IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION SIMPLY DELIVERED, LLC, No. 1:25-cv-01852 Plaintiff, Honorable Joan B. Gottschall v. DEFENDANT THE BAZAAR INC.’S THE BAZAAR, INC., MOTION FOR JUDGMENT ON THE PLEADINGS Defendant.
The Bazaar, Inc. (“The Bazaar”) moves for judgment on the pleadings dismissing Simply Delivered, LLC’s (“Simply Delivered”) Complaint on the merits. The pleadings demonstrate: 1. Simply Delivered established a practice over one year of paying for goods purchased from The Bazaar by credit card. 2. On March 8, 2023, The Bazaar and Simply Delivered agreed to a new transaction (“Sales Order 9054”) that Simply Delivered would pay for by credit card. 3. On March 10, 2023, an imposter intercepted the email communications between The Bazaar and Simply Delivered, changing the payment instructions from credit card to a direct bank transfer using the Automated Clearing House (“ACH”). 4. Simply Delivered knew this was suspicious, and it attempted to confirm those instructions, but it was unable to reach The Bazaar by telephone. 5. Even though Simply Delivered says in the Complaint (at paragraph 8) that it employs “robust cyber security measures to protect its electronic communications and payments” and believes reasonable security measures include “the ability to confirm via telephone the authenticity of communications, especially those regarding bank accounts to where payments should be made,” Simply Delivered disregarded (a) the security measures it advocates, (b) a year of consistent practice, and (c) its express agreement with The Bazaar, and sent payment to the Imposter’s bank account. The Bazaar had no knowledge the Imposter had changed the payment instructions until after Simply Delivered had paid the Imposter. Simply Delivered, however, knew about, and was suspicious of, those changed instructions. It was the only party that could stop the hijacked transaction, or at least delay it until it could confirm the new instructions were authorized by The Bazaar. Simply Delivered cannot now recover the amounts it voluntarily paid the Imposter, and its breach of contract and negligence claims must be dismissed with prejudice. No agreement to pay for Sales Order 9054 by electronic funds transfer was reached, and the only negligence was Simply Delivered’s failure to follow its own security standards and the established practice—and agreed to method—of paying The Bazaar by credit card. STATEMENT OF FACTS The following facts are based on the Complaint and the Verified Answer, sworn to on May 9, 2025 (the “Verified Answer”). Simply Delivered chose to summarize the documents relevant to the Sales Order 9054 transaction, and while it referred to those communications, it did not attach them to the Complaint, because they eviscerate Simply Delivered’s claims. The Bazaar has attached the relevant documents to the Verified Answer. A. Simply Delivered Had a Well-Established Practice of Paying The Bazaar with Its Credit Card. Simply Delivered and The Bazaar began doing business in March 2022 after Jose Rodriguez (“Mr. Rodriguez”) met representatives of Simply Delivered at a trade show in Las Vegas. Verified Ans. ¶ 9(b). Simply Delivered made its first purchase from The Bazaar through Mr. Rodriguez on March 7, 2022. Id. ¶ 9(b)(i). Mr. Rodriguez issued Sales Order 3299 to Simply Delivered for the purchase along with a credit card authorization form. Id. Simply Delivered approved the order and provided its credit card information, making a payment that same day. Id. Simply Delivered made a second purchase from The Bazaar on August 30, 2022. Id. ¶ 9(b)(ii). The Bazaar followed the same procedure as before: Mr. Rodriguez sent Sales Order No. 6647 to Simply Delivered along with The Bazaar’s credit card authorization form, and Simply Delivered paid for the order with its credit card. Id.
