Opinion
22-22454-CIV-MARTINEZ
08-28-2023
JUSTTECH, LLC, Plaintiff, v. KASEY A U.S. LLC, Defendant.
ORDER GRANTING MOTION TO DISMISS
JOSE E. MARTINEZ UNITED STATES DISTRICT JUDGE
THIS CAUSE came before this Court on Defendant's Motion to Dismiss the Complaint (the “Motion”), (ECF No. 15). This Court has reviewed the Motion, pertinent portions of the record, and applicable law and is otherwise fully advised of the premises. Accordingly, after careful consideration, the Motion is GRANTED for the reasons set forth herein.
I. FACTUAL BACKGROUND
Plaintiff JustTech, LLC, is a managed service provider (“MSP”) that provides IT, computer network, print, fax, and copy solution services to its downstream clients in the Mid-Atlantic and Southeast regions. (Compl. ¶ 11, ECF No. 1.) Plaintiff creates, processes, stores, secures, and exchanges electronic data in connection with these services. (AZ.) Defendant Kaseya U.S. LLC is a global technology company that provides MSPs like Plaintiff with IT management and security software and services. (Id. ¶ 16.) Defendant publicly promotes the safety and effectiveness of its software and services against cyberattacks by making representations online and messaging MSP customers. (Id. ¶ 18.)
Since approximately 2016, Plaintiff has paid for Defendant's IT management and security software and services. (Id. ¶ 12.) Plaintiff used Defendant's Virtual System Administrator (“VSA”) software for most of its downstream clients, opting for the on-premises product connected to a local server. (Id. ¶ 13.) In exchange for these services, Plaintiff disclosed its clients' electronic data to Defendant and granted Defendant certain rights to use such data. (Id.) This arrangement was governed by Defendant's end user license agreement (the “EULA”), which users like Plaintiff must agree to without any objections or qualifications when accepting Defendant's software and services. (Id. ¶ 14.) The EULA contains provisions that shield Defendant from liability related to the delivery, performance, or use of its software and services. (Id.) The EULA provides in relevant part that:
Kaseya and its suppliers and licensors shall not be liable or obligated with respect to the subject matter of this agreement... or under any contract, negligence, strict liability or other legal or equitable theory . . . (II) for any cost of procurement of substitute goods, technology, services or rights, or (III) for any incidental, indirect, special, punitive, or consequential damages (including, without limitation, loss of profits, loss of use or data, damage to systems or equipment, business interruption or cost of cover) in connection with or arising out of the delivery, performance or use of the software, documentation, any other materials provided by Kaseya or other services performed by Kaseya ....
[E]xcept for Kaseya's gross negligence or willful misconduct, Kaseya shall not be responsible or liable for the unauthorized access to, alteration of, or deletion, correction, destruction, corruption, damage, loss or failure to secure or store Customer Data.
[T]his Agreement is the entire agreement between Kaseya and Licensee regarding Licensee's use of the Software, and supersedes and replaces any previous communications, representations, or agreements ....(See End-User License Agreement (“EULA”) 5, 8-9, 11, ECF No. 15-1.)
Plaintiff alleges that Defendant understands and has publicly acknowledged that cyberattacks on MSPs present heightened risks and consequences because the attack affects the MSP and its downstream clients. (Id. ¶¶ 20, 24.) Defendant has frequently reported on cyber- and ransomware attacks and provided guidance on how to minimize their associated risks. (Id. ¶ 26.) One risk-prevention method Defendant promotes is to timely discover and “patch” or fix software vulnerabilities. (Id. ¶ 33.) Industry guidelines recommend that third-party users be warned of such software vulnerability risks in a timely manner. (Id. ¶ 31.)
On April 6, 2021, the Dutch Institute for Vulnerability Disclosure (the “DIVD”), an international team of voluntary computer researchers that investigates and reports software vulnerabilities, warned Defendant that its VS A software contained multiple, critical vulnerabilities. (Id. ¶ 36.) These vulnerabilities were critical due to their “zero-day” nature (meaning that hackers could exploit them immediately) and potential to affect Plaintiffs clients in the defense, aerospace, medical, transport, financial, and energy markets. (Id. ¶ 37.) Defendant and the DIVD worked together to address the VS A vulnerabilities, but Plaintiff alleges that progress stalled on patching the vulnerabilities. (Id. ¶ 40.) Scheduled patches of the vulnerabilities were spread out and included dates after the date of the ransomware attack that prompted this dispute. (Id.) Plaintiff alleges that it was unaware of these vulnerabilities in the VS A software, and that Defendant failed to issue any warnings or implement additional cybersecurity measures. (Id. ¶ 41.)
