Authenticom, Inc. v. CDK Global, LLC, 17-cv-318-jdp

AUTHENTICOM, INC., Plaintiff, v. CDK GLOBAL, LLC,and THE REYNOLDS AND REYNOLDS COMPANY, Defendants.

17-cv-318-jdp

UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WISCONSIN

July 14, 2017

OPINION & ORDER

This is an antitrust case involving the software used by car dealers. Defendants, CDK Global, LLC, and the Reynolds and Reynolds Company, are the main providers of comprehensive software packages called dealer management systems, which are used by virtually all United States car dealers. Plaintiff, Authenticom, Inc., is a third-party data integrator. It provides a service that links car dealers to third-party software vendors who provide features and enhancements that are not built into the dealers' DMSs. Authenticom contends that defendants have violated the Sherman Act in numerous ways, including by conspiring to drive it out of business. Authenticom seeks a preliminary injunction that would require defendants to allow Authenticom to continue its historical practice of accessing dealer data on defendants' information systems, using login credentials provided by dealers.

The case is complicated both factually and legally. But based on the parties' written submissions, documentary evidence, and the evidence presented at a two-and-one-half day hearing, the court concludes that Authenticom is entitled to a preliminary injunction. Authenticom's evidence establishes at least a moderate chance of success in proving that defendants have violated the Sherman Act. And the balance of harms tips sharply in favor of Authenticom, because Authenticom is clearly at risk of going under without a preliminary injunction. The countervailing harm alleged by defendants—primarily the threat to the security of their information systems—is not persuasive because defendants already allow third-party access of the sort that Authenticom asks to continue. And there was no evidence that Authenticom itself had lax security practices or posed a specific threat to the security of defendants' systems.

FINDINGS OF FACT

I make no effort here to set out all the facts established by the parties' evidence or to review comprehensively that evidence. The parties have submitted declarations and documentary evidence, most of which is not objected to. Defendants have, however, lodged specific objections to a number of Authenticom's exhibits and some declaration testimony in Dkt. 171. For the most part, I will sustain defendants' objections.¹

Focusing on the main points and issues, I find the following facts. Some additional facts are set out the analysis section.

A. Background

Virtually every dealer in the country uses a DMS, a dealer management system, to manage the major aspects of its business, from vehicle and parts inventory to serviceappointments to payroll. Defendants, CDK Global, LLC, and the Reynolds and Reynolds Company, provide and maintain the two most-used DMSs. Together, defendants provide DMSs to roughly three-quarters of the dealers in the United States. Dozens of other DMS providers serve the remaining quarter of the market, although Dealertrack appears to be the leading alternative to defendants' systems. Defendants provide the DMS software to the dealer and run the servers that hold the dealer's data. The data itself belongs to the dealer. Sophisticated DMS software, like defendants', is expensive. A dealer typically pays $8-10,000 per month for its DMS.

Dealers also use software applications from third-party vendors to provide features and services that are not built into the basic DMS, although these applications require data from the DMS. A typical dealer uses 10 to 15 vendor-provided applications in addition to its DMS. For example, a dealer might engage Carfax to provide a vehicle history report for every used car that it offers for sale. Somehow the dealer must get data about its inventory to Carfax, so that Carfax can provide the required reports. Generally speaking, dealers find it cumbersome to retrieve their own data from their DMS and send it to vendors, so most dealers authorize vendors to get the data from the DMS, either directly or through a third-party data integrator.

B. Authenticom

Plaintiff Authenticom, Inc., is a third-party data integrator, founded by Steve Cottrell in 2002. With the dealer's consent, Authenticom accesses the dealer's data on its DMS, downloads the necessary data, reformats the data to suit the needs of the vendor, and then sends the reformatted data to the vendor. The vendor uses the data to provide its services to the dealer. The dealer pays the vendor for its services, and the vendor pays Authenticom for itsdata integration. Typically, a vendor pays Authenticom about $50 per month for each dealer for which data is provided.