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment Simply Delivered made a third purchase from The Bazaar on September 23, 2022. Id. ¶ 9(b)(iii). Mr. Rodriguez sent Sales Order No. 7102 to Simply Delivered along with The Bazaar’s credit card authorization form, and Simply Delivered paid for the order with its credit card. Id. All three of Simply Delivered’s purchases were paid for by credit card. Id. ¶ 9(c). B. Simply Delivered Disregarded Established Practice, Instructions from The Bazaar, and Its Own Suspicions, in Paying the Imposter by ACH Transfer. 1. Simply Delivered Agreed to Purchase Goods from The Bazaar Using Its Credit Card. At another trade show in Las Vegas in February 2023, Simply Delivered negotiated with The Bazaar to purchase additional goods. Id. ¶ 9(e). Mr. Rodriguez followed the same procedure he had for Simply Delivered’s three prior purchases: he documented the sale with Sales Order 9054, sending it to Simply Delivered on March 7, 2023, and Simply Delivered agreed to pay for the goods with its credit card. Id. ¶ 9(f). After Simply Delivered received Sales Order 9054, Mr. Rodriguez and Simply Delivered exchanged emails to confirm exactly what Simply Delivered wanted. Id. ¶ 9(f)(i)-(v). On Wednesday, March 8, Simply Delivered sent Mr. Rodriguez an email stating, “[c]onfirm you can proceed with the order, let me know I can pay you with my credit card.” Id. ¶ 9(f)(vi) (emphasis added). Simply Delivered initially had problems with its credit card, but on Friday, March 10, Simply Delivered told Mr. Rodriguez, “I had issue with my Credit Card last night so they replace my credit card. I will update you once I received the new card or I can give you another card.” Id. ¶ 9(f)(vii)-(x) (emphasis added). Mr. Rodriguez wrote back one minute later, “No worries, let me know Thank you Jose.” Id. ¶ 9(f)(xi). That was the last communication between The Bazaar and Simply Delivered until the following Tuesday, March 14 at 9:16 a.m. Id. 2. The Imposter Intercepts The Bazaar’s Emails with Simply Delivered. At 11:02 am, the Imposter, through the use of Mr. Rodriguez’s company email address1
1 This type of cyberattack is referred to as a Business Email Compromise (“BEC”). See, e.g., J. F. Nut Co. v. San Saba Pecan, A-17-CV-00405-SS, 2018 WL 7286493 (W.D. Tex. July 23, 2018).
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment replied on the thread asking if Simply Delivered “[w]ould you like to make payment through direct ACH deposit.” Id. ¶ 9(g), (g)(i). Simply Delivered knew this was inconsistent with its past practice and with their agreement to pay for Sales Order 9054 by credit card, and it tried to call The Bazaar to confirm the new payment instructions. See id. ¶ 9(g)(ii). The Bazaar’s land lines were down due to an unrelated equipment failure. Id. ¶ 9(g)(v). Simply Delivered remained suspicious about this change in their long-standing practices and express agreement and sent an email asking “[c]an you call me at (832) 606-0354.” Id. ¶¶ 9(g)(ii), (g)(v), 11(b). Neither the Imposter nor anyone at The Bazaar called Simply Delivered. Id. ¶¶ 9(g)(iii), 11(c). Instead, the Imposter replied stating, “I am out of the office on a business conference with limited access to my phone” and “Credit Card payments have been temporarily put on hold for now until further notice, All payments to go through Direct ACH Deposit payment only.” Id. ¶ 9(g)(iv). Simply Delivered remained suspicious and called another customer of The Bazaar, who confirmed that there was a problem with The Bazaar’s landlines. Compl. ¶ 12. Mr. Rodriguez was, in fact, in his office and was conducting business with other customers using his mobile phone. Id. ¶ 9(g)(v). Simply Delivered had Mr. Rodriguez’s mobile phone number, but made no effort to contact him on his mobile phone. Id. ¶¶ 9(g)(v)-(vi), 10(c)- (d). Instead, Simply Delivered responded to the Imposter “[n]o Problem. I will wait till Monday.” Id. ¶ 9(g)(vii).2 3. Simply Delivered Pays on the Imposter’s Terms Without Confirming the Authenticity of Those Terms with The Bazaar. Simply Delivered remained suspicious about the new payment terms, and when the Imposter sent Simply Delivered an email the following Monday, March 13, asking for “any update on payment,” Simply Delivered responded, “all line[s] are busy at your office, can you
2 Simply Delivered said in its Complaint that “time was of the essence in consummating a deal,” but at no point in any of the communications did either side say time was of the essence. Verified Ans. ¶ 9(g)(viii). The original order was made in February, it was negotiated on March 7 and 8, and even though Simply Delivered’s credit card payments were botched on March 9, on March 10 there was no pressure from either side to complete the transaction.
