Authenticom, Inc. v. CDK Global, LLC et al

Filing 172

OPINION & ORDER granting 51 Motion for Preliminary Injunction; granting 168 Motion to Admit Preliminary Injunction Hearing Exhibits; granting in part and denying in part 170 Motion to Admit Preliminary Injunction Hearing Exhibits. The parti es will work together to craft the form of the injunction. The parties are ordered to confer and to submit an agreed proposed form of injunction to the court by July 21, 2017. If the parties cannot agree on all terms of the injunction, they should set out their competing proposals in the document. Signed by District Judge James D. Peterson on 7/14/2017. (kwf)

Download PDF
IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WISCONSIN AUTHENTICOM, INC., Plaintiff, v. OPINION & ORDER CDK GLOBAL, LLC, and THE REYNOLDS AND REYNOLDS COMPANY, 17-cv-318-jdp Defendants. This is an antitrust case involving the software used by car dealers. Defendants, CDK Global, LLC, and the Reynolds and Reynolds Company, are the main providers of comprehensive software packages called dealer management systems, which are used by virtually all United States car dealers. Plaintiff, Authenticom, Inc., is a third-party data integrator. It provides a service that links car dealers to third-party software vendors who provide features and enhancements that are not built into the dealers’ DMSs. Authenticom contends that defendants have violated the Sherman Act in numerous ways, including by conspiring to drive it out of business. Authenticom seeks a preliminary injunction that would require defendants to allow Authenticom to continue its historical practice of accessing dealer data on defendants’ information systems, using login credentials provided by dealers. The case is complicated both factually and legally. But based on the parties’ written submissions, documentary evidence, and the evidence presented at a two-and-one-half day hearing, the court concludes that Authenticom is entitled to a preliminary injunction. Authenticom’s evidence establishes at least a moderate chance of success in proving that defendants have violated the Sherman Act. And the balance of harms tips sharply in favor of Authenticom, because Authenticom is clearly at risk of going under without a preliminary injunction. The countervailing harm alleged by defendants—primarily the threat to the security of their information systems—is not persuasive because defendants already allow third-party access of the sort that Authenticom asks to continue. And there was no evidence that Authenticom itself had lax security practices or posed a specific threat to the security of defendants’ systems. FINDINGS OF FACT I make no effort here to set out all the facts established by the parties’ evidence or to review comprehensively that evidence. The parties have submitted declarations and documentary evidence, most of which is not objected to. Defendants have, however, lodged specific objections to a number of Authenticom’s exhibits and some declaration testimony in Dkt. 171. For the most part, I will sustain defendants’ objections.1 Focusing on the main points and issues, I find the following facts. Some additional facts are set out the analysis section. A. Background Virtually every dealer in the country uses a DMS, a dealer management system, to manage the major aspects of its business, from vehicle and parts inventory to service 1 The newspaper accounts and other third-party documents are hearsay, and the objected-to declaration testimony lacks foundation. I will overrule the hearsay objection to PHX-009 and PHX-099, although I did not consider those exhibits in my decision. The only objected-to documents that I did consider are PHX-156 and PHX-159, which relate to the exceptions accorded to Penske dealers. I overrule the hearsay objection to these documents; ultimately defense witnesses conceded the existence of the Penske exceptions. I also overrule the objections to PHX-150 and PHX-151, although I did not consider these documents. 2 appointments to payroll. Defendants, CDK Global, LLC, and the Reynolds and Reynolds Company, provide and maintain the two most-used DMSs. Together, defendants provide DMSs to roughly three-quarters of the dealers in the United States. Dozens of other DMS providers serve the remaining quarter of the market, although Dealertrack appears to be the leading alternative to defendants’ systems. Defendants provide the DMS software to the dealer and run the servers that hold the dealer’s data. The data itself belongs to the dealer. Sophisticated DMS software, like defendants’, is expensive. A dealer typically pays $8-10,000 per month for its DMS. Dealers also use software applications from third-party vendors to provide features and services that are not built into the basic DMS, although these applications require data from the DMS. A typical dealer uses 10 to 15 vendor-provided applications in addition to its DMS. For example, a dealer might engage Carfax to provide a vehicle history report for every used car that it offers for sale. Somehow the dealer must get data about its inventory to Carfax, so that Carfax can provide the required reports. Generally speaking, dealers find it cumbersome to retrieve their own data from their