Summary
denying request by a plaintiff to seal documents based on § 1040 because “only the government entity holds the privilege.”
Summary of this case from Baird v. Leidos, Inc.Opinion
Case No. 14-cv-03078-JSC
06-22-2015
ORDER
Re: Dkt. Nos. 50, 66, 100
This case arises out of a cyber attack on the global computer network and communication systems of Plaintiff Music Group Macao Commercial Offshore Limited ("Music Group" or "Plaintiff"). Plaintiff asserts that the cyber attack occurred due to the failures of Defendant David Foote ("Defendant"), a technology consultant for the company. Now pending before the Court are Defendant's motion for summary judgment and for leave to file recently produced documents in support thereof and Plaintiff's motions for a continuance of the summary judgment hearing pursuant to Federal Rule of Civil Procedure 56(d) and for leave to file a second amended complaint. Having carefully reviewed the parties' submissions, and having had the benefit of oral argument on June 4, 2015, the Court DENIES Defendant's motion for summary judgment, GRANTS Defendant's motion for leave to file supplemental evidence, DENIES Plaintiff's motion for a Rule 56(d) continuance, and DENIES Plaintiff's motion for leave to file a Second Amended Complaint.
There are also six administrative motions to file under seal pending in connection with these motions. The Court will address these administrative motions separately.
I. BACKGROUND
A. Factual Summary
Plaintiff Music Group is an international company headquartered in the Philippines with over 3,500 employees, offices in seven countries, and $260 million in annual revenues. (Dkt. No. 51-1 at 4, 6, 10.) The company was founded 26 years ago by its current CEO, Uli Behringer ("Behringer"). (Id. at 7.) Defendant David Foote was an employee of Music Group from 2007 to 2008 as its Chief Technology Officer, responsible for development and deployment of software applications. (Dkt. No. 52 ¶ 3.) At that time, Music Group also employed a separate individual as Chief Information Officer, and that person was responsible for the company's network infrastructure. (Id.) In 2010, Plaintiff contacted Defendant seeking assistance with technology issues. (Id. ¶ 4.) In discussions about the possibility of Defendant coming on board, Defendant held himself out as an experienced professional in the Information Technology ("IT") and Information Security ("IS") fields. (Dkt. No. 59 ¶ 4.)
Page numbers herein refer to those that the Court's electronic filing system automatically assign.
1. The August 27, 2010 Agreement
On August 27, 2010, Plaintiff entered into a written agreement (the "Agreement") to provide services to Plaintiff. (Id.) The Agreement that the parties ultimately entered was based on a standard form that Plaintiff's Human Resources Department used to retain consultants. (Dkt. No. 53 ¶ 3.) The Agreement was titled "Consultancy Agreement" and provided that Defendant was "deemed to be an independent contractor and not an employee of [Plaintiff]." (Dkt. No. 5-1 ¶ 1.) Plaintiff agrees that Defendant was hired as a consultant. (Dkt. No. 49-9 at 11 (Plaintiff's 30(b)(6) witness states that Defendant was a consultant).)
The agreement was between Defendant and "Behringer Macao Commercial Offshore Limited," which was how Plaintiff was then known. (See Dkt. No. 49-5 at 11 n.1.)
The Agreement provided that Plaintiff would pay Defendant a minimum of $5,000 per month for Defendant to work remotely with an expected schedule of one 40-hour work week per month. (Dkt. No. 5-1 ¶ 4.) The Agreement further provided that Plaintiff would pay Defendant $125 per hour for additional time worked beyond that amount. (Id.)
The Agreement also set forth the nature of Defendant's responsibilities. Section 2 provides:
Duties(Dkt. No. 5-1 § 2 (emphasis in original).) Section 14 of the Agreement pertains to indemnification. It provides that
The Consultant shall perform his obligations hereunder faithfully and to the best of his ability under the direction of the [company's] CEO and COO. The Consultant shall devote such of his business time, energy and skill as may be reasonably necessary for the performance of his duties. Nothing contained herein shall require the Consultant to follow any directive or to perform any act which would violate any laws, ordinances, regulations or rules of any governmental, regulatory or administrative body, agent or authority, any court or judicial authority, or any public, private or industry regulatory authority.
The Duties will be as follows:
This is to be a big picture evaluation of all IS systems and personnel. Investigate and analyse [sic] the current systems that are in place as well as those that are not being utilized completely or properly. Create a status report, and gap analysis on the short falls that need to be looked at as well as a conclusive report of your recommendations moving forward.
Meet with the COO and work on a strategic plan for the IS departments.
Scope of engagement
*High level strategic vision and guidance for IT/IS projects
*Management and negotiation of external project relationships with focus on SCM and ERP implementation and projects
*Management/Guidance of IT and IS organizations
*IT/IS Budget, Resource, and project rationalization
Consultant shall indemnify and hold harmless [Plaintiff] and its officers, agents, employees, successors and authorized assigns from and against any and all liabilities, damages, costs, losses, claims, demands, actions, and expenses (including reasonable attorneys' fees) arising in consequence of the gross negligence or willful misconduct of the Consultant or a breach by the Consultant of any term herein or gross negligence on the part of the Consultant in connection with the performance of his duties.(Id. § 14.) Other provisions specifically provided that they would apply "[d]uring and after the Term of th[e] Agreement." (See, e.g., id. §§ 7 ("This provision shall survive the termination of this Agreement."), 9 ("[t]he Consultant covenants and agrees that for a period of twelve (12) months from termination . . . "); 10 ("During the term of this Agreement and for a period of six (6) months thereafter . . . "; 11 ("During and after the Term of this Agreement . . . ").)
By its terms, the Agreement was set to last from August 27, 2010 until either party terminated the agreement pursuant to Section 6. (Id. § 3.) Section 6, in turn, explained the circumstances under which either party could terminate the Agreement. First, either party could terminate the Agreement by giving prior written notice to the other party. (Id. § 6.3.) Plaintiff could also terminate the Agreement if, among other grounds for termination, Defendant "is guilty of gross misconduct or any serious or persistent breach of obligations in the provision of the services; . . . brings or is likely to bring [Music Group's] name into disrepute . . . or [ ] has been unable, refused or failed to provide any of the services for fourteen (14) days after being instructed by [Music Group] to do so. (Id. § 6.1.)
2. Defendant's Work at Music Group
Defendant began his work with Plaintiff on August 27, 2010. Plaintiff issued a press release that Defendant helped write announcing that it had appointed Defendant as Chief Technology Officer. (Dkt. No. 67-1; Dkt. No. 59 ¶ 4.) Defendant listed himself as Chief Technology Officer of Music Group on his LinkedIn page, as well. (Dkt. No. 68-1; Dkt. No. 68-2 at 14.) Defendant used the email address "CTO@music-group.com" for correspondence. (See, e.g., Dkt. No. 63 ¶ 7.) Defendant worked more than the single 40-hour week contemplated schedule set forth in the Agreement as evidenced by his income, which exceeds the $5,000 monthly flat rate: Plaintiff paid Defendant $61,540 for 5 months of work in 2010, $189,958.86 in 2011, $240,240 in 2012, and $167,670 for eight months of 2013. (Dkt. No. 60 ¶¶ 4, 6 & Ex. A.)
In the course of his work pursuant to the Agreement, in September 2010 Defendant drafted the status report referred to in Section 2 of the Agreement, labeled "IS and IT Strategy Document," and provided it to Plaintiff. (Dkt. No. 52 ¶ 5; Dkt. No. 49-1 at 32, 38.) In the report, Defendant identified certain problems with Music Group's systems and set forth a strategy for moving forward. (Dkt. No. 70-5 at 55-57.) Some of the problems Defendant identified in this report—namely, (1) IT/IS projects were "incompletely implemented, or misimplemented"; (2) a "high degree of fragmentation in the currently implemented systems"; (3) the "current systems are not updated or upgraded"; and (4) the "[i]nfrastructure is not centrally managed"—were also identified by Presidio, Inc. ("Presidio"), the company Plaintiff hired to assist in its recovery following the cyber attack, as barriers to recovery. (Dkt. No. 59 ¶ 12; Dkt. No. 70-5 at 63.)
During the course of his work, Defendant also signed contracts with third party companies as Music Group's Chief Technology Officer and without first consulting with Behringer. (Dkt. No. 59 ¶ 8; Dkt. No. 70-4 at 8.)
Within the company, Defendant reported to Behringer regularly about his work with the IT and IS departments. (Dkt. No. 59 ¶ 9.) According to Behringer, during those conversations Defendant regularly assured him that the IT and IS systems and infrastructure were secure. (Id.) Defendant made similar representations to the employees of the IT and IS departments. In July 2013 when Plaintiff suffered a network outage, Defendant emailed all Music Group employees, noting that the stability of the company's infrastructure was his responsibility. (Id. ¶ 10; Dkt. No. 67-2 at 2.) Defendant's email footer listed him as the company's Chief Technology Officer. (Dkt. No. 67-2 at 3.)
According to Behringer, all company employees who worked on cyber security reported up the chain of command to Defendant. (Dkt. No. 59 ¶ 7.)
3. The Music Group IT/IS Department
Defendant also advised Plaintiff to hire a team of technology professionals. (Dkt. No. 52 ¶ 6.) Plaintiff heeded that recommendation, hiring Jim Ratchford as Senior Vice President of Technology and Tim Driggers as Global Vice President of Technology Operations. (Dkt. No. 49-11 at 4-5.) Driggers had over 20 direct reports in the company's network technology department. (Id. at 9.) Among them were two individuals Driggers hired, Employee 1 and Employee 2, who both worked out of Music Group's United Kingdom offices. (Id. at 11-12.) Employee 1 was "the manager directly in charge of the network security[.]" (Id. at 12.) Employee 1 reported to Employee 2, who in turn reported up the chain to Driggers. (Id.)
At some point prior to the cyber attack, Defendant recalls recommending to Behringer that Employee 1 and Employee 2 be fired. (Dkt. No. 49-13 at 4; Dkt. No. 49-9 at 30.) Music Group did not heed the suggestion at that time. (Dkt. No. 49-9 at 30.)