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment please call me at (832) 606-0354.” Id. ¶¶ 9(g)(ix)-(x), 11(e). Again, no one – not the Imposter nor anyone at The Bazaar – called Simply Delivered as requested. Id. ¶¶ 9(g)(xi), 11(f). Simply Delivered reiterated that it “wanted to pay with CC I send you on Friday because I just paid my balance last week,” but the Imposter responded “our CC machine is down, and all credit card transactions have been put on hold till further notice. Please kindly send payment through ACH direct deposit to our bank information enclosed.” Id. ¶¶ 9(g)(xiii)-(xiv), 11(g)-(h). Simply Delivered could have waited and confirmed payment instructions when The Bazaar’s phone service was restored on Monday, March 13, or on Mr. Rodriguez’s mobile phone. Instead, it chose to ignore its suspicions, its own “robust cyber security measures to protect its electronic communications and payments,” its course of dealing with The Bazaar, and its agreement on March 8 to pay via credit card. On March 13, Simply Delivered voluntarily tendered the sum of $97,000 via ACH transfer to the bank account information provided by the Imposter. Compl. ¶¶ 8, 12; Verified Ans. ¶¶ 9(g)(xv), (g)(xvii), 11. 4. The Bazaar Had No Knowledge of the Changed Payment Instructions Until After Simply Delivered Had Paid the Imposter. The Imposter was not an employee of The Bazaar and none of his communications with Simply Delivered were authorized by The Bazaar. Verified Ans. ¶¶ 9(g), 10(b), 10(e). Neither The Bazaar nor Mr. Rodriguez was aware of the Imposter’s access to Mr. Rodriguez’s email account until 9:26 am on Tuesday, March 14, 2023. Id. ¶ 10(e). Mr. Rodriguez continued to have access to his email account, but the Imposter was deleting its communications with Simply Delivered from Mr. Rodriguez’s email account as they were sent and received, and Mr. Rodriguez had no reason to believe there was any issue with his account or the payment terms agreed to by The Bazaar and Simply Delivered. Id. Throughout this period, Mr. Rodriguez continued transacting business as usual with other clients. Id. ¶ 9(g)(v). The Imposter was only in communication with Simply Delivered and was not tampering with any of Mr. Rodriguez’s other conversations. Id. ¶ 10(a), (c), (d). Further,
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment Mr. Rodriguez’s last email to Simply Delivered requested that it “let [him] know” how to proceed, giving him no reason to believe Simply Delivered’s delay in following up was due to any reason other than awaiting the updated credit card. Id. ¶ 9(f)(xi). As far as The Bazaar and Mr. Rodriguez were concerned, it was business as usual, until Tuesday March 14 at 9:26 am. 5. The Bazaar Attempted to Resolve the Situation Immediately Upon Learning of the Interference, but the ACH Transfer Was Already Complete. Having heard nothing since Friday, March 10 at 9:09 am, at 9:16 am on Tuesday, March 14, 2023, Mr. Rodriguez sent an email to Simply Delivered asking, “[p]lease advise on your payment.” Id. ¶¶ 9(f)(xi), 13. Simply Delivered responded at 9:26 am, “[a]lready sent the ACH should be cleared before 12:00 pm.” Id. ¶ 13. At 10:26 am, Mr. Rodriguez responded, “call me asap/stop your ach transaction.” Id. ¶¶ 10(f), 13. Simply Delivered informed Mr. Rodriguez that it