Defendant was also warned of cybersecurity concerns from its own employees in the years leading up to the ransomware attack. (Id. ¶ 44.) Between 2017 and 2020, Defendant's engineers and developers warned the company of these concerns, and other employees reported that company executives were made aware of the numerous problems with the VSA software. (Id. ¶¶ 44M5.) Former employees considered Defendant's decision to outsource work to Belarus, a country with close ties to Russia, as another potential security issue because, Plaintiff alleges, many cybercriminals operate in Russia. (Id. ¶ 46.)
A Russian-based criminal operation known as REvil was determined to be the source of the July 2, 2021, ransomware attack on Defendant's VSA software that disrupted operations for Plaintiff and its downstream clients. (Id. ¶ 47.) REvil completed this attack by exploiting the VSA software vulnerabilities. (Id.) Around 12:30 p.m. on July 2, 2021, over one thousand devices managed by Plaintiff became inaccessible and displayed a document explaining that all of Plaintiffs files had been encrypted by a third party and would not be made accessible until Plaintiff followed further instructions. (Id. ¶¶ 48-49.) Plaintiff was informed it would lose this data if it failed to pay $45,000.00 ransom for each encrypted device. (Id. ¶ 49.) All of Plaintiffs downstream clients connected to the VSA software were affected. (Id. ¶ 50.)
Within eight minutes of the attack, Plaintiff shut down the VSA system and instructed its downstream clients to shut down all computers in their systems until further notice. (Id. ¶ 51.) At 4:00 p.m., Defendant publicly disclosed that a “limited,” “potential” attack on its VSA servers took place that afternoon and recommended users to shut down all VSA servers. (Id. ¶ 52.) Defendant claimed to have followed an “established incident response process to determine the scope of the incident and the extent that our customers were affected.” (Id. ¶ 53.) Defendant believed it had identified the source of the vulnerability and began preparing a patch to mitigate its risks. (Id.) On July 11, 2021, Defendant released a patch to its VSA on-premises customers to restore their service. (Id. ¶ 53.) The attack reached more than fifty MSPs (including Plaintiff) and between 800 and 1500 downstream businesses (including Plaintiffs). (Id. ¶ 58.)
In the aftermath of the attack, Plaintiff ceased normal business operations and devoted considerable resources to help itself and its clients recover data. (Id. ¶ 62.) Plaintiff did not charge its clients for any recovery work performed, including the expenses incurred by hiring outside IT contractors. (Id. ¶¶ 62-63.) Plaintiff claims that it was forced to spend time and money to recruit and train new employees as former employees quit. (Id. ¶ 63.) Plaintiff also alleges that it lost current business and opportunities to secure new business. (Id. ¶ 64.) Further, Plaintiff claims that it is anticipating added expenses from the legal claims pursued by Plaintiffs clients. (Id. ¶ 66.)
After the attack, Defendant began making public statements to reassure its MSP customers of Defendant's commitment to protecting their data. (Id. ¶ 70.) On July 7, 2021, Defendant's CEO, Fred Voccola, promised “direct financial assistance to MSPs” impacted by the attack as part of the “Kaseya Cares 2021” program. (Id. ¶ 71.) Voccola stated that Defendant will “be doing millions of dollars of restitution for all of our customers who have suffered” in an interview the following day. (Id. ¶ 72.) Two days after the initial promise was made to provide “direct financial assistance,” Plaintiff informed its clients that they would not be billed for recovery work related to the attack. (Id. ¶ 74.) In August and September 2021, however, Defendant allegedly notified Plaintiff that it had limited funds available to provide the promised financial assistance and could not compensate Plaintiff for its losses. (Id. ¶ 75.) Plaintiff alleges that Defendant neither deflected responsibility for Plaintiffs losses nor asserted a legal defense to payment during these months. (Id. ¶ 77.)
IL LEGAL STANDARD
A court must grant a motion to dismiss for failure to state a claim when the complaint fails to provide grounds for relief beyond labels and conclusions or a “formulaic recitation of the elements of a cause of action.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). When considering a motion to dismiss, this Court is not required to accept conclusory allegations or legal conclusions as true. See, e.g., Am. Dental Ass'n v. Cigna Corp., 605 F.3d 1283, 1290 (11th Cir. 2005). “While legal conclusions can provide the framework of a complaint, they must be supported by factual allegations. When there are well-pleaded factual allegations, a court should assume their veracity and then determine whether they plausibly give rise to an entitlement to relief.” Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009). Even taking Plaintiffs factual allegations as true, they must be enough to raise a right to relief above the speculative level. See Bell Atl. Corp., 550 U.S. at 555. To satisfy this pleading standard, however, the complaint need not contain detailed factual allegations. Id.
