Opinion
2:21-cv-942-JLB-KCD
07-18-2024
HARBORVIEW REALTY, INC. AND MCGREGOR REAL ESTATE, INC. D/B/A HARBORVIEW RENTALS, Plaintiffs, v. FIFTH THIRD BANK, NATIONAL ASSOCIATION, Defendant. FIFTH THIRD BANK, NATIONAL ASSOCIATION Counter-Plaintiff, HARBORVIEW REALTY, INC. AND MCGREGOR REAL ESTATE, INC. D/B/A HARBORVIEW RENTALS, Counter-Defendants.
ORDER
JOHN L. BADALAMENTI, UNITED STATES DISTRICT JUDGE
This unauthorized wire transfer case stems from a third-party fraudster initiating more than $1.3 million of unauthorized wire transfers and other unauthorized account withdrawals from Plaintiffs' Fifth Third Bank commercial accounts. Although Fifth Third Bank was able to recover $1 million of Plaintiffs' lost funds, Plaintiffs seek to recover the more than $300,000 that Fifth Third Bank was unable to recover. Before the Court are the parties' cross-motions for summary judgment (Docs. 56, 58) and Plaintiffs' motion for sanctions (Doc. 57). Having reviewed the motions, the parties' respective subsequent briefing, and the entire record in this case, the Court rules that the motion for sanctions (Doc. 57) is DENIED, Plaintiffs' motion for summary judgment (Doc. 58) is DENIED, and Defendant's motion for summary judgment (Doc. 56) is GRANTED.
BACKGROUND
Plaintiffs and Counter-Defendants Harborview Realty, Inc. and McGregor Real Estate Inc. d/b/a Harborview Rentals (“Plaintiffs”) provide real estate services on Marco Island, Florida and Naples, Florida, including rental services and real estate services. (Doc. 56-2 at 18-19). Plaintiffs are owned by James McGregor. (Id. at 19).
On August 27, 2018, Plaintiffs entered into a Master Treasury Management Agreement (“MTMA”) with Defendant and Counter-Plaintiff Fifth Third Bank (“Defendant”), which governed Plaintiffs' use of certain banking services. (See Doc. 56-4; Doc. 56 at ¶ 2; Doc. 69 at ¶ 2). On August 31, 2018, Plaintiffs and Defendant entered into an Online Channel Access Agreement (“OCAA”), which governed Plaintiffs' access to and use of Defendant's online commercial banking services. (See Doc. 56-5; Doc. 56 at ¶ 3; Doc. 69 at ¶ 3). Plaintiffs used “Fifth Third Direct,” an online portal, to access their accounts. (Doc. 56-6 at 14, 18; Doc. 56-2 at 32). Plaintiffs' bookkeeper/office manager, Bonnie Holm, was primarily responsible for utilizing Fifth Third Direct to access Plaintiffs' accounts. (Doc. 56-2 at 30; Doc. 56-6 at 13-14). She was the “channel administrator” of the accounts. (Doc. 56-6 at 3637).
The MTMA required the establishment of certain security procedures. (Doc. 56-4 at 6-7). MTMA defines “Security Procedures” as “the Credentials, call-back protocols, and other systems or procedures provided by Bank or its Processors for authenticating Instructions, transactions and use of the Services.” (Doc. 56-4 at 18). The MTMA defines “Credentials” as the “user name, personal identification numbers, identification codes, passwords and other identifying and authentication inputs, security token or authentication device, equipment or software that the Customer uses to access the Services.” (Id. at 17). That in mind, the text of section 8.1 of the MTMA states as follows:
Section 8.1. Establishment. Access to some Services requires the use of Security Procedures, including for Services obtained through an Access Channel and use of the applicable Credentials. The Security Procedures verify the origin and authenticity of Instructions and communications sent to Bank. Where permitted, Customer will select from the Security Procedures for a particular Service from those offered and recommended by Bank in the set-up process for that Service, and agrees to implement changes to the Security Procedures issued by Bank as needed. Customer agrees that such Security Procedures are commercially reasonable and suitable for Customer with respect to Customer's intended use of the applicable Services. The Security Procedures are not designed to detect errors in any Instruction to Bank.(Id. at 6-7). Section 8.3 also recommends that the customer, Plaintiffs here, establish an approval protocol “to prevent unauthorized transactions,” noting that if a customer does not both establish such and require adherence to it, or should the customer mark a transaction as “no approval,” the customer assumes the risks of all transactions that could have been prevented by requiring such protocol or approval as follows:
Section 8.3. Funds Transfers. In connection with the use of Bank's wire transfer, ACH and other electronic funds transfer Services, Bank recommends that Customer establish an approval protocol appropriate for Customer's particular circumstances (including the type, amount and frequency of such transactions) to prevent unauthorized transactions. If Customer does not establish and require adherence to an approval protocol for such funds transfers or if Customer selects a “no approval” option, Customer assumes the risks of all transactions that could have been prevented by requiring such protocol or approval....(Id. at 7).
In a section of the MTMA titled, “Verification,” the agreement explains that if the Bank accepts and acts in good faith on a Payment Order issued to it in the customer's name and in conformance with the MTMA's Security Procedures, the customer is bound by that payment, whether or not the payment was authorized by the customer, if the instruction to the Bank is in the customer's name through the Bank's Channel Services-Fifth Third Direct's online portal-as follows:
Section 8.2. Verification . If Bank accepts and acts in good faith on a Payment Order issued to Bank in Customer's name and in accordance with the Security Procedures and any written agreement between Customer and Bank, the Payment Order is effective as Customer's Payment Order whether or not it is authorized, and Customer is bound by it in accordance with Applicable Law and the terms of this Agreement, including the applicable Service Terms. Any other Instruction communicated to Bank in Customer's name in compliance with the Security Procedures and all access to and use of Services and
Channel Services using the Security Procedures are considered authorized by Customer.(Id.)
