Baidu, Inc. et al v. Register.com, Inc.MEMORANDUM OF LAW in Opposition re: 14 MOTION to Dismiss.. DocumentS.D.N.Y.April 9, 2010 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK BAIDU, INC. and BEIJING BAIDU NETCOM SCIENCE & TECHNOLOGY CO., LTD., Plaintiffs, v. REGISTER.COM, INC. Defendant. ECF CASE Civil Action No. 10 CV 444(DC) MEMORANDUM OF LAW IN OPPOSITION TO DEFENDANT REGISTER.COM, INC.’S MOTION TO DISMISS PAUL, WEISS, RIFKIND, WHARTON & GARRISON LLP 1285 Avenue of the Americas New York, New York 10019-6064 (212) 373-3000 Attorneys for Plaintiffs Baidu, Inc. and Beijing Baidu Netcom Science and Technology Co., Ltd. April 9, 2010 Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 1 of 33 i TABLE OF CONTENTS Page Table of Authorities .................................................................................................................. iii Preliminary Statement.................................................................................................................1 Statement of facts........................................................................................................................3 Argument....................................................................................................................................6 I. Baidu’s Claims Are Not Barred by the MSA’s Limitations on Liability. ..........................7 A. New York Law Renders Liability Limitations Unenforceable in Cases of Gross Negligence. ................................................................................................7 B. Baidu Has Adequately Pled Facts Demonstrating Register’s Gross Negligence...........................................................................................................8 C. The Imposter’s Unlawful Actions Do Not Relieve Register of Liability. ............10 D. Whether Register’s Actions Were Grossly Negligent Is a Jury Question. ...........12 II. Baidu’s Tort Claims Are Independent of its Contract Claim. .........................................12 III. Baidu Has Stated a Claim For Gross Negligence. ..........................................................14 IV. Baidu Has Stated Claims for Bailment, Conversion, and Trespass. ................................15 A. Baidu Has Stated a Claim for Breach of Bailment. .............................................15 B. Baidu Has Stated a Claim for Conversion. .........................................................16 1. Baidu’s Domain Name and Associated Information Constitute Property. ................................................................................................17 2. Register Exercised Unauthorized Dominion Over Baidu’s Property in Derogation of Baidu’s Right to Control Its Property. ..........................17 C. Baidu Has Stated Claims for Aiding and Abetting Conversion and Trespass. ............................................................................................................19 V. Baidu Has Stated a Claim for Contributory Trademark Infringement Under the Lanham Act...................................................................................................................20 A. Register Is Not Statutorily Immune From a Lanham Act Claim..........................20 Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 2 of 33 ii B. Baidu Has Stated a Claim for Contributory Infringement of the BAIDU Trademark. ........................................................................................................22 1. The Imposter Committed Direct Infringement of the BAIDU Mark. .......22 2. Register Is Contributorily Liable for the Imposter’s Infringement of the BAIDU Mark. ..............................................................................23 Conclusion................................................................................................................................25 Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 3 of 33 iii TABLE OF AUTHORITIES Page(s) CASES A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001)........................................................................................24 Adler v. Pataki, 185 F.3d 35 (2d Cir. 1999) ............................................................................................14 Alston v. State, 862 N.Y.S.2d 806 (N.Y. Ct. Cl. 2005) .....................................................................14, 16 Amusement Indus., Inc. v. Stern, __ F. Supp. 2d __, 2010 WL 445900 (S.D.N.Y. 2010)...................................................14 Arell’s Fine Jewelers, Inc. v. Honeywell, Inc., 537 N.Y.S.2d 365 (4th Dept. 1989) .................................................................................7 Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009).....................................................................................................6 Astroworks, Inc. v. Astroexhibit, Inc., 257 F. Supp. 2d 609 (S.D.N.Y. 2003) ..............................................................................7 Aviles v. Crystal Mgmt., Inc., 677 N.Y.S.2d 330 (1st Dept. 1998)................................................................................15 Banc of Am. Sec. LLC v. Solow Bldg. Co. II, L.L.C., 847 N.Y.S.2d 49 (1st Dept. 2007)................................................................................1, 7 Calcutti v. SBU, Inc., 273 F. Supp. 2d 488 (S.D.N.Y. 2003) ............................................................................19 Chambers v. Time Warner, Inc., 282 F.3d 147 (2d Cir. 2002)...........................................................................................18 Colavito v. N.Y. Organ Donor Network, Inc., 8 N.Y.3d 43 (1993)............................................................................................ 16, 18, 19 Colnaghi, U.S.A., Ltd. v. Jewelers Protection Servs., Ltd., 81 N.Y.2d 821 (1993)......................................................................................................8 Cromer Fin. Ltd. v. Berger, 2003 WL 21436164 (S.D.N.Y. June 23, 2003)...............................................................20 Daly v. Metro. Life Ins. Co., 782 N.Y.S.2d 530 (N.Y. Sup. Ct. 2004).........................................................................13 Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 4 of 33 iv Fed. Ins. Co. v. Honeywell, Inc., 641 F. Supp. 1560 (S.D.N.Y. 1986) .............................................................................7, 8 Fetsch v. Miller’s Mint, Ltd., 2009 WL 4068515 (N.Y. App. Term Nov. 19, 2009) .....................................................15 Fonovisa, Inc. v. Cherry Auction, Inc., 73 F.3d 259 ...................................................................................................................24 Gentile v. Garden City Alarm Co., Inc., 541 N.Y.S.2d 505 (2d Dept. 1989) ..................................................................................8 Glassman v. Wachovia Bank, N.A., 847 N.Y.S.2d 901 (N.Y. Sup. Ct. 2007).........................................................................12 Gotham Boxing Inc. v. Finkel, 856 N.Y.S.2d 498 (N.Y. Sup. Ct. 2008).........................................................................19 Green v. Holmes Protection, 629 N.Y.S.2d 13 (1st Dept. 1995)..............................................................................8, 10 Gross v. Sweet, 49 N.Y.2d 102 (1979)......................................................................................................7 Hard Rock Café Licensing Corp. v. Concession Servs., Inc., 955 F.2d 1143 (7th Cir. 1992)........................................................................................24 Hartford Ins. Co. v. Holmes Protection Group, 673 N.Y.S.2d 132 (1st Dept. 1998)................................................................................10 Henry v. Daytop Village, Inc., 42 F.3d 89 (2d Cir. 1994) ..............................................................................................14 Herrington v. Verrilli, 151 F. Supp. 2d 449.......................................................................................................18 Isik Jewelry v. Mars Media, Inc., 418 F. Supp. 2d 112 (S.D.N.Y. 2005) ......................................................................15, 16 Jones v. Commerce Bancorp, Inc., 2006 WL 1409492 (S.D.N.Y. May 23, 2006) ................................................................13 Kalisch-Jarcho v. City of New York, 58 N.Y.2d 377 (1983)..................................................................................................2, 7 Kerman v. City of N.Y., 374 F.3d 93 (2d Cir. 2004) ............................................................................................12 Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 5 of 33 v Koch v. Consol. Edison Co. of N.Y., Inc., 62 N.Y.2d 548 (1984)....................................................................................................11 