United States District Court District of Massachusetts
) Zoll Medical Corp., ) ) Plaintiff, ) ) v. ) ) Civil Action No. Barracuda Networks, Inc., et al., ) 20-11997-NMG ) Defendant. ) )
MEMORANDUM & ORDER
GORTON, J. This action arises out of a data breach which compromised the confidential, protected health information (“PHI”) of more than 277,000 patients of Zoll Services LLC (“Zoll Services”), an indirect subsidiary of Zoll Medical Corporation (“Zoll Medical”) (together, “Zoll” or “plaintiffs”). Pending before the Court is the motion of defendants Barracuda Networks, Inc. (“Barracuda”) and Sonian Inc. (“Sonian”) (together, “defendants”) to dismiss the complaint filed by plaintiffs. For the reasons that follow, that motion will be allowed in part and denied in part. I. Background Zoll Medical is a Massachusetts-based corporation that develops and markets medical devices and software solutions that help advance emergency health care. It is the indirect parent corporation of Zoll Services, a Nevada-based limited liability company that commercializes the “LifeVest wearable cardioverter defibrillator”. In the course of commercializing that product, Zoll Services often receives emails from physicians containing patient information, such as patient names, addresses,
demographics and health information. In order to manage and secure that data, plaintiffs rely upon a limited number of third-party service providers. To that end, in 2012 Zoll Medical entered into a Hosting Services Agreement (the “Hosting Agreement”) with Apptix, Inc. (“Apptix”) whereby Apptix agreed to provide plaintiffs with a product that would safely store their emails and other data. Apptix has since been acquired by Fusion, LLC (“Fusion”), a New Jersey limited liability company with its principal place of business in Georgia. Separately, in 2014, Zoll Lifecor Corporation, the predecessor to Zoll Services, entered into a Business Associate
Agreement (“the BAA”) with Apptix pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”) wherein Apptix allegedly agreed, inter alia, to use appropriate safeguards to prevent the unauthorized use or disclosure of PHI and to ensure that any of its subcontractors or vendors to whom it provides PHI agreed to do the same. In the course of performing its obligations under the Hosting Agreement and the BAA, Apptix entered into a contract with Sonian to provide its customers with software and related services for the management of customer communications and email (“the OEM Agreement”). Sonian is a Delaware corporation that has since been acquired by Barracuda, another Delaware
corporation with its principal place of business in California. Plaintiffs allege that Barracuda holds itself out to the public as “an expert in data security”, namely, in archiving emails in a secure environment with controls that ensure that only authorized personnel have access to the data stored within the archive. Despite that representation, plaintiffs and Fusion contend that, with respect to their data, Barracuda failed to implement adequate safeguards which ultimately led to the subject data breach. The data breach began on November 8, 2018, when a Barracuda employee allegedly left a data port open in its system during a
standard migration of data within its network. None of Barracuda’s supervisory, security or oversight mechanisms detected the error until approximately seven weeks later, on December 28, 2018. In the meantime, the confidential and protected health information of plaintiffs’ patients was apparently accessed by unauthorized third parties. Barracuda finally contacted Apptix with respect to the data breach in January, 2019, advising that it recently discovered that a very small number of user emails stored in an application known as Sonian EA were compromised as a result of unauthorized access to our system by a third party.
