In 2022, Plaintiff Calvary Design Team, Inc. (“Calvary”), a developer of custom automation solutions and robotics platforms, retained Defendant Winslow Technology Group, LLC (“Winslow”), an IT company, to assist Calvary in overhauling its data center.  Defendant Wasabi Technologies, LLC (“Wasabi”) sold data storage and protection products that Calvary agreed to use in connection with Winslow’s services.  In 2023, Calvary experienced a ransomware attack that resulted in the deletion of its stored electronic data, which it could not access until it paid a $4 million ransom.

Calvary then brought suit against Winslow and Wasabi, asserting claims for negligence and gross negligence, among other claims.  Winslow and Wasabi moved to dismiss, arguing that the economic loss doctrine barred the negligence claims.  The Superior Court (BLS) disagreed.

The Court began by recognizing case law applying the economic loss doctrine to bar claims arising from breaches of sensitive consumer data (such as credit card data).  The Court distinguished Calvary’s claims from that case law, however, explaining that the threat actor in Calvary’s case “did not simply hack into and access Calvary’s system and data; it used the access it gained to delete Calvary’s data, such that Calvary no longer had access to it until it paid the demanded ransom.”  The Court further agreed with Calvary that “deletion of valuation data constitutes destruction of property” and that its complete loss of data was “sufficiently tangible to qualify as property damage so as to avoid the economic loss doctrine.”

Given the prevalence of ransomware attacks, this decision is instructive for those who seek to hold IT companies liable in connection with data loss stemming from those attacks.