called the bank, and the transfer had been stopped. Id. ¶ 10(g). Simply Delivered later learned that the funds had already been transferred. Simply Delivered has not recovered the funds it paid to the Imposter and now wishes to recover them from The Bazaar. See Compl. ¶ 15. ARGUMENT Under Rule 12(c), a movant is entitled to judgment on the pleadings where, based upon the pleadings, there are no material issues of fact, and the movant is entitled to judgment as a matter of law. United States v. Wood, 925 F.2d 1580, 1581-82 (7th Cir.1991). To survive a motion for judgment on the pleadings, the pleadings must contain sufficient factual matter, accepted as true, to “‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citation omitted); Cafasso v. Gen. Dynamics C4 Sys., 637 F.3d 1047, 1054 n.4 (9th Cir. 2011) (applying Iqbal to Rule 12(c) motions because Rule 12(b)(6) and Rule 12(c) motions are functionally equivalent). This requires the allegations in the complaint to “be enough to raise a right to relief above the speculative level.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 55 127 S. Ct. 1955, 167 L.Ed.2d 929 (2007). In considering a motion under Rule 12(c), the court treats as true “all well-pleaded facts,”
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment and construes the pleadings “in a light most favorable to the” non-movant. Wood, 925 F.2d at 1581-82. However, the court must disregard rote recitals of the elements of a cause of action, legal conclusions, and conclusory statements. Anderson v. Kimberly-Clark Corp., 570 F. App’x 927, 931 (Fed. Cir. 2014); Buchanan-Moore v. Cnty. of Milwaukee, 570 F.3d 824, 827 (7th Cir. 2009). Moreover, the court may consider documents that are attached to or submitted with the pleadings, as well as documents referenced in the pleadings. Wood, 925 F.2d at 1581-82. Where factual allegations contradict such a document, the document controls. Phillips v. Prudential Ins. Co. of Am., 714 F.3d 1017, 1019-20 (7th Cir. 2013). Simply Delivered failed to plead facts sufficient to support either of its claims for relief in tort or in contract. The facts established by the pleadings and the documents incorporated therein confirm that no contract was formed when Simply Delivered paid the Imposter via ACH electronic funds transfer. Any tort relief is barred by the Economic Loss Doctrine, and, even if Simply Delivered’s claim was not barred, its own negligent acts bar any tort recovery. I. PLAINTIFF’S BREACH OF CONTRACT CLAIM FAILS BECAUSE NO CONTRACT WAS FORMED UNTIL AFTER THE ACH PAYMENT WAS MADE TO THE IMPOSTER. Simply Delivered pled that it “entered into a valid and enforceable agreement with The Bazaar’s agent… by and through its authorized email address [], in which (1) Simply Delivered agreed to pay The Bazaar the sum of $97,726.90 to a bank account directed by the agent; (2) Bazaar’s agent agreed to tender the Goods.” Compl. ¶ 20. Simply Delivered’s factual allegations are insufficient to establish the existence of an enforceable contract with The Bazaar for two reasons: (1) The Bazaar’s offer to sell was an offer to enter into a unilateral contract that could only be accepted by successful payment and not an agreement to pay; and (2) the Imposter was not an agent of The Bazaar and lacked authority to contract on its behalf.