Behringer recalls Defendant recommending that Employee 1 be fired after Employee 1 filed a complaint against Defendant with Human Resources. (Dkt. No. 49 ¶ 15.) Employee 1 was eventually terminated after he failed to appear for a meeting with Human Resources regarding that inquiry in August 2013, before the cyber attack occurred. (See Dkt. No. 68-3 at 17-18.) Defendant also recommended that Employee 2 be fired. (Dkt. No. 51 Ex. 4.) Employee 2 was transferred to out of the IT/IS department into a different division at Music Group and stripped of his network administrator rights before the cyber attack occurred. (Id. at 22-23.) Like Employee 1, Employee 2 was eventually terminated after the cyber attack when he failed to appear at a meeting with Human Resources regarding an administrative investigation.
3. The Cyber Attack & its Aftermath
On August 17, 2013, Plaintiff's computer network was subject to an intentional cyber attack. (Dkt. No. 49-13 at 4-5.) The cyber attack rendered Plaintiff's IT and IS systems inaccessible both internally and externally for about one month and destroyed much of its data. (Dkt. No. 59 ¶ 11; Dkt. No. 63 ¶ 8; Dkt. No. 49-15.) The IT and IS systems themselves were inaccessible for even longer. (See Dkt. No. 63 ¶ 8.)
Specifically, by August 18, 2013, all switches and routers in Music Group's data center and offices worldwide were "wiped clean of their configuration, rendering them unusable." (Dkt. No. 49-15 at 2.) A number of servers were also wiped clean and rendered unusable. (Id.) In addition, the company's "Active Directory" was completely wiped out of all user accounts, save four. (Id.)
At Defendant's suggestion, Behringer retained Presidio to assist with data recovery efforts. (Dkt. No. 59 ¶ 12.) Presidio manager Phil Crook urged Behringer to fire Defendant (as well as Ratchford) because they were hindering and jeopardizing Presidio's recovery efforts. (Id.) Behringer apparently heeded that recommendation: Plaintiff sent Defendant a termination letter dated August 28, 2013, which stated in relevant part that Defendant's "services to the Music Group . . . are no longer required" effective August 23, 2013. (Dkt. No. 51-5 at 2.) The termination letter directed Defendant to "immediately discontinue using all work products and other property that belongs to the Company" and reminded Defendant of his "legal obligations to the Company, which survive beyond [his] service contract." (Id.)
Shortly after the cyber attack Plaintiff conducted an internal investigation and concluded that two IT employees had likely carried out the attack. (Dkt. No. 49-15 at 4 (identifying the two individuals as the only employees who fit the profile of individuals who might carry out such an attack; id. at 7 ("Our internal investigations are clearly pointing to our employees [Employee 2] and [Employee 1] as suspects.").) The report notes that the conclusions were reached "in the absence of a formal and thorough forensic investigation" and was instead based only on "inputs and comments . . . from [Music Group] staff who was most closely involved in the recovery effort." (Id. at 2.) Behringer reported the cyber attack to the police in the United Kingdom and identified two employees as the company's main suspects; Behringer later learned that one of them had been arrested, and then released after he denied involvement in the attack. (Dkt. No. 59 ¶ 12 & Ex. E.) Behringer avers that the company still does not know who perpetrated the cyber attack. (Id. ¶ 14.)
B. Procedural History
Plaintiff first brought suit against Defendant for conduct related to the cyber attack in the United States District Court for the District of Washington on December 18, 2013. (Dkt. No. 82-1 ¶ 2; see also Music Grp. Servs. U.S. Inc. v. Foote (hereinafter the "Washington action"), No. 2:13-cv-02271-JCC (W.D. Wash. Dec. 18, 2013), Dkt. No. 1.) The complaint in the Washington action alleged the same causes of action as the complaint and FAC here: breach of contract, negligence, and contractual indemnification. The Washington action was dismissed without prejudice on April 1, 2014 before the parties engaged in any discovery. (W.D. Wash. Dkt. No. 15.) Plaintiff initiated this second action on July 7, 2014. (Dkt. No. 1.) Plaintiff filed the first amended complaint ("FAC") one day later, on July 8, 2014. (Dkt. No. 5) The FAC differs from the original complaint only insofar as the attached Consultancy Agreement was unsigned in the original, but the FAC includes an executed version. (Compare Dkt. No. 1-1, with, Dkt. No. 5-1.)
Following a case management conference in November 2014, the parties commenced discovery. The deadline for fact and expert discovery was set for July 24, 2015. (Dkt. No. 35 at 1.) The parties exchanged substantial discovery and took several depositions by April 14, 2015, when Defendant filed his motion for summary judgment. Plaintiff opposed the motion for summary judgment and, one day later, filed its motion for leave to file a second amended complaint. On May 20, 2015, Defendant filed his motion for leave to file recently-produced documents in support of his summary judgment motion, which Plaintiff opposed. These motions are now fully briefed and ripe for adjudication. The Court heard oral argument on the motions on June 4, 2015.
II. MOTION FOR SUMMARY JUDGMENT
A. Legal Standards
Summary judgment is appropriate if "there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed. R. Civ. P. 56(a). The moving party bears the burden of producing evidence negating an essential element of each claim on which it seeks judgment or showing that the nonmoving party cannot produce evidence sufficient to satisfy its burden of proof at trial. Nissan Fire & Mar. Ins. Co., Ltd. v. Fritz Cos., 210 F.3d 1099, 1102 (9th Cir. 2000). "[T]he inferences to be drawn from the underlying facts contained in such materials must be viewed in the light most favorable to the party opposing the motion." United States v. Diebold, Inc., 369 U.S. 654, 655 (1962).
Once the moving party meets its burden, the nonmoving party must show that a material factual dispute exists. California v. Campbell, 138 F.3d 772, 780 (9th Cir. 1998). If the nonmoving party fails to do so, "the moving party wins the motion for summary judgment." Nissan Fire, 210 F.3d at 1103. "But if the nonmoving party produces enough evidence to create a genuine issue of material fact, the nonmoving party defeats the motion." Id.
Along with its opposition to the motion for summary judgment, Plaintiff made a Rule 56(d) request to continue the summary judgment hearing to allow for further evidence to supplement the record. (Dkt. No. 58 at 28-29.) Rule 56(d) provides:
If a nonmovant shows by affidavit or declaration that, for specified reasons, it cannot present facts essential to justify its opposition [to a motion for summary judgment], the court may: (1) defer considering the motion [for summary judgment] or deny it; (2) allow time to obtain affidavits or declarations or to take discovery; and (3) issue any other appropriate order.Generally, Rule 56(d) provides a device for litigants to avoid summary judgment when the non-movant needs to discover affirmative evidence necessary to oppose the motion. See Garrett v. San Francisco, 818 F.2d 1515, 1518 (9th Cir. 1987); see also Celotex Corp. v. Catrett, 477 U.S. 317, 326 (1986). In making a Rule 56(d) motion, a party opposing summary judgment must make clear "what information is sought and how it would preclude summary judgment." Garrett, 818 F.2d at 1518. The movant must specifically identify relevant information and a basis for belief that the information exists, and must also indicate how the information sought could defeat summary judgment. United States v. Real Prop. & Improvements Located at 2366 San Pablo Avenue, Berkeley, Cal., No. 13-cv-02027-JST, 2014 WL 3704041, at *2 (N.D. Cal. July 24, 2014) (citations omitted). Put simply, as the Ninth Circuit stated in Continental Mar. v. Pac. Coast Metal Trades, 817 F.2d 1391, 1395 (9th Cir. 1987), under Rule 56 "the party seeking a continuance bears the burden to show what specific facts it hopes to discover that will raise an issue of material fact." Id.; see also Tatum v. City & Cnty. of San Francisco, 441 F.3d 1090, 1101 (9th Cir. 2006).
Courts generously grant Rule 56(d) motions "unless the non-moving party has not diligently pursued discovery of the evidence." Burlington N. Santa Fe R. Co. v. Assiniboine & Sioux Tribes of Fort Peck Reservation, 323 F.3d 767, 773-74 (9th Cir. 2003) (citations omitted). "Summary denial [of a Rule 56(d) motion] is especially inappropriate where . . . the material sought is also the subject of outstanding discovery requests." Id. at 775 (citations omitted).
B. What Evidence the Court will Consider
Defendant contends that he is entitled to summary judgment on all three claims in the operative pleading. As an initial matter, the parties raise three issues regarding the state of the summary judgment record: (1) Plaintiff objects to the consideration of certain evidence; (2) Defendant seeks to supplement the summary judgment record to add certain documents not submitted with the initial round of briefing; and (3) Plaintiff moves pursuant to Federal Rule of Civil Procedure 56(d) to postpone consideration of summary judgment to allow for a more fulsome evidentiary record. The Court will address each in turn.
1. Evidentiary Objections
a. Defendant's Objections
Defendant also launches a number of objections to evidence on which Plaintiff relied in its opposition to the motion for summary judgment. First, Defendant objects to the declaration of Plaintiff's CEO Uli Behringer to the extent that it discusses the circumstances surrounding the hiring of Defendant. At Behringer's 30(b)(6) deposition, he testified that he did not think he was involved in the negotiation of the Agreement and did not know who signed it on Plaintiff's behalf. (Dkt. No. 77-4 at 5, 7.) Based on this testimony, Defendant argues that Plaintiff "has conceded that it has no knowledge of any pre-contract negotiations or discussions in support of any interpretation" such that Behringer's statements regarding his negotiations with Defendant are absent the personal knowledge that Federal Rule of Evidence 602 requires. Such is not the case. To be sure, Behringer's deposition testimony indicates a lack of personal knowledge about who drafted and signed the Agreement itself, but does not reflect a lack of personal knowledge about other communications or conversations that he had with Defendant.
Defendant also objects to the declaration of Markus Jakobsson, Ph.D ("Jakobsson Declaration," Dkt. No. 62) on the grounds that it is improper opinion evidence because Jakobsson is not a percipient witness to any topic about which he testifies. The Court agrees. However, the Jakobsson Declaration regarding general duties of Chief Technology Officers, cyber attacks, and cyber security sufficiently qualifies as expert opinion consistent with Federal Rule of Evidence 702 based on his substantial experience in the field. The Court notes that Jakobsson admits in his declaration that he has not had adequate time to review the record to reach a final opinion on whether Defendant met the standard of care in this case. Notwithstanding that Jakobsson has not prepared his final expert report given the early filing of this motion for summary judgment, the Court will still consider the Jakobsson Declaration for the limited purpose as expert testimony regarding the cyber security field.
