Opinion
Civil Action 3:23-CV-00236-KDB-SCR
11-09-2023
APEX TOOL GROUP LLC, Plaintiff, v. CYDERES, LLC AND FISHTECH GROUP, LLC, Defendants.
ORDER
KENNETH D. BELL, UNITED STATES DISTRICT JUDGE
THIS MATTER is before the Court on Defendants' Motion to Dismiss Plaintiff's Amended Complaint (Doc. No. 27). The Court has carefully considered this motion and the parties' briefs and exhibits in support and in opposition to the motion. Applying the generous standard for the Court's review of a motion to dismiss pursuant to Rule 12(b)(6), the Court finds that Plaintiff Apex Tool Group, LLC (“Apex”) has sufficiently pled its fraudulent inducement, unfair trade practices and unjust enrichment claims and it is premature to address the “limitation of liability” provision in the parties' cybersecurity services contract. However, the Court also finds that Plaintiffs' negligence and gross negligence claims, which are wholly based on Defendants' alleged failures to adequately perform the duties undertaken in the parties' contract, are barred as a matter of law by the “economic loss” rule. Therefore, the Court will in part GRANT and in part DENY the Defendants' motion to dismiss.
I. LEGAL STANDARD
Under Rule 8(a)(2) of the Federal Rules of Civil Procedure, a complaint must contain a “short and plain statement of the claim showing that the pleader is entitled to relief.” A motion to dismiss under Federal Rule of Civil Procedure 12(b)(6) for “failure to state a claim upon which relief can be granted” tests whether the complaint is legally and factually sufficient. See Fed.R.Civ.P. 12(b)(6); Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007); Coleman v. Md. Court of Appeals, 626 F.3d 187, 190 (4th Cir. 2010), aff'd, 566 U.S. 30 (2012). The purpose of Rule 12(b)(6) is to expose deficient allegations “at the point of minimum expenditure of time and money by the parties and the court.” Twombly, 550 U.S. at 558.
To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must plead facts sufficient to “state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 570). “A claim has facial plausibility when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (citing Twombly, 550 U.S. at 556). A claim will not survive a motion to dismiss if it contains nothing more than “labels and conclusions, and a formulaic recitation of a cause of action's elements.” Twombly, 550 U.S. at 555 (citing Papasan v. Allain, 478 U.S. 265, 286 (1986)). However, the Court “accepts all well-pled facts as true and construes these facts in the light most favorable to the plaintiff in weighing the legal sufficiency of the complaint.” Nemet Chevrolet, Ltd. V. Consumeraffairs.com, Inc., 591 F.3d 250, 255 (4th Cir. 2009); see Ashcroft, 556 U.S. at 678. Thus, “a well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of those facts is improbable, and that a recovery is very remote and unlikely.” Twombly, 550 U.S. at 555 . (internal citation and quotation marks omitted).
When deciding a motion to dismiss, “a court considers the pleadings and any materials ‘attached or incorporated into the complaint.'” Fitzgerald Fruit Farms LLC v. Aseptia, Inc., 527 F.Supp.3d 790, 796 (E.D. N.C. 2019) (quoting E.I. du Pont de Nemours & Co. v. Kolon Indus., Inc., 637 F.3d 435, 448 (4th Cir. 2011)). Further, “[d]etermining whether a complaint states a plausible claim for relief will be a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Id. (citation omitted). In sum, a motion to dismiss under Rule 12(b)(6) determines only whether a claim is stated; “it does not resolve contests surrounding the facts, the merits of a claim, or the applicability of defenses.” Republican Party v. Martin, 980 F.2d 943, 952 (4th Cir. 1992).
