Summary
finding after bench trial that buyer had been in best position to prevent fraudulent misdirection of payment to unauthorized third-party because buyer had opportunity to verify new wire instructions with seller by telephone and holding that buyer thus could not recover second payment made to seller after original payment was misdirected because buyer did not verify new wire instructions
Summary of this case from Prosper Fla. Inc. v. Spicy World of U.S. Inc.Opinion
Case No.: 2:18-cv-01999-APG-BNW
09-03-2020
Robert R. McCoy, Joni A. Jamison, Kaempfer Crowell, Las Vegas, NV, Sihomara L. Graves, Kaempfer Crowell, Reno, NV, for Plaintiff. Jill Paulin Northway, Sgro and Roger, Kevin Aaron Brown, Thomas Friedman, Brown, Bonn & Friedman, LLP, Las Vegas, NV, for Defendant.
Robert R. McCoy, Joni A. Jamison, Kaempfer Crowell, Las Vegas, NV, Sihomara L. Graves, Kaempfer Crowell, Reno, NV, for Plaintiff.
Jill Paulin Northway, Sgro and Roger, Kevin Aaron Brown, Thomas Friedman, Brown, Bonn & Friedman, LLP, Las Vegas, NV, for Defendant.
Findings of Fact, Conclusions of Law, and Order for Entry of Judgment in Favor of Defendant
ANDREW P. GORDON, UNITED STATES DISTRICT JUDGE
On August 4 and 5, 2020, I conducted a non-jury trial of the claims asserted in this case by plaintiff Jetcrete North America LP (Jetcrete) against defendant Austin Truck & Equipment, Ltd. d/b/a Freightliner of Austin (Austin). As required by Federal Rule of Civil Procedure 52(a)(1), I hereby enter my findings and conclusions.
FINDINGS OF FACT
In June 2018, Jetcrete needed to quickly acquire three ready-mix trucks for a mining project. On June 11, 2018, Jetcrete's Manager, Richard Miranda, called Austin to inquire about purchasing the trucks from Austin's inventory. Mr. Miranda was assigned to Austin sales representative James Walpole.
From June 11 through June 13, Messrs. Miranda and Walpole negotiated over the phone and by email and reached an agreement for Austin to sell Jetcrete three new trucks for a total of $518,124.18. Various employees of Jetcrete's parent company, Thyssen Mining Inc., were included in many of the emails because Thyssen performed some administrative functions for Jetcrete, including purchasing and making payments.
On June 13, Mr. Walpole emailed wiring instructions to Mr. Miranda requesting a $6,000 deposit be wired to the account of Freightliner of Austin at JP Morgan Chase Bank in Austin, Texas. The funds were wired that day by Thyssen's accounts payable department. The next day, Mr. Walpole emailed Mr. Miranda confirming receipt of the funds.
At an unknown time, someone hacked into Mr. Walpole's email account. Austin's email platform was hosted by an outside company called Intermedia.net Inc.
On Friday, June 15, Mr. Walpole and Thyssen's Purchasing Administrator Judy Schwartz exchanged purchase orders and invoices finalizing the terms of the deal. Ms. Schwartz and Mr. Miranda confirmed the terms at 12:45 and 1:46 p.m. at their respective locations. See Exh. 10. Almost immediately thereafter, Mr. Miranda received an email, purportedly from Mr. Walpole, saying:
FYI, you have the old wiring instructions which can only accommodate deposits in smaller amounts. we only use those for purchases less than $50k, reason why i sent it for the $6,000. I will send you our other wiring instructions or the balance due first thing Monday morning. Waiting to get it from accounting.
Thanks,
James
See Exh. 9. Although this email came from Mr. Walpole's correct email address, unbeknownst to Mr. Miranda, the email was authored by the hacker. At nearly the same time, the real Mr. Walpole emailed to Ms. Schwartz and Mr. Miranda confirming the total price and attaching a .pdf with wiring instructions for payment of the $512,124.18 balance. See Exh. 10. Those wiring instructions were the same ones used for the $6,000 deposit. Almost immediately thereafter, Mr. Miranda and Ms. Schwartz received another email—from Mr. Walpole's email address and using the same email string that Mr. Walpole had just used—saying:
I'm sorry to have sent the old wiring instructions again. please ignore the wiring instructions in my previous email. we stopped using those for larger purchases as explained to Richard earlier. I will be sending the updated info shortly or first thing Monday morning. I apologize for the mix up
Thanks,
James
See Exh. 11. Again, unbeknownst to Mr. Miranda and Ms. Schwartz, this email was written by the hacker.
