Section Title: Introductions & Adoptions Of Uniform Acts.
 
> Memorandum

REPORTED CASES ON ELECTRONIC SELF HELP
Prepared by Mary Jo Dively
September, 2000

> Purpose:

This memorandum briefly discusses the reported cases which address the use of electronic means to deactivate a computer program, and, where possible (depending upon the availability of facts), discusses what result would have been reached on the same facts under UCITA.

> Commercial Context:

Section 816 of UCITA, "Limitations on Electronic Self-Help," initially was conceived to address the following fact pattern: A software licensee materially breaches a software license (by failure to pay or other action constituting material breach, such as copying the software and reselling the copies to third parties, or wrongfully making the software available to unlimited third parties over the Internet). The software licensor exercises its right to cancel the software on account of the material breach, and then uses electronic means to either repossess or prevent further use of the software, on the theory that the licensee is not entitled to use the software after cancellation.

The Drafting Committee was aware that there were few reported cases on the subject, and that courts would be likely to apply by analogy the self-help provisions of UCC Articles 2 and 9. In 1992, the ABA issued an updated Model Software Licensing Agreement that sets forth an express provision warranting that there is no Self-Help or Unauthorized Code, evidencing that self-help was an issue over a decade ago. It was and is not extraordinary for a License to contain an authorization to disable the software if there is a material breach.

In considering the issue of whether to be silent, as UCC Article 9 is, the Committee was aware of a number of new commercial realities presented by the development of the Internet and the increasing reliance on computer systems to run virtually all aspects of business:

  1. Information in digital form could, in a matter of seconds, be copied and distributed to millions over the Internet.
  2. While the Internet had made it possible for thousands of small software licensors to distribute their products globally, those small companies generally had limited economic power. Self-help provided a way to secure their property and protect their income stream, thus leveling the playing field for them as against larger, established entities.
  3. Companies against whom self-help was exercised could be crippled, even shut down completely.
  4. There existed the potential for grave harm to the public by the exercise of self-help.

> Findings:

A review of the reported cases which address the use of electronic means to deactivate a computer program reveals the following:

  1. Only one reported case was found which follows the classic fact pattern for which Section 816 initially was conceived (use of electronic self-help to remotely deactivate software following breach). That case, Computer Trust Leasing v. Jack Farrell Implement Co., 793 F.Supp. 1473 (D. Minn. 1991), affirmed 967 F.2d 1208 (8th Cir. 1992), upheld the right of the licensor to electronically deactivate the software after the licensee's default, despite the fact that there was no clause in the license agreement expressly permitting same.
  2. No reported case holds that parties to a contract may not agree to provide in their contract for electronic deactivation of software.
  3. Computer crimes statutes do not prohibit parties to a contract from including in their agreements provisions permitting the electronic deactivation of software.
  4. There are several reported cases which held that it was wrongful to "secret" a "timebomb" or other disabling device in the software. Many of these cases were decided under federal and state computer crimes laws, none of which laws will be disturbed by UCITA. Some of these cases involved a breach by the licensee, others did not.
  5. No reported case, whether commercial or under a criminal statute, holds that self-help is prohibited where authorized by a contract term.

> Case Summaries:

A. Classic Electronic Self Help:

> American Computer Trust Leasing v. Jack Farrell Implement Co., 793 F.Supp. 1473 (D. Minn. 1991), aff'd 967 F.2d 1208 (8th Cir. 1992).

Plaintiff ACTL and its related company, Automatic Data Processing ("ADP"), leased computer hardware and software to Defendant Jack Farrell. Jack Farrell fell behind on payments and then refused to pay the balance owed, charging, among other things, that the system failed to work properly. After Farrell's account had fallen significantly past due, ADP notified Farrell on June 30, 1987 that it would terminate all processing and support services on July 8 if payment was not received by that date. On July 8, ADP deactivated Farrell's software as previously warned. After Farrell discovered that its software had been shut off for nonpayment, Farrell paid the amounts past due on its account and ADP promptly reactivated the software. At that point, ADP contended, Farrell disconnected its modem so that ADP could no longer access the system for service and support. Farrell made no further payments to ADP although, ADP contended, Farrell continued to use ADP software and hardware. One of Farrell's officers testified that Farrell was aware of the fact that software services would be discontinued if payments were not made (though it does not appear from the record that the software license actually stated that the software could be deactivated electronically; it merely provided that it could be canceled upon the client's default). The trial court found that the deactivation occurred as a result of Farrell's nonpayment under the terms of the software license agreement and that ADP's deactivation was not unlawful or wrongful but merely an exercise of its rights under the software license agreement. The trial court stated that "... ADP had a legal right to deactivate ... for non-payment ..." the defendant's software. Moreover, the court found that ADP was under no obligation to provide the defendant with a conversion tape to help transfer its information from the ADP system to another vendor's system. The case was appealed and affirmed on grounds not relating to the exercise of self-help.