Defendant next objects to David Jerome's testimony that "if Foote had done nothing else but ensure that Music Group had a working back-up system, Music Group's recovery would have been much quicker and Music Group would have suffered far less damage." (Dkt. No. 63 ¶ 9.) Jerome was not disclosed as a witness having knowledge about Defendant's responsibilities and contractual duties, nor did he testify in his declaration to having personal knowledge of Defendant's responsibilities. The Court will therefore consider this testimony for the limited purpose of its meaning that Plaintiff would have suffered fewer damages had there been a back-up system in place, but not whether or not it was Defendant's responsibility to make that happen.
Defendant objects to the declaration of Erineo Cruz in its entirety and the documents attached thereto on the grounds that Cruz was not disclosed in Plaintiff's Rule 26 disclosures and that he does not testify to sufficient personal knowledge of the documents that are the subject of his testimony nor does he sufficiently authenticate those documents. "Failure by a party to disclose the identity of witnesses during discovery may result in the court precluding that party from presenting the witnesses at trial." See Haber v. ASN 50th St., LLC, 272 F.R.D. 377, 381 (S.D.N.Y. 2011) (emphasis added). It need not, however. As discovery is ongoing, the Court declines to exclude the Cruz Declaration on this ground. The remaining objections to the Cruz Declaration and the exhibits it references are without merit. Cruz avers that he is Music Group's Vice President in charge of global finances and his job responsibilities include managing the company's accounting systems and finances. (Dkt. No. 60 ¶¶ 1-3.) Cruz testifies that from 2010 to 2013, with two exceptions, he received and reviewed Defendants' invoices for services, true and correct copies of which are attached to his declaration as Exhibit A. (Id. ¶ 4 & Ex. A.) This information is enough to satisfy Rule 602's requirement for personal knowledge and Rule 901's requirements for authentication.
Defendant also objects to the declaration of Maricelle Rosell ("Rosell Declaration, Dkt. No. 64), Plaintiff's Human Resources Manager. Once again, the Court declines to exclude the Rosell Declaration on the ground that Rosell was not identified in Plaintiff's Rule 26 disclosures. The Rosell Declaration describes the personnel files and terminations of Employee 1 and Employee 2, the two Music Group employees at one point thought to have perpetrated the cyber attack. Defendant first objects to the Rosell Declaration on the grounds that Plaintiff "refused to produce the [personnel files] in discovery" and therefore cannot discuss them. The Court specifically determined that Plaintiff need not produce the personnel files but must describe, in an interrogatory response, disciplinary action taken towards any personnel in response to the cyber attack[.]" (Dkt. No. 45 at 4.) Defendant also objects to the Rosell Declaration as inadmissible hearsay barred by Federal Rule of Evidence 802, as it describes the contents of the individuals' personnel files. Ultimately, the Court will disregard this testimony because Plaintiff cannot have it both ways, declining to produce the personnel records for Defendant's review but choosing to describe their contents to their advantage.
Finally, Defendant objects to various portions of the declaration of Music Group CEO Uli Behringer. First, Defendant objects to the extent that Behringer discusses "pre-contract discussions" with Defendant. Defendant objects on the grounds that (1) the discussions are irrelevant because the written contract supersedes prior oral discussions under Rule 401(b); that he has no personal knowledge of these negotiations because he testified that he took no part in negotiating or drafting the consulting agreement; and that his testimony of Defendant's responsibilities is improper opinion under Rule 702. The Court disagrees. As discussed above, Behringer's deposition testimony indicates a lack of personal knowledge about who drafted and signed the Agreement itself, but does not reflect a lack of personal knowledge about other communications or conversations that he had with Defendant. Moreover, as discussed in more detail below, the contract is ambiguous as to the scope of Defendant's duties, therefore extrinsic evidence reflecting the parties' intent is relevant.
Defendant also objects to Behringer's testimony that he does not recall Defendant proposing that Employee 2 be fired, as Plaintiff's requests for admission are binding on the parties. Indeed, Plaintiff admitted that Defendant recommended Employee 2 fired, and this is binding on Plaintiff. See Conlon v. United States, 474 F.3d 616, 622 (9th Cir. 2007). The Court therefore disregards Behringer's testimony that he does not remember Defendant recommending that Employee 2 be fired as such testimony is irrelevant in light of the admission. Defendant also objects to several exhibits that Plaintiff submitted in support of its opposition to the motion for summary judgment. Defendant objects to Exhibit A, the press release announcing Plaintiff's hiring of Defendant as its new Chief Technology Officer, as irrelevant and hearsay. Behringer described writing the press release with Defendant. It is relevant to the parties' intent regarding Defendant's responsibilities and the Court will consider it solely for this purpose. Defendant also objects to Exhibits B and C, contracts with third party vendors, as inadmissible hearsay, improperly authenticated, and not in a category of documents included in Plaintiff's Rule 26 disclosures. The Court will consider these exhibits solely for the purpose of noting Defendant's signature.
Finally, Defendant objects to Exhibits 1, 4 and to the declaration of Allison Dibley as inadmissible hearsay. Exhibit 1 is Defendant's LinkedIn page. Plaintiff cites this evidence to note that Defendant described himself as Chief Technology Officer of Music Group. The Court will consider the LinkedIn page only insofar as it is Defendant's description of himself as Chief Technology Officer, but not for the truth that Defendant was, in fact, Chief Technology Officer. See Fed. R. Evid. 801(d)(2). Exhibit 4 is a report labeled "Security Response" from Presidio, the group hired to assist Music Group with its disaster recovery following the cyber attack. The Court will not consider the report.
b. Plaintiff's Objections
Plaintiff objects to certain statements in the Declaration of Jared M. Ahern ("Ahern Declaration," Dkt. No. 51) filed in support of Defendant's motion for summary judgment as well as certain exhibits that Defendant submitted. Plaintiff first objects to the portion of paragraph 6 of the Ahern Declaration describing the August 28, 2013 termination letter that Plaintiff sent Defendant, to the extent that it states that the "letter made no mention of why [Plaintiff] was terminating Defendant." (Id. ¶ 6.) Plaintiff objects to counsel's interpretation of the letter on the grounds that under Federal Rule of Evidence 1004, the document speaks for itself, rendering further interpretation of the document irrelevant and therefore inadmissible under Rule 402. In addition, Plaintiff argues that defense counsel's opinionated description of what the letter means is improper lay opinion under Rule 701 and improper expert opinion testimony under Rule 702. The Court agrees. The Court will consider the letter itself, but not defense counsel's description of the document's contents.
Plaintiff next objects to paragraph 7 of the Ahern Declaration that states that:
On August 18, 2013, Victor Lau, [Plaintiff's] current Vice President of Technology, wrote an internal report identifying . . . two individuals who worked in the technology department at Music Group, as the perpetrators of the cyber attack that caused all of Music Group's alleged damages in this case. In written discovery responses (which are attached hereto as Exhibit 4), [Plaintiff] . . . represented that the report represented the findings of [Plaintiff's] internal investigation into the attack[.](Dkt. No. 51 ¶ 7.) Plaintiff objects to the statement for the same reasons, and the Court sustains the objection as above. The Court will consider the termination letter as well as Plaintiff's discovery responses, but not counsel's interpretation of what those documents mean.
Lastly, Plaintiff objects to paragraphs 9, 10, and 11 of the Ahern Declaration and the documents they reference—Exhibits 8, 9, and 10—as irrelevant pursuant to Federal Rule of Evidence 402 and, if relevant, substantially more prejudicial than probative pursuant to Federal Rule of Evidence 403. These paragraphs refer to a 2013 lawsuit in the Western District of Washington in which Presidio, Inc., the company Plaintiff hired to help it remediate the effect of the cyber attack, alleged that Plaintiff was in breach of contract for failing to pay Presidio money owed for performing these remediation services. (See Dkt. No. 51 ¶ 9 & Ex. 8.) Plaintiff asserted counterclaims against Presidio, and the case eventually settled after the parties agreed that Plaintiff would pay a sum certain to Presidio. (Id. ¶¶ 10-11; Exs. 9 & 10.) The existence of Plaintiff's obligation to pay Presidio for work arising out of the cyber attack is relevant to whether third party claims exist for the purposes of indemnification, but Defendant does not cite to these paragraphs or exhibits in the argument section of his motion for summary judgment, so their probative value must be limited. The Court agrees that this limited probative value is outweighed by unfair prejudice to Plaintiff. Accordingly, the Court will not consider paragraphs 9 through 11 of the Ahern Declaration and Exhibits 8 through 10 attached thereto.
2. Defendant's Request to File Recently Produced Documents
Defendant requests leave to file six additional documents in support of his fully briefed motion for summary judgment. (Dkt. No. 95.) "A trial court has the inherent authority to control its own docket[.]" Hoeun Yong v. INS, 208 F.3d 1116, 1119 (9th Cir. 2000). A court may allow a party to supplement the summary judgment record after briefing was completed upon a showing of good cause. See N.D. Cal. L.R. 7-3(d) ("Once a reply is filed, no additional memoranda, papers or letters may be filed without prior Court approval[.]"); see, e.g., Quintana v. Claire's Stores, Inc., No. 13-0368-PSG, 2013 WL 1736671, at *2 (N.D. Cal. Apr. 22, 2013); Therasense, Inc. v. Becton, Dickinson & Co., 560 F. Supp. 2d 835, 840 (N.D. Cal. 2008); cf. In re Crown Vantage, Inc., No. C-02-3838 MMC, 2007 WL 128008, *1 at n.2 (N.D. Cal. Jan. 12, 2007) (declining to consider supplemental evidence "because [the party] did not seek advance leave to file additional evidence" pursuant to Local Rule 7-3). Courts have found good cause to supplement the summary judgment record with evidence that was produced after the motion was filed. See, e.g., Quintana, 2013 WL 1738871, at *2.
Here, Defendant filed his motion for summary judgment on April 14, 2015 and it was fully briefed by May 5, 2015. On May 20, 2015, Defendant filed the instant motion for an order allowing him leave to file six documents as supplemental evidence in support of his motion for summary judgment. The supplemental evidence Defendant now seeks to file are employment agreements and job descriptions for high-level IT/IS employees at Plaintiff's company.
