A domain name registrar may be liable for damages sustained by a search engine as a result of a social engineering exploit that enabled a hacker to obtain control of the search engine's domain name and redirect traffic to the hacker's political site, a district court ruled. The court noted that under controlling New York law, while a disclaimer of liability such as that in the registrar's Master Services Agreement is generally enforceable, such disclaimers may not bar liability for the registrar's wilful or grossly negligent acts, or reckless indifference to the rights of others. The court found that allegations that the hacker obtained control of the domain name because the registrar did not follow its own security procedures alleged such conduct sufficiently.

Baidu, Inc. v. Register.com, Inc., 2010 U.S. Dist. LEXIS 73905 (S.D.N.Y. July 22, 2010) Download PDF

Editor’s Note: A similar analysis of a disclaimer in an online clickwrap agreement was applied in Smallwood v. NCSoft Corp., 2010 U.S. Dist. LEXIS 82484 (D. Haw. Aug. 4, 2010 ), where the court applied the law of Texas and Hawaii in concluding that gross negligence and fraud claims brought by an online gamer alleging that he experienced severe emotional distress from addiction to a video game were not precluded by the liability disclaimer in the game developer's online User Agreement.