Malicious, Threats, and Malware: Objective Facts, Not Subjective Opinions 

Enigma Software Grp. USA, LLC v. Malwarebytes, Inc., 21-16466 (9th Cir. June 2, 2023)

Author(s): Lisa Holubar and Ariel Katz
Edited by: 
Jason Keener
June 22, 2023

On June 2, 2023, the Ninth Circuit reversed a dismissal of Plaintiff Enigma Software Group’s (“Enigma”) Lanham Act false advertising and related state law claims against its competitor, Defendant Malwarebytes, Inc. (“Malwarebytes”).  The primary basis for the reversal was that designating Enigma’s products as “malicious,” “threats,” and “malware” were, per the Court, actionable statements of objective fact, subject to being found false, and not merely subjective opinions protected by the First Amendment.  

Both Enigma and Malwarebytes operate in the anti-malware and computer security market.  Among other things, their products help consumers detect and remove malicious software.  In October 2016, Malwarebytes began identifying Enigma’s products as “malware,” “malicious,” “threats,” or a “potentially unwanted program.”   

Malwarebytes won various procedural triumphs in the District Court in California over the last several years, getting the claims dismissed the first time around because the Court found all of Enigma’s claims were barred by Section 230 of the Communications Decency Act of 1996, 47 U.S.C. § 230(c)(2), and the second time around because the Court found the statements were nonactionable opinions.  However, the Ninth Circuit reversed and remanded on both instances, this time finding that Malwarebytes’s statements were actionable statements of objective fact that could be false or misleading.  

While there are five elements to state a claim for false advertising under Section 43(a) of the Lanham Act, the District Court only addressed part of the first element: whether there was a false statement of fact as opposed to an opinion or subjective suggestion.  The District Court found Malwarebytes’s designations of Enigma products as “malware,” “malicious,” “threats,” and “potentially unwanted program” to be subjective opinions, but the Ninth Circuit reversed, in part, finding the first three designations made a claim as to a specific characteristic of a product and were thus actionable statements of fact under the Lanham Act, noting whether or not these claims are true would be tested on the merits.  The Court also noted that on remand, the District Court would need to consider in the first instance whether the statements were “commercial speech,” and whether they deceived a substantial segment of the relevant audience, alternate bases on which Malwarebytes requested dismissal.  

Judge Bumatay, in his dissent, disagreed, noting that flagging a competitor’s products as “threats” or “malicious” are subjective statements and not readily verifiable.  Specifically, he cautioned: “By treating these terms as actionable statements of fact under the Lanham Act, our court sends a chilling message to cybersecurity companies—civil liability may now attach if a court later disagrees with your classification of a program as “malware.” 

Contact the Authors

Name: Lisa Holubar Phone: (312) 667-6086 Email: [email protected]
Name: Ariel Katz Phone: (847) 409-9391 Email: [email protected]