On January 23, 2015, Defendant noted Plaintiff's 30(b)(6) deposition for February 18, 2015 and included the topic of "[p]ersonnel responsible for [Plaintiff]'s computer network and communications infrastructure, including internal and external security measures" and production of "[a]ll documents you referred to or referenced in preparing for the deposition." (Dkt. No. 100-8.) The deposition was then moved to March 9 to accommodate one of Plaintiff's persons most knowledgeable. (Dkt. No. 100-1 ¶ 8; Dkt. No. 100-9.) At the March 9 30(b)(6) deposition, Plaintiff's witness testified that every individual identified on Plaintiff's technology department organizational chart had a written employment agreement describing the employee's duties and responsibilities. (Dkt. No. 100-12 at 4-8.) In response to that testimony, the very next day Plaintiff served another discovery request seeking in relevant part "[a]ny and all documents which reflect or refer to the duties of all Music Group employees, identified in the organizational chart produced by [Plaintiff] . . . , including, but not limited to, all written employment agreements as described by [Plaintiff's] 30(b)(6) witness during his testimony on March 9, 2015." (Dkt. No. 100-13 at 4.) The job-description and employment-agreement evidence that Defendant seeks to add to the summary judgment record was produced on April 27 (one document), May 12 (two documents), May 15 (three documents). (See Dkt. No. 75.)
The Court has already determined that such employees' responsibilities are relevant to whether Defendant was contractually responsible to prevent cyber attacks, and thus, to the questions of liability in this action. All of the requested documents were produced after Defendant filed his initial motion. All but one were not produced until after the motion was fully briefed; the exception is the job description for one employee that was produced on April 27, 2015, before Defendant filed his reply.
Ordinarily, production after the motion is fully briefed is good cause to supplement the record. See, e.g., Quintana, 2013 WL 1738871, at *2. Plaintiff argues that it is not, here, because Defendant filed his summary judgment motion early—long before the dispositive motion deadline was even imminent. (See Dkt. No. 73.) Thus, Plaintiff contends that having chosen to file his summary judgment motion early—having made a choice to do so without obtaining the employment agreements—Defendant cannot show good cause to supplement the record now. In the alternative, Plaintiff argues that if the Court grants Defendant's motion to supplement the record, then it should also grant Plaintiff's Rule 56(d) motion to continue the hearing on the summary judgment motion "so that all relevant evidence can be considered[.]" (Dkt. No. 109 at 5.) The Court declines to do so.
The fact that expert discovery has not yet been completed is not a bar to consideration of a summary judgment motion; indeed, "a motion for summary judgment can be brought at any time" and "it is up to the party requesting continuance to provide specific facts they reasonably expect to obtain to oppose the motion." P.A. v. United States, No. C 10-2811 PSG, 2013 WL 3864452, at *7 (N.D. Cal. July 24, 2013). Moreover, Defendant established that he first noticed the 30(b)(6) deposition on topics including job descriptions and served discovery requests seeking job descriptions well before the instant motion was filed; the document request following the 30(b)(6) deposition was served on March 10, 2015. Defendant did not immediately file the instant summary judgment motion, but rather waited over a month while the parties litigated whether Plaintiff had to turn over the employment agreements and job descriptions. Under these circumstances, the Court finds good cause to GRANT Defendant's motion for leave to supplement the summary judgment record to include recently produced documents regarding other IT/IS employees' employment agreements and job descriptions.
C. Summary Judgment
The Court now considers whether Defendant is entitled to summary judgment on all three claims in the FAC or whether genuine issues of material fact in the record prevent a dispositive ruling at this time.
1. Breach of Contract
Defendant first argues that he is entitled to summary judgment on the breach of contract claim. The gravamen of the breach of contract claim is that Defendant breached the Agreement by "failing to provide the agreed-upon IT Services" and as a result is liable for damages stemming from the cyber attack. "A cause of action for damages for breach of contract is comprised of the following elements: (1) the contract, (2) the plaintiff's performance or excuse for nonperformance, (3) defendant's breach, and (4) the resulting damages to plaintiff." Rutherford Holdings, LLC v. Plaza Del Rey, 223 Cal. App. 4th 221, 228 (2014). Here, for the purposes of the instant motion the parties agree that there is a contract—namely, the Agreement—and that Plaintiff performed by paying Defendant in accordance with its provisions. The parties' dispute focuses on whether there was a breach, whether that breach caused damages, and whether such damages are recoverable.
Since this case is in a California federal court on diversity jurisdiction, the choice-of-law rules of California apply. See Coneff v. AT&T Corp., 673 F.3d 1155, 1161 (9th Cir. 2012); see, e.g., Bruno v. Quten Research Inst., LLC, 280 F.R.D. 524, 538 n.7 (C.D. Cal. 2011). Under California choice of law, California law applies unless a party timely invokes the law of a foreign state. Hurtado v. Sup. Ct., 11 Cal. 3d 574, 581 (1974). The parties agree that California law applies to all claims at issue here.
Defendant first asserts that there is no evidence that Foote breached the agreement by failing to fulfill his contractual duties. At bottom, the question of breach for purposes of summary judgment turns on interpretation of Defendant's duties pursuant to the Agreement: the parties dispute whether, under the terms of the Agreement, Defendant was responsible for network security and obligated to implement IT/IS protective measures. Specifically, Plaintiff alleges that Defendant breached Section 2 of the Agreement, which spells out Defendant's contractual duties and the scope thereof:
The Duties will be as follows:(Dkt. No. 5-1 § 2 (emphasis in original).) From Defendant's perspective, the plain language of the Agreement indicates that he was only hired to provide "advice" and not to follow through with implementation or management, and he fulfilled these duties so there is no breach. Plaintiff, for its part, urges that the language of the contract and the parties' conduct indicate that Defendant was hired to manage the IT and IS departments, and part of that responsibility includes ensuring the departments' cyber security, and Defendant's failure to do so constitutes a breach.
This is to be a big picture evaluation of all IS systems and personnel. Investigate and analyse [sic] the current systems that are in place as well as those that are not being utilized completely or properly. Create a status report, and gap analysis on the short falls that need to be looked at as well as a conclusive report of your recommendations moving forward.
Meet with the COO and work on a strategic plan for the IS departments.
Scope of engagement
*High level strategic vision and guidance for IT/IS project
*Management and negotiation of external project relationships with focus on SCM and ERP implementation and projects
*Management/Guidance of IT and IS organizations
*IT/IS Budget, Resource, and project rationalization
Under California law, a contract must be interpreted to give effect to the mutual intention of the parties at the time of they entered the contract. Cal. Civ. Code § 1636. To ascertain the parties' intent, the language of a contract governs its interpretation, if the language is clear and explicit and does not involve an absurdity. Cal Civ. Code § 1638. Thus, when a contract has been reduced to writing and the writing is clear and unambiguous, the intention of the parties is to be ascertained from the writing alone. Cal. Civ. Code § 1639. The words of a contract are to be understood in their ordinary and popular sense. Cal. Civ. Code § 1644.
However, if the court determines that a contract is reasonably susceptible to more than one interpretation, the court may consider extrinsic evidence offered to prove the parties' mutual intent. See Fremont Indem. Co. v. Fremont Gen. Corp., 148 Cal. App. 4th 97, 114 (2007); see also Shum v. Intel Corp., No. C-02-03262-DLJ, 2008 WL 4414722, at *6 (N.D. Cal. Sept. 26, 2008) ("If the court decides, after considering the extrinsic evidence, that the language of the contract is reasonably susceptible to the interpretation urged on the basis of that evidence, the evidence is admitted as evidence to aid in interpreting the contact." (citation omitted)). Evidence of the contracting parties' conduct after executing the contract but before any controversy has arisen as to its effects affords the most reliable evidence of the parties' intent. Kennecott Corp. v. Union Oil Co., 196 Cal. App. 3d 1179, 1189-90 (1987). Put simply, "[t]his rule of practical construction is predicated on the common sense concept that 'actions speak louder than words.'" Crestview Cemetary Ass'n v. Dieden, 54 Cal. 2d 744, 754 (1960); see also Auto. Salesmen's Union v. Eastbay Motor Car Dealers, Inc., 10 Cal. App. 3d 419, 424 (1970) (noting that the parties' conduct reflecting what the contract meant to them should prevail even over the ordinary meaning of the words used in the contract).
Here, there is a triable issue as to whether the terms of the Agreement required Defendant to implement cyber security measures. Certainly there is no provision in the contract that expressly states that Defendant had such an obligation. On the one hand, some language in the Agreement suggests that Defendant had a limited role at Music Group. For example, the Agreement provides that Defendant is hired as a consultant expected to work remotely for only one 40-hour work week per month (Dkt. No. 5-1 § 2), which certainly weighs in favor of a limited role. And the Agreement defined Defendant's duties, in part, as "a big picture evaluation of all IS systems and personnel" (id. § 2), which similarly suggests that Defendant was not tasked with actually implementing any procedures, let alone cyber security measures in particular.
On the other hand, there is other language in the contract that reflects a far broader set of responsibilities. For instance, Defendant's contractual obligation includes "management" of the IT and IS organizations. (Id.) The scope of the word "management" is broad; it could include cyber security responsibilities, or it could not. Put another way, the term "management" is susceptible to more than one interpretation, and therefore Plaintiff's extrinsic evidence of Defendant's role is relevant to what the parties intended it to mean. See Fremont Indem. Co., 148 Cal. App. 4th at 114. Plaintiff has presented enough extrinsic evidence to create a triable question as to whether the parties intended for Defendant's contractual management responsibilities to include cyber security. Defendant apparently held himself out as responsible for such matters, apologizing to the entire company on at least one occasion when the system's security failed. Defendant called himself Chief Technology Officer—in emails, in contracts with third parties, and on his public LinkedIn profile—and expert witness Markus Jakobsson has opined that where, as here, a company has a Chief Technology Officer and no separate chief officer specifically tasked with cyber security, those responsibilities fall to the Chief Technology Officer. Under such circumstances, viewing the Agreement and extrinsic evidence in the light most favorable to Plaintiff as required, see Diebold, Inc., 369 U.S. at 655, the Court cannot conclude as a matter of law that the language of the Agreement unambiguously means that cyber security was not within Defendant's contractual obligations. Rather, whether cyber security responsibilities fell to Defendant is a genuine issue of material fact.