On Monday, June 18, at 7:27 a.m. the hacker sent another email to Mr. Miranda and Ms. Schwartz attaching fraudulent wiring instructions directing Jetcrete to wire the funds to a different bank and different payee from the $6,000 wired deposit, specifically National Equipment & Trucking's account at Bank of America in Austin, Texas. See Exh. 13. The next day, Thyssen wired $512,124.18 to National Equipment & Trucking's account at Bank of America. At 3:00 p.m. that day, Mr. Miranda emailed Mr. Walpole that the funds had been wired. The real Mr. Walpole did not receive that email because the hacker intercepted it and responded the next morning that the funds had been received.
On June 20, Mr. Miranda emailed Mr. Walpole asking when the trucks would be delivered. The hacker intercepted this and other emails to Mr. Walpole and strung Mr. Miranda along for several days, leading him to believe everything was in order. On June 26, the parties finally realized something was amiss, that Mr. Walpole's email had been hacked, and that the wired funds had been stolen.
On June 26, Austin's Vice President and part owner Paul Werner notified Intermedia about the hack and stated that a representative of Jetcrete would contact Intermedia. Intermedia responded that Jetcrete would need the "appropriate account contact entry and security questions." See Exh. 39. Mr. Werner never provided Jetcrete that information because he did not know the security questions. Id. So when Jetcrete's IT Director Mike Selinger contacted Intermedia it refused to speak with him. Over the next few days, Intermedia reached out to Mr. Werner to address the situation but Mr. Werner never responded. Id. Intermedia eventually deleted the data needed to trace the hack under its data retention policy.
Jetcrete was unable to recover the wired funds. Because Jetcrete needed the trucks quickly for its project, it agreed to Austin's demand that it wire another $512,124.18. Jetcrete wired those funds on June 28, after which Austin delivered the trucks.
Jetcrete's First Amended Complaint in this action asserts claims for breach of contract and the implied covenant of good faith and fair dealing, conversion, fraudulent misrepresentation, unjust enrichment, and vicarious liability. Jetcrete abandoned the unjust enrichment claim before trial.
CONCLUSIONS OF LAW
1. Breach of Contract
"Nevada law requires the plaintiff in a breach of contract action to show (1) the existence of a valid contract, (2) a breach by the defendant, and (3) damage as a result of the breach". Saini v. Int'l Game Tech. , 434 F. Supp. 2d 913, 919–20 (D. Nev. 2006) (citing Richardson v. Jones , 1 Nev. 405, 405 (Nev. 1865) ). Jetcrete and Austin were parties to a contract under which Jetcrete agreed to pay Austin $518,124.18 for three ready-mix trucks. Jetcrete paid Austin a $6,000.00 deposit, leaving a balance of $512,124.18. Jetcrete wired the balance in response to the instructions it received from the hacker and the funds were stolen. Because Austin did not receive the funds, it required Jetcrete to send the balance a second time. Once Austin received that payment, it delivered the trucks to Jetcrete.
The parties view the question of breach from the perspective of their own contractual obligations. Jetcrete contends it completed its obligations by wiring the total purchase price, but Austin breached by refusing to deliver the trucks until Jetcrete paid a second time. Austin contends it completed its obligations by delivering the trucks after it received the contracted sale price. Both are correct that they performed their respective contractual obligations. As the plaintiff, Jetcrete has the burden of proving Austin breached the contract. Because Austin delivered the trucks after it received full payment, it did not breach the contract.
