Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re Dealer Management Systems Antitrust Litigation

United States District Court, N.D. Illinois, Eastern Division

September 3, 2019



          Robert M. Dow, Jr. United States District Judge.

         Before the Court is the motion to dismiss the counterclaims of Defendant/Counter-Plaintiff CDK Global, LLC (“Counter-Plaintiff” or “CDK”) [593] filed by Plaintiffs/Counter-Defendants ACA Motors, Inc.; Continental Classic Motors, Inc.; 5800 Countryside, LLC; HDA Motors, Inc.; H & H Continental Motors, Inc.; Continental Autos, Inc.; Naperville Zoom Cars, Inc.; NV Autos, Inc.; Baystate Ford Inc.; Cliff Harris Ford, LLC; Marshall Chrysler Jeep Dodge, L.L.C.; Warrensburg Chrysler Dodge Jeep, L.L.C.; Cherry Hill Jaguar; JCF Autos LLC; Jericho Turnpike Sales LLC; Patchogue 112 Motors LLC; and Waconia Dodge, Inc. (collectively, “Counter-Defendants”). For the reasons set forth below, the motion to dismiss [593] CDK's counterclaims is granted in part and denied in part. CDK is given until September 30, 2019 to file amended counterclaims consistent with this opinion.

         I. Background[1]

         Given that this case already has been extensively litigated before multiple courts, the Court assumes some familiarity with the background of this case and thus will limit its recitation of the facts essential to the motion now before it. CDK brings counterclaims against the Counter-Defendants under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and for breach of contract. The counterclaims focus on Counter-Defendants' purported unauthorized access-along with data integrator Authenticom, Inc.-of CDK's enterprise software and computing platform for automotive dealerships and dealership groups known as its Dealer Management System or, more commonly, its DMS.

         The automotive data system that CDK supports is massive-with tens of thousands of installations of approved vendor applications and millions of transactions every day-supporting hundreds of billions of dollars in commerce each year. [522 (Counterclaims), at ¶ 5.] CDK has made tremendous investments to build out and support its network of product and service offerings. [Id.] Over the last four years alone, CDK has spent more than $480 million researching, developing, and deploying new and enhanced product solutions for its customers. [Id.] CDK's DMS includes (and is largely comprised of) valuable pieces of intellectual property, including patented technologies, proprietary software elements and programs that it has created (including software programs protected by the copyright laws), and proprietary data collections, which are accessible through the DMS. [Id. at ¶ 32.] Dealers that purchase DMS services from CDK are granted a personal, non-transferable license to use CDK's DMS in accordance with the terms and conditions of their agreements. [Id.]

         CDK's DMS offering consists of software and hardware components residing at both the dealership and at CDK's data centers (“CDK's network”). [Id. at ¶ 33.] CDK uses state-of-the-art technology to secure the connections between the dealerships and CDK's network, including through specialized hardware at each dealership site. [Id.] That hardware creates a “virtual private network” or “Leased-Line Multiprotocol Label Switching network” between the dealership and CDK's network, which accepts direct communications only from computers on the corresponding dealership's network. [Id.]

         CDK's DMS is password protected. [Id. at ¶ 37.] To access the DMS, each dealership employee must use his or her individual login credentials. [Id.] CDK has implemented security features in addition to password protection. [Id. at ¶ 40.] In early 2016, CDK created a login prompt requiring users to certify that they were an “authorized dealer employee” before they could access CDK's DMS. [Id.] Further, in November 2017, CDK began introducing a CAPTCHA[2]control for particular login credentials that it suspected were being used to facilitate unauthorized access to its DMS by third parties. [Id. at ¶ 41.] Humans can easily pass CAPTCHA tests, but automated scripts-like those used by Authenticom and other third-party data extractors-often encounter difficulty. [Id.] The CAPTCHA controls are specifically designed to prevent access to computers through automated means. [Id.]

