federal court refused to dismiss claims of gross negligence and grossly negligent breach of contract against Register after a social engineering attack allowed an intruder to gain access to the domain name account for the Chinese search engine and re-route traffic to an “Iranian Cyber Army” site.

A not-too-crafty social engineering attack scores big

The facts alleged in Baidu’s complaint are enough to send both giggles and shivers down the spine of any techie or information security officer. The intruder contacted Register’s tech support chatline and asked to change the e-mail address for the Baidu account. The intruder gave an incorrect answer to the Register representative’s security verification question, but the representative nonetheless e-mailed a security code to the on-file Baidu address for the intruder to repeat through the chat service. Not having access to Baidu’s e-mail, the intruder repeated back a code that the intruder claimed was similar to the correct one (that is, if you consider 96879818 a similar number to the correct code, which was 81336134!).

According to Baidu’s complaint, the representative did not compare the two numbers, but rather went ahead and processed the intruder’s request to change the e-mail address on file to  (Not only is this a rather odd-looking address for the third largest search engine in the world, but, as the court noted, “’’ is the domain name of a competitor of Baidu….”)    The intruder then went to the site and requested a new username and password by clicking on the “forgot password” button.   The system generated an e-mail to the intruder’s address enclosing Baidu’s username and a link allowing the intruder to change the password for the account and gain access.  Baidu’s operations were interrupted for five hours, and, according to the complaint, Register did not even begin to address the problem until two hours after first being contacted by Baidu.
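The control that failed here was a sound one: a one-time code sent to the address already on file, which only the legitimate account holder can read back. It failed because the final step, comparing what was read back to what was sent, was left to a person. The following is an added example, not code from the article, from Baidu or from Register, of how that step looks when the system does the comparison itself and the contact-change request is gated on the result. The account and e-mail values are constructed; the two codes, 96879818 and 81336134, are the ones quoted from the complaint above. The attempt limit and the audit log are this example's own design choices.

```python
"""Out-of-band e-mail verification for an account-change request.

Added illustration (not the article's or any registrar's code). The point
it makes: the comparison of the code read back by the requester with the
code actually sent is done by the system, so an "almost right" answer
cannot be waved through, and every decision is written to an audit log.
"""
import hmac
import secrets
from dataclasses import dataclass, field

CODE_DIGITS = 8
MAX_ATTEMPTS = 3     # hypothetical policy value chosen for this example


@dataclass
class Challenge:
    account: str
    code: str            # sent to the on-file address, never shown to the requester
    attempts: int = 0
    consumed: bool = False


@dataclass
class VerificationService:
    audit_log: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)

    def issue(self, account, on_file_email, code=None):
        """Generate a code and 'send' it to the on-file address.

        A real system would e-mail it; here the send is simulated. The
        optional `code` argument exists only so the demo can replay the
        numbers from the complaint; production code would never accept it.
        """
        if code is None:
            code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[account] = Challenge(account, code)
        self.audit_log.append(f"ISSUED account={account} to={on_file_email}")
        return code  # returned so the caller can play the legitimate owner

    def verify(self, account, supplied):
        """Exact, constant-time comparison; 'looks similar' is not a match."""
        ch = self.pending.get(account)
        if ch is None or ch.consumed:
            self.audit_log.append(f"DENIED account={account} reason=no-active-challenge")
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code.encode(), str(supplied).strip().encode())
        if ok:
            ch.consumed = True           # one-time use: a replay is refused
            self.audit_log.append(f"VERIFIED account={account}")
            return True
        self.audit_log.append(
            f"DENIED account={account} attempt={ch.attempts} reason=code-mismatch")
        if ch.attempts >= MAX_ATTEMPTS:
            ch.consumed = True
            self.audit_log.append(f"LOCKED account={account} reason=too-many-attempts")
        return False

    def change_contact_email(self, account, supplied_code, new_email):
        """The state change is gated on the mechanical check, so a support
        representative has no path to process it after a failed verification."""
        if not self.verify(account, supplied_code):
            return False
        self.audit_log.append(f"CHANGED account={account} email={new_email}")
        return True


def demo():
    """Replay the alleged exchange with constructed account/e-mail values.

    Returns (intruder_result, owner_result, replay_result).
    """
    svc = VerificationService()
    svc.issue("registrant-example", "admin@registrant.example", code="81336134")
    # The requester reads back a different number; the system refuses.
    intruder = svc.change_contact_email("registrant-example", "96879818",
                                        "attacker@example.invalid")
    # The real holder of the on-file mailbox reads back the code that was sent.
    owner = svc.change_contact_email("registrant-example", "81336134",
                                     "newadmin@registrant.example")
    # The same code cannot be used a second time.
    replay = svc.change_contact_email("registrant-example", "81336134",
                                      "again@example.invalid")
    for line in svc.audit_log:
        print(line)
    return intruder, owner, replay


if __name__ == "__main__":
    demo()
```

Run as a script it prints the audit trail: the mismatched code is denied, the correct code is verified and the change recorded, and the replay is refused because the challenge was consumed. The design choice worth noting is that the chat representative never sees the expected code and has no function that changes the address without a passing `verify()`; the human can help the customer, but cannot override the check.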

“Not responsible” no longer cuts it?

Baidu, understandably, was miffed and filed suit against Register.  Register moved to dismiss Baidu’s claims for breach of contract and gross negligence, relying on the standard  “we’re not responsible for anything” legalese in its master services agreement (MSA).  Among the copious disclaimers were statements that use of the services was “entirely at [Baidu’s] own risk” and that Register was not liable for “use of or inability to use the Service(s),” “interruption of business,”  “unauthorized access to or alteration of” transmissions or data, or (my favorite) “any other matter relating to your use of the Service(s).”  The MSA also provided that the registrant was responsible for maintaining the security of its account and that in no event would Register be liable for any unauthorized use or misuse of a username or password.  In a nutshell, the contract on its face clearly disclaimed liability for a loss or hijacking of service due to a security breach.

The court, however, refused to dismiss these claims, holding that under New York law, limitations of liability cannot be enforced to bar claims for intentional, grossly negligent (or recklessly indifferent) misconduct.   (This principle should be kept in mind whenever New York law is selected as the choice of law for a commercial contract, as it frequently is when the two parties are located in distant states and a supposedly “neutral” state is needed.)    In finding that Baidu had alleged sufficient facts to make a case for gross negligence, the court zeroed in on Register’s (total, laughable and shocking, if the facts alleged in Baidu’s complaint are true) failure to follow its own security protocols.

What is less guffaw-inducing is the court’s response to Register’s argument that, in light of the disclaimers in the MSA, it had no legal duty to provide website security: “This may be true as a general matter, but Register did undertake to provide web site security and established protocols to do so.” Therefore, it was required to use reasonable care in providing security or else face liability for the negligent performance of its voluntarily assumed security obligations. In other words, once Register implemented security measures (as any sane and reputable domain name registrar would), it could be held liable for not following them diligently, even though this was never part of the contract. If Register’s failure was so egregious that it amounted to a complete disregard for security, such behavior could be said to be grossly negligent, blowing an enormous hole in the contractual limitations of liability and opening Register up to significant damage exposure, including consequential damages (imagine how much business is lost when the leading Chinese search engine is unavailable for five hours).

What it means for data security

It is this principle that makes Baidu not only a mildly interesting Internet contract case, but a potentially groundbreaking data security case.  According to the federal district court, under New York law if you choose to adopt security measures and don’t follow them, you could face unlimited liability for a security breach, regardless of how many tech lawyers finessed the disclaimers in your terms of service.

The Federal Trade Commission (FTC) has taken a somewhat similar approach, bringing enforcement actions under Section 5 of the FTC Act against Twitter and other websites for reassuring consumers about security and then suffering data breaches due to lax controls.  Furthermore, taking no responsibility for security whatsoever is not an option.  The FTC has used its enforcement power against unfair or deceptive trade practices essentially to jerry-rig a national requirement to use reasonable online security procedures where consumers could be harmed by a data breach.  (A no-security approach would also be business suicide for a domain name registrar and most other online businesses.)

The lesson here is plain and harsh:  when it comes to data security, increasingly you can’t hide behind a wall of disclaimers.