Result under UCITA: This is the classic case of electronic self help which UCITA was designed to address. If, as it appears from the record, the software license did not actually provide that ADP could exercise electronic self-help upon Jack Farrell's default, then under UCITA, ADP's exercise would have been wrongful, and ADP would have been liable for damages (including consequentials, which under UCITA cannot be avoided by contract).

B. Cases under Computer Fraud and Abuse Act (CFAA) 18 U.S.C. Sec. 1030

The CFAA is a criminal and civil action federal statute. It proscribes the unauthorized access to certain computer systems for harmful purposes by means of a modem or direct keyboard entry. To the extent that parties agree in a contract to permit such access, then, obviously, it is authorized and will not violate CFAA.

> North Texas Preventive Imaging, LLC vs. Harvey Eisenberg, 1996 U.S. District, Lexis 19990 (C.D. Calif, 1996).

NTPI was a provider of medical diagnostic imaging services. NTPI purchased the "Scribe" computer system from Defendant, the purpose of which was to perform computer enhancement of medical images. NTPI was dissatisfied with the performance of the software and tried to return it for a $161,000 refund. Defendant (also known as "MDI") responded by asking NTPI to enter into a new licensing arrangement and stating that the software would be disabled on January 31, 1996 if the new license agreement were not executed. According to the record, when the software initially was installed, it contained no timebombs, but sometime later an "update disk" was sent to NTPI to install, which, unknown to NTPI, contained a timebomb. MDI notified NTPI that it could prevent the explosion of this timebomb by executing the new license agreement. NTPI sued, alleging that (1) MDI had violated the federal Computer Fraud and Abuse Act, and (2) the insertion of the timebomb amounted to "conversion." MDI filed motions to dismiss. The court dismissed the conversion claim, but refused to dismiss the CFAA claim. In not dismissing the CFAA claim, the court noted that "whether the use of a time bomb is illegal appears to require a case-by-case analysis of the defendant's intent, the type of computer involved and the resulting harm." Further, the court enjoined MDI from allowing the timebomb to go off until the matter could be litigated. The court noted: "Members of the public who have been, or who are now or who might become patients of NTPI are exposed to possible harm to their medical conditions if the Scribe System is deactivated by a timebomb in its software, for their previously taken scans will not be available for review to monitor effectiveness of treatment or to recommend treatment and new scans could not be taken to detect serious or possibly life threatening diseases." There is no further record of this case, so it is not known how it would have been decided on the merits.

Result under UCITA: Exercise of the timebomb on these facts would be wrongful under UCITA because there was no separately assented to term and no notice as mandated by UCITA. Further, UCITA would not disturb any finding of criminal or civil liability under CFAA. Finally, the type of potential harm to patients of NTPI is exactly what is contemplated by UCITA's no "harm to the public health" standard.

> Gomar Mfg. Co. v. Novelli, C.A. No 96-4000 (D.N.J. Jan. 28, 1998) (unpublished).

Gomar "surreptitiously" loaded a time bomb. The court found that "undisclosed" disabling codes were intended to be covered by CFAA.

Result under UCITA: A timebomb inserted "surreptitiously" is contrary to UCITA. It is clear that UCITA would not permit an undisclosed exercise of self help, or exercise without the required notice in the manner agreed upon by the parties. UCITA, of course, would not disturb the operation of any criminal sanction or finding under CFAA.

> Shaw and Moon v. Toshiba et al. 91 F Supp 2d 926, 1999 U.S. Dist. Lexis 21790 (E.D. Tex. 1999).

This case dealt with whether CFAA was intended to cover only the actions of hackers, rather than the placing of surreptitious codes by manufacturers. The court denied motions for summary judgment that CFAA did not apply to the placing of codes by manufacturers.

Result under UCITA: It is clear that UCITA would not disturb any finding under CFAA. Further, to the extent of a contract issue, a "surreptitious" deactivating of codes would be contrary to UCITA.

C. State Criminal Law:

> Wisconsin v. Brian P. Corcoran, 186 Wis 2d 616, 522 NW 2d 226, 1994 Wisc. App. Lexis 954 (Court of Appeals, Wisc. 1994).

Defendant Corcoran was engaged to develop software for plaintiff Mueller Consulting Systems ("MCS"). Defendant became concerned that he would not be paid for his work, and secretly installed a "time bomb" in the software set to disable the software at a preset time. It does not appear from the record that there was any actual breach; Corcoran was merely concerned that there might be. (Note that Corcoran acted pro se, and that the arguments were not well developed in the case.) For example, defendant appears not to have argued that he set off the time bombs in reaction to MCS' failure to pay. It appears from the opinion that he merely was "worried" that MCS would not pay him. Nor, apparently, did he demand payment and threaten to set off the time bombs if he did not get payment. Note also that this is a criminal case. A search of the record produced no citation to a companion civil case. Corcoran was convicted under the Wisconsin Computer Crimes Act.