Jetcrete argues that this analysis dodges the real issue as to who should bear the loss of the funds stolen by the hacker. Jetcrete asserts that, because the contract involved the sale of goods, resolution is governed by the Uniform Commercial Code, which Nevada codified in Nevada Revised Statutes Chapters 104 and 104A. Nevada's version of U.C.C. § 3-304 states:
1. If an impostor ... induces the issuer of an instrument to issue the instrument to the impostor, ... by impersonating the payee of the instrument or a person authorized to act for the payee, an endorsement of the instrument by any person in the name of the payee is effective as the endorsement of the payee in favor of a person who, in good faith, pays the instrument or takes it for value or for collection.
....
4. With respect to an instrument to which subsection 1 ... applies, if a person paying the instrument or taking it for value or for collection fails to exercise ordinary care in paying or taking the instrument and that failure substantially contributes to loss resulting from payment of the instrument, the person bearing the loss may recover from the person failing to exercise ordinary care to the extent the failure to exercise ordinary care contributed to the loss.
Nev. Rev. Stat. § 104.3404 (emphasis added). Austin responds that this section does not apply because it governs negotiable instruments not wired funds. Other courts have cited to U.C.C. § 3-404 when wired funds have been fraudulently diverted by a hacker. See, e.g., Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc. , 759 Fed. Appx. 348, 357 (6th Cir. 2018) ; Bile v. RREMC, LLC , 2016 WL 4487864, at *8 (E.D. Va. August 24, 2016) ; Arrow Truck Sales, Inc. v. Top Quality Truck & Equipment, Inc. , 2015 WL 4936272, at *5-6 (M.D. Fla. Aug. 18, 2015). Those courts relied on § 3-404 ’s rule that "the party who was in the best position to prevent the forgery by exercising reasonable care suffers the loss." Arrow , 2015 WL 4936272, at *5.
Jetcrete argues that Austin was in the best position to avoid the loss by employing reasonable security measures to prevent the hack of Mr. Walpole's email. It contends Mr. Miranda could not have known that some of the emails he received from Mr. Walpole's account were authored by the hacker. On the other hand, it argues, Mr. Walpole received fraudulent emails that contained warning signs (e.g., misspelled company domain names) that should have tipped him off to the hack.
Austin responds that some of the emails Mr. Miranda received contained similar warning signs (e.g., poor grammar and punctuation, different font sizes), so Mr. Miranda is at fault to the same degree Jetcrete condemns Mr. Walpole. Austin points out that it took reasonable security steps by hiring an IT consultant (Shane Poteet of Full Suite Communications), installing Symantec virus scanner software on its system, and hosting its email server at Intermedia. Austin argues that Jetcrete was in the best position to avoid the loss by simply calling Austin to verify the wiring instructions. By not doing so, Jetcrete failed to exercise reasonable care, therefore causing the loss.
It is unknown how and when the hacker broke into Mr. Walpole's email. The data that might show that was deleted by Intermedia. Because Austin did not stop Intermedia from destroying the data, Jetcrete moved in limine for an adverse inference that the lost data would be unfavorable to Austin. ECF No. 39. To obtain that adverse inference, Jetcrete must prove (1) Austin had control over the data and an obligation to preserve it; (2) the destruction or loss was accompanied by a culpable state of mind, which includes negligence; and (3) the evidence that was destroyed is relevant to Jetcrete's claims or Austin's defense. Soulé v. P.F. Chang's China Bistro, Inc. , 2020 WL 959245, at 4 (D. Nev. Feb. 26, 2020) (internal citations and quotation marks omitted). Austin owned the data. See Exh. 502 at p. 3 § 1.2. It had an obligation to preserve it. Gonzalez v. Las Vegas Metro. Police Dep't , 2012 WL 1118949, at *5 (D. Nev. Apr. 2, 2012) ("The duty to preserve [evidence] ... extends to the period before litigation when a party should reasonably know that evidence may be relevant to anticipated litigation."). Although Mr. Werner opened a support ticket with Intermedia, he failed to follow up on Intermedia's responses, which would have allowed Mr. Selinger to investigate the hack. See Exh. 39. It appears that Intermedia destroyed the data after Mr. Werner failed to follow up. The data likely would show when and how the hacker broke into Mr. Walpole's account, which is relevant to whether Austin used reasonable care to secure its email platform. Thus, Jetcrete is entitled to an adverse inference that the lost data would be unfavorable to Austin.