II. FACTS AND PROCEDURAL HISTORY
Apex, a Delaware corporation which has its principal place of business in North Carolina, is one of the largest manufacturers of professional hand and power tools in the world. (Doc. No. 25 at ¶ 7). In 2019, Apex sought to hire a company to oversee and manage cybersecurity threats, which it alleges that it did not have the resources or sophistication to handle on its own. (Id. at ¶¶ 11-12). To select a vendor, Apex engaged in a “bid process” to find a “comprehensive security operation team to provide ongoing monitoring and detection services for threats to its network comprised of over 3,000 employees.” (Id. at ¶ 12).
Defendants Cyderes, LLC and Fishtech Group, LLC provide “outsourced” cybersecurity services of the type sought by Apex. (Id. at ¶ 16). In October 2020, Apex was introduced to Fishtech, and Apex's Head of Cybersecurity and Data Center Architect met with Fishtech employees to talk about Fishtech providing cybersecurity services to Apex. (Id. at ¶¶ 13-14). In particular, Apex was interested in using Google Chronicle, a cloud service that indexes, correlates, and analyzes data received from cybersecurity monitoring and detection tools, allowing the end-user to assess security threats and alerts. (Id.). Over the course of the ensuing two months, Apex and Fishtech employees met several times to discuss Fishtech's capabilities and service offerings and then to negotiate a written “statement of work” (“SOW”) that became the contract between Apex and Fishtech. (Id. at ¶¶ 13-26). Apex alleges that during the negotiations Fishtech misrepresented that it would use Google Chronicle to:
• “aggregate alerts from disparate sources on the Apex network, and ... synthesize these in a manner that would allow Defendants to easily identify and timely respond to threat actors”;
• “deliver . [a] customized log of alerts identifying threat detections”;
• create “reporting features and rules and logic development in Chronicle Detect”; and
• “provide ‘10 custom parsers for [Google] Chronicle' and set up ‘24x7 Chronicle product support'”.(Id. at ¶¶ 15, 17, 22 and 23). Apex further alleges Fishtech misrepresented in a “Welcome Packet” and/or “Tracker File” that Fishtech “could offer . endpoint monitoring,” as well as “collect or parse” data from “nearly 400 Apex network data sources” in order “to create custom effective threat detection tools,” all of which are features of Google Chronicle. (Id. at ¶ 19). Apex and Fishtech entered into the SOW on December 18, 2020. (Id. at ¶ 33). Apex alleges that each of these representations was “agreed to . under the SOW.” (Id. at ¶ 60). .
Significantly, Apex further claims Defendants knew, at the time they made these representations, that they could not and could never perform the services they touted, including tailoring the Google Chronicle's capabilities to Apex's corporate network, and thus never intended to provide such services. (Id. at ¶ 84). Instead, according to Apex, Fishtech simply wanted to enter into an agreement with Apex to “prop[] up its valuation to secure a higher purchase price” in its merger with Cyderes, which was finalized in December 2021. (Id. at ¶ 29).
Apex further complains about the formation of the SOW beyond Fishtech's alleged misrepresentations. Specifically, it alleges that on December 15, 2020, it was “pressure[d]” into signing the SOW “without fulsome review,” based on an offered discount that applied only if the
SOW was signed by December 18, 2020. (Doc. No. 25 at ¶ 25). Apex further alleges the SOW was unfairly structured because it provided for “a lofty payment of $350,000 before any services were even provided,” and did not “allow[] Apex to terminate the contract before the expiration of the [SOW's] three-year term.” (Id.).
