Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case. Ltd. v. Hosting Services, Inc.

United States District Court, D. Utah, Central Division

February 2, 2017

HOSTING SERVICES, INC. a/k/a 100TB.COM, Defendant.


          Paul M. Warner Chief United States Magistrate Judge.

         Pursuant to 28 U.S.C. § 636(c), the parties consented to have Chief United States Magistrate Judge Paul M. Warner conduct all proceedings in this case, including trial, entry of final judgment, and all post-judgment proceedings.[1] Defendant Hosting Services, Inc., also known as (“100TB”), has motioned the court to dismiss the above captioned case pursuant to Rule 12(b)(1) and Rule 12(b)(6) of the Federal Rules of Civil Procedure.[2]

         On January 20, 2017, the court heard oral argument on 100TB's motion.[3] At the hearing, Plaintiff Limited (“Xat”) was represented by Romaine C. Marshall and Engels Tejeda. 100TB was represented by Paul G. Karlsgodt and Patricia W. Christensen. At the conclusion of the hearing, the court took the motion under advisement. Now being fully advised, the court renders the following Memorandum Decision and Order.


         Xat is a social networking website that allows users to exchange instant messages.[4]100TB provides web hosting services.[5] In 2008, Xat utilized 100TB to host Xat's servers.[6] While Xat's complaint is vague about what 100TB's hosting services entail, it appears that 100TB's hosting services involve 100TB ensuring the physical security and stability of Xat's servers as well as protecting Xat's servers from digital invasion from unauthorized third parties.

         A. The Master Service Agreement

         On October 13, 2008, the parties executed a Master Service Agreement (“MSA”).[7] The MSA outlines the parties' rights and obligations governing 100TB's hosting services. At issue in 100TB's motion is to what extent 100TB is liable under the terms of the MSA.

         The MSA provides several stipulations regarding 100TB's liability and indemnification responsibilities. For example, ¶ 9(a) states:

[100TB agrees to] indemnify, defend and hold [Xat], [Xat's] employees, directors and officers . . . from any and all third party actions, liability, damages, costs and expenses (including, but not limited to, those attorneys' fees and expenses charged to [100TB]) arising from, or relating to, personal injury or property damage resulting solely from our gross negligence or willful misconduct . . . .[8]

         Paragraph 11 states:


         Paragraph 11 goes on to state that 100TB's “maximum liability shall be one (1) month's fees (or the equivalent thereof) actually received by [100TB] during the month prior to [Xat's] claim.”[10] Paragraph 11 further stipulates that 100TB's “obligation to indemnify” Xat under the terms of ¶ 9 is not limited by ¶ 11.[11]

         Additionally, the MSA establishes certain promises and standards of care governing 100TB's hosting services. For example, the MSA represents that 100TB has “received ‘Safe Harbor' certification under U.S. - EU, and U.S. -Swiss safe harbor frameworks.”[12] Under the U.S. - EU, and U.S. -Swiss Safe Harbors (collectively “Safe Harbors”), “[o]rganizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.”[13]

         Moreover, 100TB agreed to utilize “industry standard methods” to secure Xat's property.[14] 100TB also promised to “[m]onitor the network, physical infrastructure, servers and applications on a 24x7x365 basis.”[15] Furthermore, 100TB's Privacy Policy, incorporated in the MSA, prohibits 100TB from sharing Xat's user data with third parties unless otherwise permitted by 100TB's Privacy Policy.[16]

         B. Hacking of Xat's Servers

         In 2015, Xat alleges that 100TB allowed an unauthorized third party to access Xat's servers. Xat claims that over a ten month period, Xat repeatedly warned 100TB that an unauthorized third party was attempting to gain access to Xat's servers through “social engineering.”[17] Xat asserts that in response to those repeated warnings, 100TB assured Xat that access to its servers would be denied and suggested that Xat take certain steps to further secure its servers.[18] Xat contends that while it complied with 100TB's instructions, 100TB nevertheless granted a third party unauthorized access to Xat's servers.