Similarly, section 4.1 of the OCAA provides that “[a]ll use of the Channel Services through the Security Procedures will be considered to have been authorized by Customer.” (Doc. 56-5 at 8). Bonnie Holm testified that “in order for [her] to enter Fifth Third Direct Online and send a wire or an ACH, [she] had to enter [her] I.D., password, and token code.” (Doc. 56-6 at 14, 23). The token code was obtained from a physical token in Plaintiffs' possession that generated different numbers every 30 seconds. (Id. at 17-18; Doc. 56-2 at 37). Plaintiffs do not deny that Ms. Holm entered an I.D., password, and token code to access the account, but they deny that these were the only security procedures. (Doc. 69 at ¶ 9). In support of this denial, Plaintiffs state that “additional security procedures consist of, inter alia, a security algorithm.” (Id.) They cite to the Expert Report of Robert Gregory Litster, which describes that Defendant's “internal security system looks for out-ofpattern digital payment requests” (Doc. 58-16 at 5) and the deposition of Defendant's Financial Crimes Director, which describes this algorithm (Doc. 64-1 at 21). Plaintiffs also point out that “once logged into the account, a user (or fraudster) would not need to reenter a username, password, or token code to initiate a payment transaction.” (Doc. 69 at ¶ 9). That statement is supported by the depositions of Defendant's Financial Crimes Director (Doc. 64-1 at 44-45) and Defendant's Director of Information Security (Doc. 64 at 60, 123).
The deposition of Defendant's Financial Crimes Director was filed under seal. (See Doc. 63).
The deposition of Defendant's Director of Information Security was filed under seal. (See Doc. 63-1).
Ms. Holm signed the Fifth Third Channel Administrator Assignment Request Form, which established her as Channel Administrator, as defined in the OCAA. (Doc. 56-5 at 4; Doc. 56-8 at 3). The Fifth Third Channel Administrator Assignment Request Form has a section titled “Dual Administration Control.” (Doc. 56-8 at 3). It explains that “Dual Administration Control requires two (2) administrators to establish a User (defined in the OCAA) in the Fifth Third Direct system.” (Id.) The form also states that “[f]or the security of your accounts and information, Fifth Third strongly recommends enabling Dual Control Administration.” (Id.) There are two boxes on that form, one labeled, “Enable Dual Administration Control,” and the other labeled, “Do NOT enable Dual Administration Control.” (Id.) There was a checkmark next to the box labeled, “Do NOT enable Dual Administration Control.” (Id.) Plaintiffs deny that they declined the use of Dual Administration Control and indicate that Defendant “unilaterally declined the Dual Administration Control on behalf of Harborview when Fifth Third presented the Fifth Third Administrator Assignment Request Form.” (Doc. 69 at ¶ 10). In support of their view that Defendant unilaterally declined the Dual Administration Control on their behalf, Plaintiffs cite Ms. Holms's deposition, in which she stated that “it looks like, to me, that it was done by Fifth Third Bank. I didn't put that checkmark there.” (Doc. 58-1 at 81). But when asked whether she “ask[ed] the bank to change it,” she responded, “[n]o.” (Id. at 81-82).
Plaintiffs admit that to log into Fifth Third Direct and access Plaintiffs' account, Ms. Holm was required to enter her username, password, and token code, and that Plaintiffs were the only ones who knew this information. (Doc. 69 at ¶ 11; see also Doc. 64-1 at 38, 43). But they reiterate that, once in the account, a user was not required to re-enter the credentials to initiate a wire transfer or ACH. (Id. (citing Doc. 64-1 at 44-45; Doc. 64 at 60, 123)).
Turning back to the text of the MTMA, Plaintiffs agreed to “maintain the complete security and confidentiality of the Security Procedures” and “institute and use prudent internal security procedures and practices to control access to the Services and use of the Security Procedures.” (Doc. 56-4 at 8). The OCAA also imposes a confidentiality obligation upon Plaintiffs as follows:
Customer agrees to maintain the complete security and confidentiality of the Security Procedures and Credentials. Customer's failure to protect the confidentiality and integrity of the Security Procedures may enable an unauthorized person to use the Channel Services and access Customer's accounts and data, and transfer funds from those accounts.
(Doc. 56-5 at 8).
On May 27, 2020 at 1:42 p.m. ET, a fraudster accessed Plaintiffs' accounts via Fifth Third Direct using Plaintiffs' unique username, password, and token code. (Doc. 64-1 at 46; Doc. 56 at ¶ 17; Doc. 69 at ¶ 17). After gaining access, the fraudster initiated seventeen wires and ACH payments from Plaintiffs' accounts for a total amount of $1,315,314.04. (Doc. 56-10 at 3; Doc. 56 at ¶ 18; Doc. 69 at ¶ 18). Defendant states that its internal security system detected a potential fraudulent payment on Plaintiffs' accounts, triggered by a $97,073.15 ACH Payment at 2:07 p.m. ET on the same date. (Doc. 56 at ¶ 19; Doc. 64-1 at 26). Plaintiffs deny that allegation, stating that the first fraudulent activity that Fifth Third detected was actually a 1:42 p.m. incorrect login attempt to Plaintiffs' portal. (Doc. 69 at ¶ 19). In support of their denial, they cite to a spreadsheet showing that the activity score for the 1:42 p.m. login was 996. (See Doc. 58-6 at 2). Christopher Tyo, Fifth Third's Director of Information Security, testified that a higher activity score was typically associated with a higher risk, but he was otherwise unsure of the significance of activity scores. (Doc. 64 at 24; Doc. 58 at ¶ 22; Doc. 70 at ¶ 22). It appears that both statements can be true. The spreadsheet indicates that a higher-than-normal activity score was indicated for the 1:42 p.m. login, but that does not refute Defendant's Financial Crimes Director's testimony that an alert was not generated by Defendant until 2:07 p.m. (See Doc. 64-1 at 3, 26).
Mr. Smith testified that Fifth Third receives thousands of fraud alerts each day on a variety of financial transactions and that, on average, one of every 1,300 fraud alerts associated with wire and ACH transfers is ultimately determined to be fraudulent. (Doc. 64-1 at 80; Doc. 56 at ¶ 21). He testified that this $97,073.15 ACH payment was automatically suspended at 2:07 p.m., and it was routed into a queue for review by a Fifth Third Operations analyst. (Doc. 64-1 at 21, 26-27; Doc. 56 at ¶ 22). The analyst who responded to this alert was Lamar Gentry. (Doc. 64-1 at 21, 27; Doc. 56 at ¶ 23). Mr. Gentry called Plaintiffs at 2:43 p.m. ET. (Doc. 64-1 at 27; Doc. 56 at ¶ 23).
Mr. Gentry spoke with Ms. Holm to determine if the ACH payment was authentic. (Doc. 64-1 at 36-37; Doc. 56 at ¶ 24; see also Doc. 58-14). Ms. Holm stated that she did not initiate that ACH payment and then hung up the phone on Mr. Gentry. (Doc. 64-1 at 37; Doc. 56 at ¶ 25). The content of this phone call was limited to the 2:07 p.m. ACH payment. (Doc. 64-1 at 37; Doc. 56 at ¶ 25). Mr. Gentry attempted to call Ms. Holm again, but his attempt was unsuccessful. He testified that he then reached out to others within Plaintiffs' organization. (Doc. 641 at 74; Doc. 56 at ¶ 26).
