Evergreen Family Health Partners, LLP v. Bank of Burlington, Inc.

• Court: District Court, D. Vermont
• Decided: March 9, 2026
• Docket: 2:25-cv-00363
• Status: Unknown

Opinion

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF VERMONT

EVERGREEN FAMILY HEALTH ) PARTNERS, LLP, ) ) Plaintiff, ) ) Case No. 2:25-cv-363 v. ) ) BANK OF BURLINGTON, INC., ) ) Defendant. )

OPINION AND ORDER Before the Court is the Bank of Burlington, Inc.’s (the “Bank”’s) motion to dismiss this case brought by Evergreen Family Health Partners, LLP (“Evergreen”). ECF No. 14. For the reasons set forth below, the Court grants in part and denies in part the motion to dismiss. I. Factual Allegations1 Evergreen is a “local, multispecialty medical practice, established in 2001, with locations in Williston and Essex Town, Vermont.” ECF No. 12-1 at 4. In early 2024, Evergreen “was

1 These factual allegations are taken from the Amended Complaint. The Court entered a text-only order granting Evergreen’s motion to file an Amended Complaint on July 14, 2025. ECF No. 13. However, though both parties refer to the Amended Complaint, Evergreen never filed the Amended Complaint as its own separate docket entry. Accordingly, the citations in this Opinion are to the Amended Complaint attached as an exhibit to Evergreen’s Motion to Amend Complaint, ECF No. 12-1. investigating its options for opening a new commercial account that would handle the practice’s day-to-day transactional needs.” ECF No. 12-1 at 4. Evergreen went with the Bank,

because it “valued utilizing local business partners” and because it was “persuaded by the Bank’s apparent commitment to fraud protection.” Id. Evergreen alleges that, at the time it opened its account at the Bank, the Bank “prominently advertised its commercial accounts as eligible for ‘Full fraud protection.’” Id. The Bank’s website also “contained other representations regarding its rigorous security for online and mobile banking,” including the following representations: • Stating that “Security Is Our Priority” • Stating that customer accounts were protected through “security that authenticates your computer and various devices” • Stating that, beyond standard User ID, Password, and Multi-Factor Authentication identity verification protections, there was an “additional layer” of monitoring that would leverage “user behavior and device details to identify potentially suspect sessions” • A representation that, if the bank detected “high-risk non-transactional activities” it would require “further authentication” to ensure the propriety of those actions. • Stating that “transaction and use data is analyzed and monitored in real time to identify suspicious activity before it takes place” • Stating that the bank offered a “Positive Pay” fraud protection service, which meant that: “Electronic transactions on your list of approved companies are paid automatically. All others are flagged for your review and decision” and that one could “[m]anage the list of approved companies with Bank of Burlington Online Banking.” ECF No. 12-1 at 5-8. In January of 2024 Evergreen opened a commercial checking account (the “Account”) with the Bank. ECF No. 12-1 at 2. Evergreen “chose to conduct business with the Bank because Evergreen believed the Bank’s representations about stringent security and fraud protection.” Id. at 8. Positive Pay protections were included in the Account. Id. Under the Positive Pay service, Evergreen “did not pre-authorize any individual or entity to receive ACH EFTs.” Id. Both parties signed several agreements when Evergreen opened the Account. As is relevant to this suit, there was an “Account Agreement” and a “Treasury Management Services Agreement.” ECF No. 12-1 at 15-16. The Account Agreement, signed by Michael Johnson and Rebecca Joyce, stated that the account owners agreed to the terms and acknowledged receipt of copies of the agreement and other documents, including an “Electronic Fund Transfers” document. ECF No. 15-1 at 2. The Electronic Fund Transfers document, for its part, stated in an “Unauthorized Transfers” section that: (a) Consumer Liability. Generally, Tell us AT ONCE if you believe your card and/or code has been lost or stolen, or if you believe that an electronic fund transfer has been made without your permission using information from your check. Telephoning is the best way of keeping your possible losses down. You could lose all the money in your account (plus your maximum overdraft line of credit). If you tell us within 2 business days after you learn of the loss or theft of your card and/or code, you can lose no more than $50 if someone used your card and/or code without your permission. If you do NOT tell us within 2 business days after you learn of the loss or theft of your card and/or code, and we can prove we could have stopped someone from using your card and/or code without your permission if you had told us, you could lose as much as $500. ECF No. 15-1 at 30. The TMSA, for its part, sets a primary administrator who may “select and change Security Procedures.” ECF No. 14-1 at 3. The agreement sets out provisions regarding “Security Procedures,” ECF No. 14-1 at 5-7, and these provisions include that: the Security Procedures are commercially reasonable; that the customer agrees to be bound by and liable for funds transfers initiated using the services and security procedures selected by the customer, whether or not the transaction was initiated by the customer or someone authorized to act on the customer’s behalf; that the customer must establish and maintain the confidentiality of and security and control over their aspects of security procedures; that the customer is solely responsible for all transactions or other requests received by the Bank for which the Bank reasonably believes is authorized and must immediately provide notice if the customer suspects an unauthorized request has been made; that the Bank makes no representation, warranty, covenant or agreement that a security

