Hold Security LLC v. Microsoft Inc, No. 2:2023cv00899 - Document 37 (W.D. Wash. 2023)
Court Description: ORDER granting Defendant's 21 Motion to Dismiss without prejudice. Hold has thirty (30) days from entry of this Order to file an amended complaint. Signed by Judge Marsha J. Pechman. (KRA)
Download PDF
<![CDATA[
Hold Security LLC v. Microsoft Inc Doc. 37 1 2 3 4 5 6 7 UNITED STATES DISTRICT COURT WESTERN DISTRICT OF WASHINGTON AT SEATTLE 8 9 10 HOLD SECURITY LLC., a Wisconsin Limited Liability Corporation, 11 CASE NO. 23-899 ORDER GRANTING MOTION TO DISMISS Plaintiff, 12 v. 13 14 MICROSOFT CORPORATION, a Washington Corporation, 15 16 This matter comes before the Court on Defendant’s Motion to Dismiss. (Dkt. No. 21.) 17 Having reviewed the Motion, Plaintiff’s Response (Dkt. No. 25), the Reply (Dkt. No. 28), and all 18 other relevant material, the Court GRANTS the Motion. 19 BACKGROUND 20 This case arises out of a contract between Plaintiff Hold Security (“Hold”) and Defendant 21 Microsoft for services provided to Microsoft by Hold. Hold brings breach of contract claims and 22 extra-contractual claims based on Microsoft’s alleged misuse of Hold’s services outside the 23 intended use of the contract. 24 ORDER GRANTING MOTION TO DISMISS - 1 Dockets.Justia.com 1 Hold is an internet security company that assists corporations in protecting the security of 2 their users’ online accounts against cyberattacks. (AC ¶ 3.2 (Dkt. No. 17); Response at 1.) One 3 of the services Hold provides is the “Credential Integrity Service.” (AC ¶ 3.2.) This involves 4 recovering stolen data, such as account log in information, and then providing the data to the 5 corporate client who can alert users that their account has been compromised. (Id.) Hold’s 6 pricing model for its services is based on the expected benefit to the clients. (Id. at ¶ 3.3.) Hold 7 factors in how many potential user victims there might be, the type of client, the type of 8 customer the client has, and the type of data being recovered. (Id.) 9 In 2014, Microsoft contacted Hold to obtain services related to recovering stolen account 10 credentials. (AC ¶ 3.5.) Microsoft, through an employee, represented to Hold that it would limit 11 the use of the recovered stolen data “to activities that are designed to prevent or mitigate harm to 12 our customers.” (Id. at ¶ 3.13.) Microsoft assured Hold the data would not be used for any other 13 purpose, and that it would destroy all copies of the data. (Id.) Based on Microsoft’s 14 representations, Microsoft and Hold entered into negotiations “with the explicit and sole 15 objective of protecting certain Microsoft services, brands, and customers.” (Id. at ¶ 3.20.) Hold 16 understood the protected Microsoft domains, services, and brands would be exclusively 17 business-to-consumer – meaning the data supplied by Hold would only be used for Microsoft 18 customers, not other businesses. (Id. at ¶ 3.2.) Hold specifically excluded business-to-business 19 domains, services, and brands so as not to reduce Hold’s potential customer base. (Id.) 20 Hold and Microsoft signed a contract in 2015, which incorporated a 2014 Non-Disclosure 21 Agreement (“NDA”), a Master Supplier Services Agreement (“MSSA”), and a Statement of 22 Work (“SOW”). Microsoft drafted the MSSA using one of its standard form agreements. (AC ¶ 23 3.23.) Hold contends that this means the MSSA contains terms and provisions that are not 24 ORDER GRANTING MOTION TO DISMISS - 2 1 applicable to its agreement with Microsoft. (Id.) Though Hold is silent as to who drafted the 2 SOW, the language indicates both parties had a hand in drafting it. (See AC ¶ 3.24 (“Microsoft 3 and Hold executed a Statement of Work . . . The parties agreed . . .”) 4 5 The following are the relevant contract provisions that the Court required for its analysis: The NDA 6 The NDA provides in the pertinent part: 7 [The parties] will not disclose the other’s confidential information to third parties; and [the parties] will use and disclose the other’s confidential information only for purposes of our business relationship with each other. 8 9 NDA Section 3(a). (Declaration of Jacob Thornburg ISO MTD, Exhibit A, NDA at 2 (Dkt. No. 22).) 10 The MSSA 11 The MSSA provides: 12 Section 1 - Definitions 13 (c): “Deliverables means all IP or other work product developed by Supplier (or a 14 Subcontractor of Supplier for Microsoft under a SOW or as part of the Services; 15 Section 3 – Ownership and use of the parties’ respective IP 16 (e)(1): Ownership of IP Rights in Deliverables. All Deliverables are “work made for hire” 17 for Microsoft under applicable copyright law . . . To the extent any Deliverables do not qualify as 18 work made for hire, Supplier assigns all right, title, and interest in and to the Deliverables, 19 including all IP rights, to Microsoft. Supplier waives, and agrees not to assert, any moral rights 20 that may exist in the Deliverables. 