In 2014, Authenticom introduced its DealerVault software. DealerVault provides an interface that allows dealers to monitor and control the data provided from its DMS to the vendors it uses. DealerVault is popular with dealers, who generally feel strongly that because they own their data, they should be able to control and monitor its use. Cottrell estimates that approximately 15,000 of 18,000 dealers nationwide have at one time or another relied on Authenticom for services. Dkt. 164, at 89:7-11.

The method Authenticom uses to acquire dealer data is a point of contention. Dealers who want to work with Authenticom provide Authenticom a username and password, which Authenticom uses to log into the dealer's DMS account on defendants' systems. Authenticom "screen scrapes" the data by capturing what is displayed, and then it cleans up the data to keep the needed elements. Authenticom works with a very large number of dealers, so it has automated this process. Authenticom's information systems are programmed to automatically and regularly log into dealer DMS accounts so that the data that vendors use is up to date.

The evidence generally shows that Authenticom is secure. DealerVault is hosted on Microsoft Azure, secure cloud technology. And the data to which Authenticom has access is controlled by the dealer. Wayne Fitkin, a veteran in the automotive IT industry and currently IT director for a dealership group, testified that although Fitkin himself has access to a large amount of extremely sensitive information, he creates a user ID specifically for Authenticom that has access to limited accounts and a single function necessary to query and scrape thesystem. Dkt. 165, at 9:12-21. The court did not receive any evidence that Authenticom has ever suffered a security breach or that it has caused a security breach at another entity.²

C. Defendants block Authenticom

Defendants object to Authenticom's screen-scraping data extraction method, which they call "hostile access." Reynolds has never approved of third-party access based solely on the dealer's authorization. Reynolds allows third-party access only with its own approval, and preferably via an interface specifically designed for that purpose, the Reynolds Certified Interface (RCI). Through RCI, third parties—vendors, typically—access and receive specified data fields in a highly controlled environment. Reynolds contends that access via RCI is more secure and less burdensome on the Reynolds system than Authenticom's screen-scraping technique. The court accepts this point as a general principle, but Reynolds did not provide evidence to quantify the relative burden Authenticom places on the system, and Reynolds did not adduce any evidence of any actual or realized security threat attributable to Authenticom.

Reynolds began blocking Authenticom's access to its DMS in 2009, and it achieved more effective blocking around 2013, apparently by using technology that was able to detect and instantly disconnect automated access to its DMS. Reynolds' more effective blocking had a significant impact on Authenticom's revenue, because blocking interfered with Authenticom's ability to integrate data for vendors who served dealers using Reynolds' DMS.

Unlike Reynolds, until 2015, CDK offered what the parties and the court have been calling an "open system." An open system allows third-party integrators, such as Authenticom,to access and scrape data from the DMS with dealer authorization. Indeed, until recently, CDK touted its open system as one of the competitive advantages of its DMS. In fact, CDK itself owned and operated third-party integrators, DMI and Integralink. Apparently the open system was appealing to dealers, as Reynolds' market share declined from approximately 40 percent to approximately 28 percent as CDK marketed its open system and Reynolds solidified its closed one. Id. at 84:7-17. CDK picked up most of the dealers who left Reynolds.

But things changed around 2014, as CDK reconsidered its third-party access programs. Internal documents and testimony from CDK witnesses suggest that two primary concerns motivated CDK's reconsideration. First, well-publicized security breaches prompted CDK to improve its cybersecurity, and CDK implemented a "Security First" initiative. (Notably, the Security First initiative recommended improved third-party access practices and retiring "certain integration that risks data integrity", but it did not specifically recommend terminating all third-party access. DHX-27.) Second, CDK realized that it was not getting all the value it could from 3PA, its third-party access program which is, essentially, the equivalent of Reynolds' RCI. So, after years of touting the benefits of its open system, CDK decided to bring data integration in house and transition toward a closed system.

D. The defendants' agreements

CDK's transition to a closed system roughly coincided with CDK and Reynolds signing written agreements in February 2015. The first of the three agreements was a so-called Data Exchange Agreement. Dkt. 106-1. In the Data Exchange Agreement, CDK agreed to wind down certain aspects of DMI, CDK's third-party integrator—specifically, those aspects that involved "hostilely integrating" with the Reynolds...