procedure will be effective and, except as otherwise required by applicable law, the bank shall not have any liability for the breach of a security procedure; and that if the Bank expressly required or recommended one or more of the services or controls but the customer decided not to, or failed to, use that service or control, then the customer will be treated as having assumed the risk of any losses that could have been prevented by that service or control. ECF No. 14-1 at 5-7. Then, under a provision regarding “liability and indemnification,” the TMSA sets forth language including that to the fullest extent allowed by law, the Bank’s liability shall be limited to correcting errors resulting from the bank’s failure to exercise ordinary

care or to act in good faith, and that the customer indemnified the Bank for the customer’s failure to maintain compliance with the agreement and for the Bank’s provision of services in accordance with any instructions or information received from the customer or any person reasonably believed to be the customer or authorized to act on the customer’s behalf. Id. at 8-9. Similar provisions, including that the Bank shall not be under a duty to inquire as to the authority or propriety of any transaction made by an authorized person and that the Bank shall be entitled to act upon the instructions of any person whom the Bank reasonably believes to be an authorized person, and shall

not be liable for any loss arising from any such instruction, were included in the “service-specific terms & conditions” section of the TMSA. ECF No. 14-1 at 14. Also included in the “service-specific terms & conditions” was a description of “ACH Positive Pay/Blocks” that stated in part that: The ACH Positive Pay Service enables you to decision ACH transactions associated with your Account[s] based on the criteria set by you and the instructions you provide to us upon the initial setup of your user configuration. The Primary Administrator…will configure approval criteria for ACH transactions. In the event an ACH Transaction which does not conform to your approval criteria posts to your Account, you will receive a notice to review and decision the item through the Online Banking Services. ECF No. 14-1 at 23. Under the separate “Authorization,” entered into by Michael Johnson and Rebecca Joyce on behalf of Evergreen, only one signature was selected as “required.” ECF No. 14-2 at 2-3. Between January 2024 and December 2024, Evergreen “fully funded its Account so that it had operational capital at or nearly approximately $250,000.00.” Id. During 2024, Evergreen “conducted hundreds of transactions through its Account;” transactions which were overwhelmingly deposits and other credits. Id. Of the “rarely made” debits or other withdrawals from the Account, those transactions were “overwhelmingly either repeating monthly funds transfers to a different Evergreen account, or automatic investment sweeps to another different Evergreen account.” Id.

In 2024 Evergreen sent nine ACH EFTs to three different recipient accounts, the total value of which amounted to just over $50,000.00. Id. The ACH EFTs “demonstrated a consistent usage patterns”: they were each created by Evergreen’s controller; they were each authorized by Evergreen’s partner; they were each a “standard” ACH (with a 1-3 business day processing time, as opposed to “same day”); they were each less than $6,000.00; they were each created from the same Vermont- based internet protocol address. Id. at 8-9. Around January 14, 2025, an “unauthorized actor accessed Evergreen partner Michael Johnson’s computer and/or email

account through fraudulent means,” and obtained Mr. Johnson’s Account login credentials. Id. at 9. The individual used these login credentials to access the Account and to register a new device and change the Account password. Id. On January 14th, between 11:11am and 1:47pm, the individual initiated six “same day” ACH EFTs to six different, external accounts that they had recently linked: this amounted to draining $223,910.00 from the Account. Id. On January 15th, between 12:12pm and 12:37pm, they initiated five more “same day” ACH EFTs to five different, newly-linked external accounts: draining an additional $46,110.00 from the Account. Id. at 10. The next day, the individual attempted two additional ACH EFTs, but these