To this end, the Court is not persuaded by Defendant's argument that Plaintiff cannot argue that the Agreement is ambiguous—and therefore cannot present extrinsic evidence of the parties' intent—due to Behringer's 30(b)(6) testimony that, in his opinion, the language of the Agreement is "clear." A lay person may not testify as to a legal conclusion, such as the correct interpretation of a contract. Evangelista v. Inlandboatmen's Union of Pac., 777 F.2d 1390, 1398 n.3 (9th Cir. 1985).
Given that Defendant's duties might have included cyber security, there is also sufficient evidence before the Court to create a genuine issue of material fact as to whether Defendant breached those duties. In his expert opinion, Dr. Jakobsson notes that Music Group should have had "reasonable security measures[,]" including a disaster recover plan that is "critical to a company's ability to respond quickly to a cyber attack and to minimize any damage[.]" (Dkt. No. 62 ¶¶ 5-6.) Based on the record, a reasonable jury could conclude that Defendant breached a duty to ensure cyber security—of course, if and only if he had such duty—by failing to prepare a disaster recovery plan and to ensure secure password management and a working backup system that either failed to prevent the attack in the first instance or increased the damage by hampering the company's recovery. Thus, Plaintiff has presented a triable issue on the question of breach.
There is also a triable issue as to causation and damages—i.e., whether Defendant's purported failure to implement cyber security measures in his management of the IT and IS departments caused Plaintiff's damages. "In breach of contract actions, damages cannot be presumed to flow from liability. It is essential to establish a causal connection between the breach and the damages sought." Metzenbaum v. R.O.S. Assocs., 188 Cal. App. 3d 202, 211 (1986). "The requisite causation, or causal connection, between breach and damages is established when the plaintiff demonstrates that the defendant's breach was a 'substantial factor' in causing the damage." Britz Fertilizers, Inc. v. Bayer Corp., 665 F. Supp. 2d 1142, 1167-68 (E.D. Cal. 2009) (citations omitted). "The term 'substantial factor' has no precise definition, but it seems to be something which is more than a slight, trivial, negligible, or theoretical factor in producing a particular result." US Ecology, Inc. v. California, 129 Cal. App. 4th 887, 909 (2005). For a breach to be a substantial factor in causing damages, it need not be the sole or exclusive cause of the damages. Bruckman v. Parliament Escrow Corp., 190 Cal. App. 3d 1051, 1063 (1987).
However, even "if a breach was a substantial factor in causing the plaintiff's damages, [if] the damages were of a type not reasonably foreseeable at the time of contracting nor within the contemplation of the parties at that time, the damages are not recoverable." Britz Fertilizers, 665 F. Supp. 2d at 1168 (citation omitted). One such scenario occurs "when an independent event intervenes in the chain of causation, producing harm of a kind and degree so far beyond the risk the [defendant] should have foreseen that the law deems it unfair to hold him responsible." Soule v. Gen. Motors Corp., 8 Cal. 4th 548, 583 n.9 (1994); see also Lugtu v. Cal. Highway Patrol, 26 Cal. 4th 703, 725 (2001).
There is evidence in the record from which a reasonable jury could conclude that cyber attacks were foreseeable at the time the parties executed the Agreement. (See Dkt. No. 62 ¶ 4.) Defendant insists that causation is defeated and damages are not reasonably foreseeable due to an intervening event—that is, the intentional attack caused by Plaintiff's own employees—that breaks the chain of causation and vitiates foreseeability. But this argument draws all inferences against Plaintiff and requires a weighing of the evidence—specifically, it gives greater weight to the Music Group preliminary investigation than Behringer's testimony that Plaintiff does not know who perpetrated the attack. Given the genuine dispute regarding who carried out the cyber attack, it cannot be said as a matter of law that the chain of causation is broken and damages were not reasonably foreseeable because the attack was carried out by Plaintiff's own employees. To the contrary, causation and damages remain triable issues. The Court therefore declines to grant summary judgment to Defendant on the breach of contract claim.
2. Contractual Indemnity
Next, Defendant contends that he is entitled to summary judgment on the contractual indemnity claim. The Agreement provides that Defendant shall indemnify Plaintiff for damages, costs, and expenses "arising in consequence of the gross negligence or willful misconduct of the [Defendant] or a breach by the [Defendant] of any term herein or gross negligence on the part of the [Defendant] in connection with the performance of his duties." (Dkt. No. 5-1 § 14.)
California law defines "indemnity" as "a contract by which one engages to save another from a legal consequence of the conduct of one of the parties, or of some other person." Cal. Civ. Code § 2772. "Indemnity generally refers to third party claims." Zalkind v. Ceradyne, Inc., 194 Cal. App. 4th 1010, 1024 (2011); see also Myers Building Indus., Ltd. v. Interface Tech., Inc., 13 Cal. App. 4th 949, 969 (1993) ("Indemnification agreements ordinarily relate to third party claims."). However, "this general rule does not apply if the parties to a contract use the term 'indemnity' to include direct liability as well as third party liability." Dream Theater Inc. v. Dream Theater, 124 Cal. App. 4th 547, 556 (2004). "[E]ach indemnity agreement is 'interpreted according to the language and contents of the contract as well as the intention of the parties as indicated by the contract.'" Wilshire-Doheny Assocs., Ltd. v. Shapiro, 83 Cal. App. 4th 1380, 1396 (2000) (citation omitted). Whether an indemnity provision covers direct liability as well turns on the parties' intent as expressed in the agreement, involving an inquiry into the language of the contract. Zalkind, 194 Cal. App. 4th 1024-25.
For example, in Dream Theater, the indemnity clause stated that indemnification applies "whether or not [the damages] aris[e] out of third party Claims." 124 Cal. App. 4th at 553-54. Likewise, Wilshire-Doheny Associates, Ltd. v. Shapiro, 83 Cal. App. 4th 1380, 1396 (2000), involved two indemnification provisions in a contract between a corporation and its employees. The first provided that the corporation
agrees to indemnify and hold the indemnitees and their assigns, successors, heirs, and personal representatives harmless against any and all claims, suits, demand, actions, causes of action[ ], damages, set-offs, liens, attachments, debts, expenses, judgments, or other liabilities of whatsoever kind or nature arising out of or related to the actions taken by the indemnitees on behalf of [the corporation] and its affiliates.Id. at 1387. The second similarly provided that the corporation "hereby indemnifies and holds [the employee] harmless from any and all claims, actions and liabilities brought against him with respect to his [corporate] capacity . . . or any actions he takes in good faith on behalf of the Corporation." Id. at 1395. Likewise, in Zalkind v. Ceradyne, Inc., 194 Cal. App. 4th 1010, 1016 (2011), the parties entered an asset purchase agreement that contained an indemnity provision stating that:
Ceradyne shall indemnify, hold harmless, and defend the Zalkinds and Quest from and against any and all damages and losses incurred by the Zalkinds and Quest that arise from or are in connection with . . . [a]ny breach or default by [Ceradyne] of its covenants or agreements contained in this Agreement.Id. at 1027. The Court concluded that the "any and all" damages arising from breach language was sufficiently broad to include direct claims. Id.
So it is here. The provision here specifically provides that
Consultant shall indemnify and hold harmless [Plaintiff] and its officers, agents, employees, successors and authorized assigns from and against any and all liabilities, damages, costs, losses, claims, demands, actions, and expenses (including reasonable attorneys' fees) arising in consequence of the gross negligence or willful misconduct of the Consultant or a breach by the Consultant of any term herein or gross negligence on the part of the Consultant in connection with the performance of his duties.(Dkt. No. 5-1 § 14 (emphasis added).) Although it does not include the "whether or not arising out of third party claims" language present in Dream Theater, like Wilshire-Dohney, and Zalkind, the Agreement's provision is broad, requiring indemnity regarding "any and all" costs and damages. Defendant has not identified any language limiting indemnity solely to third party claims. The Court therefore concludes that the indemnification clause covers direct claims, like the one Plaintiff alleges here. Accordingly, the Court cannot conclude as a matter of law that Defendant is not required to indemnify Plaintiff for damages arising out of any gross negligence or breach. As there remains a genuine issue of material fact regarding whether Defendant breached his contractual obligations in the context of the breach of contract claim, so too is there a genuine issue of material fact regarding whether Defendant breached in a manner that would trigger the indemnification provision here. Because it is disputed whether Plaintiff's employees actually perpetrated the cyber attack, Defendant's argument that Plaintiff's own negligence bars indemnity is inapposite.
Defendant's argument that Plaintiff's indemnification claim is time-barred fares no better. Defendant argues that Plaintiff was obligated to make a claim for indemnification against Defendant during the term of the Agreement and as support highlights that there is no language in the indemnification provision stating that it would continue post-termination, while such language appears in other clauses. (Compare Dkt. No. 5-1 § 14, with id. §§ 7, 9, 10, 11.) Tellingly, Defendant does not cite a single authority in support of this argument, and the Court has found none. The Court is hard-pressed to understand how this interpretation would work in practice, as it would require Plaintiff to continue employing Defendant—i.e., keep the Agreement in place and continue to pay him—until it had determined the scope of its damages in order to seek indemnification. Surely this cannot have been the intent of the parties.
Accordingly, the Court concludes that genuine issues of material fact preclude a grant of summary judgment to Defendant on the contractual indemnification claim.
3. Negligence
Lastly, Defendant argues that he is entitled to summary judgment on Plaintiff's claim of negligence. To establish negligence under California law, a plaintiff must establish four required elements: (1) duty; (2) breach; (3) causation; and (4) damages. Ileto v. Glock Inc., 349 F.3d 1191, 1203 (9th Cir. 2003) (citations omitted).
a. Whether Defendant Owed a Legal Duty to Plaintiff
Defendant first contends that he owed no duty to Plaintiff. Duty is a legal issue and must be determined by the court. Isaacs v. Huntington Mem. Hosp., 38 Cal. 3d 112, 124 (1985). A duty of care may arise through statute, contract, the general character of the activity, or the relationship between the parties. J'Aire Corp. v. Gregory, 24 Cal. 3d 799, 803 (1979). In Freeman & Mills, Inc. v. Belcher Oil Co., the California Supreme Court clarified that tort recovery is precluded for non-insurance contractual breaches "in the absence of violation of an independent duty arising from principles of tort law." Freeman & Mills, Inc. v. Belcher Oil Co., 11 Cal. 4th 85, 102 (1995) (quotation marks omitted). Generally, a plaintiff can recover in tort after a contract breach in three situations, only two of which are relevant here: (1) when a product defect causes damage to other property; (2) when a defendant breaches a legal duty independent of the contract and (3) if a "special relationship" existed between the parties. NuCal Foods, Inc. v. Quality Egg LLC, 918 F. Supp. 2d 1023, 1028 (E.D. Cal. 2013) (citations omitted); see also Valenzuela v. ADT Sec. Servs., Inc., 475 F. App'x 115, 117 (9th Cir. 2012); Erlich v. Menezes, 21 Cal. 4th 543, 558 (1999).
