Stephenson v. Rackspace Tech.

• Decision Date: 18 May 2023
• Docket Number: SA-22-CV-01296-XR
• Parties: GARRETT STEPHENSON, et al. Plaintiffs v. RACKSPACE TECHNOLOGY, INC, Defendant
• Court: U.S. District Court — Western District of Texas

1

GARRETT STEPHENSON, et al. Plaintiffs v. RACKSPACE TECHNOLOGY, INC, Defendant

No. SA-22-CV-01296-XR

United States District Court, W.D. Texas, San Antonio Division

May 18, 2023

ORDER ON MOTION TO COMPEL ARBITRATION

XAVIER RODRIGUEZ UNITED STATES DISTRICT JUDGE

On this date, the Court considered Defendant Rackspace Technology Inc.'s motion to compel individual arbitration (ECF No 23), Plaintiffs' response (ECF No. 30), Defendant's reply (ECF No. 31), and the parties' arguments at the hearing held on April 6, 2023. After careful consideration the Court issues the following order.

BACKGROUND

These consolidated, putative class action cases arise from a cybersecurity incident purportedly discovered and announced by Defendant Rackspace Technology, Inc. (“Rackspace”) on or about December 2, 2022 (the “Security Incident”), in which unauthorized individuals gained access to its information network through a ransomware attack that allegedly affected over 30,000 Rackspace customers.^[1]Rackspace, a cloud services provider offers a Hosted Exchange environment, which allows clients to avoid hosting email on their own computers or network servers. Thirty-seven Named Plaintiffs purport to represent both nationwide and various state putative classes, alleging claims for damages and injunctive relief relating to the disruption of their email services, which allegedly resulted in the permanent loss of some communications and potential disclosure of sensitive information.^[2]

The parties present competing theories of the cause of Plaintiffs' alleged damages. Plaintiffs assert that the third parties were able to access Rackspace's network because it failed to deploy a security patch provided by Microsoft on November 8, 2022, and that Rackspace's mismanaged response to and communications about the ransomware attack further interrupted their business operations. ECF No. 30 at 9-10.^[3] Rackspace observes that its agreements with Hosted Exchange clients provide that (1) clients are responsible for maintaining routine back-ups of their data, (2) neither party is liable to the other for data loss, (3) Rackspace can suspend email services in the event of an attack, and (4) account credits are the sole remedy for service interruptions. ECF No. 23 at 10-11.

All prospective Hosted Exchange clients must agree to the then-current version of Rackspace's governing terms, including a Master Services Agreement (“MSA”), in order to complete the transaction to begin using the services. See ECF No. 23-2, Decl. of Josh Prewitt (Chief Product Officer of Rackspace) ¶ 15. Hosted Exchange customers typically sign up for Hosted Exchange services through the online cart on the Rackspace website (the “Online Signup Process”). See id. ¶¶ 16-17. The Online Signup Process involves four steps. See id. ¶¶ 20-23.

(1) The customer must first confirm the services requested and click a button labeled “Next Step” in order to proceed. See id. ¶ 20; Ex. 3.

(2) The customer must enter account and contact information and again click a button labeled “Next Step” in order to proceed: See id. ¶ 21; Ex. 4.

(3) The customer must provide an address, and again click a button labeled “Next Step” in order to proceed. See id. ¶ 22; Ex. 5.

(4) Finally, the customer must provide payment information, check a statement agreeing to be bound by each of three hyperlinked agreements- the MSA, the Mail Terms of Service, and the Office 365 Services Terms of Service-and click a button labeled “submit” to complete the transaction. See id. ¶ 23; Ex. 6.

While the vast majority of Hosted Exchange customers sign up for services through the Online Signup Process, some customers register by signing and returning the then-governing terms through an electronic signature program (“eSig Process”). See id. ¶¶ 16-17; Ex. 2. The service order used in the eSig Process expressly incorporates the then-current MSA by reference. Id. ¶ 17. It also requires the customer to agree to the following language:

The Agreement constitutes the complete and exclusive agreement between the parties regarding the subject matter and supersedes and replaces any prior understanding or communication, written or oral. The individual signing represents to Rackspace that they are authorized to sign on behalf of Customer. Customer accepts the terms of the Agreement, including any document or terms referenced above.

Id. ¶ 17; Ex. 2.