transfers “were rejected because the $270,020.00 transferred out of Evergreen’s Account on January 14th and 15th left the Account with insufficient funds.” Id. These ACH EFTs were all “conducted from a new device, with an IP address based in New Jersey, immediately after that new device was registered, and immediately after that new device changed Evergreen’s Account login credentials.” Id. at 11. Evergreen did not receive any security notifications or Positive Pay notifications about these ACH EFTs. Id. at 9. On January 17, Iva Smejkal, an employee at the Bank, contacted Evergreen’s controller, Katrina Payea, to inform her that the Account was overdrawn. Id. Payea checked the account,

and told Smejkal that these were not authorized transfers, and that neither she nor Johnson had any affiliation or familiarity with the 11 accounts that had received the money via the ACH EFTs. Id. Smejkal told Payea that these transfers could be reversed because they were timely identified. Id. She said that the Bank had submitted the reversal and would have confirmation in a few days that the transferred funds were returned. Id. On January 21st, after a three-day weekend and federal bank holiday, Payea spoke with Smejkal and Bank employee Jameson Roberts, and the Bank employees “stated that Evergreen’s funds should be returned to Evergreen’s Account by that evening.” Id.

However, the funds were not returned; the Bank employees told Payea that they would need to wait until January 24th to know for sure, and then, on January 24th, told her the funds would not be returned. Id. at 12. On January 27th, Payea contacted the FBI and learned that “without Evergreen’s consent or review—the Bank submitted an Internet Crime Complaint Center (“IC3”) report about the unauthorized transactions.” Id. The IC3 report was prepared by a Bank employee on January 23rd, and the report stated that for each of the 11 ACH EFTs, Evergreen had not contacted the Bank about the fraudulent act and that Evergreen contacted the Bank

on January 17th and informed the Bank that Evergreen had been the victim of an email compromise on January 14th. Id. at 12- 13. However, Evergreen alleges that Evergreen had confirmed all 11 transfers to be unauthorized to Smejkal, and also that Evergreen never told any Bank employee that Evergreen was the victim of an email compromise on January 14th. Id. On January 28th, Evergreen’s management team met with Bank executives. The Bank executives “blamed Evergreen for the fraud,” and “insisted the Bank had no responsibility, obligation, or capability to identify the uncharacteristic and dramatic change in login and Account activity behavior that preceded and included the unauthorized ACH EFTs.” Id. (emphasis

in original). The Bank executives said that the ACH EFTs were not covered by Positive Pay, even though the Account itself was covered by Positive Pay. Id. Evergreen filed its complaint in on March 24, 2025, and the Bank has moved to dismiss. II. Legal Standard To survive a Rule 12(b)(6) motion to dismiss, a pleading “must contain sufficient factual matter, accepted as true, to ‘state a claim for relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)); see also Fed. R. Civ. P. 8(a)(2). “The plausibility standard is not akin

to a ‘probability requirement,’ but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 556). The Court must draw all reasonable inferences in favor of the non- moving party, but need not accept conclusory statements. Lanier v. Bats Exch., Inc., 838 F.3d 139, 150 (2d Cir. 2016). In considering the plausibility of a claim on a motion to dismiss, the court may consider “documents attached to the complaint as exhibits, and documents incorporated by reference in the complaint,” Santos v. Kimmel, 154 F.4th 30, 33 (2d Cir. 2025), as well as documents upon which the complaint heavily relies and which are therefore integral to the complaint. See Pearson v. Gesner, 125 F.4th 400, 406 (2d Cir. 2025). III. Timing of Filings