21 (Thornburg Decl. Ex. B.) 22 The SOW 23 The SOW provides: 24 ORDER GRANTING MOTION TO DISMISS - 3 1 Section 3 – Description of Services and Delivery Schedule 2 (b): Services. Microsoft has asked Supplier to deliver compromised “Account Credential 3 Data” that have been recovered by the Supplier from sites on the Internet in order to reveal and 4 protect against threats to services, brands and domains owned by Microsoft. “Account Credential 5 Data” are defined as lists of pairs of user id and password where user id is in form of a valid e- 6 mail address [RFC 2822] only and password is non-blank. 7 Supplier will conduct an extensive search of its data sources to provide Microsoft all 8 currently held Account Credential Data as a one-time deliverable as a ‘catch-up’ . . . 9 Per the line item details below, Supplier will provide compromised Account Credential Data on a 10 11 daily basis: 1) Supplier will be collecting compromised accounts from sites on the Internet; the 12 methods of which are proprietary to the Supplier. Supplier’s proprietary methods for 13 gathering Account Credential Data from sites on the Internet shall not be considered 14 Supplier IP incorporated into the Deliverables. 15 Compromised Account Credential Data will be used to check against Microsoft’s own 16 services, brands and domains in order to protect Microsoft customers. The reason for including 17 third-party account credential data is that Microsoft customers are able to use third-party user 18 credentials (e.g., john@contoso.com) on Microsoft brands and services. 19 20 21 22 All services shall be treated as Microsoft Confidential Information unless otherwise designated by Microsoft. Details - Supplier will on a daily basis collect and deliver to Microsoft compromised Account Credential Data for the following domains (The asterisk ‘*’ indicates matching of any 23 24 ORDER GRANTING MOTION TO DISMISS - 4 1 and all characters; e.g., hotmail.* would match for hotmail.com, hotmail.co.uk, hotmail.fr and 2 many others): 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 • • • • • • • • • • • microsoft.* hotmail.* live.* outlook.* msn.* passport.* windowslive.* msncs.com skype.* nokia.* xbox.* • • • • • • • • • bing.* office365.* office.* legallery.* microsoftstore.com onmicrosoft.com microsoftonline.com onmschina.cn *.TLD (third-party login credentials, e.g., ‘contoso.com’) The SOW also provides a payment and delivery schedule, which outlines the dates by which Hold must deliver all services to Microsoft and what Microsoft will pay in return. (SOW Sections 4, 5.) (Thornburg Decl. Ex. C.) The Lawsuit The parties performed pursuant to the contract from 2015 until 2020. (AC ¶ 3.31.) In 2020, Hold discovered Microsoft was using the data in a matter it believed to be outside the scope of the contract in the following three ways: First, Microsoft allegedly employed an updated version of its Active Directory Federation Service (“AD FS”) “enabling federated identity and access management.” (AC ¶ 3.32.) Hold alleges Microsoft used the data provided by Hold in order to create the AD FS. (Id.) Though Hold provides no information on what the AD FS is or how it works, it claims the AD FS does not protect Microsoft customers per se, but instead, is a business to business authentication service that directly competes with Hold. (Id.) Hold claims Microsoft breached the 23 24 ORDER GRANTING MOTION TO DISMISS - 5 1 contract when it developed the AD FS because it uses the data outside the scope of the contract. 2 (Response at 6.) 3 Second, Microsoft allowed third parties to use the data through Microsoft’s web browser 4 Edge. (AC ¶ 3.40.) The intent behind Edge is to protect the internet as a whole, therefore when 5 someone logs into any online account using Edge the data is used to confirm the log in 6 credentials. (Id.; Response at 6.) This application of the data applies regardless of whether the 7 account is for a Microsoft owned domain or not. (Response at 6.) Hold claims Microsoft 8 breached the contract when it implemented this service into Edge, because it goes beyond the 9 scope of protecting Microsoft customers. (Id.) Third, Microsoft acquired LinkedIn and GitHub after the parties entered into the contract, 10 11 and Microsoft used the data in its administration of these newly acquired domains. (AC ¶¶ 3.33- 12 3.34.) Hold argues that the list of domains contained in Section 3(b) “Details” limits the 13 domains that Microsoft may use the data for. (Response at 5.) Hold claims Microsoft breached 14 the contract when it began using the data for LinkedIn and GitHub. (Id.) 15 Hold then brought this action seeking damages for Microsoft’s alleged breach of contract. 16 Hold contends Microsoft breached the contract by using the data outside the scope, and breached 17 the NDA for using the data beyond the two parties’ business relationship. Microsoft brings this 18 Motion to Dismiss arguing that the unambiguous language of the contract directly contradicts 19 Hold’s allegations. 20 21 22 23 ANALYSIS A. Legal Standard Under Fed. R. Civ. P. 12(b)(6), a court may dismiss a complaint for “failure to state a claim upon which relief can be granted.” Dismissal is appropriate only where a complaint fails to 24 ORDER GRANTING MOTION TO DISMISS - 6 1 allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. 