In the SOW, the parties set out their “Goals and Objectives,” as well as the “Methodology” and “Approach” Fishtech would employ in providing cybersecurity services to Apex. (Doc. No. 21-1 at 3-5). The SOW also contains “Terms and Conditions” that govern the parties' relationship, including the “Scope of Services” (§ 1), the “Term” of the agreement (§ 3), the parties' respective “Confidentiality Obligations” (§ 7), and a “Limitation of Liability” (§ 10). See id. at 7-9. Section 10 provides in relevant part:
Limitation of Liability. Under no circumstances shall [Cyderes] be liable to [Apex] . . . for any indirect, incidental, exemplary, consequential, or special damages relating to or arising out of these Terms and Conditions or the SOW .... In no event . . . shall [Cyderes's] total cumulative liability in connection with these Terms and Conditions and the Services, whether in contract, tort or otherwise, exceed the total amount of [Apex's] payment(s) hereunder....Id. § 10. The SOW further includes a “Warranty Disclaimer,” which states that “[CYDERES] MAKES NO WARRANTY THAT THE SERVICE . . . WILL DETECT EVERY VULNERABILITY TO CLIENT'S NETWORK.” Id. § 9 (emphasis in original). Apex alleges it has paid $670,741.50 in fees to Defendants pursuant to the SOW. (Doc. No. 25 at ¶ 125).
After Fishtech/Cyderes began providing cybersecurity services to Apex under the SOW, Apex experienced at least two cybersecurity incidents. In November 2021, its network security was temporarily compromised by a “phishing attack” triggered by an Apex employee who unintentionally disclosed his or her login credentials to a threat actor. (Id. at ¶ 61). While Apex alleges the attack was resolved “before any significant damage was done to the Apex network,” it asserts that it was “forced to resolve [the attack] without any assistance from [Cyderes].” Apex claims this shows that Cyderes “never had any intention of performing . . . under the SOW.” (Id. at ¶¶ 60-64).
The second attack was more serious. On February 21, 2022, a user on Apex's network downloaded and decompressed a zip folder containing a malicious JavaScript file. (Id. at ¶ 65). Then, from February 21, 2022 to March 7, 2022, cybercriminals allegedly worked inside Apex's IT systems to deactivate antivirus software, exfiltrate data, and map Apex's network. (Id. at ¶ 65). Apex claims that Cyderes's cybersecurity systems issued five “high alert” notifications about the cybercriminals' activities, including on February 21, March 7, and March 8, 2022, but did not inform Apex. (Id. at ¶¶ 66, 68-69). On March 9, 2022, Cyderes notified Apex of an intrusion, but Apex alleges that Cyderes did not fully warn Apex of the potential impact of the attack. (Id. at ¶ 71). On March 11, 2022, the “threat actor executed a LockBit 2.0 ransomware attack.” (Id. at ¶ 75). Apex alleges it suffered $25 million in losses from the attack, including damages from an extended network outage from March 11, 2022 to March 30, 2022, and costs associated with restoring system access and complying with data and privacy-breach laws, as well as other consequential damages. (Id. at ¶ 78).
Apex filed its original Complaint on April 25, 2023, asserting claims for breach of contract, breach of warranty, negligence, fraud, and unjust enrichment. (Doc. No. 1). On June 20, 2023, Cyderes moved to dismiss the tort based claims. (Doc. No. 20). In response, Apex filed an Amended Complaint in which it added a claim for violation of North Carolina's Unfair Trade Practices Act (“UDTPA”). (Doc. No. 25). Defendants have now moved to dismiss Apex's fraud, negligence, gross negligence, unjust enrichment and unfair trade practices claims and to limit Apex's damages under the SOW's “limitation of liability” provision. Apex opposes the motion, which has been fully briefed and is ripe for decision.
III. DISCUSSION
Defendants challenge the sufficiency of each of Apex's extracontractual claims, which are discussed separately below.
A. Fraudulent Inducement
“The essential elements of fraud in the inducement are: (1) [a] [f]alse representation or concealment of a material fact, (2) reasonably calculated to deceive, (3) made with intent to deceive, (4) which does in fact deceive, (5) resulting in damage to the injured party.” TradeWinds Airlines, Inc. v. C-S Aviation Servs., 222 N.C.App. 834, 840 (2012) (cleaned up and citation omitted). Defendants argue that Apex has not adequately alleged a fraudulent inducement claim because (i) that claim is barred by the economic loss rule, (ii) Apex fails to plead an actionable misstatement, and (iii) Apex fails to plead intent to deceive. Applying the lenient standard of review of 12(b)(6) motions, the Court finds that Plaintiff has adequately pled a claim of fraudulent inducement.