Rackspace asserts that, at all relevant times, the governing terms have required Hosted Exchange customers to agree that Rackspace can periodically update its terms, and the updates become effective on the customer's next renewal date, through a provision substantially similar to the language below:

Some terms are incorporated into the Agreement by reference to pages on the Rackspace website and Rackspace may revise those terms from time to time (including the MSA). Except where otherwise designated, such revisions are effective and supersede and form part of the Agreement as of the time: (i) Customer enters into a new Service Order referencing the revised terms; (ii) a Service Order automatically renews pursuant to the Agreement; or (iii) the parties enter into an agreement for a Renewal Term or account transfer (in which case Customer acknowledges that it has reviewed and accepted the then-current version of the terms).

Id. ¶ 26; Ex. 8 (emphasis added). The “Agreement” as defined in the MSA, “means, collectively, the MSA and any terms incorporated by reference in the MSA, and any applicable Service Order, Product Terms, or other addenda which govern the provision of Services.” Id., Ex. 8 at Schedule 1 (Defined Terms). For Hosted Exchange customers, these collective agreements and terms include, among others, the MSA, the Mail Terms of Service, and the Global Security & Privacy Practices. See id. ¶ 34.

Thus, according to Rackspace, if a Hosted Exchange customer allows its services, which are renewed monthly, to continue after Rackspace's governing terms have been updated, that customer agrees to be bound by the updated terms as of the date of the service renewal. Id. see also id. ¶ 28; Id., Ex. 7 (Service Order related to an Agreement executed through the Online Signup Process reflecting a monthly term); Id., Ex. 2 (Service Order related to an Agreement executed through the eSig Process reflecting a monthly term). Because Rackspace updated its MSA on June 21, 2022, Rackspace asserts that the June 2022 version of the MSA became effective for all Hosted Exchange Customers no later than July 21, 2022. See id. ¶ 28; Ex. 8. Therefore, Rackspace argues, every Hosted Exchange Customer that was affected by the December 2, 2022 Security Incident is bound by the June 21, 2022 MSA. See id.

Section 10 of the June 2022 MSA contains a broad arbitration provision and class action waiver:

Where stated to be subject to arbitration in Schedule 2, any dispute or claim relating to or arising out of the Agreement shall be submitted to binding arbitration. The arbitration shall be conducted in the state and county (or equivalent geographic location) of the non-asserting party's principal business offices in accordance with the Commercial Rules of the AAA in effect at the time the dispute or claim arose. The arbitration shall be conducted by one arbitrator from AAA or a comparable arbitration service. The arbitrator shall issue a reasoned award with findings of fact and conclusions of law. Either party may bring an action in any court of competent jurisdiction to compel arbitration under the Agreement, or to enforce an arbitration award.

Id. ¶ 29; Ex. 8. § 10.2. Schedule 2 provides that where, as here, the contracting entity is Rackspace US, Inc., all disputes shall be resolved through arbitration. Id. at Schedule 2. In addition, Section 10.3 of the MSA states, “No claim may be brought as a class or collective action, nor may Customer assert such a claim as a member of a class or collective action that is brought by another claimant.” Id., Ex. 8 § 10.3.

Based on the arbitration clause and class action waiver, Rackspace now moves to compel individual arbitration in this matter and dismiss or, alternatively, stay this case pending arbitration. See ECF No. 23. Plaintiffs urge the Court to deny the motion, arguing that (1) their claims fall outside the scope of the arbitration clause, (2) the arbitration clause does not bind Plaintiffs who entered into an agreement with Rackspace before the incorporation of an arbitration clause, and (3) the arbitration clause is procedurally and substantively unconscionable. See ECF No. 30. The Court held a hearing on April 6, 2023, and took the motion under advisement.

DISCUSSION

I. Legal Standard

The Fifth Circuit has established a two-step inquiry in determining whether the parties have agreed to arbitrate a claim. “The first is contract formation-whether the parties entered into any arbitration agreement at all. The second involves contract interpretation to determine whether this claim is covered by the arbitration agreement.” Kubala v. Supreme Prod. Servs., Inc., 830 F.3d 199, 201 (5th Cir. 2016) (emphasis in original). In the absence of a valid clause delegating the threshold issue of arbitrability to the arbitrator, both steps are questions for the Court. Id. Where the parties' contract delegates the question of arbitrability to the arbitrator, however, a court possesses no authority to decide whether the parties' dispute falls within the scope of the agreement. Henry Schein, Inc. v. Archer & White Sales, Inc., 139 S.Ct. 524, 529 (2019).

Although there is a strong presumption favoring arbitration, the presumption arises only after the party seeking to compel arbitration proves that a valid arbitration agreement exists. TRC Envt'l Corp. v. LVI Facility Servs., Inc. 612...