Grifo & Company PLLC v. Cloud X Partners Holdings, LLC f/k/a InsynQ, LLC
Filing
10
OPINION AND ORDER granting in part and denying in part 3 Defendant's Motion to Dismiss. Signed by District Judge Robert H. Cleland. (LWag)
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.131
Page 1 of 24
UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF MICHIGAN
SOUTHERN DIVISION
______________________________________________________________________
GRIFO & COMPANY, PLLC,
Plaintiff,
v.
Case No. 20-10858
CLOUD X PARTNERS HOLDINGS, LLC,
f/k/a INSYNQ, LLC,
Defendant.
__________________________________/
OPINION AND ORDER GRANTING IN PART AND DENYING IN PART
DEFENDANT’S MOTION TO DISMISS
Plaintiff Grifo & Company, PLLC, brings this action for breach of contract,
negligence, and gross negligence. (ECF No. 1-1, PageID.16-21.) Defendant Cloud X
Partners Holdings, LLC, provided “virtual desktop and cloud data-hosting services,”
which Plaintiff allegedly utilized to store substantial amounts of business data. (Id.,
PageID.10-11, ¶¶ 20-27.) Defendant was subject to a cyberattack and Plaintiff’s data
was damaged or lost. (Id., PageID.12, ¶ 32.)
In lieu of filing an answer, Defendant moves to dismiss the complaint. Fed. R.
Civ. P. 12(b). (ECF No. 3.) The matter has been thoroughly briefed. (ECF Nos. 5, 6, 8.)
The court has reviewed the record and finds a hearing to be unnecessary. E.D. Mich.
L.R. 7.1(f)(2). For the reasons provided below, the court will grant in part and deny in
part Defendant’s motion.
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.132
Page 2 of 24
I. BACKGROUND
The following are facts as alleged in Plaintiff’s complaint. In a motion to dismiss,
the court accepts Plaintiff’s factual allegations as true but makes no overt finding as to
truth or falsity. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009).
Plaintiff is an accounting firm that was looking for a company to host its data.
(ECF No. 1-1, PageID.9-10, ¶¶ 13, 21.) On July 10, 2017, Plaintiff and Defendant
executed a “Member Order” whereby Plaintiff and its employees could access a virtual
desktop with software used in its accounting practice and Plaintiff could store data on
Defendant’s network. (Id., PageID.10-11, ¶¶ 26, 27.) Plaintiff agreed to pay Defendant a
monthly membership fee of $594. (Id., PageID.11, ¶ 28.) The agreement was renewed
on an annual basis and was in place for the duration of the events giving rise to this
action. (Id., ¶¶ 29, 30.)
The Member Order states that the agreement “is subject to the included . . .
Information Privacy Security Policy.” (Id., ¶ 31; id., PageID.25.) The order also states
that “[Defendant] is not responsible for the availability of Subscriber Data.” (Id.,
PageID.25.) Plaintiff attached the Member Order and the Information Privacy Security
Policy to its complaint. (Id., PageID.25-40.)
On or around July 6, 2019, a cybercriminal embedded a “ransomware” virus in
Defendant’s internal systems. (Id., PageID.12, ¶ 32.) After ten days, on July 16, 2019,
the ransomware was deployed. (Id., ¶ 35.) The virus sealed off and encrypted data
hosted on Defendant’s servers; the cybercriminal demanded payment to remove the
encryptions and allow Defendant, and its customers including Plaintiff, to regain access.
2
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.133
Page 3 of 24
(Id., PageID.12-13, ¶ 36.) Defendant immediately took its systems offline, preventing
Plaintiff from accessing its virtual desktops and data. (Id., PageID.13, ¶ 37.)
Plaintiff asked Defendant to return its data, in part to consider paying the ransom.
(Id., PageID.14, ¶ 44.) Defendant refused the request, stating the Plaintiff’s data was
combined with the data of many other customers and could not be separated. (Id., ¶
45.) Defendant then chose not to pay the ransom and as a result “most of [Plaintiff’s]
data was corrupted and unable to be restored or recovered.” (Id., ¶ 43.) “All of
[Plaintiff’s] data” was affected, including “1700 tax engagement files,” “120 financial
engagement files,” and “critical practice management files, including . . . billing, time
entry, and business contacts,” all compiled over the course of ten years. (Id.,
PageID.15-16, ¶¶ 50, 54.) None of the files were “recovered,” but a small subset were
“restored.” (Id., ¶ 52.) The restored files lacked “names, . . . organizational structure,
and . . . metadata,” requiring “multiple hours per file” to return them to a usable form.
(Id., ¶ 52-53.)
Plaintiff “experienced significant downtime” after the attack “in which it could not
operate its business.” (Id., PageID.16, ¶ 55.) Additionally, Plaintiff could not use the
information contained in the lost files “to generate additional revenue.” (Id., ¶ 54.)
II. STANDARD
Under Federal Rule of Civil Procedure 12(b)(6) a party can move to dismiss a
complaint for “failure to state a claim upon which relief can be granted.” In considering a
motion to dismiss, the court must “construe the complaint in the light most favorable to
the plaintiff and accept all factual allegations as true.” Laborers’ Local 265 Pension
Fund v. iShares Trust, 769 F.3d 399, 403 (6th Cir. 2014). “To survive a motion to
3
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.134
Page 4 of 24
dismiss, a complaint must contain factual matter, accepted as true, to ‘state a claim to
relief that is plausible on its face.’” Ashcroft, 556 U.S. at 678 (quoting Bell Atlantic Corp.
v. Twombly, 550 U.S. 544, 570 (2007)). “A claim has facial plausibility when the plaintiff
pleads factual content that allows the court to draw the reasonable inference that the
defendant is liable for the misconduct alleged.” Id. Determining plausibility is “a contextspecific task that requires the reviewing court to draw on its judicial experience and
common sense.” Id. at 679. The plaintiff must present “more than labels and
conclusions.” Twombly, 550 U.S. at 545. “[A] formulaic recitation of a cause of action's
elements will not do.” Id.
