United States District Court, W.D. Wisconsin
OPINION & ORDER
D. PETERSON, District Judge
an antitrust case involving the software used by car dealers.
Defendants, CDK Global, LLC, and the Reynolds and Reynolds
Company, are the main providers of comprehensive software
packages called dealer management systems, which are used by
virtually all United States car dealers. Plaintiff,
Authenticom, Inc., is a third-party data integrator. It
provides a service that links car dealers to third-party
software vendors who provide features and enhancements that
are not built into the dealers' DMSs. Authenticom
contends that defendants have violated the Sherman Act in
numerous ways, including by conspiring to drive it out of
business. Authenticom seeks a preliminary injunction that
would require defendants to allow Authenticom to continue its
historical practice of accessing dealer data on
defendants' information systems, using login credentials
provided by dealers.
case is complicated both factually and legally. But based on
the parties' written submissions, documentary evidence,
and the evidence presented at a two-and-one-half day hearing,
the court concludes that Authenticom is entitled to a
preliminary injunction. Authenticom's evidence
establishes at least a moderate chance of success in proving
that defendants have violated the Sherman Act. And the
balance of harms tips sharply in favor of Authenticom,
because Authenticom is clearly at risk of going under without
a preliminary injunction. The countervailing harm alleged by
defendants - primarily the threat to the security of their
information systems - is not persuasive because defendants
already allow third-party access of the sort that Authenticom
asks to continue. And there was no evidence that Authenticom
itself had lax security practices or posed a specific threat
to the security of defendants' systems.
no effort here to set out all the facts established by the
parties' evidence or to review comprehensively that
evidence. The parties have submitted declarations and
documentary evidence, most of which is not objected to.
Defendants have, however, lodged specific objections to a
number of Authenticom's exhibits and some declaration
testimony in Dkt. 171. For the most part, I will sustain
on the main points and issues, I find the following facts.
Some additional facts are set out in the analysis section.
every dealer in the country uses a DMS, a dealer management
system, to manage the major aspects of its business, from
vehicle and parts inventory to service appointments to
payroll. Defendants, CDK Global, LLC, and the Reynolds and
Reynolds Company, provide and maintain the two most-used
DMSs. Together, defendants provide DMSs to roughly
three-quarters of the dealers in the United States. Dozens of
other DMS providers serve the remaining quarter of the
market, although Dealertrack appears to be the leading
alternative to defendants' systems. Defendants provide
the DMS software to the dealer and run the servers that hold
the dealer's data. The data itself belongs to the dealer.
Sophisticated DMS software, like defendants', is
expensive. A dealer typically pays $8-10,000 per month for
also use software applications from third-party vendors to
provide features and services that are not built into the
basic DMS, although these applications require data from the
DMS. A typical dealer uses 10 to 15 vendor-provided
applications in addition to its DMS. For example, a dealer
might engage Carfax to provide a vehicle history report for
every used car that it offers for sale. Somehow the dealer
must get data about its inventory to Carfax, so that Carfax
can provide the required reports. Generally speaking, dealers
find it cumbersome to retrieve their own data from their DMS
and send it to vendors, so most dealers authorize vendors to
get the data from the DMS, either directly or through a
third-party data integrator.
Authenticom, Inc., is a third-party data integrator, founded
by Steve Cottrell in 2002. With the dealer's consent,
Authenticom accesses the dealer's data on its DMS,
downloads the necessary data, reformats the data to suit the
needs of the vendor, and then sends the reformatted data to
the vendor. The vendor uses the data to provide its services
to the dealer. The dealer pays the vendor for its services,
and the vendor pays Authenticom for its data integration.
Typically, a vendor pays Authenticom about $50 per month for
each dealer for which data is provided.
2014, Authenticom introduced its DealerVault software.
DealerVault provides an interface that allows dealers to
monitor and control the data provided from its DMS to the
vendors it uses. DealerVault is popular with dealers, who
generally feel strongly that because they own their data,
they should be able to control and monitor its use. Cottrell
estimates that approximately 15,000 of 18,000 dealers
nationwide have at one time or another relied on Authenticom
for services. Dkt. 164, at 89:7-11.
method Authenticom uses to acquire dealer data is a point of
contention. Dealers who want to work with Authenticom provide
Authenticom a username and password, which Authenticom uses
to log into the dealer's DMS account on defendants'
systems. Authenticom “screen scrapes” the data by
capturing what is displayed, and then it cleans up the data
to keep the needed elements. Authenticom works with a very
large number of dealers, so it has automated this process.
Authenticom's information systems are programmed to
automatically and regularly log into dealer DMS accounts so
that the data that vendors use is up to date.
evidence generally shows that Authenticom is secure.
DealerVault is hosted on Microsoft Azure, secure cloud
technology. And the data to which Authenticom has access is
controlled by the dealer. Wayne Fitkin, a veteran in the
automotive IT industry and currently IT director for a
dealership group, testified that although Fitkin himself has
access to a large amount of extremely sensitive information,
he creates a user ID specifically for Authenticom that has
access to limited accounts and a single function necessary to
query and scrape the system. Dkt. 165, at 9:12-21. The court
did not receive any evidence that Authenticom has ever
suffered a security breach or that it has caused a security
breach at another entity.
Defendants block Authenticom
object to Authenticom's screen-scraping data extraction
method, which they call “hostile access.”
