A federal appeals panel says a computer security software firm can sue a corporate rival for allegedly programming its own software to attack competitor’s products as threats.
Florida-based Enigma Software Group filed the false advertising complaint against Malwarebytes, of California, accusing it of violating the Lanham Act. Enigma sued in federal court in the Southern District of New York, but Malwarebytes succeeded in having the case transferred to the Northern District of California. There, U.S District Judge Edward Davila dismissed the complaint, which Enigma challenged before the U.S. Ninth Circuit Court of Appeals.
Judge Richard Clifton wrote the majority opinion, filed June 2; Judge Miller Baker, from the U.S. Court of International Trade, sat on the panel by designation and concurred. Judge Patrick Bumatay dissented.
Enigma alleged Malwarebytes didn’t single out its products from 2008 through October 2016 and claimed the change amounted to retaliation for Enigma’s lawsuit against Bleeping Computer, a software review website that allegedly failed to disclose its affiliation with Malwarebytes.
According to Clifton, Malwarebytes started designating Enigma products as “malicious,” “threats” and “potentially unwanted programs,” but Judge Davila granted a motion to dismiss because the challenged phrases were “non-actionable statements of opinion.” The majority considered the industry and noted description of software using such words “is more a statement of objective fact” and said “Malwarebytes’ designations employ terminology that is substantively meaningful and verifiable in the cybersecurity context.”
The majority agreed with Enigma that its products “either contain malicious files and threaten the security of users’ computers, or they do not,” implying that distinction is a question of fact unsuitable for a motion to dismiss.
In his dissent, Judge Bumatay disagreed with Enigma’s absolutist view, writing “a program isn’t simply ‘potentially unwanted’ or not. A software program isn’t verifiably a ‘threat’ or not. And a website isn’t measurably ‘malicious’ or not. In the cybersecurity context, these terms refer to a spectrum of digital features with no verifiable line to cross to determine when they apply.”
Bumatay insisted Malwarebytes only issued subjective opinions, writing “The freedom to express opinions is at the core of the First Amendment. And that guarantee doesn’t change because the opinions are about cybersecurity, malware or internet domains.”
Clifton addressed that point, saying it is possible to objectively determine if certain software is malware, meaning created “with the intent to gain unauthorized access to a computer for some nefarious purpose.” He further said “more importantly, judges are not experts in the cybersecurity field. We should not presume that we are.”
Regarding jurisdictional questions, the majority said Judge Davila was wrong to rule New York lacked personal jurisdiction over Malwarebytes. It therefore reversed Davila’s ruling that California law applies to Enigma’s state law claims, a finding that also undercut Davila’s dismissal of Enigma’s claim under New York General Business Law and led to the conclusion the claims for interference with contractual and business relations also should fall under New York law instead of California. However, the majority still agreed the contractual interference claim failed because Enigma didn’t adequately allege the existence of a contract between the two parties.
“Here, Enigma alleged that its pre-existing customers canceled their subscriptions and requested refunds because of Malwarebytes’ conduct,” Clifton wrote. “And although this amounts to disruption of the contractual relationship between Enigma and its customers, it falls short of alleging any contractual breach by those customers.”
Enigma is represented by Budd Law, of Wexford, Pennsylvania, and K&L Gates, of Pittsburgh and San Francisco.
Malwarebytes is represented by Hueston Hennigan, of Los Angeles and Newport Beach.