Melanie A. Conroy of Pierce Atwood LLP writes:
In a recent blog post, we explained how Webb v. Injured Workers Pharmacy, LLC has become a touchstone for courts analyzing Article III standing in data breach class actions, citing Shea v. American International College as a recent example. This post explores the Shea decision in greater depth.
On September 5, 2025, Judge Angel Kelley of the U.S. District Court for the District of Massachusetts issued a mixed ruling on a motion to dismiss in Shea v. American International College. The decision reflects the developing contours of data breach litigation in this jurisdiction, particularly with respect to standing, the economic loss doctrine, and the viability of implied contract and invasion of privacy claims.
How the AIC Cyberattack Sparked a Student Class Action
The case arises out of a late-2023 data breach at American International College (“AIC”), during which attack hackers allegedly exfiltrated over 5,000 gigabytes of unencrypted data containing the personal information of more than 11,000 current and former students over nineteen days. AIC discovered the activity, engaged a forensic firm, and mailed breach notices in May 2024.
Plaintiff Kelly Shea, a former student, brought a putative class action asserting negligence, breach of implied contract, unjust enrichment, invasion of privacy under G.L. c. 214, § 1B, Chapter 93A, and declaratory judgment. AIC moved to dismiss across the board, arguing lack of Article III standing and failure to state a claim.
Concrete Harm: How Actual Misuse, Mitigation and Distress Secured Standing
The Court rejected AIC’s threshold standing challenge.
Read more at The National Law Review.