U.S. District Court
Where a plaintiff has brought a putative class action against a defendant college arising from a data breach, the defendant’s motion to dismiss should be denied with respect to a negligence claim, as the plaintiff’s allegations plausibly support the inference that the defendant’s cybersecurity program fell below the standard of reasonable care required for an institution handling sensitive personally identifiable information, particularly in the higher education context.
“Plaintiff Kelly Shea brings this putative class action against American International College (‘AIC’) arising from a 2023 data breach in which unauthorized actors allegedly accessed and exfiltrated sensitive personally identifiable information (‘PII’) of current and former AIC students. Shea asserts claims for negligence (Count I), breach of implied contract (Count II), unjust enrichment (Count III), invasion of privacy under G.L.c. 214, §1B (Count IV), a claim under G.L.c. 93A (Count V), and declaratory judgment (Count VI). …
“Shea alleges that, as a condition of admission, AIC required students to provide sensitive PII, including Social Security numbers, driver’s license numbers, dates of birth, and financial account data. … She asserts that AIC promised to protect this information under state and federal law and in its privacy policy, but failed to do so. … Massachusetts law generally imposes no duty to protect another from the criminal acts of a third party absent foreseeable harm. … In the data breach context, courts have held that entities assuming responsibility for safeguarding sensitive PII owe a specific obligation to implement reasonable security measures. … Accepting the allegations as true, AIC’s collection and storage of Shea’s PII gave rise to a duty to employ reasonable measures to protect it from unauthorized access. …
“The Amended Complaint alleges that AIC breached its duty by failing to adhere to industry-recognized best practices for data security, including failing to educate employees on cybersecurity protocols, omitting multi‑factor authentication, maintaining weak password rules, operating with substandard firewall and anti‑malware protections, and failing to encrypt stored PII. … Courts have recognized that such allegations can plausibly support a finding of unreasonable care. Weekes v. Cohen Cleary P.C., 723 F. Supp. 3d 97, 103 (D. Mass. 2024). Taken as true, these allegations plausibly support the inference that AIC’s cybersecurity program fell below the standard of reasonable care required for an institution handling sensitive PII, particularly in the higher education context. …
“Shea alleges that, but for AIC’s failures, her PII would not have been compromised and sold by the hacking group ‘nSafe,’ and that this led to a fraudulent COVID‑related insurance claim. … She further alleges that her mitigation expenditures (credit monitoring and security services) and emotional distress (anxiety and sleep loss) flowed directly from the breach and the fraudulent claim. … Massachusetts law recognizes such harms as cognizable when they are the ordinary, foreseeable results of the risk created. Kent v. Com., 437 Mass. 312, 320, 771 N.E.2d 770, 776–77 (2002). These allegations plausibly establish both factual and proximate causation. …
“The economic loss doctrine generally bars recovery in negligence for purely economic losses absent personal injury or property damage. Cumis Ins. Soc’y, Inc. v. BJ’s Wholesale Club, Inc., 918 N.E.2d 36, 46 (Mass. 2009). An exception exists where the plaintiff plausibly alleges personal injury, which can include sufficiently concrete emotional distress. …
“Shea alleges both emotional distress tied to the fraudulent misuse of her PII and mitigation expenses. At this stage, her emotional distress allegations plausibly qualify as personal injury under the exception. Accordingly, the negligence claim survives as to emotional distress damages and any economic losses directly resulting from that injury, but is dismissed to the extent it seeks recovery for other purely economic mitigation costs. …
“An implied‑in‑fact contract requires the same elements as an express contract, including offer, acceptance (mutual assent), and consideration, but mutual assent may be inferred from the parties’ conduct and relationship. … The plaintiff must plead the existence of such a contract with ‘substantial certainty.’ Durbeck v. Suffolk Univ., 547 F. Supp. 3d 133, 145 (D. Mass. 2021). General statements in privacy policies, without allegations of affirmative acceptance, typically do not suffice. …
“Shea alleges that AIC required her to provide PII as a condition of enrollment and that its privacy policy promised not to transfer such information without notice. … She does not allege affirmative acceptance of these assurances or conduct by AIC establishing mutual assent to contractual terms. Unlike in In Re Shields [Health Care Grp., Inc., 721 F. Supp. 3d 151 (D. Mass. 2024)], there is no special statutory or fiduciary overlay here that might bolster an inference of mutual assent. This specific ruling addresses only implied‑in‑fact contracts and does not foreclose recovery under an implied‑in‑law theory, such as unjust enrichment, which is analyzed separately below. Because Count II in the Amended Complaint fails to allege facts showing mutual assent with the required certainty, the breach of implied‑in‑fact contract claim is dismissed. …
“To state a claim for unjust enrichment, a plaintiff must allege: (1) a benefit conferred on the defendant; (2) the defendant’s knowledge of the benefit; and (3) retention of the benefit under circumstances making it inequitable without payment. …
“Shea alleges she conferred monetary and informational benefits on AIC (tuition, fees, PII), reasonably expected that part of her payments would fund cybersecurity, and that AIC retained these benefits while failing to provide reasonable data security. … These allegations are analogous to In re Shields: Shea alleges a relationship in which the nature of the transaction (here, between a higher education institution and its students) supports the inference that part of the fees paid necessarily covered the cost of safeguarding sensitive personal information collected as a condition of enrollment. While she does not allege a separate ‘cybersecurity fee,’ she pleads a reasonable expectation, grounded in the nature of the transaction, that such protections were included in the services for which she paid. At the pleading stage, these allegations are sufficient to state a claim for unjust enrichment. The motion to dismiss the unjust enrichment claim in Count III is therefore denied. …
“Here, Shea attributes the intrusion to nSafe, a third‑party hacking group, which accessed and disseminated her PII. … She alleges no facts suggesting that AIC itself gathered or disseminated her private information, or otherwise acted intentionally to intrude upon her privacy. … Although her allegations of emotional distress and mitigation expenses may satisfy the ‘substantial or serious interference’ prong, the absence of purposeful conduct by AIC is dispositive. Because Shea has not alleged intentional acts by AIC that resulted in the gathering or dissemination of her private information, Count IV fails as a matter of law and is dismissed. …
“The Declaratory Judgment Act, 28 U.S.C. §§2201–2202, provides a remedy but not an independent basis for jurisdiction. … In the data breach context, courts have found allegations of ongoing risk and continuing mitigation efforts sufficient to satisfy §2201(a). …
“Shea alleges that her PII remains publicly accessible via nSafe’s dark web posting and in AIC’s possession, creating an ongoing risk of misuse. … She also alleges continued mitigation costs and emotional distress. … These allegations plausibly establish a live controversy of sufficient immediacy and reality. While the Court retains discretion to withhold declaratory relief, allowing the claim to proceed at this stage will permit factual development on AIC’s remedial measures and the persistence of risk. Accordingly, the motion to dismiss the request for declaratory relief in Count VI is denied. …
“For the foregoing reasons, Defendant’s Motion to Dismiss [Dkt. 15] is granted in part and denied in part. The Court concludes that Plaintiff has plausibly stated claims for negligence (Count I), unjust enrichment (Count III), and declaratory judgment (Count VI). The Motion is therefore denied as to those claims, which will proceed to discovery.
“The Motion is granted as to the breach of implied contract (Count II) and invasion of privacy claims (Count IV), which are dismissed in their entirety.
“Plaintiff has voluntarily dismissed Count V.”
Shea v. American International College (Lawyers Weekly No. 02-482-25) (13 pages) (Kelley, J.) (Civil Action No. 1:24-CV-114499-AK) (Sept. 5, 2025).