680 F.Supp.3d 919

N.D. Ill.

2023

IN RE DEALER MANAGEMENT SYSTEMS ANTITRUST LITIGATION

No. 18 C864

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION

June 29, 2023

Judge Rebecca R. Pallmeyer

MDL 2817; This dоcument relates to: CDK‘s Counterclaims against Dealers

MEMORANDUM OPINION AND ORDER

CDK, a business that sells a Dealership Management System (“DMS“) to car dealerships, has been sued by a number of those dealerships for alleged anticompetitive conduct. Those actions are consolidated before this court and have generated a number of rulings. This opinion addresses two remaining counterclaims brought by CDK against a putative class of car dealerships (“Dealership Counter-Defendants” or “Dealers“) [522]. First, CDK alleges that all the Dealers breached their contracts with CDK by allowing independent data integrators to access CDK‘s DMS without authorization. Second, CDK alleges that two groups of dealerships, referred to as the “Continental” and the “Warrensburg” Counter-Defendants, have violated Section 1201(a) of the Digital Millennium Copyright Act (“DMCA“), 17 U.S.C. § 1201, by circumventing technological controls that CDK implemented to prevent unauthorized third parties from accessing its DMS. The Dealers have moved for summary judgment on both counterclaims. For the reasons discussed below, the Dealership Counter-Defendants’ motion [963] is granted.

BACKGROUND

I. Parties

A. CDK

Counter-Plaintiff CDK provides DMS software and services to car dealerships across the United States. (Dealership Counter-Defs.’ Statement of Undisputed Material Facts in Supp. of Mot. for Summ. J. on CDK‘s Counterclaims (“PSUF“) [968] ¶ 1.) A DMS is a complex enterprise computer system that car dealerships use to collect and manage data generated during their operations.

B. Authenticom

Non-party Authenticom is an independent data integrator, or, as CDK refers to such actors, a “hostile integrator.” The Dealers have allowed third-party integrators including Authenticom to extract their data from CDK‘s DMS. Authenticom reorganizes the extracted data and sells it to vendors, who use the datа for other commercial purposes, including making apps that dealerships use to market and advertise their cars and maintain contact with vehicle owners. Unlike the Dealers, Authenticom is not a paying licensee of CDK‘s DMS software.

C. Dealership Counter-Defendants

The Dealership Counter-Defendants are 17 automotive dealerships located in Illinois, Massachusetts, Minnesota, Missouri, New Jersey, and New York. (Id. ¶ 2.) CDK brings specific claims against two subsets of Dealership Counter-Defendants. CDK uses the term “Continental Counter-Defendants” to collectively refer to a group of eight individually-owned dealerships.¹ CDK uses the term “Warrensburg Counter-Defendants” to collectively refer to a group of three jointly-owned dealerships located in or near Warrensburg, Missouri.²

II. Relevant Facts for Breach-of-Contract Counterclaim

Each Dealership Counter-Defendant is party to a “Master Service Agreement” (“MSA“) with CDK. (Id. ¶ 5.) By their terms, the MSAs restrict unauthorized third-party access tо CDK‘s DMS. For example, some of the MSAs include provisions barring the dealer from “sell[ing] or otherwise provid[ing], directly or indirectly, any of the Services or Software to any third party.” (Defs.’ Statement of Add‘l Facts in Opp. to MDL Pls.’ Mots. For Summ. J. (“DSOAF“) [1062] ¶ 87; Pls.’ Resp. to DSOAF (“DSOAFR“) [1139] ¶ 87.)

Since the 1990s, CDK‘s standard MSA has prohibited dealers from issuing login credentials to unauthorized third parties. (PSUF ¶ 26; PSUFR ¶ 26.) CDK‘s enforcement of those provisions has evolved over time. Historically, CDK was lenient regarding “dealer-permissioned” access to its DMS; beginning in or about 2010, however, CDK became more concerned about system security, and it sought to strengthen its system security by strictly enforcing limitations on third-party access from then on. (PSUF ¶¶ 28-31; PSUFR ¶¶ 28-31, 32.) Those limitations are the basis for CDK‘s counterclaims: CDK alleges that the Dealers breached their contractual obligations by providing login credentials to Authenticom and other third parties, thus enabling those third parties to access CDK‘s DMS withоut CDK‘s authorization. (Countercl. ¶ 136.) CDK further alleges that this conduct has damaged CDK by (a) depriving CDK of revenue it could otherwise collect by charging the third parties for access, (b) causing CDK to incur costs for investigating third-party access and attempting to stop it, and (c) “degrading CDK‘s DMS system and corrupting the data thereon.” (Id. ¶ 137.)

The Dealers do not dispute that they did in the past permit third parties to access the data they stored on CDK‘s DMS. However, there is no evidence in the record that the Dealers continue to do so. The only record evidence relating to the issue of ongoing violations are CDK Dealer Data Exchange Non-Authorized Access Reports, which, because they are blank, show that CDK has in fact detected no access by any suspected unauthorized third-party on the Dealers’ servers as of spring 2020. (PSUF ¶¶ 10-25; PSUFR ¶¶ 10-25.)

Despite the absence of specific evidence of unauthorized third-party access, CDK insists it has been damaged. To date, however, CDK has not quantified damages it claims to have suffered as a result of past access. CDK asserted on several occasions that it would present expert testimony in support of its damages claim, but it has not done so. In response to an interrogatory from the Dealers requesting identification of CDK‘s damages, CDK stated that “quantification of the damages CDK seeks [regarding CDK‘s breach of contract counterclaim] is a subject for expert opinion testimony, which CDK intends to disclose in accordance with the expert disclosure deadlines established by the Court.” (PSUF ¶ 7.) CDK did solicit an expert damages report from Daniel L. Rubinfeld, but that report does not include a damages calculation for CDK‘s breach-of-contract counterclaim. (Id.) When deposed, Professor Rubinfeld testifiеd that he did not know that CDK had brought such a counterclaim and he did not estimate damages relating to such a claim. (Id.) Rubinfeld‘s testimony prompted Dealership counsel to ask whether CDK would voluntarily dismiss its breach-of-contract counterclaim. (Id.) CDK responded, stating for the first time that it sought only “declaratory and injunctive relief . . . and/or nominal damages.” (Id.)