When reviewing a motion to dismiss, the court may consider “documents
incorporated into the complaint by reference . . . and matters of which a court may take
judicial notice” in addition to allegations in the complaint. Tellabs, Inc. v. Makor Issues &
Rights, Ltd., 551 U.S. 308, 322 (2007). The court may consider “a document that is not
formally incorporated by reference or attached to a complaint” when “[the] document is
referred to in the complaint and is central to the plaintiff’s claim.” Greenberg v. Life Ins.
Co. of Va., 177 F.3d 507, 514 (6th Cir. 1999).
III. DISCUSSION
Defendant moves to dismiss all three counts of Plaintiff’s complaint: breach of
contract, negligence, and gross negligence. The court will address each claim in turn.
A. Breach of Contract
Defendant presents arguments in its motion that, although not entirely clear,
appear to challenge whether Plaintiff adequately pled the elements of a breach of
contract claim. In its reply, Defendant points to a contract term that it argues limits
4
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.135
Page 5 of 24
Plaintiff’s recovery as a matter of law, 1 and raises two other arguments. The court finds
the entirety of Defendant’s breach of contract arguments unconvincing.
1. Breach of a Legal Duty
Defendant’s motion asserts generally that Plaintiff failed to allege a breach of
duty. (ECF No. 3, PageID.63-64.) Defendant refers to standards such as “reasonable
care,” and contends that it did not take “an affirmative act that unreasonably exposed
Plaintiff to a risk of harm.” (Id., PageID.64.) Having a “duty” to act “reasonably” so as to
mitigate the “risk of harm” are concepts most naturally associated with negligence, not
contract law. “A negligence action may . . . be maintained [only] if a legal duty exists
which requires the defendant to conform to a particular standard of conduct in order to
protect others against unreasonable risks of harm.” Bertrand v. Alan Ford, Inc., 449
Mich. 606, 612, 537 N.W.2d 185, 188 (1995) (emphasis added) (quotation removed).
To bring a successful breach of contract claim under Michigan law, Plaintiff must
prove that “(1) there was a contract (2) which the other party breached (3) thereby
resulting in damages to the party claiming breach.” Miller-Davis Co. v. Ahrens Constr.,
Inc., 495 Mich. 161, 178, 848 N.W.2d 95, 104 (2014) (citing Stevenson v. Brotherhoods
Mut. Benefit, 312 Mich. 81, 90-91, 19 N.W.2d 494, 498 (1945)); see Shady Grove
1
The court is not generally inclined to accept new arguments in a reply brief;
however, Plaintiff was provided the opportunity to respond to Defendant’s arguments in
a sur-reply. See Eng’g & Mfg. Servs., LLC v. Ashton, 387 F. App’x 575, 583 (6th Cir.
2010) (citing Seay v. Tenn. Valley Auth., 339 F.3d 454, 481-82 (6th Cir. 2003)) (raising
“new arguments and new evidence in [a] reply brief . . . necessitated that [the
nonmovant] be permitted to respond”). (ECF No. 8.) Going forward, the court expects
the parties to comply with basic briefing protocol, and refrain from presenting new
arguments in the reply, unless justified by newly emerged evidence or the like.
5
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.136
Page 6 of 24
Orthopedic Assocs. v. Allstate Ins., 559 U.S. 393, 417 (2010) (“Federal courts sitting in
diversity apply state substantive law.”).
Defendant makes little mention of contract law or Plaintiff’s breach of contract
claim in its motion to dismiss. Nonetheless, Defendant’s arguments could be interpreted
as claiming that no terms of the parties’ agreement covered Defendant’s conduct. If no
terms applied, there can be no breach. Miller-Davis Co., 848 N.W.2d at 104; Van Buren
Charter Twp. v. Visteon Corp., 319 Mich. App. 538, 554, 904 N.W.2d 192, 202 (2017)
(requiring a plaintiff prove “that the defendant breached [the contract’s] terms”).
Plaintiff points to terms in the Information Privacy Security Policy, alleged and
attached to the complaint, in which Defendant promised various services. See Tellabs,
Inc., 551 U.S. at 322 (permitting the court to consider “documents incorporated into the
complaint by reference”). (ECF No. 1-1, PageID.11-12, ¶ 31; id., PageID.29.) Under the
subsection “Baseline Procedures” in the “Introduction” section of the policy, the terms
state that “[m]inimum data security and protection services provide for continuous file
systems scanning for virus signatures or activity” and “[c]ompromised files are
quarantined in secure systems,” among other security precautions. (ECF No. 1-1,
PageID.11-12, ¶ 31; id., PageID.29.) Plaintiff alleges Defendant failed to perform all of
these promised services before and during the alleged data breach and cyberattack,
thereby establishing a claim for breach of contract. Miller-Davis Co., 848 N.W.2d at 104.
(ECF No. 1-1, PageID.17-18, ¶ 62.)
Other than arguing generally that Plaintiff has not stated a claim for breach of
contract, Defendant presents no other substantive arguments in its motion as to why
6
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.137
Page 7 of 24
Plaintiff’s complaint would not satisfy the material elements of a breach of contract.
