Contract Limits vs. Cyber-Fraud Losses: Coffee Capital & Development, LLC v. RPT Restaurant Accounting Services, LLC and Michigan’s “Separate and Distinct Duty” Requirement

Contract Limits vs. Cyber-Fraud Losses:
Coffee Capital & Development, LLC v. RPT Restaurant Accounting Services, LLC and Michigan’s “Separate and Distinct Duty” Requirement

Introduction

Coffee Capital & Development, LLC v. RPT Restaurant Accounting Services, LLC (6th Cir. No. 25-1163, Dec. 18, 2025) is an unpublished but highly instructive decision at the intersection of contract law, negligence, and modern cyber-fraud schemes.

The case arises from a “business email compromise” scenario: a fraudster intercepted emails between Coffee Capital (a Michigan company) and RPT (a Wisconsin restaurant-accounting firm) and, by impersonating a Coffee Capital principal, induced RPT to wire over $100,000 from Coffee Capital’s account to the fraudster. When RPT refused to reimburse the loss, Coffee Capital sued in negligence only—without asserting a breach-of-contract claim—apparently because the parties’ written agreement sharply limited RPT’s contractual liability.

The central legal question was whether, under Michigan law, a service provider that has contracted to move a customer’s money can be sued in tort for negligence when it mistakenly pays a fraudster, even though the parties’ relationship and the disputed conduct are governed by contract. In Michigan, a plaintiff may not transform a breach-of-contract dispute into a tort action unless the defendant owed a duty “separate and distinct” from its contractual obligations.

The Sixth Circuit, applying Michigan law, held that Coffee Capital could not meet that standard. It concluded that:

  • RPT owed Coffee Capital no general common-law duty of due care with respect to the criminal act of the third-party fraudster; and
  • RPT and Coffee Capital did not have a “special relationship” under Michigan common law that would impose an affirmative duty on RPT to protect Coffee Capital from the fraudster’s criminal conduct.

Two concurring opinions, however, highlight that the law in this area—especially regarding cyber-fraud and the “voluntary undertaking” doctrine—is evolving and remains unsettled. One concurrence suggests that a duty in tort might exist when a financial-services provider voluntarily undertakes to transfer a customer’s money but concludes that the plaintiff forfeited that argument by not properly raising it in the district court. The other concurrence emphasizes that the case is, at core, a straightforward attempt to repackage a contract claim as negligence.

As a practical matter, the decision underscores the power of contractual limitations of liability in commercial relationships involving financial transfers and sends a strong message: under Michigan law, plaintiffs cannot sidestep unfavorable contract terms simply by relabeling a breach-of-contract grievance as negligence, at least where no well-defined, extra-contractual duty is shown.

Summary of the Opinion

Parties and Factual Background

Parties. Coffee Capital & Development, LLC is a Michigan company that hired RPT Restaurant Accounting Services, LLC, a Wisconsin-based provider, to perform financial and accounting services. The relationship was memorialized in a written agreement under which Coffee Capital:

  • Authorized RPT to access Coffee Capital’s accounts; and
  • Authorized RPT to transfer funds from those accounts to third-party payees.

The fraud. In 2021, a third-party criminal gained access to (or intercepted) the email communications between Coffee Capital and RPT. After observing legitimate email instructions from Coffee Capital to RPT regarding fund transfers, the fraudster:

  • Emailed RPT while impersonating a Coffee Capital principal, using a slightly misspelled email address;
  • Requested a transfer of $103,490.21 from Coffee Capital’s account to the fraudster’s account; and
  • Successfully induced RPT to execute that transfer.

When the fraudster later requested a second transfer, RPT contacted Coffee Capital directly, at which point both parties discovered the fraud. The stolen funds were never recovered.

Contractual backdrop. The opinion notes (via RPT’s argument) that the written agreement contained an express limitation-of-liability provision that significantly capped RPT’s contractual exposure. Coffee Capital, instead of suing for breach of contract, chose to sue only in negligence, presumably to escape those contractual restrictions and seek full tort damages.

