Background
Ramon Cruceta worked as a pipefitter at J.C. Cannistraro LLC (JCC) from 2015 until June 30, 2020. In or about October 2020, JCC’s information technology manager discovered unusual activity on the company’s computer network. An investigation revealed that the network had been encrypted by ransomware. Notably, JCC’s firewall vendor, Fortinet, had previously warned the company about a vulnerability and had released a software upgrade to address it, but JCC had not installed the update before the attack occurred.
JCC notified its current employees of the ransomware attack and potential data breach by email and through the company intranet on October 7, 2020. Because Cruceta had already left the company by that time, he did not receive the notification. He first learned that his personal information had been compromised in December 2020, when an Experian alert informed him that his Social Security number had been detected on the dark web.
In February 2023, Cruceta filed suit in Superior Court alleging that JCC’s negligence in failing to maintain and update its firewall software caused the data breach, the theft of his Social Security number, and its publication on the dark web. He also raised claims for invasion of privacy under G. L. c. 214, § 1B, and fraud. His alleged injuries consisted of emotional distress, anxiety, and a constant daily fear of potential identity theft and financial harm. Cruceta did not allege any specific monetary damage or actual financial loss resulting from the breach.
The Court’s Holding
The Massachusetts Appeals Court, reviewing the grant of summary judgment de novo, affirmed the Superior Court’s decision. The panel held that Cruceta failed to demonstrate an essential element of his negligence claim: cognizable injury. While the court acknowledged sympathy for individuals affected by data breaches, it found that Cruceta’s alleged harm — the mere appearance of his Social Security number on the dark web — was insufficient to state a claim for negligence or negligent infliction of emotional distress.
For his negligent infliction of emotional distress theory, the court noted that Massachusetts law requires “objective corroboration of the emotional distress alleged,” such as evidence of physical manifestation of that distress. Cruceta presented no such corroboration. For his simple negligence theory, he failed to allege any cognizable damage, such as monetary loss. The possibility of future injury, though real, was not enough to sustain the claim.
The court also found that Cruceta had waived his challenges to summary judgment on his invasion of privacy and fraud claims by failing to address them in his opening appellate brief. The panel noted that even if it were to reach the merits of those claims, Cruceta failed to allege that JCC intended to disseminate his Social Security number or intended to deceive anyone — elements necessary to sustain those causes of action. The court denied JCC’s request for appellate attorney’s fees.
Key Takeaways
- Under Massachusetts law, the mere exposure of personal data on the dark web, without evidence of actual financial loss or objectively corroborated emotional distress, is insufficient to survive summary judgment on a negligence claim against an employer.
- Claims for negligent infliction of emotional distress in the data breach context require objective corroboration — such as physical symptoms — beyond allegations of anxiety and fear of future harm.
- Appellate arguments not raised in an opening brief are deemed waived; raising them for the first time in a reply brief is too late under Massachusetts appellate procedure.
- Employers who experience data breaches may still face litigation risk, but plaintiffs must allege and demonstrate concrete, nonspeculative injury to proceed past summary judgment.
Why It Matters
This decision underscores the high bar that Massachusetts courts set for data breach plaintiffs who cannot point to concrete, realized harm. In an era of frequent ransomware attacks, many individuals whose personal information is exposed on the dark web experience genuine anxiety about potential identity theft. Yet as this case illustrates, courts in Massachusetts continue to require more than speculative future injury or unsubstantiated claims of emotional distress to sustain a negligence action. Plaintiffs must demonstrate either actual financial loss or objectively corroborated emotional harm.
The ruling is also significant for employers and organizations that handle sensitive employee data. While the decision affirms that summary judgment is appropriate when a plaintiff cannot prove injury, it does not absolve employers of their duty to maintain cybersecurity safeguards. The factual record here — including JCC’s failure to install a known security patch — suggests that the outcome might differ where a plaintiff can demonstrate tangible damages flowing from a breach. For data breach litigants in Massachusetts, the message is clear: standing and injury remain the critical gatekeeping elements.