Courts typically “do not consider anything beyond the face of the complaint and documents attached thereto when analyzing a motion to dismiss.” Fin. Sec. Assur., Inc. v. Stephens, Inc., 500 F.3d 1276, 1284 (11th Cir. 2007) (citing Brooks v. Blue Cross & Blue Shield of Fla., Inc., 116 F.3d 1364, 1368 (11th Cir. 1997)). Courts, however, “may consider a document attached to a motion to dismiss without converting the motion into one for summary judgment if the attached document is (1) central to the plaintiffs claim and (2) undisputed.” Day, 400 F.3d at 1276 (citing Horsley, 304 F.3d at 1134).
III. DISCUSSION
Defendant moves to dismiss the Complaint for failure to state a claim for (1) common law gross negligence (Count I); (2) common law negligent misrepresentation (Counts II and III); (3) common law promissory estoppel (Count IV); and (4) Florida's Deceptive and Unfair Trade Practice Act (the “FDUTPA”) (Count V). Plaintiff argues that it sufficiently pleaded a gross negligence claim and justifiably relied on Defendant's extra-contractual statements in pleading its negligent misrepresentation, promissory estoppel, and FDUTPA claims. This Court addresses each argument in turn.
A. Plaintiff's Gross Negligence Claim (Count I) is Dismissed
To state a claim for gross negligence under Florida law, Plaintiff must plead the elements of an ordinary negligence claim-that Defendant owes Plaintiff a duty, Defendant breached that duty, Plaintiff suffered an injury from Defendant's breach, and Plaintiff sustained damages-and
(1) the existence of a composite of circumstances which, together, constitute an imminent or clear and present danger amounting to more than the normal and usual peril; (2) a showing of chargeable knowledge or awareness of the imminent danger; and (3) an act of omission occurring in a manner which evinces a conscious disregard of the consequences.See Santiago v. Honeywell Int'l, Inc., No. 16-cv-25359, 2021 WL 5066924, at *7 (S.D. Fla. Sept. 29, 2021) (quoting Cortes v. Honeywell Bldg. Sols. SES Corp., 37 F.Supp.3d 1260, 1270 (S.D. Fla. 2014)). Defendant argues that Plaintiff fails to state a claim for gross negligence in Count I because Defendant neither owed Plaintiff a duty beyond the obligations imposed by the EULA nor displayed a conscious disregard of “a clear and present danger” to constitute gross negligence. Plaintiff argues in opposition that Defendant owed a duty of reasonable care in providing its software and services to Plaintiff and was grossly negligent in ignoring the dangers posed by software vulnerabilities on MSPs. This Court agrees with Defendant: Defendant owed no independent duty to Plaintiff outside those duties expressly imposed in the EULA, and Plaintiff failed to sufficiently plead that Defendant's actions constituted gross negligence.
1. DEFENDANT OWED NO INDEPENDENT DUTY TO PLAINTIFF OUTSIDE THOSE DUTIES EXPRESSLY IMPOSED BY THE EULA
Count I fails to state a claim for gross negligence because Defendant did not owe Plaintiff a duty beyond the contractual obligations outlined in the EULA. “[T]o set forth a claim in tort between parties in contractual privity, a party must allege action beyond and independent of breach of contract that amounts to an independent tort.” Kaye v. Ingenio, Filiale De Loto-Quebec, Inc., No. 13-61687-CIV, 2014 WL 2215770, at *4 (S.D. Fla. May 29,2014); HTP, Ltd. v. Lineas Aereas Costarricenses, S.A., 685 So.2d 1238, 1239 (Fla. 1996) (“Where a contract exists, a tort action will lie for either intentional or negligent acts considered to be independent from acts that breached the contract.”). Plaintiff must have, therefore, pleaded the required elements of a negligence claim-including a duty independent of the contract-and shown that the tort is independent of an injury caused by the breach of contract. See Kaye, 2014 WL 2215770, at *4. Plaintiff failed to do either. See id.
Under Florida law, the alleged duty owed by a defendant cannot stem from a contractual relationship between the parties to establish a negligence claim. See Elec. Sec. Sys. Corp. v. S. Bell Tel. & Tel. Co., 482 So.2d 518, 519 (Fla. 3d DCA 1986) (finding that defendant's alleged duty to insert advertisement into local newspaper was not independent of contract with plaintiff); Burdick v. Bank of Am., N.A., 99 F.Supp.3d 1372, 1378 (S.D. Fla. 2015) (dismissing a negligence claim where defendants' alleged duties arose from a mortgage contract and promissory note entered into with plaintiff); Stepakoff v. IberiaBank Corp., No. 22-cv-20286, 2022 WL 16555034, at *5 (S.D. Fla. Oct. 31, 2022) (failing to recognize an independent tort where defendant's alleged “baseline duty of care” to plaintiff was based on terms and conditions of a bank account). Where the defendant's liability is governed by a contractual agreement between the parties, the defendant does not owe the injured party a duty of reasonable care when the contract expressly disclaims liability for the alleged injury. Paszamant v. Ret. Accts., Inc., 776 So.2d 1049, 1053 (Fla. 5th DCA 2001).