The economic loss rule “prohibits recovery for purely economic loss in tort when a contract [or] warranty . . . operates to allocate risk” between the parties. Severn Peanut Co. v. Indus. Fumigant Co., 807 F.3d 88, 94 (4th Cir. 2015). While this principle applies to Apex's negligencebased claims as discussed below, it does not apply to fraudulent inducement claims. Under North Carolina law, “claims for fraud are not .. barred [by the economic loss rule] and indeed, ‘the law is ... to the contrary: a plaintiff may assert both [fraud and contract] claims.” Bradley Woodcraft, Inc. v. Bodden, 251 N.C.App. 27, 34 (2016) (quoting Jones v. Harrelson & Smith Contractors, LLC, 194 N.C.App. 203, 215 (2008), aff'd, 363 N.C. 371 (2009)); Provectus Biopharmaceuticals, Inc. v. RSM U.S. LLP, 2018 WL 4700371, at *18 (N.C. Super. Sept. 28, 2018) (“[T]he economic loss rule does not apply to [plaintiff's] fraud claims.”).
The Amended Complaint is silent about which state's laws govern Apex's tort claims. Pursuant to North Carolina choice of law rules, “the law of the state where the plaintiff has actually suffered harm” applies to tort claims. Harco Nat. Ins. Co. v. Grant Thornton LLP, 698 S.E.2d 719, 726 (N.C. Ct. App. 2010). Here, Apex alleges it suffered the damages it seeks in North Carolina, (Doc. No. 25 at ¶ 7), and the parties have cited North Carolina law in their memoranda of law. The Court will therefore apply North Carolina law to Apex's claims for purposes of this motion.
More specifically, where a plaintiff adequately alleges a defendant “‘had no intention of [completing work required under the contract]' from the very beginning,” it “constitutes fraud” and the economic loss rule does not apply. Legacy Data Access, Inc. v. Cadrillion, LLC, 889 F.3d 158, 166 (4th Cir. 2018) (quoting Bradley Woodcraft, 251 N.C.App. at 30); see also Foodbuy, LLC v. Gregory Packaging, Inc., 987 F.3d 102, 121 (4th Cir. 2021) (“[T]he North Carolina Court of Appeals has limited the application of the [economic loss rule] to negligence claims.” (citing Bradley Woodcraft, 251 N.C.App. at 30)). Here, Apex alleges that prior to entering the SOW, Defendants deliberately misstated their then current capabilities, which Apex contends shows that they had no intention of completing the contract. See, e.g., Doc. No. 25 at ¶¶ 2, 14-31, 84. Thus, Apex has pled that Defendants breached a duty other than a contractual duty, such that its fraudulent inducement claim is “identifiable and distinct” from the breach of contract claim and thus outside the economic loss rule. See LifeBrite Hosp. Grp. of Stokes, LLC v. Blue Cross & Blue Shield of N. Carolina, 2022 WL 801646, at *4 (M.D. N.C. Mar. 16, 2022); see also Brown v. Secor, 2020 WL 6696101, at *5 (N.C. Super. Nov. 13, 2020) (rejecting argument that fraudulent inducement claim “is bound up with the alleged breach of contract and therefore barred by the economic loss rule” and holding “[t]he economic loss rule does not bar claims for fraudulent inducement”).
North Carolina recognizes “a separate and distinct duty not to provide false information to induce the execution of [a] contract.” Jones v. BMW of N. Am., LLC, 2020 WL 5752808, at *9 (M.D. N.C. Sept. 25, 2020); see also Schumacher Immobilien Und Beteiligungs AG v. Prova, Inc., 2010 WL 3943754, at *2 (M.D. N.C. Oct. 7, 2010) (“[A] party to a contract owes the other contracting party a separate and distinct duty not to provide false information to induce the execution of the contract.”).