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment A. A Unilateral Contract Can Only Be Accepted by the Defined Performance to the Offeror. The Bazaar’s offer to sell its products to Simply Delivered was an offer to enter into a unilateral contract that could only be accepted upon complete tender of payment. “A unilateral contract arises from a promise made by one party in exchange for the other party's act or performance.” Kuhnhoffer v. Naperville Cmty. Sch. Dist. 203, 758 F. Supp. 468, 470 (N.D. Ill. 1991). In such matters, the offeror “[is] not contractually bound until [the offeree] commence[s] performing.” Id. The Bazaar offered to sell goods to Simply Delivered if it completed tender of payment. The Bazaar’s offer could, therefore, only be accepted by Simply Delivered’s completed payment to The Bazaar. Upon successful payment, the offer would have been accepted and The Bazaar as the offeror would bear an obligation under the contract to send the offeree the goods. Mr. Rodriguez sent Simply Delivered Sales Order 9054 for review on March 7. Verified Ans. ¶ 9(f)(i). Once the Sales Order 9054 was finalized, Mr. Rodriguez sent Simply Delivered The Bazaar’s credit card authorization form, and Simply Delivered provided its credit card information to be used for the purchase. Id. ¶ 9(f)(i)-(viii). However, when Mr. Rodriguez attempted to charge the card, the card was declined. Id. ¶ 9(f)(ix). Simply Delivered did not provide Mr. Rodriguez with another credit card for the payment. Id. ¶ 9(f)(x)-(xi), (g). Instead, on March 13, Simply Delivered transferred the funds via ACH payment to the Imposter who had hijacked Mr. Rodriguez’s conversation with Simply Delivered. Id. ¶¶ 9(g), (g)(xvii), 13; see also Compl. ¶ 12. Simply Delivered did not pay The Bazaar as agreed, and, therefore, did not accept The Bazaar’s offer, and no contract was formed, on March 13. When the cyberattack was discovered on March 14, Simply Delivered tendered payment to The Bazaar via credit card (as agreed), and The Bazaar shipped the goods to Simply Delivered. Compl. ¶ 14; Verified Ans. ¶ 14. Simply Delivered’s claim for breach of contract is based upon its misplaced belief that a contract was already in effect “when it tendered the money [to the Imposter].” Compl. ¶ 22. But
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment there was no agreement to perform until Simply Delivered paid The Bazaar for the goods. The misdirected payment to the Imposter created no obligation to perform on the part of The Bazaar. B. The Imposter Was Not an Agent of The Bazaar and Had No Actual or Apparent Authority to Contract on Its Behalf. Simply Delivered has not (and cannot) alleged facts sufficient to establish an agency relationship between The Bazaar and the Imposter. Simply Delivered bases its claim for breach of contract upon the assertion that the Imposter was “[The] Bazaar’s agent,” Compl. ¶ 20, or alternatively, that the Imposter had “apparent authority to enter into the transaction with Simply Delivered.” Id. ¶ 21. These allegations are legal conclusions that are unsupported by well pleaded facts. The party seeking to impose liability upon a principal for actions taken by an alleged agent bears the burden of proving the agency relationship. Sphere Drake Ins. Ltd. v. Am. Gen. Life Ins. Co., 376 F.3d 664, 672 (7th Cir. 2004). However, in addition to failing to plead any plausible facts to support its theory of agency, Simply Delivered provides no legal authority supporting this contention. See Compl. ¶ 21 (Simply Delivered provides a statement explaining apparent authority without citation to any legal authority). The Complaint and the Verified Answer confirm that there is no basis for the Imposter having actual or apparent authority to act for The Bazaar. “Agency is a fiduciary relationship that arises when one person (a ‘principal’) manifests assent to another person (an ‘agent’) that the agent shall act on the principal's behalf and subject to the principal's control, and the agent manifests assent or otherwise consents so to act.” Toney v. Quality Res., Inc., 75 F. Supp. 3d 727, 742 (N.D. Ill. 2014). An agent’s authority to act on behalf of the principal can be actual or apparent. Id. Actual authority is express and must have been definitely granted, whereas apparent authority arises where the principal, through outward manifestations, holds out the person as his agent. Hoddeson v. Koos Bros., 47 N.J. Super. 224, 232, 135 A.2d 702 (App. Div. 1957). Central to both actual and apparent authority is the principal’s manifestation of assent.
