Elizabeth Burgos (“Burgos"), an employee of defendant Congress Auto Insurance Agency, Inc. (“Congress”), and her flaneé Daniel Thomas (“Thomas”), admitted to sufficient facts and pled guilty to intimidation of a witness, plaintiff Mark Adams (“Adams”). The crime allegedly arose after, and was made possible because, Burgos improperly accessed through Congress personal information about Adams, which enabled Thomas to make a threatening phone call to Adams, causing him fear and emotional distress. In this action, Adams seeks damages from Congress. He contends Congress negligently hired, supervised and retained Burgos, negligently safeguarded Adams’s personal information, and violated G.L.c. 93A. The case came before the court on Congress’s Motion to Dismiss the Complaint and Jury Demand. After hearing, for the reasons described below, the motion is ALLOWED in part and DENIED in part.
BACKGROUND
The Complaint and Jury Demand (“Complaint” or “Compl.”) alleges the following facts, which the court accepts as true for purposes of deciding the motion to dismiss. Iannacchino v. Ford Motor Co. (“Iannacchino”), 451 Mass. 623, 636 (2008).
In July 2012, Burgos and Thomas were engaged to be married. Thomas had previously been convicted of at least one felony. He was then on probation for a federal firearms violation and for violations in the District of Columbia and Massachusetts.1
On July 13,2012, Thomas was driving a 2004 white Mercedez-Benz, which belonged to Burgos, when he took an illegal U-turn and sideswiped Adams’s vehicle in Charlestown, Massachusetts.2 The Mercedez-Benz was later found abandoned in Charlestown. When contacted by police, Burgos told the police that her car must have been stolen.
Burgos’s vehicle was insured through Safety Insurance Company (“Safety”). As part of its investigation of the accident, Safety contacted Adams. On July 24, 2012, Adams “told Safety personal information about himself and his family, and that he was able to identify the driver of the vehicle that hit him.” Compl ¶ 6. Although presumably known to Adams, the Complaint does not describe more particularly what “personal information” Adams shared with Safety.
*474Burgos worked at Congress and, through its computer system, had access to records kept by Safety. Burgos accessed Adams’s confidential personal information in Safety’s files. She passed that information on to Thomas. Shortly thereafter,3 on July 25, 2012, Thomas called Adams on his cellular phone, falsely impersonating a state police officer, telling Adams that the person who hit his car was an extremely dangerous criminal who knew where Adams and his family lived, and warning Adams that he should not attempt to identify the man or testify against him. Adams alleges that “[t]his threatening phone call inflicted a great amount of fear and personal emotional distress upon Mr. Adams and his family.” Id. ¶10. Adams reported the call to the police, who located Thomas. Thomas and Burgos were later charged with witness intimidation in the Charlestown District Court. They “admitted to sufficient facts and pled guilty.” Id. ¶14.
Adams now sues Congress alleging that it was negligent in hiring Burgos (Count I), negligent in supervising Burgos (Count II), negligent in retaining Burgos (Count III), and negligent in failing to employ safeguards designed to prevent an employee from misusing confidential personal information (Count IV). Adams brings a fifth claim for unfair or deceptive acts in trade or commerce in violation of G.L.c. 93A.
DISCUSSION
A.Rule 12(b)(6)
Because Congress filed its motion principally under Rule 12(b)(6) of the Massachusetts Rules of Civil Procedure, the court first addresses the standard under Rule 12(b)(6). When presented with a challenge to the sufficiency of a complaint under Rule 12(b)(6), the court must accept as true the well pled factual allegations of the complaint and draw reasonable inferences from those facts in favor of the plaintiff. Iannacchino, 451 Mass, at 636. The court, however, will “not accept legal conclusions cast in the form of factual allegations.” Schaer v. Brandéis Univ., 432 Mass. 474, 477 (2000). To survive a Rule 12(b)(6) challenge, the complaint must contain factual allegations which, if true, bring a right to relief above the speculative level, Iannacchino, 451 Mass, at 636, “plausibly suggesting (not merely consistent with)” a basis for relief. Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 557 (2007). Dismissal is appropriate under Rule 12(b)(6) where the facts alleged in the complaint are insufficient to support a cause of action.
B.Counts I, II and III (Negligence re: Burgos as Employee)
In Counts I, II and III, plaintiff purports to set out claims against Congress for negligent hiring, supervision and retention of Burgos. The allegations in these three counts are equally lacking in factual specificity. Other than the single instance of Burgos accessing (and passing on to Thomas) the personal information that Adams disclosed to Safety, the Complaint is devoid of facts to support these claims.
To be sure, the Complaint alleges conclusoiy elemental allegations for each cause of action. But it sets forth no facts plausibly suggesting a basis for relief. For example, Adams alleges that Congress breached its duty to exercise reasonable care in hiring employees (Count I) “when it hired Burgos, an employee whom it knew or should have known was unfit to have access to sensitive or confidential information,” Compl ¶24; breached its duty to supervise employees who have access to sensitive information “by failing to properly supervise its employee, Ms. Burgos,” id. ¶29; and breached its duty not to employ people who were unfit for their job responsibilities, “when it retained Ms. Burgos in a position in which she would have access to sensitive or confidential information, despite the fact that [it] knew and/or should have known that she was unfit for that responsibility.”4 Id. ¶35. The Complaint does not suggest any information that was known or should have been known to Congress about Burgos before she was hired that would have suggested that she was unfit to be hired. The Complaint does not suggest any way in which Congress failed to supervise Burgos in particular, or any action by Burgos before she accessed Adams’s information that hinted she had a specific need for training or additional supervision. And the Complaint does not suggest what Congress knew or should have known over the course of Burgos’s employment that would have suggested that she was not fit to be retained as an employee.
