Envision Healthcare, Inc. v. Fed. Deposit Ins. Corp.

Full title: ENVISION HEALTHCARE, INC., Plaintiff, v. FEDERAL DEPOSIT INSURANCE…

Court: UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION

Date published: Dec 3, 2014

No. 11 CV 6933 (N.D. Ill. Dec. 3, 2014)

Opinion

No. 11 CV 6933

12-03-2014

ENVISION HEALTHCARE, INC., Plaintiff, v. FEDERAL DEPOSIT INSURANCE CORPORATION, as Receiver for First Chicago Bank & Trust, and FEDERAL DEPOSIT INSURANCE CORPORATION, in its corporate capacity, Defendants.

Judge Manish S. Shah

MEMORANDUM OPINION AND ORDER

Envision Healthcare, Inc. was a customer of First Chicago Bank & Trust. Envision claims that in March 2011, a computer hacker stole the log-in information for one of the company's employees, and used that employee's user ID and password to access the bank's online banking system. According to Envision, the hacker then issued a wire-transfer order in the employee's name, which the bank processed the next day. Envision sued the bank in state court, alleging breach of contract, negligence, and breach of the bank's implied duty of good faith and fair dealing. The bank was closed by Illinois authorities two days later, and the Federal Deposit Insurance Corporation was appointed as receiver. The FDIC, substituted as defendant in this case, moves for summary judgment on Counts I, II, and III of Envision's amended complaint. Envision cross-moves for summary judgment on the same counts. For the reasons discussed below, defendant's motion is granted, and Envision's cross-motion is denied.

I. Legal Standard

Summary judgment may be granted where "there is no genuine issue of material fact and . . . the movant is entitled to judgment as a matter of law." Hussey v. Milwaukee Cnty., 740 F.3d 1139, 1142 (7th Cir. 2014) (quoting Jackson v. Indian Prairie Sch. Dist. 204, 653 F.3d 647, 654 (7th Cir. 2011)). A genuine issue of material fact exists "if the evidence is such that a reasonable jury could return a verdict for the nonmoving party." Serednyj v. Beverly Healthcare, LLC, 656 F.3d 540, 547 (7th Cir. 2011) (quoting Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986)). In reviewing a summary-judgment motion or a cross-motion for summary judgment, I must construe all facts, and draw all reasonable inferences from those facts, in favor of the non-moving party. United States v. P.H. Glatfelter Co., 768 F.3d 662, 668 (7th Cir. 2014) (quoting Laskin v. Siegel, 728 F.3d 731, 734 (7th Cir. 2013)).

II. Facts

A. The Cash Management User Agreement

On May 28, 2009, Envision Healthcare entered a banking agreement with First Chicago Bank & Trust. See [106] at 3-4 ¶ 6; see also Exhibit C to the Amended Complaint, [39-1] at 4-7.¹ Daniel Kubik, Envision's controller, signed on behalf of Envision. See [106] at 4 ¶ 7; see also [39-1] at 7-8. This agreement, entitled the Cash Management User Agreement (CMUA), addressed "eBanking" services (i.e., "BeB" services) to be provided by the bank to Envision. See [106] at 2-3 ¶ 5; see also [39-1] at 4. The CMUA provided:

1 Citations to the record are designated by the document number as reflected on the district court's docket, enclosed in brackets. The facts related in this opinion are taken largely from the contracts at issue, as well as from the parties' Local Rule 56.1 statements of uncontested facts (and replies or responses thereto), which set forth the parties' positions concerning the facts material to the motions for summary judgment. I also note that in some instances the parties have filed two separate versions of their briefs and Rule 56.1 statements: one version under seal, and one (redacted) on the public docket. As I do not rely on any of the redacted statements, all citations included here are to the publicly-filed versions of those documents.

[The] Bank will verify that [Envision] has authorized, canceled or amended an entry that constitutes a payment order solely by means of the security procedures inherent in the BeB product. This Security Procedure uses SSL encryption and requires use of a Company ID, User ID and User Password. . . . [Envision] expressly agrees to be bound by any Order, whether or not authorized, issued in its name and accepted by Bank in compliance with the Security Procedure.

[39-1] at 4 ¶ 4. The agreement also stated:

The Bank will act on instructions received under valid Passwords, will have no duty to further verify the identity of any BeB user with valid Passwords and shall not have any liability for transactions occurring on [Envision's] account originated with valid Passwords.

Id. ¶ 3.

The CMUA further provided that once Envision had executed that agreement and the attached "enrollment form" (and the bank had approved the company's use of BeB), Envision would receive a corresponding company ID, user ID, and password. See id. After Envision obtained its BeB credentials, it would then have the ability "to set up additional users to access [its] accounts." Id. Under the CMUA, Envision was "solely responsible for the use by anyone of BeB who utilize[d Envision's] correct Passwords." Id.