Kremen v. Cohen, 337 F.3d 1024 (9th Cir. 2003)........................................................................................17 Levin v. Eleto, 283 N.Y.S.2d 105 (N.Y. Mun. Ct. 1935) .................................................................11, 18 Liberman v. Worden, 268 A.D.2d 337 (1st Dept. 2000)...................................................................................20 Lockheed Martin Corp. v. Network Solutions, Inc., 194 F.3d 980 (9th Cir. 1999) ...................................................................................21, 24 MacFarlane v. Grasso, 696 F.2d 219 (2d Cir. 1982)...........................................................................................14 Martin v. Briggs, 663 N.Y.S.2d 184 (1st Dept. 1997)................................................................................15 Mas v. Two Bridges Assocs., 75 N.Y.2d 680 (1990)....................................................................................................10 Niagara Mohawk Power Corp. v. Stone & Webster Eng’g Corp, 725 F. Supp. 656 (N.D.N.Y. 1989) ................................................................................12 OSRecovery, Inc. v. One Groupe Int’l, Inc., 354 F. Supp. 2d 357 (S.D.N.Y. 2005) ........................................................................6, 20 PACCAR Inc. v. TeleScan Techs., L.L.C., 319 F.3d 243 (6th Cir. 2003) .........................................................................................23 In re Paige, 413 B.R. 882 (Bkrtcy. D. Utah 2009).............................................................................17 Palazzo v. Katz Parking Sys., 315 N.Y.S.2d 384 (N.Y. Civ. Ct. 1970) .........................................................................16 Peralta v. Port of N.Y. Auth., 326 N.Y.S.2d 776 (N.Y. Civ. Ct. 1971) .........................................................................14 Planned Parenthood Fed’n of Am., Inc. v. Bucci, 1997 WL 133313 (S.D.N.Y. Mar. 24, 1997) ............................................................22, 23 Robin Bay Assocs., LLC v. Merrill Lynch & Co., 2008 WL 2275902 (S.D.N.Y. June 3, 2008) ..................................................................12 Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 6 of 33 vi Sealey v. Meyers Parking Sys., 555 N.Y.S.2d 574 (N.Y. Civ. Ct. 1990) .........................................................................16 In re Sept. 11 Litig., 640 F. Supp. 2d 323 (S.D.N.Y. 2009) ............................................................................19 Six West Retail Acquisition, Inc. v. Sony Theatre Mgmt. Corp., 2000 WL 264295 (S.D.N.Y. Mar. 09, 2000) ....................................................................7 Solid Host, NL v. Namecheap, Inc., 652 F. Supp. 2d 1092 (C.D. Cal. 2009) ....................................................................21, 22 Sommer v. Fed. Signal Corp., 79 N.Y.2d 540 (1992)..............................................................................................13, 16 Stellan Holm, Inc. v. Malmberg Int’l Art, 2002 WL 392294 (S.D.N.Y. Mar. 13, 2002) ..................................................................19 Thyroff v. Nationwide Mut. Ins. Co., 8 N.Y.3d 283 (2007)......................................................................................................17 Tiffany (NJ) Inc. v. eBay Inc., __ F.3d __, 2010 WL 1236315 (2d Cir. Apr. 1, 2010)....................................................25 Transamerica Corp. v. Moniker Online Servs., 2009 WL 4715853 (S.D. Fla. Dec. 4, 2009).............................................................21, 23 Translucent Comms. v. Ams. Premier Corp., 2010 WL 723937 (D. Md. Feb. 24, 2010) ......................................................................17 United States v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947)...........................................................................................15 United States v. Clarke, 2006 WL 3615111 (S.D.N.Y. Dec. 7, 2006) ..................................................................14 United States v. Scala, 388 F. Supp. 2d 396 (S.D.N.Y. 2005) ............................................................................14 United We Stand Am., Inc. v. United We Stand, Am. N.Y., 128 F.3d 86 (2d Cir. 1997) ............................................................................................22 Verizon Cal. Inc. v. OnlineNIC, Inc., 647 F. Supp. 2d 1110.....................................................................................................22 W.S.A., Inc. v. ACA Corp., 1998 WL 635536 (S.D.N.Y. Sept. 15, 1998)..................................................................18 Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 7 of 33 vii Wedbush Morgan Sec., Inc. v. Robert W. Baird & Co., 320 F. Supp. 2d 123 (S.D.N.Y. 2004) ............................................................................20 Woodling v. Garrett Corp., 813 F.2d 543 (2d Cir. 1987).....................................................................................11, 12 Wornow v. Register.com, 778 N.Y.S.2d 25 (1st Dept. 2004)..................................................................................17 STATUTES 15 U.S.C. § 1114.................................................................................................................21, 22 OTHER AUTHORITIES Fed. R. Civ. P. 8(a) .....................................................................................................................7 Fed. R. Civ. P. 8(d)(2)...............................................................................................................14 Fed. R. Civ. P. 12(b)(6).......................................................................................................1, 6, 7 Restatement (Third) of Unfair Competition § 27 (1995) ............................................................24 S. Rep. No. 106-140 (1999) ......................................................................................................22 A. Mitchell Polinski, An Introduction to Law and Economics (1983)........................................15 Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 8 of 33 1 PRELIMINARY STATEMENT Defendant Register.com seeks to escape liability for a reckless and inexcusable breach of security of Baidu’s confidential domain name account that enabled an unauthenticated person to redirect millions of users of Baidu’s search engine to a web page advocating racist violence. In its effort to avoid liability for this reckless conduct, Register resorts to flatly incorrect statements of law; factual contentions that are extraneous to the complaint and improper in support of a motion to dismiss; self-serving characterizations of itself as a “victim” of the crime that Register abetted through its own gross negligence (although Register fails to articulate any injury that it suffered as a result of the attack on Baidu’s website); and disparaging innuendo apparently intended to distract the Court from the infirmity of Register’s motion.1 The truth is that Baidu’s claims are amply supported by Baidu’s detailed factual allegations and New York law, which governs this dispute. New York law does not permit Register to use the contractual limitations on liability in the parties’ Master Services Agreement (“MSA”) - as Register attempts to do here - to shield itself from liability for the recklessness and gross negligence of ignoring its own security protocols and handing over control of Baidu’s account to an unidentified individual (the “Imposter”) who provided wrong - and highly suspicious - answers each time Register attempted to verify his or her identity as a Baidu representative. 1 For example, Register attempts to suggest that Baidu is somehow complicit in government censorship (Def. Br. at 3 n.2) or had some ill-defined political or other motive for bringing this action (id. at 7 n.9). These charges, based on rank suspicion and innuendo, are irrelevant at best and defamatory at worst. And Register accuses Baidu of “attempting to conceal” the terms of its contract with Register.com (id. at 1), despite the fact that the second claim for relief in Baidu’s complaint is for breach of that very contract. Plaintiffs need not anticipate in a complaint for breach of contract that defendants will assert that a provision of that contract limits its liability. Banc of Am. Sec. LLC v. Solow Bldg. Co. II, L.L.C., 847 N.Y.S.2d 49, 53 (1st Dept. 2007) (“Contrary to [Defendant’s] contentions . . . there is no requirement that a complaint anticipate and overcome every defense that might be raised in opposition to a cause of action.”). As detailed infra at 7-8, moreover, the provision in question does not apply as a matter of law to gross negligence as is alleged here. Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 9 of 33 2 In addition, compounding this inexcusable behavior, when Baidu reached out to Register to stop the attack and to return control of Baidu’s domain name to Baidu, Register nearly doubled the duration of the attack by delaying its response to Baidu’s pleas for help. Indeed, despite Register’s representation that it provides “24/7” customer service, Register failed to answer its customer service telephone line when Baidu called for help, and Register refused to assist Baidu through Register’s on-line customer support chat service. (Compl. ¶ 23; see Snyder Decl. Exh. A at 1). Well-established principles of New York law - and the Lanham Act - place the liability for Baidu’s injuries squarely on the shoulders of the only party that had the means to protect Baidu from the Imposter’s attack: Register.com. The New York State Court of Appeals has made clear that it will not permit parties to contract out of liability for reckless or intentional misbehavior, holding that “an exculpatory clause is unenforceable when, in contravention of acceptable notions of morality, the misconduct for which it would grant immunity . . . betokens a reckless indifference to the rights of others.”2 If parties in Register’s position are permitted to contract out of liability for a complete failure to execute security protocols, then all of the 2.5 million customers who have accounts with Register (Def. Br. at 3 n.1) will be in jeopardy - with no legal recourse if Register allows unauthorized access to their accounts. Register was clearly the least cost avoider of the attack that caused Baidu’s injuries. Register’s attempt to place responsibility for security on Baidu’s shoulders - when Register controlled the security procedures for protecting its customers’ accounts - is ludicrous. (Def. Br. at 4-5) If Register 2 Kalisch-Jarcho v. City of New York, 58 N.Y.2d 377, 385 (1983). Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 10 of 33 3 bears no responsibility for its conduct here - as it claims - then it might with impunity make account passwords available to anyone who asks.3 STATEMENT OF FACTS “Baidu” is the registered trademark of the leading Internet search engine in China. Baidu’s revenue is closely tied to the traffic on its website. Advertisers pay fees to Baidu based on the number of “click-throughs” on advertisements that appear in search results obtained by individuals who use Baidu’s search engine. (Compl. ¶ 13-15) In 1999, Baidu registered its domain name, “baidu.com,” with defendant Register, and entered into the MSA. (Id. ¶ 16) In connection with that transaction, Baidu deposited confidential and proprietary information with Register. (Id. ¶¶ 46, 52) On January 11, 2010, Register, in breach of numerous duties, enabled a cyber attack against Baidu. Register gave an obvious Imposter - posing as a Baidu representative - access to Baidu’s confidential and proprietary account information, thus enabling the Imposter to re-route Internet traffic intended for Baidu’s search site to a web page depicting an Iranian flag and a broken Star of David and proclaiming “This site has been hacked by Iranian Cyber Army.” (Id. ¶ 4; see Ramos Decl. Exhs. A & B) On its web page, the Imposter also solicited visitors to “baidu.com” to contact “Soldier@CyberArmyofIran.com” - thus ostensibly seeking to recruit “soldiers” or other support for its cause. (Ramos Decl. Exh. A) Register enabled this attack against Baidu through gross negligence that breached Register’s own security protocols. Moreover, during the attack, Register repeatedly ignored Baidu’s demands for assistance, thus causing the attack on Baidu to continue for approximately 3 If the facts alleged in Baidu's complaint - a complete failure to follow internal security protocols - were deemed not to constitute gross negligence as a matter of law on a motion to dismiss, then all of Register’s 2.5 million clients, and all clients of domain registrars with similar liability clauses in their customer agreements, would be able to simply turn over control of their customers’ domain names to unauthenticated users with impunity. Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 11 of 33 4 five hours. Baidu’s website was not fully repaired for two days, resulting in millions of dollars of damage. (Id. ¶ 5) The attack and the resulting injuries to Baidu could not have occurred but for Register’s gross negligence and reckless disregard for Baidu’s rights. The attack on Baidu began just after 5 P.M. EST on January 11, 2010. The Imposter initiated a “chat” with a Register customer service representative via an on-line chat service provided by Register. The Imposter asked the Register representative to change the email address associated with Baidu’s account. (Id. ¶ 18) The Register representative responded to the Imposter with a question intended to verify that the Imposter was an authorized representative of Baidu. The Imposter answered this question incorrectly. (Id.) The Register representative then emailed a security code to the email address that Register had on file for Baidu, and asked the Imposter to report the code back to Register on- line, in the chat session. (Id.) The Imposter responded with a bogus code, different from the one Register had sent to Baidu.4 (Id. ¶ 19) The Register representative, however, failed to compare the code received from the Imposter to the code that the representative had just sent to Baidu. Instead, the Register representative proceeded to ask the Imposter for the email address that the Imposter wished to substitute for the email address on file for the baidu.com account. The Imposter requested that Register change the email address it had on file for Baidu - an address using the “baidu.com” domain name - to “antiwahabi2008@gmail.com.” (Id.) At that moment, the transaction between Register and the Imposter was marked with at least three glaring red flags that any reasonable domain registrar should have recognized. First, the Imposter provided a wrong answer to the security verification question posed by the 4 Register incorrectly asserts that the code sent by Register to Baidu was “similar” to the code sent by the Imposter to Register. (Def. Br. at 6.) In fact, the codes are not “similar” at all. The code sent by Register to Baidu was “81336134.” The code sent by the Imposter to Register was “96879818.” (Ramos Decl. ¶ 3) If these codes are “similar,” then any two series of eight numbers are “similar” - rendering Register’s security code verification process a sham. Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 12 of 33 5 Register representative. (Id. ¶ 18) Second, the Imposter provided a bogus security code when asked to provide the code that Register emailed to the Baidu account address on file. (Id.) Finally, the Imposter, while purporting to be an employee of Baidu, asked Register to change the email address on file for the baidu.com account to an address that consisted of a politically- charged and provocative user name (“antiwahabi2008”) and the domain name of a Baidu competitor (“gmail.com”), instead of the “baidu.com” domain in the email address already on file. (Id. ¶ 19) By changing the email address on file for the baidu.com account, Register enabled the Imposter to change the password and user name that gave the Imposter control over Baidu’s account. (Id. ¶ 21) Using Register’s automated “forgot password” function, the Imposter caused Baidu’s user name to be sent to “antiwahabi2008@gmail.com,” along with a web link allowing the Imposter to change Baidu’s account password, thereby obtaining full access to Baidu’s account. (Id.) Register thus granted full control of the means by which users access Baidu’s search engine service to an unidentified individual who had twice provided false information in the identity verification process and who clearly was not associated with Baidu. Having gained control over Baidu’s account, the Imposter re-routed traffic intended for Baidu’s search engine service to the Imposter’s web page. (Id. ¶ 22) Baidu users typing “baidu.com” into their browsers arrived, instead, at the Imposter’s web page, which depicted an Iranian flag and broken Star of David, proclaimed “This site has been hacked by Iranian Cyber Army,” and solicited Baidu’s users to its cause (Id. ¶ 4.; Ramos Decl. Exhs. A & B) The attack persisted for approximately five hours, and full service was not restored to Baidu and its users for two days. (Id. ¶¶ 4, 24) Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 13 of 33 6 After the attack started, Baidu’s representatives contacted Register to plead for help. (Id. ¶ 23) Despite Register’s touting “24/7” customer service on its website, Baidu’s many phone calls to Register went unanswered, and Baidu representatives attempting to use the on-line customer chat service to reach Register were rebuffed. (Id.) Although Baidu made the urgency of the situation very clear to Register, Register did not even begin efforts to restore Baidu’s control of its account until two hours after the initial contact by Baidu. (Id.)5 At all times during the attack, Register could have wrested control from the Imposter - as it eventually did. Had Register restored Baidu’s control of its account as soon as it was notified, the consequences for Baidu could have been mitigated. (Id. ¶¶ 23, 24) This attack caused a substantial loss of revenue for Baidu, and had a negative impact on Baidu’s public image and consumer confidence. (Id. ¶ 24) Moreover, because Baidu’s domain name is also its trademark, Register’s actions abetted the Imposter’s infringement of Baidu’s trademark. (Id. ¶¶ 15, 26-31) ARGUMENT In deciding a motion to dismiss pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure, all facts alleged in the complaint are to be presumed true and all reasonable inferences to be drawn in the plaintiff's favor. OSRecovery, Inc. v. One Groupe Int’l, Inc., 354 F. Supp. 2d 357, 364 (S.D.N.Y. 2005). In order to defeat a motion to dismiss, a complaint need only “contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 129 S. Ct. 1937, 1949 (2009) (citation omitted). This pleading standard “does not require detailed factual allegations.”6 Id. (citation omitted). 