Court says registrars can’t get away with gross negligence just because it’s in their TOS.
Domain name registrars, take note: you can’t just claim no responsibility for your actions in your terms of service and expect a court to uphold it.
That’s exactly what Register.com tried to do in a lawsuit brought by Baidu. If all the allegations are true, Register.com really screwed up on this one. Yet it claimed Baidu couldn’t hold it accountable because it agreed so in the terms of service.
But a ruling (pdf) today by the judge in this case says otherwise: you can’t just disclaim responsibility for your gross negligence:
If these allegations are proven, then Register failed to follow its own security protocols and essentially handed over control of Baidu’s account to an unauthorized Intruder, who engaged in cyber vandalism. On these facts, a jury surely could find that Register acted in a grossly negligent or reckless manner.
The judge refers to a case that is actually a good analogy here:
Green v. Holmes Protection of N.Y.. Inc., 629 N.Y.S.2d 13 (1st Dep’t 1995) (holding limitation of liability clause was not enforceable where alarm company was grossly negligent when it gave burglars keys to store and security codes to disengage alarm and failed to respond promptly when crime was discovered).
Register.com also argued that Baidu agreed that the search giant would be responsible for the security of its account. But the judge noted that Register.com did implement security features because this type of hijacking was foreseeable:
The attack by the Intruder was reasonably foreseeable — it was precisely because these cyber attacks are foreseeable that the security measures were adopted. While Baidu gave up, in agreeing to the Limitation of Liability clause, any claims for ordinary negligence or breach of contract based on ordinary negligence, it did not waive its claims for gross negligence or recklessness. If Baidu can prove gross negligence or recklessness, the Limitation of Liability clause will not be a bar.
Of course, it will be up to a jury to decide the ultimate outcome. But the judge has reaffirmed that a registrar can’t run away from its gross negligence in security matters.