III. Relevant Facts for DMCA Counterclaim³

In 2017, CDK implemented access controls to enhance data security and ward off threats to system performance and data corruption. (PSUFR ¶ 43.) These access controls included using CAPTCHA prompts⁴ and disabling accounts that CDK suspected were being used for automated third-party access. (PSUF ¶ 43; PSUFR ¶ 43.)

A. Continental Counter-Defendants

The Continental Counter-Defendants are eight individually-owned dealerships. Each Continental dealership is a paying licensee of CDK‘s DMS software; CDK bills each dealership separately for DMS access. (PSUF ¶ 39.) The Continental Counter-Defеndants share a single server (PSUFR ¶ 41), but CDK assigned a separate client master file number to each Continental dealership as a way of identifying them. (DSOAF ¶ 94; DSOAFR ¶ 94.) IT Director Mark Johnson works for the owners of each of the Continental dealers. (DSOAF ¶ 94.)

CDK alleges that the Continental Counter-Defendants are secondarily liable for a claim it has brought against Authenticom, a party that has since settled with CDK. CDK alleges that Authenticom unlawfully circumvented CDK‘s CAPTCHA prompts and that the Continental Counter-Defendants materially contributed to that circumvention. (Countercl. ¶¶ 147-58.) In an effort to prevent unauthorized access to its DMS, CDK created a CATPCHA prompt that a user must respond to when logging into the DMS:

Only dealer personnel are authorized to use the CDK Global DMS. Use or access by unauthorized third parties is strictly prohibited and is in violation of the terms on which CDK licenses its software and services. Machine/automated access, access via the use of non CDK software or issuing of user names and passwords for third party use is considered non-authorized access. Those using this system without authorization will be denied access and may be subject to legal action.

(DSOAFR ¶ 48.) CDK alleges that Authenticom circumvented its CAPTCHA control by entering the system even after being presented with the above prompt; CDK further asserts that the Continental Counter-Defendants induced Authenticom to circumvent this CAPTCHA control when the Continental Dealers’ IT Director, Mark Johnson, continued to provide Authenticom login credentials even after CDK implemented the CAPTCHA prompt.⁵ (DSOAF ¶ 96.)

CDK hired Edward M. Stroz, a cybersecurity expert, to opine on the nature of CDK‘s technological access controls and the extent of the Counter-Defendants’ purported violations. Assuming that Authenticom‘s purported CAPTCHA circumventions qualify as DMCA violations аnd that the Continental Counter-Defendants are secondarily liable for those violations, Mr. Stroz estimates the total number of DMCA violations allegedly committed by the Continental Counter-Defendants as a group, but he does not identify or quantify any violations by any individual Counter-Defendant. (PSUF ¶ 42; PSUFR ¶ 42). CDK‘s damages expert, Professor Rubinfeld, did not identify any actual damages resulting from the Continental Counter-Defendants’ alleged DMCA violations, but instead calculated only statutory damages. (PSUF ¶ 58; PSUFR ¶ 58.)⁶

B. Warrensburg Counter-Defendants

The Warrensburg Counter-Defendants are separately incorporated entities. (DSOAFR ¶ 99.) They share common ownership (Cliff Harris), a common controller (Linda Smith), and common general managers (Adam Harris and Shawn Jeffrey). (DSOAF ¶ 99; DSOAFR ¶ 99.) CDK entered into separate contracts for DMS services with each Warrensburg dealership, though the dealerships also share a common DMS server. (PSUFR ¶ 41.) Each of the Warrensburg Counter-Defendants is a pаying licensee of CDK‘s DMS software, and CDK bills each dealership separately for DMS access. (PSUF ¶ 39.) The Dealers are authorized and able to use CDK‘s DMS to create new login credentials to access the DMS system. (See id. ¶ 60.)

On August 23, 2016, Smith received an email in which Authenticom reported that CDK had invalidated a profile that Authenticom had used to access the DMS; Authenticom requested that Smith create a new profile with the same access controls as the disabled one. (DSOAF ¶ 101.) The invalidated profile was an “elead” profile, meaning simply that the profile had “elead” in its name. (See id.) CDK has come to associate “elead” profiles with Authenticom based on those accounts’ usage patterns. (Countercl. ¶ 112.) On March 3, 2017, Lisa Johnston, a technical services representative at Authenticom, sent Smith an email with the subject line “Disabled Profile - Marshall Chrysler - DSS 1384.” (DSOAF ¶ 102.) Johnston wrote that CDK had disabled the profile “elead20,” and she offered to assist Smith with re-enabling the profile or creating a new one. (Id.) Johnston further stated that Authenticom “recently validated some technology through testing with over 200 dealers that may help dealerships protect their usernames and password” from further being locked. (Id.) Johnston offered to access Smith‘s computer remotely in order to install the new tool and Smith agreed, granting Johnston remote access to install Authenticom‘s new program on March 9, 2017. (Id. ¶¶ 102-03.) The effort evidently failed: on March 30, 2017, Johnston emailed Smith, stating that she tried to extract data but received an error message. (Id. ¶ 103.) She requested remote access to “fix it to [sic] the profile gets enabled again.” (Id.) No follow-up email confirms that Johnston‘s “fix” was effective.

