In re Dealer Mgmt. Sys. Antitrust Litig.

• Docket Number: 18 C864
• Decision Date: 29 June 2023
• Parties: IN RE DEALER MANAGEMENT SYSTEMS ANTITRUST LITIGATION, MDL 2817 This document relates to: CDK's Counterclaims against Dealers
• Court: U.S. District Court — Northern District of Illinois

1

IN RE DEALER MANAGEMENT SYSTEMS ANTITRUST LITIGATION, MDL 2817 This document relates to: CDK's Counterclaims against Dealers

No. 18 C864

United States District Court, N.D. Illinois, Eastern Division

June 29, 2023

MEMORANDUM OPINION AND ORDER

REBECCA R. PALLMEYER UNITED STATES DISTRICT JUDGE

CDK, a business that sells a Dealership Management System (“DMS”) to car dealerships, has been sued by a number of those dealerships for alleged anticompetitive conduct. Those actions are consolidated before this court and have generated a number of rulings. This opinion addresses two remaining counterclaims brought by CDK against a putative class of car dealerships (“Dealership Counter-Defendants” or “Dealers”) [522]. First, CDK alleges that all the Dealers breached their contracts with CDK by allowing independent data integrators to access CDK's DMS without authorization. Second, CDK alleges that two groups of dealerships, referred to as the “Continental” and the “Warrensburg” Counter-Defendants, have violated Section 1201(a) of the Digital Millennium Copyright Act (“DMCA”), 17 U.S.C. § 1201, by circumventing technological controls that CDK implemented to prevent unauthorized third parties from accessing its DMS. The Dealers have moved for summary judgment on both counterclaims. For the reasons discussed below, the Dealership Counter-Defendants' motion [963] is granted.

BACKGROUND

I. Parties

A. CDK

Counter-Plaintiff CDK provides DMS software and services to car dealerships across the United States. (Dealership Counter-Defs.' Statement of Undisputed Material Facts in Supp. of Mot. for Summ. J. on CDK's Counterclaims (“PSUF”) [968] ¶ 1.) A DMS is a complex enterprise computer system that car dealerships use to collect and manage data generated during their operations.

B. Authenticom

Non-party Authenticom is an independent data integrator, or, as CDK refers to such actors, a “hostile integrator.” The Dealers have allowed third-party integrators including Authenticom to extract their data from CDK's DMS. Authenticom reorganizes the extracted data and sells it to vendors, who use the data for other commercial purposes, including making apps that dealerships use to market and advertise their cars and maintain contact with vehicle owners. Unlike the Dealers, Authenticom is not a paying licensee of CDK's DMS software.

C. Dealership Counter-Defendants

The Dealership Counter-Defendants are 17 automotive dealerships located in Illinois, Massachusetts, Minnesota, Missouri, New Jersey, and New York. (Id. ¶ 2.) CDK brings specific claims against two subsets of Dealership Counter-Defendants. CDK uses the term “Continental Counter-Defendants” to collectively refer to a group of eight individually-owned dealerships.^[1]CDK uses the term “Warrensburg Counter-Defendants” to collectively refer to a group of three jointly-owned dealerships located in or near Warrensburg, Missouri.^[2]

II. Relevant Facts for Breach-of-Contract Counterclaim

Each Dealership Counter-Defendant is party to a “Master Service Agreement” (“MSA”) with CDK. (Id. ¶ 5.) By their terms, the MSAs restrict unauthorized third-party access to CDK's DMS. For example, some of the MSAs include provisions barring the dealer from “sell[ing] or otherwise provid[ing], directly or indirectly, any of the Services or Software to any third party.” (Defs.' Statement of Add'l Facts in Opp. to MDL Pls.' Mots. For Summ. J. (“DSOAF”) [1062] ¶ 87; Pls.' Resp. to DSOAF (“DSOAFR”) [1139] ¶ 87.)

Since the 1990s, CDK's standard MSA has prohibited dealers from issuing login credentials to unauthorized third parties. (PSUF ¶ 26; PSUFR ¶ 26.) CDK's enforcement of those provisions has evolved over time. Historically, CDK was lenient regarding “dealer-permissioned” access to its DMS; beginning in or about 2010, however, CDK became more concerned about system security, and it sought to strengthen its system security by strictly enforcing limitations on third-party access from then on. (PSUF ¶¶ 28-31; PSUFR ¶¶ 28-31, 32.) Those limitations are the basis for CDK's counterclaims: CDK alleges that the Dealers breached their contractual obligations by providing login credentials to Authenticom and other third parties, thus enabling those third parties to access CDK's DMS without CDK's authorization. (Countercl. ¶ 136.) CDK further alleges that this conduct has damaged CDK by (a) depriving CDK of revenue it could otherwise collect by charging the third parties for access, (b) causing CDK to incur costs for investigating third-party access and attempting to stop it, and (c) “degrading CDK's DMS system and corrupting the data thereon.” (Id. ¶ 137.)