5 By contrast, Register gave control of Baidu’s account to the Imposter in less than 45 minutes. (Id. ¶ 23) 6 Register’s claim that Baidu’s damages allegations are insufficient to meet New York’s pleading standards (Def. Br. at 16 n.16) is irrelevant: because this case is in federal court, federal procedural law - including pleading Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 14 of 33 7 I. Baidu’s Claims Are Not Barred by the MSA’s Limitations on Liability. Register attempts to escape liability for its appalling conduct here by hiding behind certain contractual limitations on liability in the parties’ MSA. These liability limitations, however, do not shield Register from the gross negligence that Baidu has alleged in its complaint. Contrary to the contention of Register, Baidu’s allegations of gross negligence are hardly “conclusory.” They are detailed, specific, and more than sufficient to state a claim for relief. Fed. R. Civ. P. 8(a), 12(b)(6). A. New York Law Renders Liability Limitations Unenforceable in Cases of Gross Negligence. It is well-established in New York law that: [A]n exculpatory agreement, no matter how flat and unqualified its terms, will not exonerate a party from liability under all circumstances. Under announced public policy, it will not apply to exemption of willful or grossly negligent acts. More pointedly, an exculpatory clause is unenforceable when . . . the misconduct for which it would grant immunity . . . betokens a reckless indifference to the rights of others. Kalisch-Jarcho, Inc. v. City of N.Y., 58 N.Y.2d 377, 384-85 (1983) (citations omitted). See also Six West Retail Acquisition, Inc. v. Sony Theatre Mgmt. Corp., 2000 WL 264295, at *32-33 (S.D.N.Y. Mar. 09, 2000); Gross v. Sweet, 49 N.Y.2d 102, 106 (1979); Banc of Am. Sec. LLC v. Solow Bldg. Co., 847 N.Y.S.2d 49, 53 (1st Dept. 2007). The New York state and federal courts consistently apply this principle to hold contractual liability waivers and limits and damages caps unenforceable by defendants even when both parties to the contract were sophisticated commercial parties and without regard to whether they had equal bargaining power. See Fed. Ins. Co. v. Honeywell, Inc., 641 F. Supp. 1560 (S.D.N.Y. 1986); Solow, 847 N.Y.S.2d at 54; Arell’s Fine Jewelers, Inc. v. Honeywell, Inc., standards - is applied. Astroworks, Inc. v. Astroexhibit, Inc., 257 F. Supp. 2d 609, 613 n.7 (S.D.N.Y. 2003) (“A federal court may not impose a [state’s] heightened pleading standard - under any circumstance. . . .”). Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 15 of 33 8 537 N.Y.S.2d 365, 365 (4th Dept. 1989) (“[T]here is no significant distinction between an agreement which completely relieves a party from liability and one which limits liability to a nominal sum.”); Gentile v. Garden City Alarm Co., Inc., 541 N.Y.S.2d 505, 510-11 (2d Dept. 1989) (applying gross negligence exception to damages caps as well as general liability waivers). B. Baidu Has Adequately Pled Facts Demonstrating Register’s Gross Negligence. To plead gross negligence, Baidu must demonstrate either (i) that Register failed to “exercise even slight care, scant care, or slight diligence,” Fed. Ins. Co., 641 F. Supp. at 1563, or (ii) that Register’s actions “evince[d] a reckless disregard for the rights of others.” Colnaghi, U.S.A., Ltd. v. Jewelers Protection Servs., Ltd., 81 N.Y.2d 821, 823-23 (1993). Contrary to Register’s suggestions (Def. Br. at 2), there is no requirement that such actions occur more than once in order to constitute gross negligence. See, e.g., Green v. Holmes Protection, 629 N.Y.S.2d 13 (1st Dept. 1995). Baidu’s allegations of gross negligence are not, as Register contends, “bald assertions” or “conclusory allegations” but specific factual allegations that would amply support findings of reckless disregard for Baidu’s rights and of failure to exercise even minimal care: • On January 11, 2010, the Imposter contacted Register through its technical support chat site. Posing as a representative of Baidu, the Imposter asked a Register customer support representative to change the email address that Register had on file for communicating with Baidu. (Compl. ¶ 18) • The Imposter then provided an incorrect response to the Register representative’s request for security verification information. (Id.) This incorrect response was the first red flag that something was amiss, and that caution was advised. • The Register representative then emailed a security code to the email address that Register had on file for the Baidu account, and asked the Imposter to repeat the security code on the chat site. Instead, the Imposter sent Register a bogus code - a different code than what the Register representative had sent to the email address specified in Baidu’s account. (Id. ¶ 19) The bogus security code was the second red Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 16 of 33 9 flag in the communications between the Imposter and Register, but both red flags were ignored. (Id.) 7 • The Register representative then proceeded to ask for the new email address that the Imposter wished to replace Baidu’s address on file (an address including the Baidu domain name). The Imposter responded: “antiwahabi2008@gmail.com.” This was yet a third red flag, which the Register representative ignored by changing the email address associated with the Baidu account to an address consisting of a politically- charged user name and the domain name of a Baidu competitor. (Id. ¶ 20) 8 In addition, Baidu alleges that Register knew or should have known that its clients include businesses, like Baidu, engaged in Internet-based commercial operations and that Baidu and defendants’ other business clients depend upon Register for the continuance of their business operations. (Id. ¶ 17) By failing to compare the code that Register received from the Imposter to the code that Register emailed to Baidu (Id. ¶ 19) - a failure that, Baidu submits, was simply inexcusable - and blithely changing the email address on file for Baidu’s account to the provocative address tendered by the Imposter, Register handed over control of Baidu’s account to an unknown Imposter who had repeatedly thrown up red flags to alert Register to his or her illegal intentions (Id. ¶ 20). This was no mere “mistake or a series of mistakes,” as Register contends. (Def. Br. at 14 (citation omitted)) This was gross negligence. Baidu also alleges that when the consequences of Register’s gross negligence in enabling the Imposter’s attack on Baidu became known, Register committed further acts of gross negligence by failing to answer its customer support line, refusing to provide Baidu with access to its account information and control over its account, and delaying restoration of Baidu’s 7 Without discovery, Baidu is unable to determine what procedure Register generally follows to compare security codes. Such a comparison could easily have been performed by electronic means so as to eliminate the risk of error. 8 Contrary to Register’s implications (Def. Br. at 6), Register need not have known what “wahabi” meant in order for the word “antiwahabi” to have raised suspicion: the use of the prefix “anti-” is hardly typical for the address of a legitimate commercial business. In any event, the issue of Register’s scienter is a question of fact to be determined by the jury at trial (see discussion at p. 12 infra) after Baidu has conducted discovery - not on a motion to dismiss. Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 17 of 33 10 domain name to its rightful owner - thus nearly doubling the amount of time that Baidu’s domain name was under the control of the Imposter and extending until two days the time it would take to restore full service to Baidu and users of its popular search engine service. (Compl. ¶¶ 4, 23-24) Under New York law, Register’s failure to respond in a timely manner to Baidu’s pleas for help to stop the harm that Register recklessly allowed to occur clearly states a second claim for gross negligence. In Mas v. Two Bridges Assocs., 75 N.Y.2d 680 (1990), for example, the New York Court of Appeals held that a landlord was liable for injuries to a tenant occasioned by operation of a faulty elevator and for the landlord’s subsequent fault in failing to respond to her cries for help until thirty minutes later. In Green, the New York Appellate Division for the First Department held that an alarm company was grossly negligent both in allowing robbers access to plaintiffs’ store by divulging to them the security codes that disengaged the alarm and in failing to respond promptly when the crime was discovered.9 Green, 629 N.Y.S.2d at 13. Register’s actions clearly parallel the “outrageous acts of folly” committed by Holmes Protection in Green. Hartford Ins. Co. v. Holmes Protection Group, 673 N.Y.S.2d 132, 134 (1st Dept. 1998) (citing Green as a clear example of gross negligence). Far from constituting “bald assertions,” these specific factual allegations clearly meet the federal court pleading requirements and lay out a prima facie case of gross negligence against Register. C. The Imposter’s Unlawful Actions Do Not Relieve Register of Liability. Register contends that it has found no New York case in which a defendant who had no duty to the plaintiff was found grossly negligent despite having been “the victim of the 9 Green is similar to this case in that the robbers in Green had given incorrect names to the Defendant security company, which nevertheless gave the robbers the security code. Green, 629 N.Y.S.2d at 13. Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 18 of 33 11 same criminal act that harmed the plaintiff.” (Def. Br. at 12-13) Here, however, Register clearly had a duty to protect and safeguard access to Baidu’s confidential information and control over Baidu’s account. (Infra at 13-14) And, while purporting to be a “victim” along with Baidu, Register tellingly fails to identify any injury it suffered. Moreover, it is clear under New York law that intervening criminal action by a third party does not cut off liability for gross negligence when that criminal action was foreseeable by a grossly negligent actor. See Koch v. Consol. Edison Co. of N.Y., Inc., 62 N.Y.2d 548, 560 (1984) (defendant’s liability for gross negligence was not automatically cut off by intervening criminal activity where “plaintiffs have shown facts sufficient to require a trial of the factual question of whether intervention of the rioters was within the contemplation of the parties or reasonably to have been foreseen by Con Edison”); Levin v. Eleto, 283 N.Y.S.2d 105, 107 (N.Y. Mun. Ct. 1935) (where landlord was guilty of gross negligence, “[t]he burglary . . . may be said to have been a reasonable and natural result of the wrongful act of the defendant,” and thus liability was imposed on defendant despite intervening criminal acts). Here, Register had security measures in place that could only have had as their object preventing the sort of unlawful conduct engaged in by the Imposter. Having adopted those security procedures, and as a registrar of domain names used in e-commerce, Register cannot seriously deny the foreseeability of what occurred here. And, even where “circumstances permit varying inferences as to the foreseeability of the intervening act, the proximate cause issue is a question of fact for the jury.” Woodling v. Garrett Corp., 813 F.2d 543, 556 (2d Cir. 1987). In this case, there was a proximate causal relationship between Register’s gross negligence and the Imposter’s criminal actions. If Register had not acted recklessly in granting Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 19 of 33 12 the Imposter access despite glaring red flags that should have warned Register of the Imposter’s illicit designs, the Imposter’s misappropriation of Baidu’s domain name would have been foiled. Register’s grossly negligent actions granted the Imposter the means by which he or she injured Baidu and foreseeably resulted in harm to Baidu. See id. (“[We should not] strain to relieve a negligent party from responsibility because of an intervening act when the original negligence created a situation of extreme danger” (citation omitted).). D. Whether Register’s Actions Were Grossly Negligent Is a Jury Question. Interpreting New York law, the Second Circuit has held that “questions as to whether there was gross negligence, intent, or reckless disregard are questions of fact to be answered by the jury.” Kerman v. City of N.Y., 374 F.3d 93, 116 (2d Cir. 2004) (where liability was contingent on distinction between ordinary and gross negligence, reversing district court’s conclusion as a matter of law that defendant’s actions did not rise to the level of gross negligence). This principle applies with particular force where the application of an exculpatory clause rests upon whether a given action or set of actions constitute ordinary or gross negligence. See, e.g., Robin Bay Assocs., LLC v. Merrill Lynch & Co., 2008 WL 2275902, at *6 (S.D.N.Y. June 3, 2008) (“where the inquiry is as to the existence or nonexistence of gross negligence [in breach of contract action], . . . the question . . . remains a matter for jury determination” (citation omitted)); Glassman v. Wachovia Bank, N.A., 847 N.Y.S.2d 901 (N.Y. Sup. Ct. 2007). II. Baidu’s Tort Claims Are Independent of its Contract Claim. Baidu’s tort claims are not duplicative of Baidu’s claim for breach of contract as Register contends. Injurious conduct by a contract party is “considered a tort [if] a legal duty independent of the contract itself has been violated.” Niagara Mohawk Power Corp. v. Stone & Webster Eng’g Corp, 725 F. Supp. 656, 662 (N.D.N.Y. 1989) (citation omitted). In the seminal case of Sommer v. Fed. Signal Corp., 79 N.Y.2d 540, 551-53 (1992), the New York Court of Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 20 of 33 13 Appeals considered in depth the intersection between tort and contract. Noting that even where two parties’ relationship is governed by contract “[a] legal duty independent of contractual obligations may be imposed by law as an incident to the parties’ relationship,” the court held that “policy” may also “give[] rise to a duty of due care” even in the presence of an all-encompassing contract. Id. at 551-52. The Sommer court concluded that tort claims predicated on the same facts and same injuries as a contract claim, but invoking breach of an independent duty (including a relationship of bailment, whether or not explicitly provided for in the governing contract), could be brought despite the general rule barring duplicative claims.10 In this case, Register breached at least two duties independent of the MSA. First, New York law recognizes that a corporation that requires a customer to turn over confidential information in order to purchase the corporation’s services incurs a fiduciary duty toward its customers to keep that information secure. See Jones v. Commerce Bancorp, Inc., 2006 WL 1409492, at *3 (S.D.N.Y. May 23, 2006) (holding based on New York law that institutions that require turnover of customers’ personal information have common law duty to protect that information from theft by third parties); Daly v. Metro. Life Ins. Co., 782 N.Y.S.2d 530, 535 (N.Y. Sup. Ct. 2004) (finding fiduciary duty to keep confidential information safe where “[w]hen [Plaintiff] wished to purchase a life insurance policy from [Defendant], she was required to, and agreed to supply [Defendant] with highly sensitive personal information including her full name, her social security number, and her date of birth. Implicit in this agreement was a covenant to safeguard this information”). Thus, Register had an independent duty to safeguard Baidu’s highly confidential information, including user name and password. 10 The Sommer court also pointed out that plaintiff was not “seeking the benefit of its contractual bargain, but instead [sought] recovery of damages for” the result of defendant’s gross negligence. Sommer, 79 N.Y.2d at 553. Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 21 of 33 14 Second, as will be discussed further (infra at 17), Baidu’s confidential information and the registered trademark “Baidu” constitute personal property that is treated no differently than any other form of personal property. Once Baidu conveyed its personal property to Register for the purpose of creating an account, Register had an obligation in bailment to care for the property. Peralta v. Port of N.Y. Auth., 326 N.Y.S.2d 776, 787 (N.Y. Civ. Ct. 1971). Bailment is considered to be a contract in and of itself - arising as a matter of law from the relationship of the parties. Alston v. State, 862 N.Y.S.2d 806, at *3 (N.Y. Ct. Cl. 2005). Baidu’s bailment claim does not depend upon the MSA, but instead has an independent basis.11 III. Baidu Has Stated a Claim For Gross Negligence. As explained above, Baidu has amply alleged a claim for gross negligence. (See supra at 8-10) Baidu has pled specific facts more than sufficient to support a jury’s conclusion that Register failed to exercise minimal care and/or acted with reckless disregard for the rights of Baidu. Register’s arguments to the contrary are themselves conclusory assertions and are entitled to no weight on a motion to dismiss. United States v. Clarke, 2006 WL 3615111, at *3 (S.D.N.Y. Dec. 7, 2006) (“[T]he conclusory assertions contained in Defendant’s motion papers do not provide the Court any basis on which to dismiss . . . .”); see United States v. Scala, 388 F. Supp. 2d 396, 399-400 (S.D.N.Y. 2005). Moreover, Baidu’s independent gross negligence claim 11 Even assuming arguendo that Baidu’s contract and tort claims were somehow inconsistent, Register is incorrect in arguing that Baidu cannot plead both claims in its complaint. See Fed. R. Civ. P. 8(d)(2) (permitting alternative and inconsistent pleading); MacFarlane v. Grasso, 696 F.2d 219, 224-25 (2d Cir. 1982). Because the court “clarif[ies] all ambiguities in favor of the nonmoving party,” plaintiff need not explicitly plead in the alternative; alternative pleading is implied where necessary to preserve inconsistent but otherwise permissible claims. Henry v. Daytop Village, Inc., 42 F.3d 89, 95 (2d Cir. 1994); see Adler v. Pataki, 185 F.3d 35, 41 (2d Cir. 1999) (“Although these allegations were not specifically pleaded as ‘in the alternative,’ we have ruled that Rule 8([d])(2) offers sufficient latitude to construe separate allegations in a complaint as alternative theories, at least when drawing all inferences in favor of the nonmoving party as we must do in reviewing orders granting motions to dismiss or for summary judgment.”); Amusement Indus., Inc. v. Stern, __ F. Supp. 2d __, 2010 WL 445900, at *5 (S.D.N.Y. 2010) (alternative pleading implied where claims pled were inconsistent). Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 22 of 33 15 may be considered to derive from a breach of either of the two duties mentioned above; it is by no means precluded by Baidu’s contract claim.12 IV. Baidu Has Stated Claims for Bailment, Conversion, and Trespass. A. Baidu Has Stated a Claim for Breach of Bailment. As explained above, Register’s argument that Baidu’s bailment claim is a tort claim duplicative of Baidu’s contract claim is spurious. A bailment is typically adjudicated as a form of contract. See Isik Jewelry v. Mars Media, Inc., 418 F. Supp. 2d 112, 120 (S.D.N.Y. 2005); Martin v. Briggs, 663 N.Y.S.2d 184, 197 (1st Dept. 1997); Fetsch v. Miller’s Mint, Ltd., 2009 WL 4068515, at *1 (N.Y. App. Term Nov. 19, 2009) (dismissing case because “plaintiff failed to establish that defendant . . . breached its bailment contract with plaintiff”). A bailment is defined as the “delivery of personal property for some particular purpose, or a mere deposit, upon a contract express or implied, and that after such purpose has been fulfilled it shall be redelivered to the person who delivered it.” Isik Jewelry, 418 F. Supp. 2d at 119 (emphasis added).13 A bailment arises when “there is a relinquishment of exclusive possession, control and dominion over the property . . . [and] either actual or constructive 12 New York also has a strong public policy that places liability in negligence on the least cost avoider. United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947) (accused tortfeasor’s liability depends on whether the burden to prevent the harm is less than the probable loss); Aviles v. Crystal Mgmt., Inc., 677 N.Y.S.2d 330, 332- 33 (1st Dept. 1998) (applying Carroll Towing to determine party that would most appropriately bear liability for negligence); see A. Mitchell Polinski, An Introduction to Law and Economics, 7-9 (1983). Register was clearly the least cost avoider here, as Register had exclusive control of the security process that failed to safeguard Baidu’s account and could have avoided the breach that occurred here, it appears, simply by following the verification procedures that it already had in place. Discovery may expose further failures on Register’s part - but the facts pled provide ample basis for holding Register responsible for the breach of security that occurred here. 13 The MSA explicitly discusses the procedure for moving a customer’s domain name to the care of another registrar. (See Jacobson Decl. Exh. A, Master Services Agreement (subject to certain minor conditions, a customer “may transfer [its] domain name to a third party domain name registrar of [its] choice”)) Thus it is quite clear that the domain name is to be redelivered to the customer upon demand, or when the customer determines that the usefulness of Register’s services has come to an end. Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 23 of 33 16 delivery by the bailor as well as actual [or] constructive acceptance by the bailee.” Alston, 862 N.Y.S.2d at *3 (citations omitted). Baidu relinquished its exclusive possession when it delivered its property to Register by choosing Register to be the registrar for its domain name. (Compl. ¶¶ 16, 58) See, e.g., Isik Jewelry, 418 F. Supp. 2d at 120-21 (finding transference of complete control because recipient of property was able to exercise sufficient control to breach bailment); Palazzo v. Katz Parking Sys., 315 N.Y.S.2d 384, 385 (N.Y. Civ. Ct. 1970) (claim check stating “[n]o car delivered without this claim check” indicated lot’s admission of possessory interest in car, giving rise to bailment even though plaintiff parked own car and retained keys). Register exercised dominion and control by restricting access to Baidu’s property to those who could produce the correct identifying information. Register’s “mandatory procedures [for access to the account] and . . . right of refusal” meant that even Baidu personnel could not have retrieved their property without Register affirmatively relinquishing it. Sealey v. Meyers Parking Sys., 555 N.Y.S.2d 574, 576-77 (N.Y. Civ. Ct. 1990) (also noting that “the employment of [a security guard] . . . is further evidence of the operator’s dominion and control over the [bailed property]”). Register breached its duty as bailee when it recklessly “allowed the Imposter to use and exercise control over Baidu’s property.” (Compl. ¶ 60) See also Sommer, 79 N.Y.2d at 551-52 (noting that a bailment gives rise to an independent duty of care regardless of whether the bailment is included in the written contract governing the parties’ relationship). B. Baidu Has Stated a Claim for Conversion. Conversion occurs when “someone, intentionally and without authority, assumes or exercises control over personal property belonging to someone else, interfering with that person's right of possession.” Colavito v. N.Y. Organ Donor Network, Inc., 8 N.Y.3d 43, 50 (1993). Baidu has alleged each of these elements against Register. Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 24 of 33 17 1. Baidu’s Domain Name and Associated Information Constitute Property. Register contends that Baidu cannot state a claim for conversion because the domain name “baidu.com” is not property. Register relies on a single case holding that “a domain name that is not trademarked or patented is not personal property.” (Def. Br. at 17, citing Wornow v. Register.com, 778 N.Y.S.2d 25, 25-26 (1st Dept. 2004) (emphasis added)) As alleged in the Complaint, however, “Baidu” is a registered trademark owned by plaintiff Baidu, Inc. (Compl. ¶ 15) The addition of “.com” to “Baidu” does not permit infringement of Baidu’s trademark rights in “Baidu” through the unauthorized use of “baidu.com.” Moreover, several federal courts have determined that a domain name is personal property susceptible to conversion. See Kremen v. Cohen, 337 F.3d 1024, 1033-34 (9th Cir. 2003); Translucent Comms. v. Ams. Premier Corp., 2010 WL 723937, at *11-15 (D. Md. Feb. 24, 2010); In re Paige, 413 B.R. 882, 916-919 (Bkrtcy. D. Utah 2009) (“Like web pages and software, the Domain Name at issue is a type of tangible property that is capable of conversion.”). In addition, Register ignores Baidu’s allegations that Register converted - and aided and abetted the conversion of and trespass upon - confidential and proprietary information that Baidu deposited with Register in connection with establishing and maintaining its account. (Compl. ¶¶ 18-19, 46, 49, 52) The New York Court of Appeals has made clear that such electronic property is entitled to the same protection as physical property under New York law. See Thyroff v. Nationwide Mut. Ins. Co., 8 N.Y.3d 283, 292 (2007). 