Mr. McGregor testified that he received calls from a Fifth Third employee regarding this ACH payment at around 2:40 p.m. and 3:00 p.m. on that same day (Doc. 56-2 at 73-75). The employee asked Mr. McGregor and Ms. Holm about the $97,073.15 ACH payment and confirmed that they did not initiate it. (Doc. 58-13 at 4-5). The employee also recommended they call their Fifth Third relationship manager, Glorybelle Hernandez. (Id. at 6). Heeding that recommendation, Mr. McGregor then called Ms. Hernandez. (Doc. 56-2 at 75; Doc. 56-11 at 10-11). Ms. Hernandez missed Mr. McGregor's call but returned his call at approximately 3:30 p.m. (Doc. 56-11 at 14-16). Ms. Hernandez indicates that she learned of the fraudulent ACH payment via a conversation with Ms. Holm, but Mr. McGregor testified that he was the one who spoke with Ms. Hernandez. (See Doc. 56-2 at 7475).
Which of Plaintiffs' representatives spoke with Ms. Hernandez appears to be immaterial.
Defendant's representative later wrote in an email that by around 5:42 p.m, Defendant had placed seven fraud recalls for each of the wire and ACH transfers at issue in this case. (Doc. 56-12 at 1-3). Defendant successfully recovered approximately $1,000,000 of Plaintiffs' funds, such that Plaintiffs now claim their total loss is approximately $311,640. (Doc. 64-1 at 18; Doc. 56-2 at 80).
The parties disagree as to how the fraudster was able to access the accounts. In short, Ms. Holm testifies that she went to her favorites tab on her web browser, clicked the Fifth Third link that she always used in her favorites tab, and inputted her username, password, and token. (Doc. 56-6 at 39, 47; Doc. 69 at ¶38). Ms. Holm testified that the website “wouldn't let [her] do any banking, so [she] closed the tab out and went on with [her] day.” (Id. at 47-48). Her recollection is that the website was down for maintenance. (Id. at 48).
Fifth Third determined that fraudsters created spoofed websites that appeared similar to the actual Fifth Third website, purchased Google advertisements for websites that would lead to the spoofed websites, and then captured Fifth Third customers' credentials once the customer entered them into the spoofed website. (Doc. 64 at 42, 61, 67, 124; Doc. 56 at ¶¶ 35-37). And that is the method by which Mr. Tyo believes that an attacker could have gotten the token information when it was in Ms. Holm's possession. (Doc. 64-1 at 61; Doc. 56 at ¶ 43).
Plaintiffs filed a Motion for Sanctions addressing this testimony and wish for the Court to exclude it. (See Doc. 57; Doc. 69 at ¶¶ 35-37, 42-43). As set forth more fully below, however, Plaintiffs' request lacks a sufficient basis.
Plaintiffs appear to argue that Ms. Holm was redirected to the spoofed website by Fifth Third's own website. (Doc. 69 at ¶ 38; id. at 19). But they do not cite to any direct evidence to back up that claim, other than Ms. Holm's testimony that she attempted to access Fifth Third Direct via her favorites tab, as is her routine practice. It appears that no other evidence supporting this claim exists in this record. Mr. Tyo states that the Fifth Third Direct website could not have redirected a customer to a spoofed website. (Doc. 64 at 78; Doc. 70 at 13).
PROCEDURAL BACKGROUND
Plaintiffs filed their Complaint in the Circuit Court of the Twentieth Judicial Circuit in and for Collier County, Florida, on November 19, 2021. (Doc. 1-1). The Complaint only contains one count - unauthorized wire transfers under Ohio Revenue Code § 1304.51 et seq. The action was removed to this Court on December 18, 2021, on the basis that diversity jurisdiction exists. (Doc. 1). Alleging that the amount in controversy exceeds $75,000, Defendant explained that Plaintiffs are both Florida corporations with their principal places of business in Florida, while Defendant is an Ohio corporation with its principal place of business in Cincinnati. (Id. at 3). Plaintiffs have not refuted any of these statements.
Defendant filed an answer on January 14, 2022, which included affirmative defenses and a counterclaim for breach of contract/indemnification. (See Doc. 14). Plaintiffs filed an answer to the counterclaim on February 3, 2022. (Doc. 19). The parties filed cross-motions for summary judgment on October 27, 2023. (Docs. 56, 58). Plaintiffs also filed a Motion for Sanctions Concerning Spoliation of Evidence
(Doc. 57) (the “Sanctions Motion”).
SANCTIONS MOTION
Because Plaintiffs' Sanctions Motion, if granted, would affect what facts Defendant can present on summary judgment, the Court addresses that motion first. As discussed below, Plaintiffs argue that Fifth Third Bank failed to preserve certain evidence. (Doc. 57 at 3).
Federal Rule of Civil Procedure 37 governs claims for failure to preserve electronically stored information. It provides, in relevant part:
Failure to Preserve Electronically Stored Information. If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the court:
(1) upon finding prejudice to another party from loss of the information, may order measures no greater than necessary to cure the prejudice; or
(2) only upon finding that the party acted with the intent to deprive another party of the information's use in the litigation may:
(A) presume that the lost information was unfavorable to the party;
(B) instruct the jury that it may or must presume the information was unfavorable to the party; or
(C) dismiss the action or enter a default judgment.
Four threshold elements must be established for Rule 37(e) to apply: (1) there must have been a duty to preserve ESI; (2) the ESI must have been lost or destroyed; (3) a party failed to take reasonable steps to preserve such ESI; and (4) the ESI cannot be restored or replaced through additional discovery. Id. Under subsection (e)(1), a court may only award sanctions if it finds that there is prejudice to another party from loss of the information. Fed.R.Civ.P. 37(e)(1). Under subsection (e)(2), a court may only award sanctions if it finds that the offending party acted with the “intent to deprive” the opposing side of the ESI. Fed.R.Civ.P. 37(e)(2).
Under subsection (e)(1), to determine whether a party was prejudiced, the Court must evaluate “the information's importance in the litigation.” Fed.R.Civ.P. 37 advisory committee's note to 2015 amendment. Under subsection (e)(2), an “intent to deprive” cannot be inferred from a “finding of negligence or gross negligence.” Id. It is “the equivalent of bad faith in other spoliation contexts.” Skanska USA Civ. Se. Inc. v. Bagelheads, Inc., 75 F.4th 1290, 1312 (11th Cir. 2023) (citing Fed.R.Civ.P. 37(e)(2)).
