Apex Tool Group LLC v. Cyderes, LLC et al
ORDER granting in part and denying in part Defendants' 27 Motion to Dismiss. This case shall proceed towards a decision on the merits on the remaining claims in the absence of a voluntary resolution of the dispute among the parties. Signed by District Judge Kenneth D. Bell on 11/9/2023. (brl)
IN THE UNITED STATES DISTRICT COURT
FOR THE WESTERN DISTRICT OF NORTH CAROLINA
CIVIL ACTION NO. 3:23-CV-00236-KDB-SCR
APEX TOOL GROUP LLC,
CYDERES, LLC AND FISHTECH
THIS MATTER is before the Court on Defendants’ Motion to Dismiss Plaintiff’s
Amended Complaint (Doc. No. 27). The Court has carefully considered this motion and the
parties’ briefs and exhibits in support and in opposition to the motion. Applying the generous
standard for the Court’s review of a motion to dismiss pursuant to Rule 12(b)(6), the Court finds
that Plaintiff Apex Tool Group, LLC (“Apex”) has sufficiently pled its fraudulent inducement,
unfair trade practices and unjust enrichment claims and it is premature to address the “limitation
of liability” provision in the parties’ cybersecurity services contract. However, the Court also finds
that Plaintiffs’ negligence and gross negligence claims, which are wholly based on Defendants’
alleged failures to adequately perform the duties undertaken in the parties’ contract, are barred as
a matter of law by the “economic loss” rule. Therefore, the Court will in part GRANT and in part
DENY the Defendants’ motion to dismiss.
Under Rule 8(a)(2) of the Federal Rules of Civil Procedure, a complaint must contain a
“short and plain statement of the claim showing that the pleader is entitled to relief.” A motion to
dismiss under Federal Rule of Civil Procedure 12(b)(6) for “failure to state a claim upon which
relief can be granted” tests whether the complaint is legally and factually sufficient. See Fed. R.
Civ. P. 12(b)(6); Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009); Bell Atl. Corp. v. Twombly, 550 U.S.
544, 570 (2007); Coleman v. Md. Court of Appeals, 626 F.3d 187, 190 (4th Cir. 2010), aff’d, 566
U.S. 30 (2012). The purpose of Rule 12(b)(6) is to expose deficient allegations “at the point of
minimum expenditure of time and money by the parties and the court.” Twombly, 550 U.S. at 558.
To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must plead facts sufficient to
“state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)
(citing Twombly, 550 U.S. at 570). “A claim has facial plausibility when the pleaded factual
content allows the court to draw the reasonable inference that the defendant is liable for the
misconduct alleged.” Id. (citing Twombly, 550 U.S. at 556). A claim will not survive a motion to
dismiss if it contains nothing more than “labels and conclusions, and a formulaic recitation of a
cause of action’s elements.” Twombly, 550 U.S. at 555 (citing Papasan v. Allain, 478 U.S. 265,
286 (1986)). However, the Court “accepts all well-pled facts as true and construes these facts in
the light most favorable to the plaintiff in weighing the legal sufficiency of the complaint.” Nemet
Chevrolet, Ltd. V. Consumeraffairs.com, Inc., 591 F.3d 250, 255 (4th Cir. 2009); see Ashcroft, 556
U.S. at 678. Thus, “a well-pleaded complaint may proceed even if it strikes a savvy judge that
actual proof of those facts is improbable, and that a recovery is very remote and unlikely.”
Twombly, 550 U.S. at 555. (internal citation and quotation marks omitted).
When deciding a motion to dismiss, “a court considers the pleadings and any materials
‘attached or incorporated into the complaint.’” Fitzgerald Fruit Farms LLC v. Aseptia, Inc., 527
F. Supp. 3d 790, 796 (E.D.N.C. 2019) (quoting E.I. du Pont de Nemours & Co. v. Kolon Indus.,
Inc., 637 F.3d 435, 448 (4th Cir. 2011)). Further, “[d]etermining whether a complaint states a
plausible claim for relief will … be a context-specific task that requires the reviewing court to
draw on its judicial experience and common sense.” Id. (citation omitted). In sum, a motion to
dismiss under Rule 12(b)(6) determines only whether a claim is stated; “it does not resolve contests
surrounding the facts, the merits of a claim, or the applicability of defenses.” Republican Party v.
