
    BAIDU, INC. and Beijing Baidu Netcom Science & Technology Co., Ltd., Plaintiffs, v. REGISTER.COM, INC., Defendant.
    No. 10 Civ. 444 (DC).
    United States District Court, S.D. New York.
    July 22, 2010.
    
      Paul, Weiss, Rifkind, Wharton & Garrison LLP, by: Carey R. Ramos, Esq., Marc Falcone, Esq., New York, NY, for Plaintiffs.
    Gibson, Dunn & Crutcher LLP, by: Orin Snyder, Esq., Alexander H. Southwell, Esq., New York, NY, for Defendant.
   OPINION

CHIN, Circuit Judge:

Plaintiffs Baidu, Inc. and Beijing Baidu Netcom Science & Technology Co., Ltd. (together, “Baidu”) operate an Internet search engine service in China. Baidu registered its domain name “baidu.com” with defendant Register.com, Inc. (“Register”), a domain name registrar. Register provides its clients, including Baidu, with Internet traffic routing services.

On January 11, 2010, someone engaged in a cyber-attack on Baidu by gaining unauthorized access to Baidu’s account at Register. As a consequence, Internet traffic intended for Baidu’s web site was re-directed to a web page showing an Iranian flag and a broken Star of David and proclaiming: “This site has been hacked by the Iranian Cyber Army.” Web traffic was diverted in this manner for about five hours.

In this case, Baidu sues Register for damages, asserting claims for, inter alia, contributory trademark infringement under the Lanham Act, 15 U.S.C. § 1114(1)(a), breach of contract, and gross negligence and recklessness. Baidu asserts that Register committed gross negligence by failing to follow its own security protocols, and permitting the intruder to gain unauthorized access to Baidu’s confidential and proprietary account information.

Register moves to dismiss the complaint pursuant to Fed.R.Civ.P. 12(b)(6) for failure to state a claim upon which relief may be granted. For the reasons that follow, the motion is granted in part and denied in part. Baidu will be permitted to proceed with its claims of gross negligence, recklessness, and breach of contract.

STATEMENT OF THE CASE

A. The Facts

The facts alleged in the complaint are assumed to be true for purposes of this motion and may be summarized as follows:

1. The Parties

Baidu, Inc. is incorporated under the laws of the Cayman Islands and has its principal place of business in China. (Compl. ¶ 6). Beijing Baidu Netcom Science & Technology Co., Ltd. is incorporated under the laws of China and has its principal place of business in China. (Id. ¶ 7). Baidu is the third largest search engine service provider in the world and the largest in China, with an estimated more than 70% share of the Chinese-language market. (Id. ¶ 13). Baidu owns the registered trademark “Baidu” and the domain name “baidu.com.” (Id. ¶¶ 15, 16). It generates revenue through the public’s use of its search engine service on its web site. (Id. ¶¶ 14, 24).

Register is incorporated under Delaware law and has its principal place of business in New York. (Id. ¶ 8). Register is an accredited domain name registrar and provides domain name registration, Internet traffic routing, and related services for its customers. (Id. ¶ 16).

2. Baidu’s Relationship with Register

Baidu registered its domain name with Register in 1999. (Id. ¶ 16; see Jacobson Decl. ¶ 3). The parties entered into a series of written agreements; the currently operative agreement is the Master Services Agreement dated December 18, 2009 (the “MSA”). (Compl. ¶¶ 11, 16; see Jacobson Decl. ¶ 4 & Ex. A).

