Summary
denying summary judgment to exclude company-specific risk premium when calculating reduction in value due to alleged company data breach
Summary of this case from Transwestern Pipeline Co. v. Ariz. Dep't of RevenueOpinion
No. 16 C 10495
2018-08-31
James Michael Heiser, Eric S. Silvestri, Joseph Patrick Lombardo, Chapman & Cutler, Chicago, IL, for Plaintiff. Brian Patrick Fredericks, Pro Hac Vice, John Vincent Golaszewski, Pro Hac Vice, Schiller Law Group, P.C., New York, NY, Jeannie Gallucci, Tanzillo Gallucci, LLC, Chicago, IL, for Defendant.
James Michael Heiser, Eric S. Silvestri, Joseph Patrick Lombardo, Chapman & Cutler, Chicago, IL, for Plaintiff.
Brian Patrick Fredericks, Pro Hac Vice, John Vincent Golaszewski, Pro Hac Vice, Schiller Law Group, P.C., New York, NY, Jeannie Gallucci, Tanzillo Gallucci, LLC, Chicago, IL, for Defendant.
MEMORANDUM OPINION AND ORDER
Honorable Edmond E. Chang, United States District Judge
Blue Book Services gathers information about the produce industry and sells that information to subscribers. In July 2016, Blue Book discovered, much to its surprise, that its entire proprietary database of members-only credit rating information had been downloaded and publicly posted to an unaffiliated website. R. 58, PSOF ¶¶ 1, 5, 52, 21-23. After tracing the log-in credentials of the download back to one of its subscribers, Amerihua Produce, Blue Book brought this suit, alleging that Amerihua breached the terms of its membership contract with Blue Book. R. 53, DSOF Exh. A, Compl. After discovery closed, both parties moved for summary judgment. R. 51, Def. Mot. Summ. J.; R. 57, Pl. Resp. and Mot. Summ. J. For the following reasons, both motions are narrowly granted in part but otherwise denied.
Citations to the record are noted as "R." followed by the docket number and the page or paragraph number. Citations to the parties' Local Rule 56.1 Statements of Fact are "DSOF" for Amerihua's Statement of Facts [R. 53]; "PSOF" for Blue Book's Statement of Additional Facts [R. 58]; "Pl. Resp. DSOF" for Blue Book's Response to the Amerihua's Statement of Facts [R. 64]; "Def. Resp. PSOF" for Amerihua's Response to Blue Book's Statement of Additional Facts [R. 70]. If both parties agree on a particular fact, then only the asserting party's Statement is cited.
This Court has subject matter jurisdiction over the case under 28 U.S.C. § 1332. The parties are citizens of different states and the amount in controversy exceeds $75,000. See PSOF ¶¶ 5-6.
I. Background
In deciding each party's respective motions for summary judgment, the Court views the evidence and draws all reasonable inferences in the light most favorable to the non-moving party against whom the motion under consideration is made. Gazarkiewicz v. Town of Kingsford Heights , 359 F.3d 933, 939 (7th Cir. 2004) ; see Matsushita Elec. Indus. Co. v. Zenith Radio Corp. , 475 U.S. 574, 587, 106 S.Ct. 1348, 89 L.Ed.2d 538 (1986). Blue Book Services provides credit and marketing information to members of the produce industry by gathering and updating financial and marketing data. PSOF ¶ 1. Subscribers to Blue Book's database can access the full catalogue of information by logging in online and paying an annual fee. See id. ¶¶ 13, 16, 23, 49.
One such subscriber was Amerihua Produce, Inc., a New York importer specializing in garlic and ginger distribution. PSOF ¶¶ 3, 6. In June 2008, Amerihua's CEO, Baozhu Wu, id. ¶ 4, signed a contract with Blue Book and paid an annual membership fee so that he (and Amerihua) could access the Blue Book database. Id. ¶¶ 8-10. The Membership Agreement is the "legal agreement" governing the terms of the membership and Amerihua's "authorized use" of the "software products and any associated media." DSOF Exh. C, Membership Agreement. It specifies that Amerihua is "subject to all the terms set forth in this agreement AND any other agreement (e.g. Terms of Use) that accompanies the Products and Services." Id. Not surprisingly, one provision in the Agreement bans sharing Blue Book's information:
Amerihua's Rule 56.1 Statement of Facts contains 150 paragraphs, which is much more than the 80 allowed by Local Rule 56.1. Unless the Court is missing something or forgotten something said at a status hearing, Amerihua never sought leave to do so. In any event, the Court has considered the additional paragraphs because some expansion would probably have been permitted.
[Members] acknowledge and agree that the Database and all ratings, reports, and information obtained by or through these Products and Services, or by and through Blue Book Membership, are provided for your internal use only, and you may not loan or show or in any way share or distribute such ratings, reports, information, or data to third-parties.
Membership Agreement. The Terms of Use accompanying the Membership Agreement in effect at the time of the breach were updated in 2014, and Blue Book's records show that whoever was using Wu's User ID on June 18, 2014, agreed to those updated Terms. PSOF ¶ 12. But Wu contends he never saw nor agreed to the updated Terms, Def. Resp. PSOF ¶ 12.
An identical provision is included in the first section of the 2014 Terms of Use. DSOF Exh. A, Compl. Att. A, Terms of Use.
After becoming a member, Wu gave out his unique User ID to his three employees, who accessed the database as well. PSOF ¶¶ 15-17. Amerihua continued using the Blue Book database nearly every day, id. ¶ 15, and presumably remained a Blue Book member for the ensuing years before the breach's discovery, see PSOF ¶ 26. On July 28, 2016, Blue Book discovered its proprietary data had been publicly posted to two websites, FreshTerminal.com and Co-produce.com. id. ¶ 52. After contacting Fresh Terminal's proprietor, Mario Zhuo, and sending a cease-and-desist letter, the offending websites were taken down around October 2016. Id. ¶¶ 52-55.