Barracuda informed neither Apptix nor the Zoll plaintiffs that the data port had remained open, undetected for several weeks and, instead, allegedly misrepresented that the data breach was minor. Once Zoll Medical received notification of the breach, it and its subsidiaries began an investigation into the event to determine whether customer PHI had been accessed. As part of that investigation, plaintiffs requested from Barracuda additional information regarding the data breach but Barracuda purportedly refused to cooperate, compelling plaintiffs to hire an independent forensics firm, Kroll, Inc., to assist in the investigation. Thereafter, plaintiffs issued a press release advising the public that its data had been breached, including communications which contained PHI. In April, 2019, a class action lawsuit was filed against Zoll Medical and Zoll Services in the Circuit Court of Kanawha County, West Virginia by individuals claiming that their PHI had been the subject of the data breach. That action has since been settled, leaving Zoll Services liable to its patients for any injury resulting from the “data breach event”. Plaintiffs contend that they have also suffered investigation, mitigation and remediation costs associated with the incident, as well as harm to their reputation. In November, 2020, plaintiffs filed the instant action against Barracuda and Sonian, alleging (1) negligence (Count I);
(2) breach of implied warranty of merchantability (Count II); (3) breach of implied warranty of fitness (Count III); (4) breach of written contract—third party beneficiary (Count IV) and (5) equitable indemnity (Count V). Defendants now move to dismiss the complaint for failure to state a claim. II. Motions to Dismiss A. Legal Standard To survive a motion under Fed. R. Civ. P. 12(b)(6), the subject pleading must contain sufficient factual matter to state a claim for relief that is actionable as a matter of law and
“plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is facially plausible if, after accepting as true all non-conclusory factual allegations, the court can draw the reasonable inference that the defendant is liable for the misconduct alleged. Ocasio-Hernandez v. Fortuno-Burset, 640 F.3d 1, 12 (1st Cir. 2011). When rendering that determination, a court may not look beyond the facts alleged in the complaint, documents incorporated by reference therein and facts susceptible to judicial notice. Haley v. City of Boston, 657 F.3d 39, 46 (1st Cir. 2011). A court also may not disregard properly pled factual allegations even if actual proof of those facts is
improbable. Ocasio-Hernandez, 640 F.3d at 12. Rather, the relevant inquiry focuses on the reasonableness of the inference of liability that the plaintiff is asking the court to draw. Id. at 13. B. Application i. Negligence A plaintiff asserting a negligence claim must establish the basic elements of duty, breach, causation and damages. See Colter v. Barber-Greene Co., 525 N.E.2d 1305, 1313 (Mass. 1988). To state a claim for negligence, a plaintiff typically must allege damages beyond pure economic loss, as “purely economic
losses are unrecoverable . . . in the absence of personal injury or property damage”. FMR Corp. v. Boston Edison Co., 613 N.E.2d 902, 903 (Mass. 1993).
Free access — add to your briefcase to read the full text and ask questions with AI
United States District Court District of Massachusetts
) Zoll Medical Corp., ) ) Plaintiff, ) ) v. ) ) Civil Action No. Barracuda Networks, Inc., et al., ) 20-11997-NMG ) Defendant. ) )
MEMORANDUM & ORDER
GORTON, J. This action arises out of a data breach which compromised the confidential, protected health information (“PHI”) of more than 277,000 patients of Zoll Services LLC (“Zoll Services”), an indirect subsidiary of Zoll Medical Corporation (“Zoll Medical”) (together, “Zoll” or “plaintiffs”). Pending before the Court is the motion of defendants Barracuda Networks, Inc. (“Barracuda”) and Sonian Inc. (“Sonian”) (together, “defendants”) to dismiss the complaint filed by plaintiffs. For the reasons that follow, that motion will be allowed in part and denied in part. I. Background Zoll Medical is a Massachusetts-based corporation that develops and markets medical devices and software solutions that help advance emergency health care. It is the indirect parent corporation of Zoll Services, a Nevada-based limited liability company that commercializes the “LifeVest wearable cardioverter defibrillator”. In the course of commercializing that product, Zoll Services often receives emails from physicians containing patient information, such as patient names, addresses,
demographics and health information. In order to manage and secure that data, plaintiffs rely upon a limited number of third-party service providers. To that end, in 2012 Zoll Medical entered into a Hosting Services Agreement (the “Hosting Agreement”) with Apptix, Inc. (“Apptix”) whereby Apptix agreed to provide plaintiffs with a product that would safely store their emails and other data. Apptix has since been acquired by Fusion, LLC (“Fusion”), a New Jersey limited liability company with its principal place of business in Georgia. Separately, in 2014, Zoll Lifecor Corporation, the predecessor to Zoll Services, entered into a Business Associate
Agreement (“the BAA”) with Apptix pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”) wherein Apptix allegedly agreed, inter alia, to use appropriate safeguards to prevent the unauthorized use or disclosure of PHI and to ensure that any of its subcontractors or vendors to whom it provides PHI agreed to do the same. In the course of performing its obligations under the Hosting Agreement and the BAA, Apptix entered into a contract with Sonian to provide its customers with software and related services for the management of customer communications and email (“the OEM Agreement”). Sonian is a Delaware corporation that has since been acquired by Barracuda, another Delaware
corporation with its principal place of business in California. Plaintiffs allege that Barracuda holds itself out to the public as “an expert in data security”, namely, in archiving emails in a secure environment with controls that ensure that only authorized personnel have access to the data stored within the archive. Despite that representation, plaintiffs and Fusion contend that, with respect to their data, Barracuda failed to implement adequate safeguards which ultimately led to the subject data breach. The data breach began on November 8, 2018, when a Barracuda employee allegedly left a data port open in its system during a
standard migration of data within its network. None of Barracuda’s supervisory, security or oversight mechanisms detected the error until approximately seven weeks later, on December 28, 2018. In the meantime, the confidential and protected health information of plaintiffs’ patients was apparently accessed by unauthorized third parties. Barracuda finally contacted Apptix with respect to the data breach in January, 2019, advising that it recently discovered that a very small number of user emails stored in an application known as Sonian EA were compromised as a result of unauthorized access to our system by a third party.