Under the MSA, Baidu agreed to use Register’s services “entirely at [Baidu’s] own risk.” (MSA at 9). The MSA includes a “Limitation of Liability” clause limiting Register’s liability for the use by customers of its “Services.” The clause provides in part as follows:

You agree that [Register] will not be liable, under any circumstances, for any (a) termination, suspension, loss, or modification of your Services, (b) use of or the inability to use the Service(s), (c) interruption of business, (d) access delays or access interruptions to this site or a service (including, without limitation, to web site(s) accessed by the domain name registered in your name), ... (f) events beyond [Register’s] ... reasonable control, ... (j) transactions conducted on a user web site, including fraudulent transactions, (k) loss incurred in connection with your service(s) including in connection with e-commerce transactions, (l) unauthorized access to or alteration of your transmissions or data, (m) statements or conduct of any third party using your service(s), or (n) any other matter relating to your use of the Service(s). [Register] also will not be liable for any indirect, special, incidental, or consequential damages of any kind (including lost profits, goodwill, data, the cost of replacement goods or services, or other intangible losses) regardless of the form of action whether in contract, tort (including negligence), or otherwise, even if [Register] has been advised of the possibility of such damages. In no event shall [Register’s] maximum aggregate liability exceed the total amount paid by you for the Services, but in no event greater than five hundred dollars ($500). Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, in such states, our liability is limited to the maximum extent permitted by law.

(Id.).

With respect to user names and passwords, the MSA provides that it is the customer’s “responsibility to safeguard the User name, password and any secret question/secret answer you select from any unauthorized use.” (Id. at 6). The MSA provides: “In no event will [Register] be liable for the unauthorized use or misuse of your user name or password.” (Id.). The MSA also provides that the customer is “responsible for maintaining the security of your account.” (Id.).

The MSA provides, with certain exceptions not applicable here, that New York law will govern. (Id. at 10).

3. The Cyber-Attack

On January 11, 2010, at approximately 5:03 p.m. EST, an unauthorized individual falsely claiming to be an agent of Baidu (the “Intruder”) contacted Register through a “ ‘tech support’ Internet chat” service operated by Register. The Intruder asked to change the email address on file for Baidu. The Register service representative (the “Rep”) asked the Intruder to provide security verification information. The Intruder gave an incorrect answer, but the Rep nonetheless emailed a security code to the email address that Baidu had on file. The Rep then asked the Intruder to repeat the security code back via the Internet chat. (Compl. ¶ 18). Because the Intruder did not have access to Baidu’s email account, he did not receive the security code. Instead, he responded with a different and inaccurate code. The Rep did not compare the two codes, and, even though the codes did not match, the Rep changed the email address on file for Baidu to the new email address provided by the Intruder: “antiwahabi2008@gmail.com.” (Id. ¶ 19). “Gmail.com” is the domain name of a competitor of Baidu, while Baidu’s original email address on file used its own “baidu.com” domain name. (Id. ¶ 20).

The change in email address gave the Intruder the ability to access Baidu’s account with Register. The Intruder went to Register’s web site and requested access to the Baidu account. Register’s system asked the Intruder for Baidu’s user name and password, and the Intruder responded by clicking on the automated “forgot password” function. Baidu’s user name was then sent to the new email address, “antiwahabi2008@gmail.com,” along with a web link allowing the Intruder to change Baidu’s account password, enabling him to gain access to the account. (Id. ¶ 21).

The Intruder was then able to re-route Internet traffic from Baidu’s web site to the “Iranian Cyber Army” site. (Id. ¶ 22). By 5:48 p.m. EST, Internet users attempting to access Baidu’s web site to use the Baidu search engine were routed instead to the “rogue” web site. (Id.).

Baidu contacted a Register online chat representative, but the representative refused to help. Baidu tried to contact Register by telephone, but was unsuccessful. Register did not begin to address the problem until two hours after first being contacted by Baidu. (Id. ¶ 23). Baidu’s operations were interrupted for five hours and its operations did not fully resume for two days. As a consequence, Baidu suffered “serious and substantial injury to [its] reputation and business,” including “millions” in lost revenue and out-of-pocket costs. (Id. ¶¶ 5, 24).

B. Prior Proceedings

Baidu commenced this action on January 19, 2010, invoking both federal question and diversity jurisdiction. (Id. ¶ 9). The complaint asserts seven counts: contributory trademark infringement under the Lanham Act, breach of contract, gross negligence or recklessness, tortious conversion, aiding and abetting tortious conversion, aiding and abetting trespass, and breach of duty of bailment.

