likely to forfeit liability limitation in Baidu hack case

Out-Law News | 06 Aug 2010 | 10:48 am | 2 min. read

Domain name registrar could be liable for damages for allowing a hacker to take over China's leading search engine, despite contract clauses limiting liability, a New York court has said.

The mistakes made by the company's agents in allowing the hacker to gain control of the domain name were so serious that they could overcome the contractual provisions put in place by the registrar, the US District Court for the Southern District of New York said.

Baidu, the third biggest search engine in the world, had used Register as its registrar for more than 10 years when a hacker attacked the site in January of this year.

He engaged in a conversation with a Register agent on an internet chat service operated by Register to offer support to customers.

He asked to change the email address registered for Baidu, claiming to be an employee of that company. He was asked for a security code, which he did not have. The Register employee emailed a new code to the registered address.

The hacker had no access to that address, so he provided a fake code to the Register employee, who did not check the two codes and changed the address on file to [email protected], despite the fact that the Gmail email service is operated by Baidu's biggest competitor, Google.

By asking Register's system to send a password reminder to the now-changed email address, the hacker gained control of the domain name and redirected it to a page containing an Iranian flag and a picture of a broken star of David. The page said that the site had been "hacked by the Iranian Cyber Army".

Baidu sued Register for, amongst other things, gross negligence or recklessness and breach of contract.

Register claimed that clauses in its contract with Baidu limited its liability and asked the Court not to allow the case to proceed because of that. The Court refused.

"Courts in New York generally enforce contractual waivers or limitations of liability," said the ruling. "[But] New York courts will decline to enforce a contractual limitation or waiver of liability clause when there is wilful or grossly negligent or recklessly indifferent conduct."

"A claim of gross negligence requires a plaintiff to prove that the defendant failed to 'exercise even slight care, scant care, or slight diligence'," said the ruling, quoting a previous case.

The ruling said that courts would be particularly reluctant to overrule a limitation of liability when it was the product of negotiation between two experienced companies, but that some cases demanded exactly that.

"The gross negligence exception applies even to contracts between sophisticated commercial parties, although a 'more exacting standard of gross negligence' must be satisfied," said the ruling, again quoting from an earlier case.

"In these circumstances, the defendant's conduct must amount to 'intentional wrongdoing,' 'wilful' conduct that is 'fraudulent, malicious or prompted […] by one acting in bad faith,' or conduct constituting gross negligence or 'reckless indifference to the rights of others'," said Denny Chin, the judge.

He said that there was enough evidence to force a trial on the issue.

"I hold that Baidu has alleged sufficient facts in its complaint to give rise to a plausible claim of gross negligence or recklessness," he said. "If these facts are proven they would provide a sufficient basis for a jury to find that Register acted in a grossly negligent or reckless manner, in which event the limitation of liability clause in the [contract] would be ineffective."

"While Baidu gave up, in agreeing to the Limitation of Liability clause, any claims for ordinary negligence or breach of contract based on ordinary negligence, it did not waive its claims for gross negligence or recklessness. If Baidu can prove gross negligence or recklessness, the Limitation of Liability clause will not be a bar," said the ruling.