Procedural History

  • Coffee Capital sued RPT in Michigan state court, alleging negligence only.
  • RPT removed the case to federal court on the basis of diversity jurisdiction (Coffee Capital is a Michigan citizen; RPT is a Wisconsin citizen; amount in controversy > $75,000).
  • RPT then moved for summary judgment, arguing that:
    • The duties Coffee Capital complained of were entirely contractual; and
    • Under Michigan law, no negligence claim lies unless the defendant owed a duty separate and distinct from the contract.
  • The district court agreed and granted summary judgment to RPT, holding that Coffee Capital had not identified any such separate and distinct duty under Michigan law.
  • Coffee Capital appealed to the Sixth Circuit.

Choice of Law

The contract contained a Wisconsin choice-of-law clause. However, Coffee Capital’s claim sounded in tort (negligence), not contract. Applying Michigan’s choice-of-law rules for torts, the court:

  • Noted that Michigan law presumptively governs tort claims unless there is a “rational reason” to displace it; and
  • Accepted the district court’s conclusion that Michigan law applied because:
    • The injury occurred in Michigan; and
    • The injured party (Coffee Capital) is a Michigan company.

Neither party contested the application of Michigan law on appeal, and RPT conceded that the result would be the same under Wisconsin law. The Sixth Circuit therefore analyzed the dispute purely under Michigan substantive law.

Issues on Appeal

The appeal turned primarily on the duty element of negligence. Coffee Capital advanced two main theories of duty:

  1. General duty of due care: RPT owed Coffee Capital a common-law duty to use reasonable care in its dealings so as not to harm Coffee Capital, independent of the contract.
  2. Special relationship duty: The accountant-client relationship between Coffee Capital and RPT was a “special relationship” under Michigan common law that imposed an affirmative duty on RPT to protect Coffee Capital from the fraudster’s criminal acts.

On appeal (but not meaningfully in the district court), Coffee Capital also gestured toward a third theory: that RPT’s voluntary undertaking of wiring Coffee Capital’s funds gave rise to a separate and distinct duty to exercise reasonable care in carrying out that undertaking. This third theory is central to Judge Nalbandian’s concurrence.

Holdings

The panel unanimously affirmed summary judgment for RPT but did so via partially differing analyses.

  • Majority opinion (Judge Ritz, joined in relevant part by Judges Nalbandian and Mathis):
    • RPT owed Coffee Capital no general common-law duty of due care regarding the fraud, primarily because the criminal conduct of a third-party fraudster was not foreseeable as a matter of law under Michigan precedent.
    • RPT owed Coffee Capital no special-relationship-based duty to protect it from the criminal acts of third parties; the parties’ accountant-client arrangement, standing alone, did not create such a relationship.
    • Therefore, Coffee Capital failed to identify a “separate and distinct” duty independent of the contract; its claim is essentially one for defective contractual performance and lies in contract, not tort. Summary judgment for RPT was proper.
  • Judge Nalbandian’s concurrence:
    • Agrees there was no special-relationship duty to protect Coffee Capital from third-party criminal acts.
    • Acknowledges that Coffee Capital also invoked (on appeal) the voluntary undertaking doctrine—that RPT had a common-law duty to exercise reasonable care when it chose to wire Coffee Capital’s money and to avoid causing harm in doing so.
    • Suggests this voluntary-undertaking theory “has some legs” and may be consistent with Michigan’s modern negligence jurisprudence, especially in light of the prevalence of cyber-fraud; but concludes that Coffee Capital forfeited this theory by not raising it in the district court.
    • Would affirm solely on the basis that: (a) no special-relationship duty exists here; and (b) the voluntary-undertaking duty argument was not preserved.
  • Judge Mathis’s concurrence:
    • Emphasizes the classic contract–tort boundary in Michigan: a tort claim arising out of a contract requires a duty that would exist even if the contract did not.
    • Concludes that RPT’s “sole alleged breach of duty was a breach of its contractual obligation” to make only authorized payments; thus Coffee Capital’s remedy “too, is contractual.”
    • Views Coffee Capital’s negligence claim simply as an impermissible attempt to re-label a breach-of-contract claim in order to circumvent contractual limitations of liability.

Detailed Analysis

I. The Governing Framework: Summary Judgment and Duty Under Michigan Law

The court reviewed the district court’s summary judgment decision de novo. Summary judgment is appropriate when there is no genuine dispute of material fact and the movant is entitled to judgment as a matter of law. Once the movant meets its initial burden, the nonmovant must produce specific facts showing a real issue for trial; mere allegations are not enough.

Under Michigan law, the elements of negligence are:

  1. duty;
  2. breach of that duty;
  3. causation; and
  4. damages.

