Opinion
Case No. 20-10858
09-09-2020
Linda M. Watson, Birmingham, MI, Michael Croghan, Clark Hill PLC, Chicago, IL, for Plaintiff. Lee Janiczek, Lewis Brisbois Bisgaard & Smith LLP, Wayne, PA, John R. Christie, Lewis Brisbois Bisgaard and Smith LLP, Cleveland, OH, for Defendant.
OPINION AND ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS
ROBERT H. CLELAND, UNITED STATES DISTRICT JUDGE
Plaintiff Grifo & Company, PLLC, brings this action for breach of contract, negligence, and gross negligence. (ECF No. 1-1, PageID.16-21.) Defendant Cloud X Partners Holdings, LLC, provided "virtual desktop and cloud data-hosting services," which Plaintiff allegedly utilized to store substantial amounts of business data. (Id. , PageID.10-11, ¶¶ 20-27.) Defendant was subject to a cyberattack and Plaintiff's data was damaged or lost. (Id. , PageID.12, ¶ 32.)
In lieu of filing an answer, Defendant moves to dismiss the complaint. Fed. R. Civ. P. 12(b). (ECF No. 3.) The matter has been thoroughly briefed. (ECF Nos. 5, 6, 8.) The court has reviewed the record and finds a hearing to be unnecessary. E.D. Mich. L.R. 7.1(f)(2). For the reasons provided below, the court will grant in part and deny in part Defendant's motion.
I. BACKGROUND
The following are facts as alleged in Plaintiff's complaint. In a motion to dismiss, the court accepts Plaintiff's factual allegations as true but makes no overt finding as to truth or falsity. Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009).
Plaintiff is an accounting firm that was looking for a company to host its data. (ECF No. 1-1, PageID.9-10, ¶¶ 13, 21.) On July 10, 2017, Plaintiff and Defendant executed a "Member Order" whereby Plaintiff and its employees could access a virtual desktop with software used in its accounting practice and Plaintiff could store data on Defendant's network. (Id. , PageID.10-11, ¶¶ 26, 27.) Plaintiff agreed to pay Defendant a monthly membership fee of $594. (Id. , PageID.11, ¶ 28.) The agreement was renewed on an annual basis and was in place for the duration of the events giving rise to this action. (Id. , ¶¶ 29, 30.)
The Member Order states that the agreement "is subject to the included ... Information Privacy Security Policy." (Id. , ¶ 31; id. , PageID.25.) The order also states that "[Defendant] is not responsible for the availability of Subscriber Data." (Id. , PageID.25.) Plaintiff attached the Member Order and the Information Privacy Security Policy to its complaint. (Id. , PageID.25-40.)
On or around July 6, 2019, a cybercriminal embedded a "ransomware" virus in Defendant's internal systems. (Id. , PageID.12, ¶ 32.) After ten days, on July 16, 2019, the ransomware was deployed. (Id. , ¶ 35.) The virus sealed off and encrypted data hosted on Defendant's servers; the cybercriminal demanded payment to remove the encryptions and allow Defendant, and its customers including Plaintiff, to regain access. (Id. , PageID.12-13, ¶ 36.) Defendant immediately took its systems offline, preventing Plaintiff from accessing its virtual desktops and data. (Id. , PageID.13, ¶ 37.)
Plaintiff asked Defendant to return its data, in part to consider paying the ransom. (Id. , PageID.14, ¶ 44.) Defendant refused the request, stating the Plaintiff's data was combined with the data of many other customers and could not be separated. (Id. , ¶ 45.) Defendant then chose not to pay the ransom and as a result "most of [Plaintiff's] data was corrupted and unable to be restored or recovered." (Id. , ¶ 43.) "All of [Plaintiff's] data" was affected, including "1700 tax engagement files," "120 financial engagement files," and "critical practice management files, including ... billing, time entry, and business contacts," all compiled over the course of ten years. (Id. , PageID.15-16, ¶¶ 50, 54.) None of the files were "recovered," but a small subset were "restored." (Id. , ¶ 52.) The restored files lacked "names, ... organizational structure, and ... metadata," requiring "multiple hours per file" to return them to a usable form. (Id. , ¶ 52-53.) Plaintiff "experienced significant downtime" after the attack "in which it could not operate its business." (Id. , PageID.16, ¶ 55.) Additionally, Plaintiff could not use the information contained in the lost files "to generate additional revenue." (Id. , ¶ 54.)
II. STANDARD
Under Federal Rule of Civil Procedure 12(b)(6) a party can move to dismiss a complaint for "failure to state a claim upon which relief can be granted." In considering a motion to dismiss, the court must "construe the complaint in the light most favorable to the plaintiff and accept all factual allegations as true." Laborers’ Local 265 Pension Fund v. iShares Trust , 769 F.3d 399, 403 (6th Cir. 2014). "To survive a motion to dismiss, a complaint must contain factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ " Ashcroft , 556 U.S. at 678, 129 S.Ct. 1937 (quoting Bell Atlantic Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. Determining plausibility is "a context-specific task that requires the reviewing court to draw on its judicial experience and common sense." Id. at 679, 129 S.Ct. 1937. The plaintiff must present "more than labels and conclusions." Twombly , 550 U.S. at 545, 127 S.Ct. 1955. "[A] formulaic recitation of a cause of action's elements will not do." Id.