The Dealers do not dispute that they did in the past permit third parties to access the data they stored on CDK's DMS. However, there is no evidence in the record that the Dealers continue to do so. The only record evidence relating to the issue of ongoing violations are CDK Dealer Data Exchange Non-Authorized Access Reports, which, because they are blank, show that CDK has in fact detected no access by any suspected unauthorized third-party on the Dealers' servers as of spring 2020. (PSUF ¶¶ 10-25; PSUFR ¶¶ 10-25.)

Despite the absence of specific evidence of unauthorized third-party access, CDK insists it has been damaged. To date, however, CDK has not quantified damages it claims to have suffered as a result of past access. CDK asserted on several occasions that it would present expert testimony in support of its damages claim, but it has not done so. In response to an interrogatory from the Dealers requesting identification of CDK's damages, CDK stated that “quantification of the damages CDK seeks [regarding CDK's breach of contract counterclaim] is a subject for expert opinion testimony, which CDK intends to disclose in accordance with the expert disclosure deadlines established by the Court.” (PSUF ¶ 7.) CDK did solicit an expert damages report from Daniel L. Rubinfeld, but that report does not include a damages calculation for CDK's breach-of-contract counterclaim. (Id.) When deposed, Professor Rubinfeld testified that he did not know that CDK had brought such a counterclaim and he did not estimate damages relating to such a claim. (Id.) Rubinfeld's testimony prompted Dealership counsel to ask whether CDK would voluntarily dismiss its breach-of-contract counterclaim. (Id.) CDK responded, stating for the first time that it sought only “declaratory and injunctive relief . . . and/or nominal damages.” (Id.)

III. Relevant Facts for DMCA Counterclaim^[3]

In 2017, CDK implemented access controls to enhance data security and ward off threats to system performance and data corruption. (PSUFR ¶ 43.) These access controls included using CAPTCHA prompts^[4] and disabling accounts that CDK suspected were being used for automated third-party access. (PSUF ¶ 43; PSUFR ¶ 43.)

A. Continental Counter-Defendants

The Continental Counter-Defendants are eight individually-owned dealerships. Each Continental dealership is a paying licensee of CDK's DMS software; CDK bills each dealership separately for DMS access. (PSUF ¶ 39.) The Continental Counter-Defendants share a single server (PSUFR ¶ 41), but CDK assigned a separate client master file number to each Continental dealership as a way of identifying them. (DSOAF ¶ 94; DSOAFR ¶ 94.) IT Director Mark Johnson works for the owners of each of the Continental dealers. (DSOAF ¶ 94.)

CDK alleges that the Continental Counter-Defendants are secondarily liable for a claim it has brought against Authenticom, a party that has since settled with CDK. CDK alleges that Authenticom unlawfully circumvented CDK's CAPTCHA prompts and that the Continental Counter-Defendants materially contributed to that circumvention. (Countercl. ¶¶ 147- 58.) In an effort to prevent unauthorized access to its DMS, CDK created a CATPCHA prompt that a user must respond to when logging into the DMS:

Only dealer personnel are authorized to use the CDK Global DMS. Use or access by unauthorized third parties is strictly prohibited and is in violation of the terms on which CDK licenses its software and services. Machine/automated access, access via the use of non CDK software or issuing of user names and passwords for third party use is considered non-authorized access. Those using this system without authorization will be denied access and may be subject to legal action.

(DSOAFR ¶ 48.) CDK alleges that Authenticom circumvented its CAPTCHA control by entering the system even after being presented with the above prompt; CDK further asserts that the Continental Counter-Defendants induced Authenticom to circumvent this CAPTCHA control when the Continental Dealers' IT Director, Mark Johnson, continued to provide Authenticom login credentials even after CDK implemented the CAPTCHA prompt.^[5] (DSOAF ¶ 96.)

CDK hired Edward M. Stroz, a cybersecurity expert, to opine on the nature of CDK's technological access controls and the extent of the Counter-Defendants' purported violations. Assuming that Authenticom's purported CAPTCHA circumventions qualify as DMCA violations and that the Continental Counter-Defendants are secondarily liable for those violations, Mr. Stroz estimates the total number of DMCA violations allegedly committed by the Continental CounterDefendants as a group, but he does not identify or quantify any violations by any individual Counter-Defendant. (PSUF ¶ 42; PSUFR ¶ 42). CDK's damages expert, Professor Rubinfeld, did not identify any actual damages resulting from the Continental Counter-Defendants' alleged DMCA violations, but instead calculated only statutory damages. (PSUF ¶ 58; PSUFR ¶ 58.)^[6]

B. Warrensburg Counter-Defendants

The Warrensburg Counter-Defendants are separately incorporated entities. (DSOAFR ¶ 99.) They share common...