On July 14, 2023, Plaintiffs' counsel deposed Mr. Tyo. (See Doc. 64). During the deposition, Plaintiffs asked Mr. Tyo to explain the subject of a chat log between himself and a member of his team. (Doc. 57 at 7-8). Mr. Tyo explained that Defendant became aware that someone had stood up a “spoofed version, basically a clone” of the Fifth Third Direct portal and his team was looking at a certain user I.D. and trying to understand how that specific I.D. showed up in their analysis. (Doc. 57 at 8; Doc. 64 at 41-43). Mr. Tyo also explained that when the bad actor built the website, “they didn't copy everything they needed over, and so . . . the images . . . like the Fifth Third Direct logo, for example, . . . they actually referenced the image that was hosted on [Defendant's] server.” (Id.) Thus, “the only way that [Defendant] [was] able to see this activity was when someone loaded that bad version of [the] site that the attacke[r] had created, it pulled some images from [their] legitimate site. And [they] were able to see that in the logs.” (Id.) The chat log between Mr. Tyo and a member of his team consisted of the team member describing to him “time stamps and IP addresses saying . . . they . . . saw this activity at these times, loading those images into the spoofed version of the site.” (Doc. 57 at 9; Doc. 64 at 41-43). Plaintiffs indicate that the logs Mr. Tyo referenced are web logs (the “Web Logs”) that Defendant used in its analysis to determine the existence of the spoofed website. (Doc. 57 at 9).
Mr. Tyo further explained that the Web Logs “were in existence on the date of the Chat Logs, June 16, 2020, but are now nonexistent and have not been maintained.” (Doc. 57 at 10; Doc. 64 at 50). Plaintiffs point out that an attorney contacted Defendant regarding the fraudulent wire transfer on their behalf on June 19, 2020, and argue that Defendant should have preserved the Web Logs under applicable law because Defendant “should have reasonably anticipated a potential legal action” based on that correspondence. (Id. at 10-11). As such, Plaintiffs argue that Defendant “had a duty to maintain the Web Logs.” (Id. at 11).
Plaintiffs also argue that the information contained in the Web Logs cannot be obtained elsewhere because Google informed Plaintiffs that it “cannot search for activity on its servers by Plaintiff's IP address and cannot provide any activity log associated with the Spoofed Website without an extended URL identifier, which Defendant had access to.” (Id. at 12).
Plaintiffs opine that the Web Logs are “crucial pieces of evidence” and that “any reference or testimony associated with the Web Logs and any access to a spoofed website by means of a Google search should be excluded as the crucial evidence purporting to evidence this was destroyed.” (Id. at 14). In other words, Plaintiffs believe that it is unfair for Defendant to argue that Ms. Holm must have accessed the spoofed website via a Google search or advertisement (as opposed to via her favorites tab) because Plaintiffs are unable to examine the Web Logs, which they presumably believe would help them confirm whether Ms. Holm accessed a spoofed website by clicking on an advertisement on Google or through her favorites tab.
As a result, Plaintiffs seek imposition of the following sanctions:
a. An adverse inference that Plaintiff[s] did not perform an internet search; and
b. An adverse inference that Plaintiff[s] did not land on a spoofed website; and
c. An adverse inference that Plaintiff[s] did not call a fraudulent number; and
d. To preclude Defendant from arguing any claims associated with Plaintiff[s] browsing the internet, Plaintiff[s] landing on a spoofed website, and Plaintiff[s] calling a fraudulent telephone number.
The Court does not consider whether an adverse inference should be drawn as to a fraudulent phone number because Defendant represents that although the Information Security Division viewed a fraudulent Google ad the fraudster used to lure individuals to the website and to call a telephone number listed on such website, “[i]t is unclear that this was the precise Google ad that Plaintiffs clicked or the same telephone number Plaintiffs may have called.” (Doc. 68 at 17). Indeed, Defendant does not argue in its motion for summary judgment that Ms. Holm called any specific telephone number provided to her by a fraudster. (See Doc. 56).
(Doc. 57 at 18).
Defendant, in turn, makes the following arguments. First, Defendant argues that the information was not lost because the minor portion of the Web Logs relevant to Plaintiffs' claim was preserved when it was copied into the chat logs that were produced to Plaintiffs. (Doc. 68 at 8-9). Thus, the relevant information is not “lost” because it was reproduced in the chat logs. (Id.) Next, Defendant argues that it had no duty to preserve the Web Logs because the information contained in them was not relevant. (Id. at 9-11). Third, Defendant argues that its preservation efforts were reasonable because it has a standard six-month retention period for the Web Logs and such retention period was routinely applied, including to the Web Logs in question. (Id. at 12). Lastly, Defendant argues that an adverse inference is not warranted here because Plaintiffs were not prejudiced (if the Court analyzes the motion under Rule 37(e)(1)) and there is no evidence that it intended to deprive Plaintiffs of the information's use (if the Court analyzes the motion under Rule 37(e)(2)). (Id. at 13-17).
Plaintiffs do not make clear which subsection of Rule 37(e) they intended to move under. Regardless of which subsection the Court analyzes the Sanctions Motion under, however, the adverse inferences sought by Plaintiffs are unwarranted.
Even if the Court were to assume that the four threshold elements of Rule 37(e) have been met, under Rule 37(e)(1), the Court nonetheless does not find that Plaintiffs have been prejudiced due to their inability to review the Web Logs. Plaintiffs indicate that the Web Logs are “crucial,” but do not explain why. (See Doc. 57 at 11, 14). Plaintiffs assert that Defendant used the Web Logs to determine the existence of a spoofed website (Doc. 57 at 9), but despite their requests for an adverse inference, Plaintiffs' theory of how a fraudster obtained Ms. Holm's credentials appears to hinge on the existence of such a spoofed website. For example, in their own motion for summary judgment, Plaintiffs state that “[t]he undisputed evidence shows that [the] redirect to the spoofed website, https://express.53.com.se must have happened during the redirect from Fifth Third Direct to Fifth Third Express.” (Doc. 58 at 13). Moreover, in their response to Defendant's motion for summary judgment, Plaintiffs argue that there is a “question of fact as to how Ms. Holm was directed to the spoofed website given the use of her ‘favorites' and the redirection that should have automatically occurred within the Fifth Third website” (Doc. 69 at 2) and that “Fifth Third acted unreasonably in permitting Ms. Holm to be redirected to a spoofed website” (id. at 19). And in their reply in support of their motion for summary judgment, Plaintiffs state that “Fifth Third's website redirected Bonnie Holm to a spoofed website.” (Doc. 72 at 3).