Result under UCITA: This was not a case of self-help following breach. Although the "time bombs" were installed apparently because Corcoran was afraid he would not be paid, there is no evidence that MCS actually failed to pay, or otherwise breached the contract. Thus, this would not fall under 816, but instead would have to be analyzed under 605. Under 605, insertion and activation of this timebomb would have been wrongful. UCITA would not disturb any result under the Wisconsin Computer Crimes Statute. (These types of actions are exactly what most computer crimes statutes are designed to address.)

D. Other "Secret" Timebomb cases

> Franks & Sons, Inc. v. Information Solutions, 1998 U.S. Dist. Lexis 18646 (N.D. Oklahoma 1988).

The Order had no accompanying opinion, but states as follows: "The "drop dead" device was not a part of the original agreement between the parties. This type of extraordinary device by its very nature, when not part of the parties' bargain, is void as a matter of public policy."

Result under UCITA: The reference to "part of the bargain" indicates that the parties may agree upon a self-help term. Otherwise, it is impossible to determine further the application of UCITA given the lack of available facts.

> Art Stone Theatrical Corp. v. Technical Programming & Systems Support, 157 A.D. 2d 689, 549 N.Y.S. 2d 789, 1990 N.Y. App. Div. Lexis 483 (Sup Ct., App. Div., 2d Dept. 1990).

TPSS sold a software system to Art Stone. The system failed to work properly, and the parties engaged in a lengthy dispute over its performance. Defendant then removed the source code from the system without the plaintiff's knowledge or consent. This prevented any modification or adjustment to the system. Defendant agreed to restore the source code only if Plaintiff signed a General Release. Plaintiff signed the release, and then sued defendant. Defendant countered, contending that the release precluded Plaintiff from suing. Plaintiff charged that the release was procured through duress. The trial court agreed with defendant, but the appeals court reversed, holding that the release was invalid because it was procured through duress. The matter was returned for trial, but no record of the trial was found, indicating that the case likely settled.

Result under UCITA: Deactivation without knowledge is prohibited by UCITA. However, it does not appear that Defendant used electronic self help or surreptitious code to disable the program. Defendant's conduct in removing the source code ultimately would not be decided under UCITA, but would instead be decided under the applicable computer crimes statute, and attendant civil provisions.

> Werner, Zaroll, Slotnick, Stern & Askenazz v. Donald A. Lewis, 155 Misc. 2d 558, 588 N.Y.S. 2d 960, 1992 N.Y. Misc. Lexis 459 (Civil Court, NYC 1992).

Defendant computer consultant intentionally disabled Plaintiff's computer system by secretly placing a conditional statement in the software that caused the system to cease functioning when it reached a certain claim number, in the hope that plaintiff law firm would retain defendant computer consultant to correct the problem. The contract between the parties did not disclose that the system would fail to function upon reaching a certain number. The court held that defendant was civilly liable and probably was also criminally liable.

Result under UCITA: UCITA prohibits "secretly" disabling. Defendant's action was not taken in response to plaintiff's breach, but instead, in order to get more work from plaintiff. Therefore, this case would not fall under Section 816. A number of theories of recovery would be available to plaintiff under UCITA, including breach of warranty and wrongful use of an automatic restraint. Lewis had no right, under Section 605, to include such an automatic restraint.

> Clayton X-Ray Company v. Professional Systems Corporation, 812 S.W.2d 565, 1991 MO App. Lexis 1198 (Court of Appeals, MO, W.D. 1991).

PSC sold Clayton a computer and software. When Clayton failed to pay the final balance of one-fourth of the price, PSC surreptitiously installed a "lock up code" which caused the system to lock up and made it impossible for Clayton to access its data. The jury found for Clayton on a conversion theory. The court upheld the verdict on appeal, noting that "PSC had no legal right, or any colorable legal right, to lock up Clayton's computer system. PSC's president had told a PSC employee to take a disk to Clayton's place of business, to tell the people at Clayton that there were some program changes that needed to be done, but then to load the computer instead with instructions to lock up. . . The effect of the lockup was to prevent Clayton's access to the records of its business."

Result under UCITA: PSC's actions would have been wrongful, thus making it liable for direct, incidental and consequential damages. However, had UCITA been in effect, it would have been more likely that PSC would have known that its actions were wrongful (because Section 816 states so clearly exactly what is required), PSC likely would have negotiated the self-help provision up front, and all parties would have been better off.

> Conclusion:

No case or statute was found which prohibits the exercise of self-help in the classic fact pattern described at the opening of this memorandum, or which prohibits parties from agreeing in a contract that they may permit electronic self help. The only reported case which addresses the classic self-help fact pattern upheld the licensor's exercise of self help even though there was no contract clause authorizing it. Other cases, whether commercial contract or criminal cases, clearly sanction "secret" self-help devices but do not prohibit self-help that is authorized.



© 2001 National Conference of Commissioners on Uniform State Laws