Here, Plaintiff alleges that Defendant "breached his duty of care to Plaintiff and was grossly negligent when he failed to perform his obligations under the defined services of the [Agreement.]" (Dkt. No. 5 ¶ 21.) Seizing on this language, Defendant urges that Plaintiff's "negligence claim relies on the contract" and since Defendant "did not owe a duty of care to [Plaintiff] separate and apart from his contractual duties, . . . the cause of action for negligence fails as a matter of law." (Dkt. No. 49-5 at 28-29.)
Plaintiff, for its part, contends that two of the scenarios identified in NuCal Foods are present here: (1) a "special relationship" exists between the parties, and (2) Defendant breached a legal duty independent of the contract—either his fiduciary duty as Plaintiff's agent or his duty to provide professional services pursuant to the standard of care for such services. The Court will address each in turn.
First, Plaintiff contends that Defendant owed Music Group an independent tort duty based on the parties' "special relationship." The California Supreme Court recognized the "special relationship" exception to recovery for negligence arising out of a contractual breach in J'Aire Corp. v. Gregory, 24 Cal. 3d 799 (1979). In J'Aire, a tenant brought a negligence action against a contractor for lost profits stemming from the contractor's failure to timely complete construction. Id. at 802-04. The parties were not in contractual privity; the contractor had entered an agreement with the owner of the property, but not with the tenant-lessee. See id. J'Aire set forth an exception to the general rule that a contractor is not liable to a third party for purely economic damages, noting that a "special relationship" may exist between a contractor and a tenant such that the contractor may be liable in tort if certain criteria are present. Id. at 804-05. Those criteria include:
(1) the extent to which the transaction was intended to affect the plaintiff, (2) the foreseeability of harm to the plaintiff, (3) the degree of certainty that the plaintiff suffered injury, (4) the closeness of the connection between the defendant's conduct and the injury suffered, (5) the moral blame attached to the defendant's conduct and (6) the policy of preventing future harm.Id. at 804. Because all six criteria were present in J'Aire, the court found a "special relationship" created a legal duty and therefore allowed the tenant to recover in tort for lost profits stemming from the contractor's breach. Id. at 804. The California Supreme Court specifically limited the case's holding to circumstances when "the injury is not part of the plaintiff's ordinary business risk." Id. at 808. In J'Aire's wake, California courts have applies these "special relationship" factors to instances where the parties are in privity of contract. See, e.g., Ott v. Alfta Laval Agr., Inc., 31 Cal. App. 4th 1439, 1448, 1454 (1995) ("The cases, beginning with J'Aire, are clear and consistent in permitting recovery even when the economic injury is the only injury alleged; nor is absence of a contract remedy a requisite.").
Applying the J'Aire factors to the present case, the Agreement was clearly intended to affect Plaintiff. Second, the harm was foreseeable, as the Jakobsson Declaration explains, cyber attacks were commonplace during the time the parties executed the Agreement. Third, it is certain that Plaintiff suffered injury in the form of actual destroyed data and time and resources dedicated to rebuilding and recovering the damaged systems. Other factors, however, weigh against a finding of a special relationship. The degree of closeness between Defendant's alleged conduct and Plaintiff's injury could be greater. Nor does "moral blame" or public policy encourage a finding of a special relationship; especially where a contract exists, the Court is hesitant to expand the blame or responsibility onto an individual as opposed to the company that hired and oversaw that person. Likewise, prevention of future harm might be effected just as well without a finding of a special relationship, as the onus would be placed on companies, not just their hires, to monitor tasks. The Court therefore declines to find a "special relationship" of the type mentioned in J'Aire to all employee-employer or consultant-consultee relationships.
Next, Plaintiff argues that Defendant owed an independent legal duty to Plaintiff: a fiduciary duty based on his role as Plaintiff's agent. California law defines an agent as "one who represents another, called the principal, in dealings with third persons." Cal. Civ. Code § 2295. An agency relationship may be implied form the circumstances and conduct of the parties. Michelson v. Hamada, 29 Cal. App. 4th 1566, 1579-80 (1994). Mere contractual relationships, without more, do not give rise to fiduciary relationships. Oakland Raiders v. Nat'l Football League, 131 Cal. App. 4th 621, 633-34 (2005). However, "when one assumes to act as the agent for another, he may not, when challenged for these acts, deny his agency[.]" People v. Robertson, 6 Cal. App. 514, 517 (1907).
Defendant objected to this argument on the grounds that it was not pleaded in the complaint and cannot be raised for the first time in an opposition to a summary judgment motion. The Court will address the agency argument despite denying Plaintiff's request for leave to amend to include additional facts supporting an agency relationship. There is no harm to Defendant in doing so, as Plaintiff's argument is a non-starter.
The evidence before the Court establishes that Defendant owed Plaintiff a duty as its agent insofar as Defendant signed contracts with third parties on the company's behalf and without seeking prior approval from anyone else within the company. It is well established that "[a]gents owe their principal a fiduciary duty." See, e.g., Chem. Bank v. Sec. Pac. Nat'l Bank, 20 F.3d 375, 377 (9th Cir. 1994) ("The very meaning of being an agent is assuming fiduciary duties to one's principal[.]" (citation omitted)). A fiduciary relationship imposes duties of full disclosure and loyalty. See Rookard v. Mexicoach, 680 F.2d 1257, 1262 (9th Cir. 1982). The complaint does not allege breach of a fiduciary duty, though, which may arise when, for example, a corporate officer engages in self-dealing to the detriment of his company. See Bacon v. Soule, 19 Cal. App. 428, 434 (1912) (noting that the fiduciary relationship is "founded upon the trust or confidence reposed by one person in the integrity and fidelity of another, and . . . precludes the idea of profit or advantage resulting from the dealings of the parties and the person in whom the confidence is reposed"). Instead, the breaches alleged in the complaint do not arise from Defendant's actions as Plaintiff's supposed agent, but as purported Chief Technology Officer. Thus, the fiduciary/agent argument is not a path to establishing duty for the purposes of the negligence claim alleged here.
Trying a different tack, Plaintiff contends that Defendant owed a duty to Music Group based on the provision of professional services as a Chief Technology Officer. While "professional negligence breaches a duty that exists only because the parties have a contractual agreement, [ ] it has been recognized that an action for professional negligence constitutes both a tort and a breach of contract." City & Cnty. of San Francisco v. Cambridge Integrated Servs. Grp., Inc., No. C 04-1523 VRW, 2007 WL 1970092, at *4 (N.D. Cal. July 2, 2007) (quoting Loube v. Loube, 64 Cal. App. 4th 421, 430 (1998)); see also Moreno v. Sanchez, 106 Cal. App. 4th 1415, 1435 (2003). Thus, California courts "apply a rule that negligent failure to exercise reasonable care and skill in undertaking to perform a professional services contract is a tort as well as a breach of contract." Id. Put another way, in such cases, the plaintiff "must show (1) the duty of the professional to use such skill, prudence and diligence as other members of the profession commonly possess and exercise; (2) breach of the duty; (3) a causal connection between the negligent conduct and the resulting injury; and (4) actual loss or damage resulting from that professional negligence." Architectural Res. Grp., Inc. v. HKS, Inc., No. C 12-5787 SI, 2013 WL 568921, at *4 (N.D. Cal. Feb. 13, 2013); Giacometti v. Aulla, LLC, 187 Cal. App. 4th 1133, 1137 (2010). To meet the first element, the plaintiff must establish that there is a particular standard of care associated with the given profession; the rule has been held to extend to professionals practicing in the fields of law, Jackson v. Rogers & Wells, 210 Cal. App. 3d 336, home inspection, Moreno, 106 Cal. App. 4th at 1428, home construction, Architectural Res. Grp., Inc., 2013 WL 568921, at *5, insurance agents and brokers, Hydro-Mill Co. v. Hayward, Tilton & Rolapp Ins. Assocs., Inc. , 115 Cal. App. 4th 1145, 1153 (2004), and environmental consultants, Mission Oaks Ranch, Ltd. v. Cnty. of Santa Barbara, 65 Cal. App. 4th 713, 723-25 (1998), overruled on other grounds in Briggs v. Eden Council for Hope & Opportunity, 19 Cal. 4th 1106, 1123 n.10 (1999).
Plaintiff has not cited any case in which a court applied professional negligence to an IT consultant or Chief Technology Officer, and the Court has found none. Thus, no court has found that a person performing in Defendant's role owes a duty to perform at a particular level of care such that an individual performing such role owes a professional duty to use such skill, prudence and diligence as other members of the profession commonly possess and exercise. However, Plaintiff has cited sufficient evidence to raise a genuine issue of material fact as to whether a particular standard of care is associated with the role of Chief Technology Officers. Although Jakobsson concedes that in the field of internet technology and security "[t]here is no industry wide standard regarding whether responsibilities for a company's [IT] and network security are assigned to a company's IT department or [IS] department or to another department . . . or for which company executive bears ultimate responsibility for a company's IT and network security," he has stated the following to support the conclusion that Defendant was responsible:
Save one unpublished, non-citable California case in which the Court dismissed the plaintiff's claim that defendant breached his duty by failing to use the skill and care ordinarily exercised by similar experienced "computer experts" as time-barred. Argent v. Bluto, No. B161628, 2004 WL 1178763, at *7 (Cal. Ct. App. May 28, 2004).