The existence of a duty is a question of law for the court. If no duty exists, summary judgment (or summary disposition in Michigan courts) is proper.

Critically, in the contract–tort overlap context, Michigan uses a special “separate and distinct” duty test. When parties are in a contractual relationship, a plaintiff who wants to sue in tort must identify a duty that:

  • arises from common law or statute (not merely from the contract); and
  • would exist even if there were no contract between the parties.

This framework forms the backbone of the court’s analysis of Coffee Capital’s negligence claim.

II. The “Separate and Distinct” Duty Requirement in Michigan

Michigan’s modern approach to contract-related negligence claims is grounded in a series of decisions that the Sixth Circuit draws upon and applies here.

1. From “misfeasance vs. nonfeasance” to “separate and distinct duty”

Historically, Michigan courts sometimes distinguished between:

  • Misfeasance – active misconduct in performing a contract (which could support a tort claim); and
  • Nonfeasance – mere failure to perform contractual duties (which could not).

That framework proved unwieldy. In Fultz v. Union–Commerce Associates, Michigan’s Supreme Court began moving toward the more precise inquiry: would the defendant, apart from the contract, owe the plaintiff any duty at all?

Loweke v. Ann Arbor Ceiling & Partition Co. is the key modern case. It clarifies that:

  • The misfeasance/nonfeasance distinction is no longer the operative test for whether a tort action can be maintained in the contractual setting.
  • Courts must instead ask whether the alleged duty is “separate and distinct” from the duties the defendant assumed under the contract.
  • A separate and distinct duty may arise from:
    • common-law principles (e.g., duties arising from special relationships or general duties to use due care in undertakings), or
    • a statute.
  • If no such separate duty is identified, the claim lies in contract, not tort.

The Sixth Circuit has adopted and applied this framework in prior cases:

  • Ram International, Inc. v. ADT Security Services, Inc. – holding that a claim based solely on alleged failure to perform contractual security services lies in contract.
  • Spengler v. ADT Security Services, Inc. – finding no tort duty where the security company’s obligation to dispatch emergency services arose only from the contract.
  • Miller v. Gettel – emphasizing that when a claim is based solely on failure to perform a contract, it is contractual, not tortious.

In Coffee Capital, the court repeatedly returns to this principle to test whether RPT owed any duty that existed independently of the parties’ agreement.

2. General sources of separate and distinct duties

Loweke and related cases explain that separate and distinct duties commonly arise in two ways:

  1. Special relationships recognized at common law (e.g., landlord–tenant, common carrier–passenger, innkeeper–guest, doctor–patient, etc.), which impose affirmative duties of protection or care; and
  2. The general common-law obligation “to use due care” in the prosecution of any undertaking, i.e., when one voluntarily takes action that could foreseeably injure others if done carelessly.

Coffee Capital attempted to fit its case into both categories:

  • by claiming that RPT owed a general duty of due care; and
  • by asserting that the accountant–client relationship was a special relationship.

The panel rejects both theories on the facts presented.

III. No General Common-Law Duty of Due Care Owed by RPT in This Case

Coffee Capital’s first argument was that RPT owed a general common-law “duty of care” to act reasonably so as to avoid harming Coffee Capital. The court analyzes this claim under Michigan’s multi-factor duty test and focuses heavily on foreseeability, especially in the context of third-party criminal acts.

1. Michigan’s duty factors and the importance of foreseeability

Michigan courts commonly consider these factors in deciding whether to recognize a duty:

  • Foreseeability of the harm;
  • Degree of certainty that the plaintiff suffered injury;
  • Closeness of the connection between the defendant’s conduct and the injury;
  • Moral blame attached to the defendant’s conduct;
  • Policy of preventing future harm; and
  • The burdens and consequences of imposing a duty, including the scope of potential liability.

Foreseeability is frequently treated as a threshold consideration, particularly when the harm arises from criminal acts by third parties. Michigan precedent generally holds that:

  • Criminal activity by its nature is “normally unforeseeable,” and
  • A duty to protect against such criminal conduct typically does not arise unless the defendant had actual or constructive notice of a specific, imminent risk of harm to an identifiable plaintiff.