DMS and send it to vendors, so most dealers authorize vendors to get the data from the DMS, either directly or through a third-party data integrator. B. Authenticom Plaintiff Authenticom, Inc., is a third-party data integrator, founded by Steve Cottrell in 2002. With the dealer’s consent, Authenticom accesses the dealer’s data on its DMS, downloads the necessary data, reformats the data to suit the needs of the vendor, and then sends the reformatted data to the vendor. The vendor uses the data to provide its services to the dealer. The dealer pays the vendor for its services, and the vendor pays Authenticom for its 3 data integration. Typically, a vendor pays Authenticom about $50 per month for each dealer for which data is provided. In 2014, Authenticom introduced its DealerVault software. DealerVault provides an interface that allows dealers to monitor and control the data provided from its DMS to the vendors it uses. DealerVault is popular with dealers, who generally feel strongly that because they own their data, they should be able to control and monitor its use. Cottrell estimates that approximately 15,000 of 18,000 dealers nationwide have at one time or another relied on Authenticom for services. Dkt. 164, at 89:7-11. The method Authenticom uses to acquire dealer data is a point of contention. Dealers who want to work with Authenticom provide Authenticom a username and password, which Authenticom uses to log into the dealer’s DMS account on defendants’ systems. Authenticom “screen scrapes” the data by capturing what is displayed, and then it cleans up the data to keep the needed elements. Authenticom works with a very large number of dealers, so it has automated this process. Authenticom’s information systems are programmed to automatically and regularly log into dealer DMS accounts so that the data that vendors use is up to date. The evidence generally shows that Authenticom is secure. DealerVault is hosted on Microsoft Azure, secure cloud technology. And the data to which Authenticom has access is controlled by the dealer. Wayne Fitkin, a veteran in the automotive IT industry and currently IT director for a dealership group, testified that although Fitkin himself has access to a large amount of extremely sensitive information, he creates a user ID specifically for Authenticom that has access to limited accounts and a single function necessary to query and scrape the 4 system. Dkt. 165, at 9:12-21. The court did not receive any evidence that Authenticom has ever suffered a security breach or that it has caused a security breach at another entity.2 C. Defendants block Authenticom Defendants object to Authenticom’s screen-scraping data extraction method, which they call “hostile access.” Reynolds has never approved of third-party access based solely on the dealer’s authorization. Reynolds allows third-party access only with its own approval, and preferably via an interface specifically designed for that purpose, the Reynolds Certified Interface (RCI). Through RCI, third parties—vendors, typically—access and receive specified data fields in a highly controlled environment. Reynolds contends that access via RCI is more secure and less burdensome on the Reynolds system than Authenticom’s screen-scraping technique. The court accepts this point as a general principle, but Reynolds did not provide evidence to quantify the relative burden Authenticom places on the system, and Reynolds did not adduce any evidence of any actual or realized security threat attributable to Authenticom. Reynolds began blocking Authenticom’s access to its DMS in 2009, and it achieved more effective blocking around 2013, apparently by using technology that was able to detect and instantly disconnect automated access to its DMS. Reynolds’ more effective blocking had a significant impact on Authenticom’s revenue, because blocking interfered with Authenticom’s ability to integrate data for vendors who served dealers using Reynolds’ DMS. Unlike Reynolds, until 2015, CDK offered what the parties and the court have been calling an “open system.” An open system allows third-party integrators, such as Authenticom, 2 In the time Authenticom has been in operation, there has been only one reported incident with defendants: several years ago, a faulty code placed by Authenticom caused the Reynolds system to cyclically reprocess the same code. 5 to access and scrape data from the DMS with dealer authorization. Indeed, until recently, CDK touted its open system as one of the competitive advantages of its DMS. In fact, CDK itself owned and operated third-party integrators, DMI and Integralink. Apparently the open system was appealing to dealers, as Reynolds’ market share declined from approximately 40 percent to approximately 28 percent as CDK marketed its open system and Reynolds solidified its closed one. Id. at 84:7-17. CDK picked up most of the dealers who left Reynolds. But things changed around 2014, as CDK reconsidered its third-party access programs. Internal documents and testimony from CDK witnesses suggest that two primary concerns motivated CDK’s reconsideration. First, well-publicized security breaches prompted CDK to improve its cybersecurity, and CDK implemented a “Security First” initiative. (Notably, the