This motion followed.

DISCUSSION

First, I set forth the standards governing motions to dismiss under Rule 12(b)(6) of the Federal Rules of Civil Procedure. Second, I address the principal issue presented: whether the limitation of liability clause in the MSA bars Baidu’s claims as a matter of law. Third, I consider Baidu’s claim for contributory trademark infringement under the Lanham Act. Finally, I discuss Baidu’s remaining claims.

A. Motions To Dismiss

To survive a motion to dismiss pursuant to Rule 12(b)(6), “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ ” Ashcroft v. Iqbal, — U.S. —, 129 S.Ct. 1937, 1949, 173 L.Ed.2d 868 (2009) (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)).

The Supreme Court in Iqbal set out a “two-pronged” approach for courts considering a motion to dismiss. Id. at 1950. First, the court accepts plaintiff’s factual allegations as true and draws all reasonable inferences in its favor. See id.; see also Vietnam Ass’n for Victims of Agent Orange v. Dow Chem. Co., 517 F.3d 104, 115 (2d Cir.2008). The court considers only the factual allegations in the complaint and “any documents that are either incorporated into the complaint by reference or attached to the complaint as exhibits” or otherwise properly considered. Blue Tree Hotels Inv. (Can.), Ltd. v. Starwood Hotels & Resorts Worldwide, Inc., 369 F.3d 212, 217 (2d Cir.2004); see also Prentice v. Apfel, 11 F.Supp.2d 420, 424 (S.D.N.Y.1998) (citing Brass v. Am. Film Techs., Inc., 987 F.2d 142, 150 (2d Cir. 1993)). Legal conclusions must be supported by factual allegations. Iqbal, 129 S.Ct. at 1949. Pleadings that are “no more than conclusions are not entitled to the assumption of truth.” Id. at 1950. “ ‘[B]ald contentions, unsupported characterizations, and legal conclusions are not well-pleaded allegations,’ ” and will not defeat the motion. Gavish v. Revlon, Inc., No. 00 Civ. 7291(SHS), 2004 WL 2210269, at *10 (S.D.N.Y. Sept. 30, 2004) (quoting Citibank, N.A. v. Itochu Int’l, Inc., No. 01 Civ. 6007(GBD), 2003 WL 1797847, at *1 (S.D.N.Y. Apr. 4, 2003)).

Second, the court determines whether the allegations “plausibly give rise to an entitlement to relief.” Iqbal, 129 S.Ct. at 1949. A plausible claim “pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. at 1949 (citing Twombly, 550 U.S. at 556, 127 S.Ct. 1955). “The plausibility standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. (citing Twombly, 550 U.S. at 556, 127 S.Ct. 1955). Determining plausibility is a “context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Id. at 1950.

Accordingly, dismissal of a complaint under Rule 12(b)(6) is appropriate only if, drawing all reasonable inferences in favor of the plaintiff, the complaint fails to allege facts that would give rise to a plausible claim for relief.

B. The Limitation of Liability Defense

1. Applicable Law

Contractual provisions that “clearly, directly and absolutely” limit liability for “any act or omission” are enforceable, “especially when entered into at arm’s length by sophisticated contracting parties.” Kalisch-Jarcho, Inc. v. City of New York, 58 N.Y.2d 377, 384, 461 N.Y.S.2d 746, 448 N.E.2d 413 (1983). Courts in New York generally enforce contractual waivers or limitations of liability. See, e.g., Indus. Risk Insurers v. Port Auth. of N.Y. & N.J., 387 F.Supp.2d 299, 307 (S.D.N.Y. 2005) (“[P]arties, especially those of equal bargaining power, should be able to rely upon the general New York rule that enforces contracts for the release of claims of liability.”); Metro. Life Ins. Co. v. Noble Lowndes Int’l, Inc., 84 N.Y.2d 430, 436, 618 N.Y.S.2d 882, 643 N.E.2d 504 (1994) (“A limitation on liability provision in a contract represents the parties’ agreement on the allocation of the risk of economic loss in the event that the contemplated transaction is not fully executed, which the courts should honor....”); Moore v. Microsoft Corp., 293 A.D.2d 587-588, 741 N.Y.S.2d 91 (2d Dep’t 2002) (enforcing waiver of liability clause in click-through agreement).

