
Customer scraping our SaaS data - breach of ToS enough to sue?

Started by saas_founder_2024 · Dec 18, 2025 · 5 replies
For informational purposes only. Not legal advice.
saas_founder_2024 OP

We run a B2B data platform. One of our customers (paying us $500/mo) has been systematically scraping our entire database and - this is the infuriating part - reselling it as their own product. We found out because someone forwarded us their sales deck and it's literally our data with their logo slapped on it.

Our ToS explicitly prohibits: automated scraping, bulk downloading, redistribution, and creating derivative products. They've violated all of it.

Question: is breach of ToS enough to sue? What are the realistic options here? We're a small team, can't afford massive litigation but this is killing us.

TechLawyer Attorney

Yes, you have claims. Let me break down your options:

Breach of Contract: This is your strongest claim. ToS is a contract. If they agreed to it (clickwrap, browsewrap, or signed) and violated specific provisions, that's breach. You'll need to prove damages - what have you lost? Lost sales to their competing product? Server costs from their scraping? Diminished value of your data?

CFAA (Computer Fraud and Abuse Act): This used to be a go-to but got weaker after the Van Buren Supreme Court decision (2021). CFAA now really focuses on accessing systems without ANY authorization. Your customer was authorized to access - they just misused that access. Breach of contract is cleaner.

Other potential claims: Unfair competition, tortious interference (if they're stealing your customers), possibly trade secret misappropriation if your data qualifies.

Practical reality: Litigation is expensive and slow. Before you go there, terminate their account immediately and send a strong cease and desist letter. Many of these situations resolve with a C&D + threat of litigation.

DataPlatformCTO

Dealt with almost exactly this 2 years ago. Someone bought our cheapest plan and scraped everything.

What actually worked: 1) Killed their access immediately, 2) Lawyer sent cease and desist demanding they destroy all copies and cease sales, 3) They complied within a week because they didn't want the legal exposure.

Total cost was like $2k in legal fees. Way cheaper than suing and we got the outcome we needed.

Caveat: they were a small operation. If you're dealing with a well-funded competitor they might call your bluff. But most scrapers fold when they realize you're serious.

BackendEngineer_M

Not a lawyer but from the technical side: you should be implementing rate limiting, API usage tracking, and anomaly detection yesterday. If someone is pulling your entire DB you should know about it in real time not after they're already selling it.

Also helps your legal case - you can show exactly what they accessed, when, and how much. Courts like detailed evidence.

Going forward: require API access agreements for anyone pulling more than X records. Separate ToS from technical access controls. Make scraping not just a ToS violation but technically difficult.

saas_founder_2024 OP

Thanks all - this is really helpful. We've already killed their access.

@TechLawyer quick question: should we try reaching out directly first or go straight to formal C&D? Part of me wants to give them a chance to do the right thing but I don't want to look weak or mess up our legal position.

@BackendEngineer_M you're absolutely right, lesson learned. Already talking to our eng team about better monitoring. The frustrating thing is we DID have rate limits but they stayed just under them and scraped slowly over months. Sophisticated operation.
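
Added example, not part of any post in this thread: the monitoring gap described in the two posts above (rate limits that a slow scraper stays under) can be closed by tracking how much of the catalog each account has touched over time, not only how fast it requests. The log format, the constants and the account names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

DAILY_LIMIT = 500      # assumed per-account rate limit (requests/day)
CATALOG_SIZE = 10_000  # assumed number of records in the dataset
COVERAGE_ALERT = 0.25  # assumed: alert once one account has touched 25% of the catalog


def find_slow_scrapers(events, catalog_size=CATALOG_SIZE, alert_at=COVERAGE_ALERT):
    """events: chronological (customer_id, day, record_id) tuples from the API access log."""
    seen = defaultdict(set)                        # account -> distinct record ids ever fetched
    daily = defaultdict(lambda: defaultdict(int))  # account -> day -> request count
    alert_day = {}                                 # account -> first day coverage crossed alert_at
    for customer, day, record_id in events:
        seen[customer].add(record_id)
        daily[customer][day] += 1
        if customer not in alert_day and len(seen[customer]) / catalog_size >= alert_at:
            alert_day[customer] = day
    return {
        c: {
            "alert_day": d,                               # when the alert would have fired
            "coverage": len(seen[c]) / catalog_size,      # share of catalog touched overall
            "peak_daily": max(daily[c].values()),         # busiest day, to compare with the limit
            "under_rate_limit": max(daily[c].values()) < DAILY_LIMIT,
        }
        for c, d in alert_day.items()
    }


def constructed_log(days=90):
    """Constructed sample: two accounts, both always below DAILY_LIMIT."""
    start = date(2025, 1, 1)
    events = []
    for n in range(days):
        day = start + timedelta(days=n)
        # Normal usage: 200 requests/day, re-reading the same 40 records.
        events += [("cust_normal", day, i % 40) for i in range(200)]
        # Low-and-slow scrape: 100 requests/day, each for a record not fetched before.
        events += [("cust_scraper", day, n * 100 + i) for i in range(100)]
    return events


if __name__ == "__main__":
    for customer, info in find_slow_scrapers(constructed_log()).items():
        print(customer, info)
```

In the constructed log the busier account is the legitimate one; only the cumulative distinct-record count separates the two, and the per-account record sets double as the access evidence mentioned above.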

TechLawyer Attorney

@saas_founder_2024 Go straight to formal C&D from an attorney. Here's why:

1. A casual "hey stop that" email doesn't create the same paper trail. You want documented notice of the violation.

2. It doesn't make you look weak - it makes you look like you take this seriously and have legal resources. That's intimidating.

3. If they ignore it and you do sue, "we sent formal legal demand and they ignored it" looks much better to a judge than "we sent a friendly email."

4. C&D typically includes demand to preserve evidence, destruction certification, and sometimes a deadline for response. Informal email doesn't cover any of that.

Re: damages - start documenting everything now. Any customers who left for their competing product, server costs, employee time spent investigating. If your ToS has a fee-shifting provision (loser pays attorney fees), make sure to reference that in the C&D.
