Opinion
C23-1816-RSM
04-11-2024
ORDER DENYING IN PART AND GRANTING IN PART DEFENDANT'S MOTION TO DISMISS
RICARDO S. MARTINEZ UNITED STATES DISTRICT JUDGE
I. INTRODUCTION
This matter comes before the Court on Defendant Expeditors International of Washington, Inc. (“Defendant”)'s Motion to Dismiss for Failure to State a Claim, Dkt. #14. Plaintiff POC USA, LLC (“Plaintiff”) opposes the Motion. Dkt. #20. For the reasons set forth below, the Court DENIES IN PART and GRANTS IN PART Defendant's Motion to Dismiss.
II. BACKGROUND
The Court adopts the following facts from Plaintiff's Complaint, Dkt. #1.
Defendant Expeditors “is one of the world's largest Third Party Logistics (“3PL”) service providers[.]” In March 2016, Plaintiff entered into a Distributor Services Agreement (“DSA”) with Defendant, outlining that Defendant would receive shipments of products manufactured by Plaintiff, warehouse the products, and ship the products to Plaintiff's customers. Defendant would perform these duties using its own computerized distribution management system, and Defendant was required to provide real-time visibility to Plaintiff of its products.
As part of Defendant's service, Defendant highlighted its included Global Security Team, which “manage[s] Expeditors' systems, processes, and service providers with a consistent approach that enables Expeditors to move cargo within Expeditors' network securely.” Defendant's IT infrastructure and software were chosen and provided by Defendant.
In February 2022, Defendant suffered a cyberattack. Instead of paying a ransom, Defendant shut down most of its operating systems. Defendant did not provide services to Plaintiff for almost 90 days. Due to Plaintiff's business involving selling and shipping seasonal sporting goods, Plaintiff claims economic loss from failure to deliver products for those 90 days plus the loss of customers to other seasonal sporting goods providers.
III. DISCUSSION
A. Legal Standard
Rule 12(b)(6) allows for dismissal of a complaint due to a plaintiff's “failure to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). Dismissal may “be based on the lack of cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory.” Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1988). The complaint must “contain factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face[,]'” requiring more than “an unadorned, the defendant-unlawfully-harmed-me accusation.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)).
When considering a 12(b)(6) motion, the court takes well-pleaded factual allegations as true and views them in a light most favorable to the plaintiff. See Wyler Summit P'ship v. Turner Broad. Sys., Inc., 125 F.3d 658, 661 (9th Cir. 1998). The court does not have to take presented legal conclusions as factual allegations or accept as true “allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences[.]” See Iqbal, 556 U.S. at 678; Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001). “Dismissal without prejudice and without leave to amend is not appropriate unless it is clear . . . that the complaint could not be saved by amendment.” Creech v. Tewalt, 84 F.4th 777, 789 (9th Cir. 2023) (quoting Eminence Cap., LLC v. Aspeon, Inc., 316 F.3d 1048, 1052 (9th Cir. 2003)).
B. Analysis
Defendant does not challenge Plaintiff's claim for breach of contract but argues that Plaintiff's other claims for breach of implied duty of good faith and fair dealing, negligence, gross negligence, unjust enrichment, and violations of the Washington Consumer Protection Act (“WCPA”) should be dismissed. See gen. Dkt. #14. The Court analyzes these claims in turn below.
a. Implied Duty of Good Faith and Fair Dealing
Under Washington law, “[t]here is in every contract an implied duty of good faith and fair dealing” that “obligates the parties to cooperate with each other so that each may obtain the full benefit of performance.” Rekhter v. Dep't of Soc. & Health Servs., 180 Wn.2d 102, 112, 323 P.3d 1036 (2014) (quoting Badgett v. Sec. State Bank, 116 Wn.2d 563, 569, 807 P.2d 356 (1991)). The implied covenant of good faith and fair dealing “cannot add or contradict express contract terms and does not impose a free-floating obligation of good faith on the parties.” Id. at 113. Instead, “the duty arises only in connection with terms agreed to by the parties.” Id. (citations omitted). The duty can arise “when the contract gives one party discretionary authority to determine a contract term.” Id. (quoting Goodyear Tire & Rubber Co. v. Whiteman Tire, Inc., 86 Wn.App. 732, 738, 935 P.2d 628 (1997)).