When reviewing a motion to dismiss, the court may consider "documents incorporated into the complaint by reference ... and matters of which a court may take judicial notice" in addition to allegations in the complaint. Tellabs, Inc. v. Makor Issues & Rights, Ltd. , 551 U.S. 308, 322, 127 S.Ct. 2499, 168 L.Ed.2d 179 (2007). The court may consider "a document that is not formally incorporated by reference or attached to a complaint" when "[the] document is referred to in the complaint and is central to the plaintiff's claim." Greenberg v. Life Ins. Co. of Va. , 177 F.3d 507, 514 (6th Cir. 1999).
III. DISCUSSION
Defendant moves to dismiss all three counts of Plaintiff's complaint: breach of contract, negligence, and gross negligence. The court will address each claim in turn.
A. Breach of Contract
Defendant presents arguments in its motion that, although not entirely clear, appear to challenge whether Plaintiff adequately pled the elements of a breach of contract claim. In its reply, Defendant points to a contract term that it argues limits Plaintiff's recovery as a matter of law, and raises two other arguments. The court finds the entirety of Defendant's breach of contract arguments unconvincing.
The court is not generally inclined to accept new arguments in a reply brief; however, Plaintiff was provided the opportunity to respond to Defendant's arguments in a sur-reply. See Eng'g & Mfg. Servs., LLC v. Ashton , 387 F. App'x 575, 583 (6th Cir. 2010) (citing Seay v. Tenn. Valley Auth. , 339 F.3d 454, 481-82 (6th Cir. 2003) ) (raising "new arguments and new evidence in [a] reply brief ... necessitated that [the nonmovant] be permitted to respond"). (ECF No. 8.) Going forward, the court expects the parties to comply with basic briefing protocol, and refrain from presenting new arguments in the reply, unless justified by newly emerged evidence or the like.
1. Breach of a Legal Duty
Defendant's motion asserts generally that Plaintiff failed to allege a breach of duty. (ECF No. 3, PageID.63-64.) Defendant refers to standards such as "reasonable care," and contends that it did not take "an affirmative act that unreasonably exposed Plaintiff to a risk of harm." (Id. , PageID.64.) Having a "duty" to act "reasonably" so as to mitigate the "risk of harm" are concepts most naturally associated with negligence, not contract law. "A negligence action may ... be maintained [only] if a legal duty exists which requires the defendant to conform to a particular standard of conduct in order to protect others against unreasonable risks of harm. " Bertrand v. Alan Ford, Inc. , 449 Mich. 606, 612, 537 N.W.2d 185, 188 (1995) (emphasis added) (quotation removed).
To bring a successful breach of contract claim under Michigan law, Plaintiff must prove that "(1) there was a contract (2) which the other party breached (3) thereby resulting in damages to the party claiming breach." Miller-Davis Co. v. Ahrens Constr., Inc. , 495 Mich. 161, 178, 848 N.W.2d 95, 104 (2014) (citing Stevenson v. Brotherhoods Mut. Benefit , 312 Mich. 81, 90-91, 19 N.W.2d 494, 498 (1945) ); see Shady Grove Orthopedic Assocs. v. Allstate Ins. , 559 U.S. 393, 417, 130 S.Ct. 1431, 176 L.Ed.2d 311 (2010) ("Federal courts sitting in diversity apply state substantive law.").
Defendant makes little mention of contract law or Plaintiff's breach of contract claim in its motion to dismiss. Nonetheless, Defendant's arguments could be interpreted as claiming that no terms of the parties’ agreement covered Defendant's conduct. If no terms applied, there can be no breach. Miller-Davis Co. , 848 N.W.2d at 104 ; Van Buren Charter Twp. v. Visteon Corp. , 319 Mich. App. 538, 554, 904 N.W.2d 192, 202 (2017) (requiring a plaintiff prove "that the defendant breached [the contract's] terms").
Plaintiff points to terms in the Information Privacy Security Policy, alleged and attached to the complaint, in which Defendant promised various services. See Tellabs, Inc. , 551 U.S. at 322, 127 S.Ct. 2499 (permitting the court to consider "documents incorporated into the complaint by reference"). (ECF No. 1-1, PageID.11-12, ¶ 31; id. , PageID.29.) Under the subsection "Baseline Procedures" in the "Introduction" section of the policy, the terms state that "[m]inimum data security and protection services provide for continuous file systems scanning for virus signatures or activity" and "[c]ompromised files are quarantined in secure systems," among other security precautions. (ECF No. 1-1, PageID.11-12, ¶ 31; id. , PageID.29.) Plaintiff alleges Defendant failed to perform all of these promised services before and during the alleged data breach and cyberattack, thereby establishing a claim for breach of contract. Miller-Davis Co. , 848 N.W.2d at 104. (ECF No. 1-1, PageID.17-18, ¶ 62.)
Other than arguing generally that Plaintiff has not stated a claim for breach of contract, Defendant presents no other substantive arguments in its motion as to why Plaintiff's complaint would not satisfy the material elements of a breach of contract. Miller-Davis Co. , 848 N.W.2d at 104.
