skip to main content

As digital technology and the online environment transform the distribution and use of intellectual property, our Copyright & Trademark group is on the front lines in protecting and enforcing our clients’ most important creative assets. Our trial-tested team represents a wide range of clients, from entrepreneurs to major corporations, from playwrights to media giants, and from individual songwriters to the country’s largest performing rights organizations.

Paul, Weiss Wins Significant Victory in Online Business Security Case

On July 22, Paul, Weiss won a significant victory for our client Baidu on hot-button issues concerning the security of online businesses.

Baidu, the largest search engine provider in China and the third-largest in the world, suffered a cyberattack on January 11, 2010 that resulted in the diversion of users trying to access Baidu's website to a web page containing racist rhetoric and images attributed to the "Iranian Cyber Army." The cyberattacker gained control over Baidu's domain name account when, posing as a Baidu representative in an online customer service chat session, the attacker obtained access to Baidu's user name and password from Baidu's domain registrar in the United States.

Baidu sued the domain registrar in the Southern District of New York for damages resulting from the attack. The domain registrar moved to dismiss the complaint principally on the ground that the registrar's service agreement contained purported disclaimers and limitations of liability, and on the ground that any injury Baidu suffered had resulted from criminal activity of which the registrar also claimed to be a "victim."

Judge Chin held that Baidu sufficiently pleaded acts of gross negligence such that, under New York law, the purported liability limitations in the service agreement would not be enforceable if Baidu's allegations are proven. In addition, Judge Chin held that although the domain registrar disclaimed liability for the security of Baidu's information in the services agreement, the registrar did, in fact, adopt security protocols, and, having thus assumed a duty to provide security, had a duty not to be grossly negligent or reckless in providing that service.

"The attack by the intruder was reasonably foreseeable," Judge Chin observed (citing recent studies on the growing threat of cyberattacks on online businesses), ". . . it was precisely because these cyber attacks are foreseeable that the security measures were adopted." Rejecting the registrar's contention that Baidu had pleaded nothing more than "an inadvertent isolated mistake," Judge Chin held that the registrar's alleged failure to follow its own protocols "'smacks of' intentional wrongdoing," and, at a minimum, could support a finding of "reckless disregard for the rights of others."

Judge Chin also rejected the registrar's argument that it should not be liable for injury caused by intervening criminal activity, concluding that if the registrar "had simply followed its own security protocols, the attack surely would have been averted and neither [the registrar] nor Baidu would have been victimized."

Judge Chin thus denied the motion to dismiss with respect to Baidu's claims for gross negligence, recklessness and breach of contract.

The Baidu team included litigation partners Marc Falcone and Roberto Finzi; and corporate partner Greg Liu.

© 2023 Paul, Weiss, Rifkind, Wharton & Garrison LLP

Privacy Policy