Private members-only forum

Customer scraping our SaaS data - breach of ToS enough to sue?

Started by beyond_a_doubt_31 · May 6, 2025 · 4 replies
For informational purposes only. Not legal advice.
beyond_a_doubt_31 OP

We run a B2B data platform. One of our customers (paying us $500/mo) has been systematically scraping our entire database and - this is the infuriating part - reselling it as their own product. We found out because someone forwarded us their sales deck and it's literally our data with their logo slapped on it.

Our ToS explicitly prohibits: automated scraping, bulk downloading, redistribution, and creating derivative products. They've violated all of it.

Question: is breach of ToS enough to sue? What are the realistic options here? We're a small team, can't afford massive litigation but this is killing us.

the_peoples_lawyer_3

Dealt with almost exactly this 2 years ago. Someone bought our cheapest plan and scraped everything.

What actually worked: 1) Killed their access immediately, 2) Lawyer sent cease and desist demanding they destroy all copies and cease sales, 3) They complied within a week because they didn't want the legal exposure.

Total cost was like $2k in legal fees. Way cheaper than suing and we got the outcome we needed.

Caveat: they were a small operation. If you're dealing with a well-funded competitor they might call your bluff. But most scrapers fold when they realize you're serious.

definitely_overreacting_1

Not a lawyer but from the technical side: you should be implementing rate limiting, API usage tracking, and anomaly detection yesterday. If someone is pulling your entire DB you should know about it in real time not after they're already selling it.

Also helps your legal case - you can show exactly what they accessed, when, and how much. Courts like detailed evidence.

Going forward: require API access agreements for anyone pulling more than X records. Separate ToS from technical access controls. Make scraping not just a ToS violation but technically difficult.

beyond_a_doubt_31 OP

Thanks all - this is really helpful. We've already killed their access.

@what_do_i_do_now_14 quick question: should we try reaching out directly first or go straight to formal C&D? Part of me wants to give them a chance to do the right thing but I don't want to look weak or mess up our legal position.

@definitely_overreacting_1 you're absolutely right, lesson learned. Already talking to our eng team about better monitoring. The frustrating thing is we DID have rate limits but they stayed just under them and scraped slowly over months. Sophisticated operation.
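
The slow, under-the-limit scraping described in the two posts above shows up when you track how much of the catalog each account has touched over a long window, not how fast it is pulling. This is an added example, not code posted by anyone in this thread; the log tuple layout, thresholds, account names and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

def coverage_report(events, catalog_size, daily_limit, coverage_alert=0.5):
    """events: iterable of (account, day, record_id) from API access logs
    (assumed layout). Returns {account: stats} with peak daily volume, the
    fraction of the catalog touched over the window, and the repeat ratio."""
    seen = defaultdict(set)                          # account -> distinct record ids
    per_day = defaultdict(lambda: defaultdict(int))  # account -> day -> requests
    total = defaultdict(int)                         # account -> total requests
    for account, day, record_id in events:
        seen[account].add(record_id)
        per_day[account][day] += 1
        total[account] += 1
    report = {}
    for account, ids in seen.items():
        peak = max(per_day[account].values())
        coverage = len(ids) / catalog_size
        report[account] = {
            "peak_daily": peak,
            "under_rate_limit": peak <= daily_limit,
            "coverage": round(coverage, 3),
            # Normal users re-read a small working set; a harvester rarely repeats.
            "repeat_ratio": round(1 - len(ids) / total[account], 3),
            # Alert on cumulative coverage, which a per-day rate limit never sees.
            "alert": coverage >= coverage_alert,
        }
    return report

def constructed_events():
    """Constructed sample data: 10,000-record catalog, 90 days of logs."""
    start = date(2025, 1, 1)
    events = []
    for d in range(90):
        day = start + timedelta(days=d)
        # acct_slow: 100 new records a day, walking the catalog in order.
        events += [("acct_slow", day, d * 100 + i) for i in range(100)]
        # acct_normal: 150 requests a day, but over the same 300 records.
        events += [("acct_normal", day, (d * 7 + i) % 300) for i in range(150)]
    return events

if __name__ == "__main__":
    rows = coverage_report(constructed_events(), 10_000, daily_limit=200)
    for acct, row in rows.items():
        print(acct, row)
```

In the sample data the account that alerts makes fewer requests per day than the normal one; the per-account record sets also double as the "what they accessed, when, and how much" evidence mentioned earlier in the thread.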

what_do_i_do_now_14 Attorney

@beyond_a_doubt_31 Go straight to formal C&D from an attorney. Here's why:

1. A casual "hey stop that" email doesn't create the same paper trail. You want documented notice of the violation.

2. It doesn't make you look weak - it makes you look like you take this seriously and have legal resources. That's intimidating.

3. If they ignore it and you do sue, "we sent formal legal demand and they ignored it" looks much better to a judge than "we sent a friendly email."

4. C&D typically includes demand to preserve evidence, destruction certification, and sometimes a deadline for response. Informal email doesn't cover any of that.

Re: damages - start documenting everything now. Any customers who left for their competing product, server costs, employee time spent investigating. If your ToS has a fee-shifting provision (loser pays attorney fees), make sure to reference that in the C&D.