Martin, 980 F.2d 943, 952 (4th Cir. 1992).
FACTS AND PROCEDURAL HISTORY
Apex, a Delaware corporation which has its principal place of business in North Carolina,
is one of the largest manufacturers of professional hand and power tools in the world. (Doc. No.
25 at ¶ 7). In 2019, Apex sought to hire a company to oversee and manage cybersecurity threats,
which it alleges that it did not have the resources or sophistication to handle on its own. (Id. at ¶¶
11-12). To select a vendor, Apex engaged in a “bid process” to find a “comprehensive security
operation team to provide ongoing monitoring and detection services for threats to its network
comprised of over 3,000 employees.” (Id. at ¶ 12).
Defendants Cyderes, LLC and Fishtech Group, LLC provide “outsourced” cybersecurity
services of the type sought by Apex. (Id. at ¶ 16). In October 2020, Apex was introduced to
Fishtech, and Apex’s Head of Cybersecurity and Data Center Architect met with Fishtech
employees to talk about Fishtech providing cybersecurity services to Apex. (Id. at ¶¶ 13-14). In
particular, Apex was interested in using Google Chronicle, a cloud service that indexes,
correlates, and analyzes data received from cybersecurity monitoring and detection tools,
allowing the end-user to assess security threats and alerts. (Id.). Over the course of the ensuing
two months, Apex and Fishtech employees met several times to discuss Fishtech’s capabilities and
service offerings and then to negotiate a written “statement of work” (“SOW”) that became the
contract between Apex and Fishtech. (Id. at ¶¶ 13-26). Apex alleges that during the negotiations
Fishtech misrepresented that it would use Google Chronicle to:
“aggregate alerts from disparate sources on the Apex network,
and … synthesize these in a manner that would allow Defendants
to easily identify and timely respond to threat actors”;
“deliver … [a] customized log of alerts identifying threat
create “reporting features and rules and logic development in
Chronicle Detect”; and
“provide ‘10 custom parsers for [Google] Chronicle’ and set up
‘24x7 Chronicle product support’”.
(Id. at ¶¶ 15, 17, 22 and 23). Apex further alleges Fishtech misrepresented in a “Welcome Packet”
and/or “Tracker File” that Fishtech “could offer … endpoint monitoring,” as well as “collect or
parse” data from “nearly 400 Apex network data sources” in order “to create custom effective
threat detection tools,” all of which are features of Google Chronicle. (Id. at ¶ 19). Apex and
Fishtech entered into the SOW on December 18, 2020. (Id. at ¶ 33). Apex alleges that each of
these representations was “agreed to … under the SOW.”
(Id. at ¶ 60). .
Significantly, Apex further claims Defendants knew, at the time they made these
representations, that they could not and could never perform the services they touted, including
tailoring the Google Chronicle’s capabilities to Apex’s corporate network, and thus never intended
to provide such services. (Id. at ¶ 84). Instead, according to Apex, Fishtech simply wanted to enter
into an agreement with Apex to “prop up its valuation to secure a higher purchase price” in its
merger with Cyderes, which was finalized in December 2021. (Id. at ¶ 29).
Apex further complains about the formation of the SOW beyond Fishtech’s alleged
misrepresentations. Specifically, it alleges that on December 15, 2020, it was “pressure[d]” into
signing the SOW “without fulsome review,” based on an offered discount that applied only if the
SOW was signed by December 18, 2020. (Doc. No. 25 at ¶ 25). Apex further alleges the SOW
was unfairly structured because it provided for “a lofty payment of $350,000 before any services
were even provided,” and did not “allow Apex to terminate the contract before the expiration of
the [SOW’s] three-year term.” (Id.).