2. Application to business email compromise

The court reasons that RPT’s obligations here involved exposure to third-party criminal conduct: a fraudster’s hacking and impersonation. Drawing on cases like Brown v. Brown (an employer’s alleged duty to protect an employee from assault by another employee) and decisions such as Ison v. Pickard and Stacy v. HRB Tax Group, the court reiterates that:

  • Criminal harm is generally unforeseeable as a matter of law absent specific notice of danger; and
  • The existence of prior offensive or problematic conduct is not, without more, enough to make a subsequent criminal act legally foreseeable.

Coffee Capital did not allege that RPT had notice of a specific risk of fraud against Coffee Capital or that RPT knew (or should have known) that such a crime was imminent. The panel therefore concludes that:

  • The fraudster’s criminal conduct was not reasonably foreseeable as a matter of law; and
  • RPT therefore had no general duty of due care to protect Coffee Capital from this fraud under Michigan negligence law.

The majority opinion also indicates that even if foreseeability were assumed, Coffee Capital did not meaningfully explain how the other duty factors (moral blame, policy considerations, burden on the defendant, etc.) weighed in favor of recognizing a new, broad duty in this commercial context. Merely asserting that RPT “must have some duty” because it handled client funds is not enough to survive summary judgment.

3. Tension with the concurring view

Judge Nalbandian’s concurrence, while ultimately agreeing with the result, signals some discomfort with applying the “criminal acts are unforeseeable” rule too rigidly in the cyber-fraud context. He notes:

  • Given the pervasiveness of cybercrime and email impersonation scams, it is increasingly plausible that sophisticated accounting firms should foresee attempts to defraud their clients using spoofed emails.
  • There is a “plausible argument” that when a company voluntarily undertakes to wire a client’s funds, it should reasonably foresee the risk of fraud and take modest steps—even simple ones like verifying an odd email address—to avoid causing harm.

Nonetheless, because Coffee Capital did not squarely raise a voluntary undertaking theory in the district court, Judge Nalbandian would decline to decide whether Michigan law would impose such a duty on these facts. He therefore accepts, for this case, the majority’s conclusion that no general duty of due care was shown.

IV. No Special Relationship Between Coffee Capital and RPT

Coffee Capital’s second main argument was that its accountant-client relationship with RPT constituted a special relationship under Michigan common law, thereby creating an affirmative duty on RPT to protect Coffee Capital from third-party criminal acts.

1. Forfeiture question

RPT argued that Coffee Capital had forfeited this theory by not adequately raising it at the summary judgment stage. In its district court briefing, Coffee Capital:

  • Used the language of “relationship” and alluded to duties arising from the accountant–client context; and
  • Mentioned traditional special relationships (common carrier–passenger, innkeeper–guest, doctor–patient),

but did not clearly develop a discrete, doctrinal “special relationship” argument separate from its generic “duty of care” assertions. Under Sixth Circuit precedent, parties generally forfeit arguments not adequately presented in response to a summary judgment motion.

The majority opinion is cautious: it notes the likely forfeiture but chooses to address the merits, concluding that even if the special-relationship theory were preserved, it fails.

2. What is a “special relationship” under Michigan law?

In Michigan, the default rule is that there is no duty to protect another from the criminal acts of a third party. A duty to protect arises only when:

  • There is a recognized special relationship between the parties; and
  • The relationship, combined with the foreseeability of harm, justifies imposing such a duty.

Traditionally, Michigan recognizes only a narrow set of special relationships, such as:

  • Landlord–tenant;
  • Common carrier–passenger;
  • Innkeeper–guest; and
  • Doctor–patient.

These relationships share features such as:

  • An imbalance of control or power;
  • An expectation that one party will protect the other; and
  • A high degree of dependency or vulnerability on one side.

Courts are generally reluctant to expand this category, especially in commercial contexts between sophisticated parties.

3. The accountant–client relationship here

The majority finds that Coffee Capital failed to show that an accountant–client relationship of this type qualifies as a special relationship under Michigan law.

  • There is no Michigan authority squarely holding that an accountant generally owes a fiduciary or special-relationship duty of this kind to its clients.
  • In Banker & Brisebois Co. v. Maddox, the Michigan Court of Appeals explicitly noted the absence of a general fiduciary duty owed by accountants to clients.
  • In Grifo & Co. v. Cloud X Partners Holdings, a federal court applying Michigan law rejected the claim that a data-hosting provider owed a special-relationship duty to its commercial client, warning against expanding “special relationships” to broad, modern commercial settings without clear state-court direction.