The tool Johnston referred to is called “Profile Manager,” which is a comрuter script developed by Authenticom that “runs” or “launches” by logging into CDK‘s DMS using a preexisting dealership DMS user account that has administrative permissions. (PSUF ¶ 59.) As explained in Mr. Stroz‘s report, administrator-level accounts on the CDK DMS have “the broadest access and use permissions,” allowing them to create and set the access level permissions for other accounts. (Ex. DDD (Stroz Rep.) to Wedgworth Decl. [968-1] at 16.) According to that same report, administrator-level accounts are “usually reserved for individuals at the dealership with IT and/or network security responsibilities.” (Id.) The Profile Manager program developed by Authenticom is an automated process for re-enabling login credentials that CDK has disabled.⁷ (PSUF ¶ 59; PSUFR ¶ 59.) Authenticom also developed a scheduler function that prompted Profile Manager to run on an hourly basis. (PSUFR ¶ 60.) In April 2017, CDK developed and deployed a seсurity patch that disabled Profile Manager. (Id.) After the patch was deployed, Profile Manager continued to run on an unidentified Warrensburg account until at least 2019, though there is no evidence that Profile Manager re-enabled any disabled user account, at a Warrensburg dealership or elsewhere, after the patch. (See PSUFR ¶ 62.)

In 2016 and 2017, Warrensburg controller Linda Smith received four emails from CDK stating that CDK had detected unauthorized access on the Warrensburg server. (DSOAF ¶ 100.) The first three emails predate the email exchange between Smith and Johnston and thus do not ‍‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‍concern Profile Manager; they are dated July 6, August 22, and November 18, 2016. (Id.) The fourth notice also does not directly relate to Profile Manager: it is dated June 13, 2017 and therefore postdates the patch that rendered Profile Manager ineffective. (Id.)

Mr. Stroz, CDK‘s cybersecurity expert, did not identify or quantify any violations by аny individual Warrensburg Counter-Defendant. (PSUF ¶ 41; PSUFR ¶ 41.) His opinion is not based on login data coming from each Warrensburg dealership. Instead, he calculates the number of times Profile Manager re-enabled the Warrensburg Counter-Defendants’ user accounts by reference to (i) the number of dates between March 20 and April 24, 2017 in which Profile Manager was running on an (unspecified) Warrensburg Counter-Defendant‘s account and (ii) his assumption that Profile Manager successfully re-enabled one disabled user account per day per dealer group.⁸ (PSUF ¶ 63.) Based on this calculation, Mr. Stroz attributes 36 re-enablements to the dealership group. As for damages, Professor Rubinfeld calculated statutory damages, but not actual damages, resulting from the Warrensburg Counter-Defendants’ alleged DMCA violations. (PSUF ¶ 58; PSUFR ¶ 58.)

IV. Procedural History

The Dealers moved to dismiss CDK‘s counterclaims, and on September 3, 2019, Judge Dow granted that motion in part. The сourt dismissed CDK‘s counterclaim arising under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, but CDK‘s breach-of-contract and DMCA counterclaims survived the motion. See generally In re Dealer Mgmt. Sys. Antitrust Litig., No. 18-CV-864, 2019 WL 4166864 (N.D. Ill. Sept. 3, 2019).

On May 20, 2020, the Dealers moved for summary judgment on those counterclaims [963], raising several complementary and alternative arguments. (See generally Dealership Counter-Defs.’ Mem. in Supp. of Mot. for Summ. J. on CDK Countercl. (“Dealers’ Br.“) [965].)

Regarding CDK‘s breach-of-contract claim, the Dealers argue that CDK is entitled to no relief because it has no evidence of actual damages, an essential element of its claim. (Dealers’ Br. at 11-22.) Even if CDK could show damages, the Dealers contend, CDK is not entitled to injunctive relief. (Id. at 16-22.) The Dealers further argue that, alternatively, they are entitled to summary judgment on CDK‘s breach-of-contract counterclaim under the doctrines of waiver and unclean hands. (Id. at 22-32.)

Regаrding CDK‘s DMCA counterclaim, the Dealers argue that CDK cannot establish the basic elements of that claim because (1) CDK‘s software is not entitled to protection under the Copyright Act, (2) the Counter-Defendants (and data integrators) did not “circumvent” CDK‘s technological measures, and (3) CDK‘s technology did not “effectively control” access to CDK‘s software. (Id. at 33 (incorporating by reference Authenticom‘s Mem. in Supp. of its Mot. for Summ. J. on Defs.’ Countercl. [978] at 41-55).) The Dealers further argue that they cannot be held liable under the DMCA because the purpose of that statute is to protect copyrighted works from piracy, and any purported circumvention did not threaten CDK‘s copyright interests. (Dealers’ Br. at 34-53.) As an alternative basis for summary judgment, the Dealers argue that CDK‘s claim fails because CDK has not proffered any evidence of DMCA violations by any individual Counter-Defendant. (Id. at 53-56.) Furthermоre, the Dealers argue, the record cannot support a finding of vicarious or contributory liability against the Continental Counter-Defendants, because there is no evidence that those dealerships knew of, contributed to, or had any direct financial interest in Authenticom‘s allegedly violative conduct. (Id. at 56-73.) And, finally, the Dealers argue that, on this record, the Warrensburg Counter-Defendants cannot be held vicariously liable for Authenticom‘s alleged circumventions because CDK cannot show that those dealerships had a direct financial interest in any of Authenticom‘s purported violations. (Id. at 73-84.)