Barracuda informed neither Apptix nor the Zoll plaintiffs that the data port had remained open, undetected for several weeks and, instead, allegedly misrepresented that the data breach was minor. Once Zoll Medical received notification of the breach, it and its subsidiaries began an investigation into the event to determine whether customer PHI had been accessed. As part of that investigation, plaintiffs requested from Barracuda additional information regarding the data breach but Barracuda purportedly refused to cooperate, compelling plaintiffs to hire an independent forensics firm, Kroll, Inc., to assist in the investigation. Thereafter, plaintiffs issued a press release advising the public that its data had been breached, including communications which contained PHI. In April, 2019, a class action lawsuit was filed against Zoll Medical and Zoll Services in the Circuit Court of Kanawha County, West Virginia by individuals claiming that their PHI had been the subject of the data breach. That action has since been settled, leaving Zoll Services liable to its patients for any injury resulting from the “data breach event”. Plaintiffs contend that they have also suffered investigation, mitigation and remediation costs associated with the incident, as well as harm to their reputation. In November, 2020, plaintiffs filed the instant action against Barracuda and Sonian, alleging (1) negligence (Count I);
(2) breach of implied warranty of merchantability (Count II); (3) breach of implied warranty of fitness (Count III); (4) breach of written contract—third party beneficiary (Count IV) and (5) equitable indemnity (Count V). Defendants now move to dismiss the complaint for failure to state a claim. II. Motions to Dismiss A. Legal Standard To survive a motion under Fed. R. Civ. P. 12(b)(6), the subject pleading must contain sufficient factual matter to state a claim for relief that is actionable as a matter of law and
“plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is facially plausible if, after accepting as true all non-conclusory factual allegations, the court can draw the reasonable inference that the defendant is liable for the misconduct alleged. Ocasio-Hernandez v. Fortuno-Burset, 640 F.3d 1, 12 (1st Cir. 2011). When rendering that determination, a court may not look beyond the facts alleged in the complaint, documents incorporated by reference therein and facts susceptible to judicial notice. Haley v. City of Boston, 657 F.3d 39, 46 (1st Cir. 2011). A court also may not disregard properly pled factual allegations even if actual proof of those facts is
improbable. Ocasio-Hernandez, 640 F.3d at 12. Rather, the relevant inquiry focuses on the reasonableness of the inference of liability that the plaintiff is asking the court to draw. Id. at 13. B. Application i. Negligence A plaintiff asserting a negligence claim must establish the basic elements of duty, breach, causation and damages. See Colter v. Barber-Greene Co., 525 N.E.2d 1305, 1313 (Mass. 1988). To state a claim for negligence, a plaintiff typically must allege damages beyond pure economic loss, as “purely economic
losses are unrecoverable . . . in the absence of personal injury or property damage”. FMR Corp. v. Boston Edison Co., 613 N.E.2d 902, 903 (Mass. 1993). This limitation on the recovery of purely pecuniary harm is known as the economic loss doctrine. Here, defendants contend that the economic loss doctrine bars plaintiffs’ claim for negligence. Plaintiffs, on the other hand, maintain that their negligence claim falls within an exception to the economic loss doctrine. They argue that the economic loss doctrine does not preclude recovery of purely economic loss on a negligence claim arising out of an independent, noncontractual legal duty. In particular, plaintiffs claim that the duty of Barracuda to keep Zoll’s confidential customer information secure from unauthorized
access arises from HIPAA and common law privacy principles separate from any agreement between the parties. In the alternative, plaintiffs submit that they reasonably and foreseeably relied on defendants’ promise to Fusion that it would keep the PHI of Zoll’s customers secure, and that Massachusetts law recognizes reasonable reliance on a defendant’s promise to a third party as an exception to the economic loss doctrine. With respect to the alleged common law duty to maintain privacy, plaintiffs cite Portier v. NEO Tech. Solutions, No. 17- cv-30111, 2019 WL 7946103 (D. Mass. Dec. 31, 2019). In Portier,
the district court held that because defendant employer undertook the affirmative acts of collecting and storing [plaintiff] employees’ personal and financial information on its internet accessible computer system, it had a common law duty to exercise reasonable care to protect the data from the foreseeable risk of a data breach.