Because Plaintiffs' only argument with respect to the importance of the Web Logs is that they prove that a spoofed website existed and Plaintiffs do not dispute the existence of a spoofed website, it is unclear how a review of the Web Logs would have provided them with any further information, let alone information that is important to this litigation. See Fed. R. Civ. P 37 advisory committee's note to 2015 amendment.
Moreover, Defendant represents that “the minute portion of the [Web Logs] that is actually relevant to Plaintiffs' claim was in fact preserved-it was copied into the chat logs of the Information Security Division's investigation, which were produced to Plaintiffs.” (Doc. 68 at 8-9; Doc. 64 at 280). And Defendant specifically argues that Plaintiffs have not been prejudiced because they have all of the relevant raw data. (Doc. 68 at 14). Although Plaintiffs obviously could not review the Web Logs because they were unavailable to them, Plaintiffs did not seek leave to file a reply explaining what information they hoped to gain from reviewing the portion of the Web Logs that are reproduced in the chat in their original form or the remainder of the Web Logs.
Upon review of the file and the parties' arguments on summary judgment, the Court cannot fathom what information Plaintiffs hoped to glean from review of the rest of the Web Logs. Accordingly, based on the information provided, the Court finds that because the Web Logs were not important to this matter (and the only portion of them that may have been important was reproduced in a chat log), Plaintiffs were not prejudiced by the destruction of the Web Logs and sanctions under Rule 37(e)(1) are thus unwarranted.
With respect to Rule 37(e)(2), there is absolutely no evidence that Defendant intended to deprive Plaintiffs of the Web Logs. Mr. Tyo testified that the Web Logs were “purged” after six months as part of a standard, routine document retention policy. (Doc. 64 at 52-54; Doc. 68 at 5). Plaintiffs argue that Defendant engaged in “an affirmative act causing the Web Logs to be lost,” but that statement is wholly unsupported by any record evidence. (See Doc. 57 at 11).
“In this Circuit's spoliation precedents, bad faith ‘generally means destruction [of evidence] for the purpose of hiding adverse evidence.” Skanska, 75 F.4th at 1312 (emphasis in original) (citing Tesoriero v. Carnival Corp., 965 F.3d 1170, 1184 (11th Cir. 2020)). Destruction as a part of a routine document retention policy is not necessarily a “get out of jail free” card to avoid Rule 37(e)(2) sanctions. See Skanska, 75 F.4th at 1313 (“[A] hands-off implementation of an ordinary corporate destruction policy is not a silver bullet. We have already explained that we would be ‘highly skeptical of a claim that evidence was unintentionally destroyed ‘pursuant to a routine policy' after a request that the evidence be preserved.”). But here, nothing in the records indicates bad faith on Defendant's part. At most, Defendant was negligent in not realizing that the Web Logs, in their original form, contained evidence that would be relevant to Plaintiffs in this case. Notably, two years after inception of the case, with the benefit of hindsight, the Court is still unsure what information could be gleaned from the raw data in the Web Logs that would help Plaintiffs' case. In fact, the Court is not thoroughly convinced that Defendant was even negligent. In any event, even assuming that Defendant was negligent, mere negligence in destroying evidence does not warrant sanctions. Tesoriero, 965 F.3d at 1186 (in evaluation request for spoliation sanctions, stating that “[m]ere negligence in losing or destroying evidence is not enough to warrant sanctions.... And the right hand not talking to the left is not the same thing as the right hand telling the left to destroy evidence” (citing Bashir v. Amtrak, 119 F.3d 929, 931 (11th Cir. 1997)).
For the reasons set forth above, the Sanctions Motion is DENIED.
SUMMARY JUDGMENT MOTIONS
Summary judgment is appropriate when “there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed.R.Civ.P. 56(a). A dispute is genuine “if the evidence is such that a reasonable jury could return a verdict for the nonmoving party.” Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). A material fact is one that “might affect the outcome of the suit under the governing law.” Id. “[A] mere scintilla of evidence” does not create a genuine issue of material fact, so a nonmoving party may not simply state that “the jury might, and legally could, disbelieve the moving party's evidence.” Hinson v. Bias, 927 F.3d 1103, 1115-16 (11th Cir. 2019) (citation and internal quotation marks omitted).
Courts may not make credibility determinations or weigh the evidence when reviewing the record. Latimer v. Roaring Toyz, Inc., 601 F.3d 1224, 1237 (11th Cir. 2010) (“On summary judgment . . . [n]either [the Eleventh Circuit] nor the district court are to undertake credibility determinations or weigh the evidence.”). Instead, courts view evidence and draw all reasonable inferences in the nonmoving party's favor. Rojas v. Florida, 285 F.3d 1339, 1341-42 (11th Cir. 2002). But an “inference is not reasonable if it is ‘only a guess or a possibility,' for such an inference is not based on the evidence but is pure conjecture and speculation.” Daniels v. Twin Oaks Nursing Home, 692 F.2d 1321, 1324 (11th Cir. 1982).
Plaintiffs assert that they are entitled to recover approximately $300,000 from Fifth Third because Fifth Third authorized fraudulent transfers from Plaintiffs' account to a third-party fraudster. (Doc. 58 at 2). Defendant opines that the parties agreed to commercially reasonable security procedures, and Fifth Third acted in good faith when it received payment orders that were initiated in accordance with the parties' security procedures. (Doc. 56 at 4). In their response to Defendant's summary judgment motion, Plaintiffs argue, seemingly in the alternative, that “[a]t minimum, a question of fact exists as to how Ms. Holm's account was compromised and thus summary judgment is not appropriate.” (Doc. 69 at 20).
This matter is governed by Ohio Revised Code Section 1304.57, which corresponds to section 4A-202 of the Uniform Commercial Code. (See Doc. 5 at 6); see Ohio Rev. Code § 1304.57 (referencing UCC 4A-202). Ohio Revised Code Section 1304.57 provides, in relevant part:
(B)(1) If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if both of the following apply:
(a) The security procedure is a commercially reasonable method of providing security against unauthorized payments order.
(b) The bank provides that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.
Ohio Rev. Code § 1304.57(B)(1).
In other words, the risk of loss for an unauthorized transfer initiated by a fraudster remains with Defendant unless Defendant can show that “(1) the bank and customer agreed that the authenticity of payment orders would be verified pursuant to a security procedure; (2) the agreed-to security procedure is commercially reasonable; and (3) the bank proves that it accepted the orders in good faith and in compliance with the security procedure and any written agreement or instruction of the customer.” Fed. Ins. Co. v. Benchmark Bank, No. 2:17-cv-135, 2020 WL 635654, at *7 (S.D. Ohio Feb. 11, 2020) (quoting Experi-Metal, Inc. v. Comerica Bank, No. 09-14890, 2011 WL 2433383, at *1 (E.D. Mich. June 13, 2011)).