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment Courts have consistently held that an agent has no apparent authority where the principal itself does not expressly hold out the agent as such, even where it is substantially implied by the agent and seemingly authorized by the principal. See Raclaw v. Fay, Conmy & Co., 282 Ill. App. 3d 764, 767-69, 668 N.E.2d 114 (1996) (denying liability of the principal on theory of apparent agency despite defendant operating out of the principal’s office space and using its phone number); Hoddeson, 47 N.J. Super. at 232 (same holding, defendant impersonated sales representative within principal’s business). Additionally, while Illinois courts have not yet ruled on Business Email Compromise (“BEC”) cyberattacks such as the one at issue in this case, other courts have refused to apply the theory of apparent agency in these instances, because neither party was aware that the hacker existed, and apparent authority is not used to bind the principal for actions of an agent who impersonated the principal. J. F. Nut Co., 2018 WL 7286493 *3. Raclaw, Hoddeson, and J.F. Nut Co. all highlight that one element is dispositive for establishing apparent agency: the principal’s manifestation of assent. The Bazaar never manifested its assent to the Imposter acting on its behalf, neither actually nor apparently. “It is well established that apparent authority must derive from the statements or actions of the alleged principal, not the alleged agent.” Toney, 75 F. Supp. at 744. Instead, Simply Delivered asserts that “the Bazaar/Rodriguez email account had apparent authority to enter into the transaction with Simply Delivered.” Compl. ¶ 21. Simply Delivered never pleads that the Imposter had apparent authority. Instead, it attempts to establish this by alleging that the email account itself had apparent authority, regardless of the identity of the user thereof. Of course, an inanimate object cannot be an agent, and the Imposter’s unauthorized access to that email account has no tendency to prove that The Bazaar manifested assent to the Imposter acting on its behalf. Simply Delivered also cannot claim that it reasonably relied upon any “apparent authority,” given its admitted suspicion of the Imposter’s conflicting payment instructions. See Yugoslav-Am. Cultural Ctr., Inc. v. Parkway Bank & Tr. Co., 289 Ill. App. 3d 728, 737, 682
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment N.E.2d 401 (1997) (explaining that a third party’s reliance upon the apparent authority of an agent must be reasonable). Simply Delivered knew the payment terms had changed, it knew they differed from established practice, and it knew it was unable to confirm those instructions with The Bazaar. Only Simply Delivered could protect itself, and by failing to confirm the payment instructions, it cannot now claim it reasonably relied on any “apparent authority” of the Imposter. Because The Bazaar never authorized the Imposter to act on its behalf nor took any actions to show a manifestation of assent to the Imposter acting as its agent, there are no facts Simply Delivered has, or can, plead that support its contention that the Imposter was acting as an agent of The Bazaar with actual or apparent authority to contract, and any reliance upon the Imposter’s assertions was not reasonable. II. PLAINTIFF’S NEGLIGENCE CLAIM FAILS UNDER THE ECONOMIC LOSS DOCTRINE, CONTRIBUTORY NEGLIGENCE, AND ASSUMPTION OF RISK. Simply Delivered also alleges that The Bazaar owed Simply Delivered a duty of care, that The Bazaar breached that duty of care, and Simply Delivered suffered financial damages as a direct and proximate result of that breach. Compl. ¶ 25. Simply Delivered failed to allege how The Bazaar breached its duty of care; regardless, Simply Delivered is barred from recovery by the Economic Loss Doctrine. Even if Simply Delivered were to amend its pleading to include non-economic harm, and, assuming arguendo, that The Bazaar breached a duty of care, Simply Delivered assumed the risk of the cyberattack by paying the Imposter without confirming the new payment instructions to an unverified, never-before-used bank account were authorized by The Bazaar. A. Illinois’ Economic Loss Doctrine Bars Tort-Based Recovery for Economic Loss. Plaintiff pled that “Simply Delivered has and will continue to suffer financial damages” as a “direct and proximate result of Bazaar’s breach.” Compl. ¶ 27. Simply Delivered does not allege that it suffered non-economic harm because of The Bazaar’s alleged negligence. Simply