2 Twombly, 550 U.S. 544, 570 (2007). A claim is plausible on its face “when the plaintiff pleads 3 factual content that allows the court to draw the reasonable inference that the defendant is liable 4 for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). The court must accept 5 all facts alleged in the complaint as true and make all inferences in the light most favorable to the 6 non-moving party. In re Fitness Holdings, Int’l, Inc., 714 F.3d 1141, 1144-45 (9th Cir. 2013). 7 But “conclusory allegations of law and unwarranted inferences will not defeat an otherwise 8 proper motion to dismiss.” Vasquez v. Los Angeles Cnty., 487 F.3d 1246, 1249 (9th Cir. 2007). 9 B. 10 Breach of Contract Claims Contract interpretation is generally a question of law for the Court. Berg v. Hudesman, 11 115 Wn.2d 657, 663 (1990). Under Washington law, courts follow the “objective manifestation” 12 theory of contracts. Hearst Commc’ns, Inc. v. Seattle Times Co., 154 Wn.2d 493, 503 (2005). 13 This requires courts to “determine the parties’ intent by focusing on the objective manifestations 14 of the agreement, rather than on the unexpressed subjective intent of the parties. Id. (internal 15 citation omitted). Thus, when interpreting contracts, courts should “generally give words in a 16 contract their ordinary, usual, and popular meaning unless the entirety of the agreement clearly 17 demonstrates a contrary intent.” Id. at 504. If the language of a contract is clear and 18 unambiguous, the Court must “enforce the contract as written; it may not modify the contract or 19 create ambiguity where none exists.” Lehrer v. State Dep’t of Social & Health Servs., 101 Wn. 20 App. 509, 515 (2000). “Language is ambiguous if, on its face, it is fairly susceptible to more than 21 one reasonable interpretation.” Mendoza v. Rivera-Chavez, 88 Wn. App. 261, 268 (1997). 22 “[A]mbiguous contract language is strictly construed against the drafter.” Jones Assocs., Inc. v. 23 Eastside Props., Inc., 41 Wn. App. 462, 468 (1985). 24 ORDER GRANTING MOTION TO DISMISS - 7 1 All of Hold’s arguments rely on extrinsic evidence to show the unexpressed intent of the 2 parties and to modify the contract. Because the contract is clear and unambiguous, Hold’s 3 arguments fail. 4 1. Breach of the MSSA and SOW 5 The crux of Hold’s breach of contract claims is that Microsoft used the Account 6 Credential Data outside the scope of the contract in two ways: (1) through its development of AD 7 FS and Microsoft Edge; and (2) its use of the data for LinkedIn and GitHub. The Court finds the 8 Amended Complaint fails to allege sufficient facts that, taken as true, violate the contract. 9 a. Development of AD FS and Microsoft Edge 10 Hold’s first allegations of breach pertains to Microsoft’s use of the account data for the 11 development of AD FS and Microsoft Edge. (Response at 10.) The Court finds this claim fails 12 because Hold does not allege sufficient facts to state a claim for relief. 13 Hold’s argument regarding Microsoft’s use of the data for the development of AD FS and 14 Microsoft Edge is unconvincing because it fails to explain how the use of the data in this way 15 violates the contract. Hold argues Section 3(b) of the SOW limits Microsoft’s use of the data 16 exclusively to protecting Microsoft customers. (Response at 10.) Section 3(b) states the data 17 “will be used to check against Microsoft’s own services, brands and domains to protect 18 Microsoft customers.” Hold claims that Microsoft retained “unmatched data” – that is stolen 19 login credentials that do not “match” the login credentials of any account maintained by 20 Microsoft – to create and operate AD FS and Edge. (Id. at 10-11.) The insinuation of this is that 21 there is not a Microsoft customer to protect because the data does not “match” an existing 22 account. But the Amended Complaint fails to explain what AD FS is, let alone how it works and 23 how it benefits non-Microsoft customers. Instead, the Court is left to assume what Hold means 24 and make inferential leaps that it is not required to make. All the Complaint alleges is ORDER GRANTING MOTION TO DISMISS - 8 1 Microsoft’s development of AD FS benefited Microsoft itself and created a business-to-business 2 authentication service that competes with Hold. (AC ¶ 3.32.) It is unclear how a business-to- 3 business service does not protect Microsoft customers as required by section 3(b). A business-to- 4 business service theoretically still means the businesses using the service are Microsoft 5 customers. 6 Similarly, Hold’s allegations regarding the use of data for Microsoft Edge is insufficient. 