This case was originally filed in state court on March 24, 2025, and the Bank removed the case to federal court on March 31, 2025. ECF Nos. 1, 6. On May 13 the Bank filed a motion to dismiss the complaint. ECF No. 11. On June 3rd, Evergreen filed a motion to amend its complaint. ECF No. 12. On July 14, this Court denied without prejudice the motion to dismiss for failure to state a claim, and granted the motion to amend the complaint. Fourteen days later, on July 28th, the Bank filed anew its motion to dismiss for failure to state a claim. Evergreen argues that the Bank’s motion to dismiss is

untimely because Evergreen’s amended complaint was amended as- of-right under Federal Rule of Civil Procedure 15(a)(1)(B), because it was filed within 21 days after service of a Rule 12(b) motion. ECF No. 15 at 23. Under Federal Rule of Civil Procedure 15(a)(3), “any required response to an amended pleading must be made within the time remaining to respond to the original pleading or within 14 days after service of the amended pleading, whichever is later.” Accordingly, Evergreen argues that the Bank should have filed its second motion to dismiss by June 17th, and that this Court should deny the motion to dismiss as untimely. ECF No. 15 at 25. In this case, the Court does not consider the second motion

to dismiss to be untimely. Evergreen docketed its amended as- of-right complaint not as an amended complaint but as a motion to amend the complaint. The amended complaint was served on the Bank as an attachment to the motion. The Bank’s motion to dismiss was still pending and, as the Bank points out, “when a plaintiff properly amends her complaint after a defendant has filed a motion to dismiss that is still pending, the district court has the option of either denying the pending motion as moot or evaluating the motion in light of the facts alleged in the amended complaint.” Pettaway v. Nat’l Recovery Sols., LLC, 955 F.3d 299, 303-304 (2d Cir. 2020). It was not unreasonable for the Bank to wait to see if the Court would rule on its

motion or grant the motion to amend the complaint. When the Court denied the motion to dismiss as moot and granted the motion to amend, it was reasonable for the Bank to assume it had an additional 14 days to respond. The Court notes that ordinarily, when a motion to amend is granted, a party will then re-file the amended complaint as a separate docket entry and the responding party would arguably have had 14 days from the time of that new docket entry to file a response. Here, Evergreen never refiled its amended complaint as a separate entry on the docket after the Court granted its motion. The Bank filed within 14 days of the Court’s order granting the motion to amend the complaint, and the Court will not penalize the Bank by

denying the motion as untimely. IV. Analysis Both the claims and the motion to dismiss in this case reference the Uniform Commercial Code (“UCC”), which was adopted in Vermont’s statutes at 9A V.S.A. § 9-101 et seq. The UCC has provisions concerning fund transfers, and the Second Circuit— when addressing New York’s adoption of the same UCC provisions— has explained that “Article 4-A [of the UCC] governs the procedures, rights, and liabilities arising out of commercial electronic funds transfers.” Fischer & Mandell, LLP v. Citibank, N.A., 632 F.3d 793, 797 (2d Cir. 2011). “[C]ommon law claims arising from electronic funds transfers are precluded

when such claims would impose liability inconsistent with the rights and liabilities expressly created by Article 4-A.” Id.

1. Count I: Breach of Contract To recover damages for breach of contract in Vermont, a party must show the existence of a contract, material breach of a contractual duty, and damages. See Ben & Jerry’s Home-made, Inc. v. Coronet Priscilla Ice Cream Corp., 921 F. Supp. 1206, 1212 (D. Vt. 1996) (existence of contract and breach of contractual duty); Foti Fuels, Inc. v. Kurrle Corp., 2013 VT 111, ¶ 34 n.4 (recovery on the basis of damages). Because “Article 4-A permits some of its provisions to be varied by agreement,” a common law breach of contract claim “is not

preempted by Article 4-A to the extent the provisions are not inconsistent with Article 4-A or they fall within one of the areas where a variance is permitted.” Fischer & Mandell, LLP v. Citibank, N.A., 632 F.3d 793, 797 (2d Cir. 2011). The Bank argues that the breach of contract claim should be dismissed because the Bank acted “in conformance with the contract” and because the Bank’s actions were “otherwise consistent with the requirements of UCC, section 4A.” ECF No. 14 at 14. The Bank argues that, because its security procedures were adequate and were followed, it cannot be held liable for breach of contract here. According to the Bank, because the parties had a written contract “where Evergreen identified