Further, Apex has alleged misstatements, which, if proven, plausibly support its claim for fraudulent inducement. Defendants argue that Apex's fraud claims fall short because it has alleged only “non-actionable promissory statements of future intent and sales talk rather than misstatements of pre-existing fact.” Doc. No. 28 at 15. However, Apex's Amended Complaint goes beyond allegations of future promises. Apex has alleged that Defendants falsely represented to Apex that they had existing tools, infrastructure, and resources to deploy Google Chronicle, when they in fact did not. Doc. No. 25 at ¶¶ 15, 17, 21, 23. Moreover, Apex alleges that Defendants still lack those capabilities. Id. ¶ 84. These alleged statements potentially relate to then current facts and support a claim for fraudulent inducement. See Gaming v. Trustwave Holdings, Inc., 2016 WL 5799300, at *4, *5 (D. Nev. Sept. 30, 2016) (denying motion to dismiss fraudulent inducement claim against data security provider that allegedly “misrepresent[ed] that ‘it had the capabilities and experience as a data service security provider to investigate, diagnose, and help remedy the data breach' and that it would perform these tasks”).
To be clear, the Court expresses no view at this stage of the case on whether Defendants pre-contractual sales efforts will ultimately be held to be more than non-actionable “sales talk” or expressions of opinion about the quality of services offered by Defendants. Rather, the Court only finds for purposes of this motion that, accepting the allegations of the Amended Complaint as true, Apex has plausibly pled a claim for fraudulent inducement.
Also, a “[defendants' alleged intent contrary to the promises of future conduct ... can support a finding of a misrepresentation of material fact to state an action for fraud.” See Boeing Co. v. Ten Oaks Mgmt., LLC, 2023 WL 4241679, at *5 (W.D. N.C. June 28, 2023) (citing Glob. Hookah Distributors, Inc. v. Avior, Inc., 401 F.Supp.3d 653 (W.D. N.C. 2019)); Leftwich v. Gaines, 521 S.E.2d 717, 723 (N.C. Ct. App. 1999) (“a promissory misrepresentation may constitute actionable fraud when it is made with intent to deceive the promisee, and the promisor, at the time of making it, has no intent to comply.”). Again, it is Defendants' alleged misrepresentation of their then existing capabilities and their alleged intent at that time not to provide the offered services that combine to support Apex's fraudulent inducement claim. So, while a statement of promissory intent alone is insufficient to support a claim of fraud, a promise of future action together with the contemporaneous intent not to fulfill the promise can plausibly state a claim. Here, Apex has sufficiently alleged both material misstatements and, as discussed further below, Defendants' wrongful intent. Therefore, Apex's allegations of Defendants' misrepresentations are sufficient to plausibly support its claim of fraudulent inducement.
Finally, Apex has adequately alleged that Defendants did not intend to comply with the SOW at the time of their alleged misrepresentations. Under Rule 9(b), “intent may be alleged generally.” See Fed.R.Civ.P. 9(b); see also Wilson v. McAleer, 368 F.Supp.2d 472, 478 (M.D. N.C. 2004) (“[A]ll [the plaintiff] needs to survive a motion to dismiss is to set out a scenario that, if proved, suggests the possibility of a fraudulent and deceitful scheme that extended prior to the formation of any contract between plaintiff and defendants and continued through the execution of the contract.”); Packrite, LLC v. Graphic Packaging Int'l, Inc., 2019 WL 2992340, at *6 (M.D. N.C. July 9, 2019) (“[T]he complaint need only ‘contain specific factual matter to permit the plausible inference that the defendant did not intend to honor the agreement at the time of its making.'”). Apex has met that low threshold.