On the other hand, in certain circumstances contractual limitations of liability will not be enforced. As the New York State Court of Appeals has held:

[A]n exculpatory agreement, no matter how flat and unqualified its terms, will not exonerate a party from liability under all circumstances. Under announced public policy, it will not apply to exemption of willful or grossly negligent acts. More pointedly, an exculpatory clause is unenforceable when ... the misconduct for which it would grant immunity ... betokens a reckless indifference to the rights of others.

Kalisch-Jarcho, 58 N.Y.2d at 384-85, 461 N.Y.S.2d 746, 448 N.E.2d 413 (citations omitted). In other words, New York courts will decline to enforce a contractual limitation or waiver of liability clause when there is willful or grossly negligent or recklessly indifferent conduct. Id. A claim of gross negligence requires a plaintiff to prove that the defendant failed to “exercise even slight care, scant care, or slight diligence,” Fed. Ins. Co. v. Honeywell, Inc., 641 F.Supp. 1560, 1563 (S.D.N.Y. 1986), or that the defendant’s actions “evince[d] a reckless disregard for the rights of others,” Colnaghi, U.S.A., Ltd. v. Jewelers Protection Servs., Ltd., 81 N.Y.2d 821, 823, 595 N.Y.S.2d 381, 611 N.E.2d 282 (1993).

The gross negligence exception applies even to contracts between sophisticated commercial parties, although a “more exacting standard of gross negligence” must be satisfied. Alitalia Linee Aeree Italiane, S.p.A. v. Airline Tariff Publ’g Co., 580 F.Supp.2d 285, 294 (S.D.N.Y.2008); accord Convergia Networks, Inc. v. Huawei Techs. Co., No. 06 Civ. 6191(PKC), 2008 WL 4787503, at *5 n. 5 (S.D.N.Y. Oct. 30, 2008) (“Between sophisticated parties to a commercial contract, New York would allow the avoidance of a limit on consequential damages in narrow circumstances.”); Indus. Risk Insurers, 387 F.Supp.2d at 307; SNS Bank, N.V. v. Citibank, N.A., 7 A.D.3d 352, 355, 777 N.Y.S.2d 62 (1st Dep’t 2004). In these circumstances, the defendant’s conduct must amount to “intentional wrongdoing,” “willful” conduct that is “fraudulent, malicious or prompted ... by one acting in bad faith,” or conduct constituting gross negligence or “reckless indifference to the rights of others.” Banc of Am. Sec. LLC v. Solow Bldg. Co. II, L.L.C., 47 A.D.3d 239, 244, 847 N.Y.S.2d 49 (1st Dep’t 2007) (citations omitted); accord Indus. Risk Insurers, 387 F.Supp.2d at 311 (“the gross negligence alleged must ‘smack[ ] of intentional wrongdoing’ ” (quoting Colnaghi, 81 N.Y.2d at 823-24, 595 N.Y.S.2d 381, 611 N.E.2d 282)).

Intervening criminal action by a third party does not cut off liability for gross negligence when that criminal action was reasonably foreseeable. See Koch v. Consol. Edison Co. of N.Y., Inc., 62 N.Y.2d 548, 560, 479 N.Y.S.2d 163, 468 N.E.2d 1 (1984); Levin v. Eleto Realty Corp., 157 Misc. 180, 283 N.Y.S. 105, 108 (N.Y.Mun. Ct.1935).