In the time since the parties submitted their summary judgment briefing, the court ruled on their Daubert motions. In re Dealer Mgmt. Sys. Antitrust Litig., 581 F. Supp. 3d 1029 (N.D. Ill. 2022). In that ruling, the court deemed admissible the report of CDK‘s cybersecurity expert, Mr. Stroz. Id. at 1088. The court noted, however, that Mr. Stroz‘s report supported damages only at the dealership-group level, and the court declined to rule on the Dealers’ argument that the DMCA does not permit joint and several liability. See id. at 1094. In supplemental briefing, the parties informed the court of their shared understanding that the Daubert rulings would not affect the court‘s summary judgment rulings [1327, 1333]. In that same briefing, the Dealership Counter-Defendants again emphasized their argument that the DMCA does not permit joint and several liability for DMCA statutory damages, the issue on which Judge Dow had reserved ruling.

DISCUSSION

I. Legal Standard

Summary judgment is proper where “the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” FED. R. CIV. P. 56(a); see Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986). A genuine issue of material fact exists if “the evidence is such that a reasonable jury could return a verdict for the nonmoving party.” Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). The court “must construe all facts and draw all reasonable inferences in the light most favorable to the nonmoving party.” Majors v. Gen. Elec. Co., 714 F.3d 527, 532 (7th Cir. 2013) (citation omitted). But it “may not make credibility determinаtions, weigh the evidence, or decide which inferences to draw from the facts; these are jobs for a factfinder.” Johnson v. Rimmer, 936 F.3d 695, 705 (7th Cir. 2019) (quotation omitted).

A party opposing summary judgment must go beyond the pleadings and “set forth specific facts showing that there is a genuine issue for trial.” Liberty Lobby, 477 U.S. at 250. The nonmoving party “must do more than simply show that there is some metaphysical doubt as to the material facts.” Matsushita Elec. Indus. Co., Ltd. v. Zenith Radio Corp., 475 U.S. 574, 586 (1986). Summary judgment is proper if the nonmoving party “fails to make a showing sufficient to establish the existence of an element essential to that party‘s case, and on which that party will bear the burden of proof at trial.” Ellis v. CCA of Tennessee LLC, 650 F.3d 640, 646 (7th Cir. 2011) (quoting Celotex, 477 U.S. at 322).

II. Breach-of-Contract Counterclaim

CDK brings a breach-of-contract claim against all Dealership Counter-Defendants, asserting that the Dealers have breached obligations under their MSAs “by providing login credentials to Authenticom and other third parties to enable those third parties to hostilely access CDK‘s DMS.” (Countercl. ¶ 136.) As noted above, CDK switched course during discovery, choosing not to calculate actual damages but instead to pursue declaratory and injunctive relief and/or nominal damages. (PSUMF ¶ 7.) Significantly, in its brief opposing summary judgment CDK stated that “the record shows CDK did suffer monetary harm from Counter-Defendants’ conduct, even if CDK is not pursuing a damages remedy . . . CDK has elected not to seek those damages at trial because CDK did not think it worthwhile to pursue the expensive expert analysis needed to quantify those damages. . . .” (CDK Global, LLC‘s Opp. to the Dealership Counter-Defs.’ Mot. for Summ. J. (“CDK‘s Opp.“) [1057] at 6 (emphasis omitted).) Dealership Counter-Defendants argue that, because CDK has not even attempted to provide a reasonable basis for calculating damages, its breach-of-contract counterclaim cannot survive summary judgment.

Most of thе MSAs at issue include a choice-of-law provision stating that Illinois law governs the agreement. (DSAOF ¶ 87; PSUFR ¶ 5.) To succeed on an Illinois breach-of-contract claim, “a plaintiff must plead and prove (1) the existence of a valid and enforceable contract, (2) substantial performance by the plaintiff, (3) breach by the defendant, and (4) damages caused by that breach.” Ivey v. Transunion Rental Screening Sols., Inc., 2022 IL 127903, ¶ 28, reh‘g denied (Jan. 23, 2023); see also Hernandez v. Illinois Inst. Of Tech., 63 F.4th 661, 667 (7th Cir. 2023). The MSA that the Warrensburg Counter-Defendants submitted is governed by New Jersey law. (PSUFR ¶ 6.) Under New Jersey law, the elements of a breach-of-contract claim are, in material respects, the same. See Goldfarb v. Solimine, 245 N.J. 326, 338, 245 A.3d 570, 577 (2021).

The Dealers’ focus on this motion is a narrow one: they challenge CDK‘s claim for damages, reasoning that the “damages” ‍‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‍element for breach of contract requires a showing of actual damages, which CDK alleged but chose not to calculate. See TAS Distrib. Co. v. Cummins Engine Co. (“TAS“), 491 F.3d 625, 631 (7th Cir. 2007) (“Merely showing that a contract has been breached without demonstrating actual damage does not suffice, under Illinois law, to state a claim for breach of contract.“). CDK responds that Illinois law does not require a showing of actual damage to establish a prima facie case, but rather requires a “resultant injury to the plaintiff,” Avila v. CitiMortgage, Inc., 801 F.3d 777, 786 (7th Cir. 2015), and, under New Jersey law, “proof of actual damages is not necessary to survive summary judgment on a breach of contract claim.” Interlink Grp. Corp. USA v. Am. Trade & Fin. Corp., No. 12-6179 (JBC), 2014 WL 3578748, at *7 (D.N.J. July 18, 2014) (quoting Nappe v. Anschelewitz, Barr, Ansell & Bonello, 97 N.J. 37, 45-46, 477 A.2d 1224, 1228 (1984)).

The trouble with CDK‘s position, as discussed in greater detail below, is that the kinds of remedies it seeks (nominal damages, declaratory relief, and an injunction) are available only when money damages are difficult to calculate or are inadequate to remedy the harm identified in the complaint. In this case, CDK‘s breаch-of-contract counterclaim alleges pecuniary loss, which would typically result in monetary damages. CDK has not shown that its damages can not be calculated; CDK‘s decision to decline to submit those calculations does not satisfy the court that CDK is entitled to alternative remedies.