The majority underscores that the relationship between Coffee Capital and RPT:

  • Was created and defined by a negotiated, written agreement,
  • Involved two sophisticated commercial entities, and
  • Included explicit limitations on RPT’s liability.

Coffee Capital itself conceded that the relationship “existed because of the Agreement,” undercutting any claim that the relationship, standing alone, created a duty independent of the contract.

4. Foreseeability and analogy to Hill v. Sears

The majority again emphasizes that the fraud was not foreseeable as a matter of law. It analogizes to Hill v. Sears, Roebuck & Co., where the Michigan Supreme Court held that the limited contractual relationship between a homeowner and a service technician (who had access to the home to install an appliance) did not create a special relationship imposing a duty on the technician to act for the homeowner’s benefit regarding hazards created by third parties.

The court reasons that:

  • RPT’s access to Coffee Capital’s accounts “for a particular purpose” is analogous to the technician’s access to the house for a limited installation purpose; and
  • This sort of limited, task-specific access does not create the kind of open-ended, protective duty characteristic of traditional special relationships.

Additionally, Michigan courts consistently treat criminal acts as unforeseeable absent particularized notice of impending harm (see Graves v. Warner Bros., Buczkowski v. McKay, Papadimas v. Mykonos Lounge, Stacy). There was no such notice here.

5. Contrast with Bell and Stacy (identity theft and tax-preparation cases)

Judge Nalbandian’s concurrence acknowledges that Michigan courts have, in limited situations, imposed protective duties in contexts involving identity theft and misuse of sensitive data:

  • In Bell v. Michigan Council 25 of AFSCME, a union was found to owe a duty to protect members from identity theft when the union used social security numbers in a way that exposed them to criminal misuse.
  • In Stacy v. HRB Tax Group, Inc., the Sixth Circuit predicted that Michigan law would impose a similar duty on a tax-preparation company to protect its clients’ personal information.

But the concurrence notes that those contexts involve particularly sensitive personal information (social security numbers, tax returns) and an elevated expectation of confidentiality, and that extending this reasoning to a broad range of commercial service providers (like restaurant-accounting firms handling account transfers) would be a significant doctrinal expansion. In Grifo, a federal court declined to take that step for cloud data-hosting.

Both the majority and concurrences ultimately conclude that Michigan law has not yet embraced such an expansion for ordinary commercial fund-handling arrangements like the one between Coffee Capital and RPT.

V. The Concurrences: Voluntary Undertaking and the Contract–Tort Boundary

A. Judge Nalbandian: Voluntary Undertaking and Cyber-Fraud Foreseeability

Judge Nalbandian’s concurrence is significant because it foregrounds a theory that may shape future cyber-fraud and fund-transfer litigation: the voluntary undertaking doctrine.

Under longstanding Michigan law (e.g., Clark v. Dalman, Loweke, Courtright v. Design Irrigation, Inc., Nelson v. Northwestern Savings & Loan Ass’n), a party who undertakes an action—whether pursuant to contract or not—owes a common-law duty to perform that undertaking with due care so as not to unreasonably endanger others’ person or property. This duty exists in addition to any contractual obligations.

Coffee Capital framed this as follows: when RPT chose to wire Coffee Capital’s money, it assumed a duty to exercise reasonable care in doing so, which includes taking reasonable precautions against foreseeable fraud. Under this view:

  • The key question is not whether third-party criminal conduct was foreseeable, but whether harm to Coffee Capital’s property (its money) was a foreseeable result of careless execution of the transfer.
  • The fraudster’s criminal act is relevant, but it does not automatically negate foreseeability when RPT is the one actually moving the funds.

Judge Nalbandian finds this theory “plausible” and notes that, given the ubiquity of cybercrime and email spoofing, it may well be foreseeable to a professional fund-handler that fraudsters will try to induce fraudulent transfers. He references a Michigan Court of Appeals decision, Moench v. Frankenmuth Credit Union, which—on facts analogously involving a financial institution transferring a client’s funds—recognized a credit union’s common-law duty to use due care when engaged in a money-transfer undertaking, without resorting to a special-relationship theory.

Nevertheless, Judge Nalbandian concludes that the voluntary-undertaking argument is not properly before the court because:

  • Coffee Capital did not clearly present this theory in the district court; instead, it argued only from a “special relationship” perspective; and
  • The Sixth Circuit generally refuses to consider new theories raised for the first time on appeal.