2. Register Exercised Unauthorized Dominion Over Baidu’s Property in Derogation of Baidu’s Right to Control Its Property. Baidu has amply alleged that Register exercised unauthorized dominion over Baidu’s property. Baidu alleges that Register gave away Baidu’s confidential information, and with it complete control over Baidu’s domain name, to an unidentified third party who had not Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 25 of 33 18 been authorized by Baidu to receive that information or have that control. (Compl. ¶¶ 19-21) Register certainly was not authorized to give unauthorized persons access to the confidential information in Baidu’s account or control of its domain name. By doing so, Register clearly “interfere[d] with” Baidu’s property. Colavito, 8 N.Y.3d at 50 (noting that interference with plaintiff’s property in derogation of plaintiff’s rights is a defining element of conversion). Register further interfered by barring Baidu from reclaiming possession of its property for several hours.14 (Compl. ¶ 23) That the Imposter committed criminal actions during those two periods does not affect Register’s liability for its own actions: Register’s actions would clearly constitute conversion even if the Imposter had been an entirely innocent actor. Conversion does not require wrongful intent on the defendant’s part, but only that the defendant’s actions caused the plaintiff’s property to be interfered with. W.S.A., Inc. v. ACA Corp., 1998 WL 635536, at *4 (S.D.N.Y. Sept. 15, 1998) (“Conversion is any unauthorized exercise of . . . control over property . . . . Intent to possess another’s property is not an essential element of conversion.”). Register may not immunize itself against suit for conversion by invoking the proximate result of its own grossly negligent act. Levin, 283 N.Y.S.2d at 108 (defendant landlord liable where burglary was “a reasonable and natural result” of defendant’s gross negligence). Moreover, Register’s breach of bailment independently constitutes conversion. Bailment, as explained above, creates a “duty separate from the duty to perform under the 14 Register’s argument that this delay was in order to “verify authorized access” (Def. Br. at 18) assumes facts not stated in the complaint. At the motion to dismiss stage, the complaint’s allegations are deemed to be true. Chambers v. Time Warner, Inc., 282 F.3d 147, 152 (2d Cir. 2002). Furthermore, that Register refused to help via customer support chat and was unreachable by telephone during that time (Compl. ¶ 23) does not imply that Register was delaying action because of any “reasonable doubt as to the right of [Baidu]” (Def. Br. at 18 (citation omitted)) - it merely indicates that Register was grossly negligent in the performance of its customer support duties. Register’s inexcusable delay in returning control of Baidu’s property is by itself enough to support liability for conversion. See Herrington v. Verrilli, 151 F. Supp. 2d 449, 460 (claim for conversion, for statute of limitations purposes, arises at latest when request for return of property is ignored). Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 26 of 33 19 [Service Agreement].” In re Sept. 11 Litig., 640 F. Supp. 2d 323, 339 (S.D.N.Y. 2009) (quotation mark omitted) (citing Clark-Fitzpatrick, Inc. v. Long Island R.R. Co., 70 N.Y.2d 382, 389 (1987)). By giving bailed property to an entity other than the bailor (Baidu), Register exercised “dominion over the property or interference with it, in derogation of plaintiff’s rights.” Colavito, 8 N.Y.3d at 50; see also Stellan Holm, Inc. v. Malmberg Int’l Art, 2002 WL 392294, at *6 (S.D.N.Y. Mar. 13, 2002) (breaching bailment by turning bailed property over to unauthorized party constituted conversion). This claim for conversion is separate and independent from the Service Agreement, and thus is not duplicative of Baidu’s contract claim. C. Baidu Has Stated Claims for Aiding and Abetting Conversion and Trespass. To prove aiding and abetting, Baidu must show “(1) the existence of a primary violation; (2) knowledge of this violation on the part of the aider and abettor; and (3) substantial assistance by the aider and abettor in the achievement of the primary violation.” Calcutti v. SBU, Inc., 273 F. Supp. 2d 488, 493 (S.D.N.Y. 2003). Baidu has alleged all three elements in its claims for aiding and abetting conversion and trespass. First, Baidu has adequately alleged primary conversion and trespass violations by the Imposter. As discussed above (supra at 17), Register’s contention that there were no primary violations because “baidu.com” is not personal property is simply wrong as a matter of New York law. Register does not dispute that, if Register did in fact hold Baidu’s property, the Imposter’s actions would have constituted both trespass and conversion. (Def. Br. at 19) Second, Register was reckless in not knowing that the Imposter intended to trespass upon and convert Baidu’s property. Register cites a single federal case in support of its contention that Baidu must allege “actual knowledge,” but a subsequent New York state court precedent makes clear that constructive knowledge is sufficient. See Gotham Boxing Inc. v. Finkel, 856 N.Y.S.2d 498, at *12 (N.Y. Sup. Ct. 2008) (“[A]n aiding and abetting claim must Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 27 of 33 20 assert that the defendants had actual or constructive knowledge of the misconduct. . . .” (citation omitted)); see also OSRecovery, Inc., 354 F. Supp. 2d at 377-78 (recklessness); Wedbush Morgan Sec., Inc. v. Robert W. Baird & Co., 320 F. Supp. 2d 123, 131 (S.D.N.Y. 2004) (“Aiding and abetting required a showing . . . that [abettor] had knowledge of, or acted with reckless disregard of, the wrongful conduct. . . .” (emphasis added)); Cromer Fin. Ltd. v. Berger, 2003 WL 21436164, at *9 (S.D.N.Y. June 23, 2003) (“[T]here is no reason to believe that New York law would not accept willful blindness as a substitute for actual knowledge in connection with aiding and abetting claims.”); Liberman v. Worden, 268 A.D.2d 337, 338 (1st Dept. 2000) (dismissing aiding and abetting claims because plaintiff had not showed that defendant had “actual or constructive knowledge”). Third, by turning Baidu’s property over to the Imposter, Register obviously rendered substantial assistance to the Imposter in entering upon and interfering with Baidu’s property. Register, “by virtue of failing to act when required to do so[,] enable[d] the [underlying harm] to proceed.” OSRecovery, Inc., 354 F. Supp. 2d at 378. But for Register’s failure to check the security code it sent to the Imposter when it was required to do so, the attack could not have succeeded.15 But for Register’s failure to cut off the Imposter’s access to the account immediately when notified, the injury would have been mitigated. V. Baidu Has Stated a Claim for Contributory Trademark Infringement Under the Lanham Act. A. Register Is Not Statutorily Immune From a Lanham Act Claim. Register does not have statutory immunity from suit under the Lanham Act because Register was not registering a domain name - the activity that the Lanham Act 15 Register’s “affirmative[] work[] to screen out unauthorized users” (Def. Br. at 20) of course shows Register did not follow its own mandatory procedure meant to “screen out” individuals like the Imposter, and thus failed to act when required to do so. Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 28 of 33 21 immunizes - when it allowed the Imposter to take control of Baidu’s already-existing account. Register’s reliance on Lockheed Martin Corp. v. Network Solutions, Inc., 194 F.3d 980 (9th Cir. 1999) is misplaced. Lockheed “stands merely for the proposition that a registrar is not liable when it acts as a registrar; that is, when it accepts registrations for domain names from customers.” Solid Host, NL v. Namecheap, Inc., 652 F. Supp. 2d 1092, 1103 (C.D. Cal. 2009). The statutory provision on which Register relies, 15 U.S.C. § 1114, was not intended to shield the registrar from liability for actions beyond that core function. Id. at 1005-06. Register’s actions here lie outside its core function of accepting registrations of domain names - and concern instead allowing a third party to take control of Baidu’s account and use of its domain name after it had been registered. Baidu is not claiming that Register agreed to register a domain name in contravention of a third-party’s trademark rights - a claim that would clearly be barred by § 1114. Rather, Baidu alleges that Register allowed an unauthorized intruder to take control of Baidu’s domain name account - and infringe its trademark - long after Baidu had registered its domain name. When a registrar is doing more than merely registering a domain name, and when the registrar has employed individuals to determine whether or not granting access to a customer’s domain name account is proper (and publicly boasts of its ability to do so on its company website), the registrar should be held to the same standards as any other business making such representations. Courts nationwide have been