7 All Hold states is that Edge provides protection to the internet as a whole and creates a business- 8 to-business service. Again, this allegation is devoid of sufficient facts to explain how the use of 9 Edge works, how it goes beyond the scope of protecting Microsoft customers and why a 10 business-to-business service violates the agreement. And to the extent that Hold argues 11 Microsoft violated the contract by retaining the “unmatched data,” the Court notes that nowhere 12 in the MSSA or the SOW does it discuss “unmatched data” and what Microsoft may or may not 13 do with it. 14 Rather than relying on the language of the contract, Hold seeks to bring in extrinsic 15 evidence regarding the negotiations leading up to the formation of the contract. Hold claims the 16 negotiations make clear the data was only to be used for business-to-consumer purposes. (AC ¶ 17 3.2.) Hold’s argument is unavailing because the contract makes no mention of limiting the data 18 to business-to-consumer. And Hold’s use of extrinsic evidence to demonstrate intention 19 independent of the contract is expressly prohibited under Washington law. Hearst, 154 Wn.2d at 20 503 (extrinsic evidence is relevant only to determine the meaning of specific words and terms 21 used, not to show an intention independent of the instrument or to vary, contradict or modify the 22 written word). Hold points only to the contract provision that requires Microsoft to use the data 23 24 ORDER GRANTING MOTION TO DISMISS - 9 1 for Microsoft customers, but fails to allege how AD FS and Edge do not protect Microsoft 2 customers. 3 Hold’s argument that there is ambiguity also fails because the contract provision is not 4 ambiguous. Hold argues there is ambiguity in the provision in Section 3(b) that reads: 5 “Compromised Account Credential Data will be used to check against Microsoft’s own services, 6 brands, and domains in order to protect its customers.” (Response at 12.) (emphasis in original). 7 Hold contends the examination of extrinsic evidence is needed to determine the meaning and 8 intent of this provision. Hold argues this phrase limits Microsoft’s use of the data to checking 9 Microsoft user accounts against the nineteen domains listed in Section 3(b) “Details.” (Id. at 12- 10 13.) But nothing about this provision is, on its face, ambiguous. And Hold does not argue the 11 term is subject to two interpretations. Rather, Hold’s argument hinges on introducing extrinsic 12 evidence such as emails prior to the contract, its benefits based pricing, and services options to 13 clarify the intent of the parties and thereby limit what Microsoft may do with the data. 14 (See Response at 12-13.) Again, this runs contrary to Washington law, and the provision, on its 15 face, is not susceptible to multiple interpretations. The Court finds the provision is not 16 ambiguous such that extrinsic evidence is required to clarify its meaning. 17 Hold fails to allege sufficient facts that Microsoft’s use of the data for AD FS and Edge 18 violate the contract. The Court GRANTS Microsoft’s Motion as to Hold’s Breach of Contract 19 claim for AD FS and Edge. 20 21 b. Microsoft’s use of the data for domains not listed in Section 3(b) “Details” Hold attempts to limit the domains that Microsoft may use the data for to the list of 22 nineteen contained in Section 3(b) “Details,” and argues that because LinkedIn, GitHub, AD FS 23 and Edge are not listed there, the use of the data for these domains violates the contract. This 24 ORDER GRANTING MOTION TO DISMISS - 10 1 argument fails because there is no language limiting Microsoft’s use of the data to these domains 2 in the contract. 3 Hold argues Microsoft’s use of the data is limited to the list of domains set forth in 4 Section 3(b) “Details.” (Response at 11.) But a plain reading of the “Details” section does not 5 appear to limit Microsoft’s use of the data to the nineteen domains listed. Instead, the section 6 provides the list of domains is where Hold should collect account compromised data from – 7 “Supplier will on a daily basis collect and deliver to Microsoft compromised Account Credential 8 Data for the following domains . . .” (SOW Section 3(b) “Details”.) This section outlines Hold’s 9 obligations, specifically which domains it should collect the data from and how frequently. The 10 section is silent as to Microsoft’s obligations. Simply because the section provides parameters for 11 where the data comes from does not mean those parameters apply to Microsoft’s use of the data. 12 Because there is nothing to suggest Microsoft may only use the data to check for compromised 13 accounts on those nineteen domains, the Court finds this argument fails. 14 Hold argues ambiguity exists as to the “Details” provision. (Response at 13.) The Court 15 disagrees. Hold contends that the list of nineteen domains, when coupled with an explanatory 16 sentence earlier in Section 3(b) that “[t]he reason for including third-party account credential 17 data is that Microsoft customers are able to use third-party user credentials . . . on Microsoft 18 brands and services” limits Microsoft’s use of the data to those domains. (Id.; AC ¶ 3.25.) Hold 19 argues that Microsoft may disagree with it, but that in itself creates an ambiguity. (Response at 20 13.) The problem with this argument is three-fold. First, a disagreement between the parties on a 21 specific provision does not inherently create an ambiguity. Second, there is no language in the 22 contract that incorporates the “Details” provision into the earlier one. And third, even if the 23 earlier provision incorporates the nineteen domains, there is still no language that limits 24 ORDER GRANTING MOTION TO DISMISS - 11 1 Microsoft’s use of the data to those domains. Per the contract, Microsoft was to use the data to 2 check against its own services, brands, and domains. Microsoft’s acquisition of LinkedIn and 3 GitHub, along with its development of AD FS and Edge, are Microsoft’s own services, brands 4 and domains for which the data may be used. The Court finds there is no ambiguity as to the 5 “Details” provision and that Microsoft is not limited to the nineteen domains listed therein. 