2. Limitation on Damages Resulting from Data Being "Unavailable"
In its reply, Defendant points to a contract term in the Member Order that Defendant argues precludes Plaintiff from recovering any damages. (ECF No. 6, PageID.94.) The court disagrees and will not preemptively limit Plaintiff's recovery.
The question is one of contract interpretation. "[T]he court's obligation [is] to determine the intent of the parties by examining the language of the contract according to its plain and ordinary meaning." In re Smith Trust , 480 Mich. 19, 24, 745 N.W.2d 754, 758 (2008) (citing Frankenmuth Mut. Ins. Co. v. Masters , 460 Mich. 105, 112, 595 N.W.2d 832, 837 (1999) ). "[It] must ... give effect to every word, phrase, and clause in a contract and avoid an interpretation that would render any part of the contract surplusage or nugatory." Klapp v. United Ins. Grp. Agency , 468 Mich. 459, 468, 663 N.W.2d 447, 453 (2003).
When a contract's language is unambiguous, "[the] court[ ] must interpret and enforce the contract as written, because an unambiguous contract reflects the parties’ intent as a matter of law." In re Smith Trust , 745 N.W.2d at 758 ; accord Solo v. United Parcel Serv. Co. , 819 F.3d 788, 794 (6th Cir. 2016) (citing Port Huron Educ. Assn. v. Port Huron Area Sch. Dist. , 452 Mich. 309, 323, 550 N.W.2d 228, 237 (1996) ) ("When the language at issue is clear and unambiguous, its meaning is a question of law."). A contract is ambiguous "if it is equally susceptible to more than a single meaning," and "a finding of ambiguity is to be reached only after all other conventional means of interpretation have been applied and found wanting." Kendzierski v. Macomb Cnty. , 503 Mich. 296, 311, 931 N.W.2d 604, 611 (2019) (quotation removed). Determining the meaning of an ambiguous contract is a question of fact. Klapp , 663 N.W.2d at 454 ; accord Solo , 819 F.3d at 794 (quoting Port Huron , 550 N.W.2d at 237 ) ("[I]f the language is unclear or susceptible to multiple meanings, interpretation becomes a question of fact.").
Plaintiff alleges that it was "locked out of its systems and lost data, suffering damages including ... the loss of data, costs associated with recreation of its file systems, and lost profits during downtime and ongoing operational disruptions." (ECF No. 1-1, PageID.18, ¶ 63.) The Member Order, a document two pages long and attached to Plaintiff's complaint, states that Defendant "is not responsible for the availability of Subscriber Data." (Id. , PageID.25.) Defendant argues the entirety of Plaintiff's damages for the breach of contract claim are covered by this "not responsible" provision and are thus barred. (ECF No. 6, PageID.94.)
Defendant is not "responsible" for the "availability of Subscriber Data." (ECF No. 1-1, PageID.25.) "Responsible" is defined as "creditable or chargeable with the result." Responsible , Webster's Third International Dictionary, Unabridged (2020); see also Universal Underwriters Ins. Co. v. Kneeland , 464 Mich. 491, 496, 628 N.W.2d 491, 494 (2001) (finding that the word "responsibility" connotes liability). "Available" is defined as "capable of use for the accomplishment of a purpose" and "immediately utilizable." Available, Webster's Third International Dictionary, Unabridged (2020).
The court does not find as a matter of law that the "not responsible" clause bars Plaintiff's recovery for any category of damages alleged in the complaint, including damages resulting from "lost data." In re Smith Trust , 745 N.W.2d at 758. (ECF No. 1-1, PageID.18, ¶ 63.) It is not at all clear what "availability" of "data" means in this contractual context. Although it is possible the provision limits Plaintiff from recovering for data not being "available" as a result of a cyberattack, it would be little more than speculation to conclude that the provision sweeps so broadly as to deny liability for any long-term loss of data. The court is to read the contract as a whole and give effect to every term. Klapp , 663 N.W.2d at 453. It is counter-intuitive to allow Defendant to promise institution of, as Plaintiff adequately alleges, numerous security measures to mitigate the risks of a cyberattack, (ECF No. 1-1, PageID.11-12, ¶ 31; id. , PageID.29.), but then disclaim any liability for loss-of-data damages that seem to quite naturally flow from a cyberattack, and to do so by relying on words such as "availability of ... [d]ata" that at this stage of the case remain opaque. (Id. , PageID.25.)
The court does not endorse, nor does it reject, Defendant's claim that the contract provision applies to cyberattacks and any data disruptions that result from a cyberattack. (ECF No. 1-1, PageID.25.)
"Lost" is defined as "taken away or beyond reach or attainment." Lost, Webster's Third International Dictionary, Unabridged (2020). While being "unavailable" and "lost" may be similar concepts, it is a stretch of logic to assume that merely not having something "capable of use" necessarily and inherently implies that it is permanently "beyond ... attainment." The contractual language is ambiguous and is "equally susceptible to more than a single meaning." Kendzierski , 931 N.W.2d at 611. At this early stage of litigation, the court will not rule that Plaintiff cannot recover damages for the loss of its data.