Id. at *20. The district court concluded that plaintiff employees could recover purely pecuniary losses notwithstanding the economic loss doctrine. Id. Plaintiffs’ reliance on Portier is misplaced. In that case, the district court concluded that a “special relationship” existed between plaintiff employees and defendant employer, and that the special relationship gave rise to a duty on the employer’s part to safeguard personally identifiable information provided to it by the employees. Id. at *21. Unlike the
Portier plaintiffs, plaintiffs here cannot identify a similar relationship with defendant. Moreover, an exception to the economic loss doctrine would be inappropriate in this case. While in Portier the transfer of private information was at most incidental to the object of the employment relationship, here the storage and protection of sensitive data was exactly what the parties contracted among themselves to do. See Wyman v. Ayer Properties, LLC, 11 N.E.3d 1074, 1080 (Mass. 2014) (explaining that the economic loss rule was “developed in part to prevent the progression of tort concepts from undermining contract expectations”), see also 74
Am. Jur. 2d Torts § 23 (stating that the purpose of the economic loss doctrine is to “maintain the distinction or boundary between contract law and tort law”). Plaintiffs’ attempts to locate an independent legal duty in Barracuda’s ostensible HIPAA obligations are equally unavailing. Plaintiffs have neither furnished any authority in support of their position that HIPAA creates a tort duty nor specified from which provisions the ostensible duty arises. Although the Court is not aware of any case addressing the issue of whether HIPAA creates a duty under tort law, the Court finds it instructive that federal courts have declined to recognize the existence of a private statutory right of action under the statute. See Miller v. Nichols, 586 F.3d 53 (1st Cir. 2009), see also Acara
v. Banks, 470 F.3d 569, 571-72 (5th Cir. 2006), Sneed v. Pan American Hosp., 370 Fed. App’x 47, 50 (11th Cir. 2010). Finally, plaintiffs have not alleged actual reliance on any promise made by defendants to Fusion. The reliance exception to the economic loss doctrine “applies only where the plaintiff reasonably and foreseeably relied on the defendant's promise to someone other than the plaintiff.” Cumis Ins. Soc’y, Inc. v. BJ’s Wholesale Club, 2008 WL 2345865, aff’d, 918 N.E.2d 36 (Mass. 2009). Here, plaintiffs have not alleged that they reasonably relied upon, or even were aware of, the agreement between Barracuda and Fusion. Consequently, plaintiffs cannot
employ the reliance exception to circumvent the economic loss doctrine. ii. Breach of Implied Warranties of Merchantability and Fitness Massachusetts law provides that manufacturers impliedly warrant to customers that their products will be merchantable and “fit for the ordinary purposes for which such goods are used”. Back v. Wickes Corp., 378 N.E.2d 964, 969 (Mass. 1978) (quoting M.G.L. c. 106, § 2-314(2)(C)). To succeed on a claim for breach of implied warranty of merchantability, a plaintiff must show that 1) defendant manufactured or sold the subject product, 2) that product contained a defect or unreasonably dangerous condition rendering it unsuitable for its ordinary
use, 3) plaintiff was using the product in a manner that defendant intended or reasonably could have foreseen and 4) the defect or dangerous condition was a legal cause of plaintiff’s injury. Lally v. Volkswagen Aktiengesellschaft, 698 N.E.2d 28, 43 (Mass. App. Ct. 1998). Massachusetts law also provides for an implied warranty of fitness with respect to goods used for a particular purpose. M.G.L. c. 106, § 2-315. That warranty is similar to the warranty of merchantability but applies only where the seller at the time of contracting has reason to know any particular purpose for which the goods are required and that the buyer is relying on the seller's skill or judgment to select or furnish suitable goods.