Defendant argues that Plaintiff cannot bring this claim because Plaintiff “fails to, and cannot, identify a contractual provision obligating Expeditors to prevent and withstand and/or mitigate the impact of a cyber-attack on its services[.]” Dkt. #14 at 10. Plaintiff contends that Defendant breached this implied duty by failing to implement standard industry practices and available cyber protections and an adequate business continuity plan to protect itself and customers from cyber-attacks and their effects. Dkts. #1 at ¶¶ 9, 18-20, 24-31, 58; #20 at 5-9.
The Court finds Plaintiff has sufficiently alleged that Defendant breached its implied duty of good faith and fair dealing. Defendant attempts to circumvent this by saying there is no specific contractual provision obligating it to protect Plaintiff from cyber-attacks but only to upkeep shipment management services. Dkt. #14 at 9. This is obtuse. Defendant chose and operated the computer systems the ransomware breached. Defendant presented itself as having competent security and networks for Plaintiff to rely on. Due to Defendant's computer systems allegedly being vulnerable to a cyber-attack and Defendant's subsequent shutdown, Plaintiff alleges economic harm from Defendant's lacking security. Drawing all inferences in Plaintiff's favor at this stage, the Court finds Plaintiff has sufficiently alleged that Defendant breached its implied duty of good faith and fair dealing to upkeep a safe, reliable, and working software system.
b. Negligence and Gross Negligence
Defendant argues that Plaintiff's negligence and gross negligence claims fail because the parties have no special relationship, there are no allegations of misfeasance, and Defendant owed no duty to pay the ransom demand. Dkt. #14 at 12-16. Thus, Defendant argues that it cannot be held liable for the criminal acts of another. Id. at 12.
Under Washington law, a claim for negligence must allege “(1) the existence of a duty to the plaintiff, (2) a breach of that duty, (3) a resulting injury, and (4) the breach as the proximate cause of the injury.” Degel v. Majestic Mobile Manor, 129 Wn.2d 43, 914 P.2d 728, 731 (1996). The existence of duty “is a question of law and depends on mixed considerations of logic, common sense, justice, policy, and precedent.” Snyder v. Med. Serv. Corp., 145 Wn.2d 233, 35 P.3d 1158, 1164 (2001). “Duty in a negligence action is a threshold question” and “may be predicated ‘on violation of statute or of common law principles of negligence.'” Jackson v. City of Seattle, 158 Wn.App. 647, 244 P.3d 425, 428 (2010) (quoting Burg v. Shannon & Wilson, Inc., 110 Wn.App. 798, 43 P.3d 526, 520 (2002)).
Under Washington law, “an actor ordinarily owes no duty to protect an injured party from harm caused by the criminal acts of third parties.” Parrilla v. King Cty., 138 Wn.App. 427, 157 P.3d 879, 884 (2007). Though the Washington Supreme Court has “not yet found a duty to protect a third party from the criminal acts of another absent a special relationship[,]” it has “recognized under Restatement § 302B that a duty to third parties may arise in the limited circumstances that the actor's own affirmative act creates a recognizable high degree of risk of harm.” Robb v. City of Seattle, 176 Wn.2d 427, 295 P.3d 212, 216 (2013).
Defendant argues that Plaintiff's claims fail because “[t]here was no legal cognizable special relationship” between the parties and no affirmative act of misfeasance by Defendant occurred. Dkt. #14 at 12, 14-15. Plaintiff argues that Defendant's “enhanced duty of care existed independently of the performance of the DSA contract.” Dkt. #1 at ¶¶ 67, 82.
However, as described above, Plaintiff argues that Defendant's failure to implement effective security was an implied breach of the contract. Plaintiff's argument of an independent duty of care appears to be the same argument of Defendant owing Plaintiff under the contract to provide an effective, safe security system through the computer software Defendant chose and operated. Furthermore, “the failure to implement adequate data security measures does not implicate a legal duty on its own.” Buckley v. Santander Consumer USA, Inc., 2018 WL 1532671, at *5 (W.D. Wash. Mar. 29, 2018). The Court finds that Plaintiff's negligence arguments appear duplicative of Plaintiff's contractual arguments. Furthermore, the Court finds no misfeasance occurred to create an enhanced duty of care because Plaintiff's allegations are, at most, allegations of omissions or nonfeasance, which Defendant can only be held liable for if a special relationship exists. See Veridian Credit Union v. Eddie Bauer, LLC, 295 F.Supp.3d 1140, 1157-58 (W.D. Wash. 2017); Guy v. Convergent Outsourcing, Inc., 2023 WL 4637318, at *3 (W.D. Wash. 2023). The Court finds that no special relationship existed beyond a normal duty of reasonable care. Therefore, the Court dismisses Plaintiff's negligence and gross negligence claims.
