Court Rejects “Obtuse” Defense in a Breach of Contract Claim Relating to a Cyberattack
This case begins with an odd flex, noting that the defendant Expeditors International of Washington, Inc. (Expeditors) “is one of the world’s largest Third Party Logistics (“3PL”) service providers[.]” The court then explains, for the benefit of those of us who do not know that 3PL services existed, that the parties entered into an Distributor Services Agreement (DSA) in 2016, under which Expeditors would receive products from plaintiff POC, USA, LLC (POC), warehouse them, and then distribute them to POC’s customers. Expeditors had a computerized distributions management system for these purposes, which was supposed to provide POC with real-time visibility of its products.
In response to a cyberattack, Expeditors shut down its operations for 90 days. POC alleges that it suffered losses from failure to deliver products during those 90 days and that, as a result of this 90-day hiatus, it lost customers to competitors in the seasonal sporting-goods supply market. POC sued, alleging, breach of contract, breach of implied duty of good faith and fair dealing, negligence, gross negligence, unjust enrichment, and violations of the Washington Consumer Protection Act (“WCPA”). Expeditors moved to dismiss all claims other than the breach of contract claim.
The fun part of the district court’s opinion in POC USA, LLC v. Expeditors International of Washington, Inc. relates to Expeditors argument that it had not breached the duty of good faith and fair dealing. POC alleged the Expeditors had breached the duty “by failing to implement standard industry practices and available cyber protections and an adequate business continuity plan to protect itself and customers from cyber-attacks and their effects.” Expeditors responded that the contract made no mention of a duty to protect against cyberattacks. The court rejects this argument:
This is obtuse. Defendant chose and operated the computer systems the ransomware breached. Defendant presented itself as having competent security and networks for Plaintiff to rely on. Due to Defendant’s computer systems allegedly being vulnerable to a cyber-attack and Defendant’s subsequent shutdown, Plaintiff alleges economic harm from Defendant’s lacking security.
This is good, but I would have preferred “This is obtuse. Periodt!”
The court dismissed POC’s negligence claims because it alleged no special relationship between the parties giving rise to a duty of care other than the one arising from the DSA. The DSA also did not create a bailment, so the court dismissed that claim as well. All other claims survived.