Miller-Davis Co., 848 N.W.2d at 104.
2. Limitation on Damages Resulting from Data Being “Unavailable”
In its reply, Defendant points to a contract term in the Member Order that
Defendant argues precludes Plaintiff from recovering any damages. (ECF No. 6,
PageID.94.) The court disagrees and will not preemptively limit Plaintiff’s recovery.
The question is one of contract interpretation. “[T]he court’s obligation [is] to
determine the intent of the parties by examining the language of the contract according
to its plain and ordinary meaning.” In re Smith Trust, 480 Mich. 19, 24, 745 N.W.2d 754,
758 (2008) (citing Frankenmuth Mut. Ins. Co. v. Masters, 460 Mich. 105, 112, 595
N.W.2d 832, 837 (1999)). “[It] must . . . give effect to every word, phrase, and clause in
a contract and avoid an interpretation that would render any part of the contract
surplusage or nugatory.” Klapp v. United Ins. Grp. Agency, 468 Mich. 459, 468, 663
N.W.2d 447, 453 (2003).
When a contract’s language in unambiguous, “[the] court[] must interpret and
enforce the contract as written, because an unambiguous contract reflects the parties'
intent as a matter of law.” In re Smith Trust, 745 N.W.2d at 758; accord Solo v. United
Parcel Serv. Co., 819 F.3d 788, 794 (6th Cir. 2016) (citing Port Huron Educ. Assn. v.
Port Huron Area Sch. Dist., 452 Mich. 309, 323, 550 N.W.2d 228, 237 (1996)) (“When
the language at issue is clear and unambiguous, its meaning is a question of law.”). A
contract is ambiguous “if it is equally susceptible to more than a single meaning,” and “a
finding of ambiguity is to be reached only after all other conventional means of
interpretation have been applied and found wanting.” Kendzierski v. Macomb Cnty., 503
7
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.138
Page 8 of 24
Mich. 296, 311, 931 N.W.2d 604, 611 (2019) (quotation removed). Determining the
meaning of an ambiguous contract is a question of fact. Klapp, 663 N.W.2d at 454;
accord Solo, 819 F.3d at 794 (quoting Port Huron, 550 N.W.2d at 237) (“[I]f the
language is unclear or susceptible to multiple meanings, interpretation becomes a
question of fact.”).
Plaintiff alleges that it was “locked out of its systems and lost data, suffering
damages including . . . the loss of data, costs associated with recreation of its file
systems, and lost profits during downtime and ongoing operational disruptions.” (ECF
No. 1-1, PageID.18, ¶ 63.) The Member Order, a document two pages long and
attached to Plaintiff’s complaint, states that Defendant “is not responsible for the
availability of Subscriber Data.” (Id., PageID.25.) Defendant argues the entirety of
Plaintiff’s damages for the breach of contract claim are covered by this “not responsible”
provision and are thus barred. (ECF No. 6, PageID.94.)
Defendant is not “responsible” for the “availability of Subscriber Data.” (ECF No.
1-1, PageID.25.) “Responsible” is defined as “creditable or chargeable with the result.”
Responsible, Webster’s Third International Dictionary, Unabridged (2020); see also
Universal Underwriters Ins. Co. v. Kneeland, 464 Mich. 491, 496, 628 N.W.2d 491, 494
(2001) (finding that the word “responsibility” connotes liability). “Available” is defined as
“capable of use for the accomplishment of a purpose” and “immediately utilizable.”
Available, Webster’s Third International Dictionary, Unabridged (2020).
The court does not find as a matter of law that the “not responsible” clause bars
Plaintiff’s recovery for any category of damages alleged in the complaint, including
damages resulting from “lost data.” In re Smith Trust, 745 N.W.2d at 758. (ECF No. 1-1,
8
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.139
Page 9 of 24
PageID.18, ¶ 63.) It is not at all clear what “availability” of “data” means in this
contractual context. Although it is possible the provision limits Plaintiff from recovering
for data not being “available” as a result of a cyberattack, 2 it would be little more than
speculation to conclude that the provision sweeps so broadly as to deny liability for any
long-term loss of data. The court is to read the contract as a whole and give effect to
every term. Klapp, 663 N.W.2d at 453. It is counter-intuitive to allow Defendant to
promise institution of, as Plaintiff adequately alleges, numerous security measures to
mitigate the risks of a cyberattack, (ECF No. 1-1, PageID.11-12, ¶ 31; id., PageID.29.),
but then disclaim any liability for loss-of-data damages that seem to quite naturally flow
from a cyberattack, and to do so by relying on words such as “availability of . . . [d]ata”
that at this stage of the case remain opaque. (Id., PageID.25.)
“Lost” is defined as “taken away or beyond reach or attainment.” Lost, Webster’s
Third International Dictionary, Unabridged (2020). While being “unavailable” and “lost”
may be similar concepts, it is a stretch of logic to assume that merely not having
something “capable of use” necessarily and inherently implies that it is permanently
“beyond . . . attainment.” The contractual language is ambiguous and is “equally
susceptible to more than a single meaning.” Kendzierski, 931 N.W.2d at 611. At this
early stage of litigation, the court will not rule that Plaintiff cannot recover damages for
the loss of its data.
The court cannot find as a matter of law that other damages Plaintiff alleges are
covered by the “not responsible” clause. It is not clear that incurring costs to “recreat[e]
2
The court does not endorse, nor does it reject, Defendant’s claim that the
contract provision applies to cyberattacks and any data disruptions that result from a
cyberattack. (ECF No. 1-1, PageID.25.)