I. Commercial reasonableness of agreed-to security procedures.
Ohio Revised Code § 1304.56 defines “security procedure” as “a procedure established by agreement of a customer and a receiving bank for the purpose of verifying that a payment order or communication amending or cancelling a payment order is that of the customer, or detecting error in the transmission or the content of the payment order or communication.” Ohio Rev. Code § 1304.56. Security procedures “may require the use of algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar security devices.” Id.
Here, the parties agreed that access to some services required “the use of Security Procedures, including for Services obtained through an Access Channel and use of the applicable Credentials.” (Doc. 56-4 at 6). The MTMA specified that “[t]he Security Procedures verify the origin and authenticity of Instructions and communications sent to Bank.” (Id. at 6). Similarly, the OCAA specified that “[a]ccess to [the] Channel Services is subject to Security Procedures.” (Doc. 56-5 at 8). Thus, the Court concludes that the parties agreed to security procedures as defined in Ohio Rev. Code § 1304.56. Indeed, the parties do not seem to argue otherwise. (See Docs, 56, 58). But the parties disagree as to what security procedures they agreed on, whether such procedures were commercially reasonable, and whether Defendant has proved that it accepted the orders in question in good faith and in compliance with the security procedures.
“Security Procedures” is a defined term in the MTMA, meaning “the Credentials, call-back protocols, and other systems or procedures provided by Bank or its Processors for authenticating Instructions, transactions, and use of the Services.” (Doc. 56-4 at 18). In the OCAA, “Security Procedures” means “use of Credentials, call back protocols, tokens, software and other systems or procedures to verify the authenticity of the use of a Channel Service.” (Doc. 56-5 at 5).
Plaintiffs argue that the algorithm used by Defendant is one of the security procedures that the parties agreed to because it is “exactly the type of ‘software and[/or] other systems or procedures to verify the authenticity of the use of a Channel Service” contemplated by the parties in the OCAA. (Doc. 69 at 11-13). Defendant disagrees, asserting that “a bank's internal fraud detection procedures are not ‘security procedures' under Ohio Rev. Code § 1304.57.” (Doc. 56 at 16). In support of its argument, Defendant cites UCC Article 4A-201 comment 1, which states that the term “security procedures” “does not apply to procedures that the receiving bank may follow unilaterally in processing payment orders.” (Doc. 56 at 16).
The Court need not decide whether the algorithm is a part of the security procedures because, even if the security procedures consisted solely of the use of a username, password, and token code, Plaintiffs have admitted that such procedures are commercially reasonable. (Doc. 58 at 12). Commercial reasonableness of a security procedure is a question of law. Ohio Rev. Code § 1304.57(C). For the reasons set forth below, independent of Plaintiffs' admission, the Court finds that the required use of a username, password, and token code, under these circumstances, was commercially reasonable. It would defy logic if further procedures, such as an algorithm-based test, when used in addition to procedures that the Court has found are commercially reasonable, would suddenly make such procedures commercially unreasonable.
“A security procedure is not commercially unreasonable simply because another procedure might have been better or because the judge deciding the question would have opted for a more stringent procedure.” Ohio Rev. Code § 1304.58 comment 4. “The standard is not whether the security procedure is the best available. Rather it is whether the procedure is reasonable for the particular customer and the particular bank, which is a lower standard.” Id. (emphasis added). Thus, in determining commercial reasonableness, the Court considers (1) “[t]he wishes of the customer expressed to the bank;” (2) “[t]he circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank;” (3) “[a]lternative security procedures offered to the customer;” and (4) “[s]ecurity procedures in general use by customers and receiving banks similarly situated. Id. at § 1304.57(C)(1)(a)-(d).
Here, there is no record evidence that Plaintiffs expressed any specific wishes to Defendant with respect to any security procedures or that Defendant knew of any specific circumstances that would affect the security procedures. But there is record evidence that Plaintiffs rejected a further security procedure that would enable “Dual Administration Control,” requiring two administrators to establish a User in the Fifth Third Direct system even though the form stated that Defendant “strongly recommends enabling” it. (Doc. 56-8 at 3). Ms. Holm, who signed the form, indicated that the checkmark declining such procedure was ticked by Defendant, stating “I didn't put that checkmark there.” (Doc. 58-1 at 81). When asked whether she “ask[ed] the bank to change it,” she responded “[n]o.” (Id. at 81-82). Regardless of who checked the box, Ms. Holm signed the form and effectively rejected the alternative additional security procedure by allowing the ostensibly incorrect box to remain checked. (Doc. 56-8 at 3). Finally, Defendant's expert concludes that the use of a username, password, and token code were “commercially reasonable, suitable, and complied with industry standards and practices,” citing to materials by the Federal Financial Institutions Examination Council (FFIEC), the FBI, and the Association for Financial Professionals. (Doc. 56-13 at 16-18). Plaintiffs do not object to this opinion and provide no evidence to counter it.
The Court finds Plaintiffs' arguments as to Ms. Holm's testimony that “she did not choose to reject the DAC procedure” wholly unavailing as a matter of law. (See Doc. 69 at 13-16). Ms. Holm signed the Assignment Request Form and there is no evidence of fraud that induced her signature. Thus, her later testimony that she did not mean to sign the document rejecting the Dual Administration Control, taken as true because the Court cannot make credibility determinations at this stage, is irrelevant. Orrand v. Scassa Asphalt, Inc., No. 2:12-cv-1131, 2014 WL 4272722, at *6-7 (S.D. Ohio Aug. 29, 2014) (“It will not do for a man to enter into a contract, and, when called upon to respond to its obligations, to say that he did not read it when he signed it, or did not know what it contained.... A contractor must stand by the words of his contract; and, if he will not read what he signs, he alone is responsible for his omission.”) (quoting McAdams v. McAdams, 80 Ohio St. 232 (Ohio 1909)), aff'd, 794 F.3d 556 (6th Cir. 2015).
Plaintiffs' only argument is that “it is not commercially reasonable for Fifth Third to redirect its customers from one website to another.” (Doc. 58 at 12). Indeed, it is undisputed that when a customer visits “Fifth Third Direct,” the customer is automatically redirected to “Fifth Third Express.” (Doc. 64 at 15-16; Doc. 58 at ¶ 25; Doc. 70 at ¶ 25). Although it is true that the FFIEC Guidance provides that internet browsers should be prevented from allowing redirects, Plaintiffs' argument is confused because the redirect from Fifth Third Direct to Fifth Third Express is not a security procedure. Thus, whether such redirect is compliant with the FFIEC's recommendations is not relevant to whether the security procedures agreed to by the parties are commercially reasonable.