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment Delivered’s entire basis for bringing this case is premised upon its prayer for recovery of its financial loss in the transaction with the Imposter. See Compl. ¶ 12. Illinois’ Economic Loss Doctrine prohibits recovery for economic losses suffered under claims of negligence, barring any right to relief for Simply Delivered on this claim. See Moorman Mfg Co. v. National Tank Co., 91 Ill.2d 69, 82 (1982) (establishing the Economic Loss Doctrine in Illinois and prohibiting recovery under a theory of negligence for solely economic loss). There is no doubt that this doctrine applies to claims involving a data breach or cyberattack. See Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 817 (7th Cir. 2018) (applying the Economic Loss Doctrine and barring a class action brought by a bank on behalf of its customers against a merchant who suffered a data breach of its customers’ information). Simply Delivered’s negligence-based claims must, therefore, be dismissed with prejudice. 1. Even if Simply Delivered Had Claimed Non-Economic Loss, Comparative Negligence and Assumption of Risk Bar Any Recovery Here. a. Simply Delivered failed to exercise ordinary care. Illinois operates under a modified comparative negligence theory and prohibits a plaintiff from recovering where its own negligence was more than 50% responsible for causing the harm. Ford-Sholebo v. United States, 980 F. Supp. 2d 917, 996-97 (N.D. Ill. 2013) (“Section 2–1116 of the Illinois Code of Civil Procedure, 735 Ill. Comp. Stat. 5/2–1116(c), bars a plaintiff whose comparative negligence “is more than 50% of the proximate cause of the injury or damage for which recovery is sought” from recovering damages.”). A party exercises ordinary care if they act “as would an ‘ordinary careful person’ or a ‘reasonably prudent person.’” Colburn v. Mario Tricoci Hair Salons & Day Spas, Inc., 2012 IL App (2d) 110624, 972 N.E.2d 266, 276; see also Wilder Binding Co. v. Oak Park Tr. & Sav. Bank, 135 Ill. 2d 121, 131-33, 552 N.E.2d 783 (1990) (Calvo, J., dissenting) (discussing ordinary
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment care in the payor/payee context) (explaining that summary judgment should have been granted because there was no issue of fact as to whether the bank defendant failed to exercise ordinary care in failing to take steps to verify checks before issuing payment). Here, Simply Delivered disregarded a consistent practice in paying for goods and ignored its own suspicions that the
change in payment terms may not have been authorized. Simply Delivered and The Bazaar had engaged in three successful transactions prior to the one at issue. Each transaction was conducted in the same fashion: Mr. Rodriguez would create a sales order including the products selected by Simply Delivered, he would send this sales order to Simply Delivered for review, and upon approval, he would send The Bazaar’s credit card authorization form for the transaction. Verified Ans. ¶ 9(b)(i)-(iii). That exact procedure Mr. Rodriguez followed for Sales Order 9054, until March 10, when the Imposter hijacked the communications. Id. ¶ 9(f). The changed payment terms alerted Simply Delivered something was wrong. It tried to call Mr. Rodriguez on Friday, March 10, and again on Monday, March 13 to confirm the new
payment instructions. Id. ¶¶ 9(g)(ii), (g)(x), 11(e). When they could not get through on Mr. Rodriguez’s office landline, they asked him to call them, which he did not do. Id. ¶¶ 9(g)(ii)- (iii), (g)(x)-(xi), 11(e)-(f). Simply Delivered even called another customer of The Bazaar confirming the phone service was down. Id. ¶ 11(d); Compl. ¶ 12. In the face of those acknowledged concerns, Simply Delivered continued to insist, on Friday and again on Monday, that it wanted to make the payment by the established, and agreed to, method—credit card. Id. ¶¶ 9(g)(i)-(vii), (xiii), 11(g). What Simply Delivered did not do was await confirmation before making the $97,000 payment by a heretofore never used and unverified method to an unknown bank account. Compl. ¶12. Simply Delivered’s failure to take precautionary steps before paying
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment the Imposter with an ACH transfer to an unverified bank account was the intervening, proximate cause of its alleged harm, and its own negligence bars recovery.