The court cannot find as a matter of law that other damages Plaintiff alleges are covered by the "not responsible" clause. It is not clear that incurring costs to "recreat[e] file systems" relates to data "availability." In re Smith Trust , 745 N.W.2d at 758 ; Kendzierski , 931 N.W.2d at 611. (ECF No. 1-1, PageID.18, 25; ECF No. 8, PageID.120.) The data was made "available" to Plaintiff through Defendant's recovery efforts, but only in a form requiring expenditures to recreate file structures. (ECF No. 1-1, PageID.25; id. , PageID.16, ¶ 53.) The "not responsible" term is ambiguous, and Plaintiff is not barred at this time from recovering "costs associated with recreation of its file systems." In re Smith Trust , 745 N.W.2d at 758 ; Kendzierski , 931 N.W.2d at 611. (ECF No. 1-1, PageID.18, ¶ 63.)
Plaintiff also paid Defendant for access to "virtual desktop[s]" which allowed Plaintiff to use several software programs "including TValue, Microsoft Office, PFX Tax versions, PPC Checkpoint Tools, QuickBooks versions, PFX Practice Management, PFX Engagement, CCH ProSystem versions, and SuperForm Tax." (ECF No. 1-1, PageID.10, ¶ 26.) Plaintiff alleges that Defendant's breaches caused Plaintiff to be "locked out of its systems." (Id. , PageID.18, ¶ 63.) Resulting damages appear unrelated to the "availability of [Plaintiff's] [d]ata," (ECF No. 1-1, PageID.25.), and Defendant points to no portion of the Member Order or Information Privacy Security Policy that excludes Defendant's responsibility to provide Plaintiff access to virtual desktops.
Thus, considering the allegations in Plaintiff's complaint and the relevant documents attached to the complaint, Tellabs , 551 U.S. at 322, 127 S.Ct. 2499, the proper reading of the parties’ contract is not clear. Kendzierski , 931 N.W.2d at 611. Defendant's motion to dismiss on the "not responsible" clause will be denied.
3. Two Remaining Arguments in Defendant's Reply
Defendant's reply includes two other arguments that are easily resolved. First, Defendant asserts that the Information Privacy Security Policy is authored and created by InsynQ, Inc., not InsynQ, LLC, who is named in this action. (ECF No. 6, PageID.95.) Nonetheless, the Member Order, the terms of which Defendant itself relies on to deny liability, states that "[t]his Member Order is subject to the included InsynQ, LLC Information Privacy Security Policy" and provides a URL link. (ECF No. 1-1, PageID.25.) Plaintiff alleges that the contract attached to its complaint is the referenced Information Privacy Security Policy. (Id. , PageID.11-12, ¶ 31.) As the court must accept all factual allegations as true for the purposes of a motion to dismiss, it will not make a factual determination at this stage that, in fact, the parties entered into a separate and distinct contract. Laborers’ Local 265 Pension Fund , 769 F.3d at 403. Whether the Information Privacy Security Policy applies to Defendant is a question of fact that may be resolved at a later time. Id.
Second, Defendant points to a term in the Information Privacy Security Policy that states: "Client is responsible for all its content hosted by [Defendant]. [Defendant] exercises no control over, and accepts no responsibility for, the content of the information passing through the InsynQ network." (ECF No. 6, PageID.95; ECF No. 1-1, PageID.37.) While the term's most natural implication may be that Defendant is not responsible for unsavory or illegal files posted by Plaintiff onto Defendant's servers, in line with the term "[Defendant] is not responsible for screening or monitoring content used by Client," Defendant argues the term excludes liability for any virus that infects Defendant's systems. (ECF No. 1-1, PageID.37.) Defendant claims "content ... passing through the INsynQ network" includes ransomware. (Id. ) But it does not provide a detailed textual analysis nor does it cite to any caselaw in support of this contention. The court cannot find as a matter of law that the "plain and ordinary meaning" of "content" in this contractual context includes third-party viruses and ransomware. In re Smith Trust , 745 N.W.2d at 758 ; Kendzierski , 931 N.W.2d at 611. The language is at best ambiguous, and Defendant's motion to dismiss as to this issue will be denied.
B. Negligence
Defendant next argues that Plaintiff did not state a viable claim for negligence. As mentioned in the court's breach of contract analysis, Defendant's motion asserts generally that Plaintiff has not alleged that Defendant "breached a duty," and further, Plaintiff has not alleged that Defendant "did not take reasonable care." (ECF 3, PageID.63-64.) The argument is not well articulated, but, in its reply, Defendant clarifies and states that the parties’ relationship is governed by contract, and therefore Plaintiff is precluded from bringing an independent claim for negligence. (ECF No. 6, PageID.96.)
Plaintiff brings its negligence claim under three duties: a general duty of care, a duty created through a "special relationship," and a statutory duty created through the Federal Trade Commission Act ("FTCA"), 15 U.S.C. § 45. (ECF No. 1-1, PageID.20, ¶¶ 75-77.) All three fail as a matter of law to support a valid negligence claim.
