Xat.Com Ltd. v. Hosting Servs., Inc., Case No. 1:16-cv-00092-PMW
| Decision Date | 02 February 2017 |
| Docket Number | Case No. 1:16-cv-00092-PMW |
| Parties | XAT.COM LIMITED, Plaintiff, v. HOSTING SERVICES, INC. a/k/a 100TB.COM, Defendant. |
| Court | U.S. District Court — District of Utah |
Pursuant to 28 U.S.C. § 636(c), the parties consented to have Chief United States Magistrate Judge Paul M. Warner conduct all proceedings in this case, including trial, entry of final judgment, and all post-judgment proceedings.1 Defendant Hosting Services, Inc., also known as 100TB.com ("100TB"), has motioned the court to dismiss the above captioned case pursuant to Rule 12(b)(1) and Rule 12(b)(6) of the Federal Rules of Civil Procedure.2
On January 20, 2017, the court heard oral argument on 100TB's motion.3 At the hearing, Plaintiff Xat.com Limited ("Xat") was represented by Romaine C. Marshall and Engels Tejeda. 100TB was represented by Paul G. Karlsgodt and Patricia W. Christensen. At the conclusion of the hearing, the court took the motion under advisement. Now being fully advised, the court renders the following Memorandum Decision and Order.
Xat is a social networking website that allows users to exchange instant messages.4 100TB provides web hosting services.5 In 2008, Xat utilized 100TB to host Xat's servers.6While Xat's complaint is vague about what 100TB's hosting services entail, it appears that 100TB's hosting services involve 100TB ensuring the physical security and stability of Xat's servers as well as protecting Xat's servers from digital invasion from unauthorized third parties.
On October 13, 2008, the parties executed a Master Service Agreement ("MSA").7 The MSA outlines the parties' rights and obligations governing 100TB's hosting services. At issue in 100TB's motion is to what extent 100TB is liable under the terms of the MSA.
The MSA provides several stipulations regarding 100TB's liability and indemnification responsibilities. For example, ¶ 9(a) states:
[100TB agrees to] indemnify, defend and hold [Xat], [Xat's] employees, directors and officers . . . from any and all third party actions, liability, damages, costs and expenses (including, but not limited to, those attorneys' fees and expenses charged to [100TB]) arising from, or relating to, personal injury or property damage resulting solely from our gross negligence or willful misconduct . . . .8
Paragraph 11 states:
NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS MSA, IN NO EVENT WILL [100TB] BE LIABLE TO [XAT] OR ANY THIRD PARTY MAKING A CLAIM BASED ON OUR PROVIDING THE SERVICES TO [XAT] FOR (I) LOST PROFITS; (II) LOSS OF BUSINESS; (III) LOSS OF REVENUES; (IV) LOSS OF DATA OR INTERRUPTION OR CORRUPTION OF DATA; (V) ANY CONSEQUENTIAL OR INDIRECT DAMAGES; OR (VI) ANY INCIDENTAL, SPECIAL, RELIANCE, EXEMPLARY OR PUNITIVE DAMAGES (IF APPLICABLE) . . . .9
Paragraph 11 goes on to state that 100TB's "maximum liability shall be one (1) month's fees (or the equivalent thereof) actually received by [100TB] during the month prior to [Xat's] claim."10
Paragraph 11 further stipulates that 100TB's "obligation to indemnify" Xat under the terms of ¶ 9 is not limited by ¶ 11.11
Additionally, the MSA establishes certain promises and standards of care governing 100TB's hosting services. For example, the MSA represents that 100TB has "received 'Safe Harbor' certification under U.S. - EU, and U.S. -Swiss safe harbor frameworks."12 Under the U.S. - EU, and U.S. -Swiss Safe Harbors (collectively "Safe Harbors"), "[o]rganizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction."13
Moreover, 100TB agreed to utilize "industry standard methods" to secure Xat's property.14 100TB also promised to "[m]onitor the network, physical infrastructure, servers and applications on a 24x7x365 basis."15 Furthermore, 100TB's Privacy Policy, incorporated in the MSA, prohibits 100TB from sharing Xat's user data with third parties unless otherwise permitted by 100TB's Privacy Policy.16
In 2015, Xat alleges that 100TB allowed an unauthorized third party to access Xat's servers. Xat claims that over a ten month period, Xat repeatedly warned 100TB that an unauthorized third party was attempting to gain access to Xat's servers through "social engineering."17 Xat asserts that in response to those repeated warnings, 100TB assured Xat thataccess to its servers would be denied and suggested that Xat take certain steps to further secure its servers.18 Xat contends that while it complied with 100TB's instructions, 100TB nevertheless granted a third party unauthorized access to Xat's servers.