Taupier v. Davol, 400 F. Supp. 3d 430 (D. Mass. 2020) (internal citations omitted). In contrast, the implied warranties of merchantability and fitness do not apply to contracts for the rendition of services. White v. Peabody Constr. Co., Inc., 434 N.E.2d 1015, 1022 (Mass. 1982) (holding that claim for breach of implied warranties could not be brought because contract was not for sale of goods), see also Mattoon v. City of Pittsfield, 775 N.E.2d 770, 783-84 (Mass. App. Ct. 2002) (holding that because provision of services was “predominant factor” in contract for municipal water distribution the implied warranties of fitness and merchantability did not apply). Here, plaintiffs allege that defendants breached the implied warranties of fitness and merchantability with respect
to Sonian’s email archive and data import/export technology licensed to Apptix under the OEM Agreement. They do so notwithstanding their contention that the OEM Agreement is a contract for services. Defendants maintain that the implied warranties were waived and, if the contract was for services, they do not apply as a matter of law. The Court need not address the question of whether the OEM Agreement is a contract for goods or for services because the OEM Agreement waives the implied warranties of fitness and merchantability. A valid waiver of the warranty of merchantability “must mention merchantability and in the case of
a writing be conspicuous”, and a valid waiver of the warranty of fitness must be written and conspicuous. M.G.L. c. 106, § 2- 316(2). A provision is conspicuous if a reasonable person against whom it is to operate would have noticed it. See M.G.L. c. 106, § 1-201(10). Whether a term is conspicuous is for the Court to decide. Id. In making that determination, the Court takes into account the location of the clause, the size of the type, any special highlighting, such as boldface, capitalization or underlining, the clarity of the clause, and the sophistication of the contracting parties.
Logan Equipment Corp. v. Simon Aerials, Inc. 736 F.Supp. 1188, 1197 (D. Mass. 1990). Here, the OEM Agreement expressly and conspicuously limits the warranty protections available for programs and services that defendants agreed to provide under the Agreement. In particular, Section 11 of the Agreement provides in relevant part that 11.1 Sonian agrees to provide the Services to [Apptix] in accordance with the Service Level Agreement attached hereto . . . 11.2 Except for the warranties provided in Section 11.1, OEM acknowledges and agrees that Sonian disclaims all other warranties whether express, implied or statutory, with respect to the Services, and specifically disclaims the implied warranties of merchantability, fitness for a particular purpose, noninfringement or any warranties arising from that course of dealing, usage or trade practice. Sonian does not warrant that the services shall be uninterrupted or error free.
(capitalization removed and emphasis added). The “Services” include one-time imports of email. A reasonable person entering into the OEM Agreement would have understood that special attention was to be paid to Section 11.2. The text of Section 11.2 is entirely capitalized, one of only two sections of the OEM Agreement to receive such emphasis. Further, it is located in the body of the agreement and its language and meaning are clear. Finally, the OEM Agreement was drafted by sophisticated parties. Thus, because the waivers of the implied warranties of merchantability and fitness are conspicuous, in writing, and make mention of “merchantability”, they are valid and the warranties are waived.