authorized users, the number of persons required to make transactions, and the manner of verification,” and where Evergreen “had the obligation to safeguard against the theft of its account and login information and agreed to bear the loss in the event it was compromised,” the Bank did not breach the contract and, instead, “Evergreen seeks to hold the Bank to something other than the term of their contract.” Id. The Bank bases its argument upon 9A V.S.A. § 4A-202, which states, in relevant parts (b), (c) and (f), that: (b) If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the bank’s obligations under the security procedure and any agreement or instruction of the customer, evidenced by a record, restricting acceptance of payment orders issued in the name of the customer. . . . (c) Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated. A security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in a record to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the bank’s obligations under the security procedure chosen by the customer. … (f) Except as provided in this section and in subdivision 4A—203(a)(1) of this title, rights and obligations arising under this section or section 4A-203 of this title may not be varied by agreement. 9A V.S.A. § 4A-202(b), (c), and (f). 9A V.S.A. § 4A-201 further provides that “‘Security procedure’ means a procedure established by agreement of a customer and a bank for the purpose of (i) verifying that a payment order or communication amending or cancelling a payment order is that of the customer, or (ii) detecting error in the transmission or the content of

the payment order or communication. A security procedure may require the use of algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar security devices.” 9A V.S.A. § 4A-201. Here, the Bank points to the Treasury Management Services Agreement (“TMSA”) that the parties entered into. The TMSA sets a primary administrator, who may “select and change Security Procedures.” ECF No. 14-1 at 3. Under the separate “Authorization,” only one signature was required. ECF No. 14-2 at 2-3. As the Bank puts it: “The thief was able to authorize the ACH EFTs because the Authorization only requires one signature for approval and the thief was using Mr. Johnson’s

credentials, which allow for same-day transactions.” ECF No. 14 at 9. In sum: because Evergreen agreed to the security procedures, and because the Bank followed those security procedures, the Bank argues that there was no breach of contract. Evergreen responds with reference to two separate provisions from the account agreements. Evergreen points to the Account Agreement’s Electronic Fund Transfers disclosure, which stated that Evergreen’s liability would be limited to “no more than $50” if unauthorized EFTs were reported within two business days, and “as much as $500” if notification was not made within two business days. ECF No. 12-1 at 14. Curiously, the Bank

never addresses this provision of the contract, other than to say, in its reply brief, that it “primarily concerns ATM cards and ATM access codes.” ECF No. 17 at 7. Evergreen, for its part, insists that the UCC is not inconsistent with these provisions because “nearly all [of the UCC]s terms can be varied by agreement”. ECF No. 15 at 11 (citing 9A V.S.A. § 4-103(a)). As quoted above, § 4A-202(f) provides that “[e]xcept as provided in this section and in subdivision 4A—203(a)(1) of this title, rights and obligations arising under this section or section 4A- 203 of this title may not be varied by agreement.” 9A V.S.A. § 4A-202 (f). Section 4A-203(a)(1), for its part, provides that, “[i]f an accepted payment order is not, under subsection 4A-

202(a) of this title, an authorized order of a customer identified as sender, but is effective as an order of the customer pursuant to subsection 4A-202(b) of this title, the following rules apply: (1) By express agreement evidenced by a record, the receiving bank may limit the extent to which it is entitled to enforce or retain payment of the payment order.” 9A V.S.A. § 4A-203(a). Here, the payment order was not authorized by Evergreen or by an agent of Evergreen—it was sent by a scammer. 9A V.S.A. § 4A-202(a) (“A payment order received by the receiving bank is the authorized order of the person identified as sender if that person authorized the order or is otherwise bound by it under

the law of agency.”). However, depending on whether or not the “security procedure” at issue here was followed by the Bank, it may be that the order was effective. See 9A V.S.A. § 4A-202(b). If not authorized but effective pursuant to 202(b), then § 203(a)(1) applies, and the Bank may, by express agreement evidenced by a record, “limit the extent to which it is entitled to enforce or retain payment of the payment order.” Here, the Electronic Fund Transfers disclosure provides such a limit—it limits Evergreen’s risk of loss to “no more than $50” if unauthorized EFTs were reported within two business days, and “as much as $500” if notification was not made within two business days.2 See, e.g., 9 V.S.A. § 4A-203, Official Comment

¶ 6 (“The effect of Section 4A-202(b) may also be changed by an agreement meeting the requirements of Section 4A-203(a)(1). Some customers may be unwilling to take all or part of the risk of loss with respect to unauthorized payment orders even if all of the requirements of Section 4A-202(b) are met. By virtue of Section 4A-203(a)(1), a receiving bank may assume all of the