Security First initiative recommended improved third-party access practices and retiring “certain integration that risks data integrity”, but it did not specifically recommend terminating all third-party access. DHX-27.) Second, CDK realized that it was not getting all the value it could from 3PA, its third-party access program which is, essentially, the equivalent of Reynolds’ RCI. So, after years of touting the benefits of its open system, CDK decided to bring data integration in house and transition toward a closed system. D. The defendants’ agreements CDK’s transition to a closed system roughly coincided with CDK and Reynolds signing written agreements in February 2015. The first of the three agreements was a so-called Data Exchange Agreement. Dkt. 106-1. In the Data Exchange Agreement, CDK agreed to wind down certain aspects of DMI, CDK’s third-party integrator—specifically, those aspects that involved “hostilely integrating” with the Reynolds system. Reynolds agreed that it would not block DMI’s access to the Reynolds system during the wind-down period, which might last as long 6 as five years. And CDK agreed to cooperate with Reynolds to have DMI clients—vendors using DMI to poll data from the Reynolds system—transition to RCI, Reynolds’ in-house “data integrator.” Id. §§ 4.1, 4.4. Defendants further agreed that they would not assist any person that attempts to access or integrate with the other party’s DMS. Id. § 4.5. This section is described as “not intended as a ‘covenant not to compete,’ but rather as a contractual restriction of access and attempted access intended to protect the operational and data security integrity of the Reynolds DMS and the CDK DMS.” Id. Section 4.5’s terms do not expire. Id. § 6.1. The remaining agreements in the set—the 3PA Agreement and the RCI Agreement— granted reciprocal access to defendants’ in-house data integration platforms. Both Reynolds and CDK provide add-on software applications for dealers, just like third-party vendors. CDK wanted access to the Reynolds DMS for its applications, and Reynolds wanted access to the CDK DMS for its applications. Id. at 2. Under the agreements, CDK’s applications could access the Reynolds DMS via RCI, and vice versa. Reynolds received five free years of 3PA access, purportedly as consideration for its allowing DMI’s access to the Reynolds system during the wind down. By signing up for 3PA, Reynolds agreed that it would access the CDK DMS exclusively through 3PA, and Reynolds agreed that it would not “otherwise access, retrieve, license, or otherwise transfer any data from or to a CDK System (including, without limitation, pursuant to any ‘hostile interface’) for itself or any other entity,” or contract with any third parties to access the system. Dkt. 106-2, at 5. The RCI Agreement contains similar restrictions: “Non-Approved Access” is any access to the Reynolds DMS made without Reynolds’ prior written consent. Dkt. 106-3, § 1.8. 7 E. The aftermath According to Cottrell, on the heels of the February 2015 agreements, in May 2015, Robert Schaefer, Reynolds’ head of data services, told Cottrell that CDK and Reynolds agreed to support one another’s data integration programs—3PA and RCI—and block third-party data integrators, like Authenticom. Reynolds was “adamant that all third-party data integrators must be cut off.” Dkt. 62, ¶ 52. Schaefer denies making such statements, although the Reynolds/CDK agreements would essentially have this effect. In August 2015, CDK began aggressively blocking Authenticom. Vendors, many of whom were understanding and willing to work with Authenticom following Reynolds’ aggressive blocking in 2013, began to move their business elsewhere. According to Cottrell, Authenticom has been unable to attract new vendor customers because it cannot guarantee that it will be able to provide services without access to Reynolds’ and CDK’s DMSs. Cottrell testified that in April 2016, he had a conversation with Dan McCray of CDK. McCray told Cottrell that CDK and Reynolds had agreed to “lock you and the other third parties out.” Id. ¶ 48. According to Cottrell, McCray stated in no uncertain terms that CDK wanted to destroy Authenticom. Like Schaefer, McCray largely denies that CDK and Reynolds agreed to take concerted action, and he denies the more aggressive statements Cottrell attributes to him. But he does concede that he “confirmed that it was CDK’s goal to remove all non-authorized access, including the user ID and password access Authenticom used, from the CDK DMSs in an orderly manner so as to ensure a smooth transition for CDK’s dealers, the OEMs, and vendors.” Dkt. 95, ¶ 11. The consequences to Authenticom’s business have been severe. Evidence from Authenticom shows a dramatic drop-off in revenue, very limited cash reserves, and breaches of 8 covenants with its lender on a substantial loan. Authenticom’s financial expert, Gordon Klein, testified that Authenticom is on the brink of going under. Without court intervention, Klein estimates that Authenticom will be $1 million in the red over the next 12 months, and Klein would recommend that the bank foreclose on Authenticom’s outstanding loan. Defendants’ financial expert, Mark Zmijewski, testified that Authenticom has