2. Application

I hold that Baidu has alleged sufficient facts in its complaint to give rise to a plausible claim of gross negligence or recklessness. If these facts are proven they would provide a sufficient basis for a jury to find that Register acted in a grossly negligent or reckless manner, in which event the limitation of liability clause in the MSA would be ineffective.

The complaint presents specific factual allegations that would support a finding of gross negligence or reckless indifference, including the following:

• Although the Intruder gave the Rep an incorrect response to the security question, the Rep nonetheless proceeded with processing the Intruder’s request to change Baidu’s email address;
• When the Intruder sent the Rep a bogus security code, the Rep did not notice that it was the wrong code, apparently because the Rep did not even bother to check it against the original security code;
• When the Intruder gave “antiwahabi2008@gmail.com” as the proposed new email address, the Rep failed to question the legitimacy of the email address, which contained an unusual and unlikely user name and the domain name of a Baidu competitor instead of the Baidu domain name; and
• Register then provided the Intruder with Baidu’s user name, enabling the Intruder to change the password and hack into Baidu’s account to re-route traffic to the wrong web site.

If these allegations are proven, then Register failed to follow its own security protocols and essentially handed over control of Baidu’s account to an unauthorized Intruder, who engaged in cyber vandalism. On these facts, a jury surely could find that Register acted in a grossly negligent or reckless manner. See Green v. Holmes Protection of N.Y., Inc., 216 A.D.2d 178, 629 N.Y.S.2d 13 (1st Dep’t 1995) (holding limitation of liability clause was not enforceable where alarm company was grossly negligent when it gave burglars keys to store and security codes to disengage alarm and failed to respond promptly when crime was discovered).

Register argues that the complaint alleges “at most—an inadvertent and isolated mistake by a Register customer service agent” rather than intentional wrongdoing or reckless disregard. (Def. Mem. at 13). Indeed, Register contends that it, too, was a “victim[ ]” of the attack, and that “Register itself was criminally victimized by the cyber-attacker.” (Id. at 12; see also id. at 6 (“On January 11, 2010, a cyber-criminal attacked Register, gaining unauthorized access to Baidu’s account .... ”)). These arguments are unconvincing. If Register had simply followed its own security protocols, the attack surely would have been averted and neither Register nor Baidu would have been victimized. Moreover, the Rep’s failure to even look at the security code sent back by the Intruder “smacks of” intentional wrongdoing; at a minimum, a jury could reasonably find that it reflected a “reckless disregard for the rights of others.”

Register argues that, in light of the provision in the MSA that Baidu would be “responsible for maintaining the security of [its] account,” Register had no legal duty to provide web site security. (Def. Mem. at 4). This may be true as a general matter, but Register did undertake to provide web site security and established protocols to do so. See Morgan Stanley & Co. v. J.P. Morgan Chase Bank, 645 F.Supp.2d 248, 256 (S.D.N.Y.2009) (“Under New York law, anyone who voluntarily assumes a duty can be held liable for negligence in the performance of that duty.”); Hilts v. Bd. of Educ. of Gloversville Enlarged School Dist., 50 A.D.3d 1419, 1420, 857 N.Y.S.2d 292 (3d Dep’t 2008) (“it is well settled that once a person voluntarily undertakes acts for which he or she has no legal obligation, that person must act with reasonable care or be subjected to liability for negligent performance of the assumed acts”). The attack by the Intruder was reasonably foreseeable— it was precisely because these cyber attacks are foreseeable that the security measures were adopted. While Baidu gave up, in agreeing to the Limitation of Liability clause, any claims for ordinary negligence or breach of contract based on ordinary negligence, it did not waive its claims for gross negligence or recklessness. If Baidu can prove gross negligence or recklessness, the Limitation of Liability clause will not be a bar.

Register’s motion to dismiss is denied as to counts two (breach of contract) and three (gross negligence/recklessness), although Baidu must prove gross negligence or recklessness to prevail on either count.