c. Bailment
Under Washington law, bailment “arises generally when personalty is delivered to another for some particular purpose with an express or implied contract to redeliver when the purpose has been fulfilled.” Eifler v. Shurgard Capital Mgmt. Corp., 71 Wn.App. 684, 689 (1993) (internal quotations omitted). For a bailment of personal property to arise, “there must be a change of possession and an assumption or acceptance of possession by the person claimed to be a bailee.” Collins v. Boeing Co., 4 Wn.App. 705, 711 (1971). An ordinary duty of care is owed unless heightened under the contract. See St. Paul Fire & Marine Ins. Co. v. Charles H. Lilly Co., 48 Wash.2d 528, 536 (1956). Parties to a mutually beneficial bailment can contract to limit negligence, but “[i]t is well settled in Washington that professional bailees may not limit their liability for negligence.” Am. Nursery Products, Inc., v. Indian Wells Orchards, 115 Wn.2d 217, 232 (1990). A professional bailee is someone “who deal[s] with the public on a uniform rather than on an individual basis, including primarily owners of parcel checkrooms, owners of parking places, garagemen, and warehousemen.” Id. at 231.
Plaintiff asserts that “Expeditors is a professional bailee” who engaged in an “unfair and/or deceptive practice . . . to limit its liability under the DSA . . . when it knew and should have known it is a professional bailee . . . prohibited as a matter of public policy from limiting their liability.” Dkt. #1 at ¶¶ 92, 93, 96, 115-16. Defendant argues that it is not a professional bailee because the services offered to Plaintiff were particularized and the alleged bailment was incident to the performance of services for which Defendant received compensation. Dkt. #14 at 18.
According to the DSA, “Expeditors offers distribution services” and “agree[d] to provide customized distribution services” to Plaintiff. Dkt. #1-1. Defendant's services to Plaintiff, per the contract, appear to be particularized and not those of a professional bailee. Id. Plaintiff also states in its Complaint that Defendant's obligations to Plaintiff “were special and unique[.]” Dkt. #1 at ¶ 23. Furthermore, at least one other court found in a different instance that Defendant was not a bailee, leading this Court to construe Defendant not as an entity presenting itself to the public as a professional bailee. See Certain Underwriters at Lloyd's v. Expeditors Int'l of Washington, Inc., 584 F.Supp.3d 860, 874 (C.D. Cal. 2022). The Court concludes that Defendant is not a professional bailee.
The Court also concludes that Plaintiff's bailment claim is duplicative of other claims. Any bailee/bailor relationship between the parties was created by the DSA. Though Plaintiff argues that the DSA does not address the situation at hand, i.e., what happens when Defendant fails to protect it against the impacts of cyberattacks, Plaintiff argues that this protection is part of the DSA through Defendant's providing of the software and security systems. See gen. Dkt. #1; Dkt. #20 at 20-23. If not contractual, Plaintiff argues for unjust enrichment in the alternative. Dkt. #1 at ¶¶ 104-12. The terms of the DSA govern the bailment duties here over the common-law bailment duties and principles. See Pollok v. Vanguard Grp, Inc., 774 Fed. App'x 407, 408 (9th Cir. 2019) (citing Dan B. Dobbs, et al., The Law of Torts § 68 (2d ed. 2019)). Defendant owed a normal duty of reasonable care under the contract as the bailee, and Defendant's alleged breach to provide sufficient services in the wake of cyberattacks is duplicative of other claims. The Court concludes that Defendant is not a professional bailee, and Plaintiff's bailment claim should be dismissed.
d. WCPA
Defendant moves to dismiss Plaintiff's claims under the WCPA because they are based on Defendant's “deceptive” practices as a professional bailee, which Defendant is not. Dkt. #14 at 23. The Court agrees that Plaintiff's claims based on Defendant's alleged deceptive practice of attempting to unlawfully limit its liability as a professional bailee fail. However, the Court finds that Plaintiff has sufficiently alleged WCPA violations to survive Defendant's Motion. See Dkts. #1 at ¶¶ 113-24, #20 at 26.