9
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.140
Page 10 of 24
file systems” relates to data “availability.” In re Smith Trust, 745 N.W.2d at 758;
Kendzierski, 931 N.W.2d at 611. (ECF No. 1-1, PageID.18, 25; ECF No. 8,
PageID.120.) The data was made “available” to Plaintiff through Defendant’s recovery
efforts, but only in a form requiring expenditures to recreate file structures. (ECF No. 11, PageID.25; id., PageID.16, ¶ 53.) The “not responsible” term is ambiguous, and
Plaintiff is not barred at this time from recovering “costs associated with recreation of its
file systems.” In re Smith Trust, 745 N.W.2d at 758; Kendzierski, 931 N.W.2d at 611.
(ECF No. 1-1, PageID.18, ¶ 63.)
Plaintiff also paid Defendant for access to “virtual desktop[s]” which allowed
Plaintiff to use several software programs “including TValue, Microsoft Office, PFX Tax
versions, PPC Checkpoint Tools, QuickBooks versions, PFX Practice Management,
PFX Engagement, CCH ProSystem versions, and SuperForm Tax.” (ECF No. 1-1,
PageID.10, ¶ 26.) Plaintiff alleges that Defendant’s breaches caused Plaintiff to be
“locked out of its systems.” (Id., PageID.18, ¶ 63.) Resulting damages appear unrelated
to the “availability of [Plaintiff’s] [d]ata,” (ECF No. 1-1, PageID.25.), and Defendant
points to no portion of the Member Order or Information Privacy Security Policy that
excludes Defendant’s responsibility to provide Plaintiff access to virtual desktops.
Thus, considering the allegations in Plaintiff’s complaint and the relevant
documents attached to the complaint, Tellabs, 551 U.S. at 322, the proper reading of
the parties’ contract is not clear. Kendzierski, 931 N.W.2d at 611. Defendant’s motion to
dismiss on the “not responsible” clause will be denied.
10
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.141
Page 11 of 24
3. Two Remaining Arguments in Defendant’s Reply
Defendant’s reply includes two other arguments that are easily resolved. First,
Defendant asserts that the Information Privacy Security Policy is authored and created
by InsynQ, Inc., not InsynQ, LLC, who is named in this action. (ECF No. 6, PageID.95.)
Nonetheless, the Member Order, the terms of which Defendant itself relies on to deny
liability, states that “[t]his Member Order is subject to the included InsynQ, LLC
Information Privacy Security Policy” and provides a URL link. (ECF No. 1-1, PageID.25.)
Plaintiff alleges that the contract attached to its complaint is the referenced Information
Privacy Security Policy. (Id., PageID.11-12, ¶ 31.) As the court must accept all factual
allegations as true for the purposes of a motion to dismiss, it will not make a factual
determination at this stage that, in fact, the parties entered into separate and distinct
contract. Laborers’ Local 265 Pension Fund, 769 F.3d at 403. Whether the Information
Privacy Security Policy applies to Defendant is a question of fact that may be resolved
at a later time. Id.
Second, Defendant points to a term in the Information Privacy Security Policy
that states: “Client is responsible for all its content hosted by [Defendant]. [Defendant]
exercises no control over, and accepts no responsibility for, the content of the
information passing through the InsynQ network.” (ECF No. 6, PageID.95; ECF No. 1-1,
PageID.37.) While the term’s most natural implication may be that Defendant is not
responsible for unsavory or illegal files posted by Plaintiff onto Defendant’s servers, in
line with the term “[Defendant] is not responsible for screening or monitoring content
used by Client,” Defendant argues the term excludes liability for any virus that infects
Defendant’s systems. (ECF No. 1-1, PageID.37.) Defendant claims “content . . . passing
11
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.142
Page 12 of 24
through the INsynQ network” includes ransomware. (Id.) But it does not provide a
detailed textual analysis nor does it cite to any caselaw in support of this contention.
The court cannot find as a matter of law that the “plain and ordinary meaning” of
“content” in this contractual context includes third-party viruses and ransomware. In re
Smith Trust, 745 N.W.2d at 758; Kendzierski, 931 N.W.2d at 611. The language is at
best ambiguous, and Defendant’s motion to dismiss as to this issue will be denied.
B. Negligence
Defendant next argues that Plaintiff did not state a viable claim for negligence. As
mentioned in the court’s breach of contract analysis, Defendant’s motion asserts
generally that Plaintiff has not alleged that Defendant “breached a duty,” and further,
Plaintiff has not alleged that Defendant “did not take reasonable care.” (ECF 3,
PageID.63-64.) The argument is not well articulated, but, in its reply, Defendant clarifies
and states that the parties’ relationship is governed by contract, and therefore Plaintiff is
precluded from bringing an independent claim for negligence. (ECF No. 6, PageID.96.)
Plaintiff brings its negligence claim under three duties: a general duty of care, a
duty created through a “special relationship,” and a statutory duty created through the
Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. (ECF No. 1-1, PageID.20, ¶¶
75-77.) All three fail as a matter of law to support a valid negligence claim.
