Consumer information is exchanged more frequently with each passing day. Indeed, the number of electronic payments in the United States in 2009 totaled 84.5 billion, representing a 31% increase since 2006. (1) Whether consumers purchase clothing online or swipe their Visa cards after dinner, personal information moves constantly through the electronic channels of commerce. As consumers expect to purchase goods more easily in this electronic economy, they also rely increasingly on businesses to protect their personal information. (2)
Businesses protect consumer information by installing encryption and data security software. Recently, one state even mandated that businesses take specific and complex preventive measures to help ensure that security breaches do not occur. (3) As many companies are now required to use data security software, software vendors find themselves in increasingly strong bargaining positions when negotiating software licensing agreements. (4) Further, the highly specialized nature of this software and the consolidation within the software security industry mean that fewer vendors provide these products, and businesses in need of this software face increasingly asymmetrical negotiations. (5) Certain companies, including smaller businesses, face the most pressure because they have fewer options for recourse if a fair licensing agreement is not reached. (6)
Some critics also argue that this level of industry consolidation has led to a decline in the quality of products offered by some software vendors. (7) Despite the fact that some software companies are arguably providing a lower quality good, the bargaining power created by consolidation in the industry--combined with the fact that many businesses are statutorily required to use data security software--allows these companies to disclaim practically all liability stemming from a security breach, even where the software fails. (8)
Moreover, as businesses acquire and transmit more consumer information, the potential liabilities associated with a security breach increase. Indeed, several of the worst data security breaches have occurred in recent years. (9) One example involved TJX Companies, a clothing retailer. In 2007, TJX suffered a breach and lost roughly 45.7 million credit card numbers. (10) By 2008, the cost of this security breach was estimated at $226 million, and this figure was expected to climb because of pending litigation, including a class-action lawsuit. (11)
Although the number of people affected and the frequency of security breaches are troubling, this Comment focuses on a company's potential liability after a breach. In doing so, however, it offers a solution that provides software vendors with strong incentives to manufacture more secure products.
When businesses lose information because of a security breach, they face massive costs, as illustrated by the TJX breach. Recently, many states have increased these costs by passing more complex and expensive reporting requirements. These disclosure statutes shift greater costs from consumers to the businesses that hold their information should a breach occur. While these changes affect the relationship between consumers and businesses, software licensing agreements between vendors and businesses remain unchanged. In short, these agreements continue to restrict vendors' liabilities, allowing them to avoid these new burdens. The ability of vendors to avoid these liabilities is especially troubling considering that in 2010 more than a quarter of security breaches were due to a system failure. (12)
To address this situation, this Comment argues that courts should adopt a fairer remedy under the Uniform Commercial Code (UCC) by holding unreasonable limitations on liability unenforceable when contractual remedies frustrate the essential purposes of the contract. This remedy will allow businesses to spread costs more efficiently, will give the proper incentives to software vendors, (13) and will allow the UCC to achieve its goal of allowing expectation damages in the case of a breach. This solution is a measured response to the current imbalance in the data security licensing industry because it would only invalidate licensing agreement provisions that frustrate the essential purpose of the contract.
Part I provides a brief background on how Article II of the UCC affects software licensing agreements. Part II then introduces the recent state statutory developments in data security and demonstrates why these new reporting requirements justify shifting additional liability back to software vendors. Part III builds on Part II and argues that courts should stop enforcing a licensor's limitations on liability when they frustrate the agreement's essential purpose, except in cases where the fault causing the breach lies with the software user. (14)
SOFTWARE LICENSING AGREEMENTS AND THE UCC
Applying Article II to Data Security Licensing Agreements
Whether Article II even applied to the sale of software was a hotly debated issue just fifteen years ago. (15) This initial question is critical because Article II covers only transactions that involve a sale of goods. (16) "Goods" are defined as "all things [including specially manufactured goods] that are movable at the time of identification to a contract for sale." (17) This definition distinguishes goods from services that lie beyond Article II's scope. (18)
Software is a hybrid good because it involves certain services that accompany the tangible product. (19) To determine whether software qualifies as a good or a service, most courts evaluate the contract's "predominant purpose." (20) This test asks which part of the contract is paramount--the goods sold or the services rendered. (21) The second test, used by a minority of courts, is known as the "gravamen of the action" test. (22) Under the "gravamen" test, courts determine whether the source of the complaint regards the goods or the services section of the contract. (23) Even with these two tests, determining the contract's "predominant purpose" or the "gravamen of the action" can be complex because the goods and services components of software are so interrelated. Despite this complexity, courts generally view software licensing agreements as contracts for "goods" and review their terms under Article II. (24)
Limiting Liability and Remedies Under Article II
Software licensors attempt to limit their liability by using provisions of the UCC, such as warranty disclaimers, limitations of liability, and limitations on remedies. (25) Licensors can disclaim these liabilities and warranties under the UCC because Article II allows parties to depart from the Code's default rules if they agree. (26) Simply put, the UCC promotes freedom of contract, and only a few provisions cannot be altered by agreement. (27)
Courts generally enforce the restrictive language inserted by software vendors in an effort to limit virtually all of their potential liabilities. (28) For example, to disclaim the various warranties provided for in the UCC, vendors commonly insert provisions disclaiming: (1) "all implied warranties (e.g., merchantability and fitness for a particular purpose)"; (2) "any express warranties except as otherwise stated in the agreement"; and (3) "in those states that have adopted the Uniform Computer Information Transactions Act (UCITA), the warranties implied through UCITA." (29) Further, in limiting liabilities and remedies, vendors insist on including provisions that specify the licensee's remedies (if any)--including the time frame and mechanism for providing notice of election of remedies--and that state that the remedies in the contract provide the "sole and exclusive" means of redress. (30) Vendors also sometimes require that businesses send back the defective software before receiving a refund. (31)
While vendors employ the UCC to disclaim many of these warranties and to limit their liabilities and remedies, businesses have attempted to recover some of the losses stemming from software vendors after security breaches. (32) Various theories used in these cases include unconscionability, (33) tort doctrines such as negligent misrepresentation or fraudulent inducement, (34) and the failure of essential purpose doctrine. (35)...