Contracts

Subscribe to Contracts via RSS

UPDATE: On December 23, 2021, the parties reached a settlement, as Southwest filed an unopposed motion for entry of final judgment and a permanent injunction containing the same restrictions as the temporary injunction issued in September. Under the proposed permanent injunction, Kiwi would be barred from scraping flight and fare information from Southwest’s site, publishing any Southwest flight or fare information on kiwi’s site or app (or selling any Southwest flights), or otherwise using Southwest’s site for any commercial purpose or in a manner that violates Southwest’s site terms.

UPDATE: On November 1, 2021, the parties filed a Joint Notice of Settlement indicating that they have reached a settlement agreement in principle.  The terms of the settlement were not disclosed.

UPDATE: On October 28, 2021, the defendant Kiwi.com, Inc. filed a notice of appeal to the Fifth Circuit seeking review of the district court’s ruling granting Southwest Airlines Co.’s motion for a preliminary injunction.

On September 30, 2021, a Texas district court granted Southwest Airline Co.’s (“Southwest”) request for a preliminary injunction against online travel site Kiwi.com, Inc. (“Kiwi”), barring Kiwi from, among other things, scraping fare data from Southwest’s website and committing other acts that violate Southwest’s terms. (Southwest Airlines Co. v. Kiwi.com, Inc., No. 21-00098 (N.D. Tex. Sept. 30, 2021)). Southwest is no stranger in seeking and, in most cases, obtaining injunctive relief against businesses that have harvested its fare data without authorization – ranging as far back as the 2000s (See e.g., Southwest Airlines Co. v. BoardFirstLLC, No. 06-0891 (N.D. Tex. Sept. 12, 2007) (a case cited in the current court opinion)), and as recently as two years ago, when we wrote about a 2019 settlement Southwest entered into with an online entity that scraped Southwest’s site and had offered a fare notification service, all contrary to Southwest’s terms.

In this case, the Texas court found that Southwest had established a likelihood of success on the merits of its breach of contract claim. Rejecting Kiwi’s arguments that it did not assent to Southwest’s terms, the court found that Kiwi had knowledge of and assented to the terms in multiple ways, including by agreeing to the terms when purchasing tickets on Southwest’s site. In all, the court found the existence of a valid contract and Kiwi’s likely breach of the terms, which prohibit scraping Southwest’s flight data and selling Southwest flights without authorization. The court also found that Southwest made a sufficient showing that Kiwi’s scraping and unauthorized sale of tickets, if not barred, would result in irreparable harm. In ultimately granting Southwest’s request for a preliminary injunction, the Texas court also found that Southwest also demonstrated the threatened injury if the injunction is denied outweighed any harm to Kiwi that will result if the injunction is granted and that the injunction would be in the public interest.

What made this result particularly notable is that the preliminary injunction is based on the likelihood of success on the merits of Southwest’s breach of contract claim and Kiwi’s alleged violation of Southwest’s site terms, as opposed to other recent scraping disputes which have centered around claims of unauthorized access under the federal Computer Fraud and Abuse Act (CFAA).

On January 14, 2021, Southwest Airlines Co. (“Southwest”) filed a complaint in a Texas district court against an online travel site, Kiwi.com, Inc. (“Kiwi”), alleging, among other things, that Kiwi’s scraping of fare information from Southwest’s website constituted a breach of contract and a violation of the Computer Fraud and Abuse Act (CFAA). (Southwest Airlines Co. v. Kiwi.com, Inc., No. 21-00098 (N.D. Tex. filed Jan. 14, 2021)). Southwest is no stranger in seeking and, in most cases, obtaining injunctive relief against businesses that have harvested its fare data without authorization – ranging as far back as the 2000s (See e.g., Southwest Airlines Co. v. BoardFirst, LLC, No. 06-0891 (N.D. Tex. Sept. 12, 2007), and as recently as two years ago, when we wrote about a 2019 settlement Southwest entered into with an online entity that scraped Southwest’s site and had offered a fare notification service, all contrary to Southwest’s terms.