1. General Duty of Care
In order to state claim for negligence under Michigan law, Plaintiff must plausibly
allege “(1) duty; (2) breach of that duty; (3) causation, both cause in fact and proximate
causation; and (4) damages.” Romain v. Frankenmuth Mut. Ins. Co., 483 Mich. 18, 21,
762 N.W.2d 911, 913 (2009) (citing Schultz v. Consumers Power Co., 443 Mich. 445,
12
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.143
Page 13 of 24
449, 506 N.W.2d 175, 176 (1993)); Ashcroft, 556 U.S. at 678. The existence of a duty is
a question of law. Hill v. Sears, Roebuck and Co., 492 Mich. 651, 659, 822 N.W.2d 190,
195 (2012). “The ultimate inquiry in determining whether a legal duty should be imposed
is whether the social benefits of imposing a duty outweigh the social costs of imposing a
duty.” Id. at 196 (quoting In re Certified Question from Fourteenth Dist. Court of App. of
Tex., 479 Mich. 498, 505, 740 N.W.2d 206, 216 (2007)). In making this determination,
courts consider “the relationship of the parties, the foreseeability of the harm, the
burden on the defendant, and the nature of the risk presented.” Id. (quoting In re
Certified Question from Fourteenth Dist. Court of App. of Tex., 740 N.W.2d at 216).
Most importantly, “there must be a relationship between the parties and the harm must
have been foreseeable.” Id. (quoting In re Certified Question from Fourteenth Dist.
Court of App. of Tex., 740 N.W.2d at 213).
A foundational rule in negligence law is that parties are not held liable for
“passive inaction or the failure to actively protect others from harm.” Williams v.
Cunningham Drug Stores, Inc., 429 Mich. 495, 498, 418 N.W.2d 381, 382 (1988);
accord Murdock v. Higgins, 454 Mich. 46, 53, 559 N.W.2d 639, 643 (1997); see also
Restatement (Second) of Torts § 314 (Am. Law Inst. 1975). Based on this principle,
Michigan courts have refused to find a duty of care where the extent of alleged
misconduct amounts to a failure to perform promises included in a contract. One of the
preeminent cases in this area is Hart v. Ludwig, where the defendant promised the
plaintiff that he would care for the plaintiff’s orchard; the promise was not kept, and the
orchard fell into disrepair. 347 Mich. 559, 560, 79 N.W.2d 895, 896 (1956). The plaintiff
asserted a negligence theory in which the defendant had undertaken a responsibility to
13
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.144
Page 14 of 24
care for the orchard and had been negligent in doing so. Id. The Michigan Supreme
Court found that the plaintiff’s argument for a legal duty could not be maintained
“without enforcing the contract promise itself,” and thus the court was “left with [the]
defendant’s failure to complete his contracted-for promise,” which is not a tort. Id. at
898.
Michigan courts have since reiterated that when a plaintiff alleges breach of a
duty that is not “separate and distinct from [a] contractual obligation” the defendant
owes the plaintiff, “no tort action based on a contract will lie.” Fultz v. Union-Commerce
Ass’s., 470 Mich. 460, 467, 683 N.W.2d 587, 592 (2004); Ulrich v. Fed. Land Bank of
St. Paul, 192 Mich. App. 194, 199, 480 N.W.2d 910, 912 (1991) (citing Hart, 79 N.W.2d
at 898) (“[I]f a relation exists that would give rise to a legal duty without enforcing the
contract promise itself, the tort action will lie, otherwise it will not.”); 24 Mich. Civ. Jur.
Torts § 2 (2020) (“In order for an action in tort to arise out of a breach of contract, the
act must constitute not only a breach of duty separate and distinct from the breach of
contract but also active negligence or misfeasance.”). For example, in Fultz, the plaintiff
slipped and injured herself while walking on an icy parking lot; she brought a negligence
action against the snow clearing company for its failure to prevent ice from
accumulating. 683 N.W.2d at 589. The Michigan Supreme Court found that the plaintiff
did not have a viable claim under negligence, reasoning that the alleged violation
involved only the company’s responsibility “to fulfill its contractual obligation”. 3 Id. at
592.
3
By contrast, Michigan courts have permitted negligence actions when a party
engages in “active misconduct causing . . . injury” while performing obligations under a
contract. Williams, 418 N.W.2d at 382; see also Loweke v. Ann Arbor Ceiling & Partition
14
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.145
Page 15 of 24
Plaintiff itself recognizes the distinction between contract nonfeasance, which is
not recoverable under tort, and active misfeasance outside the obligations of a contract,
which is recognized as a cause of action. It argues its breach of contract and negligence
claims are separated by “contractual nonfeasance,” on the one hand, and
“misfeasance” in performance of the contract on the other. (ECF No. 8, PageID.123.)
Nonetheless, Plaintiff’s negligence claim amounts to allegations that Defendant
failed to take action to protect Plaintiff from a virus attack. Plaintiff claims Defendant
failed to: use effective anti-virus software and automated email scanning; property train
its employees to prevent email phishing; separate consumer data from its sales
department, where the virus originated; use a backup system; perform incremental
backups; segment networks; implement adequate security measures generally;
adequately monitor the security of its networks; have plans in place to ensure data
security; timely detect the virus; and pay the ransom. (ECF No. 1-1, PageID.20-21, ¶
78.)
However, Defendant had no general duty to act, install safeguards, and protect
Plaintiff and its data from a third-party ransomware attack; Defendant did not have a
general duty to protect Plaintiff at all. Williams, 418 N.W.2d at 382; Hart, 79 N.W.2d at
898; Fultz, 683 N.W.2d at 590-92. In fact, some of the actions Plaintiff claims Defendant
Co., LLC, 489 Mich. 157, 171, 809 N.W.2d 553, 561 (2011) (quotation removed)
(“[E]ntering into a contract with another pursuant to which one party promises to do
something does not alter the fact that there exists a preexisting obligation or duty to
avoid harm when one acts.”). In other words, the existence of a contract does not
eviscerate the public’s right to sue for negligent behavior. Thus, in Loweke, the
Michigan Supreme Court allowed for a negligence claim by a third party against a
construction company who was performing a contract and negligently placed cement
boards, which subsequently fell on the third party. 809 N.W.2d 555-56, 561-62.
