Have you Vaccinated your Agreement? Disabling Code, Trap Doors, Viruses, and the Like
It is common for licensors to warrant that, except as documented, there are no trap doors, time bombs, or disabling devices in the software and services they provide. The failure of a licensee to obtain such a warranty may provide the licensor significant leverage in the event of a dispute, as some licenses specifically state that the licensor may disable the software in the event of a breach by the licensee. See American Computer Trust Leasing v. Jack Farrell Implement Co., 763 F. Supp. 1473 (D. Minn. 1991), aff’d, 967 F.2d 1208 (8th Cir. 1992) (license permitted licensor to disable software for licensee’s nonpayment). As such, the licensee should always seek to include a statement that the licensor will not engage in electronic self-help. A prudent licensor may seek to limit its risk by instituting the caveat “to the knowledge of licensor” under the reasoning that it cannot control the actions of a rogue employee.
At the same time, however, a licensor who disables software without contractual authority may be guilty of an intentional tort and be liable to punitive damages, see, e.g., Clayton X-Ray Co. v. Professional Systems Corp., 812 S.W.2d 565 (Mo. Ct. App. 1991), and may potentially be in violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. See North Texas Preventative Imaging, L.L.C. v. Eisenberg, 1996 WL 1359212 (C.D. Cal. Aug. 19, 1996) (surreptitious inclusion of time bomb could lead to violation of CFAA). YourNet Dating, Inc. v. Mitchell, 88 F. Supp.2d 870 (N.D. Ill. 2000) (unauthorized entry into computer system was violation of CFAA). Courts have interpreted the CFAA broadly. Data Security and Privacy Law: Combating Cyberthreats § 8.42 (Kevin P. Cronin and Ronald N. Weikers eds. 2005).
Because demonstration licenses usually provide the licensee a limited time period during which the licensee may use the software for testing purposes, most demonstration software includes an internal mechanism that terminates the licensee’s access to the software after a set period of time. To avoid potential problems, prudent licensors should ensure that the automatic termination of the license is clearly disclosed in the license. Depending on the specific security measures contained within the software (e.g., IP tracking, nonuser triggered “phone home” features, automatic termination), a licensor may have to disclose and may even be required to obtain the licensee’s consent in the European Union and in those countries with similar laws addressing data privacy. This is particularly true if it is not self-evident from the nature of the software that such features have been incorporated.
Subject to the nature and type of license, licensees should seek to include an express prohibition in the license prohibiting the vendor from incorporating any “lock-out” mechanisms in the software. Vendors should reject this position if the licensee is receiving a license limited to a specific time period or if the licensor is using a SaaS model and thus requires the ability to terminate access upon expiration of the license term or a breach of the license use rights.
Model language to this effect favoring the licensee is as follows:
Licensor further represents and warrants that if the Works or other deliverables include any computer programs or software code (“Software”): (a) the Software and its media shall contain no computer instructions or inappropriate functions whose purpose or result is to disrupt, damage or interfere with Licensee’s or its Affiliates’ use of or access to the Software or any of their data, programs, systems, or telecommunications or broadcast equipment, software or services; and (b) unless expressly authorized in writing by Licensee, such Software shall not contain (i) any mechanism which electronically notifies Licensor of any fact or event, nor (ii) any key, node lock, time-out, login bomb or other function, implemented by any means, which may restrict Licensee or its Affiliates’ use of or access to the Software or any other data, programs, computers, systems or telecommunications or broadcast equipment, software or services.
Licensees should also insist on a virus warranty. Virus detection and removal is reactive as opposed to proactive with virus detection software responding with a “cure” only once a virus has been identified. Thus, it is impossible for the licensor ever to be completely sure the software is virus free. As such, many licensors will seek to give a “knowledge” warranty with respect to viruses or worms or warrant that they will use commercially reasonable efforts to screen the software and media for viruses prior to the delivery of the software to the licensee. See, generally, Robbins, Vendor Liability for Computer Viruses and Undisclosed Disabling Devices in Software, 10 Computer Law. 20 (July 1993). Licensors should avoid providing an absolute warranty as to the existence of viruses, as they are difficult to detect and may enter the software through no fault of the licensor. Model language is as follows:
Licensor has and will maintain industry standard quality assurance and virus protection procedures designed to ensure that all Deliverables and Services, as applicable, are free of viruses, contaminants, and other malicious code that may harm Customer systems.
Further, some licensors seek an additional level of protection by requiring the licensee to run the software through the licensee’s own virus detection software prior to installing the software on the licensee’s systems and seek to have the licensee warrant to the licensor that the licensee will not infect the licensor’s system. In the event of an infection, the party causing the infection should agree to assume all costs of removing the virus and restoring any corrupted data from the affected party’s computer systems.