Throughout its briefing, Blue Book has labeled FreshTerminal.com the "Data Breach Website." See Pl. Resp. and Mot. Summ. J. at 1. That is an unnecessarily argumentative label.
To determine the source of the data breach, Blue Book audited its internal systems using a tool that tracks every page visited by licensed Blue Book users. PSOF ¶ 20. The tool tracks the data viewed, the date and time it was retrieved, and the internet connection that accessed it. Id. Blue Book learned that Amerihua's unique user ID, assigned to Wu, accessed 63,054 pages of Blue Book's database on November 26, 2014. Id. ¶ 21. The access rate was nearly 200 pages per minute—a speed impossible for a human user to read. Id. ¶ 22. And during its review, Blue Book discovered that the data posted publicly on the Fresh Terminal and Co-produce websites was identical to the entire database of information downloaded using Amerihua's credentials on that date in November. Id. ¶¶ 23, 25. After this revelation, in around August 2016, Blue Book accused Amerihua of being behind the breach. Id. ¶ 26. Amerihua denied all knowledge and said that it did not download the database at all. Def. Resp. PSOF ¶ 27.
Before the full-database download in November 2014, Zhuo, Fresh Terminal's proprietor, reached out to Wu about a proposal to launch the website. PSOF ¶ 30. Wu discussed forming a business relationship with Zhuo centered around the general business concept of Fresh Terminal. Def. Resp. PSOF ¶ 31. Specifically, Zhuo proposed that Amerihua would invest $800,000 in exchange for a 20% share in the business; Zhuo and Wu did not end up agreeing, however, on any investment terms. PSOF ¶ 41-42. Between September 2014 and the summer of 2015, Wu had around 10-12 communications with Fresh Terminal, and Zhuo visited Amerihua's offices four to five times. Def. Resp. PSOF ¶¶ 36-37. Later, in its marketing materials, Fresh Terminal would compare itself to Blue Book, PSOF ¶ 32, and its business plan identified Wu as an "Advisor" and "Co-founder." Id. ¶ 33. A testimonial attributed to Wu (along with his photo) also appeared on the Fresh Terminal website that discussed the ease and cost-effectiveness of using Fresh Terminal. PSOF ¶ 38-39. Amerihua, for its part, contends that it never authorized Fresh Terminal to use Wu's password or access Blue Book with its credentials, but does not know if its password was stolen. DSOF ¶ 43; Pl. Resp. DSOF ¶ 43.
The parties now cross-move for summary judgment on the breach of contract claim (the sole claim in the case). Blue Book contends that the available evidence proves that Amerihua perpetrated the breach and shared Blue Book's database without authorization, while Amerihua argues that it did not perform or facilitate the data distribution. See Def. Mot. Summ. J.; Pl. Resp. and Mot. Summ. J. But a reasonable jury could see it either way, so neither side wins summary judgment.
II. Standard of Review
Summary judgment must be granted "if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed. R. Civ. P. 56(a). A genuine issue of material fact exists if "the evidence is such that a reasonable jury could return a verdict for the nonmoving party." Anderson v. Liberty Lobby, Inc. , 477 U.S. 242, 248, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). In evaluating summary judgment motions, courts must view the facts and draw reasonable inferences in the light most favorable to the non-moving party. Scott v. Harris , 550 U.S. 372, 378, 127 S.Ct. 1769, 167 L.Ed.2d 686 (2007). The Court may not weigh conflicting evidence or make credibility determinations, Omnicare, Inc. v. UnitedHealth Grp., Inc. , 629 F.3d 697, 704 (7th Cir. 2011), and must consider only evidence that can "be presented in a form that would be admissible in evidence." Fed. R. Civ. P. 56(c)(2). The party seeking summary judgment has the initial burden of showing that there is no genuine dispute and that they are entitled to judgment as a matter of law. Carmichael v. Village of Palatine , 605 F.3d 451, 460 (7th Cir. 2010) ; see also Celotex Corp. v. Catrett , 477 U.S. 317, 323, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986) ; Wheeler v. Lawson , 539 F.3d 629, 634 (7th Cir. 2008). If this burden is met, the adverse party must then "set forth specific facts showing that there is a genuine issue for trial." Anderson , 477 U.S. at 256, 106 S.Ct. 2505.
III. Analysis
Both parties move for summary judgment on myriad grounds. Amerihua asserts that: (1) no reasonable jury could find that it breached its contract with Blue Book; (2) even if Amerihua breached the contract, Blue Book suffered no damages; and (3) anyway, the contract was invalid and parts of it were unconscionable. R. 56, Def. Br. at 4-5. Amerihua also seeks to bar Blue Book's damages expert. Id. at 12-13. In parrying Amerihua's summary judgment motion, Blue Book also moves for summary judgment, contending that a jury must find that Amerihua breached the contract, and that Blue Book is entitled to attorney's fees. Pl. Resp. and Mot. Summ. J. at 8, 12.