1. General Duty of Care
In order to state a claim for negligence under Michigan law, Plaintiff must plausibly allege "(1) duty; (2) breach of that duty; (3) causation, both cause in fact and proximate causation; and (4) damages." Romain v. Frankenmuth Mut. Ins. Co. , 483 Mich. 18, 21, 762 N.W.2d 911, 913 (2009) (citing Schultz v. Consumers Power Co. , 443 Mich. 445, 449, 506 N.W.2d 175, 176 (1993) ); Ashcroft , 556 U.S. at 678, 129 S.Ct. 1937. The existence of a duty is a question of law. Hill v. Sears, Roebuck and Co. , 492 Mich. 651, 659, 822 N.W.2d 190, 195 (2012). "The ultimate inquiry in determining whether a legal duty should be imposed is whether the social benefits of imposing a duty outweigh the social costs of imposing a duty." Id. at 196 (quoting In re Certified Question from Fourteenth Dist. Court of App. of Tex. , 479 Mich. 498, 505, 740 N.W.2d 206, 216 (2007) ). In making this determination, courts consider "the relationship of the parties, the foreseeability of the harm, the burden on the defendant, and the nature of the risk presented." Id. (quoting In re Certified Question from Fourteenth Dist. Court of App. of Tex. , 740 N.W.2d at 216 ). Most importantly, "there must be a relationship between the parties and the harm must have been foreseeable." Id. (quoting In re Certified Question from Fourteenth Dist. Court of App. of Tex. , 740 N.W.2d at 213 ).
A foundational rule in negligence law is that parties are not held liable for "passive inaction or the failure to actively protect others from harm." Williams v. Cunningham Drug Stores, Inc. , 429 Mich. 495, 498, 418 N.W.2d 381, 382 (1988) ; accord Murdock v. Higgins , 454 Mich. 46, 53, 559 N.W.2d 639, 643 (1997) ; see also Restatement (Second) of Torts § 314 (Am. Law Inst. 1975). Based on this principle, Michigan courts have refused to find a duty of care where the extent of alleged misconduct amounts to a failure to perform promises included in a contract. One of the preeminent cases in this area is Hart v. Ludwig , where the defendant promised the plaintiff that he would care for the plaintiff's orchard; the promise was not kept, and the orchard fell into disrepair. 347 Mich. 559, 560, 79 N.W.2d 895, 896 (1956). The plaintiff asserted a negligence theory in which the defendant had undertaken a responsibility to care for the orchard and had been negligent in doing so. Id. The Michigan Supreme Court found that the plaintiff's argument for a legal duty could not be maintained "without enforcing the contract promise itself," and thus the court was "left with [the] defendant's failure to complete his contracted-for promise," which is not a tort. Id. at 898.
Michigan courts have since reiterated that when a plaintiff alleges breach of a duty that is not "separate and distinct from [a] contractual obligation" the defendant owes the plaintiff, "no tort action based on a contract will lie." Fultz v. Union-Commerce Assocs. , 470 Mich. 460, 467, 683 N.W.2d 587, 592 (2004) ; Ulrich v. Fed. Land Bank of St. Paul , 192 Mich. App. 194, 199, 480 N.W.2d 910, 912 (1991) (citing Hart , 79 N.W.2d at 898 ) ("[I]f a relation exists that would give rise to a legal duty without enforcing the contract promise itself, the tort action will lie, otherwise it will not."); 24 Mich. Civ. Jur. Torts § 2 (2020) ("In order for an action in tort to arise out of a breach of contract, the act must constitute not only a breach of duty separate and distinct from the breach of contract but also active negligence or misfeasance."). For example, in Fultz , the plaintiff slipped and injured herself while walking on an icy parking lot; she brought a negligence action against the snow clearing company for its failure to prevent ice from accumulating. 683 N.W.2d at 589. The Michigan Supreme Court found that the plaintiff did not have a viable claim under negligence, reasoning that the alleged violation involved only the company's responsibility "to fulfill its contractual obligation". Id. at 592. Plaintiff itself recognizes the distinction between contract nonfeasance, which is not recoverable under tort, and active misfeasance outside the obligations of a contract, which is recognized as a cause of action. It argues its breach of contract and negligence claims are separated by "contractual nonfeasance," on the one hand, and "misfeasance" in performance of the contract on the other. (ECF No. 8, PageID.123.)
By contrast, Michigan courts have permitted negligence actions when a party engages in "active misconduct causing ... injury" while performing obligations under a contract. Williams , 418 N.W.2d at 382 ; see also Loweke v. Ann Arbor Ceiling & Partition Co. , LLC , 489 Mich. 157, 171, 809 N.W.2d 553, 561 (2011) (quotation removed) ("[E]ntering into a contract with another pursuant to which one party promises to do something does not alter the fact that there exists a preexisting obligation or duty to avoid harm when one acts."). In other words, the existence of a contract does not eviscerate the public's right to sue for negligent behavior. Thus, in Loweke , the Michigan Supreme Court allowed for a negligence claim by a third party against a construction company who was performing a contract and negligently placed cement boards, which subsequently fell on the third party. 809 N.W.2d at 555-56, 561-62.
Nonetheless, Plaintiff's negligence claim amounts to allegations that Defendant failed to take action to protect Plaintiff from a virus attack. Plaintiff claims Defendant failed to: use effective anti-virus software and automated email scanning; properly train its employees to prevent email phishing; separate consumer data from its sales department, where the virus originated; use a backup system; perform incremental backups; segment networks; implement adequate security measures generally; adequately monitor the security of its networks; have plans in place to ensure data security; timely detect the virus; and pay the ransom. (ECF No. 1-1, PageID.20-21, ¶ 78.)
