Court Ruling Expands Liability for Ransomware Data Loss in Landmark Cybersecurity Case
A Massachusetts Superior Court judge has ruled that the economic loss doctrine does not bar negligence claims in a case involving a 2023 ransomware attack that destroyed a tech company’s critical data. The decision in Calvary Design Team, Inc. v. Wasabi Technologies, LLC, et al. marks a significant shift in how courts may treat cybersecurity failures, particularly when electronic data is permanently erased.
Key Details of the Incident
- Who: Calvary Design Team, a New York-based automation and robotics firm, sued Winslow Technology Group (a Massachusetts IT services provider) and Wasabi Technologies (a cloud storage vendor) after a LockBit 3.0 ransomware attack in September 2023.
- What Happened: A hacker infiltrated Calvary’s systems, deleted all cloud-stored data, and demanded a $4 million ransom for restoration. The attack exploited weak security controls, including the absence of multi-factor authentication (MFA) a feature Wasabi offered but Calvary had not enabled.
- Legal Claims: Calvary alleged negligence, gross negligence, breach of contract, fraudulent misrepresentation, and violations of Massachusetts’ consumer protection law (Chapter 93A).
Court’s Ruling: Data Destruction Qualifies as Property Damage
Judge Christopher K. Barry-Smith denied the defendants’ motion to dismiss, finding that:
- The economic loss doctrine does not apply because the complete deletion of Calvary’s data constituted property damage, not just economic loss. Unlike prior data breach cases (where courts barred claims over unauthorized access or financial fraud), this attack involved permanent destruction of business-critical data.
- Contract and negligence claims survive, though the fraudulent misrepresentation claim was dismissed for lack of evidence of intent.
- A limitation of liability clause in Winslow’s contract may still restrict damages, but the judge ruled it did not warrant dismissal at this stage.
Expert Reactions: A Double-Edged Sword for Cybersecurity Liability
- B. Stephanie Siegmann (cybersecurity attorney): Supported the ruling, arguing that data is property with economic value, and its destruction should not be shielded by the economic loss doctrine. However, she noted Calvary’s failure to implement MFA a basic security measure could undermine its negligence claims at trial.
- Colin J. Zick (data security attorney): Criticized the decision, warning it could increase costs for IT service providers and lead to higher prices or business closures. He questioned whether temporary data loss (restored after ransom payment) truly qualifies as property damage.
- Michael P. Burke (cybersecurity attorney): Agreed with the ruling, stating that gross negligence claims should override contractual liability limits when data is wiped out.
Broader Implications
The case sets a precedent that ransomware attacks resulting in data destruction may expose IT vendors and cloud providers to negligence lawsuits, even when contracts limit liability. However, the ruling also highlights the shared responsibility between businesses and service providers in implementing security measures like MFA.
The decision is expected to influence future cybersecurity litigation, particularly in cases where data loss rather than mere exposure is the primary harm.
Source: https://masslawyersweekly.com/2026/03/31/economic-loss-doctrine-ransomware-data-loss-negligence/
Winslow Technology Group cybersecurity rating report: https://www.rankiteo.com/company/winslow-technology-group
Calvary Robotics cybersecurity rating report: https://www.rankiteo.com/company/calvaryrobotics
Wasabi Technologies cybersecurity rating report: https://www.rankiteo.com/company/wasabitechnologies
"id": "WINCALWAS1774953031",
"linkid": "winslow-technology-group, calvaryrobotics, wasabitechnologies",
"type": "Cyber Attack",
"date": "9/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Automation and robotics',
'location': 'New York, USA',
'name': 'Calvary Design Team, Inc.',
'type': 'Tech company'}],
'attack_vector': 'Exploited weak security controls (absence of MFA)',
'data_breach': {'data_encryption': 'Data was permanently deleted, not '
'encrypted',
'sensitivity_of_data': 'High (business-critical)',
'type_of_data_compromised': 'Business-critical data'},
'date_detected': '2023-09',
'description': 'A Massachusetts Superior Court judge ruled that the economic '
'loss doctrine does not bar negligence claims in a case '
'involving a 2023 ransomware attack that destroyed a tech '
'company’s critical data. The attack exploited weak security '
'controls, including the absence of multi-factor '
'authentication (MFA), leading to the permanent deletion of '
"Calvary Design Team's cloud-stored data.",
'impact': {'data_compromised': 'All cloud-stored data permanently deleted',
'legal_liabilities': 'Potential negligence and breach of contract '
'claims',
'operational_impact': 'Permanent destruction of business-critical '
'data',
'systems_affected': 'Cloud storage systems'},
'investigation_status': 'Ongoing (case in litigation)',
'lessons_learned': 'The economic loss doctrine may not shield IT vendors and '
'cloud providers from negligence claims when ransomware '
'attacks result in permanent data destruction. Businesses '
'and service providers share responsibility for '
'implementing basic security measures like MFA.',
'motivation': 'Financial gain (ransom demand)',
'post_incident_analysis': {'corrective_actions': 'Implement MFA and review '
'security protocols to '
'prevent future attacks',
'root_causes': 'Lack of multi-factor '
'authentication (MFA) and weak '
'security controls'},
'ransomware': {'data_encryption': 'No (data was deleted, not encrypted)',
'ransom_demanded': '$4 million',
'ransomware_strain': 'LockBit 3.0'},
'recommendations': 'Implement multi-factor authentication (MFA) and other '
'basic security controls to mitigate ransomware risks. '
'Review contractual liability limits in light of potential '
'negligence claims.',
'references': [{'source': 'Massachusetts Superior Court Ruling'}],
'regulatory_compliance': {'legal_actions': 'Negligence, gross negligence, '
'breach of contract, and consumer '
'protection law claims',
'regulations_violated': 'Potential violations of '
'Massachusetts’ consumer '
'protection law (Chapter '
'93A)'},
'stakeholder_advisories': 'IT service providers and cloud vendors may face '
'increased liability for ransomware attacks '
'resulting in data destruction. Businesses should '
'ensure basic security measures are in place to '
'avoid negligence claims.',
'threat_actor': 'LockBit 3.0 ransomware group',
'title': 'Calvary Design Team v. Wasabi Technologies, LLC, et al. - '
'Ransomware Data Destruction Case',
'type': 'Ransomware',
'vulnerability_exploited': 'Lack of multi-factor authentication (MFA)'}