A. Nominal Damages

Nominal damages are appropriate where a plaintiff has been injured but is unable to calculate damages within a reasonable degree of certainty. See TAS, 491 F.3d at 632. CDK cites no case in which a plaintiff affirmatively casts aside its burden to prove actual damages—let alone a case where a plaintiff chose not to calculate damages after representing for several months that an expert report on the matter is on the way, as CDK has done here. Cf. Hentze v. Unverfehrt, 237 Ill. App. 3d 606, 612, 604 N.E.2d 536, 640 (5th Dist. 1992) (awarding nominal damages only after finding that “[t]he calсulation given cannot reasonably be broken down” to establish lost profits without “pure speculation and conjecture“); Jones v. Rempert, 2012 IL App (2d) 110208-U, ¶¶ 12, 24 (awarding nominal damages after “[b]oth parties elicited expert testimony from certified public accountants“).⁹

CDK insists that nominal damages are available as a standalone remedy for its counterclaim under New Jersey law, but that is not so. In Nappe v. Anschelewitz, Barr, Ansell & Bonello, on which CDK relies, the New Jersey Supreme Court stated: “The general rule is that whenever there is a breach of contract . . . the law ordinarily infers that damage ensued, and, in the absence of actual damages, the law vindicates the right by awarding nominal damages.” 97 N.J. 37, 46, 477 A.2d 1224, 1228 (1984). The New Jersey Supreme Court has since clarified that “if compensatory damages are otherwise available to the plaintiff, nominal damages are not to be awarded.” Graphnet, Inc. v. Retarus, Inc., 250 N.J. 24, 38, 269 A.3d 413, 422 (2022) (internal quotation marks omitted).¹⁰ Again, by CDK‘s own admission, compеnsatory damages are available on its counterclaim, but CDK chose not to calculate them. CDK cannot proceed to trial on its breach-of-contract claim seeking nominal damages alone.

B. Declaratory Relief

Declaratory relief is not a typical remedy for breach of contract, and CDK has cited no authority in which a court has issued declaratory relief as a remedy for such a claim.¹¹ CDK urges that declaratory relief is appropriate here because “a key purpose of declaratory relief is to authorize judgments in cases where there are no quantifiable damages.” (CDK‘s Opp. at 14 (citing Central Brown Cnty. Water Auth. v. Consoer, Townsend, Envirodyne, No. 09-C-0131, 2013 WL 501419, at *7 (E.D. Wis. Feb. 11, 2013)).) But, again, CDK represents that the Dealers’ alleged breaches did lead to quantifiable damages—CDK simply chose not to calculate them. (CDK‘s Opp. at 6 n.3.) This court has “unique and substantiаl discretion to abstain from hearing claims for declaratory relief,” and it would decline to award such relief here. Rarick v. Federated Serv. Ins. Co., 852 F.3d 223, 230 (3d Cir. 2017) (quoting R.R. St. & Co., Inc. v. Vulcan Materials Co., 569 F.3d 711, 716-17 (7th Cir. 2009)).

C. Injunctive Relief

The only remaining relief CDK seeks for its breach-of-contract counterclaim is an injunction. Such relief “is not available as a matter of course; it remains a creature of equity, and so the district court has discretion to decide whether that relief is warranted, even if it has found liability.” Liebhart v. SPX Corp., 998 F.3d 772, 774 (7th Cir. 2021). The party seeking an injunction must demonstrate “(1) that it has suffered an irreparable injury; (2) that remedies available at law, such as monetary damages, are inadequate to compensate for that injury; (3) that, considering the balance of hardships between the plaintiff and defendant, a remedy in equity is warranted; and (4) that the public interest would not be disserved by a permanent injunction.” Id. (citing eBay Inc. v. MercExchange, L.L.C., 547 U.S. 388, 391 (2006)). The party seeking an injunction bears the burden of persuasion: “damages are the norm, so the plaintiff must show why his case is abnormal.” Walgreen Co. v. Sara Creek Prop. Co., 966 F.2d 273, 275 (7th Cir. 1992).

Again, CDK has not met its burden. Even if questions of fact persist on the third and fourth injunctive-relief factors, CDK has failed to present evidence that the alleged contract breaches are (1) a cause of the irreparable harm it claims to suffer and (2) ongoing or likely to reoccur, such that monetary damages would not adequately compensate CDK for its injury.

With respect to irreparable harm: CDK argues that it faces increased security risks stemming from unauthorized DMS access.¹² In support, CDK‘s cybersecurity expert opines that “[h]ostile third-party access to DMSs poses a security risk to the confidentiality, integrity, and availability of DMS data and the underlying systems.” (Stroz Rep. at 4.) Beyond this general statement, however, CDK has presented no evidence that the Dealers’ ‍‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‍alleged contract breaches actually caused those increased risks. For example, CDK discusses a security breach of DealerBuilt‘s DMS in 2016, but it identifies no connection between the DealerBuilt incident and Dealers issuing login credentials to data integrators. Instead, record evidence reveals that the breach occurred due to a malicious hacker exploiting a DealerBuilt employee‘s error. (Ex. 448 to Fenske Decl. [1064-93] ¶¶ 9-12.) CDK next points to an example of a security incident that, again, has nothing to do with Dealers issuing login credentials to data integrators: a May 2020 event regarding escrow funds for the Dealers’ class settlement with Reynolds, another DMS provider and a former defendant in this case. (CDK‘s Opp. at 9.) CDK has not sufficiently linked the irreparable harm it claims to face with the conduct it seeks to enjoin.