I denied that motion without prejudice to Jetcrete presenting evidence at trial to support it. Jetcrete now renews the motion for an adverse inference. ECF No. 51 at 6-7.
--------
But that does not end the inquiry because an adverse inference can be rebutted. Austin argues in rebuttal that it hired an IT security consultant, installed Symantec virus detection software, and paid Intermedia to host its email platform. No email platform is impervious to hacking and even the most sophisticated entities and governments have been hacked. Jetcrete seems to suggest a form of strict liability for hacks: because Austin's email platform was hacked, it must be liable for the resulting damage of Jetcrete's wiring funds to the wrong account. Such a rigid standard is not practical in today's business environment. And it is contrary to the standard Jetcrete invokes, that the court must determine which party was in the best position to avoid the loss. Austin has demonstrated that it took reasonable steps to protect its email platform, thereby undercutting somewhat, if not completely, the adverse inference.
Even if Austin failed to use reasonable care, that must be weighed against Jetcrete's actions, especially if Jetcrete, too, failed to use reasonable care. After Mr. Miranda and Ms. Schwartz received the fake emails changing the wiring instructions, Jetcrete and Thyssen failed to confirm the validity of the new instructions. Mr. Miranda testified that he relied on Thyssen's Purchasing Department to verify the wiring instructions, but that did not happen. A simple phone call to Mr. Walpole or anyone else at Austin would have revealed the fraud and avoided the loss. The failure to do so is especially disconcerting after Jetcrete received conflicting email instructions within minutes of each other. See Exhs. 9, 10, 11.
The hack of Mr. Walpole's email account created the scenario for the loss. But Jetcrete was in the best position to prevent the loss by taking the reasonable precaution of verifying the wiring instructions by phone. Thus, even under an analysis based on Nevada Revised Statutes § 104.3404, Jetcrete should suffer the loss. Arrow , 2015 WL 4936272, at *5. Cf. S. Pac Co. v. Bd. of R Comm'rs of Cal. , 78 F. 236, 252 (C.C.N.D. Cal. 1896) ("They being in pari delictu , the law gives aid to neither.").
Finally, Jetcrete argues that Austin should be liable under an "agency by estoppel" theory, citing to the Restatement (Third) of Agency § 2.05. Jetcrete contends that Austin should be bound by the actions of the hacker, as if the hacker was Austin's agent, because the hacker utilized Mr. Walpole's email account as if he was Austin's agent. While Nevada courts often look to the Restatements for guidance, no Nevada court in the last 99 years has recognized this theory and none has ever applied it. See Robertson v C.O.D. Garage Co. , 45 Nev. 160, 199 P. 356, 359 (1921) (mentioning the theory of "agency by estoppel" but declining to apply it). I am loathe to create Nevada law. But even if Nevada recognized the "agency by estoppel" theory, it would not save Jetcrete. The theory is limited to situations where the principal "intentionally or carelessly caused" the injured party to believe the fraudulent actor was acting on behalf of the principal. See Restatement (Third) of Agency § 2.05 (2006). Under the facts of this case, I do not find that Austin carelessly caused Jetcrete to believe the hacker was Mr. Walpole.
Jetcrete has failed to prove that Austin breached the contract so I deny this claim.
2. Jetcrete's Other Claims
Jetcrete argues that its "agency by estoppel theory also supports finding in Jetcrete's favor on its other claims." See Jetcrete's Proposed Findings of Fact and Conclusions of Law, ECF No. 47 at 18. Neither of the parties made any further arguments in support of Jetcrete's other claims in any of their post-trial briefs. See ECF Nos. 51, 54, 55. Because I have rejected that theory under the facts of this case, and because Jetcrete has not proven the elements of those claims under Nevada law, I deny all of Jetcrete's other claims.
CONCLUSION
I THEREFORE ORDER the clerk of the court to enter judgment in favor of defendant Austin Truck & Equipment, Ltd. and against plaintiff Jetcrete North America LP on all of the claims asserted in this case.