         CDK has entered into a Master Service Agreement (“MSA”) with each Counter-Defendant (collectively, the “MSAs”). [Id. at ¶ 43.] The MSAs expressly prohibit Counter-Defendants from supplying DMS login credentials to third parties or otherwise granting third parties access to CDK's DMS. [Id.] Specifically, Section 6(D) of the MSAs provides that the “Client shall not allow access to [CDK's DMS] by any third parties except as otherwise permitted by this agreement.” [Id. at ¶ 44.] In addition, each Counter-Defendant expressly agrees that it will only use CDK's software “for its own internal business purposes and will not sell or otherwise provide, directly or indirectly, any of the Services or Software, or any portion thereof, to any third party” and that it will “treat as confidential and will not disclose or otherwise make available any of the [CDK's] Products (including, without limitation, screen displays or user documentation) or any * * * proprietary data, information, or documentation related thereto * * * in any form, to any person other than employees and agents of [the dealer.]” [Id. at ¶ 45.] Each dealer acknowledges that-notwithstanding its license to use CDK's DMS-the DMS remains at all times “the exclusive and confidential property of [CDK].” [Id.] Additionally, the MSAs independently prohibit “ANY THIRD PARTY SOFTWARE TO ACCESS [CDK'S] DEALER MANAGEMENT SYSTEM EXCEPT AS OTHERWISE PERMITTED BY THIS AGREEMENT.” [Id. at ¶ 46.]

         CDK contends that third party hostile data extractors like Authenticom are not “agents” of the Counter-Defendants. [Id. at ¶ 49.] Authenticom's own contract with dealers makes clear that Authenticom is not the dealer's “agent, ” and in fact refers to “agents” of the dealer repeatedly as third parties to the agreement. [Id.] Similarly, the standard End-User License Agreement (“EULA”) offered by Superior Integrated Solutions (“SIS”), another third party data extractor, states that “[t]he parties shall be independent contractors under this Agreement, and nothing herein will constitute either party as the employer, employee, agent or representative of the other party, or both parties as joint ventures or partners for any purpose.” [Id.]

         CDK submits that Counter-Defendants have repeatedly breached their contracts with CDK by handing out their DMS login credentials (directly or through their software vendors) to third party data extractors for the express purpose of enabling those third parties to use those credentials to repeatedly and relentlessly access CDK's DMS using sophisticated computer software that extracts (or scrapes) large volumes of data from the system. [Id. at ¶ 2.] Many of these data extractors-including Authenticom-then resell that data to other third-party application providers, paying nothing to CDK. [Id.] According to CDK, this unauthorized access not only threatens the security of the data in CDK's DMS, but also threatens the integrity of that data because ungoverned extraction and insertion of data into the DMS may corrupt the DMS databases. [Id.] Moreover, the thousands of unauthorized extractions and the high volume of data in many of those extractions degrade the performance of the DMS, impairing its value for all of CDK's DMS customers. [Id.]

         CDK brings counterclaims against Counter-Defendants based on this alleged unauthorized access. Before the Court is Counter-Defendants' motion to dismiss the breach of contract, Computer Fraud and Abase Act, and Digital Millennium Copyright Act counterclaims brought against them.

         II. Legal Standard

         To survive a Federal Rule of Civil Procedure (“Rule”) 12(b)(6) motion to dismiss for failure to state a claim upon which relief can be granted, the complaint first must comply with Rule 8(a) by providing “a short and plain statement of the claim showing that the pleader is entitled to relief, ” Fed.R.Civ.P. 8(a)(2), such that the defendant is given “fair notice of what the * * * claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (quoting Conley v. Gibson, 355 U.S. 41, 47 (1957)) (alteration in original). Second, the factual allegations in the complaint must be sufficient to raise the possibility of relief above the “speculative level.” E.E.O.C. v. Concentra Health Servs., Inc., 496 F.3d 773, 776 (7th Cir. 2007) (quoting Twombly, 550 U.S. at 555). “A pleading that offers ‘labels and conclusions' or a ‘formulaic recitation of the elements of a cause of action will not do.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 555). Dismissal for failure to state a claim under Rule 12(b)(6) is proper “when the allegations in a complaint, however true, could not raise a claim of entitlement to relief.” Twombly, 550 U.S. at 558. In reviewing a motion to dismiss pursuant to Rule 12(b)(6), the Court accepts as true all of Counter-Plaintiff's well-pleaded factual allegations and draws all reasonable inferences in Counter-Plaintiff's favor. Killingsworth v. HSBC Bank Nev., N.A., 507 F.3d 614, 618 (7th Cir. 2007).