CDK has also not satisfied the court that an award of money damages would be an inadequate remedy. Such an award may be inadequate where a violation is ongoing—but there is no evidence in this record that the Dealers are currently violating their MSAs. CDK‘s own system reports show that no Counter-Defendant is currently providing log-in credentials to non-authorized third parties. (PSUMF ¶¶ 10-25; Exs. K-O to Wedgworth Decl. [968-1].) CDK protests that its system reports “show[] only that CDK is unable to detect third-party credential sharing“—not that such breaches are not occurring. (CDK‘s Opp. at 11.) But summary judgment is the “put up or shut up” moment in litigation. Reed v. Brex, Inc., 8 F.4th 569, 578 (7th Cir. 2021) (citation omitted). It is CDK‘s burden to present evidence that a Dealer Counter-Defendant is providing login credentials to “non-authorized” entities or that such conduct is likely to occur in the future, and CDK has not done so.

In short, CDK has opted not to calculate compensatory damages and has not presented evidence that the Dеalers’ contract breaches resulted in irreparable harm to CDK or harm that cannot be compensated through monetary damages. The Dealership Counter-Defendants are entitled to summary judgment on this counterclaim.¹³

III. DMCA Counterclaim

CDK‘s remaining claim arises under Section 1201(a)(1)(A) of the DMCA. The DMCA provides, in relevant part, that “[n]o person shall circumvent a technological measure that effectively controls access to a work protected [by copyright].” 17 U.S.C. § 1201(a)(1)(A). The DMCA‘s provisions on civil remedies grant the court discretion to impose injunctive relief, id. at § 1203(b)(1), and sets forth that “a person committing a violation” of § 1201 may be liable for either actual damages or statutory damages. Id. at § 1203(c)(1)(A)-(B).

CDK claims that the Continental and Warrensburg Counter-Defendants have violated § 1201 of the DMCA and seeks recovery of statutory damages, which range from $200 to $2,400 per act. CDK alleges that it implemented technological controls—including CAPTCHA controls and disablement of dealer credentials that CDK believes to have been used for automated access by third parties—in order to prohibit unauthorized access to its copyrighted material, including its software code and the data compilations on its DMS. (Countercl. ¶ 150.) CDK asserts that the Continental Counter-Defendants induced Authenticom to circumvent its CAPTCHA controls so that Authenticom could gain unauthorized access to its DMS. (Id. ¶¶ 151-55.) As for the Warrensburg Counter-Defendants, CDK alleges that they are either primarily or secondarily liable for violating the DMCA because they allowed Authenticom to run Profile Manager on their server. (Id. ¶¶ 151-55.) As a result, CDK alleges, the Continental Counter-Defendants are liable for 1,256 DMCA violations, amounting to a minimum of $251,200 and a maximum of $3,140,000. (See Rubinfeld Report [968-3] ¶ 78, Table 5.) CDK maintains that the Warrensburg Counter-Defendants are liable for 9,771 violations, amounting to a minimum of $1,954,200 and a maximum of $24,427,500. (Id.)

The court begins (and ends) with the argument that the Dealers have repeаtedly asked the court to address: whether CDK‘s inability to proffer evidence assigning particular alleged DMCA violations to particular dealerships is fatal to its counterclaim. Although the Continental Counter-Defendants are a group of eight individual dealerships and the Warrensburg Counter-Defendants are a group of three individual dealerships, CDK has not attributed particular alleged violations to each dealership. The Dealers hone in on this potential defect in their opening brief, arguing that CDK engaged in a group-pleading tactic that cannot overcome summary judgment. (Dealers’ Br. at 53-56.) CDK responds by asserting that the individual dealerships in each group belong to that group‘s “corporate family,” meaning, in CDK‘s view, that they are jointly and severally liable for the claims in CDK‘s pleadings. (CDK‘s Opp. at 22.) CDK further argues that it is appropriate to hold the Warrensburg Counter-Defеndants jointly and severally liable because they did not disclose any use of Authenticom by any individual dealerships in response to CDK‘s interrogatory requests. (Id. at 25.) In reply, the Dealers argue that the DMCA does not allow for joint and several liability for statutory damages, and, even if it did, this record would not support imposing such liability on the two dealership groups. (Corrected Dealership Counter-Defs.’ Reply Mem. in Supp. of their Mot. for Summ. J. on CDK‘s Counterclaims (“Dealers’ Reply“) [1119] at 10-12.) The Dealers further argue that allowing CDK to seek joint and several liability at this late date would be unduly prejudicial. (Id. at 12-13.)

The court agrees with the Dealers that CDK‘s inability to connect any DMCA violation to any particular dealership is fatal to its claim. First and critically, CDK‘s Counterclaims do not allege joint and several liability; it is not enough for CDK to allege that the Dealerships “share common ownership, managers, аnd employees and therefore operate as a single business unit.” (Countercl. ¶¶ 15, 20.) Cf. Papa v. Katy Indus., 166 F.3d 937, 943 (7th Cir. 1999) (“The plaintiffs seem to think that unless a corporate group erects a Chinese wall between affiliates, each affiliate is responsible for the other‘s debts. That is nonsense.“). The Dealers assert that, had CDK pleaded joint and several liability, the Dealers would have deposed CDK witnesses concerning CDK‘s decisions to (i) enter into separate MSAs with each Warrensburg dealership, (ii) separately bill the Warrensburg dealerships, and (iii) assign separate client master file numbers to each Continental dealership. (Id.) The court agrees with the Dealers that, if joint and several liability were available for statutory damages under the DMCA, it would be unduly prejudicial to allow CDK to seek such liability at this late date. See Johnson v. Methodist Med. Ctr. of Ill., 10 F.3d 1300, 1304 (7th Cir. 1991) (affirming denial of motion to amend a complaint after defendant moved for summary judgment and would be prejudiced by need to engage in substantial additional discovery). Because CDK‘s newly articulated liability theory is untimely, CDK‘s DMCA counterclaim is dismissed.