SOW, the parties set out their “Goals and Objectives,” as well as the
“Methodology” and “Approach” Fishtech would employ in providing cybersecurity services to
Apex. (Doc. No. 21-1 at 3-5). The SOW also contains “Terms and Conditions” that govern the
parties’ relationship, including the “Scope of Services” (§ 1), the “Term” of the agreement
(§ 3), the parties’ respective “Confidentiality Obligations” (§ 7), and a “Limitation of
Liability” (§ 10). See id. at 7-9. Section 10 provides in relevant part:
Limitation of Liability. Under no circumstances shall [Cyderes] be
liable to [Apex] . . . for any indirect, incidental, exemplary,
consequential, or special damages relating to or arising out of these
Terms and Conditions or the SOW . . . . In no event . . . shall
[Cyderes’s] total cumulative liability in connection with these
Terms and Conditions and the Services, whether in contract, tort or
otherwise, exceed the total amount of [Apex’s] payment(s)
hereunder. . . .
Id. § 10. The SOW further includes a “Warranty Disclaimer,” which states that “[CYDERES]
MAKES NO WARRANTY THAT THE SERVICE . . . WILL DETECT EVERY
VULNERABILITY TO CLIENT’S NETWORK.” Id. § 9 (emphasis in original). Apex alleges it
has paid $670,741.50 in fees to Defendants pursuant to the SOW. (Doc. No. 25 at ¶ 125).
After Fishtech/Cyderes began providing cybersecurity services to Apex under the SOW,
Apex experienced at least two cybersecurity incidents. In November 2021, its network security
was temporarily compromised by a “phishing attack” triggered by an Apex employee who
unintentionally disclosed his or her login credentials to a threat actor. (Id. at ¶ 61). While Apex
alleges the attack was resolved “before any significant damage was done to the Apex network,” it
asserts that it was “forced to resolve [the attack] without any assistance from [Cyderes].” Apex
claims this shows that Cyderes “never had any intention of performing . . . under the SOW.” (Id.
at ¶¶ 60-64).
The second attack was more serious. On February 21, 2022, a user on Apex’s network
Then, from February 21, 2022 to March 7, 2022, cybercriminals allegedly worked inside
Apex’s IT systems to deactivate antivirus software, exfiltrate data, and map Apex’s network. (Id.
at ¶ 65). Apex claims that Cyderes’s cybersecurity systems issued five “high alert” notifications
about the cybercriminals’ activities, including on February 21, March 7, and March 8, 2022, but
did not inform Apex. (Id. at ¶¶ 66, 68-69). On March 9, 2022, Cyderes notified Apex of an
intrusion, but Apex alleges that Cyderes did not fully warn Apex of the potential impact of the
attack. (Id. at ¶ 71). On March 11, 2022, the “threat actor executed a LockBit 2.0 ransomware
attack.” (Id. at ¶ 75). Apex alleges it suffered $25 million in losses from the attack, including
damages from an extended network outage from March 11, 2022 to March 30, 2022, and costs
associated with restoring system access and complying with data and privacy-breach laws, as well
as other consequential damages. (Id. at ¶ 78).
Apex filed its original Complaint on April 25, 2023, asserting claims for breach of contract,
breach of warranty, negligence, fraud, and unjust enrichment. (Doc. No. 1). On June 20, 2023,
Cyderes moved to dismiss the tort based claims. (Doc. No. 20). In response, Apex filed an
Amended Complaint in which it added a claim for violation of North Carolina’s Unfair Trade
Practices Act (“UDTPA”). (Doc. No. 25). Defendants have now moved to dismiss Apex’s fraud,
negligence, gross negligence, unjust enrichment and unfair trade practices claims and to limit
Apex’s damages under the SOW’s “limitation of liability” provision. Apex opposes the motion,
which has been fully briefed and is ripe for decision.
Defendants challenge the sufficiency of each of Apex’s extracontractual claims, which are
discussed separately below.