In the enrollment form attached to the CMUA, see id. at 8, Envision could designate a "Company Administrator" who would have "maintenance authority over [Envision's] Passwords." Id. By designating someone as such an Administrator, Envision "authorized [the bank] to establish and issue initial passwords" to that person. Id. Molly Hamideh was listed as the appointed Company Administrator for Envision Healthcare in the enrollment form executed by Daniel Kubik on May 28, 2009. See id.; see also [106] at 5 ¶ 10.²

2 Envision contends that the parties also contemplated the appointment or use by Envision of another type of "administrator"—one who, unlike the "Company Administrator" described in the enrollment form, would have the ability to determine which individuals at Envision were authorized to issue wire-transfer orders, and for which accounts. See [106] at 4-5 ¶¶ 9, 10; see also [144] at 10 ¶ 10. Envision contends that Molly Hamideh was never appointed as such an "administrator." See [106] at 4-5 ¶¶ 9, 10; [144] at 11 ¶ 11. But Envision does not dispute that Hamideh was listed as the Company Administrator in the enrollment form signed by Daniel Kubik on May 28, 2009. She therefore received a valid password for online banking, and as discussed below, that is the only relevant fact in light of the contractual provisions at issue here.

Also included in the enrollment form signed by Kubik was a section entitled "Requested Services for Company Accounts." See [39-1] at 8. In this section was a table in which specific bank-account numbers could be "indicated" for use with specific eBanking services, such as "Wire," "Remote Deposit," and "Loan Sweep." See id. In the form signed by Kubik on May 28, 2009, this table was left blank. See id.; see also [144] at 8-9 ¶ 6.³

3 In support of its statement that the table in the enrollment form was not filled in, Envision cites in its Local Rule 56.1 statement to Exhibit D to the Amended Complaint. See [106] at 19 ¶ 6. Defendant objects to this Rule 56.1 statement because Exhibit D contains no such table. See [144] at 8-9 ¶ 6. Defendant is correct that Exhibit D to the Amended Complaint—a "confidentiality agreement" not at issue here—does not contain any tables. See [39-1] at 9-10. The enrollment form attached to the CMUA (appended to the Amended Complaint not as Exhibit D but as Exhibit C) does contain a "Requested Services" table, however, and the table was, as Envision says, left blank in that document. See [39-1] at 8. I therefore assume that Envision's reference to "Exhibit D" was a typographical error, and that Envision intended instead to refer to Exhibit C.

B. The Wire Transfer Agreement

Also on May 28, 2009, Daniel Kubik executed on behalf of Envision Healthcare a "Wire Transfer Agreement" with First Chicago Bank & Trust. See Exhibit E to the Amended Complaint, [39-1] at 12-13; see also [106] at 6 ¶¶ 14-15. This agreement authorized the bank "to initiate a funds transfer from any of [Envision's] accounts," based on "payment orders received by [the bank] in writing with [Envision's] original signature" or the original signature of one of Envision's "Authorized Agents." [39-1] at 12 ¶ 2. The agreement further provided that such Authorized Agents should be named in Exhibit A to that document. See id. ¶ 2(a).

Exhibit A to the Wire Transfer Agreement included a table in which the names of any Authorized Agents, and "the account numbers from which they [were] authorized to request transfers," could be listed. See id. at 13. The table in Exhibit A to the Wire Transfer Agreement executed by Daniel Kubik in May 2009 was left blank. See id.; see also [144] at 8-9 ¶ 6.

C. The March 31, 2011 Wire Transfer

On March 31, 2011, someone used the log-in information of Envision employee Molly Hamideh to sign on to First Chicago Bank's BeB website and issue a wire-transfer order from one of Envision's accounts (No. *4804). See [106] at 15-16 ¶¶ 37-39. The bank processed the order the next day (April 1) and wired $125,760.90 out of Envision's *4804 account to a third-party bank account in Phoenix, Arizona. See id. at 16 ¶¶ 39, 40; see also [144] at 21 ¶ 32.

Envision maintains that it was not Molly Hamideh who ordered the wire transfer on March 31, 2011, but an unknown individual who was merely posing as Hamideh, and who had fraudulently obtained her ID and password information through a "phishing" scam. See [106] at 15 ¶ 37; see also [144] at 20 ¶ 30.⁴ Accordingly, on April 4, 2011, Envision notified the bank of its belief that an unauthorized transfer had been processed against the company's account. See [106] at 17 ¶ 43. Only $945.30 of the transferred funds were recovered. See [144] at 24 ¶ 38.

4 Defendant disputes this statement, see [144] at 20 ¶ 30; [145] at 18 ¶ 30, and contends that it was Hamideh herself who ordered the transfer of funds, see [106] at 17 ¶ 42.

