E-Commerce News

Damage Cap Applies Even Where Software is Deficient; Beware of Phishing, Pharming and Evil Twins

DAMAGE CAP APPLIES EVEN WHERE SOFTWARE IS DEFICIENT

According to a Minnesota federal court, a software licensor may enforce a damages limitation clause contained in a software license, even if the licensor has failed to live up to its warranty obligations under the license.

The court determined that the license did not expressly link the separate contract provisions, and so failure of the warranty did not, in itself, void the damages clause.

The case arose when the securities firm Piper Jaffray & Co. contracted with SunGard Systems International Inc. for a $3 million software application called Global Trader. But the program never worked as SunGard promised. When Piper sued for breach of contract, SunGard filed a motion to dismiss the claims to the extent they went beyond the license agreement's damages cap, which limited SunGard's liability to the initial license fees actually paid.

Piper argued that, because SunGard failed to cure the defective software, as it was obligated to do under the warranty provision of the license, it could not enforce the damages limitation. Piper argued that because the warranty had failed "of its essential purpose," it could seek the more expansive remedies provided under the Uniform Commercial Code. Piper claimed that the warranty failed its essential purpose because SunGard could not put the software in the warranted condition.

The court saw it differently, finding that the warranty provision and the damage limitation were separate and distinct. Because it found the provisions distinct, the court concluded that the damages cap was enforceable even if the warranty failed its essential purpose. The court observed that neither clause referenced the other nor conditioned its operation upon the other.

The court also found that UCC remedies are available only when the parties have not otherwise limited damages under their agreement. The court based this holding on a comment to the pertinent UCC section that "where an apparently fair and reasonable clause because of circumstances fails in its purpose ... it must give way to the general remedy provisions." The court concluded that "it" is singular and refers to the specific remedy that failed as the one that is to be voided--and not that "all other substitute remedies or damages limitations must also be voided."

The court granted SunGard's motion to preclude Piper from recovering direct damages in excess of the initial license fees actually paid.

BEWARE OF PHISHING, PHARMING AND EVIL TWINS

Forget the "Revenge of the Sith." Businesses and other Internet users had better be on the lookout for "phishing," "pharming" and "evil twins." And just to be clear, we're not talking about the jam band "Phish," traditional (albeit misspelled) agriculture or Mary Kate and Ashley Olsen. Phishing, pharming and evil twins are Internet scams - and they can be costly to victims on all sides of the scam.

According to Webopedia [www.webopedia.com], "phishing" is "the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft." The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information.

Webopedia reports that in 2003, for example, users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless he clicked on the provided link and updated the credit card information that the genuine eBay already had. Because it is relatively simple to make a Web site look like a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were subsequently going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who actually had listed credit card numbers with eBay legitimately.

Pharming, according to Webopedia, is similar in nature to e-mail phishing. Pharming seeks to obtain personal or private (usually financially related) information through domain spoofing. Rather than spamming you with malicious and mischievous e-mail requests to visit spoof Web sites that appear legitimate, pharming 'poisons' a DNS server by infusing false information into it, resulting in a user's request being redirected elsewhere. Your browser, however, will show you are at the correct Web site, which makes pharming a bit more serious and more difficult to detect. Pharming allows the scammers to target large groups of people at one time through domain spoofing.

Evil twins are bogus wireless networks that purport to offer Wi-Fi connections to the Internet, similar to those available at "internet cafes," hotels and airports. The scam is called an "evil twin" because on a laptop screen, the bogus Wi-Fi hotspot can look just like a legitimate public network. Once the user signs in, the evil twin operator attempts to capture any credit card information or passwords that it can.

What can a user do to avoid the scams? With phishing, take a look at the entire web address. Frequently, the address is close, but not identical, to that of the legitimate site. Also, before submitting personally identifying information, ask yourself why your institution would need that information. If you have any doubts, check with the institution.

With pharming, look for special secure web pages, which most legitimate financial institutions should be using. These sites encrypt data to protect against improper transfer. The Web addresses for such secure pages begin with "https" rather than the standard "http."
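The two checks described above (read the entire web address, and look for "https") can be automated, for example in a mail filter or help-desk tool. The following is an added example, not part of the original newsletter; the domain bank.example, the sample links and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the institution's genuine domain is known in advance (hypothetical).
TRUSTED = {"bank.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with two rows of dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def check_link(url: str, trusted=TRUSTED) -> str:
    """Classify a link as trusted, trusted-domain-no-https, lookalike, unknown or invalid."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    # Genuine site: the host is the trusted domain itself or one of its subdomains.
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return "trusted" if parts.scheme == "https" else "trusted-domain-no-https"
    # Simplification: treat the last two labels as the registered domain.
    # Production code should consult the Public Suffix List instead.
    registered = ".".join(host.split(".")[-2:])
    labels = host.replace("-", ".").split(".")
    for dom in trusted:
        brand = dom.split(".")[0]
        # "Close, but not identical": a typo-distance domain, or the brand
        # name appearing as a label inside somebody else's domain.
        if edit_distance(registered, dom) <= 2 or brand in labels:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for link in ("https://www.bank.example/login",                   # genuine
                 "http://www.bank.example/login",                    # genuine, unencrypted
                 "https://bamk.example/login",                       # one letter off
                 "https://bank.example.verify-account.test/login",   # brand used as a prefix
                 "https://news.test/"):                              # unrelated
        print(f"{check_link(link):24} {link}")
```
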

One way to protect against evil twins is to look for software that can check a Wi-Fi hotspot's digital ID certificate to make sure it's legitimate. T-Mobile provides such a product.

The other side of the coin, of course, is the business that is "spoofed." Obviously, customers may be at least concerned, if not outraged, when they discover that they have sent personal information to a bogus site, thinking it was going to their legitimate institution. Prompt response, via e-mails to customers potentially affected, as well as prominent announcements on the web site, is vital. It is also critical to contact one's ISP as soon as possible to forestall further damage.

The good news is that at some point, additional protections will emerge to guard against these scams. The troubling news is that the bad guys will come up with new scams.




If you have questions about any of the above information, please contact Jack Greiner at 513-629-2734 or jgreiner@graydon.com.

This Newsletter is a periodic publication of Graydon Head & Ritchey LLP and should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and you are urged to consult your own advisor concerning your situation and any specific legal question you may have.