However, Defendant had no general duty to act, install safeguards, and protect Plaintiff and its data from a third-party ransomware attack; Defendant did not have a general duty to protect Plaintiff at all. Williams , 418 N.W.2d at 382 ; Hart , 79 N.W.2d at 898 ; Fultz , 683 N.W.2d at 590-92. In fact, some of the actions Plaintiff claims Defendant had a duty to perform were explicitly contemplated and provided for in the parties’ contract. For instance, Plaintiff alleges that Defendant contracted to provide "continuous file system scanning for virus signatures or activity" but was negligent for not "adequately monitor[ing] the security of its ... systems." (ECF No. 1-1, PageID.11-12, ¶ 31; id. , PageID.20-21, ¶ 78.) Thus, Plaintiff has alleged that Defendant committed negligent nonfeasance, which, outside the terms of the parties’ contract, does not bind Defendant to a general duty of care. Williams , 418 N.W.2d at 382 ; Hart , 79 N.W.2d at 898 ; Fultz , 683 N.W.2d at 590-92.
2. Duty Created Through a "Special Relationship"
Although generally "an individual has no duty to protect another who is endangered by a third person's conduct," "[a] duty of reasonable care may arise where one stands in a special relationship with either the victim or the person causing the injury." Marcelletti v. Bathani , 198 Mich. App. 655, 664, 500 N.W.2d 124, 129 (1993). Because extending liability to parties who fail to protect and secure others violates a basic norm of negligence law, Michigan courts have been hesitant to create "special relationships" beyond a few narrow and historical categories. Williams , 418 N.W.2d at 382-83 ("[The law] has been slow in recognizing liability for nonfeasance because the courts are reluctant to force persons to help one another and because such conduct does not create a new risk of harm to a potential plaintiff."). These categories include "landlord-tenant, proprietor-patron, employer-employee, residential invitor-invitee, psychiatrist-patient, ... doctor-patient ... common carrier-passenger[,] and innkeeper-guest" relationships. Marcelletti , 500 N.W.2d at 129. Notably, these categories involve common people, individuals, being placed in vulnerable situations with someone or something more powerful in which those individuals may not be able to ensure their security or protection outside the imposition of tort liability. Williams , 418 N.W.2d at 383 (explaining that special relationships often arise when "one person entrusts himself to the control and protection of another, with a consequent loss of control to protect himself").
Additionally, "absent special circumstances," "there is no duty to protect another from the criminal acts of a third party." Krass v. Tri-Cnty. Sec., Inc. , 233 Mich. App. 661, 593 N.W.2d 578, 582 (1999). Michigan courts have been exceptionally hesitant to extend liability to cases of third-party criminal behavior. See, e.g. , MacDonald v. PKT, Inc. , 464 Mich. 322, 334, 628 N.W.2d 33, 38 (2001) (holding that a merchant, although it had a special relationship with its business invitees, had only the duty "to respond reasonably" to a criminal act committed against an invitee while on the merchant's property); see also Graves v. Warner Bros. , 253 Mich. App. 486, 499, 656 N.W.2d 195, 203 (2002) (quoting Papadimas v. Mykonos Lounge , 176 Mich. App. 40, 46-47, 439 N.W.2d 280, 283 (1989) ) ("[C]riminal activity, by its deviant nature, is normally unforeseeable.").
Plaintiff argues that the parties had a "special relationship" through their "data-hosting relationship." Id. (ECF No. 8, PageID.123.) It alleged in its complaint that Defendant's "duty arose because there was a special relationship between [Defendant] as data-hoster and [Plaintiff] as data-owner." (ECF No. 1-1, PageID.20, ¶ 76.) Plaintiff cites no caselaw establishing the existence of a broad special relationship for all data hosts to data owners, and instead relies on unpublished caselaw from the Michigan Court of Appeals and Sixth Circuit that have found special relationships in distinct factual scenarios.
In Stacy v. HRB Tax Group., Inc. , a company that provided tax preparation services hired an employee who accessed clients’ tax information and personal information to illegally collect tax refunds. 516 F. App'x 588, 589 (6th Cir. 2013). Although the court did not find a Michigan decision that was directly on point, it reasoned that Michigan courts would recognize a special relationship in the facts of the case "between taxpayer and tax preparer." Id. at 591. The court's analysis was not long, but it did mention that the company had a duty "to ensure the security of their most essential confidential identifying information, information which easily could be used to appropriate a person's identity." Id.
Plaintiff is not bringing the instant action under the confines of Stacy and for Defendant's inability to protect personal information from identity theft in the tax preparation context. 516 F. App'x at 589. Plaintiff alleges a far wider duty for all those hosting others’ data to institute precautions to limit the risk of an extensive virus attack. (ECF No. 1-1, PageID.20, ¶ 76.) While Stacy involved individuals who had provided personal financial and tax information to a company for tax preparation services, an activity regularly undertaken by unsophisticated individuals, here Plaintiff is a sophisticated accounting firm that entered into a commercial contract whereby Defendant would house its data, and without Defendant's engagement and involvement in creating an individualized product like a tax return. 516 F. App'x at 589. (ECF No. 1-1, PageID.9, ¶ 13; id. , PageID.10-11, ¶¶ 26-27.)