Moreover, a security procedure is deemed commercially reasonable if (1) “[t]he security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer” and (2) “[t]he customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer.” Id. at § 1304.57(C)(2)(a)-(b). As to the first factor, the Court has already found that Plaintiffs refused Dual Administration Control, which the Court finds would have been commercially reasonable under the circumstances. (See Doc. 56-8 at 3; see also Doc. 56-13 at 15 (“If Harborview had implanted Dual Control when they were given the choice on August 27, 2018, there would have been no loss.”)). And, as to the second factor, the MTMA states that “[i]f Bank accepts and acts in good faith on a Payment Order issued . . . in Customer's name and in accordance with the Security Procedures . . . the Payment Order is effective . . . whether or not it is authorized, and Customer is bound by it ....” (Doc. 56-4 at 7).
Thus, having reviewed the parties' arguments, and in light of the evidence supporting each of the factors in each of the tests under Ohio Revised Code § 1304.57(C), the Court finds that the agreed-to security procedures are commercially reasonable under these specific circumstances.
II. Whether Defendant accepted the fraudulent orders in good faith, in compliance with the agreed-to security procedures, and any written agreement or instruction from Plaintiffs.
Plaintiffs argue that even if the security procedures were commercially reasonable, Defendant nevertheless did not process the fraudulent payment orders in good faith. (Doc. 58 at 14-21). Defendant disagrees. (Doc. 56 at 22-25). “Whether the receiving bank complied with the procedure is a question of fact.” Ohio Rev. Code § 1304.58 comment 4.
Under the Ohio Revised Code, “good faith” is defined as “honesty in fact and the observance of reasonable commercial standards of fair dealing.” Ohio Rev. Code § 1304.51(A)(9) (indicating that “[g]ood faith has the same meaning as in section 1301.201 of the Revised Code); Ohio Rev. Code § 1301.201(B)(20). This definition has both a subjective (“honesty in fact”) and objective (“observance of reasonable commercial standards of fair dealing”) component. Benchmark, 2020 WL 635654, at *12; see also Regions Bank v. Kaplan, No. 17-15478, 2021 WL 4852268, at *11 (11th Cir. Oct. 19, 2021) (analyzing similar language in a different statute and stating that the “honesty in fact” component is subjective, while the “fair-dealing” component is objective). Plaintiffs do not argue and this Court does not find that Defendant neglected to accept the payment orders honestly. The Court has not identified anything in the record to suggest such. Thus, the Court will focus its analysis on the objective prong.
“[T]he objective good faith inquiry concerns a bank's acceptance of payment orders in accordance with those security procedures” and any written agreement or instruction of the customer.” Benchmark, 2020 WL 635654, at *12 (citing Choice Escrow and Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611, 623 (8th Cir. 2014)). “‘[T]echnical compliance is not enough under Article 4A; instead the bank must abide by its security procedures' and any written agreements or instructions of the customer ‘in a way that reflects the parties' reasonable expectations as established by reasonable commercial standards of fair dealing.'” Id. (quoting Choice Escrow, 754 F.3d at 623) (alterations omitted).
After careful review and viewing the evidence in the light most favorable to the non-moving parties, the Court is satisfied that Defendant acted in good faith in processing the payment orders. Defendant's expert, Mr. Litster, the only expert who has opined on whether Defendant acted in good faith, concludes that the actions taken by Defendant “were taken in good faith, in addition to meeting or exceeding standards of commercial reasonableness.” (Doc. 56-13 at 19). Mr. Litster's reasoning is that Defendant “executed transfers from the Fifth Third Direct platform only after [Plaintiffs'] employee's user name, password, and token code were supplied to [Defendant].” (Id.) And when Defendant's “internal processes detected potential suspicious activity, they immediately and diligently followed up on those alerts, significantly reducing the loss due to fraud.” (Id.) Mr. Litster explains:
It is extremely difficult to assess whether or not Fifth Third's response time met or exceeded “industry standards.” The reason: Banks simply do not share that information with anyone outside their immediate department or operating group. To do so would potentially expose that information to fraudsters, who would utilize it when targeting that bank's customers. That said, in my professional, expert opinion, . . . [Defendant]'s time in detecting the fraud, reaching out to the customer, and moving to stop the fraudulent transfers not only met industry standards, but was an exceptional effort.(Id.) Mr. Litster's testimony is uncontroverted. The record is dehors evidence that Defendant failed to abide by commercially reasonable standards of fair dealing.
Moreover, as in Benchmark, Plaintiffs were aware that pursuant to the MTMA, “[t]he Security Procedures are not designed to detect errors in any Instruction to [the] Bank.” (Doc. 56-4 at 7); Benchmark, 2020 WL 635654, at *12 (explaining that the banking customer “was aware that pursuant to the ACH Agreement executed between the parties, the purpose of the security procedures in place was ‘for verification of authenticity and not to detect an error in the transmission or content of an Entry”). Specifically, the Benchmark court found that the banking customer “knew that Benchmark [Bank] employees were not checking whether a receiving entity had a relationship to or prior history with [the banking customer], whether a recipient's name was of Eastern European origin, or where an originating IP address was located.” 2020 WL 645654, at *12. Here, too, Plaintiffs knew or, having read the MTMA, should have known, that Defendant was not specifically monitoring its instructions for specific names or IP addresses.
Plaintiffs' protestations that they “had the reasonable expectation that [Defendant] would inquire into every transaction with a requisite Activity Score” is nothing more than Monday morning quarterbacking. (Doc. 58 at 17). Plaintiffs have pointed to absolutely no evidence in the record that would indicate that they should have reasonably expected Defendant to flag all transactions with a requisite Activity Score or that failure to flag every transaction with a requisite Activity Score is a failure to act within reasonable commercial standards. Indeed, the MTMA states that Defendant applies software and other programs to “select certain Instructions for further review and verification” but the MTMA also states that Defendant “has no obligation to use or comply with any such Additional Programs, and [Plaintiffs] agree[d] that these additional procedures are NOT a substitute for proper Account controls and management on its part.” (Doc. 56-4 at 7-8).