         III. Analysis

         A. Breach of Contract (First Counterclaim)

         CDK's first cause of action alleges that the Counter-Defendants violated the terms of their respective MSAs by sharing login credentials with Authenticom and other third parties. CDK further contends that Counter-Defendants have “repeatedly violated the express contractual prohibitions” in their respective MSAs by “actively facilitating hostile, unauthorized access to CDK's DMS.” [522 (Counterclaims), at ¶ 103, 104-32.] The MSAs “expressly prohibit the Counter-Defendants from allowing third-parties to access CDK's DMS.” [Id. at ¶ 43.] There is a limited exception to this prohibition in some MSAs that allows access by “employees and agents of [the dealer] with a need-to-know.” [Id. at ¶ 49.] Counter-Defendants argue that CDK's breach of contract counterclaim fails because Counter-Defendants authorized data extractors to extract data from the DMS, which-according to Counter-Defendants-is all that is necessary under the MSAs. Specifically, CDK alleges:

In knowingly providing login credentials to these data extractors and, actively or passively, “authorizing” them to access CDK's DMS to extract or insert data- including data that does not belong to the Dealership Counter-Defendants-the Dealership Counter-Defendants have breached their contracts with CDK. This conduct also violates the CFAA, which prohibits unauthorized access to protected computer systems. In addition, certain Dealership Counter-Defendants-and numerous members of the putative class-have engaged in further unlawful conduct that violates the DMCA. CDK requests that the Court enjoin the Dealership Counter-Defendants' illegal conduct and award CDK damages.

[Id. at ¶ 3.] According to Counter-Defendants, this allegation establishes that Authenticom and other third-party integrators were authorized to access CDK's data and therefore were acting as the agents of Counter-Defendants. CDK responds that the word “authorizing” is in quotation marks because CDK is alleging that third-party access to its data was not authorized. Stone v. Wright, 734 Fed.Appx. 989 (7th Cir. 2018) (using scare quotes around claim brought by plaintiff to express doubts regarding viability of such a claim under the Constitution). The Court agrees that the use of the term “authorizing” in scare quotes does not amount to a concession that Counter-Defendants' access to CDK's data was authorized.

         That leaves the question of whether Authenticom and other third-party data integrators were the employees and/or agents of Counter-Defendants such that they were authorized to access CDK's DMSs under the terms of the relevant MSAs. Because Counter-Defendants do not contend that Authenticom and other third-party data integrators were their employees, the Court need only consider whether the third-party data integrators were the agents of Counter-Defendants. To the extent that Counter-Defendants contend that all that is needed to circumvent the MSAs' prohibition on allowing parties to access CDK's DMS was Counter-Defendants' authorization, the prohibition on third-party access would be pointless, as Counter-Defendants simply could authorize any third-party to access CDK's DMS. Thus, something more than authorization by Counter-Defendants' must be necessary to establish agency under the MSAs. Cress v. Recreation Servs., Inc., 795 N.E.2d 817, 852 (Ill.App.Ct. 2003) (“[A] court must give meaning and effect to every part of the contract.”).

         Counter-Defendants argue that-to the extent that the term “agents” is ambiguous-the term should be construed against CDK, as the drafter of the MSAs. Bourke v. Dun & Bradstreet Corp., 159 F.3d 1032, 1036 (7th Cir. 1998) (Under Illinois law, “any ambiguity in the terms of a contract must be resolved against the drafter of the disputed provision.” (quoting Dowd & Dowd, Ltd. v. Gleason, 693 N.E.2d 358, 368 (Ill.App.Ct. 1998) (internal quotation marks omitted)). But agency is a concept well-defined and understood under the law and by businesses of even modest sophistication-a threshold that all of the parties to this motion easily clear. Hernandez ex rel. Gonzalez v. Tapia, 2010 WL 5232942, at *7 (N.D. Ill.Dec. 15, 2010) (“The phrase ‘agents and employees' is not ambiguous and therefore the court will apply the plain meaning of these terms.”).