6 The Court finds Hold has failed to allege sufficient facts that would give rise to a breach 7 of contract claim with regard to Microsoft’s use of the data outside the list of nineteen domains. 8 The Court GRANTS Microsoft’s Motion as to Hold’s Breach of Contract claim for Microsoft’s 9 use of the data for AD FS, Edge, LinkedIn, and GitHub. c. 10 11 The term “Deliverable” Hold argues the data provided to Microsoft is not a “Deliverable” as defined in the 12 MSSA, or is at least ambiguous as applied to the data. The Court finds this argument 13 unconvincing. 14 When looking at the MSSA and the SOW as a whole, the term “Deliverable” 15 incorporates the data provided by Hold. Deliverables in the MSSA is defined as “all IP or other 16 work product developed by Supplier . . . for Microsoft under a SOW or as part of the Services.” 17 (MSSA Section 1(c).) Though the data may not be “developed” by Hold in the traditional sense, 18 Hold searches for specific account data and compiles that data for Microsoft. The searching and 19 accumulation of data is the “Service” that Hold was hired for, and the data is the “Deliverable” 20 produced as part of that Service. This interpretation is also supported by language in Section 3(b) 21 of the SOW, which provides: “Supplier will conduct an extensive search of its data sources to 22 provide Microsoft all currently held Account Credential Data as a one-time deliverable as a 23 ‘catch-up.’” (emphasis added). Section 4 of the SOW also provides a schedule under which Hold 24 should provide the “Deliverables.” The repeated use of the term “Deliverable” as a synonym for ORDER GRANTING MOTION TO DISMISS - 12 1 the data suggests the data is in fact a Deliverable. Further, the contract omits Hold’s proprietary 2 methods from being considered a Supplier IP incorporated into the Deliverables. (SOW Section 3 3(b)(2).) The parties’ exclusion of Hold’s methodology suggests they knew to exclude certain 4 material and could have also excluded the data, but deliberately chose not to. 5 Hold makes two arguments in response. First, Hold argues the data is not a “deliverable” 6 as defined in the SOW because it is not an IP or work product developed by Hold. (Response at 7 13.) Hold claims because the data provided to Microsoft is the same data Hold collects and uses 8 in providing security services for all its customers, it is not something that was “developed” for 9 Microsoft. (Id.) Rather, Hold argues it simply provided Microsoft with “access” to the data. (Id. 10 at 13-14.) Hold claims that even if the Court agrees with Microsoft, it must find the term 11 “Deliverable” ambiguous. (Id.) 12 Hold’s argument is unconvincing. Nowhere in the MSSA or SOW does it reference 13 providing Microsoft with “access” to the data. The language of the contract repeatedly states 14 Hold will “deliver” the data to Microsoft or “provide” the data to Microsoft. (SOW Section 15 3(b).) Similarly, Section 3(b) states that “Supplier will conduct an extensive search. . .” and 16 Supplier will collect compromised accounts on a daily basis. (Id.) This does not suggest that 17 Hold did nothing for Microsoft other than allow it access to already accumulated compromised 18 account data. And the “Details” section specifically provides which domains Hold should collect 19 the data from. This specification contradicts Hold’s argument that this is the same data it collects 20 for all clients. Though the Amended Complaint repeatedly uses the term “access” regarding the 21 account data, neither the MSSA nor the SOW give any indication that Microsoft is only being 22 granted access to the data. Rather, a contextualized reading of the contract indicates the data is a 23 Deliverable as defined in the MSSA. The Court finds the term “Deliverable” is not ambiguous. 24 ORDER GRANTING MOTION TO DISMISS - 13 1 Second, Hold argues that its services do not qualify as “work for hire” under copyright 2 law, and the clause granting ownership of the Deliverables produced pursuant to the “work for 3 hire” do not apply to it. This argument fails because the MSSA contains a catch-all provision for 4 the Deliverables. Without needing to determine whether Hold’s services were “work for hire” 5 under applicable copyright law, the MSSA includes a provision giving Microsoft ownership of 6 the Deliverables even if the work does not qualify as “work for hire.” (MSSA Section 3(e)(1).) 7 (“To the extent any Deliverables do not qualify as work made for hire, Supplier assigned all 8 right, title and interest in and to the Deliverables, including all IP rights to Microsoft.”) 