In Bell v. Michigan Council 25 , 911 operators were obliged to join a union as a condition of their employment. Case No. 246684, 2005 WL 356306, at *1 (Mich. Ct. App. Feb. 15, 2005). The union was given access to the workers’ personal information to deduct dues from their paychecks and provide representation. Id. The union treasurer's daughter took the workers’ names, social security numbers, and driver's license numbers and purchased goods and services under the workers’ names. Id. The court found that the union had a "special relationship" with the workers to protect their personal information. Id. at *1-6. It specifically mentioned that the "relationship between the parties ... is one of union-union member," which was likened to that of a "fiduciary duty" where the union "has an obligation to act on behalf of, and in the best interest of [the workers]." Id. at *3. The court also reasoned that the identity theft was especially foreseeable when for months the union "knew confidential information was leaving its premises" and unauthorized third parties, including the eventual perpetrator, had access to it. Id. at *4-5. In finding a duty, the court "[limited] [its] holding ... to the facts of this case" and stated that the decision should not be "construed as imposing a duty in every case where a third party has obtained identifying information and subsequently uses that information to commit the crime of identity theft." Id. at *5.
Like in Stacy , Bell involved perpetrators with close connections to the defendant. In Stacy an employee and in Bell the union treasurer's daughter appropriated personal information of clients and workers to commit identity theft. Stacy , 516 F. App'x at 589 ; Bell , 2005 WL 356306, at *1. The defendants in Stacy and Bell had intimate control over the perpetrators. Stacy , 516 F. App'x at 589 ; Bell , 2005 WL 356306, at *1. Additionally, Bell involved workers who were compelled to join the union, and the union represented the interests of the workers in a close and fiduciary relationship. 2005 WL 356306, at *1, 3. Here, Plaintiff is a sophisticated business entity who deposited its data onto Defendant's servers, and no employee or close confidant associated with Defendant took Plaintiff's information to steal the personal identity of Plaintiff. (ECF No. 1-1, PageID.9, ¶ 13; id. , PageID.10-11, ¶¶ 26-27.) A rogue criminal virus, completely unaffiliated with Defendant, infiltrated Defendant's security system and demanded a ransom. (ECF No. 1-1, PageID.12, ¶¶ 32-36.) The facts in this case are distinguishable, with two commercial organizations whose relationship extends to an arms-length contract. (ECF No. 1-1, PageID.10, ¶¶ 20-21.) The Bell court itself recognized the limited implications of its decision. 2005 WL 356306, at *5.
In essence, Plaintiff wishes to extend Michigan's law of "special relationships" to a new and expansive commercial context without the benefit of any Michigan precedent on point. Marcelletti , 500 N.W.2d at 129. If Plaintiff's arguments were to hold, any sophisticated entity who provided cloud data hosting services to another sophisticated entity could be held liable for a myriad of precautions beyond their contractual obligations that they could have taken—but did not—to prevent a criminal third-party cyberattack. See Krass , 593 N.W.2d at 582.
The establishment of a new duty is a public policy determination that requires the court to find that the "social benefits of imposing a duty outweigh the social costs." Hill , 822 N.W.2d at 195 ; Murdock v. Higgins , 208 Mich. App. 210, 215, 527 N.W.2d 1, 3 (1994) (explaining that many of the factors used to find the existence of a duty are utilized when analyzing whether a special relationship exists). Plaintiff and Defendant were sizable commercial entities, and Plaintiff willingly entered into a contractual relationship whereby Defendant allegedly failed to take effective precautions against cyberattacks. (ECF No. 1-1, PageID.11-12, ¶ 31; id. , PageID.29.) At this stage, well past the time for negotiating contract terms, the court declines the invitation to provide Plaintiff a windfall ex post by allowing it to impose additional duties under negligence law, and potentially substantial liability, based upon the criminal acts of third parties. Marcelletti , 500 N.W.2d at 129 ; Krass , 593 N.W.2d at 582. This is true even if, as Plaintiff alleges, Defendant was aware generally of a growing threat of ransomware in society at large. Ashcroft , 556 U.S. at 678, 129 S.Ct. 1937. (ECF No. 1-1, PageID.8, ¶ 10.) The fact that Plaintiff also brings a valid claim under contract law, arguing that the terms of the agreement, however limited, were breached, strengthens the finding that imposition of expanded tort liability is not warranted. (ECF No. 1-1, PageID.11-12, ¶ 31; id. , PageID.29.) Plaintiff and Defendant were demonstrably capable of agreeing to terms that protected Plaintiff from the adverse effects of cyberattacks and, in fact, did so.
Plaintiff and Defendant were not fiduciaries and could have tailored the terms of their agreement to better protect Plaintiff from cybercriminals. Plaintiff does not allege or argue that it was somehow left to the whim of Defendant or that Defendant had a position of authority over Plaintiff akin to the workers in Bell, 2005 WL 356306, at *1 ; see also Marcelletti , 500 N.W.2d at 129 (describing other situations where special relationships exist such as a doctor utilizing her medical expertise to treat ordinary patients). To obtain additional protections, Plaintiff may have had to pay a higher cost, and Defendant may have ultimately rejected such a proposed deal. But that is no different than the regular give and take that pervades commercial negotiations. As an alternative, Plaintiff could have obtained insurance.