“The essential elements of fraud in the inducement are: (1) [a] [f]alse representation or
concealment of a material fact, (2) reasonably calculated to deceive, (3) made with intent to
deceive, (4) which does in fact deceive, (5) resulting in damage to the injured party.” TradeWinds
Airlines, Inc. v. C-S Aviation Servs., 222 N.C. App. 834, 840 (2012) (cleaned up and citation
omitted). Defendants argue that Apex has not adequately alleged a fraudulent inducement claim
because (i) that claim is barred by the economic loss rule, (ii) Apex fails to plead an actionable
misstatement, and (iii) Apex fails to plead intent to deceive. Applying the lenient standard of
review of 12(b)(6) motions, the Court finds that Plaintiff has adequately pled a claim of fraudulent
The economic loss rule “prohibits recovery for purely economic loss in tort when a contract
[or] warranty . . . operates to allocate risk” between the parties. Severn Peanut Co. v. Indus.
Fumigant Co., 807 F.3d 88, 94 (4th Cir. 2015). While this principle applies to Apex’s negligencebased claims as discussed below, it does not apply to fraudulent inducement claims. Under North
Carolina law,1 “claims for fraud are not … barred [by the economic loss rule] and indeed, ‘the law
is … to the contrary: a plaintiff may assert both [fraud and contract] claims.” Bradley Woodcraft,
Inc. v. Bodden, 251 N.C. App. 27, 34 (2016) (quoting Jones v. Harrelson & Smith Contractors,
LLC, 194 N.C. App. 203, 215 (2008), aff’d, 363 N.C. 371 (2009)); Provectus Biopharmaceuticals,
Inc. v. RSM US LLP, 2018 WL 4700371, at *18 (N.C. Super. Sept. 28, 2018) (“[T]he economic
loss rule does not apply to [plaintiff’s] fraud claims.”).
More specifically, where a plaintiff adequately alleges a defendant “‘had no intention of
[completing work required under the contract]’ from the very beginning,” it “constitutes fraud”
and the economic loss rule does not apply. Legacy Data Access, Inc. v. Cadrillion, LLC, 889 F.3d
158, 166 (4th Cir. 2018) (quoting Bradley Woodcraft, 251 N.C. App. at 30); see also Foodbuy,
LLC v. Gregory Packaging, Inc., 987 F.3d 102, 121 (4th Cir. 2021) (“[T]he North Carolina Court
The Amended Complaint is silent about which state’s laws govern Apex’s tort claims. Pursuant
to North Carolina choice of law rules, “the law of the state where the plaintiff has actually suffered
harm” applies to tort claims. Harco Nat. Ins. Co. v. Grant Thornton LLP, 698 S.E.2d 719, 726
(N.C. Ct. App. 2010). Here, Apex alleges it suffered the damages it seeks in North Carolina, (Doc.
No. 25 at ¶ 7), and the parties have cited North Carolina law in their memoranda of law. The Court
will therefore apply North Carolina law to Apex’s claims for purposes of this motion.
of Appeals has limited the application of the [economic loss rule] to negligence claims.” (citing
Bradley Woodcraft, 251 N.C. App. at 30)). Here, Apex alleges that prior to entering the SOW,
Defendants deliberately misstated their then current capabilities, which Apex contends shows that
they had no intention of completing the contract. See, e.g., Doc. No. 25 at ¶¶ 2, 14–31, 84. Thus,
Apex has pled that Defendants breached a duty other than a contractual duty, 2 such that its
fraudulent inducement claim is “identifiable and distinct” from the breach of contract claim and
thus outside the economic loss rule. See LifeBrite Hosp. Grp. of Stokes, LLC v. Blue Cross & Blue
Shield of N. Carolina, 2022 WL 801646, at *4 (M.D.N.C. Mar. 16, 2022); see also Brown v. Secor,
2020 WL 6696101, at *5 (N.C. Super. Nov. 13, 2020) (rejecting argument that fraudulent
inducement claim “is bound up with the alleged breach of contract and therefore barred by the
economic loss rule” and holding “[t]he economic loss rule does not bar claims for fraudulent
Further, Apex has alleged misstatements, which, if proven, plausibly support its claim for
fraudulent inducement. Defendants argue that Apex’s fraud claims fall short because it has alleged
only “non-actionable promissory statements of future intent and sales talk rather than
misstatements of pre-existing fact.” Doc. No. 28 at 15. However, Apex’s Amended Complaint goes
beyond allegations of future promises. Apex has alleged that Defendants falsely represented to Apex
North Carolina recognizes “a separate and distinct duty not to provide false information to induce
the execution of [a] contract.” Jones v. BMW of N. Am., LLC, 2020 WL 5752808, at *9 (M.D.N.C.