         Moreover, agency is an issue of fact generally not susceptible to resolution at the motion to dismiss stage. Restoration Specialists, LLC v. Hartford Fire Ins. Co., 2009 WL 3147481, at *3 (N.D. Ill. Sept. 29, 2009) (“[T]he question of agency typically presents an issue of fact that seldom can be resolved at the summary judgment stage, much less on a motion to dismiss.”); Semitekol v. Monaco Coach Corp., 582 F.Supp.2d 1009, 1024 (N.D. Ill. 2008) (“[W]hether an agency relationship has been established between the parties is [an issue] of fact which is not properly resolved on a motion to dismiss.” (citation omitted)). Under Illinois law-on which Counter-Defendants rely in their reply brief-“[t]he analysis turns primarily on the level of control that the alleged agent retains over the performance of its assigned work”. Jackson v. Bank of New York, 62 F.Supp.3d 802, 814 (N.D. Ill. 2014) (citing Horwitz v. Holabird & Root, 816 N.E.2d 272, 279 (2004)). “In a principal-agent relationship, the principal retains the right to control the manner and method in which the work is carried out by the agent.” Id. (citing Uesco Indus., Inc. v. Poolman of Wis., Inc., 993 N.E.2d 97, 112 (Ill.App.Ct. 2013)). “By contrast, ‘[a]n independent contractor is one who undertakes to produce a given result but in the actual execution of the work is not under the orders or control of the person for whom he does the work but may use his own discretion in things not specified * * * [and] without his being subject to the orders [of the person for whom the work is done] in respect to the details of the work.” Id. (quoting Horwitz, 816 N.E.2d at 279). Other factors that bear on the question of whether one is properly considered an agent or an independent contractor include “(1) the question of hiring; (2) the right to discharge; (3) the manner of direction of the servant; (4) the right to terminate the relationship; and (5) the character of the supervision of the work done.” Lawlor v. N. Am. Corp. of Ill., 983 N.E.2d 414, 427 (Ill. 2012). Counter-Defendants fail to explain how this analysis can be resolved as a matter of law based on the allegations in the breach of contract counterclaim.

         In fact, CDK identifies allegations suggesting that there is no such agency relationship. CDK alleges that Authenticom's own contract with dealers makes clear that Authenticom is not the dealer's “agent, ” and in fact refers to “agents” of the dealer repeatedly as third parties to the agreement. [522 (Counterclaims), at ¶ 49.] Similarly, SIS's EULA states that “[t]he parties shall be independent contractors under this Agreement, and nothing herein will constitute either party as the employer, employee, agent or representative of the other party, or both parties as joint ventures or partners for any purpose.” [Id.]

         Counter-Defendants counter that the contracts do not undermine their contention that data integrators are their agents. Specifically, Counter-Defendants note that an agent may be both an independent contractor in one relationship and an agent in another. Signs & Blanks, Ltd. v. Lanan Prod., Inc., 2009 WL 10695777, at *5 n.4 (N.D. Ill. Jan. 20, 2009) (“[A] person may be both an independent contractor and an agent with the authority both to control the details of the work and also the power to act for and to bind the principal in business negotiations within the scope of [the] agency.” (internal quotation marks and citation omitted)). Although Counter-Defendants do not identify what law applies to this analysis in their opening brief, Counter-Defendants assert in their reply brief that Illinois law applies to the issue of whether data extractors were agents of Counter-Defendants.[3] Illinois courts have indicated that an independent contractor may be considered an agent for certain purposes when they have “the authority both to control the details of the work and also ‘the power to act for and to bind the principal in business negotiations within the scope of [the] agency.'” Horwitz, 816 N.E.2d at 279 (citing Hoffman & Morton Co. v. American Insurance Co., 181 N.E.2d 821 (Ill.App.Ct. 1962)). Counter-Defendants do not contend that such circumstances are present here.

         Lastly, Counter-Defendants argue that the merger clause in the MSAs precludes interpreting the MSAs in light of Counter-Defendants' contracts with other entities. [595, at 13.] Specifically, the MSAs provide:

This Agreement contains the entire agreement of the parties with respect to their subject matter and supersedes all existing agreements and all other oral, written or other communications between them concerning their subject matter[.]

[595-1, at ¶ 18.A.] However, the merger clause addresses agreements between the parties to the contract, not agreements with third parties. Furthermore, it cannot be the case that Counter-Defendants' contracts with data integrators are irrelevant to determining whether the data integrators can be characterized as agents of Counter-Defendants. While Counter-Defendants' own characterization of their relationships with data integrators is not dispositive of the issue of agency, it certainly is relevant. K.C. 1986 Ltd. P'ship v. Reade Mfg., 33 F.Supp.2d 820, 828 (W.D. Mo. 1998) (“While [the parties'] characterization of their relationship as an employer/independent contractor is not dispositive of the issue before the Court, it is probative of the intended nature of the relationship.” (citations omitted)); Bartolotta v. Dunkin' Brands Grp., Inc., 2016 WL 7104290, at *5 (N.D. Ill.Dec. 6, 2016) (“In short, while the nature and extent of control as defined in the franchise agreement is relevant, so too is the parties' actual conduct and practice.” (citations omitted)); Ziehlsdorf v. Am. Family Ins. Grp., 461 N.W.2d 448 (Wis. Ct. App. 1990) (“A written agreement defining the relationship ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.