D. Procedural History

In July 2011, Envision filed a breach-of-contract suit against First Chicago Bank & Trust in the Circuit Court of Cook County, Illinois. See [1-1]. Envision alleged that the bank had breached its agreement with Envision by honoring a wire-transfer order that was unauthorized (Count I). See id. at 7. Also included in Envision's complaint were claims that the bank had been negligent (Count II) and that the bank had breached its implied duty of good faith and fair dealing (Count III). See id. at 8-9. Two days after Envision filed suit, the bank was closed by the Illinois Department of Financial and Professional Regulation. See [106] at 2 ¶ 3. The Federal Deposit Insurance Corporation was appointed as the bank's receiver, see id., and the FDIC removed the case to federal court, see [1].⁵

5 The FDIC filed its notice of removal pursuant to 12 U.S.C § 1819(b)(2)(B). See [1] at 1; id. at 4 ¶ 12. This section provides:

Except as provided in subparagraph (D), the [FDIC] may . . . remove any action, suit, or proceeding from a State court to the appropriate United States district court before the end of the 90-day period beginning on the date the action . . . is filed against the [FDIC] or the [FDIC] is substituted as a party.

12 U.S.C. § 1819(b)(2)(B) (emphasis added). Subparagraph (D) of that section states:

Except as provided in subparagraph (E), any action—(i) to which the [FDIC], in [its] capacity as receiver of a State insured depository institution by the exclusive appointment by State authorities, is a party other than as a plaintiff; (ii) which involves only the preclosing rights against the State insured depository institution, or obligations owing to, depositors, creditors, or stockholders by the State insured depository institution; and (iii) in which only the interpretation of the law of such State is necessary, shall not be deemed to arise under the laws of the United States.

Envision ultimately amended its complaint, asserting against FDIC (in its capacity as receiver) the same contract, negligence, and breach-of-good-faith claims originally asserted against the bank. See [39] at 7-10 (Counts I-III).⁶ Before me are FDIC-Receiver's motion for summary judgment, [72], and Envision's cross-motion for summary judgment, [82], on Counts I, II, and III of the amended complaint.

6 Envision also included in its amended complaint a claim against FDIC in its corporate capacity (Count IV), alleging the wrongful denial of an insured-deposit claim. See [39] at 10-11. Although Envision initially (cross-)moved for summary judgment on Count IV as well as on Counts I through III, see [105] at 1, 13-15, FDIC-Corporate moved to strike that portion of Envision's motion and corresponding brief. That motion was granted by Judge Lefkow, to whom this case was originally assigned. See [96]. I therefore consider the parties' arguments and statements of fact only insofar as they pertain to Counts I, II, and III of Envision's amended complaint.

III. Analysis

A. Breach of Contract (Count I)

Envision asserts that the bank breached the Cash Management User Agreement by processing the wire-transfer order issued with Molly Hamideh's BeB username and password on March 31, 2011. See [136] at 2. The CMUA provides that the agreement "is subject to applicable federal laws and the laws of the State of Illinois." [39-1] at 7 ¶ 20. Illinois generally enforces choice-of-law provisions in contracts, see Lyon Fin. Servs., Inc. v. Ill. Paper and Copier Co., 732 F.3d 755, 758-59 (7th Cir. 2013) (citing Hofeld v. Nationwide Life Ins. Co., 59 Ill.2d 522 (1975)), and neither party here contends that Illinois law should not govern the CMUA. Thus, I follow Illinois law in assessing the breach-of-contract claim.

To prove a breach of contract in Illinois, the plaintiff must show the existence of "a valid contract, performance by the plaintiff, breach by the defendant, and damages." Norem v. Lincoln Benefit Life Co., 737 F.3d 1145, 1148 (7th Cir. 2013) (citing Elson v. State Farm Fire & Cas. Co., 295 Ill.App.3d 1 (1998)). Envision contends that the bank breached paragraph 4 of the Cash Management User Agreement when the bank processed the online wire-transfer request made under Molly Hamideh's BeB user information on March 31, 2011. See [136] at 2 (citing [39-1] at 4 ¶ 4.). Paragraph 4 of the CMUA states:

[The] Bank will verify that [Envision] has authorized, canceled or amended an entry that constitutes a payment order solely by means of the security procedures inherent in the BeB product. This Security Procedure uses SSL encryption and requires use of a Company ID, User ID and User Password.

[39-1] at 4 ¶ 4.

Illinois generally follows the "four corners" rule of contract interpretation, which provides that in interpreting a contract, the court must "initially look[] to the language of the contract alone." Air Safety, Inc. v. Teachers Realty Corp., 185 Ill.2d 457, 462 (1999) (citations omitted). If, on its face, the contractual language is unambiguous, the contract is interpreted as a matter of law, without the use of extrinsic (i.e., "parol") evidence. See id. (citation omitted).

