Grifo & Co., PLLC v. Cloud X Partners Holdings, LLC

• Decision Date: 09 September 2020
• Docket Number: Case No. 20-10858
• Parties: GRIFO & COMPANY, PLLC, Plaintiff, v. CLOUD X PARTNERS HOLDINGS, LLC, f/k/a InsynQ, LLC, Defendant.
• Court: U.S. District Court — Eastern District of Michigan

485 F.Supp.3d 885

GRIFO & COMPANY, PLLC, Plaintiff,

v.CLOUD X PARTNERS HOLDINGS, LLC, f/k/a InsynQ, LLC, Defendant.

Case No. 20-10858

United States District Court, E.D. Michigan, Southern Division.

Signed September 9, 2020

Linda M. Watson, Birmingham, MI, Michael Croghan, Clark Hill PLC, Chicago, IL, for Plaintiff.

Lee Janiczek, Lewis Brisbois Bisgaard & Smith LLP, Wayne, PA, John R. Christie, Lewis Brisbois Bisgaard and Smith LLP, Cleveland, OH, for Defendant.

OPINION AND ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS

ROBERT H. CLELAND, UNITED STATES DISTRICT JUDGE

Plaintiff Grifo & Company, PLLC, brings this action for breach of contract, negligence, and gross negligence. (ECF No. 1-1, PageID.16-21.) Defendant Cloud X Partners Holdings, LLC, provided "virtual desktop and cloud data-hosting services," which Plaintiff allegedly utilized to store substantial amounts of business data. (Id. , PageID.10-11, ¶¶ 20-27.) Defendant was subject to a cyberattack and Plaintiff's data was damaged or lost. (Id. , PageID.12, ¶ 32.)

In lieu of filing an answer, Defendant moves to dismiss the complaint. Fed. R. Civ. P. 12(b). (ECF No. 3.) The matter has been thoroughly briefed. (ECF Nos. 5, 6, 8.) The court has reviewed the record and finds a hearing to be unnecessary. E.D. Mich. L.R. 7.1(f)(2). For the reasons provided below, the court will grant in part and deny in part Defendant's motion.

I. BACKGROUND

The following are facts as alleged in Plaintiff's complaint. In a motion to dismiss, the court accepts Plaintiff's factual allegations as true but makes no overt finding as to truth or falsity. Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009).

Plaintiff is an accounting firm that was looking for a company to host its data. (ECF No. 1-1, PageID.9-10, ¶¶ 13, 21.) On July 10, 2017, Plaintiff and Defendant executed a "Member Order" whereby Plaintiff and its employees could access a virtual desktop with software used in its accounting practice and Plaintiff could store data on Defendant's network. (Id. , PageID.10-11, ¶¶ 26, 27.) Plaintiff agreed to pay Defendant a monthly membership fee of $594. (Id. , PageID.11, ¶ 28.) The agreement was renewed on an annual basis and was in place for the duration of the events giving rise to this action. (Id. , ¶¶ 29, 30.)

The Member Order states that the agreement "is subject to the included ... Information Privacy Security Policy." (Id. , ¶ 31; id. , PageID.25.) The order also states that "[Defendant] is not responsible for the availability of Subscriber Data." (Id. , PageID.25.) Plaintiff attached the Member Order and the Information Privacy Security Policy to its complaint. (Id. , PageID.25-40.)

On or around July 6, 2019, a cybercriminal embedded a "ransomware" virus in Defendant's internal systems. (Id. , PageID.12, ¶ 32.) After ten days, on July 16, 2019, the ransomware was deployed. (Id. , ¶ 35.) The virus sealed off and encrypted data hosted on Defendant's servers; the cybercriminal demanded payment to remove the encryptions and allow Defendant, and its customers including Plaintiff, to regain access. (Id. , PageID.12-13, ¶ 36.) Defendant immediately took its systems offline, preventing Plaintiff from accessing its virtual desktops and data. (Id. , PageID.13, ¶ 37.)

Plaintiff asked Defendant to return its data, in part to consider paying the ransom. (Id. , PageID.14, ¶ 44.) Defendant refused the request, stating the Plaintiff's data was combined with the data of many other customers and could not be separated. (Id. , ¶ 45.) Defendant then chose not to pay the ransom and as a result "most of [Plaintiff's] data was corrupted and unable to be restored or recovered." (Id. , ¶ 43.) "All of [Plaintiff's] data" was affected, including "1700 tax engagement files," "120 financial engagement files," and "critical practice management files, including ... billing, time entry, and business contacts," all compiled over the course of ten years. (Id. , PageID.15-16, ¶¶ 50, 54.) None of the files were "recovered," but a small subset were "restored." (Id. , ¶ 52.) The restored files lacked "names, ... organizational structure, and ... metadata," requiring "multiple hours per file" to return them to a usable form. (Id. , ¶ 52-53.)

Plaintiff "experienced significant downtime" after the attack "in which it could not operate its business." (Id. , PageID.16, ¶ 55.) Additionally, Plaintiff could not use the information contained in the lost files "to generate additional revenue." (Id. , ¶ 54.)