1. Enforceability and Unconscionability
To succeed on a breach of contract claim, a plaintiff must show (1) the existence of a valid and enforceable contract; (2) substantial performance by the plaintiff; (3) a breach by the defendant; and (4) resulting damages. Lindy Lu LLC v. Ill. Cent. R. Co., 368 Ill.Dec. 701, 984 N.E.2d 1171, 1175 (2013). Amerihua argues that Blue Book's breach claim must fail on its face, because the agreement was not a valid and enforceable contract. Def. Br. at 4. A contract will not be enforceable if its formation or terms are unconscionable. See Hanover Ins. Co. v. N. Bldg. Co., 751 F.3d 788, 791, 793-794 (7th Cir. 2014). The question of unconscionability is a legal one, decided by the Court. Id. at 791. Amerihua asserts both procedural and substantive unconscionability to challenge the contract with Blue Book. Def. Br. at 4. Under Illinois law, procedural unconscionability occurs when "impropriety" in the process of "forming the contract deprived a party of a meaningful choice." Kinkel v. Cingular Wireless, LLC , 223 Ill.2d 1, 306 Ill.Dec. 157, 857 N.E.2d 250, 264-65 (2006) (quoting Frank's Maint. & Eng'g, Inc. v. C.A. Roberts Co., 86 Ill.App.3d 980, 42 Ill.Dec. 25, 408 N.E.2d 403, 410 (1980) ). Substantive unconscionability refers to contract terms that are "inordinately one-sided in one party's favor." Kinkel, 306 Ill.Dec. 157, 857 N.E.2d at 267 (quoting Razor v. Hyundai Motor Am., 222 Ill.2d 75, 305 Ill.Dec. 15, 854 N.E.2d 607, 622 (2006) ).
Amerihua faces a threshold hurdle in relying on unconscionability. Unconscionability is an affirmative defense. Mandel v. Hernandez , 404 Ill.App.3d 701, 344 Ill.Dec. 322, 936 N.E.2d 1079, 1081 (2010) ; Bank and Trust Co. of Arlington Heights v. Arnold N. May Builders, Inc., 90 Ill.App.3d 454, 45 Ill.Dec. 850, 413 N.E.2d 183, 184 (1980). The Federal Rules require a party to "affirmatively state" any "affirmative defense" in its responsive pleading. Fed. R. Civ. P. 8(c). Failing to comply with the rule may forfeit the defense, so that a defendant could be precluded from later relying on it at summary judgment or trial. Dresser Indus., Inc. v. Pyrrhus AG, 936 F.2d 921, 928 (7th Cir. 1991). Amerihua sets forth eleven affirmative defenses in its answer—none of which are unconscionability. DSOF Exh. B, Answer. "But when parties argue an affirmative defense in the district court, technical failure to plead the defense is not fatal." Dresser, 936 F.2d at 928 (quoting DeValk Lincoln Mercury, Inc. v. Ford Motor Co. , 811 F.2d 326, 334 (7th Cir. 1987) ). Blue Book does not argue that it was unfairly surprised, and it had ample opportunity in the briefings to respond (and no additional discovery was needed on the affirmative defense), so the error does not forfeit the defense. See id.
But even with that save, Amerihua still does not produce evidence supporting its unconscionability arguments. Its main unconscionability argument targets an indemnification clause in the 2014 Terms of Use, which provides that Amerihua shall:
Throughout its brief, Amerihua whispers at unenforceability due to the allegedly one-sided nature of the contract. Def. Br. at 4; DSOF ¶ 4 ("The Blue Book Agreement was not negotiated, and it was Wu's understanding it was a non-negotiable, take-it-or-leave-it agreement."). This form of procedural unconscionability takes into account "the disparity of bargaining power between the drafter of the contract and the party claiming unconscionability." Kinkel , 306 Ill.Dec. 157, 857 N.E.2d at 264. Amerihua hints that it should not be subject to the Terms of Use appended to Blue Book's contract, because the form agreement was "neither negotiated nor negotiable," and mandated Amerihua's conformance with the other agreements accompanying the main one. Def. Br. at 4. When analyzing procedural unconscionability, the Court considers a variety of factors in the contract's surrounding circumstances, including the standing of the parties, the way the parties entered in the contract, whether each party had a reasonable opportunity to understand its terms, and the conspicuousness of the provision at issue. Id. , 306 Ill.Dec. 157, 857 N.E.2d at 264-65 (quoting Frank's Maint. , 42 Ill.Dec. 25, 408 N.E.2d at 410 ). But Amerihua does not develop this argument at all. And in its response, Blue Book disputes that Wu ever attempted any negotiations or expressed any concerns about the contract. Pl. Resp. DSOF ¶ 4. But that is neither here nor there. Amerihua and Bluebook were both sophisticated actors, and it is not per se unconscionable to have a form, take-it-or-leave-it style contract. Amerihua did not contend the appended Terms of Use were ineffective, but rather that Wu did not see them. PSOF Exh. H, Wu Dep. 182:20-183:5; see DSOF ¶ 18. It is not procedurally unconscionable—if Amerihua did not want to accept the terms, it did not need to become a Blue Book member.
Amerihua also argues that the 2014 Terms of Use do not apply and should not govern in this case, because it signed its Membership Agreement in 2008 and Wu testified that he never saw the updated 2014 Terms of Use. DSOF ¶ 18. But Amerihua does not fill out this argument with any further detail or evidence other than the naked assertion that Amerihua's owner did not see the applicable terms. And there is ample evidence that Amerihua accepted the Terms of Use, even if Wu says he never personally saw them. See R. 60, Erickson Dec. Exh. 3, Terms of Use Acceptance Confirmation. Amerihua does not dispute that it accepted the updated Terms of Use when using Blue Book's database in June 2014. See id. ; Erickson Dec. ¶ 8. Amerihua does not argue that the contract does not encompass these updates, nor does it even produce the Terms of Use in effect in 2008. By failing to flesh out this argument, Amerihua has waived it, and the 2014 Terms of Use will be considered part of the contract.
[I]ndemnify and hold [Blue Book] ... harmless from and against any and all claims, costs, damages, losses, liabilities, and expenses (including without limit attorneys' fees and costs) arising out of or in connection with your use of the Products and Services or your breach of this Agreement.
