In brief
- Judge ruled economic loss doctrine does not bar negligence claims in ransomware data loss case
- Court found destruction of electronic data qualifies as property damage
- Claims for negligence, contract breach, and Chapter 93A violations survive dismissal
- Fraudulent misrepresentation claim dismissed for lack of intent evidence
The economic loss doctrine does not apply to bar negligence claims brought by a tech company that suffered damages from a ransomware attack that occurred after it implemented the defendants’ data storage services, a Superior Court judge has found.
Plaintiff Calvary Design Team suffered a ransomware attack in 2023. After paying to recover its stored electronic data, the plaintiff sued Winslow Technology Group and Wasabi Technologies for negligence and gross negligence, in addition to contract-based claims.
The plaintiff had retained Winslow Technology in 2022 as a consultant to overhaul its data center. Wasabi Technologies sold the plaintiff cloud-based data storage and protection products used in the upgrade of Calvary’s data storage systems.
The defendants moved to dismiss, contending Calvary’s negligence claims were barred under the economic loss doctrine.
Judge Christopher K. Barry-Smith, sitting in the Business Litigation Session, denied the motion. While he acknowledged that some courts have applied the doctrine to bar negligence claims arising from breaches of sensitive consumer data, he concluded there was no bar in the case before him.
“The precedent applying the economic loss doctrine to data breaches typically involves either consumers whose information has been improperly accessed causing them some harm (the risk of unauthorized transactions, the inconvenience of monitoring accounts), or credit card issuers who allege harm in addressing the aftermath of a data breach (whether contractual liability for unauthorized transactions or the costs of replacing credit cards),” Barry-Smith wrote. “The courts in those cases did not consider a company’s complete loss of its electronic data, albeit temporarily. Nor did they address the question whether a company’s loss of the entirety of its electronic data qualifies as property damage. In the context of this case, Calvary’s complete loss of electronic data is sufficiently tangible to qualify as property damage so as to avoid the economic loss doctrine.”
In addition, the judge denied the defendants’ motion to dismiss the plaintiff’s contract and negligent misrepresentation claims, as well as claims for unfair or deceptive acts and practices in violation of Chapter 93A.
But Barry-Smith granted the defendants’ motion to dismiss a claim for fraudulent misrepresentation, concluding the plaintiff failed to allege facts that plausibly support an inference that either defendant intentionally deceived Calvary or intentionally made a false statement.
The 17-page decision is Calvary Design Team, Inc. v. Wasabi Technologies, LLC, et al., Lawyers Weekly No. 09-013-26.
Significant hurdles ahead
Counsel for the parties did not respond to requests for comment.
Boston cybersecurity and data protection attorney B. Stephanie Siegmann said she agreed with the ruling on the application of the economic loss doctrine.
“What we had here was a ‘wiper attack’ where [the hacker] deletes the data and then your data is gone,” she said. “It’s clearly a destruction of property. The judge found very appropriately that, these days, data is property and that data has economic value. As the judge very succinctly said in his opinion, data was destroyed — property was destroyed — and the economic loss doctrine is inapplicable in this type of situation.”
According to Siegmann, a critical factor in the plaintiff becoming a victim of a ransomware attack was the company’s failure to avail itself of certain security features offered by Wasabi, notably multi-user authentication and multi-factor authentication.
“Multi-factor authentication can block 99 percent of account compromise attacks,” Siegmann said. “It’s something federal agencies have been telling small businesses, large businesses — all businesses — to do since at least 2022.”
Siegmann said the plaintiff’s failure to take advantage of a multi-factor authentication security feature would be a significant obstacle in establishing liability at either the summary judgment stage or at trial.
“A third-party actor essentially exploited Calvary’s failure to secure its account with the methods provided by Wasabi,” Siegmann said. “Calvary makes the argument that even if they did [avail itself of Wasabi’s security features], the third-party actor still would have gotten into the account, but I don’t know if they can prove that. It will be a battle of experts. And it will be very difficult for an expert to argue Calvary acted responsibly and reasonably in the current threat environment.”
Siegmann added that, going forward, the plaintiff will have a hard time overcoming a limitation of liability clause in Winslow’s “Statement of Work,” or SOW, provided to Calvary governing the IT company’s provision of services.
While not granting a dismissal on the basis of the limitation of liability clause, Barry-Smith did find that the clause “unambiguously” barred Winslow’s contractual liability for consequential or similar damages arising under the SOW. Further, the judge acknowledged that Calvary’s contractual claims based on allegations that Winslow did not perform contracted services were “severely limited” by the limitation on damages in the SOW.
Boston data security attorney Colin J. Zick expressed reservations about the judge’s analysis of the economic loss doctrine with respect to Calvary’s claims.
“Here, the court acknowledged that the data loss was temporary — that there was a ransom paid and the data was recovered,” Zick said. “What we don’t see is the court dealing with the tension between characterizing that situation as a complete loss of property and then the fact that it was recovered. Yes, [Calvary] had to pay something to get it back, but that to me is different. It’s not a permanent destruction; this was a temporary deprivation followed by restoration. And the restoration required a payment. And the payment was an economic loss.”