9 Assuming, arguendo, Hold’s services are not “work for hire,” Microsoft would still own the 10 11 Deliverables given the language contained in Section 3(e)(1). Because Hold fails to explain how the definition “Deliverables” is subject to multiple 12 interpretations, the Court finds “Deliverables” is not ambiguous such that extrinsic evidence is 13 needed. 14 The Court finds Hold’s Breach of Contract claims fail because it does not allege 15 sufficient facts that would give rise to relief. The Court also finds the contract is not ambiguous 16 and does not require extrinsic evidence to interpret the contract. The Court GRANTS Microsoft’s 17 Motion as to Hold’s Breach of Contract claim. 18 2. Breach of the NDA 19 Hold alleges Microsoft breached the NDA when it utilized the data to “serve Edge users, 20 new customers from the acquisitions of LinkedIn and GitHub, and through the creation of AD 21 FS.” (AC ¶ 5.7.) The Court finds this argument fails because it ignores unambiguous provisions 22 of the contract. 23 24 ORDER GRANTING MOTION TO DISMISS - 14 1 The NDA prohibits Hold and Microsoft from using the other’s confidential information 2 for purposes other than the business relationship. (NDA Section 3.) The NDA is incorporated 3 into the MSSA in Section 6(a)(1) of the MSSA – something neither party disputes. (MSSA at 9.) 4 Critically, the SOW provides that “[a]ll Services shall be treated as Microsoft Confidential 5 Information unless otherwise designated by Microsoft.” (SOW Section 3(b).) The SOW defines 6 Hold’s services, in part, as “providing to Microsoft all currently held Account Credential Data as 7 a one-time deliverable,” and thereafter providing daily deliverables. (SOW Section 3(b).) As 8 such, a plain reading of the contract suggests the data is part of the Services provided and is 9 therefore Microsoft’s confidential information, not Hold’s. 10 Hold argues the Services discussed in the SOW only describe the act of providing the 11 data to Microsoft. (Response at 20.) Therefore, the provision of data to Microsoft might qualify 12 as Microsoft Confidential Information, but the data itself does not qualify. (Id.) This argument 13 requires mental gymnastics that run contrary to a more logical reading of the contract. In order to 14 find Hold’s argument persuasive, the Court would have to find the “Services” defined in the 15 SOW only pertain to Hold’s collection of the data, not the data itself. This interpretation conflicts 16 with a clause in the SOW that specifically disclaims Hold’s proprietary methods for gathering 17 the data from being incorporated into the Deliverables. (SOW Section 3(b)(2).) Hold’s argument 18 therefore asks the Court to find that Hold’s proprietary methods are not owned by Microsoft but 19 are nonetheless Microsoft’s confidential information, while the data provided is not. To hold 20 both to be true would be a bizarre interpretation of the contract. It is more reasonable to find the 21 Services discussed in the SOW, the purpose of which is to deliver the Account Credential Data, 22 includes the data. Bryne v. Ackerlund, 108 Wn.2d 445, 454 (1987) (“Where one construction 23 would make a contract unreasonable, and another, equally consistent with its language, would 24 ORDER GRANTING MOTION TO DISMISS - 15 1 make it reasonable, the latter more rational construction must prevail.”) As such, the Court finds 2 Hold’s argument unconvincing. 3 Even assuming the data is not owned by Microsoft or considered Microsoft confidential 4 information under the SOW, Hold still fails to adequately allege how Microsoft’s use of the data 5 goes beyond the business relationship. Again, Hold argues that Microsoft’s use of the data to 6 serve Edge users, new customers, and for AD FS expands into business-to-business protection, 7 which is outside the scope of agreement. (AC ¶ 5.7.) But as the Court already explained, whether 8 the data was used for business-to-consumer or business-to-business is irrelevant, so long as the 9 data was used to protect Microsoft customers. The Complaint fails to explain how Edge and the 10 AD FS serves non-Microsoft customers. And, again, the list of nineteen domains is not outside 11 the scope of the agreement because that simply describes the domains Hold should accumulate 12 data from. Because Hold fails to allege sufficient facts to demonstrate that Microsoft violated the 13 14 NDA by using the data for AD FS, Edge, LinkedIn and GitHub, the Court finds this claim fails. 15 The Court GRANTS Microsoft’s Motion as to the Breach of NDA claim. 16 C. Extra-Contractual Claims 17 1. Unjust Enrichment 18 Hold brings an unjust enrichment claim against Microsoft alleging that because Microsoft 19 used the data in ways not envisioned by the parties, it has been unjustly enriched. The Court 20 disagrees. 