a base of revenue that is not affected by the defendants’ blocking, and that there is some residual data integration revenue that is still coming in, including some from non-CDK and Reynolds dealers. He opined that the situation is not as grave as Klein portrays, that the bank would not likely foreclose, and that Authenticom could survive on a reduced scale. F. Post-agreement competitive effects Historically, the market for data integration services was competitive, with a number of providers offering services similar to Authenticom’s. Now, essentially only Authenticom remains. One other vendor, SIS, is now primarily an application software vendor, but it continues to provide some vestigial data integration services. For the most part, CDK and Reynolds have brought data integration for their dealers in house. The court received some informative, though not comprehensive, evidence regarding data integration pricing. Although Reynolds’ information for pricing RCI integration services is not public, one witness, Alan Andreu, testified that when his software company, Dominion, first began using RCI in 2011, it was paying $247 per month per dealer. Come September 2017, that same data package will cost $893. Andreu also testified that Dominion was paying $457 per dealership for 3PA, CDK’s integration service. Dkt. 165, at 39:1-3 (“So compared to Reynolds’ 893, it’s cheap—it’s only $457—until you compare it to that $30 that I could have paid Authenticom.”). A second vendor witness, Matthew Rodeghero with AutoLoop, testified 9 that in 2015, Reynolds charged approximately $700 per month for a dealer using “the full suite of AutoLoop’s products.” Id. at 59:3-5. Now, that price has gone up to $835, plus additional write-back fees. Access to the CDK DMS via 3PA cost approximately $160 in 2014, $694 in 2016, and $735 in July 2017, without “any noticeable product improvements.” Id. at 62:1617. CDK concedes that it is now charging vendors more after the 3PA “refresh” initiative. Defendants attempt to prevent vendors from informing dealers about the price of data integration services. According to Reynolds, its standard RCI vendor contract prohibits the vendor from discussing RCI costs because it would allow for confusing comparisons; each application’s RCI interface is individualized, so prices are not comparable. Similarly, CDK prevents vendors from putting a line item on their bills attributable to 3PA charges, to prevent vendors from passing the charge through to the dealer. G. Security A few points on security before the court turns to the merits. Schafer testified that the DMSs store customer information, OEM proprietary information, financial information, and other sensitive information. Schaefer testified that Authenticom scrapes data from the Reynolds DMS that it does not need. Reynolds has spent a great deal of time and money developing its “sandbox” system, including customized interface packages, real time access to data, and a journaling feature to track activity and guard against automated errors that may infect the system. In this sense, RCI provides a one-to-one relationship with applications to ensure that they receive only the data they need to serve the dealers. One witness, Andreu, described Dynamic Reporting—Reynolds’ means of allowing dealers to manually extract their data from the DMS—as “comically” and “horribly insecure.” Id. at 43:7, 13-14. With dealer employees at the helm, it is possible that vendors will receive 10 pulled data in an unsecured email, unencrypted, despite instructions to upload the data over a secure file transfer protocol (SFTP). ANALYSIS To obtain a preliminary injunction, Authenticom must demonstrate that: (1) it has a better-than-negligible chance of success on the merits; and (2) it has no adequate remedy at law and that it would suffer irreparable harm without preliminary relief. Promatek Indus., Ltd. v. Equitrac Corp., 300 F.3d 808, 811 (7th Cir. 2002). Once it satisfies these two preliminary elements, Authenticom must show that the harm it would suffer without the injunction would outweigh the harm that defendants would suffer if the injunction issued. Id. Authenticom must also show that the public interest would not be negatively affected by the injunction. Id. The stronger Authenticom’s case on the merits, the less the balance of harms needs to tip in favor of Authenticom to support the injunction. Id. A. Likelihood of success on the merits Authenticom brings a number of claims against defendants. For our purposes here, the court will focus on Authenticom’s claim that defendants engaged in a horizontal conspiracy, in violation of § 1 of the Sherman Act. “Every contract, combination . . . , or conspiracy, in restraint of trade or commerce among the several States . . . is declared to be illegal.” 