Second, even if CDK had pleaded joint and several liability in its Counterclaims, the court would still have serious concerns about CDK‘s inability to attribute the alleged violations to particular dealerships. Assuming that the DMCA does allow for joint and several liability, CDK would still need to present evidence that at least one dealership in each group committed a DMCA violation. See 17 U.S.C. § 1201(a)(1)(A) (imposing liability on a “person” gaining unauthorized access to a copyrighted work); id. at § 1203(c)(1)(A)-(B) (providing that “a person committing a violation” may be liable for either actual or statutory damages). If CDK brought forward such evidence, then the court could reach the question of whether the individual dealerships could be held jointly liable. But, on this record, the evidence of any specific violation is too thin to establish liability in the first instance. CDK‘s strongest evidence is the email chain between Warrensburg controller Linda Smith and Authenticom employee Lisa Johnston. In a footnote to its argument in favor of joint and several liability, CDK argues that, in light of that email chain, “there is evidence tying the DMCA violation by the Warrensburg Counter-Defendants to Marshall Chrysler Jeep Dodge, L.L.C., specifically.” (CDK‘s Opp. at 22.) This is so, CDK contends, because the subject line of that email chain read “Disabled Profile - Marshall Chrysler - DSS 1384.” That email thread shows that Smith allowed Johnston to install Profile Manager on the Warrensburg server, but the email does not indicate that Profile Manager actually re-enabled a disabled account. Instead, Smith wrote that Profile Manager “is not working as it should” and that Authenticom would need to fix the problem so that “thе profile gets enabled again.” (Defs.’ Add‘l Ex. 485 [1065-17] at CLIFF_HARRIS0007900.) CDK does not offer evidence that the problem was fixed such that Profile Manager enabled one of that dealership‘s disabled accounts. The email, the only evidence CDK offers to tie a specific Warrensburg dealership to its DMCA counterclaim, amounts to little more than “a scintilla of evidence,” which is insufficient to defeat summary judgment. Trahanas v. Nw. Univ., 64 F.4th 842, 852 (7th Cir. 2023).

In any event, the court is not at all certain that the DMCA supports joint and several liability. Whether joint and several liability is available for statutory violations, as opposed to common law torts, depends on the statute‘s specific wording.¹⁴ See Ferris v. Haymore, 967 F.2d 946, 956-57 (4th Cir. 1992) (” [W]hen Congress has intended to impose joint and several liability rather than separate and individual liability, it has so provided explicitly.“). Unlike the Copyright Act—the DMCA‘s neighbor—the DMCA does not include a joint and several liability clause. Cf. Martinez v. United States, 803 F.3d 878, 882 (7th Cir. 2015) (noting thаt a comparison of a “neighboring statute[]” may aid the court‘s interpretation). The Copyright Act‘s statutory damages provision is similar in structure to the DMCA‘s: it allows a copyright owner to elect statutory damages in lieu of actual damages and profits for “all infringements involved in the action,” 17 U.S.C. § 504(c)(1), just as the DMCA permits a complaining party to recover an award of statutory damages “for each violation of section 1201,” 17 U.S.C. § 1203(c)(3). Notably, however, the Copyright Act permits statutory damages “for all infringements . . . for which any two or more infringers are liable jointly and severally.” Id. The later-enacted DMCA elides such language, and CDK does not articulate a basis for reading a “joint and several” clause into the statute‘s text. While a plaintiff seeking damages for copyright infringement may sue any infringer for jointly caused damages, it does not appear that a plaintiff seeking statutory damages under the DMCA can rely on joint and several liability.

Finally, although the court dismisses CDK‘s DMCA violations based on the untimeliness of CDK‘s joint-and-several liability theory, the court notes that it has concerns about many additional elements of CDK‘s DMCA counterclaim. In the above discussion, the court assumes without deciding that Authenticom‘s alleged CAPTCHA circumventions and its rollout of Profile Manager could be found to violate the DMCA. The above discussion also assumes without deciding that CDK could prove on this record that the Continental and Warrensburg Dealers knew of and materially contributed to Authenticom‘s purported infringement. In making these assumptions, the court declines to address many of the parties’ arguments concerning the DMCA and the Copyright Act. Specifically, the court does not address (a) whether CDK‘s disablement of accounts is a “technological measure” within the meaning of the DMCA; (b) whether respоnding to the CAPTCHA prompt or running Profile Manager “circumvented” that access control, despite caselaw holding that using valid login credentials (even without copyright owner authorization) is not a DMCA violation;¹⁵ and (c) whether CDK‘s (i) software, (ii) graphic interface, and/or (iii) data compilations fall within the Copyright Act‘s ambit. Because the court does not address copyrightability issues here, it also declines to address the parties’ arguments concerning fair use.

The court further declines to address the Dealers’ alternative argument that CDK‘s DMCA claim must fail because CDK has not shown a requisite “nexus” to copyright infringement. The court recognizes that the Courts of Appeals ‍‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‍disagree on that issue: the Federal Circuit holds that a DMCA plaintiff must show a nexus between the alleged DMCA violation and a copyright interest, while the Ninth Circuit holds that no such nexus is required. Compare Storage Technology Corp. v. Custom Hardware Engineering & Consulting, Inc., 421 F.3d 1307, 1319 (Fed. Cir. 2005) and Chamberlain Group, Inc. v. Skylink Technologies, Inc., 381 F.3d 1178, 1202 (Fed. Cir. 2004) with MDY Indus., LLC v. Blizzard Entm‘t, Inc., 629 F.3d 928, 950 (9th Cir. 2010). The Seventh Circuit has not spoken on the issue, and this court need not do so to resolve the Dealers’ motion. In short, because CDK has failed to attribute the alleged violations to individual dealerships, the court declines to address whether the record supports a finding that the conduct of any dealership in fact circumvented technological access to a copyrighted work.