15
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.146
Page 16 of 24
had a duty to perform were explicitly contemplated and provided for in the parties’
contract. For instance, Plaintiff alleges that Defendant contracted to provide “continuous
file system scanning for virus signatures or activity” but was negligent for not
“adequately monitor[ing] the security of its . . . systems.” (ECF No. 1-1, PageID.11-12, ¶
31; id., PageID.20-21, ¶ 78.) Thus, Plaintiff has alleged that Defendant committed
negligent nonfeasance, which, outside the terms of the parties’ contract, does not bind
Defendant to a general duty of care. Williams, 418 N.W.2d at 382; Hart, 79 N.W.2d at
898; Fultz, 683 N.W.2d at 590-92.
2. Duty Created Through a “Special Relationship”
Although generally “an individual has no duty to protect another who is
endangered by a third person’s conduct,” “[a] duty of reasonable care may arise where
one stands in a special relationship with either the victim or the person causing the
injury.” Marcelletti v. Bathani, 198 Mich. App. 655, 664, 500 N.W.2d 124, 129 (1993).
Because extending liability to parties who fail to protect and secure others violates a
basic norm of negligence law, Michigan courts have been hesitant to create “special
relationships” beyond a few narrow and historical categories. Williams, 418 N.W.2d at
282-83 (“[The law] has been slow in recognizing liability for nonfeasance because the
courts are reluctant to force persons to help one another and because such conduct
does not create a new risk of harm to a potential plaintiff.”). These categories include
“landlord-tenant, proprietor-patron, employer-employee, residential invitor-invitee,
psychiatrist-patient, . . . doctor-patient . . . common carrier-passenger[,] and innkeeperguest” relationships. Marcelletti, 500 N.W.2d at 129. Notably, these categories involve
common people, individuals, being placed in vulnerable situations with someone or
16
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.147
Page 17 of 24
something more powerful in which those individuals may not be able to ensure their
security or protection outside the imposition of tort liability. Williams, 418 N.W.2d at 283
(explaining that special relationships often arise when “one person entrusts himself to
the control and protection of another, with a consequent loss of control to protect
himself”).
Additionally, “absent special circumstances,” “there is no duty to protect another
from the criminal acts of a third party.” Krass v. Tri-Cnty. Sec., Inc., 233 Mich. App. 661,
593 N.W.2d 578, 582 (1999). Michigan courts have been exceptionally hesitant to
extend liability to cases of third-party criminal behavior. See, e.g., MacDonald v. PKT,
Inc., 464 Mich. 322, 334, 628 N.W.2d 33, 38 (2001) (holding that a merchant, although it
had a special relationship with its business invitees, had only the duty “to respond
reasonably” to criminal act committed against an invitee while on the merchant’s
property); see also Graves v. Warner Bros., 253 Mich. App. 486, 499, 656 N.W.2d 195,
203 (2002) (quoting Papadimas v. Mykonos Lounge, 176 Mich. App. 40, 46-47, 439
N.W.2d 280, 283 (1989)) (“[C]riminal activity, by its deviant nature, is normally
unforeseeable.”).
Plaintiff argues that the parties had a “special relationship” through their “datahosting relationship.” Id. (ECF No. 8, PageID.123.) It alleged in its complaint that
Defendant’s “duty arose because there was a special relationship between [Defendant]
as data-hoster and [Plaintiff] as data-owner.” (ECF No. 1-1, PageID.20, ¶ 76.) Plaintiff
cites no caselaw establishing the existence of a broad special relationship for all data
hosts to data owners, and instead relies on unpublished caselaw from the Michigan
17
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.148
Page 18 of 24
Court of Appeals and Sixth Circuit that have found special relationships in distinct
factual scenarios.
In Stacy v. HRB Tax Group., Inc., a company that provided tax preparation
services hired an employee who accessed clients’ tax information and personal
information to illegally collect tax refunds. 516 F. App’x 588, 589. Although the court did
not find a Michigan decision that was directly on point, it reasoned that Michigan courts
would recognize a special relationship in the facts of the case “between taxpayer and
tax preparer.” Id. at 591. The court’s analysis was not long, but it did mention that the
company had a duty “to ensure the security of their most essential confidential
identifying information, information which easily could be used to appropriate a person's
identity.” Id.
Plaintiff is not bringing the instant action under the confines of Stacy and for
Defendant’s inability to protect personal information from identity theft in the tax
preparation context. 516 F. App’x at 589. Plaintiff alleges a far wider duty for all those
hosting others’ data to institute precautions to limit the risk of an extensive virus attack.
(ECF No. 1-1, PageID.20, ¶ 76.) While Stacy involved individuals who had provided
personal financial and tax information to a company for tax preparation services, an
activity regularly undertaken by unsophisticated individuals, here Plaintiff is a
sophisticated accounting firm entered into a commercial contract whereby Defendant
would house its data, and without Defendant’s engagement and involvement in creating
an individualized product like a tax return. 516 F. App’x at 589. (ECF No. 1-1, PageID.9,
¶ 13; id., PageID.10-11, ¶¶ 26-27.)
18
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.149
Page 19 of 24
In Bell v. Michigan Council 25, 911 operators were obliged to join a union as a
condition of their employment. Case No. 246684, 2005 WL 356306, at *1 (Mich. Ct.