15 U.S.C. § 1. Horizontal agreements between competitors are per se illegal. Toys “’R” Us, Inc. v. FTC, 221 F.3d 928, 936 (7th Cir. 2000). A plaintiff may prove the existence of a horizontal agreement by either direct or circumstantial evidence. Id. at 934. “When circumstantial evidence is used, there must be some evidence that ‘tends to exclude the possibility’ that the alleged conspirators acted 11 independently.” Id. (quoting Monsanto Co. v. Spray-Rite Serv. Corp., 465 U.S. 752, 764 (1984)). “[T]o prove an antitrust conspiracy, ‘a plaintiff must show the existence of additional circumstances, often referred to as “plus” factors, which, when viewed in conjunction with the parallel acts, can serve to allow a fact-finder to infer a conspiracy.’” United States v. Apple, Inc., 791 F.3d 290, 315 (2d Cir. 2015) (quoting Apex Oil Co. v. DiMauro, 822 F.2d 246, 253 (2d Cir. 1987)), cert. denied, 136 S. Ct. 1376 (2016). Market division agreements—agreements to “stay out of each other’s territories”—are “per se illegal, just like price-fixing agreements.” Blue Cross & Blue Shield United of Wis. v. Marshfield Clinic, 152 F.3d 588, 591 (7th Cir. 1998). Group boycotts are per se illegal, too, i.e., “joint efforts by a firm or firms to disadvantage competitors by either directly denying or persuading or coercing suppliers or customers to deny relationships the competitors need in the competitive struggle.” Toys “’R” Us, 221 F.3d at 936 (quoting Nw. Wholesale Stationers, Inc. v. Pac. Stationery & Printing Co., 472 U.S. 284, 294 (1985)). Here, Authenticom has adduced evidence that could establish the existence of a per se illegal horizontal conspiracy. Steve Cottrell, Authenticom’s founder, owner, and CEO, testified that defendants’ representatives—Schaefer and McCray—told him that they had agreed to drive Authenticom from the market. Schaefer and McCray deny making these statements. But their denials were conclusory, whereas Cottrell’s testimony was detailed and thus more persuasive. At this point, I will credit Cottrell’s testimony. The February 2015 agreements between CDK and Reynolds also suggest a horizontal conspiracy. Although the agreements do not explicitly state that defendants will work together to eliminate third-party data integrators, the agreements have that effect. The parties agree that they will not attempt to access, or help others access, the other’s DMS without permission 12 (although Reynolds gives CDK a long wind-down period to transition out of the Reynolds integration business). Both parties agree to cooperate in facilitating their dealers’ access to each other’s software applications. And their agreements with third-party vendors—like the 3PA Agreement and the RCI Agreement—are exclusive, in the sense that defendants agreed that in their capacity as app providers, their sole access to one another’s DMSs would be through the in-house interfaces. In other words, by signing up for 3PA or RCI, defendants agreed not to use third-party integrators to access the CDK DMS or the Reynolds DMS, respectively. After the agreements, there is little room in the market for third-party integrators. Both sides adduced economic experts to explain the parties’ conduct here. Authenticom’s expert, Hal Singer, testified that when CDK agreed that DMI would wind down its hostile integration practices (with respect to Reynolds, at least), it gave up a competitive advantage: its “toe hold” in the Reynolds market and the opportunity to move Reynolds dealers over to CDK. Before February 2015, CDK was stealing business from Reynolds. After the agreements, it is not clear how CDK benefits. As Singer put it, CDK closed for one of two reasons: either cybersecurity issues really did motivate its move to a closed system, or Reynolds did. Singer suggests that the more reasonable implication is that CDK made an agreement with Reynolds so that it could extract higher prices for data integration services, which would more than offset the loss of dealers who were unhappy with CDK’s move to a closed system. Defendants’ expert, Sumanth Addanki, testified that the prime interest of both CDK and Reynolds is the DMS market, not the data integration market. And by closing its system, CDK risked losing DMS customers, so the only rational explanation is that CDK closed it system because it saw value in increasing security. It could not have been to increase data integration costs; the value is too small to be worth the trouble. 13 Neither economic expert had enough data to offer a fully compelling economic explanation for the February 2015 agreements. But Singer’s analysis is more supported by the other evidence at the hearing. If a typical dealer uses 10 to 15 applications, and data integration costs are approximately $800 per application, data integration revenue per dealer is nearly the equal of the base cost of the DMS itself. Contrary to Addanki’s suggestion, data integration is no sideline. Internal CDK documents also confirm that CDK’s decision to refresh its 3PA program was motivated, at least in part, by a desire to realize more revenue from third-party access. And testimony from software vendors suggests that data integration prices have risen considerably, particularly in comparison to prices charged by third-party integrators. The February 2015 agreements do not explicitly state that defendants agree to work together to freeze out third-party data integrators. But Authenticom has adduced evidence sufficient to suggest more than merely parallel conduct by independent firms. The court will touch only briefly on Authenticom’s remaining Sherman Act claims. As discussed, Authenticom has adduced evidence that suggests that defendants’ contracts with vendors are exclusive dealing agreements. “Exclusive dealing involves an agreement between a vendor and a buyer that prevents the buyer from purchasing a given good from any other vendor.” Allied Orthopedic Appliances Inc. v. Tyco Health Care Grp. LP, 592 F.3d 991, 996 (9th Cir. 2010). Reynolds’ standard vendor contract provides that the vendor and its agents are not authorized to directly or indirectly access the Reynolds DMS; they have to use RCI. PHX-53, § 1.9. A similar provision appears in the standard 3PA agreement. DHX-32, at 3 (“Vendor agrees that it will . . . access data on, and provide data to, CDK Systems exclusively through the Managed Interface System[.]”). 