C. The Lanham Act Claim

In count one of the complaint, Baidu alleges that Register engaged in “contributory trademark infringement” in violation of the Lanham Act. (Compl. ¶¶ 25-33). Baidu alleges that the Intruder’s use of the trademark “Baidu” in the domain name “baidu.com” on January 11, 2010, constituted trademark infringement, and that Register facilitated that infringement by providing the Intruder with access to Baidu’s account at Register. (Id. ¶¶ 28-31). Register moves to dismiss the trademark claim on the grounds that (i) it is statutorily immune from liability for trademark infringement, and (ii) the complaint fails to state a claim for contributory trademark infringement.

The first prong of the motion fails, as the statutory immunity for domain registrars is inapplicable. The Lanham Act provides that:

A domain name registrar, a domain name registry, or other domain name registration authority shall not be liable for damages under this section for the registration or maintenance of a domain name for another absent a showing of bad faith intent to profit from such registration or maintenance of the domain name.

15 U.S.C. § 1114(2)(D)(iii) (emphasis added). As the underlined words make clear, domain registrars are granted immunity for registering or maintaining a domain name for another. See S.Rep. No. 106-140, at 11 (1999) (domain registrars are granted immunity to “promote[ ] the continued ease and efficiency users of the current registration system enjoy by codifying current case law limiting the secondary liability of domain name registrars and registries for the act of registration of a name”) (citing Panavision Int’l v. Toeppen, 141 F.3d 1316, 1319 (9th Cir.1998)).

Here, Register was not registering or maintaining a domain name when it allowed the Intruder to take control of Baidu’s account. See Solid Host, NL v. Namecheap, Inc., 652 F.Supp.2d 1092, 1104 (C.D.Cal.2009) (domain registrar is immune when “it acts as a registrar, i.e., when it accepts registrations for domain names from customers”). Its purportedly wrongful actions occurred long after the registration of Baidu’s domain name. Moreover, while Register’s actions arguably concerned the maintenance of Baidu’s account with Register, they did not concern the maintenance of Baidu’s domain name. Rather, the alleged malfeasance occurred in the context of security protocols and access to an account. Register’s challenged actions went well beyond those of a mere registrar. The immunity defense is rejected.

As to the second prong of the motion, however, I conclude that Baidu fails to state a claim for contributory trademark infringement. Secondary liability for infringement arises when “a manufacturer or distributor intentionally induces another to infringe a trademark, or ... continues to supply its product to one whom it knows or has reason to know is engaging in trademark infringement.” Inwood Labs., Inc. v. Ives Labs., Inc., 456 U.S. 844, 854, 102 S.Ct. 2182, 72 L.Ed.2d 606 (1982). The Inwood test was applied by the Seventh Circuit in the trademark context to the owner of a “flea market” where vendors were selling infringing tee-shirts; the flea market operator was held liable for the infringement because it knew or had reason to know that the infringement was occurring on its premises. See Hard Rock Café Licensing Corp. v. Concession Servs., Inc., 955 F.2d 1143, 1149 (7th Cir.1992); accord Lockheed Martin Corp. v. Network Solutions, Inc., 194 F.3d 980, 984 (9th Cir.1999) (“Direct control and monitoring of the instrumentality used by a third party to infringe the plaintiff’s mark permits the expansion of Inwood Lab.’s ‘supplies a product’ requirement for contributory infringement.”). In Tiffany (NJ) Inc. v. eBay, Inc., the Second Circuit assumed, without deciding the issue, that Inwood applied to the on-line market in the Internet context. 600 F.3d 93, 105-06 (2d Cir.2010). The Second Circuit held:

For contributory trademark infringement liability to lie, a service provider must have more than a general knowledge or reason to know that its service is being used to sell counterfeit goods. Some contemporary knowledge of which particular listings are infringing or will infringe in the future is necessary.