Paragraph 4 of the CMUA is unambiguous. Under the above-quoted provision of that agreement, the bank must verify that Envision has authorized an online payment order—here, a wire-transfer order—"solely by means of the security procedures inherent in the BeB product." [39-1] at 4 ¶ 4 (emphasis added). In other words, as long as the bank follows the "inherent" BeB security procedures, it has fulfilled its duty to verify that an instruction was indeed authorized by the account-holder. But what are the security procedures inherent in the BeB product? The CMUA explains what these are, too. According to the agreement, the security procedure for BeB "requires use of a Company ID, User ID and User Password." Id. Thus, so long as the bank verifies that an online wire-transfer instruction was issued by someone using valid BeB log-in information, the bank has followed the relevant security procedures and has satisfied its obligations under paragraph 4 of the CMUA.

Envision claims that the bank breached paragraph 4 of the agreement by processing a wire-transfer order made with Molly Hamideh's BeB user information, since Hamideh was not actually authorized to order such transfers. See [136] at 2. Hamideh was not so authorized, says Envision, because she was not listed in the Wire Transfer Agreement as being able to wire money out of the *4804 account, and because that particular account was not listed in the enrollment form (attached to the CMUA) as requiring online wire-transfer service. See [105] at 6-7, 8 (noting that the relevant tables in those documents were left blank). In essence, Envision seeks to hold the bank liable for failing to verify that the valid BeB credentials used to issue a payment order were indeed the credentials of someone who had been formally authorized by Envision to wire money out of a specific account. But, as just explained, this is not what the CMUA required.

Under paragraphs 3 and 4 of the CMUA, the bank needed only to confirm that the instruction it received online came from someone using valid BeB log-in credentials. Envision admits that the alleged "hacker" in this case used Hamideh's username and password, see [136] at 2, and nowhere contends (or presents evidence indicating) that the log-in information used was invalid. To impose on the bank an additional obligation—that is, a duty to ensure that each instruction it received was from a BeB user formally authorized to issue that particular order—would be to shoulder the bank with a burden it never agreed to carry. See [39-1] at 4 ¶ 4 ("[Envision] expressly agrees to be bound by any Order, whether or not authorized, issued in its name and accepted by [the] Bank in compliance with the Security Procedure.") (emphasis added); id. ¶ 3 ("The Bank will act on instructions received under valid Passwords . . . and shall not have any liability for transactions occurring on [Envision's] account originated with valid Passwords."); id. at 5 ¶ 11 ("[Envision] assume[s] sole responsibility for any unauthorized use of [its] account's Passwords, and shall . . . hold the Bank harmless from all . . . losses and damages related to or arising out of any unauthorized transactions."). Thus, whether Molly Hamideh was formally authorized—either at the time Envision executed the CMUA or at some later time—to wire money out of the *4804 account is immaterial to whether the bank fulfilled its duties under paragraph 4 of the CMUA.

In short, even assuming that (1) Molly Hamideh was not formally authorized by Envision to issue wire-transfer orders for the company's *4804 account, (2) it was not Hamideh herself who issued the wire-transfer order on March 31, 2011, but a hacker impersonating her, and (3) conducting online wire transfers was not a service Envision opted into with the bank—I find that no reasonable jury would conclude that the bank breached paragraph 4 of the CMUA by processing the March 31, 2011 order. If an online order were placed with a valid password, the bank promised it would verify the validity of the password, no more, and the parties agreed the bank would not be liable for any transaction (authorized or not) conducted while using that password.⁷ Accordingly, defendant is entitled to judgment as a matter of law on Envision's breach-of-contract claim. Defendant's motion for summary judgment on Count I of the complaint is therefore granted, and Envision's cross-motion for summary judgment on Count I is denied.

