Court says registrars can’t get away with gross negligence just because it’s in their TOS.
Domain name registrars, take note: you can’t just claim no responsibility for your actions in your terms of service and expect a court to uphold it.
That’s exactly what Register.com tried to do in a lawsuit brought by Baidu. If all the allegations are true, Register.com really screwed up on this one. Yet it claimed Baidu couldn’t hold it accountable because Baidu had agreed to that in the terms of service.
But a ruling (pdf) today by the judge in this case says otherwise. You can’t just disclaim responsibility for your gross negligence:
If these allegations are proven, then Register failed to follow its own security protocols and essentially handed over control of Baidu’s account to an unauthorized Intruder, who engaged in cyber vandalism. On these facts, a jury surely could find that Register acted in a grossly negligent or reckless manner.
The judge refers to a case that is actually a good analogy here:
Green v. Holmes Protection of N.Y., Inc., 629 N.Y.S.2d 13 (1st Dep’t 1995) (holding limitation of liability clause was not enforceable where alarm company was grossly negligent when it gave burglars keys to store and security codes to disengage alarm and failed to respond promptly when crime was discovered).
Register.com also argued that Baidu agreed that the search giant would be responsible for the security of its account. But the judge noted that Register.com did implement security features because this type of hijacking was foreseeable:
The attack by the Intruder was reasonably foreseeable — it was precisely because these cyber attacks are foreseeable that the security measures were adopted. While Baidu gave up, in agreeing to the Limitation of Liability clause, any claims for ordinary negligence or breach of contract based on ordinary negligence, it did not waive its claims for gross negligence or recklessness. If Baidu can prove gross negligence or recklessness, the Limitation of Liability clause will not be a bar.
Of course, it will be up to a jury to decide the ultimate outcome. But the judge has reaffirmed that a registrar can’t run away from its gross negligence in security matters.
This could have implications on most services where a disclaimer was accepted as a “legal” defence to escape responsibilities.
This is similar to what is happening in the DNSSEC arena.
If you make a lot of noise about DNSSEC and security like ICANN and ISOC/IETF have, people will listen. IF something goes wrong, they will hold ICANN and ISOC/IETF liable.
IETF people are NOW saying, DNSSEC is not what it was claimed to be by clueless promoters.
DNSSEC is a bridge to nowhere.
Lawyers will want to follow DNSSEC to those $50,000,000 non-profit cash reserves of ICANN and the ISOC/IETF.
http://www.ietf.org/mail-archive/web/ietf/current/msg62668.html
2) Educate people so that they understand exactly what security DNSSEC
is going to provide.
Good luck with that one. People will do silly things, ignore all the
warning labels and then blame the protocol. There is a real risk that
some will sue. And telling people that DNSSEC is not going to secure
the Internet is not going to be very easy while Vint Cerf is out there
telling people that it is.
“You can’t just claim no responsibility for your actions in your terms of service and expect a court to uphold it.”
Thank God!
Register.com made a major mistake in the Baidu.com disaster. The fact that they feel the need to defend it, instead of apologizing and improving their security and training, reflects even worse on them.
I would want nothing to do with a company like that.
Brad