App. Feb. 15, 2005). The union was given access to the workers’ personal information
to deduct dues from their paychecks and provide representation. Id. The union
treasurer’s daughter took the workers’ names, social security numbers, and driver’s
license numbers and purchased goods and services under the workers’ names. Id. The
court found that the union had a “special relationship” with the workers to protect their
personal information. Id. at *1-6. It specifically mentioned that the “relationship between
the parties . . . is one of union-union member,” which was likened to that of a “fiduciary
duty” where the union “has an obligation to act on behalf of, and in the best interest of
[the workers].” Id. at *3. The court also reasoned that the identity theft was especially
foreseeable when for months the union “knew confidential information was leaving its
premises” and unauthorized third parties, including the eventual perpetrator, had access
to it. Id. at *4-5. In finding a duty, the court “[limited] [its] holding . . . to the facts of this
case” and stated that the decision should not be “construed as imposing a duty in every
case where a third party has obtained identifying information and subsequently uses
that information to commit the crime of identity theft.” Id. at *5.
Like in Stacy, Bell involved perpetrators with close connections to the defendant.
In Stacy an employee and in Bell the union treasurer’s daughter appropriated personal
information of clients and workers to commit identity theft. Stacy, 516 F. App’x at 589;
Bell, 2005 WL 356306, at *1. The defendants in Stacy and Bell had intimate control over
the perpetrators. Stacy, 516 F. App’x at 589; Bell, 2005 WL 356306, at *1. Additionally,
Bell involved workers who were compelled to join the union, and the union represented
19
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.150
Page 20 of 24
the interests of the workers in a close and fiduciary relationship. 2005 WL 356306, at *1,
3. Here, Plaintiff is a sophisticated business entity who deposited its data onto
Defendant’s servers, and no employee or close confidant associated with Defendant
took Plaintiff’s information to steal the personal identity of Plaintiff. (ECF No. 1-1,
PageID.9, ¶ 13; id., PageID.10-11, ¶¶ 26-27.) A rouge criminal virus, completely
unaffiliated with Defendant, infiltrated Defendant’s security system and demanded a
ransom. (ECF No. 1-1, PageID.12, ¶¶ 32-36.) The facts in this case are distinguishable,
with two commercial organizations whose relationship extends to an arms-length
contract. (ECF No. 1-1, PageID.10, ¶¶ 20-21.) The Bell court itself recognized the
limited implications of its decision. 2005 WL 356306, at *5.
In essence, Plaintiff wishes to extend Michigan’s law of “special relationships” to
a new and expansive commercial context without the benefit of any Michigan precedent
on point. Marcelletti, 500 N.W.2d at 129. If Plaintiff’s arguments were to hold, any
sophisticated entity who provided cloud data hosting services to another sophisticated
entity could be held liable for a myriad of precautions beyond their contractual
obligations that they could have taken—but did not—to prevent a criminal third-party
cyberattack. See Krass, 593 N.W.2d at 582.
The establishment of a new duty is a public policy determination that requires the
court to find that the “social benefits of imposing a duty outweigh the social costs.” Hill,
822 N.W.2d at 195; Murdock v. Higgins, 208 Mich. App. 210, 215, 527 N.W.2d 1, 3
(1994) (explaining that many of the factors used to find the existence of a duty are
utilized when analyzing whether a special relationship exists). Plaintiff and Defendant
were sizable commercial entities, and Plaintiff willingly entered into a contractual
20
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.151
Page 21 of 24
relationship whereby Defendant allegedly failed to take effective precautions against
cyberattacks. (ECF No. 1-1, PageID.11-12, ¶ 31; id., PageID.29.) At this stage, well past
the time for negotiating contract terms, the court declines the invitation to provide
Plaintiff a windfall ex post by allowing it to impose additional duties under negligence
law, and potentially substantial liability, based upon the criminal acts of third parties.
Marcelletti, 500 N.W.2d at 129; Krass, 593 N.W.2d at 582. This is true even if, as
Plaintiff alleges, Defendant was aware generally of a growing threat of ransomware in
society at large. Ashcroft, 556 U.S. at 678. (ECF No. 1-1, PageID.8, ¶ 10.) The fact that
Plaintiff also brings a valid claim under contract law, arguing that the terms of the
agreement, however limited, were breached, strengthens the finding that imposition of
expanded tort liability is not warranted. (ECF No. 1-1, PageID.11-12, ¶ 31; id.,
PageID.29.) Plaintiff and Defendant were demonstrably capable of agreeing to terms
that protected Plaintiff from the adverse effects of cyberattacks and, in fact, did so.
Plaintiff and Defendant were not fiduciaries and could have tailored the terms of
their agreement to better protect Plaintiff from cybercriminals. Plaintiff does not allege or
argue that it was somehow left to the whim of Defendant or that Defendant had a
position of authority over Plaintiff akin to the workers in Bell. 2005 WL 356306, at *1;
see also Marcelletti, 500 N.W.2d at 129 (describing other situations where special
relationships exist such as a doctor utilizing her medical expertise to treat ordinary
patients). To obtain additional protections, Plaintiff may have had to pay a higher cost,
and Defendant may have ultimately rejected such a proposed deal. But that is no
different than the regular give and take that pervades commercial negotiations. As an
alternative, Plaintiff could have obtained insurance.