DSOF Exh. 1, Compl. Att. A, Terms of Use. According to Amerihua, the provision is unenforceable, because its plain language requires that Amerihua indemnify Blue Book for attorneys' fees for any litigation—even malicious or unsuccessful suits. Def. Br. at 6. And because Illinois law prescribes that courts "strictly construe" contractual attorneys' fee provisions, Chapman v. Engel , 372 Ill.App.3d 84, 310 Ill.Dec. 6, 865 N.E.2d 330, 333 (2007), Amerihua contends that the contractual provisions must be interpreted to award fees regardless of outcome and is thus unconscionable. Def. Br. at 5. In support, Amerihua cites Bank of America N.A. v. Oberman, Tivoli & Pickert, Inc., for the proposition that this allegedly one-sided provision goes against Illinois public policy. 12 F.Supp.3d 1092 (N.D. Ill. 2014) ; Def. Br. at 5-6. But Oberman does not come close to supporting Amerihua's argument. In that case, the defendant-company tried to argue that a similar fee-shifting provision was unreasonable, citing to an unpublished Illinois Appellate Court decision, Atlantis Products, Inc. v. Meridian Fence & Security, L.P. , 2012 WL 6968326, at *9 (Ill. App. Ct. Mar. 22, 2012). In Atlantis, the plaintiff sought to enforce the attorney's-fees provision even though the plaintiff itself had breached a material term in the contract. Atlantis, 2012 WL 6968326 at *9. Not surprisingly, the Illinois Appellate Court held that allowing a breaching party to collect attorneys' fees would be unfair. Id. But Atlantis did not mention unconscionability, let alone rely on that doctrine to invalidate the contract. Rather, the opinion simply invoked the proposition that a breaching party cannot itself enforce the contract. Id. And, as pointed out by Oberman, the Illinois Appellate Court "distinguished its holding from cases in which the nonbreaching parties were allowed to collect attorneys' fees." 12 F.Supp.3d at 1100.
Under Illinois Supreme Court Rule 23, an unpublished case may not be cited as precedent by any party except in limited circumstances that do not apply here. So Atlantis is not being cited here for precedential effect, but instead to explain the flaw in Amerihua's argument.
Just like Amerihua does here, the defendants in Oberman argued that a lack of limiting language "indicating that an attorneys' fees provision" must only apply to a " ‘prevailing party’ " rendered the provision unenforceable. Id. at 1101. But Oberman was "untroubled" by the "absence of language explicitly limiting" recovery to fees when a party prevailed, holding that "[a]lthough it would be unreasonable for the Court to award attorneys' fees to a non-prevailing party, the failure of a fee-shifting provision to explicitly limit the award of attorneys' fees to a prevailing party does not render the provision unreasonable and unenforceable." Id. (cleaned up). The Court agrees: it is a simple matter of contract interpretation (and common sense) that a non-prevailing party would not be entitled to fees, and the absence of "prevailing party" language is not a telltale sign of unconscionability. Amerihua's argument borders on frivolity.
2. Breach of Contract
Getting into the heart of the matter, both parties counter-move for summary judgment on the breach of contract claim. Blue Book asks for summary judgment on several alleged breaches (and if it wins, then also on attorneys' fees), whereas Amerihua denies liability on any breach and asks for summary judgment as well. As described above, but worth repeating, Blue Book must present evidence of an enforceable contract, substantial performance on its part, breach by Amerihua, and damages. Lindy Lu, 368 Ill.Dec. 701, 984 N.E.2d at 1175. On the first two elements, the contract is a valid and enforceable one (see supra Section III.1.), and there is no viable argument on the table that Blue Book did not perform its part in providing the contracted services and keeping its information secure. That leaves breach and damages. On the element of breach, Blue Book argues that Amerihua breached the contract by (1) failing to keep Blue Book's data confidential and (2) exceeding the number of authorized licenses by internally disclosing its password. See Pl. Resp. and Mot. Summ. J. at 8, 11. The Court addresses each in turn.
Amerihua takes glancing shots at whether Blue Book's information was truly deserving of confidentiality, and whether Blue Book took enough steps to keep its information secure. See Def. Br. at 11. But Amerihua does not colorably claim that the data breach occurred on Blue Book's end—say, for example, as a result of some hacking of Blue Book's systems, or that Blue Book's information was so insignificant as to not deserve the protection garnered by its own contract. See id. ; see also Pl. Resp. and Mot. Summ. J. at 19-20. Indeed, whether the information was truly proprietary or not is neither here nor there. See Def. Resp. PSOF ¶ 49. Amerihua signed a contract agreeing not to "share or distribute" specified information, without a condition that there be an independent finding as to its proprietary nature. DSOF ¶ 8. In support, Amerihua only cites to one case regarding the breach of an explicit confidentiality agreement—in a restrictive-covenant case—which does not apply here. Def. Br. at 11 (citing Tax Track Sys. Corp. v. New Investor World, Inc., 478 F.3d 783, 787 (7th Cir. 2007) ). And Amerihua does not present evidence that Blue Book's system was compromised—and in fact, never sought to discover any information on that point—so that argument is foreclosed. See Def. Resp. PSOF ¶ 48; R. 63, Heiser Dec. ¶ 8. In any event, Amerihua does not allege that it was unable to access Blue Book's database, or that it did not get a service that Blue Book promised. PSOF ¶¶ 13, 15; see generally DSOF. Thus, there is no material dispute that Blue Book fulfilled its end of the bargain.
A. "Share or Distribute"
Under the contract, Amerihua agreed that Blue Book's services were provided for its "internal use only" and that it would not "loan or show or in any way share or distribute" Blue Book's data to third parties. DSOF ¶ 8. The parties do not dispute that. Id. ; Pl. Resp. DSOF ¶ 8. But the parties vehemently disagree on what this obligation entails. See Pl. Resp. DSOF ¶ 9. Amerihua contends that the provision only bans intentional distribution of Blue Book's data, DSOF ¶ 9, while Blue Book argues that the agreement required Amerihua to use its "best efforts to prevent" unauthorized disclosure. Pl. Resp. DSOF ¶ 9. Both sides want summary judgment on this point—but neither has earned it.