Sept. 25, 2020); see also Schumacher Immobilien Und Beteiligungs AG v. Prova, Inc., 2010 WL
3943754, at *2 (M.D.N.C. Oct. 7, 2010) (“[A] party to a contract owes the other contracting party
a separate and distinct duty not to provide false information to induce the execution of the
that they had existing tools, infrastructure, and resources to deploy Google Chronicle, when
they in fact did not. Doc. No. 25 at ¶¶ 15, 17, 21, 23. Moreover, Apex alleges that Defendants
still lack those capabilities. Id. ¶ 84. These alleged statements potentially relate to then current
facts3 and support a claim for fraudulent inducement. See Gaming v. Trustwave Holdings, Inc.,
2016 WL 5799300, at *4, *5 (D. Nev. Sept. 30, 2016) (denying motion to dismiss fraudulent
inducement claim against data security provider that allegedly “misrepresent[ed] that ‘it had the
capabilities and experience as a data service security provider to investigate, diagnose, and help
remedy the data breach’ and that it would perform these tasks”).
Also, a “[d]efendants’ alleged intent contrary to the promises of future conduct … can
support a finding of a misrepresentation of material fact to state an action for fraud.” See Boeing
Co. v. Ten Oaks Mgmt., LLC, 2023 WL 4241679, at *5 (W.D.N.C. June 28, 2023) (citing Glob.
Hookah Distributors, Inc. v. Avior, Inc., 401 F. Supp. 3d 653 (W.D.N.C. 2019)); Leftwich v.
Gaines, 521 S.E.2d 717, 723 (N.C. Ct. App. 1999) (“a promissory misrepresentation may
constitute actionable fraud when it is made with intent to deceive the promisee, and the promisor,
at the time of making it, has no intent to comply.”). Again, it is Defendants’ alleged
misrepresentation of their then existing capabilities and their alleged intent at that time not to
provide the offered services that combine to support Apex’s fraudulent inducement claim. So,
while a statement of promissory intent alone is insufficient to support a claim of fraud, a promise
of future action together with the contemporaneous intent not to fulfill the promise can plausibly
To be clear, the Court expresses no view at this stage of the case on whether Defendants precontractual sales efforts will ultimately be held to be more than non-actionable “sales talk” or
expressions of opinion about the quality of services offered by Defendants. Rather, the Court only
finds for purposes of this motion that, accepting the allegations of the Amended Complaint as true,
Apex has plausibly pled a claim for fraudulent inducement.
state a claim. Here, Apex has sufficiently alleged both material misstatements and, as discussed
further below, Defendants’ wrongful intent. Therefore, Apex’s allegations of Defendants’
misrepresentations are sufficient to plausibly support its claim of fraudulent inducement.
Finally, Apex has adequately alleged that Defendants did not intend to comply with the
SOW at the time of their alleged misrepresentations. Under Rule 9(b), “intent … may be alleged
generally.” See Fed. R. Civ. P. 9(b); see also Wilson v. McAleer, 368 F. Supp. 2d 472, 478
(M.D.N.C. 2004) (“[A]ll [the plaintiff] needs to survive a motion to dismiss is to set out a scenario
that, if proved, suggests the possibility of a fraudulent and deceitful scheme that extended prior
to the formation of any contract between plaintiff and defendants and continued through the
execution of the contract.”); Packrite, LLC v. Graphic Packaging Int’l, Inc., 2019 WL 2992340,
at *6 (M.D.N.C. July 9, 2019) (“[T]he complaint need only ‘contain specific factual matter
to permit the plausible inference that the defendant did not intend to honor the agreement at the
time of its making.’”). Apex has met that low threshold.