2 Neither party briefed whether or not the Electronic Fund Transfers disclosure conflicts with other provisions of the contract. risk of loss with respect to unauthorized payment orders or the customer and bank may agree that losses from unauthorized payment orders are to be divided as provided in the

agreement.”). Accordingly, the Court finds that Evergreen has made out a plausible breach of contract claim based upon the language in the Electronic Fund Transfers disclosure. Evergreen also points to the “ACH Positive Pay” provisions involving fraud protection at the Bank. Evergreen alleged that the Account included Positive Pay protections, that Evergreen “did not pre-authorize any individual or entity to receive ACH EFTs;” that “any and all ACH EFTs initiated would need to be reviewed and approved by Evergreen,” and yet Evergreen “did not receive any Positive Pay notifications to ‘allow’” the transfers at issue “as a precondition to their processing.” ECF No. 12-1 at 8, 10, 15. Though the Bank argues that it followed the

security procedures in place, it does not directly address whether these ACH Positive Pay procedures were part of those security procedures. Yet the ACH Positive Pay procedures, as described in the Amended Complaint, appear to fall within the definition of security procedures contemplated by the UCC. See, e.g., 9 V.S.A. § 4A-203, Official Comment ¶ 3 (“The customer may provide the bank with a list of authorized beneficiaries and prohibit acceptance of any payment order to a beneficiary not appearing on the list. Such limitations may be incorporated into the security procedure itself or they may be covered by a separate agreement or instruction.”). Again, based upon the Amended Complaint, it is possible

that the Positive Pay protections were a part of the security procedure.3 Whether or not they were followed is a question for discovery. As far as the ACH Positive Pay provisions are concerned, if it comes out in discovery that the Bank followed all of the security procedures and that it was only the two- factor authentication (declined by Evergreen) that would have stopped the fraud, then the Bank may move for summary judgment on that basis. But the Bank has not pointed to any provisions of the UCC that would require the claim to be thrown out at the motion to dismiss stage simply because Evergreen—in reliance on

3 The Bank argues that the Positive Pay transactions were not received by Evergreen because “Evergreen chose to allow approval by one person, including transfers. Once the thief changed the password and registered a new device, the notification/verifications went to the thief, not Evergreen. This was the result of Evergreen’s decisions, not the Bank.” ECF No. 17 at 6. However, those are not the facts as alleged in the Amended Complaint. In the Amended Complaint, Evergreen says that (1) even though the Account was covered by positive pay fraud protection, the Bank denied that these EFTs were covered by positive pay (ECF No. 12-1 at 20); and (2) Evergreen did not receive any notifications or requests to authenticate the EFTs. ECF No. 12-1 at 9-10. Though the Bank argues that this means that the thief received notifications, that is not in the Amended Complaint: all that the Amended Complaint states is that Evergreen did not receive notifications. The Amended Complaint plausibly alleges that the Bank failed to provide the positive pay services—enough for Evergreen to get discovery on this issue. the rest of the provisions of the contract—chose to only have single-factor authentication while believing that there were other security procedures in place.

The Court denies the motion to dismiss on the breach of contract claim, both because the Court finds that Evergreen has made out a plausible breach of contract claim based upon the language in the Electronic Fund Transfers disclosure, and because the Court finds that Evergreen has made out a plausible breach of contract claim based upon the ACH Positive Pay provisions and whether or not the Bank followed the security procedure. 2. Count II: Negligence In Vermont, the economic-loss rule “prohibits recovery in tort for purely economic losses.” Long Trail House Condo. Ass’n v. Engelberth Const., Inc., 2012 VT 80, ¶ 10, 192 Vt. 322, 59

A.3d 752 (quotation omitted). The Vermont Supreme Court has explained that “[t]he rule serves to maintain a distinction between contract and tort law” because “[i]n tort law, duties are imposed by law to protect the public from harm, whereas in contract the parties self-impose duties and protect themselves through bargaining.” Id. (quotation omitted). It is mainly “the duties that exist between the parties” that “determine[s] application of an exception to the economic-loss rule.” Veljovic v. TD Bank, N.A., 2025 VT 38, 342 A.3d 941, ¶ 12. “Vermont law recognizes that, in some circumstances, a plaintiff asserting a negligence claim may be able to recover for purely economic losses where there is a special relationship between

the plaintiff and the defendant, and the defendant has assumed the responsibility not to violate a professional duty owed to the plaintiff.” Id. In Sutton v. Vermont Regional Center, 2019 VT 71A, 212 Vt. 612, the Vermont Supreme Court identified facts that support the existence of a special relationship. The facts include: (1) whether the defendant “initiated a close relationship” with the plaintiff; (2) whether the defendant endorsed an action to “members of the public generally” or through personal solicitation and individualized relationships; and (3) whether the defendant targeted “a narrow class of identified people” who “relied on” the defendant’s representations. Id. at ¶ 33. Of note, “Sutton v. Vermont Regional Center is the sole case where