Here, Defendant did not owe Plaintiff an extracontractual duty of care because their relationship is based on a contract that limits Defendant's liability. Although Plaintiff alleges that Defendant had the duty “to act carefully and to exercise reasonable care in connection with and arising from its providing Plaintiff IT management and security software and services [,]” (see Compl. ¶ 80), the EULA-which undisputedly governs the Parties' relationship, (See Compl. ¶ 14) -does not contain any such language, (See EULA). Plaintiff further argues that Defendant owed it an extra-contractual duty to protect Plaintiffs and Plaintiffs clients' electronic data, (See Pl.'s Resp. 6, ECF No. 18), but the EULA expressly disclaims Defendant's liability for disruptions to its customers' data, (See EULA 5).
Plaintiff cannot, therefore, impute extracontractual duties of care to Defendant, see Paszamant, 776 So.2d at 1053, and Plaintiff does not allege that Defendant had a duty to deliver and oversee the use of its software and services, or duty to protect Plaintiffs' and Plaintiffs' clients' electronic data, beyond the obligations imposed by the EULA, see Elec. Sec. Sys. Corp., 482 So.2d at 519 (affirming trial court's dismissal of a plaintiffs intentional tort claims because claims were based solely on a breach of a contract governing parties' relationship); Stepakoff, 2022 WL 16555034, at *5 (finding that defendant owed no duty beyond those imposed by terms and conditions that governed parties' relationship). Moreover, the EULA governs Defendant's liability and expressly disclaims liability for damages in connection with the delivery, performance, or use of its software and services. (See EULA 9.) In other words, Defendants are not responsible for disruptions and damages that Defendant expressly disclaimed in the EULA, (See EULA 8-9); Paszamant, 776 So.2d at 1053.
Accordingly, this Court finds that Plaintiff failed to sufficiently plead that Defendant owed Plaintiff a duty outside the contractual obligations of the EULA, so Plaintiffs gross negligence claim fails. The Motion is, therefore, GRANTED in this regard, and Count I is DISMISSED.
2. EVEN WERE PLAINTIFF TO HAVE SUFFICIENTLY PLEADED THAT DEFENDANT OWED PLAINTIFF AN EXTRACONTRACTUAL DUTY OF CARE, PLAINTIFF CANNOT PLEAD THAT DEFENDANT WAS GROSSLY NEGLIGENT
Count I also fails to state a claim for gross negligence because Plaintiff cannot sufficiently plead that Defendant's actions leading up to the ransomware attack exhibited a conscious disregard for the dangers associated with software vulnerabilities. Again, to state a gross negligence claim, Plaintiff must, in addition to the elements of negligence, plead
(1) the existence of a composite of circumstances which, together, constitute an imminent or clear and present danger amounting to more than the normal and usual peril; (2) a showing of chargeable knowledge or awareness of the imminent danger; and (3) an act of omission occurring in a manner which evinces a conscious disregard of the consequences.Santiago, 2021 WL 5066924, at *7 (quoting Cortes, 37 F.Supp.3d 12 at 1270).
A conscious disregard of a clear and present danger may be found when those aware of the dangerous conditions ignore prior mishaps. See Moradiellos v. Gerelco Traffic Controls, Inc., 176 So.3d 329, 335 (Fla. 3d DCA 2015) (distinguishing cases where no prior dangerous conditions were reported from cases where prior dangerous circumstances were ignored). Here, Plaintiff failed to allege facts showing that Defendant acted with a conscious disregard for the dangers posed by software vulnerabilities on MSPs. Defendant did not ignore a dangerous condition once it was alerted to it; rather, Defendant took steps to increase security once the DIVD notified it of the VSA vulnerabilities, as exemplified by the scheduled patches. (See Compl. ¶ 40.) Although Plaintiff argues that Defendant failed to prevent, discover, and timely patch software vulnerabilities, (See Compl. ¶ 92), Defendant did not display a conscious disregard for the associated risks because it knew of the heightened risks posed by cyberattacks on MSPs, (see Compl. ¶ 24), and consequently chose not to ignore the dangers presented but rather cooperate with the DIVD to alleviate these dangers, see Moradiellos, 176 So.3d at 336 (“On this record, [the defendant's inaction] created a possibility of harm, which is required to prove simple negligence. But they did not create a condition in which an accident would probably and most likely occur, which is required to prove gross negligence.”); Pyjek, 116 So.3d at 477- 478 (holding that defendant's decision to ignore a dangerous condition despite knowledge of that dangerous condition was evidence of a conscious disregard of a clear and present danger).
Therefore, even had Plaintiff sufficiently pleaded that Defendant owed Plaintiff an extracontractual duty of care, Plaintiff cannot sufficiently plead that Defendant's actions displayed a conscious disregard for the dangers posed by software vulnerabilities. Accordingly, even were Plaintiff to have sufficiently pleaded that Defendant owed Plaintiff an extracontractual duty of care, the Motion would still be due to be GRANTED in this regard, and Count I of the Complaint would still be due to be DISMISSED.