Apex alleges that Fishtech was motivated to induce Apex to sign the SOW to increase
Fishtech’s attractiveness as an acquisition target. Doc. No. 25 at ¶ 27. Apex further alleges that
the SOW’s provisions requiring a significant “upfront” payment and limiting Apex’s ability to
cancel the contract before the end of the contract term are consistent with that goal. Id. at ¶ 25.
The Amended Complaint also alleges that Defendants failed to perform under the SOW soon after
signing it. Id. at ¶¶ 60–64; see also Boeing Co., 2023 WL 4241679, at *4 (noting that when
misstatements are followed by breach in “quick succession [it] suggests that the statements could
be found to be a knowing lie when they were made”). And, finally, Apex contends that the
number, extent, and detail of Defendants’ misrepresentations about Google Chronicle, followed
by the alleged failure to deliver, creates an inference of an intent to deceive. Again, it may turn
out that Apex is unable to prove its allegations as this case proceeds.4 However, at this stage, Apex
has plausibly alleged a claim of fraudulent inducement.
Unfair Trade Practices
Based on the Court’s ruling allowing Plaintiff’s fraud claim to proceed, the Court will also
deny Defendants’ motion to dismiss Plaintiff’s UDTPA claim.
Because fraudulent conduct
violates the UDTPA, if Apex’s fraudulent inducement claim survives, then its UDTPA claim
survives as well. See Doc. No. 28 at 20; see also Unifour Constr. Servs., Inc. v. Bellsouth
Telecomm., 594 S.E.2d 802, 808 (N.C. Ct. App. 2004) (“[P]roof of fraud necessarily constitutes a
violation of the statutory prohibition against unfair and deceptive acts.”). Accordingly, Apex’s
UDTPA claim will be allowed to proceed.5
“The general rule of unjust enrichment is that where services are rendered and
expenditures made by one party to or for the benefit of another, without an express contract
to pay, the law will imply a promise to pay a fair compensation therefor.” Cross v. Ciox Health,
For example, it may be that Apex, a much larger company, has difficulty proving that it was
unlawfully “pressured” to enter into the SOW (which the parties had been negotiating for two
months) simply because Fishtech dangled the possibility of a “discount” if the SOW was executed
by a date three days in the future.
5 Having decided that Apex’s UDTPA claim can proceed based on the possibility that Apex will
be successful in proving fraud, the Court need not and does not reach the alternate question as to
whether Apex has stated a UDTPA claim based on a breach of contract accompanied by
“substantial aggravating and egregious conduct.” See Foodbuy, 2022 WL 3102356, at *4.
As with Apex’s fraud claim, a determination of the merits of that argument must be deferred and
will depend on the course of discovery and further proceedings.
LLC, 438 F. Supp. 3d 572, 589 (E.D.N.C. 2020). Defendants move the Court to dismiss Apex’s
unjust enrichment claim on the grounds that the Amended Complaint alleges the existence of a
binding contract and that an “unjust enrichment claim fails as a matter of law” where the
payments claimed as damages were “given pursuant to a contract.” See Weare v. Bennett Bros.
Yachts, Inc., 2020 WL 398501, at *8 (E.D.N.C. Jan. 23, 2020). While this is an accurate statement
of the law, it is also true that parties may “plead alternative and inconsistent claims.” See
Renfinity, Inc. v. Jones, 2022 WL 1102473 (W.D.N.C. Apr. 13, 2022) at *2. Such is the case
here. While Apex has not specifically pled its unjust enrichment claim in the alternative (and it
will of course not be permitted to recover on its claim for unjust enrichment if an enforceable
contract exists between the parties), at this early stage of the case, the Court will allow Plaintiff’s
alternative claim for unjust enrichment to proceed past Defendants’ motion to dismiss. 6
Negligence and Gross Negligence
A “tort action must be grounded on a violation of a duty imposed by operation of law,” not
a violation of a duty arising purely from “the contractual relationship of the parties.” Legacy Data
Access, Inc. v. Cadrillion, LLC, 889 F.3d 158, 164–65 (4th Cir. 2018) (emphasis in original). Thus,
a “tort action does not lie against a party to a contract who simply fails to properly perform the
terms of the contract.” Rountree v. Chowan Cty., 796 S.E.2d 827, 830 (N.C. Ct. App. 2017). “It is
the law of contract,” not tort law, “which defines the obligations and remedies of the parties in
such a situation.” Id. Accordingly, “North Carolina law requires” courts “to limit plaintiffs' tort
Defendants argue that the parties here have admitted the existence of a contract (the SOW) so
there is no possibility of a claim for unjust enrichment. However, as discussed above, Apex
contends that it was fraudulently induced to enter into the SOW so it could possibly be held to be
void or unenforceable. In that event, Apex’s alternate claim for unjust enrichment may become
relevant (an issue the Court need not and does not resolve now).