Zick said he viewed the decision as an understandable effort by the judge to provide a party that suffered significant losses with a means of redress.
“But it ignores the fact that they had entered into a contract,” Zick said. “This is not a situation where it’s an individual consumer going against a big company without the ability to negotiate the terms. This is a case involving parties of presumably equal bargaining strength.”
Zick said he is currently handling a similar case involving a motion to dismiss on the basis of the economic loss doctrine. He said the Calvary decision places providers of internet technology services in an unenviable position in terms of managing liability exposure.
“It will fundamentally change the nature of services,” he said. “If these cases start to move past motions to dismiss, prices are going to go up. There’s no free lunch. You can’t just shift these costs to the service providers. Some service providers will go out of business, others will charge higher rates. Ultimately, there will be a cross-subsidization if there’s a move away from the enforcement of the economic loss doctrine.”
Michael P. Burke, a cybersecurity attorney in Boston, said he is involved in a similar case recently filed in New York. Given that Calvary’s complaint included claims for gross negligence, he said he agreed with Barry-Smith’s ruling that the economic loss doctrine did not warrant dismissal.
“The economic loss doctrine was developed to prevent people from getting around [the terms of] their contracts by making tort claims,” Burke said. “But there’s also case law saying that where there’s gross negligence, these damages limitations and contractual terms that limit recovery shouldn’t be enforced. If you contract with someone to store and manage your data, and they allow it to be wiped out, the result of applying a damages limitation or the economic loss doctrine to those claims would be unjust.”
Data wipe
The plaintiff’s complaint notes that Calvary is a New York company in the business of designing, building and developing custom turnkey automation solutions, robotics platforms, and material handling systems. The two defendants are both Massachusetts companies that partner to provide IT services to clients.
Winslow provides services related to data storage systems and data protection, and Wasabi provides cloud-based data backup and data protection products.
In August 2022, Calvary contacted Winslow for a quote for managed services to overhaul Calvary’s data center. The following January, the parties entered into an agreement under which Winslow would deploy and manage Calvary’s data systems, including a cloud-based data storage system through Wasabi.
Calvary Design Team, Inc. v. Wasabi Technologies, LLC, et al.
THE ISSUE: Does the economic loss doctrine apply to bar negligence claims brought by a company that suffered damages from a ransomware attack that occurred after implementing the defendants’ data storage services?
DECISION: No (Suffolk Superior Court/Business Litigation Session)
LAWYERS: Shaun D. Loughlin of Gordon, Rees, Scully, Mansukhani, Boston (plaintiff)
Jared H. Pliner of Foley & Lardner, Boston (defendant Wasabi Technologies)
Rion Vaughn, Elizabeth L. Gardon and Meghan E. Phelan, of Rubin Rudman, Boston (defendant Winslow Technology Group)
On Sept. 6, 2023, Calvary was the victim of a LockBit 3.0 ransomware attack. According to Calvary, a “threat actor” infiltrated a system Winslow had configured and installed, allowing the hacker to access Calvary’s data. While Calvary was denied access to its local data storage system, the company believed at the time that its data was safe within Wasabi’s cloud-based backup storage.
However, Calvary would later learn that the threat actor was able to use its access to Calvary’s local system to obtain Calvary’s credentials and change the Wasabi account’s password. The hacker used the new password to change the Calvary email assigned to the Wasabi account. Using the new non-Calvary email address, the hacker directed Wasabi to delete all of Calvary’s data.
Upon realizing that it had no means to recover its business-critical data, Calvary paid the $4 million ransom demanded by the hacker and the data was restored.
In April 2025, Calvary sued Winslow and Wasabi. In a later amended complaint, the plaintiff asserted claims for negligence, gross negligence, breach of contract, breach of the implied covenant of good faith and fair dealing, fraudulent and negligent misrepresentation, and unfair or deceptive acts or practices in violation of Chapter 93A.
Economic loss doctrine inapplicable
Addressing the defendants’ motion to dismiss, Barry-Smith explained that the economic loss doctrine was developed “in part to prevent the progression of tort concepts from undermining contract expectations.”
To avoid application of the doctrine, the judge wrote, plaintiffs must “establish that the injuries they suffered due to the defendants’ negligence involved physical harm or property damage, and not solely economic loss.”
In arguing that Calvary’s negligence and gross negligence claims were barred by the economic loss doctrine, the defendants cited a number of cases in which courts have applied the doctrine to bar negligence claims arising from breaches of sensitive consumer data.
Barry-Smith found the case before him distinguishable from those data breach precedents, emphasizing the “critical role” that a company’s electronic data plays in a business, particularly a business like Calvary’s that relies on technology and intellectual property.
“Here, the alleged threat actor did not simply hack into and access Calvary’s system and data; it used the access it gained to delete Calvary’s data, such that Calvary no longer had access to it until it paid the demanded ransom,” Barry-Smith wrote. “And, rather than seeking the costs associated with reissuing credit cards, or monitoring consumer financial data, Calvary seeks the money it paid to avoid the complete, permanent loss of its critical data.”