He therefore joins the judgment affirming summary judgment, but explicitly leaves open whether, in a future case properly framing the issue, Michigan law would recognize such a duty in the fund-transfer context.

B. Judge Mathis: A Clean Contract–Tort Separation

Judge Mathis’s concurrence rests almost entirely on the classical contract–tort distinction. He emphasizes:

  • Under cases like Hart v. Ludwig, Brock v. Consolidated Biomedical Laboratories, Rinaldo’s Construction Corp. v. Michigan Bell Telephone Co., and Spengler, Michigan allows tort claims arising out of contractual settings only where the defendant owed a duty that would exist even if the contract had never been made.
  • Here, RPT’s only alleged wrong was making an unauthorized wire transfer, in violation of its contractual obligation to make only Coffee Capital-approved payments.
  • That obligation emanates solely from the contract; there is no independent common-law duty on an accounting service provider to pay only those third parties that its client has designated.

Consequently, Judge Mathis concludes that Coffee Capital’s claim is purely contractual and cannot be recast as negligence. On his view, the “separate and distinct duty” inquiry does not even approach the more nuanced questions raised in Judge Nalbandian’s concurrence; it is resolved at a foundational level: if the duty exists only because the parties contracted, the claim belongs in contract.

VI. Precedents Cited and Their Influence

The opinion (and concurrences) rely on a set of Michigan and federal cases that structure the analysis. Key groups of precedents include:

1. Duty in negligence and third-party criminal acts

  • Brown v. Brown – An employer was sued for failing to protect an employee from criminal assault by another employee. The Michigan Supreme Court held that an employer generally cannot foresee, and therefore is not liable for, such criminal acts absent notice of imminent harm to an identifiable victim.
  • Graves v. Warner Bros., Buczkowski v. McKay, Papadimas v. Mykonos Lounge – Michigan cases reiterating that criminal conduct is ordinarily unforeseeable as a matter of law and that duties to protect arise only in narrow circumstances.
  • Stacy v. HRB Tax Group, Inc. – A Sixth Circuit case applying Michigan law to hold that a tax-preparation company had a duty to protect clients’ identities in light of a special relationship and the sensitive nature of the data involved.
  • Hill v. Sears, Roebuck & Co. – Michigan Supreme Court declined to recognize a special relationship between a homeowner and an appliance installer that would impose an affirmative duty on the installer to protect the homeowner from third-party-created hazards.

These cases collectively support the majority’s conclusion that:

  • Special-relationship duties are narrowly confined; and
  • Criminal acts are typically unforeseeable absent specific, individualized notice.

2. The contract–tort divide and “separate and distinct” duties

  • Hart v. Ludwig and Brock v. Consolidated Biomedical Laboratories – Foundational Michigan and Sixth Circuit cases stating that a tort action may lie only where there exists a legal duty independent of the contract.
  • Rinaldo’s Construction Corp. v. Michigan Bell Telephone Co. – Emphasizes that the existence (or non-existence) of a separate legal duty is the fundamental principle distinguishing contract and tort claims.
  • Fultz v. Union–Commerce Associates and Loweke v. Ann Arbor Ceiling & Partition Co. – Developed and clarified the “separate and distinct duty” analysis under Michigan law, moving away from the misfeasance/nonfeasance test and toward a duty-focused inquiry.
  • Spengler v. ADT Security Services, Inc. and Ram International, Inc. v. ADT Security Services, Inc. – Federal applications of Michigan law holding that obligations solely arising from security-service contracts support contract, not tort, claims.

These precedents frame both the majority’s and Judge Mathis’s reasoning that Coffee Capital’s complaint pertains essentially to RPT’s performance (or misperformance) of contractual duties that cannot, absent an independent duty, give rise to a negligence action.

3. Voluntary undertaking and due care in performance

  • Clark v. Dalman, Courtright v. Design Irrigation, Inc., Nelson v. Northwestern Savings & Loan Ass’n – Recognize the basic rule of common law that anyone engaged in “the prosecution of any undertaking” must exercise due care to avoid unreasonably endangering the person or property of others, irrespective of contractual ties.
  • Loweke – Confirms that this basic rule continues to operate in contractual settings and can give rise to a separate and distinct duty.
  • Moench v. Frankenmuth Credit Union (as summarized by Judge Nalbandian) – A Michigan Court of Appeals case that, on similar facts, recognized a credit union’s duty to use due care in transferring a client’s funds, apparently without relying on a special-relationship theory.