claims to only those claims which are ‘identifiable’ and distinct from the primary breach of
contract claim.” Broussard v. Meineke Disc. Muffler Shops, Inc., 155 F.3d 331, 346 (4th Cir. 1998)
(quoting Newton v. Standard Fire Ins. Co., 291 N.C. 105, 229 S.E.2d 297, 301 (1976) ).
The economic loss rule, which prohibits recovery for purely economic loss in tort when
a contract [or] warranty governs the parties’ respective rights and obligations, reflects “the
fundamental difference between tort and contract claims.” Id. In preventing parties from asserting
tort claims for a simple breach of contract, the economic loss rule thus “encourages contracting
parties to allocate risks for economic loss themselves.” Lord v. Customized Consulting Specialty,
Inc., 182 N.C.App. 635, 643 S.E.2d 28, 30 (2007); see also Moore v. Coachmen Indus., Inc., 129
N.C.App. 389, 499 S.E.2d 772, 780 (1998) (“To give a party a remedy in tort ... would permit the
party to ignore and avoid the rights and remedies granted or imposed by the parties' contract.”).
Thus, the Fourth Circuit has “previously rejected ‘attempt[s] by the plaintiff to manufacture
a tort dispute out of what is, at bottom, a simple breach of contract claim’ as ‘inconsistent both
with North Carolina law and sound commercial practice.’” Legacy Data, 889 F.3d at 164 (citing
Broussard, 155 F.3d at 346). In Broussard, the defendants contended that various contract
provisions allowed them to pay advertising commissions from a particular bank account, while
plaintiffs contended that the contract allowed no such thing. Broussard, 155 F.3d at 346. The court
held that because the “crux of this matter is and always has been a contract dispute,” the district
court erred in permitting plaintiffs to assert an “extensive” array of tort claims—such as breach of
fiduciary duty, fraud, and intentional interference with contractual relations—for the same alleged
The dispute here, as it relates to Apex’s negligence and gross negligence claims, is similar
to Broussard and Legacy Data because those tort claims in effect simply restate Apex’s breach of
contract allegations – the asserted failure to provide competent cybersecurity services – as
allegedly “negligent” conduct. While Apex argues that Defendants had a “duty by operation of
law” to “protect Apex and its data,” Doc. No. 25 at ¶ 107, the alleged breaches of that supposed
“duty” are Defendants’ alleged failure to monitor, detect, respond, or notify Apex of harmful
cyberattacks, which are the same contracted-for services related to cybersecurity as those agreed
to under the SOW. Compare Doc. No. 25 at ¶¶ 92-97 with Doc. No. 25 at ¶ 108; see also Doc.
No. 30 at 19 (“Defendants breached … duty to … monitor and safeguard Apex’s information
technology systems and networks from the foreseeable risk of data breach.”). Apex’s negligence
claims are thus not independent of the SOW.
Absent the SOW, Defendants had no common law or statutory duty to provide
cybersecurity services, to monitor or safeguard Apex’s systems, or to detect and report any
cyberattack. Still, Apex seeks to ground Defendants’ claimed tort duty on their alleged “unique
access to and control over Apex’s corporate data, specialized expertise, and pivotal role in
preventing large-scale cyberattacks.” Doc. No. 25 at ¶ 107. This argument proves too much. If
inside access to private locations, data or other information and “specialized expertise” are
sufficient to create a duty which may be the basis for a claim of negligence (and the award of
extracontractual damages) then most service providers, from plumbers to business consultants to
IT workers, would be at risk of being accused of negligence anytime a client was unhappy with
their services. This is not the law in North Carolina (or elsewhere so far as the Court is aware).
