District of Massachusetts Allows Higher-Ed Student Data Breach Claims to Survive

In a recent blog post, we explained how Webb v. Injured Workers Pharmacy, LLC has become a touchstone for courts analyzing Article III standing in data breach class actions, citing Shea v. American International College as a recent example. This post explores the Shea decision in greater depth.

On September 5, 2025, Judge Angel Kelley of the U.S. District Court for the District of Massachusetts issued a mixed ruling on a motion to dismiss in Shea v. American International College. The decision reflects the developing contours of data breach litigation in this jurisdiction, particularly with respect to standing, the economic loss doctrine, and the viability of implied contract and invasion of privacy claims.

How the AIC Cyberattack Sparked a Student Class Action

The case arises out of a late-2023 data breach at American International College (“AIC”), during which hackers allegedly exfiltrated, over a period of nineteen days, more than 5,000 gigabytes of unencrypted data containing the personal information of more than 11,000 current and former students. AIC discovered the activity, engaged a forensic firm, and mailed breach notices in May 2024.

Plaintiff Kelly Shea, a former student, brought a putative class action asserting negligence, breach of implied contract, unjust enrichment, invasion of privacy under G.L. c. 214, § 1B, Chapter 93A, and declaratory judgment. AIC moved to dismiss across the board, arguing lack of Article III standing and failure to state a claim.

Concrete Harm: How Actual Misuse, Mitigation and Distress Secured Standing

The Court rejected AIC’s threshold standing challenge. Plaintiff alleged that hackers exfiltrated her Social Security number and other identifiers, which were later trafficked on the dark web, and that a fraudulent health insurance claim was subsequently submitted in her name. She also alleged mitigation costs and emotional distress, including anxiety and sleep loss. The court held that these allegations, taken together, went beyond speculative future risk and established concrete injury, traceability, and redressability, relying on Webb and distinguishing cases where plaintiffs pled only an increased risk of future harm.

Emotional Distress Sidesteps Economic Loss Doctrine in Negligence Claim

The negligence claim survived in part. The court held that AIC owed a duty to employ reasonable safeguards as an institution that collects and stores sensitive PII as a condition of enrollment. Allegations of substandard cybersecurity practices—unencrypted storage, weak access controls, missing MFA, inadequate training and defenses—plausibly stated a breach of that duty. Causation was adequately pled given the alleged sequence from breach to misuse and resulting mitigation efforts and emotional distress. While the economic loss doctrine generally bars recovery for purely economic harms, plaintiff’s emotional distress plausibly qualified as personal injury at the pleading stage, allowing the negligence claim to proceed (with limitations on purely economic mitigation damages not tied to that injury).

Tuition and Trust: Unjust Enrichment Claim Survives Based on Security Expectations

The Court denied dismissal of the unjust enrichment claim. Although plaintiff did not identify a specific “data security fee,” she plausibly alleged that tuition and fees conferred a benefit reasonably expected to include the cost of adequate data security. AIC allegedly retained that benefit while failing to provide reasonable protections. The court found these allegations analogous to In re Shields Health Care Grp., Inc., where plaintiffs’ expectation that service payments included data protection was sufficient to state a claim. At the pleading stage, and pled in the alternative to contract claims, plaintiff’s allegations were sufficient.

Court Allows Declaratory Judgment Claim Amid Ongoing Data Risks

The court allowed the declaratory judgment claim to proceed, finding a live controversy given alleged ongoing risks from data that remains in circulation on the dark web and in AIC’s possession, along with continuing mitigation efforts. Discretionary relief may be revisited on a fuller record.

The Dismissed Claims: Implied-in-Fact Contract, Invasion of Privacy and Chapter 93A

The implied-contract theory failed because the complaint did not allege facts showing mutual assent to specific data-security obligations. General references to privacy policies and institutional practices, without allegations of affirmative acceptance or conduct evidencing agreement, were insufficient to establish an implied-in-fact contract. The invasion of privacy claim under G.L. c. 214, § 1B, was also dismissed, with the court reiterating that the statute requires intentional conduct, not negligent failure to prevent third-party access. Plaintiff voluntarily dismissed her Chapter 93A claim for failure to serve the statutory demand letter.

Data Breach Litigation Lessons for Colleges, Companies, and Counsel

The Shea decision underscores that allegations of fraudulent misuse tied to stolen PII, combined with mitigation efforts and emotional distress, distinguish actionable injury from speculative risk. The First Circuit’s decision in Webb continues to shape the standing analysis: allegations of both misuse and mitigation suffice, while speculative risk alone does not. The case also serves as a reminder that the economic loss doctrine is not absolute. The doctrine remains a key defense to negligence claims arising from data breaches, but courts may permit such claims to proceed if plaintiffs plausibly allege concrete emotional distress, even where the out-of-pocket losses claimed are otherwise purely economic. For these reasons, defendants should scrutinize and challenge conclusory distress allegations.

Another takeaway: privacy policies alone rarely create implied contracts. Institutions should nonetheless avoid language that implies contractual obligations absent clear assent. Unjust enrichment claims remain viable when the nature of the relationship supports a reasonable expectation that fees fund data security. Institutions should build a clear record on what payments actually cover. For risk management, document security controls, enforce MFA and encryption, train personnel, and expedite breach notifications to reduce exposure related to both standing and merits. These measures also address forward-looking relief, as declaratory or injunctive claims may survive if plaintiffs allege ongoing risk. Robust incident response and remediation undercut these claims.

As data breach class actions continue to proliferate, Shea reflects the evolving landscape in the First Circuit. The decision’s reasoning highlights how courts in the District of Massachusetts are parsing the boundaries between actionable injury, recoverable damages, and claims that will not survive Rule 12 scrutiny.