For a private WCPA action, “a plaintiff must establish five distinct elements: (1) unfair or deceptive act or practice; (2) occurring in trade or commerce; (3) public interest impact; (4) injury to plaintiff in his or her business or property; (5) causation.” Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wn.2d 778, 780 (1986). “Furthermore, as a more general matter, federal courts applying Washington law have consistently found that a ‘failure to employ adequate data security measures' that ‘result in harm to thousands of customers' is sufficient to constitute an ‘unfair' act under the WCPA.” In re Accellion, Inc. Data Breach Litigation, 2024 WL 333893, at *18 (N.D. Cal. Jan. 29, 2024) (citing Veridian, 295 F.Supp.3d at 1162 (W.D. Wash. 2017), Krefting v. Kaye-Smith Enterprises Inc., 2023 WL 4846850, at *8 (W.D. Wash. July 28, 2023), Guy v. Convergent Outsourcing, Inc., 2023 WL 4637318, at *8 (W.D. Wash. July 20, 2023), and Buckley, 2018 WL 1532671, at *4 (W.D. Wash. Mar. 29, 2018)). Given this consistent interpretation, construing all interpretations in Plaintiff's favor at this stage, the Court finds that Plaintiff has sufficiently alleged an “unfair” act by Defendant's failure to upkeep adequate software and security systems to safeguard Plaintiff's business operations.
e. Unjust Enrichment
The Court also concludes that Plaintiff sufficiently alleges a claim for unjust enrichment. As both parties agree, unjust enrichment exists as a remedy when no contract exists but a quasi-contract implied in law “arises from an implied duty of the parties not based on a contract, or on any consent or agreement.” Heaton v. Imus, 93 Wn.2d 249, 252 (1980); Dkts. #14 at 21, #20 at 23. “Unjust enrichment is the method of recovery for the value of the benefit retained absent any contractual relationship because notions of fairness and justice require it.” Young v. Young, 164 Wn.2d 477, 484 (2008). To establish a claim for unjust enrichment, a plaintiff must show that: (1) a benefit was conferred on the defendant; (2) the defendant had knowledge or appreciation of the benefit; and (3) the defendant's retainment of the benefit without payment of its value is inequitable under the circumstances. Id. at 484-85.
Plaintiff argues that its claim for unjust enrichment is plausible “because nothing in the contract expressly addresses what happens in the event of a cyberattack.” Dkt. #20 at 24. Defendant argues that “[i]t is undisputed that [the parties'] relationship is governed by an express contract.” Dkt. #14 at 22. However, Defendant also argues that no contractual provision under the DSA existed to prevent or protect Plaintiff from cyberattacks. Dkt. #14 at 9-11. Therefore, “there is a fundamental dispute between the parties concerning the scope of that contractual relationship and whether it definitively defines [Defendant's] obligation with respect to protecting Plaintiff[.]” In re Cap. One Consumer Data Sec. Breach Litig., 488 F.Supp.3d 374, 412 (E.D. Va. 2020) (considering claims under Washington law). While the Court is skeptical that the value of Defendant's benefit is measured by the cost of the avoided ransom, the Court finds plausible that the benefit conferred was the costs charged by Defendant for Plaintiff's business during the time of the shutdown. See Dkt. #1 at ¶ 108. The Court concludes that, as an alternative to its express breach of contract claim, Plaintiff has plausibly alleged that if its “express contractual relationship does not govern [Plaintiff's] rights with respect to the protection” from cyberattacks and secure software, Plaintiff has a claim for unjust enrichment. Id.
CONCLUSION
Having reviewed the relevant briefing and the remainder of the record, the Court hereby finds and ORDERS that Defendant Expeditors' Motion to Dismiss for Failure to State a Claim, Dkt. #14, is DENIED IN PART and GRANTED IN PART. Plaintiff's claims for breach of contract, breach of implied covenant of good faith and fair dealing, Washington Consumer Protection Act violations, and unjust enrichment STAND. All other claims (for negligence, gross negligence, and bailment) are DISMISSED.