b. Simply Delivered assumed the risk of the transaction. Even if Simply Delivered could establish that The Bazaar was negligent, and that Simply Delivered was not the primary cause of its own injury (neither of which it can do), Simply Delivered assumed the risk of the transaction by failing to verify the change payment term. Simply Delivered, as the buyer, was in the better position to assess the risk of the transaction. Courts have consistently held that the buyer or payor is “the party in the best position to prevent the fraud.” Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 759 Fed.Appx. 348, 357 (6th Cir. 2018); see also Peeples v. Carolina Container, LLC, No. 4:19-cv- 21-MLB, 2021 WL 4224009 *8 (N.D. Ga. Sept. 16, 2021); see also Jetcrete North America LP v. Austin Truck & Equipment, Ltd., 484 F.Supp.3d 915, 920 (D. Nev. 2020). Jetcrete is particularly relevant to this case as it also involves a BEC, like the one at issue. 484 F.Supp.3d at 920. In Jetcrete, one of the defendant’s sales representative email accounts was hacked, with
the hacker communicating with plaintiff without the sales representative’s knowledge. Id. The hacker sent payment instructions conflicting with those previously provided by the sales representative. Id. However, the plaintiff failed to confirm the validity of the new instructions – not even with a simple phone call – and tendered payment to the hacker. Id. Accordingly, the court held that even though “the hack of [defendants’] email account created the scenario for the loss,” the buyer “was in the best position to prevent the loss by taking the reasonable precaution of verifying the wiring instructions by phone,” and, as such, the buyer “should suffer the loss.”
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment Id. (applying UCC Article 3, which is not at issue in this case, however, the assessment of risk analysis is the same). Like the buyer in Jetcrete, Simply Delivered was in the best position to prevent the loss by taking the reasonable precaution to verify the new payment instructions, before following
them. By not doing so, Simply Delivered assumed the risk of loss in making payment to the new and unverified source. Like Jetcrete, Simply Delivered was in the best position to prevent the loss by verifying the new, and previously unheard of, payment instructions, and by failing to do so, Simply Delivered assumed the risk of any loss resulting from its conduct. RELIEF REQUESTED This is not a complicated case, and the correspondence between The Bazaar and Simply Delivered establish that Simply Delivered knew the changed payment instructions were suspicious, but it proceeded to make payment according to them without verifying with The Bazaar. On that basis, The Bazaar respectfully requests the Court enter judgment on the pleadings in its favor, dismissing the Complaint with prejudice. By: /s/ Hal Michael Clyde Hal Michael Clyde
Hal Michael Clyde, pro hac vice MClyde@perkinscoie.com Mary Grace Thurmon, pro hac vice Dated: June 2, 2025 MThurmon@perkinscoie.com PERKINS COIE LLP 3150 Porter Drive Palo Alto, California 94304-1212 Telephone: +1.650.838.4300
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment CERTIFICATE OF SERVICE I, Hal Michael Clyde, certify that on June 2, 2025, I electronically filed the foregoing with the Clerk of the Court using the CM/ECF system, which will send notification of such filing to all attorneys of record. I also certify that I served the foregoing by email to the following attorneys: I certify under penalty of perjury that the foregoing is true and correct. DATED this 2nd day of June.
/s/ Hal Michael Clyde Hal Michael Clyde PERKINS COIE LLP 3150 Porter Drive Palo Alto, California 94304-1212 Phone: +1.650.838.4300 Fax: +1.650.838.4350
Case No. 1:25-cv-01852 Defendant’s Motion for Judgment