Rather, when a party fails to perform a contract, the proper remedy is determined by the law of
contracts, not torts. Rountree, 796 S.E.2d at 830.
In sum, the “crux of [Apex’s negligence claim] … is … a contract dispute,” which is
governed by contract law and barred by the economic loss doctrine. See Legacy Data, 889 F.3d at
165-66; see also Severn Peanut, 807 F.3d at 94-95 (dismissing negligence claim that “claim[ed]
a remedy in tort for [the defendant’s] breach of . . . the very same duty as that underlying
[the plaintiff’s] breach of contract claim”); Moore v. Coachmen Indus., Inc., 499 S.E.2d 772,
780 (N.C. Ct. App. 1998) (the “economic loss doctrine prevents plaintiffs from recovering on
their negligence claim against defendants” where the transaction is governed by contract law).
Similarly, the economic loss rule bars Apex’s gross negligence claim since it, too, “really
arise[s] out of [the defendant’s] performance on the contract.” Broussard, 155 F.3d at 346-47
(dismissing gross negligence claim); Jerman v. AT&T Corp., 2022 WL 2835428, at *2-3
(W.D.N.C. July 20, 2022), aff’d, 2023 WL 2136375 (4th Cir. Feb. 21, 2023) (dismissing gross
negligence claim that “ar[o]se out of the same harm underlying the breach of contract action”).
Apex’s gross negligence claim, like its negligence claim, arises from the same breach of duty
and alleged injury as Apex’s breach of contract claims. Compare Doc. No. 25 at ¶¶ 92-98 (pleading
breach of contract based on allegation that Defendants “breached [their] duty to detect and report
security events,” which caused “$25 million in losses”) with Doc. No. 25 at ¶¶ 115, 121 (pleading
gross negligence based on allegation that Cyderes “breached [its] duty” “to monitor and
safeguard Apex’s information-technology systems,” which caused “$25 million in losses”).
Apex’s gross negligence claim will therefore also be dismissed.
Limitation of Liability
Finally, in addition to moving to dismiss Apex’s tort and statutory claims discussed above,
Defendants ask the Court to, as a matter of law, limit the damages that Apex can recover to the
amount paid to Defendants under the “limitation of liability” provision in the SOW. The Court
will decline this request because the Court agrees with Apex that it would be premature to rule on
this issue at this early stage of the proceedings. While it appears from the Amended Complaint
that the SOW is the product of negotiations between sophisticated companies and the Defendants
are correct that the unambiguous language of a commercial contract must be enforced as written,
Galloway as Tr. of Melissa Galloway Snell Living Tr. Dated May 1, 2018 v. Snell, 384 N.C. 285,
288, 885 S.E.2d 834, 836 (2023), it remains uncertain (as discussed above) whether the SOW was
fraudulently induced. If, as alleged, the SOW was wrongfully obtained then it would plainly be
inappropriate to limit Apex’s recovery based on a provision in that document. See Kessing v. Nat'l
Mortg. Corp., 278 N.C. 523, 536, 180 S.E.2d 823, 831 (1971) (“The courts of this State will not
lend their aid to the enforcement of a contract which is unlawful …). Thus, any ruling on the
application of the SOW “limitation of liability” provision must await a full development of the
record and a decision on the validity of the SOW as against Apex.
NOW THEREFORE IT IS ORDERED THAT:
1. Defendants’ Motion to Dismiss (Doc. No. 27) is GRANTED in part and DENIED in part
as described above; and
2. This case shall proceed towards a decision on the merits on the remaining claims in the
absence of a voluntary resolution of the dispute among the parties.
SO ORDERED ADJUDGED AND DECREED.
Signed: November 9, 2023
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?