CONCLUSION

For the reasons discussed above, the Dealership Counter-Defendants’ motion for summary judgment on CDK‘s counterclaims [963] is granted.

ENTER:

REBECCA R. PALLMEYER

United States District Judge

Dated: June 29, 2023

Notes

The Continental Counter-Defendants (perhaps so named because they sell vehicles whose manufacturers’ headquarters are outside the United States) include ACA Motors, Inc., d/b/a Continental Acura; Continental Autos, Inc., d/b/a Continental Toyota; Continental Classic Motors, Inc., d/b/a Continental Autosports; 5800 Countryside, LLC, d/b/a Continental Mitsubishi; HDA Motors, Inc., d/b/a Continental Honda; H & H Continental Motors, Inc., d/b/a Continental Nissan; Naperville Zoom Cars, Inc., d/b/a Continental Mazda; and NV Autos, Inc., d/b/a Continental Audi.

The Warrensburg Counter-Defendants include Cliff Harris Ford, LLC, d/b/a Warrensburg Ford; Marshall Chrysler Jeep Dodge, L.L.C. d/b/a Marshall Chrysler; and Warrensburg Chrysler Dodge Jeep, L.L.C. d/b/a Warrensburg Chrysler Dodge Jeep Ram Fiat.

The parties set forth facts concerning the extent of CDK‘s copyright interests. Because the court resolves the Dealership Counter-Defendants’ motion on other grounds, it does not repeat those facts here. (See DSOAF ¶¶ 53-54; DSOAFR ¶¶ 53-54.)

“CAPTCHA” is an acronym for “Completely Automated Public Turing Test to tell Computers and Humans Apart.” .

Since the filing of these motions, CDK has reached an agreement settling its claims against Authenticom. Neither side has addressed the impact of this settlement on the claims against the Dealеrs, and the court deems any argument the Dealers might make on this score waived.

The court sets forth only the facts necessary to resolve the Dealers’ motion for summary judgment above. The parties also present evidence relevant to other elements of CDK‘s counterclaim, including, for example, evidence regarding the Continental Counter-Defendants’ (i) alleged knowledge or willful blindness regarding Authenticom‘s automated system for CAPTCHA responses (PSUFR ¶¶ 46-54) and (ii) purported financial interest in Authenticom‘s automated CAPTCHA response system (PSUFR ¶ 57).

The parties’ descriptions of the Profile Manager function are somewhat opaque, but the court understands the process as follows: Profile Manager calls up a list of user accounts and accesses each account in order. If a profile in that list does not have a valid “C#” (meaning the user account is disabled), Profile Manager uses the DMS‘s “Update User Profile” function to reset the C# and, as a result, re-enables the user account. Profile Manager then calls up the next user account in the list if there is one and repeats the process. If a user account has a valid C# (meaning, the account is not disabled), Profile Manager takes no further action with regards to that account and instead calls up the next one. If all of the user accounts that Profile Manager pulls during a particular launch have valid C#s, Profile Manager does not affect those active accounts. (PSUF ¶ 61.)

The basis for this assumption is a CDK record showing that Profile Manager re-enabled the user account “Brianna” at the dealership Mike Hellack Chevrolet (not a Warrensburg dealership) as many as four times in one day between February 2 and February 22, 2017. (Stroz Rep. at App C. ¶ 49.) Though he identified no basis fоr finding the episode at Mike Hellack Chevrolet representative, Mr. Stroz “conservatively assum[ed] that the Profile Manager script successfully re-enabled only one user account per day per dealer group.” (Id.)

CDK also cites . That unpublished ruling concerned a motion to dismiss, and the court does not find it persuasive for resolving this summary judgment motion.

Although is a defamation case, rather than a breach-of-contract case, its discussion of nominal damages applies both to both types of claims. Indeed, when discussing the purpose and limitations of nominal damages, , cites , which CDK relies on as the seminal New Jersey case on nominal damages in breach-of-contract suits. See .

Instead, CDK cites a bankruptcy case in which the claimant moved for relief under the Declaratory Judgment Act, which is inapplicable here. See .

CDK аlso contends that an injunction is necessary because the Dealers’ breaches have wrought intangible harms. See (“[I]t is virtually impossible to ascertain the precise economic consequences of intangible harms, such as damage to reputation and loss of goodwill“). While intangible harms can be a valid reason for seeking injunctive relief, CDK did not plead such injuries in its counterclaims and may not introduce on them at this late date. See (“[P]laintiff may not amend his complaint through arguments in his brief in opposition to a motion for summary judgment.” (internal quotation marks omitted)).

Because the court grants summary judgment on the damages issue, it declines to address the Dealers’ alternative arguments regarding the doctrines of waiver and unclean hands.

CDK cites two cases in which other district courts have imposed joint and several liability when granting default judgments on DMCA claims. (CDK‘s Opp. at 22 (citing ; ).) Those cases are of limited persuasive value because in both cases, the judgments were unopposed, and neither opinion engages with the text of the DMCA‘s statutory damages provision.

See, e.g., (“[U]sing a password to access a copyrighted work, even without authorization, does not constitute ‘circumvention’ under the DMCA because it does not ‍‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‍involve descrambling, decrypting, or otherwise avoiding, bypassing, removing, deactivating, or impairing a ‘technological measure.’ “); but see (distinguishing this case from in declining to dismiss the DMCA claims on motion because CDK alleged that its DMS was “not designed to allow third-parties such as Authenticom to re-enable passwords that CDK intentionally disabled” (emphasis omitted)).

Read the detailed case summary