B. Plaintiff's Negligent Misrepresentation Claims (Counts II and III) Are Dismissed
To plead a negligent misrepresentation claim under Florida law, Plaintiff must allege: (1) a misrepresentation of material fact that Defendant believed to be true but which was actually false; (2) Defendant was negligent in making the misrepresentation because it should have known it was false; (3) Defendant intended to induce Plaintiff to rely on the misrepresentation; and (4) Plaintiff was injured acting in justifiable reliance upon the misrepresentation. See McGee v. JP Morgan Chase Bank, NA, 520 Fed.Appx. 829, 831 (11th Cir. 2013) (citing Simon v. Celebration Co., 883 So.2d 826, 832 (Fla. 5th DCA 2004)). Defendant argues that Plaintiff failed to state a claim for negligent misrepresentation because Plaintiff cannot rely on Defendant's extra- contractual representations of its software and services or its restitution efforts. Plaintiff argues in opposition that it justifiably relied on Defendant's promotions of its software and services and promises of compensation given Defendant's prominence in the software security space and financial assets. This Court agrees with Defendant that Counts II and III fail to state a claim because Plaintiff cannot sufficiently justifiably rely on Defendant's extra-contractual representations that are superseded by the EULA. .
1. PLAINTIFF CANNOT SUFFICIENTLY PLEAD THAT IT JUSTIFIABLY RELIED ON DEFENDANT'S PRE-CONTRACTUAL PROMOTIONS OF ITS SOFTWARE AND SERVICES
Plaintiff cannot sufficiently plead that it acted in justifiable reliance on Defendant's representations of its software and services that were later superseded by the EULA. “[A] party cannot recover under a theory of negligent misrepresentation for misrepresentations that are adequately dealt with or expressly contradicted in a later written contract.” Creative Am. Educ., LLC v. Learning Experience Sys., No. 9:14-CV-80900, 2015 WL 2218847 at *4 (S.D. Fla. May 11, 2015). A party cannot allege that it was injured acting in justifiable reliance on a misrepresentation when the statement is directly related to the subject matter of the parties' agreement. See Tyco Safety Prods. Can., Ltd. v. Abracon Corp., No. 08-80604-CIV, 2008 WL 4753728, at *3 (S.D. Fla. Oct. 28, 2008) (dismissing a negligent misrepresentation claim based on the same non-compliant parts complained of in distributor's breach of contract claim); Taylor v. Maness, 941 So.2d 559, 564 (Fla. 3d DCA 2006) (dismissing a negligent misrepresentation claim where conduct complained of could not be differentiated from conduct described in plaintiffs breach of contract claim). Reliance on extra-contractual statements is unjustifiable where the alleged misrepresentations are governed by a contract containing a merger clause. See Altenel, Inc. v. Millennium Partners, LLC, 947 F.Supp.2d 1357, 1370 (S.D. Fla. 2013) (noting that a merger clause can preclude a claim based on extra-contractual representations); Bates v. Rosique, 777 So.2d 980, 982 (Fla. 3d DCA 2001) (prohibiting buyer from taking contradictory position when pleading a misrepresentation claim where governing contract unambiguously superseded prior agreements and representations); Garcia v. Santa Maria Resort, Inc., 528 F.Supp.2d 1283, 1292-- 1293 (S.D. Fla. 2007) (precluding property investors from claiming that their purchases served federal security law purposes where contract stated that property was for personal use only).
Here, Plaintiff cannot allege that it acted in justifiable reliance on Defendant's pre-contractual promotions of its software and services because these alleged misrepresentations relate directly to the products and services the EULA expressly governs. See Tyco Safety Prods., 2008 WL 4753728, at *3 (finding that plaintiff was unable to plead a negligent misrepresentation claim based on the same subject matter covered in the parties' contract). Moreover, Plaintiff cannot justifiably rely on Defendant's pre-contractual statements related to the safety and security of its software and services because the EULA contains a merger clause that supersedes all previous representations. (See EULA 11); Bates, III So.2d at 982 (prohibiting buyer from pleading a position inconsistent with what contract outlined); Garcia, 528 F.Supp.2d at 1292-93 (preventing investors from claiming property served a purpose other than what contract provided). Plaintiff cannot now allege that it detrimentally relied on Defendant's pre-contractual statements because the EULA expressly “supersedes and replaces any previous communications, representations, or agreements . . . whether oral or written.” (See EULA 11.)
Therefore, Plaintiff cannot sufficiently plead that it acted in justifiable reliance on Defendant's representations of its software and services because these statements relate directly to the EULA, and the EULA supersedes all prior statements made by Defendant. Accordingly, the Motion is GRANTED in this regard, and Count II is DISMISSED.