When a company has not retained a Chief Information Officer ("CIO") or Chief Information Security Officer ("CISO"), network security typically falls on the shoulders of the Chief Technology Officer ("CTO"), especially when the CTO is charged with planning and managing the network infrastructure, and when network security personnel report up the chain of command to the CTO.(Dkt. No. 62 ¶ 3.) Thus, here, a reasonable jury could find that Defendant was the CTO and that, as CTO, he was responsible for network security. Further, there is enough evidence before the Court from which a reasonable jury could find that other members of the corporate IT security profession would have taken certain steps to better protect Music Group from a cyber attack; Jakobsson describes reasonable security measures that companies take to deal with the threat of cyber attacks, including implementation of a disaster recovery and backup plans and secure password management. (Dkt. No. 62 ¶¶ 4-7.) It may be that there is no particular standard of care for Chief Technology Officers or IT consultants with respect to cyber security. Although not strong, with the Jakobsson declaration Plaintiff has eked out just enough to create a genuine issue of material fact as to whether there is. Thus, Plaintiff's evidence creates a triable issue as to whether an individual in Defendant's position owes an independent tort duty based on the provision of professional services.
b. Whether Plaintiff Has Established a Prima Facie Case of Causation
In addition to establishing that Defendant owed a duty of care, to recover for negligence the Plaintiff must also prove causation. "To establish liability in negligence, it is a fundamental principal of tort law that there must be . . . a breach of [a legal] duty which is the proximate cause of the resulting injuries." Ileto, 349 F.3d at 1206 (citation and footnote omitted). Proximate cause "limits the defendant's liability to those foreseeable consequences that the defendant's negligence was a substantial factor in producing." Mendoza v. City of Los Angeles, 66 Cal. App. 4th 1333. "Whether an act is the proximate cause of injury is generally a question of fact; it is a question of law where the facts are uncontroverted and only one deduction or inference may reasonably be drawn from the facts." Ileto, 349 F.3d at 1206 (internal quotation marks and citation omitted).
Here, as with causation in the context of Plaintiff's contract claims, Defendant insists that causation is absent as a matter of law because Plaintiff "has admitted that the cyber attack (and therefore all of its claimed damages) was caused by an intentional act" of two of its employees. (Dkt. No. 49-5 at 29.) But this argument makes credibility determinations, weighs evidence, and draws inferences against Plaintiff which is inappropriate at summary judgment, as discussed above. Accordingly, Defendant has not established that Plaintiff will be unable to meet its burden of demonstrating causation at trial.
Though perhaps not the likely or probably outcome, a reasonable jury could find that Defendant failed to perform as Chief Technology Officer with the skill and care normally used in the field, and that his failure to meet that standard caused at least some portion of Music Group's damages stemming from the cyber attack. Thus, Defendant is not entitled to summary judgment on the negligence claim.
4. Plaintiff's Rule 56(d) Request
Pursuant to Rule 56(d), Plaintiff requested a delay of determination of Defendant's summary judgment motion on the grounds that two general categories of further evidence are needed in order to properly resolve the motion: (1) additional fact discovery to shed further light on Defendant's role and responsibilities at Music Group, which is relevant to determining whether Defendant was responsible for IT-related security or not; and (2) expert discovery regarding the foreseeability of cyber attacks, the relevant standard of care for a professional providing cyber security services, and whether Defendant breached that duty. (See Dkt. No. 61.) Plaintiff has identified two fact witnesses whose depositions are outstanding and one expert witness who has yet to produce a report. However, while such information may well be relevant to the issue, Plaintiff's request is moot given the denial of Defendant's motion for summary judgment.
Plaintiff's Rule 56(d) request for continuance is also denied to the extent that further discovery might reveal the extent to which Defendant interacted with third parties as Music Group's agent. Such information is only relevant to Plaintiff's theory that Defendant is liable based on his role as Music Group's fiduciary. But as discussed above, Plaintiff's fiduciary-duty theory fails; Defendant's role as fiduciary does not give rise to breach of contract or negligence because the alleged misconduct does not arise out of his role as a fiduciary or agent of Music Group, but out of his role as de facto Chief Technology Officer.
Accordingly, the Court DENIES Plaintiff's Rule 56(d) request.
* * *
In sum, genuine issues of material fact preclude summary judgment on all three claims.
III. MOTION FOR LEAVE TO AMEND THE COMPLAINT
A. Legal Standard
Federal Rule of Civil Procedure 15(a) provides generally that leave to amend the pleadings before trial should be given freely "when justice so requires." Fed. R. Civ. P. 15(a)(2). The Ninth Circuit has emphasized that leave to amend is to be granted with "extreme liberality." DCD Programs, Ltd. v. Leighton, 833 F.2d 183, 186 (9th Cir. 1987) (citation omitted). Under this rule, in determining whether justice requires leave to amend, courts consider five factors initially listed in Foman v. Davis, 371 U.S. 178, 182 (1962): "bad faith, undue delay, prejudice to the opposing party, futility of amendment, and whether the plaintiff has previously amended the complaint." Johnson v. Buckley, 356 F.3d 1067, 1077 (9th Cir. 2004). Amendments seeking to add claims are to be granted more freely than amendments adding parties. Union Pac. R. Co. v. Nev. Power Co., 950 F.2d 1429, 1432 (9th Cir. 1991). "[I]t is the consideration of prejudice to the opposing party that carries the greatest weight." Eminence Capital, LLC v. Aspeon, Inc., 316 F.3d 1048, 1052 (9th Cir. 2003) (citation omitted). "The party opposing leave to amend bears the burden of showing prejudice." Sherpa v. SBC Telecomm'cns, Inc., 318 F. Supp. 2d 85, 870 (N.D. Cal. 2004) (citation omitted).
In contrast, when a plaintiff seeks to file an amended complaint after the leave-to-amend deadline set forth in a court's scheduling order, the plaintiff's ability to amend is "governed by Rule 16(b), not Rule 15(a)." Johnson v. Mammoth Recreations, Inc., 975 F.2d 604, 607 (9th Cir. 1992); Zamora Zamora v. City of San Francisco, No. 12-cv-02734-NC, 2013 WL 4529533, at *2 (N.D. Cal. Aug. 26, 2013) (citation omitted). Here, the Court's Pretrial Order did not include a deadline for amending the pleadings. (Dkt. No. 35 at 1.) Accordingly, the liberal standard set forth in Rule 15 applies.
"Absent prejudice, or a strong showing of any of the [other] Foman factors, there exists a presumption under Rule 15(a) in favor of granting leave to amend." Eminence Capital, LLC v.
Aspeon, Inc., 316 F.3d 1048, 1052 (9th Cir. 2003). While "[d]elay alone is insufficient to justify denial of leave to amend," Jones v. Bates, 127 F.3d 839, 847 (9th Cir. 1997), "late amendments to assert new theories are not reviewed favorably when the facts and the theory have been known to the party seeking amendment since the inception of the cause of action," Acri v. Int'l Ass'n of Machinists & Aerospace Workers, 781 F.2d 1393, 1398 (9th Cir. 1986).
Ultimately, the decision to grant or deny a request for leave to amend rests in the discretion of the trial court. California v. Neville Chem. Co., 358 F.3d 661, 673 (9th Cir. 2004). The court's "discretion to deny leave to amend is particularly broad where plaintiff has previously amended the complaint." City of L.A. v. San Pedro Boat Works, 635 F.3d 440, 454 (9th Cir. 2011). The Court has discretion to grant or deny leave to amend even after a motion for summary judgment has been filed. Ferris v. Santa Clara Cnty., 891 F.2d 715, 720 (9th Cir. 1989). "However, district court cases within the Ninth Circuit do indicate that where there is a summary judgment motion pending, leave to amend may be denied when the plaintiff has not made a substantial showing to support the amendment." Oncology Therapeutics Network Connection v. Virginia Hematology Oncology PLLC, No. C 05-3033 WDB, 2006 WL 334532, at *13 (N.D. Cal. Feb. 10, 2006) (citation omitted); see also Maldonado v. City of Oakland, No. C 01 1970 MEJ, 2002 WL 826801, at *4 (N.D. Cal. Apr. 29, 2002) (citing Schwarzer, Tashima & Wagstaffe, Fed. Civ. Procedure Before Trial § 8:420.1 (2002 ed.)). A court in this District has concluded that:
in this Circuit, whether there is a summary judgment motion pending is a factor the Court may consider in assessing whether there has been undue delay and/or prejudice to the defendant. Typically, summary judgment motions are brought after the parties have substantially developed the case through discovery. Under those circumstances . . . the Court should take special care to ensure that plaintiff is not abusing the system and that defendants will not be unduly prejudiced.
Oncology Therapeutics Network Connection, 2006 WL 334532, at *13 (emphasis in original). Put another way, "trial courts [should] more closely scrutinize whether amendment is appropriate after the parties have conducted a great deal of discovery and expended substantial resources developing the case as originally framed." Id. at 14; see also Schlacter-Jones v. Gen. Tel., 936 F.2d 435, 443 (9th Cir. 1991), overruled on other grounds by Cramer v. Consol. Freightways, Inc., 255 F.3d 683, 692 (9th Cir. 2001) (noting that filing a motion for leave to amend while a summary judgment motion is already pending "weighs heavily against allowing leave").
B. Discussion
Plaintiff seeks leave to amend the FAC to allege a new cause of action for breach of fiduciary duty and to include additional factual allegations in support of Plaintiff's previously existing claims. The amendments mostly pertain to the relationship between the parties and Defendant's conduct with third parties on Plaintiff's behalf—facts that, in Plaintiff's view, demonstrate that Defendant was acting as Plaintiff's agent. (See Dkt. No. 66 at 3 ("[T]he facts that have come to light through discovery support a claim that at the very least [Defendant] acted as an agent of [Plaintiff].").)
As a threshold matter, and contrary to Defendant's argument, this is not the type of scenario in which the Court's discretion to decide whether to grant leave to amend is particularly narrow given earlier grants of such leave. See San Pedro Boat Works, 635 F.3d at 454. This is not a case in which Plaintiff has repeatedly amended its theories of liability or continually sought to include new facts to support its claims to no avail. Instead, Plaintiff's claims have remained entirely consistent since it initially brought suit against Defendant in Washington; other than an amendment to substitute a signed agreement in lieu of an unexecuted version, this is the first time Plaintiff has sought to change the substance of the complaint in this action.
