Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Authenticom, Inc. v. CDK Global, LLC

United States District Court, W.D. Wisconsin

July 14, 2017


          OPINION & ORDER

          JAMES D. PETERSON, District Judge

         This is an antitrust case involving the software used by car dealers. Defendants, CDK Global, LLC, and the Reynolds and Reynolds Company, are the main providers of comprehensive software packages called dealer management systems, which are used by virtually all United States car dealers. Plaintiff, Authenticom, Inc., is a third-party data integrator. It provides a service that links car dealers to third-party software vendors who provide features and enhancements that are not built into the dealers' DMSs. Authenticom contends that defendants have violated the Sherman Act in numerous ways, including by conspiring to drive it out of business. Authenticom seeks a preliminary injunction that would require defendants to allow Authenticom to continue its historical practice of accessing dealer data on defendants' information systems, using login credentials provided by dealers.

         The case is complicated both factually and legally. But based on the parties' written submissions, documentary evidence, and the evidence presented at a two-and-one-half day hearing, the court concludes that Authenticom is entitled to a preliminary injunction. Authenticom's evidence establishes at least a moderate chance of success in proving that defendants have violated the Sherman Act. And the balance of harms tips sharply in favor of Authenticom, because Authenticom is clearly at risk of going under without a preliminary injunction. The countervailing harm alleged by defendants-primarily the threat to the security of their information systems-is not persuasive because defendants already allow third-party access of the sort that Authenticom asks to continue. And there was no evidence that Authenticom itself had lax security practices or posed a specific threat to the security of defendants' systems.


         I make no effort here to set out all the facts established by the parties' evidence or to review comprehensively that evidence. The parties have submitted declarations and documentary evidence, most of which is not objected to. Defendants have, however, lodged specific objections to a number of Authenticom's exhibits and some declaration testimony in Dkt. 171. For the most part, I will sustain defendants' objections.[1]

         Focusing on the main points and issues, I find the following facts. Some additional facts are set out the analysis section.

         A. Background

         Virtually every dealer in the country uses a DMS, a dealer management system, to manage the major aspects of its business, from vehicle and parts inventory to service appointments to payroll. Defendants, CDK Global, LLC, and the Reynolds and Reynolds Company, provide and maintain the two most-used DMSs. Together, defendants provide DMSs to roughly three-quarters of the dealers in the United States. Dozens of other DMS providers serve the remaining quarter of the market, although Dealertrack appears to be the leading alternative to defendants' systems. Defendants provide the DMS software to the dealer and run the servers that hold the dealer's data. The data itself belongs to the dealer. Sophisticated DMS software, like defendants', is expensive. A dealer typically pays $8-10, 000 per month for its DMS.

         Dealers also use software applications from third-party vendors to provide features and services that are not built into the basic DMS, although these applications require data from the DMS. A typical dealer uses 10 to 15 vendor-provided applications in addition to its DMS. For example, a dealer might engage Carfax to provide a vehicle history report for every used car that it offers for sale. Somehow the dealer must get data about its inventory to Carfax, so that Carfax can provide the required reports. Generally speaking, dealers find it cumbersome to retrieve their own data from their DMS and send it to vendors, so most dealers authorize vendors to get the data from the DMS, either directly or through a third-party data integrator.

         B. Authenticom

         Plaintiff Authenticom, Inc., is a third-party data integrator, founded by Steve Cottrell in 2002. With the dealer's consent, Authenticom accesses the dealer's data on its DMS, downloads the necessary data, reformats the data to suit the needs of the vendor, and then sends the reformatted data to the vendor. The vendor uses the data to provide its services to the dealer. The dealer pays the vendor for its services, and the vendor pays Authenticom for its data integration. Typically, a vendor pays Authenticom about $50 per month for each dealer for which data is provided.

         In 2014, Authenticom introduced its DealerVault software. DealerVault provides an interface that allows dealers to monitor and control the data provided from its DMS to the vendors it uses. DealerVault is popular with dealers, who generally feel strongly that because they own their data, they should be able to control and monitor its use. Cottrell estimates that approximately 15, 000 of 18, 000 dealers nationwide have at one time or another relied on Authenticom for services. Dkt. 164, at 89:7-11.

         The method Authenticom uses to acquire dealer data is a point of contention. Dealers who want to work with Authenticom provide Authenticom a username and password, which Authenticom uses to log into the dealer's DMS account on defendants' systems. Authenticom “screen scrapes” the data by capturing what is displayed, and then it cleans up the data to keep the needed elements. Authenticom works with a very large number of dealers, so it has automated this process. Authenticom's information systems are programmed to automatically and regularly log into dealer DMS accounts so that the data that vendors use is up to date.

         The evidence generally shows that Authenticom is secure. DealerVault is hosted on Microsoft Azure, secure cloud technology. And the data to which Authenticom has access is controlled by the dealer. Wayne Fitkin, a veteran in the automotive IT industry and currently IT director for a dealership group, testified that although Fitkin himself has access to a large amount of extremely sensitive information, he creates a user ID specifically for Authenticom that has access to limited accounts and a single function necessary to query and scrape the system. Dkt. 165, at 9:12-21. The court did not receive any evidence that Authenticom has ever suffered a security breach or that it has caused a security breach at another entity.[2]

         C. Defendants block Authenticom

         Defendants object to Authenticom's screen-scraping data extraction method, which they call “hostile access.” Reynolds has never approved of third-party access based solely on the dealer's authorization. Reynolds allows third-party access only with its own approval, and preferably via an interface specifically designed for that purpose, the Reynolds Certified Interface (RCI). Through RCI, third parties-vendors, typically-access and receive specified data fields in a highly controlled environment. Reynolds contends that access via RCI is more secure and less burdensome on the Reynolds system than Authenticom's screen-scraping technique. The court accepts this point as a general principle, but Reynolds did not provide evidence to quantify the relative burden Authenticom places on the system, and Reynolds did not adduce any evidence of any actual or realized security threat attributable to Authenticom.