It is true that summary judgment, for one side or the other, is sometimes appropriate when deciding questions of contract interpretation, because that type of interpretation involves a question of law. Gomez v. Bovis Lend Lease, Inc., 387 Ill.Dec. 119, 22 N.E.3d 1, 4 (Ill. App. Ct. 2013). In the run-of-the-mill case, the Court gives effect to the parties' intentions by applying the plain meaning of the contract's language in light of the contract as a whole. Id.
Blue Book sweepingly asserts that the ban against distributing Blue Book's information means that any distribution that is traced back to Amerihua's login credentials constitutes a breach, even if Amerihua did not do the distributing. Pl. Resp. at 8. That makes no sense. The pertinent Membership Agreement provision says that "you may not loan or show or in any way share or distribute such ratings, reports, information, or data to third-parties" (emphasis added). There is no strict liability provision in the Agreement. So if Amerihua did not actually do the distributing, then it matters not that its login credentials were used by someone else to do the distributing. That would not be a breach of the contract's ban on distribution. And Blue Book asked Wu point-blank whether he shared his credentials with anyone outside the company—or at the very least Fresh Terminal. Wu says no. DSOF ¶ 43 ("Amerihua never authorized such use by Fresh Terminal, as testified to by Wu, who made clear that he had neither given, nor authorized, the use of Amerihua's Blue Book password by any third party, including Fresh Terminal."); DSOF Exh. D, Wu Dep. 64:20-66:20; DSOF Exh. N, Phone Log. At the summary judgment stage, this denial of a fact that is clearly within Wu's personal knowledge must be credited. It is as simple as that. Scherer v. Rockwell Int'l Corp. , 975 F.2d 356, 360 (7th Cir. 1992) (quoting Fed. R. Civ. P. 56(e) ).
To support its motion, Blue Book points to another provision of the Terms of Use. Amerihua agreed to "use best efforts to prevent, any unauthorized use, copying, or disclosure" of Blue Book information. Terms of Use at 1; Def. Br. at 4; R. 68, Def. Reply and Resp. to Mot. Summ. J. at 7-8. But "best efforts" is not defined in the contract. Terms of Use; Membership Agreement; see Pl. Resp. DSOF ¶ 66. Neither side offers an interpretation. More importantly, Blue Book did not present any evidence that Amerihua failed to take best efforts, relying only on the fact that the information was downloaded using Amerihua's login credentials. R. 71, Pl. Reply at 16. Sure, a jury could rely on that as a piece of circumstantial evidence that Amerihua dropped the ball, but it is nowhere near enough evidence that a jury would be required to find that Amerihua failed to take best efforts.
On the flip side, it is passing strange that Amerihua thinks that the record evidence requires summary judgment in its favor. Blue Book has presented plenty of circumstantial evidence suggesting that Amerihua shared its password with Zhuo and Fresh Terminal: Blue Book's internal audit shows Amerihua's ID accessed the whole database on November 26, 2014, PSOF ¶ 21; the publicly available version on Fresh Terminal was identical to Blue Book's database as of that download, PSOF ¶ 23; and Amerihua's president, Wu, had myriad contacts and a potential business relationship brewing with the proprietor of Fresh Terminal, PSOF ¶¶ 29-39. A jury could very, very easily find that the circumstantial evidence proves that Wu provided either the login credentials or the downloaded information to Fresh Terminal.
B. Multiple User Licenses
Independent of the distribution of information, Blue Book accuses Amerihua of breaching another provision of the contract. Pl. Resp. at 12. Under the Terms of Use, Blue Book members may use the database with the "number of users limited to the number of user licenses designated" by the membership agreement. Terms of Use § 2(b). Those "passwords" and "access codes" are "not to be shared with any other person." Id. § 2(c). For Amerihua, Wu had the only user license when it was a Blue Book member. See Erickson Dec. Exh. 2; DSOF Exh. C, Membership Agreement; PSOF ¶ 19. But he concedes that he gave his password to at least three of his employees, allowing them to access the Blue Book database without unique user licenses—even though he knew he was not supposed to do that under the contract. PSOF ¶¶ 16-18; Def. Resp. PSOF ¶ 18 (disputing that limitation only applied to third-parties).
Despite Wu's concession, Amerihua argues that the Terms of Use actually authorizes all employees of a "single legal entity"—like Amerihua—to use one license issued to the entity. Def. Reply and Resp. to Mot. Summ. J. at 17. It is true that the Terms of Use can be an agreement with "a single legal entity," which is the phrase used in the first sentence of the Terms. But the pertinent—and more specific—license provision expressly restricts the number of users to the number of user licenses : "Blue Book Members may use the Web Site with the number of users limited to the number of user licenses...." Terms of Use § 2(b). So the contract clearly contemplated that even a single legal entity may require more user licenses if it wanted more than one user. Wu had only one user license. See Erickson Dec. Exh. 2; DSOF Exh. C, Membership Agreement; PSOF ¶ 19. He breached the restriction on the number of users.
Amerihua also contends that, even if there was a breach of the user-limit provision, there are no damages arising from this breach. But Wu already admitted that the other employees used the site on an almost-daily basis, so a jury could reasonably find that some damages arose from the breach. To be sure, the damages might be extremely limited (such as the cost of the additional user licenses), but it is not necessarily zero. This is a jury question (though the parties would be foolhardy to expend fees and effort in taking that issue all the way to trial).