In all, the court does not believe that the parties’ arms-length contractual relationship is sufficiently close, or Plaintiff sufficiently vulnerable to abuse in the context of a sophisticated commercial transaction, that the costs that would be imposed on all data-hosts are outweighed by the societal benefit of liability. Hill , 822 N.W.2d at 195 ; Murdock , 527 N.W.2d at 3 ; Williams , 418 N.W.2d at 383. Negligence liability would ultimately amount to a reward to Plaintiff for failing to obtain better and more exhaustive contractual provisions. To the extent that Plaintiff's negligence allegations overlap with the parties’ contract, Plaintiff has an adequate remedy under contract law. Taking the rare step of establishing a "special relationship" is not justified. Williams , 418 N.W.2d at 382-83.
Like the court in Bell , the court does not exclude the possibility that a data host may have a special relationship with a data owner and a duty to prevent cyberattacks in other contexts. 2005 WL 356306, at *5.
3. Statutory Duty Under the Federal Trade Commission Act
Plaintiff makes a third attempt to establish a duty through federal statute. It asserts Defendant had a duty of care under the FTCA, 15 U.S.C. § 45, and its bar on "unfair ... practices in or affecting commerce." (ECF No. 1-1, PageID.20, ¶ 77; ECF No. 5, PageID.84.) Although a duty of care can be established through a statute, "the fact that defendant's conduct may have been in violation of a statute does not in and of itself shed light on whether defendant owed plaintiff a duty of care." Cipri v. Bellingham Frozen Foods, Inc. , 235 Mich. App. 1, 16, 596 N.W.2d 620, 628 (1999). Plaintiff presents no caselaw from Michigan, the Sixth Circuit, or the Supreme Court that has established a duty of care for data-holders to data-owners through the FTCA's bar on unfair commercial practices. Plaintiff cites one opinion in support of its position, from the United States District Court of New Jersey, which involved a regulatory enforcement action by the Federal Trade Commission and included no claims of negligence. See FTC v. Wyndham Worldwide Corp. , 10 F. Supp. 3d 602 (D.N.J. 2014). (ECF No. 5, PageID.84.)
It is Plaintiff's responsibility to establish the existence of a duty by which Defendant may be held liable for negligence; Defendant must have a duty for Plaintiff to state a claim as a matter of law. Mieras v. DeBona , 452 Mich. 278, 296, 550 N.W.2d 202, 210 (1996) ("The first element that a plaintiff must establish in any negligence claim is a duty the plaintiff is owed by the defendant."); James v. Meow Media, Inc. , 300 F.3d 683, 689 (6th Cir. 2002) (reviewing a district court's dismissal of a negligence action under Kentucky law for failure to state a claim, stating "the plaintiff must establish that the defendant owed a duty of care to the plaintiff"); see McPherson v. Kelsey , 125 F.3d 989, 996 (6th Cir. 1997) (quotation removed) (holding that it is not the court's responsibility to "put flesh on [the] bone" of a plaintiff's claims and arguments). Plaintiff failed to cite to or argue from any relevant caselaw in support of its position, nor for the creation of a new duty through the FTCA. Thus, Plaintiff has failed to establish Defendant had a duty to prevent a cyberattack as a matter of law, and Plaintiff's negligence claim will be dismissed. Mieras , 550 N.W.2d at 210 ; Hill , 822 N.W.2d at 195.
C. Gross Negligence
Defendant advances many arguments in support of dismissal of Plaintiff's gross negligence claim. (ECF No. 6, PageID.96-103.) The court need only address one: Plaintiff asserts for gross negligence the same three duties it relies on to establish a claim under ordinary negligence. See Smith v. Jones , 246 Mich. App. 270, 274, 632 N.W.2d 509, 514 (2001) ("Duty is an essential element of a claim of negligence or gross negligence."). (ECF No. 1-1, PageID.18, ¶¶ 65-67.) However, as the court discussed in its negligence analysis, Defendant does not have a duty as a matter of law to protect Plaintiff from a ransomware attack under a general duty of care, a duty created by a "special relationship," or the FTCA. Williams , 418 N.W.2d at 382 ; Marcelletti , 500 N.W.2d at 129. For the same reasons as those discussed above, Plaintiff's gross negligence claim will be dismissed.
IV. CONCLUSION
Defendant presents many arguments in favor of dismissal of Plaintiff's claim for breach of contract; they are all unsuccessful. Plaintiff's breach of contract claim survives Defendant's motion to dismiss. However, Plaintiff has not established that it was owed a duty under a negligence or gross negligence theory. Plaintiff's tort claims will be dismissed.
IT IS ORDERED that Defendant's "Motion to Dismiss" (ECF No. 3) is GRANTED IN PART and DENIED IN PART. It is GRANTED as to Plaintiff's claims of Negligence (Count III) and Gross Negligence (Count II). It is DENIED as to Plaintiff's claim of Breach of Contract (Count I).