7 Envision alleges in its complaint that the bank also breached the Wire Transfer Agreement (WTA). See, e.g., [39] ¶¶ 55-57. As defendant points out, however, the complaint does not identify a specific provision of the WTA that Envision claims was breached, see [97] at 5-6. (Envision does, in its opening brief, refer in passing to paragraph 9 of the WTA, see [105] at 6, but this paragraph merely limits the bank's liability to "negligence in performing its obligation under" that agreement, see [39-1] at 12 ¶ 9.) In response, Envision argues not that a particular provision of the WTA was breached, but that, in light of what the parties agreed to in the WTA, the bank violated paragraph 4 of the CMUA. See [136] at 1-2. As discussed above, however, the language in paragraph 4 of the CMUA speaks for itself. Envision does not offer a theory of breach of the WTA separate and apart from the bank's alleged failure to comply with paragraph 4 of the CMUA. Therefore, I do not decide whether the bank may have independently breached the WTA. See Judge v. Quinn, 612 F.3d 537, 557 (7th Cir. 2010) (undeveloped arguments are waived).
In any event, I am not persuaded that the WTA applies in this case. In its explanation of how the bank purportedly breached the CMUA, Envision refers to paragraph 2 of the Wire Transfer Agreement. See [136] at 2. This paragraph addresses how certain wire-transfer payment orders may be "authorized" by Envision, see [39-1] at 12 ¶ 2(a) (describing how individuals may be named as Envision's "Authorized Agents," authorized specifically to wire-transfer funds out of designated accounts)—and so Envision argues that Molly Hamideh, at least within the meaning of the WTA, was not authorized by Envision to transfer money out of the *4804 account. But the type of payment order contemplated by the WTA, see [39-1] at 12 ¶ 2 (discussing payment orders received only "in writing with [Envision's] or [its] Authorized Agent's original signature") (emphases added), appears to be quite different from that contemplated by the CMUA—which, as discussed above, concerns online requests made with a user ID and password, see [39-1] at 4 ¶¶ 3-4. That the online requests addressed in the CMUA are distinct from the written payment orders described in the WTA is further evidenced by the fact that each of these two agreements includes its own "security procedure": while BeB orders are verified by checking that a user's ID and password are valid, id. at ¶ 4, the written wire-transfer orders covered by the WTA are verified by making sure that the name on the order "corresponds to one . . . previously specified" to the bank as authorized for making that request, id. at 13 ¶ 13.

B. Negligence (Count II)

Envision also asserts that the bank acted negligently by processing the wire-transfer order that issued from Molly Hamideh's BeB user account on March 31, 2011. See [39] ¶¶ 60-63 (Count II); see also [105] at 6-13; [136] at 3-5. Defendant argues that Envision cannot proceed with this claim as a matter of law—and thus defendant is entitled to summary judgment on Count II of the complaint—because it is barred by the economic-loss doctrine. See [97] at 8-9. I agree.

The economic-loss doctrine—known as the Moorman doctrine in Illinois⁸—precludes plaintiffs from recovering in tort "for purely economic losses arising out of a failure to perform contractual obligations." Wigod v. Wells Fargo Bank, N.A., 673 F.3d 547, 567 (7th Cir. 2012) (citing Moorman Mfg. Co. v. Nat'l Tank Co., 91 Ill.2d 69 (1982)). As Envision here seeks only to recover the money it lost from the purportedly unauthorized wire transfer (and related costs), see [39] at 9, Count II of Envision's complaint is barred by Moorman unless the duty that was allegedly breached arose outside the contract. See Wigod, 673 F.3d at 567 (citing Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 159 Ill.2d 137 (1994)). Thus, "the key question is whether the defendant's duty arose by operation of contract or existed independent of the contract." Id. (citing Catalan v. GMAC Mortg. Corp., 629 F.3d 676, 693 (7th Cir. 2011)).

8 The parties agree that Illinois law applies to Envision's negligence claim. See, e.g., [97] at 8-11; [136] at 4.

The duties of care that the bank allegedly breached in 2011 arose expressly from the contracts entered into by Envision and the bank. See, e.g., [105] at 6 (stating that the bank acted negligently in processing the March 31, 2011 wire-transfer order because, "[a]ccording to the contracts, Molly Hamideh could not issue wire transfers . . . and Account No. *4804 was never authorized for outgoing wire transfers") (emphasis added).⁹ In its response brief, Envision argues that the bank was also under an independent, common-law duty to exercise reasonable care in providing any services that the bank had (by contract) agreed to undertake, and is therefore liable for any harm resulting from a failure to exercise such care. See [136] at 4 (quoting Vancura v. Katris, 238 Ill.2d 352, 382 (2010)). There are several problems with this argument.

9 Envision also argues that the bank was negligent because it failed to maintain a sufficiently secure eBanking system, see [105] at 12-13; see also [39] ¶ 62, but fails in its opening brief to articulate an applicable duty of care.

First, the common-law duty of care identified by Envision does not apply to the bank in this case and, therefore, cannot subject defendant to liability here. The duty of reasonable care discussed in Vancura—that is, the duty of care as defined in Section 323 of the Restatement (Second) of Torts—imposes liability on service-providers only for physical harm, not mere economic loss. See Vancura, 238 Ill.2d at 382 ("One who undertakes . . . to render services . . . is subject to liability to the other for physical harm resulting from his failure to exercise reasonable care" (quoting Restatement (Second) of Torts § 323 (1965)) (emphasis added); see also id. (observing that "section 323 [is] explicitly limit[ed] to situations in which the plaintiff has suffered 'physical' or 'bodily' harm"). Envision alleges only economic harm, so Section 323 of the Restatement cannot save its negligence claim from Moorman preclusion.¹⁰