21 Under Washington law, “[u]njust enrichment occurs when one retains money or benefits 22 which in justice and equity belong to another.” Bailie Communications v. Trend Business Sys. 23 61 Wn. App. 151, 160 (1991). The three elements required for an unjust enrichment claim are (1) 24 ORDER GRANTING MOTION TO DISMISS - 16 1 a benefit conferred on one party to another; (2) appreciation and knowledge of the benefit by the 2 party receiving it; and (3) acceptance of the benefit under circumstances that make it inequitable 3 for the receiving party to retain the benefit without paying its value. See, e.g., Dragt v. 4 Dragt/DeTray, LLC, 139 Wn. App. 560, 576 (2007). But unjust enrichment is “the method of 5 recovery for the value of the benefit retained absent any contractual relationship because notions 6 of fairness and justice require it.” Young v. Young, 164 Wn.2d 477, 484 (2008). A plaintiff who 7 is party to a valid contract may not bring a claim for unjust enrichment for issues arising under 8 the contract’s subject matter. United States ex rel. Walton Tech., Inc. v. Weststar Eng’g, Inc., 9 290 F.3d 1199, 1204 (9th Cir. 2002) (applying Washington law). 10 Hold alleges the parties intended the data provided to Microsoft to be used to match the 11 account credentials to then-existing Microsoft customers, or specified Microsoft domains. (AC ¶ 12 6.2.) Microsoft promised to destroy any credentials not matched to customers or domains. (Id. at 13 ¶ 6.4.) Because Microsoft retained the credentials for its own use and benefit, i.e., development 14 of Edge and AD FS, as well as its application for later existing customers, it has been unjustly 15 enriched. (Id. at ¶¶ 6.7-6.8.) 16 Hold’s allegations fail for three reasons. First, there is an existing contracting, which deals 17 exclusively with the account credential data. Second, Microsoft conferred a benefit to Hold when 18 it paid Hold for delivering the data. (SOW Section 5 – Payment.) Third, the language in the 19 contract says nothing about matching the data to then-existing customers, or what Microsoft 20 would do with any data that did not match existing customers. The contract defines the account 21 credential data as “lists of pairs of user id and password where user id is in form [sic] of a valid 22 e-mail address [RFC-2822] only and password is non-blank.” (SOW Section 3(b).) The contract 23 also states the data would be used “to check against Microsoft’s own services, brands and 24 ORDER GRANTING MOTION TO DISMISS - 17 1 domains in order to protect Microsoft customers.” There is no language limiting the duration 2 Microsoft could use the data or what it must do with any unmatched data. As such, the use of the 3 data is defined in a valid contract, and Hold was properly compensated. The Court GRANTS the 4 Motion as to Hold’s Unjust Enrichment claim. 5 2. Promissory Estoppel 6 Hold’s promissory estoppel claim relates to Microsoft’s use of the unmatched data and its 7 alleged promise not to destroy the data. (AC ¶ 7.2.) Because there is a valid contract that 8 discusses the use of the data, the Court finds this claim fails. 9 Similar to unjust enrichment claims, “the doctrine of promissory estoppel does not apply 10 where a contract governs” the conduct at issue. Spectrum Glass Co., v. Pub. Util., Dist. No. 1 of 11 Snohomish Cnty., 129 Wn. App. 303, 317 (2005). Hold argues that its promissory estoppel claim 12 should not be dismissed because: (1) the use of unmatched data falls outside the scope of the 13 contract, (2) the ambiguous provisions of the contract require extrinsic evidence to determine the 14 meaning of the contract, and (3) if the Court agrees with Microsoft’s interpretation of the 15 contract, then Microsoft fraudulently induced Hold into signing the agreements, thus voiding the 16 contract. (Response at 22.) 17 Hold’s promissory estoppel claim fails for the same reasons as the unjust enrichment claim. 18 The contract is valid, discusses how Microsoft may use the data, and the contract is not 19 ambiguous. As to whether Microsoft fraudulently induced Hold, this is the first time Hold makes 20 this allegation. And Hold does little more than declare that if the Court agrees with Microsoft, 21 then the contract is the result of fraudulent inducement. This conclusory allegation fails to sway 22 the Court. The Court GRANTS Microsoft’s Motion as to Hold’s Promissory Estoppel claim. 23 24 ORDER GRANTING MOTION TO DISMISS - 18 1 3. Tortious Interference with a Business Expectancy 2 Microsoft moves to dismiss Hold’s tortious interference claim on the grounds that Hold 3 failed to allege sufficient facts that would give to a claim for relief. Hold does not oppose this 4 portion of the motion to dismiss. 5 Under Local Civil Rule 7(b)(2), “if a party fails to file papers in opposition to a motion, 6 such failure may be considered by the court as an admission that motion has merit.” This applies 7 to the failure to respond to individual claims in a motion to dismiss. See Leonard v. Reconstruct 8 Company, N.A., No. 15-5866 RJB 2016 WL 304802, at *8 (W.D. Wash. Jan. 26, 2016), aff’d 9 sub nom., Bruce v. Reconstruct Co., N.A., 719 F. App’x 713 (9th Cir. 2018); Edwards v Caliber 10 Home Loans, No. C16-1466-JCC, 2016 WL 9185356, at *2 (W.D. Wash. Dec. 12, 2016.) 11 (finding plaintiffs’ failure to respond to portions of defendants’ argument can be construed as 12 conceding the argument has merit); Piacentini v. United States, No. C96-5763RJB, 1997 WL 13 176375, at *2 (W.D. Wash. Jan. 13, 1997) (same). The Court finds Hold’s failure to respond to 14 Microsoft’s Motion for this claim is acknowledgement the argument has merit. The Court 15 GRANTS Microsoft’s Motion as to this claim. 