Negligence – Ransomware attack – Economic loss doctrine

Listen to this article

Where negligence claims have been brought by a plaintiff that suffered a ransomware attack that resulted in the deletion of its stored electronic data until it paid the requested ransom, a motion to dismiss those claims should be denied because the plaintiff’s complete loss of electronic data is sufficiently tangible to qualify as property damage so as to avoid the economic loss doctrine.

“In 2023, the plaintiff, Calvary Design Team, Inc. (‘Calvary’), suffered a ransomware attack that resulted in the deletion of its stored electronic data until it paid the requested ransom. Thereafter, it commenced this action against Winslow Technology Group, LLC (‘Winslow’), a consultant it hired in 2022 to assist it in overhauling its data center, and Wasabi Technologies, LLC (‘Wasabi’), the company that sold it data storage and protection products during that process. After the court dismissed Calvary’s original complaint without prejudice, see Docket No. 36, Calvary filed its First Amended Complaint (‘FAC’), which asserts claims for breach of contract, negligence, and multiple related causes of action. The defendants again move to dismiss. After a hearing on December 11, 2025, and for the reasons stated below, the motions are allowed in part and denied in part. …

“Wasabi and Winslow contend that Cavalry’s negligence and gross negligence claims are barred by the economic loss doctrine. …

“Courts have applied the doctrine to bar negligence claims arising from breaches of sensitive consumer data. …

“The defendants urge me to apply these data breach precedents in this case. However, Cavalry’s claim is factually different from the above cases. Here, the alleged threat actor did not simply hack into and access Calvary’s system and data; it used the access it gained to delete Calvary’s data, such that Calvary no longer had access to it until it paid the demanded ransom. And, rather than seeking the costs associated with reissuing credit cards, or monitoring consumer financial data, Calvary seeks the money it paid to avoid the complete, permanent loss of its critical data.

“In arguing that the economic loss doctrine does not apply, Cavalry therefore focuses on its actual lost data, in contrast to the above cases, where all relevant parties still possessed their data, but its value was reduced because it was accessed by unauthorized third parties. For this reason — because the deletion of valuable data constitutes ‘destruction of property,’ which goes beyond mere diminution in value — Calvary argues that the economic loss rule does not apply. … I agree with Cavalry.

“Given the critical role that a company’s electronic data often plays in a business — particularly a business like Cavalry’s that relies on technology and intellectual property, data qualifies as property. Neither defendant disputes that conclusion. They instead rely on the data breach precedent and its conclusion that diminution in the value of data is not property damage. As already discussed, however, the facts here significantly differ from those cases. The precedent applying the economic loss doctrine to data breaches typically involves either consumers whose information has been improperly accessed causing them some harm (the risk of unauthorized transactions, the inconvenience of monitoring accounts), or credit card issuers who allege harm in addressing the aftermath of a data breach (whether contractual liability for unauthorized transactions or the costs of replacing credit cards). The courts in those cases did not consider a company’s complete loss of its electronic data, albeit temporarily. Nor did they address the question whether a company’s loss of the entirety of its electronic data qualifies as property damage. In the context of this case, Cavalry’s complete loss of electronic data is sufficiently tangible to qualify as property damage so as to avoid the economic loss doctrine.

“… I have determined above that the economic loss doctrine does not apply to Cavalry’s claims. Further, on the question of duty, Cavalry has the better argument: that even when a contract exists, a plaintiff may bring a claim for negligence in performing that contractual duty. …

“Finally, I agree with Cavalry that the defendants’ superseding cause defense to negligence cannot be decided at this early stage because it requires factual development including, among other things, the foreseeability of the intervening wrongful conduct.

“For these reasons, Cavalry’s negligence claims may proceed. This conclusion notwithstanding, the contracts governing the parties’ relationship, once established, are likely to impact Cavalry’s negligence claims. Some of those impacts are discussed in the next section. Any such future findings or rulings, however, do not prevent Cavalry from bringing negligence claims in the first place. In addition, because the claims for gross negligence differ from the negligence claims only by degree, those claims will survive along with the negligence claims. Whether Cavalry can muster facts to support a claim for gross negligence is a question left for summary judgment. …

“Liability for unfair or deceptive acts and practices in violation of c. 93A, §§2 and 11 is a fact-intensive undertaking, turning on all relevant facts and circumstances. Because all or part of Cavalry’s contract and tort claims survive, its c. 93A claim should be determined on a more complete factual record. The FAC alleges a plausible claim for unfair or deceptive conduct. …

“For these reasons, Winslow’s motion to dismiss is allowed as to Count IX alleging fraudulent misrepresentation, but is otherwise denied. However, the restriction on liability in Paragraph 11 of the Terms and Conditions in the [Statement of Work (SOW)] between Winslow and Cavalry, which precludes consequential damages for loss of data, seriously restricts the damages Cavalry can seek from Winslow on its contract claim, and possibly other claims. Likewise, Wasabi’s motion to dismiss is allowed as to Count XI alleging fraudulent misrepresentation, but is otherwise denied. The Wasabi Customer Agreement’s impact, if any, on Cavalry’s claims must await further proceedings on the formation of and enforceability of any contract between Wasabi and Cavalry.”

Calvary Design Team, Inc. v. Wasabi Technologies, LLC, et al. (Lawyers Weekly No. 09-013-26) (17 pages) (Barry-Smith, J.) (Suffolk Superior Court) (Civil Action No. 2584CV00908-BLS-1) (Feb. 19, 2026).

Click here to read the full text of the opinion.