Reynolds has never approved of third-party access based
solely on the dealer's authorization. Reynolds
allows third-party access only with its own approval, and
preferably via an interface specifically designed for that
purpose, the Reynolds Certified Interface (RCI). Through RCI,
third parties - vendors, typically - access and receive specified
data fields in a highly controlled environment. Reynolds
contends that access via RCI is more secure and less
burdensome on the Reynolds system than Authenticom's
screen-scraping technique. The court accepts this point as a
general principle, but Reynolds did not provide evidence to
quantify the relative burden Authenticom places on the
system, and Reynolds did not adduce any evidence of any
actual or realized security threat attributable to
began blocking Authenticom's access to its DMS in 2009,
and it achieved more effective blocking around 2013,
apparently by using technology that was able to detect and
instantly disconnect automated access to its DMS.
Reynolds' more effective blocking had a significant
impact on Authenticom's revenue, because blocking
interfered with Authenticom's ability to integrate data
for vendors who served dealers using Reynolds' DMS.
Reynolds, until 2015, CDK offered what the parties and the
court have been calling an “open system.” An open
system allows third-party integrators, such as Authenticom,
to access and scrape data from the DMS with dealer
authorization. Indeed, until recently, CDK touted its open
system as one of the competitive advantages of its DMS. In
fact, CDK itself owned and operated third-party integrators,
DMI and Integralink. Apparently the open system was appealing
to dealers, as Reynolds' market share declined from
approximately 40 percent to approximately 28 percent as CDK
marketed its open system and Reynolds solidified its closed
one. Id. at 84:7-17. CDK picked up most of the
dealers who left Reynolds.
things changed around 2014, as CDK reconsidered its
third-party access programs. Internal documents and testimony
from CDK witnesses suggest that two primary concerns
motivated CDK's reconsideration. First, well-publicized
security breaches prompted CDK to improve its cybersecurity,
and CDK implemented a “Security First”
initiative. (Notably, the Security First initiative
recommended improved third-party access practices and
retiring “certain integration that risks data
integrity”, but it did not specifically recommend
terminating all third-party access. DHX-27.) Second, CDK
realized that it was not getting all the value it could from
3PA, its third-party access program which is, essentially,
the equivalent of Reynolds' RCI. So, after years of
touting the benefits of its open system, CDK decided to bring
data integration in house and transition toward a closed
The defendants' agreements
transition to a closed system roughly coincided with CDK and
Reynolds signing written agreements in February 2015. The
first of the three agreements was a so-called Data Exchange
Agreement. Dkt. 106-1. In the Data Exchange Agreement, CDK
agreed to wind down certain aspects of DMI, CDK's
third-party integrator - specifically, those aspects that
involved “hostilely integrating” with the
Reynolds system. Reynolds agreed that it would not block
DMI's access to the Reynolds system during the wind-down
period, which might last as long as five years. And CDK
agreed to cooperate with Reynolds to have DMI clients - vendors
using DMI to poll data from the Reynolds system - transition to
RCI, Reynolds' in-house “data integrator.”
Id. §§ 4.1, 4.4. Defendants further agreed
that they would not assist any person that attempts to access
or integrate with the other party's DMS. Id.
§ 4.5. This section is described as “not intended
as a ‘covenant not to compete,' but rather as a
contractual restriction of access and attempted access
intended to protect the operational and data security
integrity of the Reynolds DMS and the CDK DMS.”
Id. Section 4.5's terms do not expire.
Id. § 6.1.
remaining agreements in the set - the 3PA Agreement and the RCI
Agreement - granted reciprocal access to defendants'
in-house data integration platforms. Both Reynolds and CDK
provide add-on software applications for dealers, just like
third-party vendors. CDK wanted access to the Reynolds DMS
for its applications, and Reynolds wanted access to the CDK
DMS for its applications. Id. at 2. Under the
agreements, CDK's applications could access the Reynolds
DMS via RCI, and vice versa. Reynolds received five free
years of 3PA access, purportedly as consideration for its
allowing DMI's access to the Reynolds system during the
wind down. By signing up for 3PA, Reynolds agreed that it
would access the CDK DMS exclusively through 3PA, and
Reynolds agreed that it would not “otherwise access,
retrieve, license, or otherwise transfer any data from or to
a CDK System (including, without limitation, pursuant to any
‘hostile interface') for itself or any other
entity,” or contract with any third parties to access
the system. Dkt. 106-2, at 5. The RCI Agreement contains
similar restrictions: “Non-Approved Access” is
any access to the Reynolds DMS made without Reynolds'
prior written consent. Dkt. 106-3, § 1.8.
to Cottrell, on the heels of the February 2015 agreements, in
May 2015, Robert Schaefer, Reynolds' head of data
services, told Cottrell that CDK and Reynolds agreed to
support one another's data integration programs - 3PA and
RCI - and block third-party data integrators, like Authenticom.
Reynolds was “adamant that all third-party data
integrators must be cut off.” Dkt. 62, ¶ 52.
Schaefer denies making such statements, although the
Reynolds/CDK agreements would essentially have this effect.
August 2015, CDK began aggressively blocking Authenticom.
Vendors, many of whom were understanding and willing to work
with Authenticom following Reynolds' aggressive blocking
in 2013, began to move their business elsewhere. According to
Cottrell, Authenticom has been unable to attract new vendor
customers because it cannot guarantee that it will be able to
provide services without access to Reynolds' and
testified that in April 2016, he had a conversation with Dan
McCray of CDK. McCray told Cottrell that CDK and Reynolds had
agreed to “lock you and the other third parties
out.” Id. ¶ 48. According to Cottrell,
McCray stated in no uncertain terms that CDK wanted to
destroy Authenticom. Like Schaefer, McCray largely denies
that CDK and Reynolds agreed to take concerted action, and he
denies the more aggressive statements Cottrell attributes to
him. But he does concede that he “confirmed that it was
CDK's goal to remove all non-authorized access, including
the user ID and password access ...