16 4. Breach of Implied Covenant of Good Faith and Fair Dealing 17 Hold argues Microsoft breached the implied covenant of good faith and fair dealing when 18 it retained the unmatched data and used the data outside the scope of the contract. Because 19 Hold’s allegations are merely conclusory and do not contain sufficient facts, the Court finds this 20 claim does not meet the Rule 12(b)(6) standard. 21 A duty of good faith and fair dealing is implied in every contract. Badgett v. Sec. State 22 Bank, 116 Wn.2d 563 (1991). This duty required the parties to a contract to cooperate with each 23 other so that each may obtain the full benefit of performance, even if the parties have different 24 ORDER GRANTING MOTION TO DISMISS - 19 1 requirements under the contract. Id. (internal citation omitted). But this duty does not require a 2 party to accept a material change in the terms of its contract. Id. (internal citation omitted). The 3 implied duty of good faith and fair dealing arises out of the obligations created by a contract and 4 only exists in relation to the performance of specific contract terms. Keystone Land & Dev. Co. 5 v. Xerox Corp., 152 Wn.2d 171 (2004). 6 Hold alleges Microsoft’s retention of the unmatched data and its use of the data outside 7 the scope of the contract violate the covenant of good faith and fair dealing. (AC ¶¶ 9.1.-9.10.) 8 To support its claim, Hold again points to precontractual negotiations and promises that 9 Microsoft would delete any unmatched data, and Hold’s assumption the data would only apply to 10 the domains outside the nineteen listed. (Id. at ¶¶ 9.4-9.6.) As the Court has already discussed, 11 the contract does not limit Microsoft’s use of the data. But, to the extent that Microsoft used the 12 data for purposes other than to protect its customers, Hold may have a valid claim. The problem 13 with this is the same problem Hold has with its breach of contract claims – it fails to explain how 14 Microsoft’s use of the data in Edge and AD FA does not protect Microsoft customers. The 15 current complaint does not sufficient allege that Microsoft breached its duty of good faith and 16 fair dealing. The Court GRANTS Microsoft’s Motion as to this claim. 17 5. Declaratory Judgment 18 Hold seemingly seeks declaratory judgment as a stand-alone, catch all remedy in case all 19 of its other claim fail. The Court finds this remedy is already provided for through Hold’s other 20 claims and should be dismissed. 21 Hold brings a claim for relief under the Declaratory Judgment Action under RCW 22 7.24.050. (AC ¶ 10.3.) The Washington Supreme Court has historically “limited the operation of 23 the uniform declaratory judgment act to cases where there is no satisfactory remedy at law 24 ORDER GRANTING MOTION TO DISMISS - 20 1 available.” Hawk v. Mayer, 36 Wn.2d 858, 866 (1950). Requests for declaratory judgement that 2 merely impose the remedies provided for in other claims are duplicative and may be dismissed 3 on that basis. Swartz v. KPMG LLP, 476 F.3d 756, 766 (9th Cir. 2007) (adopting opinion of 4 Swartz v. KPMG LLP, 401 F.Supp.2d 1146, 1154-55 (W.D. Wash. 2004)). Hold appears to use this cause of action as a catch all in case its other claims fail. In its 5 6 Response brief, Hold explains that it included a “cause of action for declaratory relief to ensure 7 such relief is available regardless of the legal theory accepted by the Court.” (Response at 26.) 8 But regardless of whether the Court is persuaded by any of Hold’s legal theories, Hold’s claims 9 for relief still include declaratory judgment as a remedy. Hold’s separate cause of action is 10 therefore duplicative. The Court GRANTS Microsoft’s Motion to Dismiss Hold’ Declaratory 11 Judgment claim. 12 CONCLUSION The Court GRANTS Microsoft’s Motion to Dismiss. The majority of Hold’s claims rely 13 14 on extrinsic evidence to demonstrate an unexpressed intent of the contract. Hold failed to 15 convince the Court that the contract contained ambiguous language such that extrinsic evidence 16 is needed. And even when taking all factual allegations of the complaint as true, the Court finds 17 that Hold failed to allege sufficient factual grounds to support a plausible claim for relief. The 18 Court GRANTS Microsoft’s Motion to Dismiss without prejudice. Polich v. Burlington 19 Northern, Inc., 942 F.2d 1467, 1472 (9th Cir. 1991) (“Dismissal without leave to amend is 20 improper unless it is clear, upon de novo review, that the complaint could not be saved by any 21 amendment.”) Hold has thirty (30) days from entry of this Order to file an amended complaint. 22 // 23 // 24 ORDER GRANTING MOTION TO DISMISS - 21 1 The clerk is ordered to provide copies of this order to all counsel. 2 Dated December 5, 2023. 3 A 4 Marsha J. Pechman United States Senior District Judge 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 ORDER GRANTING MOTION TO DISMISS - 22
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