reluctant to grant blanket Lanham Act immunity to domain name registrars merely because they are registrars - instead interpreting § 1114 narrowly to apply only in situations in which registrars were acting as registrars in registering a domain name - a passive and often automated role. When registrars take on a more active role with respect to an infringement, courts impose liability. See, e.g., Transamerica Corp. v. Moniker Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 29 of 33 22 Online Servs., 2009 WL 4715853, at *11 (S.D. Fla. Dec. 4, 2009); Verizon Cal. Inc. v. OnlineNIC, Inc., 647 F. Supp. 2d 1110 (N.D. Cal. 2009); Solid Host, 652 F. Supp. 2d at 1108. Indeed, the legislative history of § 1114 indicates that the purpose of the provision is to “promote[] the continued ease and efficiency users of the current registration system enjoy by codifying current case law limiting the secondary liability of domain name registrars and registries for the act of registration of a domain name.” S. Rep. No. 106-140, at 11 (1999) (emphasis added). (See also Def. Br. at 22 n.19) This provision was not intended to immunize domain name registrars whose misfeasance, as was the case here, went beyond the act of registering a domain name. If Register’s interpretation of § 1114 were correct, domain name registrars would be free to violate their customers’ trademarks with impunity merely because they are registrars. This result would be absurd, and is clearly contrary to what Congress intended in enacting § 1114 and to the narrow construction courts have given it. B. Baidu Has Stated a Claim for Contributory Infringement of the BAIDU Trademark. 1. The Imposter Committed Direct Infringement of the BAIDU Mark. Register argues that the Imposter did not violate the Lanham Act because it did not use the BAIDU trademark “in commerce.”16 (Def. Br. at 24) However, the use of a trademark to draw consumers to a particular website has been repeatedly held to be “use in commerce” - regardless of the content of the website. See, e.g., United We Stand Am., Inc. v. United We Stand, Am. N.Y., 128 F.3d 86, 92-93 (2d Cir. 1997) (“‘[U]se in commerce’ denotes 16 Register also misquotes the relevant statute (Def. Br. at 24): § 1114(1)(a) forbids use of a mark “in connection with the sale, offering for sale, distribution, or advertising of any goods or services on or in connection with which such use is likely to cause confusion, or to cause mistake, or to deceive.” Not only were the Imposter’s actions “in connection with” Baidu’s sale of goods and services - and thus covered by the statute, see Planned Parenthood Fed’n of Am., Inc. v. Bucci, 1997 WL 133313, at *4 (S.D.N.Y. Mar. 24, 1997) - but the Imposter was “advertising” and “distribut[ing]” his or her own services by soliciting Baidu’s users to its cause, see id.; (Ramos Decl. Exh. A). Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 30 of 33 23 Congress’s authority under the Commerce Clause, rather than an intent to limit the [Lanham] Act’s application to profitmaking activity.”); Transamerica, 2009 WL 4715853, at *7 (use of a trademark to draw consumers to a particular website not belonging to the trademark holder constitutes use in commerce under Lanham Act). Register also argues that any confusion would have been dispelled once Baidu’s customers saw the contents of the Imposter’s web page. (Def. Br. at 24). But that is not the point - the use of the BAIDU trademark to draw Baidu’s users to the Imposter’s web page was a classic “bait and switch” stratagem that constituted “initial interest” confusion in violation of the Lanham Act. See Planned Parenthood Fed’n of Am., Inc. v. Bucci, 1997 WL 133313, at *12 (S.D.N.Y. Mar. 24, 1997) (appropriation of Planned Parenthood’s trademark as a domain name to direct Internet users to an anti-abortion website constituted infringement even though the contents of the website made it clear that it was unaffiliated with Planned Parenthood); see also PACCAR Inc. v. TeleScan Techs., L.L.C., 319 F.3d 243, 253 (6th Cir. 2003) (initial interest confusion from use of another’s trademark to lure users to website). 2. Register Is Contributorily Liable for the Imposter’s Infringement of the BAIDU Mark. Register contends that it did not act with the requisite scienter to be contributorily liable for the Imposter’s infringement of the BAIDU trademark. Register analogizes itself to a mailman who unknowingly delivers fraudulent material and cannot be held liable for aiding and abetting a mail fraud. But Register’s knowledge here was not akin to that of a mailman. It was not a mere conduit, ignorant of what it delivered to a third party. Register knew that Baidu maintained a domain name account with Register.com, that Baidu had registered the domain name “baidu.com,” that this domain name included Baidu’s name, and that its customers’ domain name accounts needed to be protected from unauthorized persons who might use them to Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 31 of 33 24 redirect Internet users to websites other than those designated in its customers’ accounts (as evinced by the security protocols that Register put in place but failed to follow here). And Register controlled access to its customers’ accounts, which served as the means to direct Internet traffic to a designated web address. Rather than like a mailman, Register was like the flea market operators whom courts have held liable for infringements occurring in premises they control. See Lockheed, 194 F.3d at 984; Hard Rock Café Licensing Corp. v. Concession Servs., Inc., 955 F.2d 1143, 1148-49 (7th Cir. 1992). Like a flea market operator who controls which vendors have access to a market, Register controlled access to Baidu’s Internet domain name account. Fonovisa, Inc. v. Cherry Auction, Inc., 73 F.3d 259, 261 (9th Cir. 1996); see A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004, 1023 (9th Cir. 2001) (applying the trademark jurisprudence regarding flea markets to online infringement). Register had every reason to know that, by granting the Imposter control of Baidu’s domain name account, it would enable the Imposter to use Baidu’s domain name - and thus to use the trademarked name “Baidu” to redirect Baidu’s customers to a web page other than Baidu’s. Register cannot seriously argue that it did not have such constructive knowledge of the direct consequences of its actions when it had adopted verification procedures to prevent intruders from acquiring control of its customers’ domain name accounts. One who assists a third party’s trademark infringement is liable as a contributory infringer if it “fails to take reasonable precautions” against the third party’s infringement “in circumstances in which the infringement can be reasonably anticipated.” Restatement (Third) of Unfair Competition § 27 (1995). Here, Register - by “failing to take reasonable precautions” - handed control of Baidu’s Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 32 of 33 25 domain name account to someone who used the trademarked name “Baidu” in an infringing manner “in circumstances in which the infringement can be reasonably anticipated.” Id. Finally, Baidu pleads facts supporting its allegation (Compl. ¶ 30) that Register acted with willful blindness. Register’s deliberate choice not to investigate when presented with multiple red flags warning of an attempted security breach clearly constitutes “suspect[ing] wrongdoing and deliberately fail[ing] to investigate it.” (Def. Br. at 24) See Tiffany (NJ) Inc. v. eBay Inc., __ F.3d __, 2010 WL 1236315, at *13 (2d Cir. Apr. 1, 2010) (“A service provider is not . . . permitted willful blindness. When it has reason to suspect that users . . . are infringing a protected mark, it may not shield itself from learning of the [infringement] by looking the other way.”).17 CONCLUSION For all of the foregoing reasons, Baidu respectfully requests that this Court deny Register’s motion in its entirety. Dated: April 9, 2010 New York, New York PAUL, WEISS, RIFKIND, WHARTON & GARRISON LLP By: s/ Carey R. Ramos Carey R. Ramos (cramos@paulweiss.com) Marc Falcone (mfalcone@paulweiss.com) 1285 Avenue of the Americas New York, New York 10019-6064 (212) 373-3000 Attorneys for Plaintiffs Baidu, Inc. and Beijing Baidu Netcom Science and Technology Co., Ltd. 17 The court of appeals in Tiffany concluded that eBay was not contributorily liable for failing to police the use of its online auction site to prevent the sale of counterfeit Tiffany products because it lacked knowledge of “identified individuals” that it had reason to suspect were selling such counterfeit goods. Tiffany, 2010 WL 1236315 at *10-13. By contrast, Register had specific knowledge of the Imposter’s actions - and the multiple red flags they raised, supra at 8-9 - which gave Register ample reason to suspect wrongdoing and the opportunity to prevent it. Case 1:10-cv-00444-DC Document 18 Filed 04/09/2010 Page 33 of 33