According to the current complaint, Kiwi operates an online travel agency and engaged in the unauthorized scraping of Southwest flight and pricing data and the selling of Southwest tickets (along with allegedly charging unauthorized service fees), all in violation of the Southwest site terms. Upon learning of Kiwi’s scraping activities, Southwest sent multiple cease and desist letters informing Kiwi of its breach of the Southwest terms. It demanded that Kiwi cease scraping fare data, publishing fares on Kiwi’s site and using Southwest’s “Heart” logo in conjunction with the selling of tickets. Kiwi responded and sought to form a business relationship, an overture that Southwest refused.  According to Southwest, when discussions failed to yield a resolution, Kiwi allegedly continued its prior activities, prompting the filing of the suit.

As reported last week, it appears that a state-sponsored security hack has resulted in a major security compromise in widely-used software offered by a company called SolarWinds. The compromised software, known as Orion, is enterprise network management software that helps organizations manage their networks, servers and networked devices. The software is widely-used by both public and private sector companies.

The exposure, in the form of “spyware” inserted into one or more updates to Orion, is significant. According to an alert issued by the Cybersecurity and Infrastructure Security Agency (“CISA”), it is common for network administrators to configure Orion with pervasive privileges, which would allow it to bypass firewalls and other security measures, thus making it an enviable target for hackers. CISA categorized the SolarWinds attack as presenting a “grave risk” to government agencies and private entities.

The attack had been ongoing and undetected since perhaps March 2020 (or earlier, and certainly planned out for years). SolarWinds’s SEC filings last week estimated that about 18,000 of its customers may have downloaded the malware-laden software update for Orion.  However, the number of organizations impacted may be even higher.  Orion may be part of a larger infrastructure implementation or managed service provided by third party service providers.  And as a result, even entities that do not have a direct relationship with SolarWinds may need to investigate potential impacts.

It is important to note, however, that even though a business may have the malicious code integrated into their network, they may not yet have suffered an actual breach or intrusion.  “Luckily,” this actor seems to have taken great pains to remain concealed, and as a result, it appears that the perpetrators had not yet had an opportunity to invoke their ability to invade every impacted network in all potentially impacted cases.

While we are far from learning all of the various ways in which this backdoor was exploited, early anecdotal evidence suggests that these attackers were very interested in pivoting into other systems, including cloud-based systems, such as Office 365, that may not have any direct connection to a SolarWinds installation.  While the disabling of the so-called Orion “Sunburst backdoor” and the confiscation of the original domain name that was receiving communications from the attacker should stop further data loss from the initial entry point, it will not stop further incidents if the attacker has already established persistent access within the network. Thus, it is important to note merely because an affected organization may have closed the initial vulnerability, it should not declare itself as contained too quickly as the hackers may have surreptitiously achieved persistent access beyond the Orion entry point.

There are two sobering consequences from this recognition.  First, if an organization determines that it installed the corrupted version of Orion, an organization’s investigation may need to be very broad in nature.  Second, organizations may need to consider whether previous breaches that were resolved this year might, in fact, have had something to do with this issue that was undiscovered at the time of detection.  Accordingly, it may be necessary to revisit prior incidents thought long resolved.

New York has enacted a new law, effective February 9, 2021, regulating automatic renewal and some “free trial” type agreements. While some organizations may have already taken steps to be in compliance with industry requirements, the federal Restore Online Shoppers’ Confidence Act (ROSCA), and similar auto-renewal laws in place

In continuing its efforts to enforce its terms and policies against developers that engage in unauthorized scraping of user data, this week Facebook brought suit against two marketing analytics firms, BrandTotal Ltd (“BrandTotal”) and Unimania, Inc. (“Unimania”) (collectively, the “Defendants”) (Facebook, Inc. v. BrandTotal Ltd., No. 20Civ04246

Many online services feature comprehensive terms of use intended to protect their business from various types of risks.  While it is often the case that a great deal of thought goes into the creation of those terms, frequently less attention is paid to how those terms are actually presented to users of the service. As case law continues to demonstrate, certain mobile and website presentations will be held to be enforceable, others will not.  Courts continue to indicate that enforceability of terms accessible by hyperlink depends on the totality of the circumstances, namely the clarity and conspicuousness of the relevant interface (both web and mobile) presenting the terms to the user. In a prior post about electronic contracting this year, we outlined, among other things, the danger of having a cluttered registration screen.  In this post, we will spotlight five recent rulings from the past few months where courts blessed the mobile contracting processes of e-commerce companies, as well as one case which demonstrates the danger of using a pre-checked box to indicate assent to online terms.