Amerihua argues that this theory of liability was absent from the Complaint. Def. Reply and Resp. to Mot Summ. J. at 17. But several allegations in the Complaint address the need to keep passwords and access codes secure from "any other person" or business. DSOF Exh. A, Compl. ¶¶ 77, 92, 93. In a notice-pleading regime, the claim is sufficiently present in the Complaint. See Fed. R. Civ. P. 8(a). And if Amerihua wanted more specifics on Blue Book's breach theories, it could have issue a contention interrogatory. See Zenith Elecs. Corp. v. WH-TV Broadcasting Corp. , 395 F.3d 416, 420 (7th Cir. 2005) (affirming denial of evidence on a subject after party failed to respond to contention interrogatory with description of theory). Plus, Blue Book quizzed Wu about the user restriction, so Amerihua was on sufficient notice of the theory.
C. "Use" of Blue Book Database
In yet another form of its sweeping strict-liability argument, Blue Book argues Amerihua must indemnify Blue Book for all of the damages caused by the data distribution. The indemnification provision in the Terms of Use says that Amerihua shall cover all of Blue Book's damages "arising out of or in connection with [Amerihua's] use of the Products and Services...." Terms of Use § 5. Blue Book contends that because Amerihua's credentials were used to download the same version of the database that later appeared on FreshTerminal.com, the damages arose out of Amerihua's "use" of the system. This argument runs into the same evidentiary problem as discussed earlier: Blue Book asserts that Wu had a direct hand in turning over the database information to FreshTerminal.com. Wu denies it. So the indemnification provision is not a sure winner for Blue Book. Just because Amerihua's credentials may have been used for the download does not mean that Amerihua is responsible for the ensuing damages. The indemnification provision is triggered by damages arising out of "your" use of Blue Book's products and services, Terms of Use § 5, so this provision too is not strict liability based on the use of Amerihua's credentials by someone else. The strict-liability theory of indemnification is rejected.
D. Attorneys' Fees
The other indemnification argument that Blue Book advances is that Amerihua, having breached the restriction on the number of users, must now pay all of the attorney's fees incurred by Blue Book in this case. Pl. Resp. and Mot. Summ. J. at 13. To be sure, there is generally nothing wrong with contractual fee-shifting provisions. See Montgomery Ward & Co., Inc. v. Wetzel, 98 Ill.App.3d 243, 53 Ill.Dec. 366, 423 N.E.2d 1170, 1178 (1981). Here, the Terms of Use's indemnification provision says that Amerihua will indemnify Blue Book "against any and all claims, costs, damages, losses, liabilities, and expenses (including without limit attorneys' fees and costs) ...." Terms of Use § 5.
But the indemnification provision requires fee-shifting only for those fees "arising out of ... your breach of this Agreement." Terms of Use at 3. So Blue Book is only entitled to those fees arising out of the breach in question. So far, that is just the breach of the limit on the number of users, which is a sliver of this case and would not justify anywhere near all of the fees incurred. Indeed, prevailing parties are only entitled to "reasonable attorney fees." Erlenbush v. Largent, 353 Ill.App.3d 949, 289 Ill.Dec. 386, 819 N.E.2d 1186, 1190 (2004). That means only those fees reasonably incurred on the successful claim will be awarded under the indemnification provision. See Harter v. Iowa Grain Co., 220 F.3d 544, 559-560 (7th Cir. 2000) (applying Illinois law) ("With respect, we believe that Illinois authorities require a more direct link between the losing party's acts and the winning party's attorney's fees than a ‘but for’ relation. At some point, [plaintiff's] opponents must take responsibility for their own trial strategy."). And the damages arising out of the users limitation (as discussed earlier) have yet to be determined; the final dollar amount will inform what fees were reasonably expended in pursuing that particular theory of breach. So, at an appropriate time, the Court will order the parties to undergo the Local Rule 54.3 process, which almost surely will result in deciding the fees on the briefs rather than sending it to a jury. For now, then, Blue Book's motion for summary judgment in a sum-certain for its attorneys' fees is denied.
3. Affirmative Defenses
In its answer, Amerihua pled a series of affirmative defenses. See DSOF Exh. B, Answer at 12-13. Of course, the defendant bears the burden of proof on each of its affirmative defenses. Employers Ins. Of Wausau v. Titan Int'l., Inc., 400 F.3d 486, 490 (7th Cir. 2005). Here, Blue Book challenges the basis and lack of evidence for each of Amerihua's pleaded affirmative defenses. Pl. Resp. and Mot. Summ. J. at 13-17. Amerihua made no effort to respond. Amerihua has therefore waived its affirmative defenses.
The purported affirmative defenses comprised: (1) failure to state a claim, (2) statute of limitations, (3) waiver and/or laches, (4) no legally cognizable damages, (5) failure to mitigate damages, (6) defendant acted with due care and in good faith, (7) foreseeability or proximate cause, (8) defendant breached no "legal duty," (9) attorneys' fees for bad faith litigation, (10) plaintiff's damages were due to its own conduct, and (11) reservation of rights to assert other defenses. See DSOF Exh. B, Answer at 12-13. Many of those defenses are not really "affirmative" defenses.
Even if Amerihua had not waived those defenses, Blue Book's motion would still be granted. Amerihua's Rule 30(b)(6) witness conceded that there were no facts to support any of the asserted defenses. PSOF ¶ 51; see PSOF Exh. H, Wu Dep. 168:11-170:14. So Blue Book's motion for summary judgment is granted against each of Amerihua's asserted affirmative defenses.
4. Expert Evidence on Damages
In its own motion for summary judgment, Amerihua argues that it must be granted summary judgment for the breach of contract claims because Blue Book has not suffered any damages. Def. Br. at 12. Amerihua contends that the evidence offered by Blue Book's expert, C. Kenneth White, runs afoul of Daubert and must be excluded under Federal Rule of Evidence 702. See Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579, 589, 113 S.Ct. 2786, 125 L.Ed.2d 469 (1993). With that testimony removed, Amerihua figures, Blue Book has failed to prove damages.