         Specifically, on November 4, 2015, an unknown third party was granted access to Xat's servers.[19] The third party allegedly damaged and disabled Xat's servers and stole Xat's proprietary software, including Xat's main database.[20] Subsequently, Xat requested that 100TB secure and power down Xat's servers until it could contain the intrusion.[21] Xat alleges that 100TB did not power down at least three of Xat's servers, did not turn on 100TB's two-factor authentication, and failed to back up the data on Xat's servers.[22]

         On November 8, 2015, 100TB again granted a third party access to Xat's servers.[23]During this second incident, the third party accessed Xat's proprietary log files, databases, source code, and software, and erased system log files from Xat's server.[24]

         Following the attacks, Xat filed the instant lawsuit asserting claims against 100TB for gross negligence, breach of the MSA, unjust enrichment, and equitable indemnification. Xat alleges that it has suffered at least $500, 000 in damages as a result of the hacking incidents, including the cost of containing the cyberattacks, the value of lost, stolen, or deleted data, and lost revenue and profit.[25] Additionally, Xat alleges that it has incurred costs with reporting the cyberattack to the United Kingdom's Information Commissioner's Office as well as cooperating with the appropriate authorities and governmental agencies investigating the cyberattacks.[26]

         Furthermore, Xat seeks a court order:

requiring 100TB to indemnify Xat for any claims related to the Cyberattacks asserted by any third party, including any claims asserted by any regulatory authority or any individual or entity whose information was or may have been exposed during the Cyberattacks, and for any costs and attorneys' fees incurred by Xat related to any of the foregoing . . . .[27]

         In response, 100TB filed the instant motion to dismiss.


         In deciding a motion to dismiss under Rule 12(b)(6) of the Federal Rules of Civil Procedure, the court presumes the truth of all well-pleaded facts in the complaint, but need not consider conclusory allegations. Tal v. Hogan, 453 F.3d 1244, 1252 (10th Cir. 2006), cert. denied, 549 U.S. 1209 (2007). The court is not bound by a complaint's legal conclusions, deductions, and opinions couched as facts. Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 565 (2007). Further, although reasonable inferences must be drawn in the non-moving party's favor, a complaint will only survive a motion to dismiss if it contains “enough facts to state a claim to relief that is plausible on its face.” Id. at 570. “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009).

         Pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure, the court may dismiss a claim for lack of subject matter jurisdiction. Ripeness and mootness challenges are treated as motions to dismiss under Rule 12(b)(1). See SK Fin. SA v. La Plata Cty., Bd. of Cty. Comm'rs, 126 F.3d 1272, 1275 (10th Cir. 1997); Chihuahuan Grasslands Alliance v. Kempthorne, 545 F.3d 884, 891 (10th Cir. 2008).


         It appears to the court that the parties have taken a relatively straightforward motion to dismiss and beaten a dead horse, so to speak. Following the routine briefing on 100TB's motion to dismiss, the court granted Xat's motion to file a sur-reply.[28] Prior to the court's ruling, 100TB responded to Xat's sur-reply and Xat responded to 100TB's response to Xat's sur-reply.[29] The court routinely grants sur-replies with the expectation that counsel will only use sur-replies in narrow circumstances to aid the court. The sur-reply and subsequent responses from counsel were unhelpful and merely rehashed arguments already discussed ad nauseam in the briefing. The court reminds counsel of their obligation to aid the court in ensuring the “just, speedy, and inexpensive determination of every action and proceeding.” Fed.R.Civ.P. 1 (emphasis added). Rehashing arguments for the sake of billable hours and the unmistakable urge to have the last word are antithetical to achieving the inexpensive resolution of this case.

         Turning to the merits of 100TB's motion, after carefully reviewing Xat's complaint- accepting each of Xat's factual allegations as true-Xat's gross negligence claim and unjust enrichment claim are dismissed. Xat's gross negligence claim and the damages associated with it are bargained for and governed by the MSA. Accordingly, the economic loss rule precludes Xat from recovering in tort what it can recover in contract. Likewise, the MSA governs the dispute between the parties and, therefore, Xat has failed to plead a plausible claim for unjust enrichment. With respect to Xat's remaining claims, Xat has alleged sufficient facts to survive a motion to dismiss.

         I. Gross Negligence

         100TB argues that Xat's gross negligence claim seeks “purely economic damages” which are governed by the MSA and, therefore, barred by the economic loss rule.[30] Xat attempts to circumvent the application of the economic loss rule in two ways. First, Xat argues that the Safe Harbors, 100TB's position as a bailee, and the special relationship between the parties, create separate tort duties distinct from the MSA.[31] Second, Xat claims that the economic loss rule does not apply because 100TB's gross negligence resulted in harm to Xat's personal property.[32]

         For the reasons that follow, Xat's gross negligence claim is dismissed. The duties alleged by Xat merely recast 100TB's contractual duties in terms of tort. Moreover, there are no allegations before the court that Xat suffered property damage outside the scope of the MSA. Accordingly, Xat's gross negligence claim is barred by the economic loss rule.