Specifically, on November 4, 2015, an unknown third party was granted access to Xat's servers.19 The third party allegedly damaged and disabled Xat's servers and stole Xat's proprietary software, including Xat's main database.20 Subsequently, Xat requested that 100TB secure and power down Xat's servers until it could contain the intrusion.21 Xat alleges that 100TB did not power down at least three of Xat's servers, did not turn on 100TB's two-factor authentication, and failed to back up the data on Xat's servers.22
On November 8, 2015, 100TB again granted a third party access to Xat's servers.23 During this second incident, the third party accessed Xat's proprietary log files, databases, source code, and software, and erased system log files from Xat's server.24
Following the attacks, Xat filed the instant lawsuit asserting claims against 100TB for gross negligence, breach of the MSA, unjust enrichment, and equitable indemnification. Xat alleges that it has suffered at least $500,000 in damages as a result of the hacking incidents, including the cost of containing the cyberattacks, the value of lost, stolen, or deleted data, and lost revenue and profit.25 Additionally, Xat alleges that it has incurred costs with reporting the cyberattack to the United Kingdom's Information Commissioner's Office as well as cooperatingwith the appropriate authorities and governmental agencies investigating the cyberattacks.26 Furthermore, Xat seeks a court order:
requiring 100TB to indemnify Xat for any claims related to the Cyberattacks asserted by any third party, including any claims asserted by any regulatory authority or any individual or entity whose information was or may have been exposed during the Cyberattacks, and for any costs and attorneys' fees incurred by Xat related to any of the foregoing . . . .27
In response, 100TB filed the instant motion to dismiss.
In deciding a motion to dismiss under Rule 12(b)(6) of the Federal Rules of Civil Procedure, the court presumes the truth of all well-pleaded facts in the complaint, but need not consider conclusory allegations. Tal v. Hogan, 453 F.3d 1244, 1252 (10th Cir. 2006), cert. denied, 549 U.S. 1209 (2007). The court is not bound by a complaint's legal conclusions, deductions, and opinions couched as facts. Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 565 (2007). Further, although reasonable inferences must be drawn in the non-moving party's favor, a complaint will only survive a motion to dismiss if it contains "enough facts to state a claim to relief that is plausible on its face." Id. at 570. "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009).
Pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure, the court may dismiss a claim for lack of subject matter jurisdiction. Ripeness and mootness challenges are treated as motions to dismiss under Rule 12(b)(1). See SK Fin. SA v. La Plata Cty., Bd. of Cty. Comm'rs, 126 F.3d 1272, 1275 (10th Cir. 1997); Chihuahuan Grasslands Alliance v. Kempthorne, 545 F.3d 884, 891 (10th Cir. 2008).
It appears to the court that the parties have taken a relatively straightforward motion to dismiss and beaten a dead horse, so to speak. Following the routine briefing on 100TB's motion to dismiss, the court granted Xat's motion to file a sur-reply.28 Prior to the court's ruling, 100TB responded to Xat's sur-reply and Xat responded to 100TB's response to Xat's sur-reply.29 The court routinely grants sur-replies with the expectation that counsel will only use sur-replies in narrow circumstances to aid the court. The sur-reply and subsequent responses from counsel were unhelpful and merely rehashed arguments already discussed ad nauseam in the briefing. The court reminds counsel of their obligation to aid the court in ensuring the "just, speedy, and inexpensive determination of every action and proceeding." Fed. R. Civ. P. 1 (emphasis added). Rehashing arguments for the sake of billable hours and the unmistakable urge to have the last word are antithetical to achieving the inexpensive resolution of this case.
Turning to the merits of 100TB's motion, after carefully reviewing Xat's complaint—accepting each of Xat's factual allegations as true—Xat's gross negligence claim and unjust enrichment claim are dismissed. Xat's gross negligence claim and the damages associated with it are bargained for and governed by the MSA. Accordingly, the economic loss rule precludes Xat from recovering in tort what it can recover in contract. Likewise, the MSA governs the dispute between the parties and, therefore, Xat has failed to plead a plausible claim for unjust enrichment. With respect to Xat's remaining claims, Xat has alleged sufficient facts to survive a motion to dismiss.
100TB argues that Xat's gross negligence claim seeks "purely economic damages" which are governed by the MSA and, therefore, barred by the economic loss rule.30 Xat attempts to circumvent the application of...
To continue reading
Request your trial