But Amerihua is wrong on at least one front. Even without White's damages calculation, Blue Book has presented evidence of damages, so Amerihua is not entitled to summary judgment on that basis. It is true that to defeat summary judgment, a plaintiff must "show damages" that it has suffered. Transp. & Transit Assocs., Inc. v. Morrison Knudsen Corp., 255 F.3d 397, 401 (7th Cir. 2001) (affirming summary judgment when plaintiff could not show one instance of damages). In a perfect world, an exact amount would be preferable, but the "demonstration need not be precise"—the plaintiff just "must have a sensible basis for its claim." Id. (citing Oakleaf of Ill. v. Oakleaf & Assocs., Inc., 173 Ill.App.3d 637, 123 Ill.Dec. 288, 527 N.E.2d 926, 933 (1988) ). Setting aside the valuation of Blue Book's brand and the company itself (the features that White's report analyzes), Blue Book has shown that it suffered damages in working to get its membership-only information taken down from FreshTerminal.com and Coproduce.com. See, e.g. , PSOF ¶¶ 49, 52, 53, 54; Heiser Dec. ¶ 12. Blue Book had to undertake an investigation and then send cease-and-desist letters. See id. Blue Book did suffer at least those damages, so summary judgment must be denied.
Amerihua still moves to exclude White's expert testimony as a basis for damages, and it is sensible to decide that motion to provide the parties with more information for settlement negotiations. Federal Rule of Evidence 702 appoints district courts as gatekeepers of expert testimony based on scientific, technical, and other specialized knowledge. Kumho Tire Co., Ltd. v. Carmichael , 526 U.S. 137, 147, 119 S.Ct. 1167, 143 L.Ed.2d 238 (1999) ; Daubert , 509 U.S. at 579, 113 S.Ct. 2786. Rule 702 permits a witness to offer opinion testimony if the witness is qualified based on "knowledge, skill, experience, training, or education" in the pertinent field. Mihailovich v. Laatsch , 359 F.3d 892, 918 (7th Cir. 2004). Even if the witness qualifies as an expert, the district court still must ensure that the evidence "is sufficiently reliable to qualify for admission." Id. Under Rule 702, the three requirements for reliability are: "(1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case." Id. (quoting Fed. R. Evid. 702 ). To make this evaluation, the district court must "scrutinize proposed expert witness testimony to determine if it has ‘the same level of intellectual rigor that characterizes the practice of an expert in the relevant field.’ " Lapsley v. Xtek, Inc. , 689 F.3d 802, 805 (7th Cir. 2012) (quoting Kumho Tire , 526 U.S. at 152, 119 S.Ct. 1167 ). Whether to allow expert testimony rests within the discretion of the district court. Id. at 810.
In order to win a damages award for the distribution's impact on the company (as distinct from investigation costs), Blue Book will need to prove the damages to a reasonable certainty. Oakleaf, 123 Ill.Dec. 288, 527 N.E.2d at 295. It purports to do this through the expert report of White. Amerihua first challenges that White is not qualified to testify as an expert in this case, arguing that he does not meet any of the purported "Gold Standards" for expert testimony set forth by their own rebuttal expert, Stan Smith. Def. Br. at 14. The argument goes that because White does not have a doctorate degree, has never taught a college course, and has not authored a university textbook, he is not a witness "qualified as an expert by knowledge, skill, experience, training, or education." Def. Br. at 14; Fed. R. Civ. P. 702. But the list of factors picked by Amerihua are not conclusive and are most definitely not required by Daubert and Kumho Tire. And as the Seventh Circuit has explained, "[t]he notion that [ Daubert ] requires particular credentials for an expert witness is radically unsound." Tuf Racing Prod., Inc. v. Am. Suzuki Motor Corp. , 223 F.3d 585, 591 (7th Cir. 2000). Experts can take many forms, and Amerihua's definition would essentially foreclose a wide swath of experts qualified by "skill, experience, [and] training." Fed. R. Civ. P. 702. White has been an independent financial consultant since 2003, and before that, he held senior positions at Ernst & Young as a certified public accountant. R. 54, DSOF Sealed Exhibits Exh. V, White Report (sealed) at 36. More importantly, he has over 40 years of professional experience with specialization in valuation and damage analyses. Id. He has a bachelor's degree in accounting and a master's degree in business administration, on top of passing the CPA examination. Id. He has similarly served as an expert in myriad cases. Id. Just because White has focused his career on applying his skills to concrete cases rather than teaching courses or publishing articles does not disqualify him from expert analysis—nor does Rule 702 suggest as much. See Kumho Tire, 526 U.S. at 148-49, 119 S.Ct. 1167 ; Tuf Racing, 223 F.3d at 591.
Blue Book takes issue with Amerihua not including sworn statements from its expert in its summary judgment materials. But that is unnecessary—Smith's expert report (as is White's) is obviously reducible to testimony at trial. Fed. R. Civ. P. 56(c)(2).
Getting to the heart of the report, Amerihua primarily takes issue with the reliability of White's methods. Def. Br. at 15. White used an "income approach" to calculate the damage allegedly done to Blue Book's value based on the unauthorized download and disclosure of its confidential database. White Report (sealed) at 3. He then used a "market observations approach" to determine the value effect on similar data breaches suffered by other companies to corroborate his valuation impact. Id. The income approach entails determining the present value of a business by discounting its future cash flows based on the costs of capital and underlying future risks entailed in continuing the company. Id. at 18. Amerihua specifically targets White's use of a "company-specific risk premium," Def. Br. at 16, which White used to determine Blue Book's Weighted Average Cost of Capital (the discount rate) calculation both before and after the unauthorized download of data. White Report (sealed) at 21. So the company-specific risk premium (call it CSRP for short) purports to account for the difference in the pre- and post-unauthorized download discount rate calculations measuring Blue Book's worth. Id. at 23. Put another way, it is meant to account for the incremental risks associated with Blue Book after the supposed breach. Id.