         A. Independent Duty

         “The economic loss rule prevents recovery of economic damages under a theory of tort liability when a contract covers the subject matter of the dispute.” Reighard v. Yates, 2012 UT 45, ¶ 14, 285 P.3d 1168. The purpose underlying the economic loss rule is to mark a “fundamental boundary between contract law, which protects expectancy interests created through agreement between the parties, and tort law, which protects individuals and their property from physical harm by imposing a duty of reasonable care.Davencourt at Pilgrims Landing Homeowners Ass'n v. Davencourt at Pilgrims Landing, LC, 2009 UT 65, ¶ 18, 221 P.3d 234 (quotations and citation omitted).

         The economic loss rule does not apply every time tort and contract claims meet. Under the independent duty principle, if the plaintiff can point to separate duties-one in contract and one in tort-the economic loss rule does not bar a plaintiff's tort claims. See, e.g., Reighard, 2012 UT 45, ¶ 14 (“Whether the economic loss rule applies depends on whether a duty exists independent of any contractual obligations between the parties.” (quotations and citation omitted)); Hermansen v. Tasulis, 2002 UT 52, ¶ 17, 48 P.3d 235 (“When an independent duty exists, the economic loss rule does not bar a tort claim. . . .”). “The independent duty principle is a means of measuring the reach of the economic loss rule.” Reighard, 2012 UT 45, ¶ 14. Where the tortious conduct “does not overlap” with the duties “contemplated in contract, ‘the economic loss rule does not bar a tort claim because the claim is based on a recognized independent duty of care and thus does not fall within the scope of the rule.'” Id. at ¶ 21 (quoting Hermansen, 2002 UT 52, ¶ 17).

         Xat claims that 100TB owes it two duties to Xat that are independent of the MSA. First, Xat argues that the Safe Harbors and corresponding United Kingdom Data Protection Act of 1998 impose an independent duty on 100TB to take certain steps to protect Xat's data.[33]Furthermore, Xat argues that the Safe Harbors apply to 100TB regardless of whether or not the parties executed the MSA. Second, Xat alleges that 100TB, as a bailee of Xat's property, owed Xat an independent duty to protect Xat's data.[34]

         i. Safe Harbors

         Xat's reliance on the Safe Harbors to create an independent duty is without weight. The application of the independent duty principle depends on the duties contemplated in the MSA compared to the duties alleged by Xat. When the duty breached overlaps with a duty contemplated by a contract, any breach must be “enforced pursuant to contract law.” Reighard, 2012 UT 45, ¶ 21 (quoting Grynberg v. Questar Pipeline Co., 2003 UT 8, ¶ 43, 70 P.3d 1). Indeed, the purpose of contract law is to protect “expectancy interests created through agreement between the parties” Sunridge Dev. Corp. v. RB & G Eng'g, Inc., 2010 UT 6, ¶ 28, 230 P.3d 1000 (citations omitted). Therefore, “[a]ll contract duties, and all breaches of those duties-no matter how intentional-must be enforced pursuant to contract law.” Grynberg, 2003 UT 8, ¶ 43.

         In the MSA, 100TB represents that it has “received ‘Safe Harbor' certification under U.S. - EU, and U.S. - Swiss safe harbor frameworks.”[35] According to Xat's allegations, the Safe Harbors require 100TB to “take reasonable precautions” to protect Xat's personal user data from “loss, misuse and unauthorized access, disclosure, alteration and destruction.”[36] By certifying 100TB is compliant with the Safe Harbors, 100TB created an expectancy interest whereby Xat can seek damages for breach. Indeed, if this representation proves to be false-that 100TB is not compliant with the Safe Harbors-Xat has a viable breach of contract claim against 100TB. Furthermore, Xat's argument that 100TB's duties under the Safe Harbors would exist regardless of the MSA is fundamentally flawed. 100TB would not have agreed to host Xat's servers without executing the MSA.[37] Accordingly, Xat has failed to demonstrate the Safe Harbors impose an independent duty not bargained for under the terms of the MSA.

         ii. Bailment Relationship

         In addition to the Safe Harbors, Xat attempts to create a separate tort claim by arguing 100TB breached its duty as a bailee of Xat's data.[38] Xat claims that the “special relationship between the parties” imposes an independent duty of care on 100TB to safeguard Xat's property.[39] Xat's independent duty analysis misses the mark for two reasons.

         First, Xat's bailment argument ignores fundamental principles of bailment law. Xat does not allege that 100TB had the authority to limit Xat's access to Xat's servers. McPherson v. Belnap, 830 P.2d 302, 304 (Utah Ct. App. 1992) (“The bailor must actually or constructively deliver the property to the bailee in such a way as to entitle the bailee to exclude others from possession during the bailment period, including the owner/bailor.”). To the contrary, Xat routinely had access to its servers during ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.