These cases underlie Judge Nalbandian’s view that a voluntary-undertaking duty may exist in this cyber-fraud fund-transfer context, even though it was not properly preserved in Coffee Capital.

4. Special relationships and data or identity protection

  • Bell v. Michigan Council 25 of AFSCME – Imposed a duty on a union to protect members from identity theft based on its handling of social security numbers, treated as a special-relationship scenario.
  • Stacy v. HRB Tax Group, Inc. – Extended Bell’s reasoning to tax-preparation services, predicting that Michigan law would impose a similar duty.
  • Grifo & Co. v. Cloud X Partners Holdings, LLC – Declined to recognize a special-relationship duty between a commercial client and a cloud data-hosting provider, warning against unwarranted doctrinal expansion in commercial settings.

These cases collectively support the view that while Michigan recognizes protective duties in specific, identity-sensitive contexts, it has not (yet) extended such duties broadly to all commercial service providers handling financial information or funds.

VII. Practical and Doctrinal Impact

1. Limits on tort liability for commercial fund-handling providers

The most immediate impact of Coffee Capital is on entities—such as accounting firms, payment processors, and financial-service providers—that move funds on behalf of commercial clients under written agreements. The case reinforces that:

  • When a loss arises from the provider’s alleged mishandling or misdirection of funds in performance of the contract, the claim will ordinarily be treated as contractual;
  • Plaintiffs must show a clearly defined, independent duty under Michigan law to maintain a negligence action; and
  • Courts are reluctant to find a “special relationship” in such commercial contexts, particularly between sophisticated entities that have expressly allocated risk by contract.

Practically, this makes contractual limitations of liability, indemnity clauses, and risk allocation provisions hugely consequential. Where such clauses sharply cap liability (as RPT’s contract apparently did), a plaintiff who omits a contract claim or cannot overcome these clauses may be left without a substantive remedy even if the service provider plainly made a costly mistake.

2. Cyber-fraud and the foreseeability of criminal acts

Another important dimension is the ongoing interaction between cyber-fraud and tort law. The majority, by adhering to the traditional rule that criminal acts are “normally unforeseeable,” implicitly treats business email compromise and impersonation scams as falling within that same category.

Judge Nalbandian’s concurrence, however, suggests that this doctrine may be strained in the modern environment where:

  • Business email compromise is common and well-documented;
  • Fraudsters frequently employ simple techniques (such as slightly misspelled email addresses) that could be detected with minimal checks; and
  • Financial-service providers are arguably best positioned to identify and mitigate such risks.

The concurrence points toward a potential evolution in Michigan law, whereby courts might:

  • Distinguish between a duty to protect against outside criminal acts (which might still require a special relationship) and
  • A duty in voluntary undertakings not to cause harm when moving another’s money, even where the harm is triggered by a fraudster’s intervention.

Coffee Capital, because of the forfeiture problem, does not resolve that latter question. It therefore leaves open the possibility that, on better-developed facts and arguments, Michigan courts might impose a voluntary-undertaking duty on entities like RPT in cyber-fraud scenarios.

3. Appellate practice: preserving theories at the trial level

The case also has procedural significance. The panel underscores that:

  • Parties must clearly articulate all legal theories of duty and liability at the summary judgment stage.
  • A litigant cannot expect the appellate court to entertain a substantially new theory (such as the voluntary-undertaking duty) that was not squarely presented and developed before the district court.

For practitioners, this is a reminder to:

  • Plead both contract and tort claims, where supportable, and
  • Explicitly invoke all relevant duty theories (general duty of care, special relationship, voluntary undertaking, statutory duties) in response to summary judgment motions.

4. Normative concerns and potential legislative or contractual responses

From a policy perspective, the outcome may appear harsh: a fraudster steals over $100,000; the party with control over the funds makes an error; yet the injured party is effectively barred from full recovery because of contractual and doctrinal limitations.