14 Unlike horizontal agreements, which are per se illegal, vertical agreements are unlawful “only if an assessment of market effects, known as a rule-of-reason analysis, reveals that they unreasonably restrain trade.” Apple, 791 F.3d at 313-14. Under the rule of reason, an exclusive dealing arrangement violates § 1 if it forecloses competition in a substantial share of the line of commerce at issue. Allied Orthopedic, 592 F.3d at 996. “[A] plaintiff must prove two things to show that an exclusive-dealing agreement is unreasonable. First, he must prove that it is likely to keep at least one significant competitor of the defendant from doing business in a relevant market. If there is no exclusion of a significant competitor, the agreement cannot possibly harm competition. Second, he must prove that the probable (not certain) effect of the exclusion will be to raise prices above (and therefore reduce output below) the competitive level, or otherwise injure competition; he must show in other words that the anticompetitive effects (if any) of the exclusion outweigh any benefits to competition from it.” Roland Mach. Co. v. Dresser Indus., Inc., 749 F.2d 380, 394 (7th Cir. 1984). Here, Authenticom has adduced evidence that defendants have effectively cut it out of the data integration market. And, as discussed above, the court received evidence suggesting that defendants are charging significantly more for data integration through RCI and 3PA than Authenticom charges for data integration. The question here would be whether defendants’ higher prices are justified. Defendants explain that the costs are justified because they undertake the burden of maintaining the DMS and preserving its security. I am not persuaded for two primary reasons. First, defendants did not present evidence of the cost of data integration. They presented evidence that they had invested vast sums in their respective DMSs, which is a point taken. But the dealers already pay a lot for the DMS, and defendants did not put in any evidence to quantify the additional expense of providing data integration 15 services. Second, defendants did not show that properly managed third-party access, even using dealer credentials and screen scraping, really poses additional security risks. Reynolds allows significant exceptions by “whitelisting” certain third parties that it allows to access its system, most notably DMI, CDK’s third-party integrator. Authenticom has made the requisite likelihood of success showing. The court moves to the next factor. B. Adequacy of legal remedies and irreparable harm Authenticom must demonstrate that it has no adequate remedy at law. This is a separate consideration from whether Authenticom would suffer irreparable harm, although the considerations are related, and Authenticom presents virtually the same evidence for both. Typically, a legal remedy is inadequate for one of four reasons: (1) damages would come too late to be of meaningful value to the plaintiff; (2) plaintiff might not be able to afford the full litigation; (3) the defendant might not be collectible at the end of the litigation; or (4) the monetary damages might be too difficult to calculate. Id. at 386. Here, Authenticom has adduced compelling evidence that it is on the brink of collapse, which satisfies both options one and two. As discussed in the fact section, Gordon Klein, Authenticom’s financial expert, opined that defendants’ continued blocking of access to dealer data would essentially destroy Authenticom’s data integration business. Klein opined that without court intervention, Authenticom could be $1 million in the red over the next 12 months. And he predicted that the bank would foreclose on Authenticom’s loan. I do not find Klein’s testimony fully convincing, because he has assumed nearly worstcase assumptions about business loss. But the opinions of defendants’ financial expert are also 16 based on assumptions rather than evidence. I find Klein’s predictions closer to the mark. Reynolds’ blocking, if completely effective, would cut Authenticom out of 28 percent of the market. This would be difficult, but survivable, as Authenticom has demonstrated by largely surviving Reynolds’ 2013 blocking efforts by hanging on to CDK. But with CDK also blocking access, Authenticom will be cut off from nearly three-quarters of the dealers in the United States. Most third-party software vendors would be disinclined to engage a third-party integrator that could access data from only a quarter of the dealers in the United States. Authenticom may have some business