United States District Court, N.D. Illinois, Eastern Division
BARBARA MACHOWICZ, individually and on behalf of all others similarly situated, Plaintiff,
KASPERSKY LAB, INC., Defendant.
MEMORANDUM OPINION AND ORDER
JAMES F. HOLDERMAN, District Judge.
On January 27, 2014, plaintiff Barbara Machowicz ("Machowicz") filed this putative class action against computer security software developer Kaspersky Lab, Inc. ("Kaspersky") in the Circuit Court of Cook County, Illinois. Defendant Kaspersky removed the case to this court pursuant to 28 U.S.C. § 1332 and 28 U.S.C. § 1446(a). This court has subject matter jurisdiction under the Class Action Fairness Act of 2005 ("CAFA"), 28 U.S.C. § 1332(d)(2)(A). Machowicz sought no remand.
Machowicz's three-count class action complaint ("Complaint") (Dkt. No. 1 Ex. 1 ("Compl.")) alleges Kaspersky fraudulently induced her to buy its security software through a free program called Kaspersky Security Scan ("KSS"), which is purportedly designed to "detect unwanted malware, software vulnerabilities, and other non-malware security problems." (Compl. ¶ 1.) Machowicz alleges that KSS is essentially "scareware" engineered to detect fake security threats and trick average consumers into buying one of Kaspersky's paid security products. ( Id. ¶¶ 2-3.) Machowicz's Complaint claims a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act ("ICFA"), 815 ILCS 505/1, et seq. (Count I), fraudulent inducement (Count II), and unjust enrichment (Count III). ( Id. ¶¶ 53-77.)
Kaspersky has moved to dismiss all of Machowicz's claims on the grounds that Machowicz's Complaint fails to state a claim upon which relief can be granted. (Dkt. No. 18.) Kaspersky has also moved to strike Machowicz's class action allegations or, in the alternative, to limit the scope of the putative class. (Dkt. No. 21.) For the reasons explained below, both motions are denied.
FACTUAL BACKGROUND ALLEGED IN MACHOWICZ'S COMPLAINT
Founded in 1997, Kaspersky develops and sells enterprise and consumer computer security software. (Compl. ¶ 8.) Kaspersky's consumer security software, which generally costs between $40 and $60 dollars, includes Kaspersky Internet Security, Kaspersky Total Security, and Kaspersky Anti-Virus. ( Id. ¶ 9.) To demonstrate the supposed necessity of its software, Kaspersky offers KSS as a free download to prospective customers. ( Id. ¶ 10.) KSS, according to Kaspersky's website, "checks for known malware and security vulnerabilities-plus advises you on your PC's security status." ( Id. ¶ 11.) KSS also purports to "provide[ ] advice on how to remedy security problems that have been identified by [KSS]." ( Id. ¶ 12.) That advice, naturally, includes the purchase of one Kaspersky's paid security products. ( Id. )
Machowicz alleges that Kaspersky's seemingly legitimate marketing scheme is actually a "scareware" scam. According to Machowicz's Complaint, Kaspersky purposefully engineered KSS to "invariably and falsely report security threats, " thereby inducing customers, like Machowicz, to pay for one of Kaspersky's computer security products. (Compl. ¶ 12.)
In September 2013, Machowicz searched the Internet for software to optimize and protect her computer and viewed an advertisement for Kaspersky's free KSS program. ( Id. ¶ 38.) After reading representations in Kaspersky's advertisement and on its website that KSS would detect malware, other security threats, and report on her PC's security status, Machowicz downloaded KSS and conducted a "scan" of her computer. ( Id. ¶¶ 39-41.) Upon completion of the scan, KSS reported "PROBLEMS FOUND!" and informed Machowicz that her "computer could be at risk." ( Id. ¶¶ 33 Fig. 2, 41.) KSS also provided a button labeled "CLICK FOR A SOLUTION, " which directed Machowicz to Kaspersky's website. ( Id. ¶¶ 33 Fig. 2, 42.) The website displayed Kaspersky's security product suite and contained the following representations: (1) "[KSS] found a potential vulnerability that could put your PC at risk, " (2) "Kaspersky products provide recommendations on how to fix these issues, " and (3) "PURCHASE A SECURITY SOLUTION NOW." ( Id. ¶¶ 16 Fig. 5, 42.)
Based on these representations and her belief that KSS detected genuine security issues on her computer, Machowicz purchased Kaspersky's Internet Security software for $54.95. ( Id. ¶ 43.) Machowicz was ultimately unhappy with her purchase and suspected that KSS reported false "problems" to trick her into paying for one of Kaspersky's full-fledged security products. ( Id. ¶ 44.) She contacted Kaspersky to complain about KSS's misrepresentations and request a refund, but Kaspersky refused. ( Id. ¶ 45.)
Machowicz, through her counsel, later investigated the functionality of KSS using a brand new computer. (Dkt. No. 29 ("Pl.'s Resp.") at 5.) She downloaded KSS onto the new computer and ran a scan. (Compl. ¶ 15.) Machowicz discovered that, even on a brand new computer, KSS always reports "PROBLEMS FOUND!" and informs the user that "[y]our computer could be at risk." ( Id. ¶ 15.) Machowicz alleges that these purported "problems, " which KSS characterizes as "vulnerabilities associated with the settings of installed applications and the operating system, " do not pose any credible threat to a computer's security. ( Id. ¶¶ 18-19.)
First, KSS reports vulnerabilities if a computer's "AutoRun" configuration setting is not switched to "Off." ( Id. ¶ 21.) Machowicz concedes that the AutoRun setting poses security risks to computers running "older" versions of Microsoft Windows, but alleges that "newer" versions of Windows contain safeguards to eliminate those threats. ( Id. ¶¶ 21-22.) KSS, however, reports the AutoRun "issues" as vulnerabilities without ever checking the version of Windows installed on the PC. ( Id. ¶ 23.)
Second, KSS reports several vulnerabilities associated with the default settings of Microsoft's Internet Explorer and Windows Explorer. ( Id. ¶ 24.) Machowicz alleges these default settings pose no credible threat to a computer's security and Kaspersky apparently agrees-its website classifies six of the purported "vulnerabilities" as "Not very dangerous. Not necessary to be fixed." ( Id. ¶ 25.) In other words, KSS encourages customers to purchase a "security solution" for purported vulnerabilities that Kaspersky itself states are "not necessary to be fixed." ( Id. )
Third, Machowicz alleges that KSS reports multiple vulnerabilities associated with a single Windows setting relating to the display of file type extensions. ( Id. ¶ 26.) Machowicz contends that the only purpose of KSS's alleged "double-counting" is to artificially inflate the number of vulnerabilities and frighten users into buying a security solution. ( Id. ¶ 26.)
Fourth, KSS reports that cookies placed on a user's computer by Kaspersky's own website are threatening vulnerabilities. ( Id. ¶¶ 27-31.) When a user reaches Kaspersky's website, which he or she must visit to download KSS, Kaspersky places several cookies on the user's computer. ( Id. ¶ 28.) KSS subsequently detects these cookies (along cookies from other websites) and reports them as vulnerabilities affecting the security of the computer. ( Id. ¶ 29.) And, like the other vulnerabilities that require fixing, KSS advises the user to purchase Kaspersky's software to eliminate the threat its own cookies purportedly pose. ( Id. ) Consequently, ...