[the Vermont Supreme Court] has held that a special relationship existed sufficient for the [special relationship] exception to apply.” PeakCM, LLC v. Mountainview Metal Sys., LLC, 2025 VT 50, 346 A.3d 444, ¶ 36. Here, Evergreen has not identified specific facts “that establish a relationship of trust, confidence, or reliance” that would not be barred by the economic-loss rule. Veljovic at ¶ 15. Nor can the Court find that, on the basis of the relationship of an account holder and a bank alone, there is a special relationship. See id. at ¶ 19 (holding that there was

no special relationship between an account holder and a bank “without a showing that [the account holder] placed her trust, confidence, and reliance in the bank”); see also Marcoux v. Wettstein, No. 2:25-cv-00309, 2025 U.S. Dist. LEXIS 263901, 2025 WL 3707137, at *45 (D. Vt. Dec. 22, 2025) (“A duty, however, even a fiduciary one, does not per se create a special relationship. Were that the case, there would be a plethora of special relationship cases under Vermont Law.”).4 The Court grants the motion to dismiss the negligence claim. 3. Count III: Deceptive Acts or Practices in Violation of State and Federal Laws

4 As the Bank points out, other courts, when faced with their own versions of the economic loss doctrine, have found similarly. See, e.g., Oolut v. JPMorgan Chase Bank N.A., No. CV H-23-4822, 2024 WL 5274648, at *3 (S.D. Tex. Mar. 22, 2024) (“Plaintiffs' negligence claims are solely based on the loss of money valued at $82,642.91 because of alleged fraudulent money transfers. The alleged loss and any liability of JPMorgan arise from the depositor-bank relationship the parties shared. That relationship was formed and governed through contract” and the economic loss doctrine bars the Plaintiffs’ negligence claim); Pavlovich v. Nat’l City Bank, 435 F.3d 560, 569 (6th Cir. 2006) (“With respect to similar custody arrangements, courts in other jurisdictions have prevented plaintiffs from bringing tort actions where the defendant bank owed no duty of care independent of its contractual obligations.”). Under Count III of its Amended Complaint, Evergreen brings a claim for “deceptive acts or practices in violation of Vermont’s Consumer Protection Law (9 V.S.A. § 2453) and the

Federal Trade Commission Act (FTCA) § 5(a)”. ECF No. 12-1 at 18. Evergreen alleges that “[t]he Bank solicited Evergreen’s business with website advertisements stating that commercial accounts receive a ‘[f]ull fraud protection package,’” and that this protection included “specific and detailed explanations about ‘real time’ monitoring of online account activity that would ‘identify suspicious activity before it takes place.’” ECF No. 12-1 at 19. Evergreen argues that it reasonably interpreted the Bank’s online marketing and advertisements “to mean that the Bank would be employing not only basic cybersecurity protections capable of detecting suspicious activity conducted through the online and mobile banking

platforms, but that the Bank’s cybersecurity tools were the most cutting edge available within the banking industry.” ECF No. 15 at 15. The Bank argues that Evergreen cannot base a claim of consumer fraud upon a mere breach of contract claim. ECF No. 14 at 20-22. Yet this argument oversimplifies Evergreen’s Amended Complaint—Evergreen has cited amongst its allegations specific advertisements and offers from the Bank. ECF No. 12-1 at 19. The Bank next argues that Evergreen fails to satisfy the elements of a claim under the VCPA: that a “plaintiff must establish a deceptive act or practice by demonstrating that: (1)