The decision may therefore:

  • Encourage commercial clients to negotiate stronger contractual protections, such as:
    • Higher liability caps for fund-transfer errors;
    • Representations and warranties regarding cybersecurity and identity-verification procedures;
    • Indemnity provisions specifically addressing third-party fraud; or
    • Insurance requirements (e.g., cyber-liability, crime, or E&O coverage).
  • Prompt financial-service providers to clarify in their contracts the scope of any duties (or disclaimers thereof) related to fraud detection and verification of payment instructions.
  • Potentially lead to legislative or regulatory developments that specifically address allocation of loss in business email compromise cases, analogous to how Article 4A of the UCC and banking regulations address certain wire-transfer disputes (though those rules were not at issue here).

While the opinion is “not recommended for publication” and therefore not binding precedent, it will likely be cited as persuasive authority in future Sixth Circuit and Michigan federal cases involving similar negligence claims tethered to commercial fund transfers and cyber-fraud.

Complex Concepts Simplified

Several doctrinal points in the opinion may be opaque to non-specialists. In simplified terms:

  • Summary Judgment: A procedural device allowing the court to decide a case without a trial when there are no genuine disputes of material fact and the movant is entitled to win under the law. Here, the court assumed the key facts in Coffee Capital’s favor but held that, even on those facts, RPT owed no legal duty in tort.
  • Duty in Negligence: Not every mistake or harm is legally actionable. A defendant is liable in negligence only if the law recognizes an obligation (a “duty”) to act with reasonable care toward the plaintiff in the circumstances. In contractual settings, the question is whether there is a duty besides “do what you promised in the contract.”
  • “Separate and Distinct” Duty: In Michigan, if parties have a contract, a plaintiff cannot sue in negligence for merely failing to perform the contract. The plaintiff must show a duty that would exist even if the contract did not—for example, a duty arising from general common law, a special relationship, or a statute.
  • Special Relationship: A narrow category of relationships (like landlord–tenant or doctor–patient) in which the law imposes an affirmative duty on one party to protect the other from harm, including harm caused by third parties. Courts are cautious about adding new relationships to this list, especially in commercial settings.
  • Voluntary Undertaking: When a person or business decides to do something (e.g., transfer funds, repair a structure), they must do it with reasonable care, so as not to unreasonably endanger others’ person or property. This duty exists apart from any contract. Judge Nalbandian believes this doctrine might apply to fund-transfer services but finds the argument forfeited here.
  • Foreseeability (especially of criminal acts): A harm is “foreseeable” if a reasonable person in the defendant’s position would anticipate that their conduct might result in that type of harm. Criminal acts by third parties are usually treated as unforeseeable in Michigan unless the defendant had specific notice of an imminent threat.
  • Forfeiture of Arguments: If a party fails to clearly present a legal theory to the trial court (for example, in response to a summary judgment motion), appellate courts typically will not consider that theory for the first time on appeal. This is what happened to Coffee Capital’s voluntary-undertaking theory.

Conclusion

Coffee Capital v. RPT Restaurant Accounting Services reinforces and clarifies several important propositions in Michigan law as applied by the Sixth Circuit:

  • A plaintiff cannot simply recast what is fundamentally a breach-of-contract dispute as a negligence claim to circumvent contractual limitations of liability.
  • In contractual relationships, a negligence claim requires a separate and distinct duty rooted in common law or statute, not merely in the contract itself.
  • Ordinary commercial accountant-client or fund-handler relationships, even where the provider has access to a client’s accounts, do not, without more, amount to the kind of special relationship that imposes an affirmative duty to protect against third-party criminal acts.
  • Under current Michigan precedent, third-party criminal conduct—such as business email compromise— is generally deemed unforeseeable absent specific notice of a particularized risk, which heavily militates against recognizing a general duty of care to protect against such fraud.
  • However, the concurring opinion by Judge Nalbandian signals that the law is not settled regarding the duty owed by entities that voluntarily undertake to move another’s money in an era of pervasive cyber-fraud; on a properly preserved record, Michigan courts may be asked to reconsider the foreseeability analysis in this context.

For now, the case stands as a strong reminder that, in Michigan, the primary vehicle for redress in disputes over mishandled or misdirected commercial fund transfers remains the law of contract, not tort. Parties engaging financial-service providers should therefore pay close attention to the risk allocation, security standards, and liability-limitation clauses in their agreements, as those provisions may ultimately define the outer boundary of their remedies when cyber-fraud strikes.

Case Details

Year: 2025
Court: Court of Appeals for the Sixth Circuit

Comments