10 Counsel for Envision misquotes the phrase "physical harm" as "[harm]." [136] at 4. This substitution is misleading. The very case counsel purports to quote says that Section 323 of the Restatement cannot apply where (as here) only economic losses are alleged. See Vancura, 238 Ill.2d at 382-83. ("In the present case, plaintiff has suffered only economic damages. . . . We therefore reject [the] argument that plaintiff's negligent training claim is controlled by . . . section 323 of the Restatement."). Counsel's use of brackets to replace "physical harm" with "[harm]" was likely quite deliberate. The attorneys who submitted Envision's response brief are advised that an attempt to mislead a court by manipulating quotations from the case law could expose them to sanctions. See Monee Nursery & Landscaping Co. v. Int'l Union of Operating Eng'rs, Local 150, AFL-CIO, 348 F.3d 671, 677 n. 4 (7th Cir. 2003) ("[A]n intentional misstatement of law before a court is a serious offense that violates Rule 3.3(a) of the Model Rules of Professional Conduct . . . and can lead to sanctions under Rule 11(c) of the Federal Rules of Civil Procedure." (citing Teamsters Local No. 579 v. B & M Transit, Inc., 882 F.2d 274, 280 (7th Cir. 1989))). No rule to show cause will issue in this case; this footnote should serve as an adequate deterrent to future missteps.

Banks are, however, generally subject to a duty of reasonable care toward their depositors. See Mutual Service Cas. Ins. Co. v. Elizabeth State Bank, 265 F.3d 601, 613-14 (7th Cir. 2001) (applying Illinois law). This duty arises from the position of trust that banks occupy with respect to the funds placed in their custody. See id. at 613. As this duty of care exists "irrespective of the terms of the contract" a bank may otherwise have with its customer, it is conceivable that the Moorman doctrine would not bar a tort claim founded on the alleged breach of such a duty. See id. at 617-18 (discussing but not deciding the issue). Envision does not identify this particular duty or argue that it applies here. Regardless, its existence is not enough to preserve Envision's negligence claim because the Uniform Commercial Code, as adopted by the Illinois legislature, governs the situation presented here.

In Illinois (and elsewhere), the UCC generally governs the relationship between a bank and its customers. See 810 ILCS 5/4-101 et seq. The Moorman doctrine seeks to "maintain the integrity of [the] carefully articulated body of rules in the UCC." Mutual Service, 265 F.3d at 617 (citation omitted) (internal quotation marks omitted). Thus, common-law principles may supplement the UCC—and so may provide the foundation for an action in tort—only where particular provisions of the UCC have not displaced those rules. See id. at 614, 617; Dixon, Laukitis, and Downing, P.C. v. Busey Bank, 993 N.E.2d 580, 587-88 (Ill. App. Ct. 2013) (discussing Mutual Service). In other words, a negligence claim asserted against a bank, based solely on economic loss, cannot proceed if specific provisions of the UCC have already delineated the bank's responsibilities in the circumstances at hand. See Dixon, 993 N.E.2d at 588; cf. Mutual Service, 265 F.3d at 614.

Such is the case here. Envision contends that the bank was negligent in honoring the wire-transfer order issued from Molly Hamideh's BeB user account on March 31, 2011. See [105] at 6-13; [136] at 5. But Article 4A of the UCC already sets forth a detailed scheme concerning the bank's rights and responsibilities when presented with an electronic payment order such as the one at issue. See generally 810 ILCS 5/4A ("Funds Transfers"). Section 202(b) of that article, for example, governs whether such a payment order is deemed effective—even if not "authorized" under Section 202(a)—where, as here, the "bank and its customer have agreed that the authenticity of payment orders issued . . . in the name of the customer as sender will be verified pursuant to a security procedure." Id. at 5/4A-202(b). Section 203(a) sets forth the circumstances in which a payment order deemed "effective" may nonetheless be unenforceable, and Section 204 provides remedies for when the bank accepts a payment order that is unauthorized or unenforceable. See id. at 5/4A-203(a)(2), 5/4A-204(a). Article 4A, in other words, has displaced common-law rules that might otherwise prescribe a bank's obligations when processing electronic wire-transfer orders. See Travelers Cas. & Sur. Co. of Am. v. Bank of Am., N.A., No. 09 C 06473, 2010 WL 1325494, at *2 (N.D. Ill. Mar. 30, 2010) ("Article 4A displaces common law causes of action that are covered by its provisions . . . .").¹¹

11 Even Envision agrees that the UCC applies to its cause of action against the bank. See [136] at 4-5 (arguing that the bank breached its duty of care as set forth in Section 5/4A-202(b) of the Code).

Envision also argues that the bank was negligent in maintaining adequate security procedures in the first instance. See [105] at 12-13. But Article 4A of the UCC provides that procedures for verifying authorization of an electronic payment order need only be "commercially reasonable," 810 ILCS 5/4A-202(b), and enumerates which factors a court must consider in determining whether the specific procedure employed was indeed reasonable, see id. at 5/4A-202(c). Thus, here, too, the UCC has displaced the common law.