The Court notes that Plaintiffs also rely wholly on counsel argument to make this point, rather than evidence in the record, which is inappropriate at this stage of the proceedings. See Lehrfield v. Liberty Mut. Fire Ins. Co., 396 F.Supp.3d 1178, 1183 (S.D. Fla. 2019) (stating that “attorney argument is not evidence”) (citation omitted); see also Bryant v. U.S. Steel Corp., 428 Fed.Appx. 895, 897 (11th Cir. 2011) (“True, her attorney argues that her recollection had been refreshed, but counsel's argument is not evidence,” and affirming summary judgment).
Indeed, the only record evidence about how activity scores are used is Defendant's response to Plaintiffs' interrogatories, stating that “the activity score number is utilized by [Defendant's] Fraud Analyst in their analysis of various transactions after a fraud alert has already been triggered. In other words, the activity score does not play a role in whether a specific transaction is flagged for review.” (Doc. 58-7 at 7) (emphasis added). It is an after-the-fact investigatory tool.
Plaintiffs' citation to Experi-Metal does not help their argument. (See Doc. 58 at 17-18); see Experi-Metal, Inc., 2011 WL 2433383. First, that case is not binding on this Court. But even if it were, that case is distinguishable from this case. In Experi-Metal, the court found that the defendant failed to satisfy its burden of showing that it satisfied the good faith requirement, but that opinion seems to be based, in large part, on the Court's finding that the defendant's expert was “not qualified to provide an expert opinion with respect to the reasonable commercial standards of fair dealing applicable to banks responding to phishing incidents due to his admitted lack of experience as a banker with Internet banking systems, specifically online wire transfer activity and ‘phishing' issues.” Experi-Metal, Inc., 2011 WL 2433383, at *12-13. Here, Mr. Litster-again, the only expert opining on whether Defendant acted in good faith-appears eminently qualified to opine on the commercial reasonableness of Defendant's actions. (See Doc. 56-13 at 2, 22). And Plaintiffs have not objected to Mr. Litster's testimony or argued that it should be limited in any way.
Next, Plaintiffs argue that Defendant failed to act in good faith when its employees only spoke to Plaintiffs about the one (first) ACH transaction and not the previous wires before then that were flagged by Plaintiffs as unauthorized after this ACH transaction. (Doc. 58 at 20-21). This argument is based on an email change between Defendant's employees, which Plaintiffs interpret to be an “acknowledg[ment] that the fraud analyst should have reviewed the full account but did not.” (Id. at 20). The Court does not agree with this interpretation of the emails-they neither establish that an analyst should have reviewed the whole account nor that he did not.
The Court also disagrees with Plaintiffs' contention that if Defendant “had enough information to automatically suspend at least one fraudulent transaction,” it was not good faith to “ignore[] the same indicia thereof in multiple subsequent transactions.” (Doc. 69 at 18). It is undisputed that thirteen payments via ACH and wire transfers were approved after the 2:07 p.m. ACH was flagged as fraudulent. (See Doc. 56-10). But Mr. Litster acknowledged that the fraudster was logged onto Fifth Third Direct for almost two-and-one-half hours and that the fraudster initiated seventeen wires and ACH payments from the accounts. (Doc. 5613 at 6). Mr. Litster also acknowledged that Defendant's personnel identified multiple wire transfers and ACH payments after a 3:30 p.m. phone call with Ms. Hernandez. (Id. at 7). But Mr. Litster still found that Defendant's efforts “in responding to the suspicious activity alert, reaching out to [Plaintiffs], and working to maximize the recovery of funds that the fraudster attempted to steal were commercially reasonable, and met or exceeded the standards and practices in the banking industry.” (Doc. 56-13 at 19). Plaintiffs have provided no evidence to rebut Mr. Litster's expert opinion. In other words, there is no genuine issue of material fact.
Finally, Plaintiffs argue that they had a reasonable expectation that the redirect on Fifth Third's website would not bring Ms. Holm to a spoofed website. (Doc. 69 at 19-20). But there is no evidence in the record before this Court that Fifth Third's website redirected Ms. Holm to a spoofed website. (Contra Doc. 56-13 (“Fifth Third personnel have testified that on May 27, 2020, the Fifth Third Direct website was not ‘down for maintenance' at any time. Fifth Third personnel also testified that the Fifth Third Direct website was not ‘hacked' in May of 2020, and there was no possibility of ‘redirection' from the actual Fifth Third Direct website to a spoofed website.”)). There is only Plaintiffs' attorney's conjecture (see id.; see also Doc. 72 at 3), which is not evidence relevant at the summary judgment stage. See Lehrfield, 396 F.Supp.3d at 1183; see also Bryant, 428 Fed.Appx. at 897.
Plaintiffs' argument that Defendant failed to act in good faith amounts to, at worst, pure attorney argument--not evidence--which a jury would be instructed that it could not consider as evidence. See Hinson, 927 F.3d at 1115-16 (“It is not enough for the nonmoving party to ‘merely assert[] that the jury might, and legally could, disbelieve' the moving party's evidence.... Instead, the nonmoving party must present ‘affirmative evidence' that would allow a reasonable jury to rule for him") (quoting Anderson, 477 U.S. at 252). Neither save Plaintiffs from summary judgment. In short, the Court grants Defendant's motion for summary judgment because viewing the paucity of evidence presented by Plaintiffs in the light most favorable to them, Plaintiffs have not come close to rebutting Defendant's expert testimony that Defendant acted in a manner comporting with commercially reasonable standards.
CONCLUSION
For the reasons set forth above, Defendant's Motion for Summary Judgment (Doc. 56) is GRANTED, Plaintiffs' Motion for Sanctions (Doc. 57) is DENIED, and Plaintiffs' Motion for Summary Judgment (Doc. 58) is DENIED. No later than August 1, 2024, Defendant must inform the Court as to how it wishes to proceed with its counterclaim for breach of contract/indemnification (Doc. 14 at 14-15) in light of this Order. Moreover, this Order has been temporarily entered under seal because it references certain documents that were filed under seal. (See Docs. 64, 64-1). It appears to the Court that there is no information herein that would justify this Order remaining under seal and will remove the seal on August 1, 2024, unless either of the parties requests otherwise before that date. To be clear, the documents previously filed under seal (Docs. 64, 64-1) will remain under seal.
The Court recognizes the parties' frustration here, and it has done its best to ferret out Plaintiffs' claim. Given the disposition of the motions here, the Court urges the parties to amicably come to resolution on Defendant's counterclaim; that is, should Defendant decide that it is prudent to move forward on its breach of contract/indemnification counterclaim in the first instance. Should Defendant move to dismiss its counterclaim, the Court would be inclined to grant the motion and dismiss it without prejudice.