Apex alleges that Fishtech was motivated to induce Apex to sign the SOW to increase Fishtech's attractiveness as an acquisition target. Doc. No. 25 at ¶ 27. Apex further alleges that the SOW's provisions requiring a significant “upfront” payment and limiting Apex's ability to cancel the contract before the end of the contract term are consistent with that goal. Id. at ¶ 25. The Amended Complaint also alleges that Defendants failed to perform under the SOW soon after signing it. Id. at ¶¶ 60-64; see also Boeing Co., 2023 WL 4241679, at *4 (noting that when misstatements are followed by breach in “quick succession [it] suggests that the statements could be found to be a knowing lie when they were made”). And, finally, Apex contends that the number, extent, and detail of Defendants' misrepresentations about Google Chronicle, followed by the alleged failure to deliver, creates an inference of an intent to deceive. Again, it may turn out that Apex is unable to prove its allegations as this case proceeds. However, at this stage, Apex has plausibly alleged a claim of fraudulent inducement.
For example, it may be that Apex, a much larger company, has difficulty proving that it was unlawfully “pressured” to enter into the SOW (which the parties had been negotiating for two months) simply because Fishtech dangled the possibility of a “discount” if the SOW was executed by a date three days in the future.
B. Unfair Trade Practices
Based on the Court's ruling allowing Plaintiff's fraud claim to proceed, the Court will also deny Defendants' motion to dismiss Plaintiff's UDTPA claim. Because fraudulent conduct violates the UDTPA, if Apex's fraudulent inducement claim survives, then its UDTPA claim survives as well. See Doc. No. 28 at 20; see also Unifour Constr. Servs., Inc. v. Bellsouth Telecomm., 594 S.E.2d 802, 808 (N.C. Ct. App. 2004) (“[P]roof of fraud necessarily constitutes a violation of the statutory prohibition against unfair and deceptive acts.”). Accordingly, Apex's UDTPA claim will be allowed to proceed.
Having decided that Apex's UDTPA claim can proceed based on the possibility that Apex will be successful in proving fraud, the Court need not and does not reach the alternate question as to whether Apex has stated a UDTPA claim based on a breach of contract accompanied by “substantial aggravating and egregious conduct.” See Foodbuy, 2022 WL 3102356, at *4. As with Apex's fraud claim, a determination of the merits of that argument must be deferred and will depend on the course of discovery and further proceedings.
C. Unjust Enrichment
“The general rule of unjust enrichment is that where services are rendered and expenditures made by one party to or for the benefit of another, without an express contract to pay, the law will imply a promise to pay a fair compensation therefor.” Cross v. Ciox Health, LLC, 438 F.Supp.3d 572, 589 (E.D. N.C. 2020). Defendants move the Court to dismiss Apex's unjust enrichment claim on the grounds that the Amended Complaint alleges the existence of a binding contract and that an “unjust enrichment claim fails as a matter of law” where the payments claimed as damages were “given pursuant to a contract.” See Weare v. Bennett Bros. Yachts, Inc., 2020 WL 398501, at *8 (E.D. N.C. Jan. 23, 2020). While this is an accurate statement of the law, it is also true that parties may “plead alternative and inconsistent claims.” See Renfinity, Inc. v. Jones, 2022 WL 1102473 (W.D. N.C. Apr. 13, 2022) at *2. Such is the case here. While Apex has not specifically pled its unjust enrichment claim in the alternative (and it will of course not be permitted to recover on its claim for unjust enrichment if an enforceable contract exists between the parties), at this early stage of the case, the Court will allow Plaintiff's alternative claim for unjust enrichment to proceed past Defendants' motion to dismiss.
Defendants argue that the parties here have admitted the existence of a contract (the SOW) so there is no possibility of a claim for unjust enrichment. However, as discussed above, Apex contends that it was fraudulently induced to enter into the SOW so it could possibly be held to be void or unenforceable. In that event, Apex's alternate claim for unjust enrichment may become relevant (an issue the Court need not and does not resolve now).