The UCC supports contract-based causes of action for purported violations of the Code's provisions. But Envision has brought no such claims, instead grounding Count II of its complaint in tort. For the reasons discussed above, a tort-based claim is barred under the Moorman doctrine and so cannot proceed as a matter of law. Envision argues, however, that because the Cash Management User Agreement and Wire Transfer Agreement each state that the bank may be liable for its negligence, Envision's negligence claim necessarily must be permitted. See [136] at 3. But Envision misunderstands the import of the provisions it cites.

The CMUA states that the bank "shall be liable only for its negligence . . . in performing th[e] services" required by that agreement. [39-1] at 6 ¶ 14 (emphasis added). Similarly, the WTA provides that the bank will be liable "only for its negligence in performing its obligation under this Agreement." [39-1] at 12 ¶ 9 (emphasis added). In other words, the "negligence" clauses further cabin the bank's liability under the two agreements by requiring the plaintiff to prove not just that the bank failed to meet an obligation as contracted, but that the bank did so negligently. The "negligence" clauses, in short, raise the bar for prevailing on a breach-of-contract claim under either agreement—a bar that, as explained above, Envision has failed to clear in the first instance. On these facts, the "negligence" clauses do not provide a separate, tort-based cause of action on which Envision may base its suit.

Defendant's motion for summary judgment on Count II of the complaint is therefore granted. Envision's cross-motion for summary judgment on Count II is accordingly denied.

B. Breach of the Duty of Good Faith and Fair Dealing (Count III)

Envision also contends that, in processing the wire-transfer order issued using Molly Hamideh's BeB log-in information, the bank breached a duty of good faith and fair dealing implied in the Cash Management User Agreement and Wire Transfer Agreement. See [39] ¶¶ 64-67. Defendant argues that this claim, too, fails as a matter of law, because in Illinois there is no such independent cause of action. See [97] at 11-12. I agree.

In Illinois, the duty of good faith and fair dealing is implied in every contract. See Seip v. Rogers Raw Materials Fund, L.P., 408 Ill.App.3d 434, 443 (2011). This duty requires a party "vested with contractual discretion to exercise it reasonably, and not arbitrarily, capriciously, or in a manner inconsistent with the reasonable expectations of [the] parties." Id. (citing Kirkpatrick v. Strosberg, 385 Ill.App.3d 119, 131 (2008)). It is not, however, "an independent source of duties for the parties to a contract." Id.; see also Iowa Physicians' Clinic Med. Found. v. Physicians Ins. Co. of Wis., 547 F.3d 810, 812 (7th Cir. 2008) (discussing Illinois courts' "steadfast refusal," other than in insurance-contract cases, "to recognize an independent tort arising from the breach of [the implied good-faith] covenant") (citation omitted).

In practice, this means two things: first, a claim for breach of an implied duty of good faith and fair dealing cannot stand on its own, but must be included as a theory of liability within a larger breach-of-contract claim, see Wilson v. Career Educ. Corp., 729 F.3d 665, 674 (7th Cir. 2013) (discussing Illinois law) (citation omitted); second, even if appropriately pleaded, the good-faith duty is merely a tool of construction used to determine the parties' intent where two conflicting interpretations of a contract are possible, see Seip, 408 Ill.App.3d at 443 (citing Fox v. Heimann, 375 IH.App.3d 35, 42 (2007)); see also Cramer v. Ins. Exch. Agency, 174 Ill.2d 513, 523-24 (1996)) (noting that, where one possible construction imputes bad faith to a party but the other does not, the latter should be adopted) (citing Martindell v. Lake Shore Nat'l Bank, 15 Ill.2d 272, 286 (1958)).

Envision has not pleaded its duty-of-good-faith theory (Count III) as part of its breach-of-contract claim (Count I), as it was required to do. See [39]. Moreover, Envision has not adequately explained how the good-faith duty even comes into play as a necessary tool of construction in this case. Use of the good-faith construction tool typically occurs where one party to the contract has been given, per the terms of that agreement, "broad discretion in performing its obligations." Gore v. Ind. Ins. Co., 376 Ill.App.3d 282, 286 (2007) (citing Dayan v. McDonald's Corp., 125 Ill.App.3d 972, 990 (1984)). A party has broad contractual discretion where, for example, it is "peculiarly within the power of that party" to bring about a condition precedent to the contract, Dayan, 125 Ill.App.3d at 990, or has unrestricted discretion in terminating an at-will employment contract, see id. In such instances, an implied covenant of good faith is read into the agreement, imposing a reasonable limitation on the exercise of that discretion. See id. at 990-91.