2. PLAINTIFF CANNOT SUFFICIENTLY PLEAD THAT IT JUSTIFIABLY RELIED ON DEFENDANT'S POST-CONTRACTUAL PROMISES OF COMPENSATION
Plaintiff cannot sufficiently plead that it justifiably relied on Defendant's restitution representations due to their relation to the EULA. Even were the facts such that Plaintiff could sufficiently plead justifiable reliance on Defendant's post-contractual promises of compensation, Count III is due to be dismissed because Plaintiff failed to plead justifiable reliance with sufficient particularity.
A negligent misrepresentation claim must satisfy the heightened pleading standard under Federal Rule of Civil Procedure 9(b) to “alert[] defendants to their precise misconduct and protect[] defendants against baseless charges of fraudulent behavior.” Ceithaml v. Celebrity Cruises, Inc., 207 F.Supp.3d 1345, 1352-1353 (S.D. Fla. 2016). Vague and indefinite statements cannot be justifiably relied on to establish a negligent misrepresentation claim. See, e.g., Century 21 Admiral's Port, Inc. v. Walker, 471 So.2d 544, 545 (Fla. 3d DCA 1985). Failure to specify “the who, what, when, where, and how” of alleged misrepresentations precludes a claim for negligent misrepresentation. Ceithaml, 207 F.Supp.3d at 1353 (citing Garfield v. NDC Health Corp., 466 F.3d 1255, 1262 (11th Cir. 2006)). The representations made in a pre-negotiation agreement could not be justifiably relied on because they constituted a mere “agreement to agree” rather than an enforceable promise and imposed no obligations on the party making them. Bankers Tr. Co. v. Basciano, 960 So.2d 773, 777-778 (Fla. 5th DCA 2007).
Statements made during the performance of a contract cannot establish a claim for negligent misrepresentation unless the statements are independent of the contract's subject matter. Altamonte Pediatric Assocs., P.A. v. Greenway Health, LLC, No. 8:20-cv-604-T-33JSS, 2020 WL 5350303, at *5-6 (M.D. Fla. Sept. 4, 2020) (dismissing a negligent misrepresentation claim where alleged misrepresentations were made within contract itself and claim was brought during contractual period). Here, Plaintiff cannot establish a negligent misrepresentation claim based on Defendant's restitution representations because these statements are overly vague and not independent of the substance covered in the EULA. See Century 21 Admiral's Port, Inc., 471 So.2d at 545 (holding that vague or indefinite statements cannot establish justifiable reliance).
Defendant's promises of restitution cannot establish a negligent misrepresentation claim because the details of the compensation are too indefinite to be justifiably relied on. See id. (“We affirm on a holding that since the time for performance was left subject to future agreement, the appellants had no right to rely on the representation made.”). Defendant's announcement that it would provide “direct financial assistance to MSPs” as part of its “Kaseya Cares 2021” program, (See Compl. ¶ 74), does not sufficiently specify who out of the several MSPs affected by the attack will be compensated, what form of compensation will be provided, when the compensation will be provided, or how the compensation will be calculated and, thus, precludes a claim for negligent misrepresentation, see Ceithaml, 207 F.Supp.3d at 1353 (requiring plaintiff to specify “the who, what, when, where, and how” of alleged misrepresentations when pleading negligent misrepresentation claim). Moreover, Defendant's promises cannot be relied on because Defendant's statements do not impose any definite obligations on Defendant or outline definite terms of compensation. See Bankers Tr., 960 So.2d at 777-778 (finding that agreement could not be justifiably relied on because it failed to assign accountability to the parties or set out definite terms).
Further, Plaintiff cannot rely on Defendant's promises of restitution to establish a claim because these statements relate directly to Defendant's contractually defined liability and were made while the EULA was in effect. See Altamonte Pediatric Assocs., 2020 WL 5350303, at *5-6. Just as the alleged misrepresentation regarding the terms of the insurance policy took place while the contract governed the parties' relationship and could not be differentiated from the contract's substance, see id., Defendant's promises to provide “direct financial support” to its MSP customers were made while the EULA controlled Plaintiffs relationship with Defendant and are directly related to the section of the EULA describing Defendant's limited liability, (See EULA 89).
Plaintiff further argues that the restitution representations need not specify all relevant details, (See Pl.'s Resp. 11), but these statements are nevertheless too indefinite to be justifiably relied on because the “who, what, when, where, and how” of Defendant's compensation efforts are left subject to future consideration, see Ceithaml, 207 F.Supp.3d at 1353. Therefore, this Court finds that Plaintiff cannot sufficiently plead that it justifiably relied on Defendant's restitution representations because these statements are too indefinite regarding the terms of compensation and are directly related to Defendant's contractually defined liability.
