Most hosts have attempted to limit their liability for claims against them with a “Limitation of Liability” contract provision. Hosts generally rely on these provisions to ensure that their risks are manageable and understood.
Frequently I’ll be asked “will the limitation of liability paragraph protect me if ‘X’ happens.” I usually answer, in most cases, yes. A recent decision in Baidu v. Register.com, provides excellent guidance for hosts about when the term “most cases” does not apply.
The facts in this case read like “high importance” emails I sometimes get from clients at 1 am in the morning:
- Register.com’s tech support agent answers an IM chat from someone asking to change Baidu’s email address;
- The “customer” can’t verify into the account;
- The agent emails a security code to the address Baidu has on file;
- The “customer” comes back on IM and gives the agent an incorrect code;
- The agent does not verify whether the codes are different, and changes the email address on file to an @gmail.com address;
- The “customer” uses the “forgot password” function in Register.com’s system, resets Baidu.com’s password and redirects the Baidu.com site to the “Iranian Cyber Army” site;
- Because the password and email have now been changed, legitimate agents for Baidu cannot now authenticate into their account. Register.com refuses to help Baidu because Baidu cannot authenticate the account; and
- The legitimate Baidu site is down for five hours, and does not recover for two days.
Baidu then sued Register.com for, among other things, breach of contract and gross negligence or recklessness. Register.com claimed that its all caps limitation of liability clause shielded it from liability. The court held that whether Register.com’s actions rose to the level of gross negligence or recklessness was an issue for trial, and that the limitation of liability clause did not shield Register.com from suit.
When a party’s conduct rises to level of gross negligence or recklessness, a limitation of liability clause is not likely to bar a lawsuit. Public policy is not served if companies can engage in grossly negligent acts and not suffer the consequences of those acts. In particular, courts will not enforce these clauses when “there is willful or grossly negligent or recklessly indifferent conduct.”
So what type of conduct rises to this standard? Conduct in which the actor fails to “exercise even slight care, scant care, or slight diligence.” In the Baidu case, the court cited the fact that Register.com failed to follow its own security policies as evidence of gross negligence. In particular, the agent responded to the request even though the “customer” was initially unable to authenticate the account; the agent failed to compare the authentication code sent to Baidu with the one given to the agent during the chat; and the agent accepted a free mail account as a legitimate address for a very well known company.
If proven in a trial, this series of events would be sufficient for Baidu to escape the application of the limitation of liability clause in its contract.
Before you say “well my staff will never do this,” it’s important to realize that I see similar sequences of events on a regular basis. Under no circumstances should you rely on your limitation of liability clause as a fail safe way of ensuring your business activities will not result in liability. You should think of your limitation of liability clause as part of a series of actions you need to take to avoid significant liability for events beyond your control. As the Baidu case illustrates, a contract provision like this won’t necessarily protect you if it is determined that you have engaged in conduct that pays “scant” attention to the consequences.
To help strengthen the effectiveness of these clauses you should ensure that your staff is adequately trained; that company procedures are followed, tested and screened for vulnerability on a regular basis; and that hardware, software and other aspects of your network are cared for and their reliability ensured to the best of your ability.
About David Snead
David Snead is a lawyer whose practice is focused on internet infrastructure providers. In his eleven years in this practice, he has represented clients including multinationals, middle tier hosting companies, and two guys, a server, a T-1 and a huge MasterCard balance.
A long-time WHIR contributor, David Snead is the Web hosting business's best-known legal expert. Through his WHIR blog, he offers a credible legal perspective on both specific actions in the Web hosting business and general developments in legislation.
No related posts.