D. Negligence and Gross Negligence
A “tort action must be grounded on a violation of a duty imposed by operation of law,” not a violation of a duty arising purely from “the contractual relationship of the parties.” Legacy Data Access, Inc. v. Cadrillion, LLC, 889 F.3d 158, 164-65 (4th Cir. 2018) (emphasis in original). Thus, a “tort action does not lie against a party to a contract who simply fails to properly perform the terms of the contract.” Rountree v. Chowan Cty., 796 S.E.2d 827, 830 (N.C. Ct. App. 2017). “It is the law of contract,” not tort law, “which defines the obligations and remedies of the parties in such a situation.” Id. Accordingly, “North Carolina law requires” courts “to limit plaintiffs' tort claims to only those claims which are ‘identifiable' and distinct from the primary breach of contract claim.” Broussard v. Meineke Disc. Muffler Shops, Inc., 155 F.3d 331, 346 (4th Cir. 1998) (quoting Newton v. Standard Fire Ins. Co., 291 N.C. 105, 229 S.E.2d 297, 301 (1976)).
The economic loss rule, which prohibits recovery for purely economic loss in tort when a contract [or] warranty governs the parties' respective rights and obligations, reflects “the fundamental difference between tort and contract claims.” Id. In preventing parties from asserting tort claims for a simple breach of contract, the economic loss rule thus “encourages contracting parties to allocate risks for economic loss themselves.” Lord v. Customized Consulting Specialty, Inc., 182 N.C.App. 635, 643 S.E.2d 28, 30 (2007); see also Moore v. Coachmen Indus., Inc., 129 N.C.App. 389, 499 S.E.2d 772, 780 (1998) (“To give a party a remedy in tort ... would permit the party to ignore and avoid the rights and remedies granted or imposed by the parties' contract.”).
Thus, the Fourth Circuit has “previously rejected ‘attempt[s] by the plaintiff to manufacture a tort dispute out of what is, at bottom, a simple breach of contract claim' as ‘inconsistent both with North Carolina law and sound commercial practice.'” Legacy Data, 889 F.3d at 164 (citing Broussard, 155 F.3d at 346). In Broussard, the defendants contended that various contract provisions allowed them to pay advertising commissions from a particular bank account, while plaintiffs contended that the contract allowed no such thing. Broussard, 155 F.3d at 346 . The court held that because the “crux of this matter is and always has been a contract dispute,” the district court erred in permitting plaintiffs to assert an “extensive” array of tort claims-such as breach of fiduciary duty, fraud, and intentional interference with contractual relations-for the same alleged harm. Id.
The dispute here, as it relates to Apex's negligence and gross negligence claims, is similar to Broussard and Legacy Data because those tort claims in effect simply restate Apex's breach of contract allegations - the asserted failure to provide competent cybersecurity services - as allegedly “negligent” conduct. While Apex argues that Defendants had a “duty by operation of law” to “protect Apex and its data,” Doc. No. 25 at ¶ 107, the alleged breaches of that supposed “duty” are Defendants' alleged failure to monitor, detect, respond, or notify Apex of harmful cyberattacks, which are the same contracted-for services related to cybersecurity as those agreed to under the SOW. Compare Doc. No. 25 at ¶¶ 92-97 with Doc. No. 25 at ¶ 108; see also Doc. No. 30 at 19 (“Defendants breached ... duty to ... monitor and safeguard Apex's information technology systems and networks from the foreseeable risk of data breach.”). Apex's negligence claims are thus not independent of the SOW.