Accordingly, the Motion is GRANTED in this regard, and Count III is DISMISSED.
C. Plaintiff's Promissory Estoppel Claim (Count IV) is Dismissed
To state a claim for promissory estoppel under Florida law, Plaintiff must allege: (1) the plaintiff detrimentally relied on a promise made by the defendant; (2) the defendant should have reasonably expected the promise to induce action or forbearance on the part of the plaintiff or a third person; (3) that injustice can only be avoided by enforcing the promise. W.R. Townsend Contracting, Inc. v. Jensen Civil Const., Inc., 728 So.2d 297, 302 (Fla. 1st DCA 1999). Defendant argues that Plaintiff failed to state a claim for promissory estoppel because Plaintiff cannot demonstrate that Defendant made any definite promises or that the actions Plaintiff took in response to Defendant's promises of compensation were reasonable and detrimental. Plaintiff argues in opposition that Defendant should have reasonably expected Plaintiff to act on those promises and that Plaintiffs reliance caused it to expend resources and continue its business with Defendant to Plaintiffs detriment. This Court agrees with Defendant that Count IV should be dismissed for failure to sufficiently plead that Plaintiff reasonably and detrimentally relied on Defendant's statements.
The terms of a promise must be definite in relation to the remedy sought to demonstrate reasonableness under a promissory estoppel claim. See Fried v. Stiefel Lab 'ys, No. 1 l-CV-20853, 2012 WL 4364300, at *10 (S.D. Fla. June 8, 2012) (finding discussions of potential compensation between employee and CEO too indefinite to induce reasonable reliance because parties never agreed on method of compensation). It is unreasonable to rely on promises of compensation where the “comprehensive, integrated written contract” that governs the parties' relationship does not mention such compensation. Harris v. Sch. Bd. of Duval Cnty., 921 So.2d 725, 735 (Fla. 1st DCA 2006) (failing to find detrimental reliance on an oral promise of reimbursement where the governing contract made no mention of such reimbursement).
Detrimental reliance on a promise must be demonstrated by the plaintiff taking some action as a result of the defendant's promise that is ultimately detrimental to the plaintiff. See Mangravite v. Univ, of Mia.,No. 10-cv-22895, 2010 WL 4702358, at *3 (S.D. Fla. Nov. 12, 2010) (dismissing claim for promissory estoppel where professor could not demonstrate how he was harmed by accepting job under notion that he would eventually become tenured and was later denied this status).
Here, Plaintiff did not sufficiently plead that the resources it expended constituted a reasonable response to Defendant's restitution representations or that its continued business with Defendant was detrimental. (See Compl ¶ 115.) Defendant could not have reasonably expected Plaintiff to allocate resources to itself and its clients and take responsibility for such expenses when Defendant had not definitively identified how and to what extent it would compensate its MSP customers. See Fried, 2012 WL 4364300, at *10 (lacking grounds to induce reasonable reliance where method of compensation was not solidified). Plaintiff's reliance on Defendant's promises of restitution is, as pleaded, also unreasonable because the EULA does not discuss compensation in response to cyber-attacks. (See EULA at 8-9); Harris, 921 So.2d at 735 (failing to find detrimental reliance where reimbursement was orally promised but not mentioned in parties' contract). Moreover, Plaintiff cannot show that the actions it took in response to Defendant's promises of restitution were detrimental because Plaintiff cannot sufficiently plead how its continued relationship with Defendant in the aftermath of the attack was detrimental to itself or its clients. See Mangravite, 2010 WL 4702358, at *3 (failing to find detrimental reliance where plaintiff received less than anticipated but still benefitted from relationship with defendant).
Because Plaintiff failed to allege that its actions constituted a reasonable response to Defendant's promises of compensation and that it relied on these promises to its own detriment, the Motion is GRANTED in this regard, and Count IV is DISMISSED.
D. Plaintiff's FDUTPA Claim (Count V) is Dismissed
Under Florida law, unfair or deceptive acts or practices in the conduct of any trade or commerce are unlawful. § 501.204(1), Fla. Stat. (2022). To state a claim under FDUTPA, Plaintiff must show: “(1) a deceptive act or unfair practice; (2) causation; and (3) actual damages.” Angelo v. Parker, 275 So.3d 752, 755 (Fla. 1st DCA 2019) (quoting Baptist Hosp., Inc. v. Baker, 84 So.3d 1200, 1204 (Fla. 1st DCA 2012)). An unfair practice “offends established public policy” and is “immoral, unethical, oppressive, unscrupulous or substantially injurious to consumers.” Samuels v. King Motor Co. of Fort Lauderdale, 782 So.2d 489, 499 (Fla. 4th DCA 2001). A deceptive act occurs where there is a “representation, omission, or practice that is likely to mislead consumers acting reasonably in the circumstances, to the consumers' detriment.” State v. Beach Blvd. Auto. Inc., 139 So.3d 380, 387 (Fla. 1st DCA 2014). Under FDUTPA, actual damages are “the difference in the market value of the product or service in the condition in which it was delivered and its market value in thp condition in which it should have been delivered according to the contract of the parties.” Rollins, Inc. v. Heller, 454 So.2d 580, 585 (Fla. 3d DCA 1984). Defendant argues that Count V should be dismissed because Plaintiff failed to sufficiently plead an unfair practice or deceptive act and actual damages as required by the statute. Plaintiff argues in opposition that Defendant's misrepresentations about its software and services and false promises of compensation constitute an unfair practice or deceptive act. This Court agrees with Defendant.