Envision argues that paragraph 4 of the CMUA and paragraph 2 of the WTA provided such discretion to the bank here because, according to Envision, these paragraphs vested in the bank the discretion to honor (or not) a given wire-transfer order. See [136] at 6. I disagree. Paragraph 4 of the CMUA states that the bank "will verify that [Envision] has authorized . . . a payment order solely by means of the security procedures inherent in the BeB product." [39-1] at 4 ¶ 4. This provision does not vest in the bank broad or unrestricted discretion in deciding whether to process a payment order made online through its BeB system; the provision states that the bank "will verify" proper authorization "solely" using procedures set forth explicitly in that contract. Nor does this paragraph place within the bank's power the ability to bring about (or not) a condition precedent to the contract. In fact, it's the other way around: the bank's contractual obligation (i.e., to verify authorization through the BeB security procedure) is not triggered unless and until Envision—or someone claiming to represent Envision—submits a payment order online.

Paragraph 2 of the WTA is set up in a similar fashion.¹² Under that paragraph, Envision "authorizes and directs" the bank to initiate a funds transfer whenever the bank "receives from [Envision] a payment order which on its face complies with the Security Procedure established by this agreement." [39-1] at 12 ¶ 2. Again, the bank's obligation (to verify authorization) is triggered by someone else's action, and even when triggered, the bank is hardly imbued with broad discretion in fulfilling it. Under the terms of the contract, the bank must verify that the name on the written payment order corresponds to one previously identified to the bank as belonging to someone who has authority to issue such orders. See id. at 12-13 ¶¶ 2, 13.

12 As explained above at footnote 7, I am not convinced that the WTA applies in this case. However, as Envision discusses the WTA in its arguments concerning Count III of the complaint, see [136] at 6, I also address it here.
--------

Envision's claim for breach of an implied duty of good faith and fair dealing cannot proceed as a matter of law. Defendant's motion for summary judgment on Count III of the complaint is therefore granted, and Envision's cross-motion for summary judgment on Count III is denied.

IV. Conclusion

Envision's online-banking information was purportedly stolen, resulting in an alleged diversion of more than $125,000 from one of the company's accounts. While it is unfortunate that Envision has been unable to recover the majority of those funds, the bank did not break its promise to its customer—the bank promised to check the validity of the online password used to order a transaction, no more. For the reasons discussed above, defendant's motion for summary judgment on Counts I, II, and III of the amended complaint, [72], is granted; Envision's cross-motion on the same counts, [82], is denied. ENTER:

/s/_________

Manish S. Shah

United States District Judge
Date: 12/3/14

Id. § 1819(b)(2)(D) (emphasis added). Subparagraph (D) does not limit the FDIC's ability to remove a case to federal court where "the institution of which the [FDIC] has been appointed receiver could have invoked the jurisdiction of such court." Id. § 1819(b)(2)(E).

Although the FDIC did not address subparagraph (D) in its notice of removal, this subparagraph would have impeded the district court's initial exercise of jurisdiction over this case: (1) First Chicago Bank & Trust was a state bank, and the FDIC was appointed as receiver of the bank by state authorities (here, the Illinois Department of Financial and Professional Regulation), see Exhibit B to FDIC's Notice of Removal, [1-1] at 24; (2) plaintiff's original claims against the bank (breach of contract, negligence, and breach of the implied duty of good faith and fear dealing) involved only Envision's pre-closing rights against that depository institution, and required interpretation of only state law, see id. at Exhibit A, [1-1] at 3-29; and (3) FDIC in its capacity as receiver was and is a party to this suit as a defendant, not a plaintiff. (Subparagraph (E) would not have erased the jurisdictional bar under subparagraph (D), since Envision's original complaint does not suggest that the bank, before closing, could have invoked federal jurisdiction.) The FDIC did not address subparagraph (D) in its notice of removal. See generally [1].

Nonetheless, I find that federal jurisdiction (now) exists under 12 U.S.C. § 1821. Under that section, the FDIC as receiver for a failed bank may settle uninsured and unsecured claims on the receivership. See id. § 1821(d)(4)(B)(i). Once a claimant has filed such a claim with the FDIC, that entity has 180 days to decide whether to allow or disallow the claim. See id. § 1821(d)(5)(A)(i). If, however, the FDIC fails to render a decision within that time, the claimant may "file suit on such [a] claim (or continue an action commenced before the appointment of the receiver) in the district or territorial court of the United States for the district within which the [failed bank] is located." Id. § 1821(d)(6)(A). In the event such suit is filed or continued, the district court "shall have jurisdiction to hear such claim." Id. Such is the case here. See [8] (granting a motion by the FDIC to stay the action pending administrative review of Envision's claims against the bank); [15, 17] (granting the parties' joint motion to resume the litigation after the 180-day statutory review period expired).