lines that could survive defendants’ blocking—mostly “data hygiene” services—but these services are generic data processing services that are available from many sources, and thus would not be a secure foundation for Authenticom’s business that is based on its successful specialized data integration services to dealers and related software vendors. Every day that Authenticom is unable to serve its customers, it burns more of its goodwill and solidifies its customers’ doubts about its viability. Regardless of whether the evidence conclusively establishes that defendants are able to effectively and completely block Authenticom, Authenticom’s customer base is growing increasingly wary of continuing to do business with it. Authenticom has demonstrated that it does not have an adequate remedy at law and that it stands to incur irreparable harm absent court intervention. C. Balance of harms Because Authenticom has made its threshold showings, the court considers the balance of the harms to the parties. Defendants contend that a preliminary injunction would harm them in two ways: by imposing increased security risks and overburdening their DMSs. 17 Cybersecurity. Reynolds made the more substantial showing on this point, so the court will focus on Reynolds. Defendants’ security expert, Eric Rosenbach, testified that every point of access to a system is a point of vulnerability. And Reynolds has consistently resisted thirdparty access using dealer login credentials. Reynolds contends that RCI is more secure, substantially because it is more tightly controlled. Allowing third parties to use dealer login credentials to forage around in Reynolds’ DMS renders both dealer data and the Reynolds system less secure. All this is very plausible. But for several reasons, the court is not convinced that Authenticom’s access poses significant risks. First, the evidence at the hearing showed that Authenticom does not forage around or access data beyond the legitimate needs of its customers, vendors and dealers. The court did not hear any evidence that Authenticom takes proprietary OEM data or that any extra information captured in the screen-scraping process is put to ill use. Second, the court did not hear any evidence that Authenticom has ever experienced a security breach or facilitated a security breach of either defendant’s DMS. Third, Reynolds’ Dynamic Reporting function, which Reynolds contends is an acceptable alternative to Authenticom’s automated access, poses its own security risks. One witness described the use of Dynamic Reporting by dealer employees as “comically” insecure, because dealer employees often send downloaded dealer data in plain text in unencrypted emails. Dkt. 165, at 43:7, 13-14. Fourth, Reynolds contends that it is particularly concerned about Authenticom’s “machine access” to its DMS. But Reynolds presented no evidence that Authenticom’s automated access was less secure than manual access by dealer employees. Also, Reynolds DMS 18 agreements prohibit dealers from disclosing passwords to non-employees, but they do not specifically prohibit automated access, if done by the dealers or their employees. Fifth, part of the difficulty of tracking and dealing with third-party access is attributable to Reynolds’ blocking efforts, and dealers’ and data integrators’ efforts to counter the blocking. If Authenticom were to use login credentials created specifically for Authenticom and disclosed to Reynolds, Reynolds should be able to adequately track Authenticom’s access and resolve any potential problems associated with that access. The “cat and mouse” game that Schaefer described would be a thing of the past. Sixth, and perhaps most important, Reynolds already allows many exceptions to its “no hostile integration” policy. There was ample evidence that Reynolds allowed (and even continues to allow to this day) third parties to use dealer credentials when it suited Reynolds. Although Reynolds characterized these exceptions as short-term transitional needs that are tightly controlled, the bottom line is that Reynolds allows many exceptions. And if those exceptions can be managed during a transitional period, it is hard to see how allowing Authenticom temporary access during the course of this trial would impose a serious risk. I turn now to defendants’ contention that Authenticom’s access imposes an unwarranted burden on their DMSs. CDK offered evidence that Authenticom made 18,000 queries to CDK’s DMS in one day. DHX-186. No one would dispute that Authenticom’s queries tax defendants’ systems to some degree. But defendants did not submit evidence that would allow the court to determine what proportion of overall system resources were expended on Authenticom’s queries. Nor did defendants submit evidence to show how much more resources Authenticom’s queries consumed than would have been consumed if the dealers and vendors had used some other, approved means of accessing data. Defendants have not shown 19 that the Authenticom’s access to defendants’ DMSs imposes a substantial burden, let alone one that would outweigh the harm to Authenticom if the injunction does not issue. The balance of harms tips sharply in Authenticom’s favor. It faces a very substantial risk of failure without