         Reynolds began blocking Authenticom's access to its DMS in 2009, and it achieved more effective blocking around 2013, apparently by using technology that was able to detect and instantly disconnect automated access to its DMS. Reynolds' more effective blocking had a significant impact on Authenticom's revenue, because blocking interfered with Authenticom's ability to integrate data for vendors who served dealers using Reynolds' DMS.

         Unlike Reynolds, until 2015, CDK offered what the parties and the court have been calling an “open system.” An open system allows third-party integrators, such as Authenticom, to access and scrape data from the DMS with dealer authorization. Indeed, until recently, CDK touted its open system as one of the competitive advantages of its DMS. In fact, CDK itself owned and operated third-party integrators, DMI and Integralink. Apparently the open system was appealing to dealers, as Reynolds' market share declined from approximately 40 percent to approximately 28 percent as CDK marketed its open system and Reynolds solidified its closed one. Id. at 84:7-17. CDK picked up most of the dealers who left Reynolds.

         But things changed around 2014, as CDK reconsidered its third-party access programs. Internal documents and testimony from CDK witnesses suggest that two primary concerns motivated CDK's reconsideration. First, well-publicized security breaches prompted CDK to improve its cybersecurity, and CDK implemented a “Security First” initiative. (Notably, the Security First initiative recommended improved third-party access practices and retiring “certain integration that risks data integrity”, but it did not specifically recommend terminating all third-party access. DHX-27.) Second, CDK realized that it was not getting all the value it could from 3PA, its third-party access program which is, essentially, the equivalent of Reynolds' RCI. So, after years of touting the benefits of its open system, CDK decided to bring data integration in house and transition toward a closed system.

         D. The defendants' agreements

         CDK's transition to a closed system roughly coincided with CDK and Reynolds signing written agreements in February 2015. The first of the three agreements was a so-called Data Exchange Agreement. Dkt. 106-1. In the Data Exchange Agreement, CDK agreed to wind down certain aspects of DMI, CDK's third-party integrator-specifically, those aspects that involved “hostilely integrating” with the Reynolds system. Reynolds agreed that it would not block DMI's access to the Reynolds system during the wind-down period, which might last as long as five years. And CDK agreed to cooperate with Reynolds to have DMI clients-vendors using DMI to poll data from the Reynolds system-transition to RCI, Reynolds' in-house “data integrator.” Id. §§ 4.1, 4.4. Defendants further agreed that they would not assist any person that attempts to access or integrate with the other party's DMS. Id. § 4.5. This section is described as “not intended as a ‘covenant not to compete, ' but rather as a contractual restriction of access and attempted access intended to protect the operational and data security integrity of the Reynolds DMS and the CDK DMS.” Id. Section 4.5's terms do not expire. Id. § 6.1.

         The remaining agreements in the set-the 3PA Agreement and the RCI Agreement- granted reciprocal access to defendants' in-house data integration platforms. Both Reynolds and CDK provide add-on software applications for dealers, just like third-party vendors. CDK wanted access to the Reynolds DMS for its applications, and Reynolds wanted access to the CDK DMS for its applications. Id. at 2. Under the agreements, CDK's applications could access the Reynolds DMS via RCI, and vice versa. Reynolds received five free years of 3PA access, purportedly as consideration for its allowing DMI's access to the Reynolds system during the wind down. By signing up for 3PA, Reynolds agreed that it would access the CDK DMS exclusively through 3PA, and Reynolds agreed that it would not “otherwise access, retrieve, license, or otherwise transfer any data from or to a CDK System (including, without limitation, pursuant to any ‘hostile interface') for itself or any other entity, ” or contract with any third parties to access the system. Dkt. 106-2, at 5. The RCI Agreement contains similar restrictions: “Non-Approved Access” is any access to the Reynolds DMS made without Reynolds' prior written consent. Dkt. 106-3, § 1.8.

         E. The aftermath

         According to Cottrell, on the heels of the February 2015 agreements, in May 2015, Robert Schaefer, Reynolds' head of data services, told Cottrell that CDK and Reynolds agreed to support one another's data integration programs-3PA and RCI-and block third-party data integrators, like Authenticom. Reynolds was “adamant that all third-party data integrators must be cut off.” Dkt. 62, ¶ 52. Schaefer denies making such statements, although the Reynolds/CDK agreements would essentially have this effect.

         In August 2015, CDK began aggressively blocking Authenticom. Vendors, many of whom were understanding and willing to work with Authenticom following Reynolds' aggressive blocking in 2013, began to move their business elsewhere. According to Cottrell, Authenticom has been unable to attract new vendor customers because it cannot guarantee that it will be able to provide services without access to Reynolds' and CDK's DMSs.

         Cottrell testified that in April 2016, he had a conversation with Dan McCray of CDK. McCray told Cottrell that CDK and Reynolds had agreed to “lock you and the other third parties out.” Id. ¶ 48. According to Cottrell, McCray stated in no uncertain terms that CDK wanted to destroy Authenticom. Like Schaefer, McCray largely denies that CDK and Reynolds agreed to take concerted action, and he denies the more aggressive statements Cottrell attributes to him. But he does concede that he “confirmed that it was CDK's goal to remove all non-authorized access, including the user ID and password access ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.