Also known as a "discounted cash flow method." White Report (sealed) at 18.
Amerihua contends that White's method is not reliable because the CSRP calculation relies on, in Amerihua's view, some subjective factors. Def. Br. at 16-17. White relied on six factors: operating history, barriers to entry, legal risk from a breach, product risk, brand name recognition, and cost of debt. White Report (sealed) at 23-24. Based on those factors, he concluded that the CSRP increase is between 1.25% and 2.5%. Id. From there, White gets to a damages valuation by using the discount rate number to discount the cash flows for the income method, and the difference between the pre- and post-breach potential violations results in a damages range of $790,000 to $1,475,000. Id. at 25.
Amerihua contends that White picked six factors out of fourteen CSRP factors, Def. Br. at 16, yet the only possible support for that argument is DSOF ¶ 126. But that citation does not prove that, nor does Amerihua ever detail what the other factors are or how they should have been applied.
To be sure, on the surface, Amerihua's concern with the subjectivity of the approach is well-taken. White does not specifically detail how the factors end up in the percentage range of 1.25-2.5%. There is no mathematical formula that another expert could plug data into to test the result (or generate a different one based on different data). But that is precisely the point: there is no simple (or even complex) equation that applies to all scenarios for valuing a company. At some point, expertise has to be applied, and that expertise is based on training and experience rather than invocation of a formula. And other courts have approved of this valuation method and allowed experts to rely on company-specific risk premiums in their calculations. See, e.g. , La Playita Cicero, Inc. v. Town of Cicero , 2017 WL 1151066, at *3 (N.D. Ill. Mar. 28, 2017) (citations omitted); see also Buchwald v. Renco Grp. , 539 B.R. 31, 44 (S.D.N.Y. 2015) ("[I]t is undisputed that the Capital Asset Pricing Model generally, and the use of company-specific risk premium in general, are part of accepted methodologies in corporate valuation."). The method is also highlighted in textbooks. See White Report (sealed) at 24. It must also be said that Amerihua's argument for excluding White on this basis are under-developed. It is also worth pointing out that Amerihua's own expert testified that CSRP "may have some validity." Heiser Dec. Exh. 7, Smith Dep. 115:16-116:24. In light of all this, although a jury could reject the valuation method's reliability, the method is reliable enough for the jury to consider it.
White does not say that he has or would use this same method if he were valuing a company outside of the context of litigation. That fact would bolster the reliability of his method.
Both Amerihua and Blue Book submitted declarations by their respective experts. In both expert's declarations, however, they appear to offer new opinions; Smith's declaration especially appears to be an untimely served rebuttal report. See Fed. R. Civ. P. 26(a)(2)(B)(i). If either expert had additional opinions to offer, then he should have supplemented his report before the close of discovery. Fed. R. Civ. P. 26(a)(2)(E). An expert cannot give opinions on issues not addressed in his or her report—when one does, the proper remedy is exclusion. Ciomber v. Cooperative Plus, Inc., 527 F.3d 635, 641 (7th Cir. 2008) ; Fed. R. Civ. P. 37(c)(1). The time for supplements has since passed. What's more, Smith actually issued a rebuttal report but did not opine on his criticisms of the CSRP or attack its credibility there. R. 71, Pl. Reply at 15; see DSOF ¶ 141 (referring to an Exh. X, Smith Report). Summary judgment is not the appropriate time for experts to offer new opinions. By presenting new opinions in summary judgment declarations, neither side has an effective opportunity to respond. Both declarations are excluded. See Haley v. Kolbe & Kolbe Millwork Co., 863 F.3d 600, 610 (7th Cir. 2017).
With regard to the data underlying the opinion, the data itself is sufficiently reliable. For his income approach, White used Blue Book's projections for the end of 2016 and the full year 2017—with those 2017 projections being prepared at roughly the same time that the breach was discovered, so it provides a basis for what Blue Book thought its value would be absent the data disclosure. White Report (sealed) at 4. This is significant, for example, because a 10-year projected valuation for 2017 from, say, 2007 would necessarily have less relevance than the one performed in 2016. White was able to compare this data against the valuations of other companies suffering data breaches. Id. at 5. In arriving at the valuation, he also analyzed financial projections prepared by Blue Book, interviewed its management to discuss the company's operation, analyzed publicly available data from Securities and Exchange Commission filings, and read deposition excerpts. Id. at 14. The data used in the analysis survives Rule 702.
Lastly, Amerihua criticizes White for arriving at a range of damages rather than a precise number. But Amerihua offers no precedent saying that damages ranges are per se unreasonable. See Def. Br. at 13; Pl. Resp. and Mot. Summ. J. at 23. As discussed earlier, there is no one grand mathematical equation that generates a precise damages number in these situations. Indeed, it might even be more suspicious if an expert purported to be able to pin down an exact damages figure for a data breach. The motion to exclude White's report is denied.
IV. Conclusion
In sum, Blue Book wins summary judgment on only two grounds. First, liability for Amerihua's breach of the user-number restriction; the limited damages on that breach still must be decided at trial (if the parties push it that far). Second, the so-called affirmative defenses are dismissed. Amerihua wins summary judgment only against Blue Book's strict-liability theory. All other aspects of the summary judgment motions are denied, including the motion to bar White's expert report.
The parties shall start settlement negotiations within seven days of the issuance of this Opinion. Blue Book shall make a renewed settlement demand, followed by a response from Amerihua no later than seven business days later. If the parties want a settlement referral to the magistrate judge (or they want the Court to hold a settlement conference), then they may jointly contact the courtroom deputy. The status hearing of October 11, 2018 is accelerated to September 20, 2018 at 10:45 a.m.