Finally, plaintiffs’ awareness or lack thereof of the waiver provisions in the OEM Agreement is immaterial. The Massachusetts Supreme Judicial Court has held that a subsequent purchaser cannot possess greater warranty rights as to the seller than the original purchaser. Theos & Sons, Inc. v. Mack Trucks, Inc. 729 N.E.2d 1113, 1118 (Mass. 2000). Theos controls the present case. Defendants’ disclaimer of the implied warranties as to Apptix renders them waived as to plaintiffs. iii. Breach of Written Contract—Third Party Beneficiary Under Massachusetts law, only intended beneficiaries may
enforce a contract. See Miller v. Mooney, 725 N.E.2d 545, 549– 50 (2000). Massachusetts courts apply the Restatement (Second) of Contracts (1981) test to determine whether a third party is an intended beneficiary of a promise. Id. That test provides that (1) Unless otherwise agreed between promisor and promisee, a beneficiary of a promise is an intended beneficiary if recognition of a right to perform in the beneficiary is appropriate to effectuate the intention of the parties and either (a) the performance of the promise will satisfy an obligation of the promisee to pay money to the beneficiary; or (b) the circumstances indicate that the promisee intends to give the beneficiary the benefit of the promised performance.
Restatement (Second) of Contracts § 302 (1981). To ascertain the intention of the parties, courts “look at the language and circumstances of the contract”. Anderson v. Fox Hill Village Homeowners Corp., 676 N.E.2d 821, 822 (Mass. 1997). A contract does not confer third-party beneficiary status upon a nonparty unless its language and circumstances show that the parties “clearly and definitely” intended it to benefit that party. Cumis Ins. Soc’y, Inc. v. BJ’s Wholesale Club, Inc., 918 N.E.2d 36, 44 (Mass. 2009)(internal punctuation omitted) (citing Anderson, 676 N.E.2d at 822). Here, the terms of the OEM Agreement between defendants and Apptix make clear that the Zoll plaintiffs were not intended third-party beneficiaries of the agreement. Indeed, the intent of the OEM Agreement, as described in the provisions limiting the rights and duties thereunder to Apptix, its successors, and assigns and requiring Fusion to enter into separate, subsequent agreements with downstream customers is clear. The intent was for Barracuda to provide Apptix with a product to market and license as its own, thereby rendering Apptix, now Fusion, responsible for the relationship between Apptix and downstream customers, i.e. the Zoll plaintiffs. Thus, because the OEM Agreement does not “clearly and definitely” demonstrate an intent to benefit Zoll, Zoll is not a third-party beneficiary of the contract. iv. Equitable Indemnity Under Massachusetts law, a right to indemnification may
arise under three circumstances, namely, 1) an express agreement, 2) a contractual right implied from the nature of the relationship between the parties and 3) a common law tort-based right. See Araujo v. Woods Hole, Martha’s Vineyard, Nantucket Steamship Auth., 693 F.2d 1, 2 (1st Cir. 1982). Plaintiffs allege that the third circumstance of common law tort-based equitable indemnification, applies here. Tort-based equitable indemnification is available to a party who “did not join in the negligent act of another but was exposed to liability because of that negligent act.” Hernandez v. City of Boston, 277 F.Supp.3d 176, 180 (D. Mass. 2017) (quoting Rathbun
v. Western Mass. Elec. Co., 479 N.E.2d 1383, 1385 (Mass. 1985)). It has usually been available only where the party seeking indemnity was passively or vicariously at fault. Araujo, 693 F.3d at 3. Where the party seeking indemnification was itself responsible for acts or omissions proximately causing plaintiff's injury, courts have found tort-based equitable indemnification to be inappropriate. Id. Here, Zoll has sufficiently pled a claim for equitable indemnity from Barracuda. Zoll has alleged that it is liable for damages as a result of the West Virginia class action, that the damages were the result of Barracuda’s negligence and that any fault by Zoll was passive or vicarious in nature. Barracuda’s response that Zoll is not without fault itself
misses the mark. With respect to a motion to dismiss, the Court accepts as true all well-pled facts set forth in the complaint and draws all reasonable inferences therefrom in favor of the pleading party. Haley, 657 F.3d at 46. Whether Zoll was negligent itself is not an issue suitable for resolution at this juncture. ORDER For the foregoing reasons, defendants’ motion to dismiss (Docket No. 18) is ALLOWED, in part, DENIED, in part. Counts I, II, III and IV of the complaint are hereby DISMISSED but Count V for equitable indemnity is not.
Plaintiff Zoll’s request to amend its complaint is DENIED. So ordered.
_/s/ Nathaniel M. Gorton__ Nathaniel M. Gorton United States District Judge
Dated September 21, 2021