there was a representation, practice, or omission by the Bank that was likely to mislead consumers; (2) plaintiff interpreted the message reasonably under the circumstances; and (3) the misleading effects were material, meaning that the conduct influenced plaintiff’s conduct regarding the transaction.” Ianelli v. U.S. Bank, 2010 VT 34, ¶ 10, 187 Vt. 644, 646, 996 A.2d 722, 726 (2010) (citation omitted).5 The Court finds that the Amended Complaint has alleged these things in a manner sufficient to survive a motion to dismiss. Though the Bank appears to argue that Evergreen misinterpreted any marketing or advertisements because “[t]hey described the Bank’s services relating to fraud protection and security, and the contract

terms provide a more detailed description of both those services and the user responsibilities in regard to using the systems,” ECF No. 17 at 7, Evergreen has in fact alleged several specific representations—such as those about real time fraud protection— that, Evergreen alleges, the Bank did not even have the capability to carry out. ECF No. 12-1 at 13.

5 Of note, the Vermont Supreme Court listed these elements as ones a plaintiff must establish “to survive summary judgment.” Id. The Court denies the motion to dismiss on Count III. 4. Count IV: Negligent Misrepresentation The Amended Complaint alleges that the Bank made negligent

misrepresentations which consisted of marketing solicitations about fraud prevention security features, that Evergreen justifiably relied upon these misrepresentations and that, when the Bank did not have the capability to conduct the fraud prevention of “real time” monitoring, caused Evergreen to be damaged by unauthorized activities. ECF No. 12-1 at 21-22. The Bank argues that the negligent misrepresentation count should be dismissed for several reasons, including that “the claim is barred by the economic loss rule because banking is an arm’s length transaction that does not involve a special relationship[.]” ECF No. 14 at 16. As with its negligence claim, Evergreen responds by comparing its negligent misrepresentation allegations to those present in Sutton v. Vermont Regional Center, and arguing that liability for an

economic loss can be recognized in cases where a duty of care was caused by specific circumstances—here, when the actor induces someone to conduct business with representations of services that are false. ECF No. 15 at 20 (citing Sutton v. Vt. Reg’l Ctr., 2019 VT 71A, ¶ 31 n.7; also citing Restatement (Third): Liab. for Econ. Harm § 5). Again, the Court notes that in Sutton, the Vermont Supreme Court found that the economic-loss rule was not a bar to the plaintiffs’ claim because they had alleged sufficient facts to

make out a special relationship “between defendants and plaintiffs such that they may recover for their purely economic losses.” Sutton, 2019 VT at ¶¶s 30, 33. These facts included initiating a close relationship with plaintiffs by recruiting them to invest their life savings by “promising exceptional oversight and management of the investment;” demonstrating “awareness of the risk that it was inducing the plaintiffs to undertake” and moreover representing that it would minimize that risk; personally soliciting individual investors; and entering into “individualized relationships with each plaintiff[.]” Id. at ¶ 33. The Vermont Supreme Court held that this kind of a relationship, where the defendants “intended to influence a

narrow class of identified people—prospective investors in the Jay Peak Projects—and those who actually invested relied on their representations and promised oversight”, could give rise to liability for purely economic harm. Id. Here, whether with regard to its negligence claim or its negligent misrepresentation claim, Evergreen does not sufficiently allege facts of a special relationship, such as a narrow class of identified people or individualized relationships. The Court finds here that the relationship described in the Amended Complaint is not a “special relationship” that would give rise to negligence liability for purely economic harm.

The Court grants the motion to dismiss the negligent misrepresentation claim. 5. Count V: Violation of the Uniform Commercial Code In its motion to dismiss and reply brief, the Bank argues that Evergreen’s UCC claim must fail “because the transfers were performed using commercial [sic] reasonable security procedures that Evergreen agreed to in its contract with the Bank.” ECF No. 14 at 10; see also ECF No. 17 at 5. As set forth above, the Court finds that whether the Bank followed the security procedures at issue is a factual question that the parties may explore in discovery. Accordingly, the Court denies the motion to dismiss on this basis. V. Conclusion

For the reasons set forth above, the Court denies the motion to dismiss Count I (breach of contract), Count III (deceptive acts or practices), and Count V (breach of the UCC). The Court dismisses Count II (negligence) and Count IV (negligent misrepresentation). DATED at Burlington, in the District of Vermont, this 9th day of March 2026. /s/ William K. Sessions III Hon. William K. Sessions III U.S. District Court Judge