II. STANDARD

Under Federal Rule of Civil Procedure 12(b)(6) a party can move to dismiss a complaint for "failure to state a claim upon which relief can be granted." In considering a motion to dismiss, the court must "construe the complaint in the light most favorable to the plaintiff and accept all factual allegations as true." Laborers’ Local 265 Pension Fund v. iShares Trust , 769 F.3d 399, 403 (6th Cir. 2014). "To survive a motion to dismiss, a complaint must contain factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ " Ashcroft , 556 U.S. at 678, 129 S.Ct. 1937 (quoting Bell Atlantic Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. Determining plausibility is "a context-specific task that requires the reviewing court to draw on its judicial experience and common sense." Id. at 679, 129 S.Ct. 1937. The plaintiff must present "more than labels and conclusions." Twombly , 550 U.S. at 545, 127 S.Ct. 1955. "[A] formulaic recitation of a cause of action's elements will not do." Id.

When reviewing a motion to dismiss, the court may consider "documents incorporated into the complaint by reference ... and matters of which a court may take judicial notice" in addition to allegations in the complaint. Tellabs, Inc. v. Makor Issues & Rights, Ltd. , 551 U.S. 308, 322, 127 S.Ct. 2499, 168 L.Ed.2d 179 (2007). The court may consider "a document that is not formally incorporated by reference or attached to a complaint" when "[the] document is referred to in the complaint and is central to the plaintiff's claim." Greenberg v. Life Ins. Co. of Va. , 177 F.3d 507, 514 (6th Cir. 1999).

III. DISCUSSION

Defendant moves to dismiss all three counts of Plaintiff's complaint: breach of contract, negligence, and gross negligence. The court will address each claim in turn.

A. Breach of Contract

Defendant presents arguments in its motion that, although not entirely clear, appear to challenge whether Plaintiff adequately pled the elements of a breach of contract claim. In its reply, Defendant points to a contract term that it argues limits Plaintiff's recovery as a matter of law,¹ and raises two other arguments. The court finds the entirety of Defendant's breach of contract arguments unconvincing.

1. Breach of a Legal Duty

Defendant's motion asserts generally that Plaintiff failed to allege a breach of duty. (ECF No. 3, PageID.63-64.) Defendant refers to standards such as "reasonable care," and contends that it did not take "an affirmative act that unreasonably exposed Plaintiff to a risk of harm." (Id. , PageID.64.) Having a "duty" to act "reasonably" so as to mitigate the "risk of harm" are concepts most naturally associated with negligence, not contract law. "A negligence action may ... be maintained [only] if a legal duty exists which requires the defendant to conform to a particular standard of conduct in order to protect others against unreasonable risks of harm. " Bertrand v. Alan Ford, Inc. , 449 Mich. 606, 612, 537 N.W.2d 185, 188 (1995) (emphasis added) (quotation removed).

To bring a successful breach of contract claim under Michigan law, Plaintiff must prove that "(1) there was a contract (2) which the other party breached (3) thereby resulting in damages to the party claiming breach." Miller-Davis Co. v. Ahrens Constr., Inc. , 495 Mich. 161, 178, 848 N.W.2d 95, 104 (2014) (citing Stevenson v. Brotherhoods Mut. Benefit , 312 Mich. 81, 90-91, 19 N.W.2d 494, 498 (1945) ); see Shady Grove Orthopedic Assocs. v. Allstate Ins. , 559 U.S. 393, 417, 130 S.Ct. 1431, 176 L.Ed.2d 311 (2010) ("Federal courts sitting in diversity apply state substantive law.").

Defendant makes little mention of contract law or Plaintiff's breach of contract claim in its motion to dismiss. Nonetheless, Defendant's arguments could be interpreted as claiming that no terms of the parties’ agreement covered Defendant's conduct. If no terms applied, there can be no breach. Miller-Davis Co. , 848 N.W.2d at 104 ; Van Buren Charter Twp. v. Visteon Corp. , 319 Mich. App. 538, 554, 904 N.W.2d 192, 202 (2017) (requiring a plaintiff prove "that the defendant breached [the contract's] terms").

Plaintiff points to terms in the Information Privacy Security Policy, alleged and attached to the complaint, in which Defendant promised various services. See Tellabs, Inc. , 551 U.S. at 322, 127 S.Ct. 2499 (permitting the court to consider "documents incorporated into the complaint by reference"). (ECF No. 1-1, PageID.11-12, ¶ 31; id. , PageID.29.) Under the subsection "Baseline Procedures" in the "Introduction" section of the policy, the terms state that "[m]inimum data security and protection services provide for continuous file systems scanning for virus signatures or activity" and "[c]ompromised files are quarantined in secure systems," among other security precautions. (ECF No. 1-1, PageID.11-12, ¶ 31; id. , PageID.29.) Plaintiff alleges Defendant failed to perform all of these promised services before and during the alleged data breach and cyberattack, thereby establishing a claim for breach of contract. Miller-Davis Co. , 848 N.W.2d at 104. (ECF No. 1-1, PageID.17-18, ¶ 62.)

Other than arguing generally that Plaintiff has not stated a claim for breach of contract, Defendant...