the injunction, whereas defendants could accommodate Authenticom’s access to their DMSs substantially with the resources and processes that they already have in place. D. The public interest Finally, the court considers the public interest. The court has concluded that a preliminary injunction allowing Authenticom to access dealer data on defendants’ DMSs would not pose a substantial security risk. Accordingly, the court concludes that the public would not be disserved by a preliminary injunction. Moreover, the court concludes that third-party software vendors and dealers would be served by the continued availability of Authenticom’s DealerVault software and its data integrations services. Ultimately, if defendants prevail, Authenticom’s business model may not be viable. But the court concludes that the public interest is served by providing Authenticom preliminary relief so that it can survive this litigation and, if it prevails, continue to provide a competitive product that has already won acceptance in the market. E. Injunction formalities 1. Injunction bond Defendants contend that Authenticom should have to post a substantial bond, “to insure defendants against the substantial risks they would face as a result [of the preliminary injunction].” Dkt. 105, at 65. Defendants ask for $10 million. Authenticom, unsurprisingly, 20 contends that no bond is warranted and asks that the court waive the requirement. But if the court is inclined to require a bond, Authenticom advocates for $1 million. Rule 65(c) provides that the court may issue a preliminary injunction “only if the movant gives security in an amount that the court considers proper to pay the costs and damages sustained by any party found to have been wrongfully enjoined or restrained.” “The purpose of an injunction bond is to protect the restrained party from damages that it would incur in the event that the injunction was wrongfully issued.” Bader v. Wernert, 178 F. Supp. 3d 703, 745 (N.D. Ind. 2016). “[W]hen setting the amount of security, district courts should err on the high side.” Habitat Educ. Ctr. v. U.S. Forest Serv., 607 F.3d 453, 456 (7th Cir. 2010) (quoting Mead Johnson & Co. v. Abbott Labs., 201 F.3d 883, 888 (7th Cir.), opinion amended on denial of reh’g, 209 F.3d 1032 (7th Cir. 2000)). Nevertheless, “a number of cases allow a district court to waive the requirement of an injunction bond. In some of these cases the court is satisfied that there’s no danger that the opposing party will incur any damages from the injunction.” Id. at 458. In other cases, the appropriate bond amount exceeded the movant’s ability to pay, and courts balanced “the relative cost to the opponent of a smaller bond against the cost to the applicant of having to do without a preliminary injunction that he may need desperately.” Id. (collecting cases). Here, the court will not waive the bond requirement, but it will consider Authenticom’s circumstances. Authenticom, on the verge of going out of business, is not in a position to post a $10 million bond. The court did not receive compelling evidence regarding potential harm to defendants, either in terms of cybersecurity or the burden on their DMSs. But the court did receive evidence that a preliminary injunction may require defendants to adjust their systems to accommodate Authenticom’s access, and that such efforts may be costly. The court will 21 order that Authenticom post a $1 million bond, an amount that Authenticom concedes is manageable. 2. Form of the injunction The court will issue a preliminary injunction that will allow Authenticom to access dealer data from defendants’ DMSs—with dealer permission—during the pendency of this litigation. But the court will ask the parties to jointly propose the form of injunction. The core provision of the injunction is that defendants are to cease blocking Authenticom from using dealer login credentials to provide data integration services to dealers who authorize Authenticom to provide this service. But defendants may require that Authenticom use login credentials that allow defendants to identify and track the entity or person who is accessing their systems. Defendants may also limit the data accessed by Authenticom to those fields reasonably necessary to the services that Authenticom provides. The parties will have one week to submit the proposed form of injunction. ORDER IT IS ORDERED that: 1. Plaintiff Authenticom, Inc.’s motion for preliminary injunction, Dkt. 51, is GRANTED. 2. The parties will work together to craft the form of the injunction. The parties are ordered to confer and to submit an agreed proposed form of injunction to the court by July 21, 2017. If the parties cannot agree on all terms of the injunction, they should set out their competing proposals in the document. 22 3. Defendants CDK Global, LLC, and the Reynolds and Reynolds Company’s motion to admit preliminary injunction exhibits, Dkt. 168, is GRANTED. 4. Plaintiff’s motion to admit preliminary injunction exhibits, Dkt. 170, is GRANTED in part and DENIED in part, consistent with this order. Entered July 14, 2017. BY THE COURT: /s/ ________________________________________ JAMES D. PETERSON District Judge 23

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?