The moral of these stories is clear – the presentation of online terms is essential to enhancing the likelihood that they will be enforced, if need be. Thus, the design of the registration or sign-up page is not just an issue for the marketing, design and technical teams – the legal team must focus on how a court would likely view a registration interface, including pointing out the little things that can make a big difference in enforceability. A failure to present the terms properly could result in the most carefully drafted terms of service ultimately having no impact on the business at all.

This past week, the operator of the popular Weather Channel (“TWC”) mobile phone app entered into a Stipulation of Settlement with the Los Angeles City Attorney, Mike Feuer (“City Attorney”), closing the books on one of the first litigations to focus on the collection of locational data through mobile phones. (People v. TWC Product and Technology, LLC, No. 19STCV00605 (Cal. Super., L.A. Cty, Stipulation Aug. 14, 2020)). While the settlement appears to allow TWC to continue to use locational information for app-related services and to serve advertising (as long the app includes some agreed-upon notices and screen prompts to consumers), what is glaringly absent from the settlement is a discussion of sharing locational information with third parties for purposes other than serving advertising or performing services in the app. Because applicable law, industry practice and the policies of Apple and Google themselves have narrowed the ability to share locational information for such purposes, the allegations of the case were, in a sense, subsumed in the tsunami of attention that locational information sharing has attracted. While some are viewing this settlement as a roadmap for locational information collection and sharing, in fact the settlement is quite narrow.

This past March, many organizations were forced to suddenly pivot to a “work from home” environment (“WFH”) as COVID-19 spread across our country.  However, many companies did not have the necessary technical infrastructure in place to support their full workforce on a WFH basis.  Often, remote access systems were configured assuming only a portion of a company’s employees – not 100% of a company’s employees – would be remotely accessing the corporate networks simultaneously.  In addition, many employees have limited home Wi-Fi capacity that is insufficient to sustain extended, robust connections with the office systems.  Networks can then become overloaded, connections dropped, and employees can experience extended latency issues, frozen transmissions and the like.

As a result, many employees are using a work-around — often with their employer’s knowledge and approval.  They connect their personal devices to their employer’s network to download what they need from the network, but disconnect to perform the bulk of their work offline.  On a periodic basis and upon the completion of the task at hand, those employees then typically upload or distribute the work product to the organization’s network.

The COVID-19 pandemic has fundamentally altered the way we live and conduct business. Most non-essential businesses have closed their offices and established entirely remote workforces, and many individuals may be in quarantine, which means that “wet” signatures on paper can be highly inconvenient. This reality has focused more attention on electronic formats. In this blog post we examine the landscape of electronic signatures in light of the pandemic and what it will mean for signature requirements going forward. Electronic signatures apply to both agreements entered into online, such as when completing an internet transaction or assenting to a contract via email, as well as paper documents. With businesses wondering under what circumstances electronic signatures are binding, this post briefly lays out what rules businesses need to follow.

We continue to wait to see if the Supreme Court will accept LinkedIn’s petition to overturn the Ninth Circuit’s blockbuster ruling in the hiQ Labs case.  In that case, the appeals court held that an entity engaging in scraping of “public” data had shown a likelihood of success on its claim that such access does not constitute access “without authorization” under the federal Computer Fraud and Abuse Act (CFAA).

In the meantime, earlier this week the Supreme Court agreed to hear the appeal of an Eleventh Circuit decision that affirmed the conviction of a police officer under the CFAA for “exceeding authorized access” for accessing police databases for personal gain. (See U.S. v. Van Buren, 940 F. 3d 1192 (11th Cir. 2019), pet. for cert. granted Van Buren v. U.S., No. 19-783 (Apr. 20, 2020)).  This would be the Supreme Court’s first CFAA case.

And in addition to the news at the Supreme Court, late last month, a D.C. district court issued a ruling interpreting the extent of criminal liability under the CFAA for accessing websites in contravention of terms of use for academic research. In that case, the D.C. court held that the mere violation of website terms of use cannot form the basis of criminal liability for “unauthorized access” or “exceeding authorized access” under the CFAA. (Sandvig v. Barr, No. 16. 1368 (D.D.C. Mar. 27, 2020)).