Absent the SOW, Defendants had no common law or statutory duty to provide cybersecurity services, to monitor or safeguard Apex's systems, or to detect and report any cyberattack. Still, Apex seeks to ground Defendants' claimed tort duty on their alleged “unique access to and control over Apex's corporate data, specialized expertise, and pivotal role in preventing large-scale cyberattacks.” Doc. No. 25 at ¶ 107. This argument proves too much. If inside access to private locations, data or other information and “specialized expertise” are sufficient to create a duty which may be the basis for a claim of negligence (and the award of extracontractual damages) then most service providers, from plumbers to business consultants to IT workers, would be at risk of being accused of negligence anytime a client was unhappy with their services. This is not the law in North Carolina (or elsewhere so far as the Court is aware). Rather, when a party fails to perform a contract, the proper remedy is determined by the law of contracts, not torts. Rountree, 796 S.E.2d at 830.
In sum, the “crux of [Apex's negligence claim] ... is ... a contract dispute,” which is governed by contract law and barred by the economic loss doctrine. See Legacy Data, 889 F.3d at 165-66; see also Severn Peanut, 807 F.3d at 94-95 (dismissing negligence claim that “claim[ed] a remedy in tort for [the defendant's] breach of . . . the very same duty as that underlying [the plaintiff's] breach of contract claim”); Moore v. Coachmen Indus., Inc., 499 S.E.2d 772, 780 (N.C. Ct. App. 1998) (the “economic loss doctrine prevents plaintiffs from recovering on their negligence claim against defendants” where the transaction is governed by contract law).
Similarly, the economic loss rule bars Apex's gross negligence claim since it, too, “really arise[s] out of [the defendant's] performance on the contract.” Broussard, 155 F.3d at 346-47 (dismissing gross negligence claim); Jerman v. AT&T Corp., 2022 WL 2835428, at *2-3 (W.D. N.C. July 20, 2022), aff'd, 2023 WL 2136375 (4th Cir. Feb. 21, 2023) (dismissing gross negligence claim that “ar[o]se[] out of the same harm underlying the breach of contract action”). Apex's gross negligence claim, like its negligence claim, arises from the same breach of duty and alleged injury as Apex's breach of contract claims. Compare Doc. No. 25 at ¶¶ 92-98 (pleading breach of contract based on allegation that Defendants “breached [their] duty to detect and report security events,” which caused “$25 million in losses”) with Doc. No. 25 at ¶¶ 115, 121 (pleading gross negligence based on allegation that Cyderes “breached [its] duty” “to monitor and safeguard Apex's information-technology systems,” which caused “$25 million in losses”). Apex's gross negligence claim will therefore also be dismissed.
E. Limitation of Liability
Finally, in addition to moving to dismiss Apex's tort and statutory claims discussed above, Defendants ask the Court to, as a matter of law, limit the damages that Apex can recover to the amount paid to Defendants under the “limitation of liability” provision in the SOW. The Court will decline this request because the Court agrees with Apex that it would be premature to rule on this issue at this early stage of the proceedings. While it appears from the Amended Complaint that the SOW is the product of negotiations between sophisticated companies and the Defendants are correct that the unambiguous language of a commercial contract must be enforced as written, Galloway as Tr. of Melissa Galloway Snell Living Tr. Dated May 1, 2018 v. Snell, 384 N.C. 285, 288, 885 S.E.2d 834, 836 (2023), it remains uncertain (as discussed above) whether the SOW was fraudulently induced. If, as alleged, the SOW was wrongfully obtained then it would plainly be inappropriate to limit Apex's recovery based on a provision in that document. See Kessing v. Nat'l Mortg. Corp., 278 N.C. 523, 536, 180 S.E.2d 823, 831 (1971) (“The courts of this State will not lend their aid to the enforcement of a contract which is unlawful ...). Thus, any ruling on the application of the SOW “limitation of liability” provision must await a full development of the record and a decision on the validity of the SOW as against Apex.
IV. ORDER
NOW THEREFORE IT IS ORDERED THAT:
1. Defendants' Motion to Dismiss (Doc. No. 27) is GRANTED in part and DENIED in part as described above; and
2. This case shall proceed towards a decision on the merits on the remaining claims in the absence of a voluntary resolution of the dispute among the parties.
SO ORDERED ADJUDGED AND DECREED.