Id. at 107. Accordingly, for a service provider to be secondarily liable for infringing acts of another, it must know or have reason to know of the infringement. Id. at 108. The Court held that eBay was not contributorially liable for trademark infringement with respect to counterfeit Tiffany goods sold by others on eBay. Id. The Court also rejected a “willful blindness” argument. Acknowledging that a provider may not “shield” itself from liability by “looking the other way,” the court held that eBay’s knowledge “as a general matter that counterfeit Tiffany products were listed and sold” on its web site was insufficient to trigger liability. Id. at 110.

Here, despite its purported failings, Register did not induce the Intruder to engage in trademark infringement, nor did it monitor or control the Intruder, nor did it know or have reason to know that the Intruder was engaging in or would engage in trademark infringement. Indeed, although it may have no one to blame other than itself, Register was tricked by the Intruder, and Baidu has not alleged facts from which a jury could find that Register “directly controlled, monitored and assisted the [Intruder’s] method of infringement.” (Compl. ¶ 31). Nor could Baidu plausibly allege any knowledge by Register in this respect other than general knowledge of the risks of cyber-attacks. While Baidu plausibly alleges that Register’s gross negligence or recklessness allowed the Intruder to gain control of its account, Baidu does not plausibly allege that Register engaged in contributory trademark infringement.

The first count is dismissed.

D. The Remaining Claims

Baidu also asserts claims for tortious conversion, aiding and abetting tortious conversion, aiding and abetting trespass, and breach of duty of bailment. These claims are dismissed. They plead essentially the same acts as counts two and three, and are redundant and not independently viable. See Consol. Edison Co. of N.Y. v. Port Auth. of N.Y. & N.J., 640 F.Supp.2d 323, 341 (S.D.N.Y.2009). To the extent that Baidu argues anything less than gross negligence or recklessness, the claims would be barred by the Limitation of Liability clause, for the reasons discussed above. This is not a case where Baidu can fail on its gross negligence and breach of contract claims and still prevail on a conversion, trespass, or bailment claim. Accordingly, counts four, five, six, and seven of the complaint are dismissed.

CONCLUSION

For the foregoing reasons, Register’s motion is granted in part and denied in part. Counts one, four, five, six, and seven of the complaint are dismissed. Baidu may proceed with counts two and three. The parties shall appear for a pretrial conference on August 11, 2010, at 2:30 p.m.

SO ORDERED. 
      
The complaint refers to the “contract at issue” and asserts a breach of contract claim (Compl. ¶¶ 11, 34-38) and thus the MSA is deemed incorporated into the complaint by reference.
     
      
References to the MSA are to the pages of the version attached to the Jacobson Declaration as Exhibit A. For ease of reading, I have eliminated the all-capitalization that appears in some of the clauses.
     
      
The complaint does not give the two codes. In its memorandum of law in support of its motion to dismiss, Register contends that the two codes are “similar.” (Def. Mem. at 6). As Baidu points out, they are not similar other than that they were both eight-digit numbers: the Register agent sent the code “81336134” to Baidu's email address, while the Imposter responded with the code “96879818.” (Ramos Decl. ¶ 3).
     
      
The MSA provides for the application of New York law, and both sides rely on New York law. (See Def. Mem. at 8-15; Pl. Mem. at 7-13).
     
      
See, e.g., Michael Ena, Securing Online Transactions: Crime Prevention Is the Key, 35 Fordham Urb. L.J. 147, 149 (2008) (“The global nature of the Internet exposes online businesses to attacks by cybercriminals of all types from all over the world.”); John Markoff, Study Finds Growing Fear of Cyberattacks, N.Y. Times, Jan. 28, 2010, available at http://www.nytimes.com/2010/02/02/us/29cyber.html (last visited Jul. 19, 2010).
     
      
Register argues that the tort claims must be dismissed as duplicative of the contract claim. (Def. Mem. at 15). I do not decide the question now as to counts two and three. Permitting both these counts to remain in the case will not expand discovery. Register may renew the argument at the summary judgment stage of the case or at trial.
     