21
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.152
Page 22 of 24
In all, the court does not believe that the parties’ arms-length contractual
relationship is sufficiently close, or Plaintiff sufficiently vulnerable to abuse in the context
of a sophisticated commercial transaction, that the costs that would be imposed on all
data-hosts are outweighed by the societal benefit of liability. Hill, 822 N.W.2d at 195;
Murdock, 527 N.W.2d at 3; Williams, 418 N.W.2d at 283. Negligence liability would
ultimately amount to a reward to Plaintiff for failing to obtain better and more exhaustive
contractual provisions. To the extent that Plaintiff’s negligence allegations overlap with
the parties' contract, Plaintiff has an adequate remedy under contract law. Taking the
rare step of establishing a “special relationship” is not justified. 4 Williams, 418 N.W.2d at
282-83.
3. Statutory Duty Under the Federal Trade Commission Act
Plaintiff makes a third attempt to establish a duty through federal statute. It
asserts Defendant had a duty of care under the FTCA, 15 U.S.C. § 45, and its bar on
“unfair . . . practices in or affecting commerce.” (ECF No. 1-1, PageID.20, ¶ 77; ECF No.
5, PageID.84.) Although a duty of care can be established through a statute, “the fact
that defendant's conduct may have been in violation of a statute does not in and of itself
shed light on whether defendant owed plaintiff a duty of care.” Cipri v. Bellingham
Frozen Foods, Inc., 235 Mich. App. 1, 16, 596 N.W.2d 620, 628 (1999). Plaintiff
presents no caselaw from Michigan, the Sixth Circuit, or the Supreme Court that has
established a duty of care for data-holders to data-owners through the FTCA’s bar on
unfair commercial practices. Plaintiff cites one opinion in support of its position, from the
4
Like the court in Bell, the court does not exclude the possibility that a data host
may have a special relationship with a data owner and a duty to prevent cyberattacks in
other contexts. 2005 WL 356306, at *5.
22
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.153
Page 23 of 24
United States District Court of New Jersey, which involved a regulatory enforcement
action by the Federal Trade Commission and included no claims of negligence. See
FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014). (ECF No. 5,
PageID.84.)
It is Plaintiff’s responsibility to establish the existence of a duty by which
Defendant may be held liable for negligence; Defendant must have a duty for Plaintiff to
state a claim as a matter of law. Mieras v. DeBona, 452 Mich. 278, 296, 550 N.W.2d
202, 210 (1996) (“The first element that a plaintiff must establish in any negligence
claim is a duty the plaintiff is owed by the defendant.”); James v. Meow Media, Inc., 300
F.3d 683, 689 (6th Cir. 2002) (reviewing a district court’s dismissal of a negligence
action under Kentucky law for failure to state a claim, stating “the plaintiff must establish
that the defendant owed a duty of care to the plaintiff”); see McPherson v. Kelsey, 125
F.3d 989, 996 (6th Cir. 1997) (quotation removed) (holding that it is not the court’s
responsibility to “put flesh on [the] bone” of a plaintiff’s claims and arguments). Plaintiff
failed to cite to or argue from any relevant caselaw in support of its position, nor for the
creation of a new duty through the FTCA. Thus, Plaintiff has failed to establish
Defendant had a duty to prevent a cyberattack as a matter of law, and Plaintiff’s
negligence claim will be dismissed. Mieras, 550 N.W.2d at 210; Hill, 822 N.W.2d at 195.
C. Gross Negligence
Defendant advances many arguments in support of dismissal of Plaintiff’s gross
negligence claim. (ECF No. 6, PageID.96-103.) The court need only address one:
Plaintiff asserts for gross negligence the same three duties it relies on to establish a
claim under ordinary negligence. See Smith v. Jones, 246 Mich. App. 270, 274, 632
23
Case 3:20-cv-10858-RHC-APP ECF No. 10 filed 09/09/20
PageID.154
Page 24 of 24
N.W.2d 509, 514 (2001) (“Duty is an essential element of a claim of negligence or gross
negligence.”). (ECF No. 1-1, PageID.18, ¶¶ 65-67.) However, as the court discussed in
its negligence analysis, Defendant does not have a duty as a matter of law to protect
Plaintiff from a ransomware attack under a general duty of care, a duty created by a
“special relationship,” or the FTCA. Williams, 418 N.W.2d at 382; Marcelletti, 500
N.W.2d at 129. For the same reasons as those discussed above, Plaintiff’s gross
negligence claim will be dismissed.
IV. CONCLUSION
Defendant presents many arguments in favor of dismissal of Plaintiff’s claim for
breach of contract; they are all unsuccessful. Plaintiff’s breach of contract claim survives
Defendant’s motion to dismiss. However, Plaintiff has not established that it was owed a
duty under a negligence or gross negligence theory. Plaintiff’s tort claims will be
dismissed.
IT IS ORDERED that Defendant’s “Motion to Dismiss” (ECF No. 3) is GRANTED
IN PART and DENIED IN PART. It is GRANTED as to Plaintiff’s claims of Negligence
(Count III) and Gross Negligence (Count II). It is DENIED as to Plaintiff’s claim of
Breach of Contract (Count I).
s/Robert H. Cleland
ROBERT H. CLELAND
UNITED STATES DISTRICT JUDGE
/
Dated: September 9, 2020
I hereby certify that a copy of the foregoing document was mailed to counsel of record
on this date, September 9, 2020, by electronic and/or ordinary mail.
s/Lisa Wagner
Case Manager and Deputy Clerk
(810) 292-6522
S:\Cleland\Cleland\JUDGE'S DESK\C2 ORDERS\20-10858.GRIFO.MotiontoDismiss.RMK.RHC.4.docx
24
/
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?