Turning to the Foman factors, the Court begins with prejudice—the "touchstone of the inquiry"—as in its absence, the presumption in favor of amendment applies. See Eminence Capital, 316 F.3d at 1187. Defendant has not met its burden of showing that allowing the requested amendments will prejudice him: (1) the newly asserted fiduciary duty claim is based almost entirely on information that has already been disclosed during the course of discovery, (2) since it is based on the relationship between the parties and Defendant's conduct with third parties, the facts giving rise to the claim are already within Defendant's knowledge, and (3) to the extent further discovery is needed, there is still one month until the July 24, 2015 discovery deadline. See Sherpa, 318 F. Supp. 2d at 870. Further, Plaintiff's opposition to Defendant's pending motion for summary judgment relies on the theories and facts alleged in the amended complaint; in other words, the amendments will not necessarily require another round of briefing.
Likewise, the Court concludes that Plaintiff did not seek to amend in bad faith. Notably, Plaintiff alerted Defendant and the Court in November in the parties' joint case management statement that filing an amended pleading was a possibility. (See Dkt. No. 32 § V.) Amending in light of newly discovered evidence is not bad faith. Defendant's argument to the contrary is unavailing.
Nonetheless, the Court next concludes that Plaintiff unduly delayed in failing to include the facts pertaining to Defendant's conduct with third parties sooner. In support of its motion Plaintiff submits the declaration of its attorney Allison Dibley, who avers that:
Due to the extensive loss of data and significant turnover of the personnel in the Information Technology ("IT") and Information Systems ("IS") departments following the cyber attack at issue in this matter, I am informed and believe that Music Group has had extreme difficulty in locating and producing documents. Following the review of recovered emails, and the March 5, 2015 deposition of [Defendant], Plaintiff discovered facts supporting the additional claim and factual assertions.(Dkt. No. 66-1 ¶ 4.) This vague assertion falls short of justifying Plaintiff's delay in amending the complaint, especially given the heightened level of scrutiny required to justify leave to amend once a summary judgment motion is already pending. See Oncology Therapeutics Network Connection, 2006 WL 334532, at *13. In particular, with respect to the new allegations about agency, the Dibley Declaration fails to explain what "recovered emails" it eventually reviewed or what testimony Defendant offered that allowed it to discover the facts it now seeks to add to the complaint. In its reply, Plaintiff represented that its amendments are based on discovery of emails produced on April 1, 2015, that included third-party contracts that Defendant signed on behalf of Plaintiff as its Chief Technology Officer. (Dkt. No. 82-1 ¶ 5; see also Dkt. No. 59 at Exs. A, B.) The problem for Plaintiff is this: even if Plaintiff did not have those emails, it knew at the time of filing the initial complaint that Defendant held himself out as Chief Technology Officer, so it could have brought the claim at that time. Given Plaintiff's 10-month delay in seeking leave to amend this claim points heavily to undue delay. See Kaplan v. Rose, 49 F.3d 1363, 1370 (9th Cir. 1994) (giving greater weight to undue delay factor where facts and theories sought to be added were known to moving party early in the litigation). On the other hand, even if Plaintiff had known about the facts but delayed in seeking leave to amend, it is well established that "delay by itself is not a sufficient reason to deny a motion to amend[.]" Serpa v. SBC Telecommc'ns, Inc., 318 F. Supp. 2d 865, 872 (N.D. Cal. 2004) (citing United States v. Webb, 655 F.2d 977, 980 (9th Cir. 1981)).
But the buck stops for Plaintiff at the last Foman factor, "[f]utility of amendment[, which] can, by itself, justify the denial of a motion for leave to amend." Bonin v. Calderon, 59 F.3d 815, 845 (9th Cir. 1995). Futility is found "[w]here the theory presented in the amendment is lacking in legal foundation, or where previous attempts have failed to cure a deficiency and it is clear that the proposed amendment does not correct the defect[.]" Serpa, 318 F. Supp. 2d at 872 (citation omitted). Although Defendant does not argue that Plaintiff's amendments would be futile, the Court reaches this conclusion easily.
Plaintiff seeks to amend its pleading in two main ways: first, to include additional facts to support its claim that Defendant acted as Music Group's agent to use his role as agent and therefore fiduciary to support the negligence claim; and second, to bring an additional claim for breach of fiduciary duty. The Court already addressed why the agent-principal relationship cannot serve as the independent tort duty giving rise to a negligence claim here—i.e., even if Defendant owed Music Group a duty as its agent, the alleged breach of that duty does not arise out of his role as agent or his actions with respect to third parties. Thus, such amendments are futile.
Amending the complaint to allow Plaintiff to bring a claim for breach of fiduciary duty would also be futile. To state a claim for breach of fiduciary duty, a complaint must allege the existence of a fiduciary duty, its breach, and damages resulting therefrom. City of Atascadero v. Merrill Lynch, Pierce, Fenner & Smith, 68 Cal. App. 4th 445, 483 (1998). "The absence of any one of these elements is fatal to the cause of action." Pierce v. Lyman, 1 Cal. App. 4th 1093, 1101 (1991). Plaintiff concedes that Defendant owes no fiduciary duty to Music Group based on his role as its employee or consultant. Instead, Plaintiff alleges that Defendant owes Music Group a fiduciary duty arising out of his role as its de facto Chief Technology Officer, on the grounds that executives and officers have a fiduciary duty to their corporations.
Music Group is a company incorporated in the foreign country of Macau with its registered offices in that country, as well. (See Dkt. No. 5 ¶ 1.) Still, at oral argument the parties agreed that California law applies to the question of whether Defendant owes a duty to the corporation as its fiduciary. --------
It is without dispute that executives and officers of a corporation owe a fiduciary duty to the corporation under California law. Plaintiff concedes that Music Group's board of directors—nor anyone else authorized to do so under the company's bylaws— never appointed Defendant to serve as Chief Technology Officer or any other executive position. Instead, Plaintiff bases its claim on Defendant's purported role as de facto officer. Plaintiff was unable to cite any cases holding that such a role creates a fiduciary duty. This omission is unsurprising given that under California law, an individual is a corporate officer—and therefore owes a fiduciary duty—when the individual has been appointed as a corporate officer by the board of directors or otherwise under the procedures set forth in the corporation's articles or bylaws. See Cal. Corp. Code § 312. It is therefore the actual appointment that creates corporate officer-ship triggering the fiduciary duty and other attendant responsibilities. Thus, "[t]he distinction between an agent or employee and an officer is not determined by the nature of the work performed, but by the nature of the relationship and the particular corporation." Bruce v. Travelers Ins. Co., 266 F.2d 781, 784 (5th Cir. 1957); Select Portfolio Servicing, Inc. v. Evaluation Solutions, L.L.C., No. 3:06-cv-582-J-33MMH, 2006 WL 2691784, at *9 (M.D. Fl. Sept. 20, 2006) (same) (citation omitted).
Nevertheless, the law recognizes limited exceptions where an individual will be held to his fiduciary duty as a de facto officer that has the same fiduciary duties as a de facto director. In re Globe Drug Co., 104 F.2d 114, 117 (9th Cir. 1939); McKeehan v. Pac. Fin. Corp., 120 Cal. App. 578 (1932). First, courts will recognize a de facto officer where the apparent officer assumes possession of an office under the claim and color of an election or appointment and actually discharges the duties of that office. See Select Portfolio Servicing, Inc., 2006 WL 2691784, at *10 (citing In re Walt Disney Deriv. Litig. , 906 A.2d 27, 48 (Del. 2006); South Seas Corp. v. Sablan, 525 F. Supp. 1033, 1038 (D. N. Mariana Is. 1981). Under this path to de facto officer-ship, "the corporation must take some action that looks like a formal appointment or election" to create a de facto officer. Id. Such facts have not been alleged here, so Plaintiff's breach of fiduciary duty claim does not sufficiently plead that Defendant is a de facto officer by way of a legally insufficient appointment or election process.
Nor does Plaintiff's complaint plead that Defendant is a de facto officer in the second manner. California courts recognize a de facto officer as one who has no legal authority to act, but who presents himself or herself as having that authority "with the acquiescence" of the involved party. See In re Redev. Plan of Bunker Hill, 61 Cal. 2d 21, 42 (1964). The goal of this limited exception is to protect innocent third parties during the course of transactions with corporate officers that present themselves as having authority to act. See Mar. Forests Soc'y v. Cal. Coastal Comm., 36 Cal. 4th 1, 54 (2005); Oakland Pavilion Co. v. Donovan, 19 Cal. App. 488, 493-94 (1912). However, courts have long held that this exception only does not create de facto officer duties or liabilities "where the rights of the public are not affected, nor where all the parties interested have knowledge that the person pretending to be an officer is not an office de jure; for in such a case the reason of the rule no longer exists, and the law should not be involved for protection." Rozecrans Gold Mining Co. v. Morey, 111 Cal. 4th 114, 117 (1896) (dicta); Mar. Forests Soc'y, 36 Cal. 4th at 54; see also 2 Fletcher, Cyclopedia of the Law of Private Corporations (2005) Directors, Other Officers and Agents § 385. Plaintiff's allegations do not create fiduciary duty through de facto officer-ship, since the rights of the public are not at issue here and instead this is a dispute between two private parties that both had full knowledge that Defendant was not an actual, de jure, appointed or elected corporate officer. See Rozecrans Gold Mining Co., 111 Cal. 4th at 117; Mar. Forests Soc'y, 36 Cal. 4th at 54.
Thus, no fiduciary duty arises under the facts alleged in the proposed second amended complaint, so leave to amend to include a breach of fiduciary duty claim would be futile. And even were it not, Plaintiff unduly delayed in seeking to add the claim. Plaintiff has known since before even the first action was filed that it—and Defendant—held Defendant out as a Chief Technology Officer. There is no excuse for the delay.
* * *
Undue delay and futility compel the conclusion that leave to amend is not appropriate here. Thus, the Court DENIES Plaintiff's motion for leave to file a Second Amended Complaint.
VI. CONCLUSION
For the reasons described above, Defendant's motion for summary judgment is DENIED. Defendant's motion for leave to file supplemental evidence in support of summary judgment is GRANTED. Plaintiff's motions for a Rule 56(d) continuance and for leave to file a second amended complaint are DENIED.
The case is referred to Magistrate Judge Spero for a settlement conference to occur within the next 90 days or is otherwise convenient to Judge Spero.
This Order terminates Docket Nos. 50, 66, and 100.
IT IS SO ORDERED. Dated: June 22, 2015
/s/_________
JACQUELINE SCOTT CORLEY
United States Magistrate Judge