A party cannot demonstrate an unfair practice or deceptive act based on alleged misrepresentations that are expressly contradicted in a written contract when making a FDUTPA claim. TRG Night Hawk Ltd. v. Registry Dev. Corp., 17 So.3d 782, 784-785 (Fla. 2d DCA 2009) (barring a FDUTPA claim based on reliance of alleged misrepresentations where parties entered into a contract disclaiming any prior representations); Rosa v. Amoco Oil Co., 262 F.Supp.2d 1364, 1368-1369 (S.D. Fla. 2003) (dismissing a FDUTPA claim because it was unreasonable to rely on alleged misrepresentations that differentiated from the written contract). FDUTPA claims are also barred where there are no actual damages alleged as defined by the statute. See Rodriguez v. Recovery Performance & Marine, LLC, 38 So.3d 178, 180 (Fla. 3d DCA 2010) (labeling down payment and loan payments for a boat as consequential damages whereas actual damages were limited to the “difference between the market value of the []boat as delivered and its market value as it should have been delivered.”); Urlingv. Helms Exterminators, Inc., 468 So.2d 451,454 (Fla. 1st DCA 1985) (holding that FDUTPA allows a consumer to recover damages for the diminished value of goods or services received but not consequential damages for property related to the consumer's use of such goods or services).
Here, Plaintiff cannot rest its FDUTPA claim on Defendant's alleged misrepresentations of its software and services or promises of restitution because these representations were superseded by the EULA, and Plaintiff failed to allege actual damages in connection with them. Plaintiff cannot depend on Defendant's promotions of its software and services to demonstrate an unfair practice or deceptive act because the EULA expressly replaces all prior representations. (See EULA 11); TRG Night Hawk Ltd., 17 So.3d at 784 (dismissing a FDUTPA claim based on alleged misrepresentations that were expressly disclaimed in a later written contract). Further, Plaintiff cannot rely on the promises of compensation because these statements define Defendant's liability differently from what is outlined in the EULA. See Rosa, 262 F.Supp.2d at 1368 1369 (precluding reliance on statements which differentiate from contract to establish a FDUTPA claim).
Moreover, Plaintiff cannot recover under FDUTPA because it failed to allege actual damages. The expenses Plaintiff incurred while acting under the impression that Defendant would provide restitution cannot be attributed to the value of the VSA software when it was initially delivered to Plaintiff and thus cannot be categorized as actual damages. (See Compl. ¶ 119); see Rodriguez, 38 So.3d at 181. Plaintiffs attempt to recover damages for lost property and business opportunities is barred by FDUTPA as these represent consequential damages stemming from Plaintiffs use of the VSA rather than any defect in the software when it was originally received by Plaintiff. See Urling, 468 So.2d at 454 (denying recovery of consequential damages for property related to consumer's use of goods or services under FDUTPA).
This Court finds that Plaintiff failed to state a claim under FDUTPA because it did not sufficiently plead an unfair practice or deceptive act and actual damages as required by statute.
Accordingly, the Motion is GRANTED in this regard, and Count V of the Complaint is DISMISSED.
IV. CONCLUSION
Accordingly, it is ORDERED AND ADJUDGED that:
1. The Motion, (ECF No. 15), is GRANTED.
2. Counts I-V of the Complaint are DISMISSED.
3. If Plaintiff so chooses, it has until and including Monday, September 11, 2023, to file an amended complaint that addresses the deficiencies set forth herein. Plaintiffs failure to do so will result in dismissal without prejudice and without further warning.
DONE AND ORDERED
While this Court is generally constrained to review the four corners of the Complaint in determining whether to grant a motion to dismiss for failure to state a claim, this Court may consider documents attached to Defendant's Motion when the document “is (1) central to the plaintiffs claim and (2) undisputed.” Day v. Taylor, 400 F.3d 1272, 1276 (11th Cir. 2005) (citing Horsley v. Feldt, 304 F.3d 1125, 1134 (11th Cir. 2002)). Because the EULA is central to the Complaint and it is undisputed that the EULA attached to Defendant's Response to the Motion is authentic, this Court considers the EULA in addressing the Motion. See id.