Under Iannacchino, a plaintiff must do more than plead the factual elements. Adams has done nothing more. He certainly has not set forth facts plausibly suggested a basis for relief. Accordingly, Counts I, II and III shall be dismissed.
C.Counts IV (Negligence)
In Count IV, Adams alleges that Congress “had a duty to keep the confidential personal information given to [sic] secure and protected, and to ensure that the confidential personal information is not misused, distributed, or made public.” He alleges that Congress “breached this duty when it allowed [Burgos] to have access to Plaintiffs confidential information without reasonable safeguards designed to prevent an employee from misusing the information.” Compl. ¶¶41, 42. In this regard, Adams also alleges that Congress, through its electronic computer system, was able to access confidential information in Safety’s records, that “Burgos had access to the electronic systems of Congress Insurance” simply “because she was a managing employee of Congress Insurance," id. ¶¶15-17 (emphasis added), and that she was able to access and misuse the confidential information Adams gave to Safety. Id. ¶¶13, 15.
Congress first argues that Adams’s negligence claim is barred by G.L.c. 93H (effective Oct. 31, 2007), which, it contends, may only be enforced by the Attorney General. Chapter 93H requires the promulgation *475of regulations covering “any person that owns or licenses personal information about a resident of the commonwealth,” which are “designed to safeguard the personal information of residents of the commonwealth.”5 G.L.c. 93H, §2. Chapter 93H defines “[p]ersonal information” narrowly to be the combination of at least a person’s first initial and last name, together with at least one of the following: the person’s Social Security number, driver’s license number, state-issued identification card number, financial account number, or credit or debit card number, provided the information is not lawfully obtained from publicly available information. See G.L.c. 93H, §l(a). A person’s name, plus his or her address, cellular telephone number, or narrative claim information disclosed to an insurer, are not included in the definition of “personal information” in G.L.c. 93H, §l(a). Chapter 93H is explicit that it “does not relieve a person or agency from the duiy to comply with requirements of any applicable general or special law... regarding the protection and privacy of personal information.” G.L.c. 93H, §5. The Attorney General is authorized to bring an action to enforce Chapter 93H. See G.L.c. 93H, §6 (‘The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.” (Emphasis added).)
Chapter 93H does not occupy the field. Nothing in Chapter 93H bars a common-law negligence claim, see, e.g., Katz v. Pershing, LLC, 672 F.3d 64, 75 (1st Cir. 2012) (addressing negligence-based claim on the merits, rather than as preempted by Chapter 93H), nor would the court be quick to conclude that a common-law claim was preempted by a statutory construct absent “direct enactment or necessary implication.” Lipsett v. Plaud, 466 Mass. 240, 244 (2013), quoting Eyssi v. Lawrence, 416 Mass. 194, 199-200 (1993). Indeed, the Supreme Judicial Court “has ‘long held that a statutory repeal of the common law will not be lightly inferred; the Legislature’s ’’intent must be manifest." ’ “ Lipsett, 466 Mass, at 244-45, quoting Passatempo v. McMenimen, 461 Mass. 279, 290 (2012).
Chapter 93H provides neither an express statutory preemption of common-law claims, nor an implication from a fair reading of the statute that the legislature intended to bar the kind of negligence claim advanced here. There is no inconsistency between the statutory scheme laid out in Chapter 93H and a common-law remedy for negligence that results in the disclosure of a person’s identifying information, particularly as here where the plaintiff can allege actual harm from the disclosure.6 In addition, the definition of “personal information” set out in Chapter 93H is a narrow one, which does not include the type of information apparently at issue here (i.e. Adams’s name, address, cell phone number, and narrative report about the incident to Safety). It is not reasonable to assume that the legislature, by enacting Chapter 93H, intended to insulate an employer from liability when, through its negligence, an employee is able to access information that is sensitive and ultimately used to cause harm to a person simply because that information does not fall within the statutory definition of “personal information” in Chapter 93H.
Defendant next argues that the allegations in the complaint are insufficient to state a claim with the requisite factual specificity to meet the Iannacchino standard. The court disagrees. These factual allegations, although still thin, are more than merely con-clusory allegations. They demonstrate that Burgos was a “managing employee,” who, as a result, had access to Congress’s electronic systems, and through those systems had access to Safety’s records. It also plausibly suggests that Congress did not have sufficient processes in place to assure that only those employees who needed to access Safety’s information could do so, to protect against the misappropriation or misuse of confidential information, and to bar employees from accessing information about a claim as to which an employee might have a conflict of interest.
Finally, defendant argues that, as a matter of law, the intervening willful criminal act by Burgos and Thomas interrupts the causal chain between any negligence by Congress and any harm to Adams, thus barring plaintiff from recovering for negligence by Congress. The existence of an intervening or superseding cause is an affirmative defense on which the defendant has the burden of proof. The question of whether an intervening cause will insulate a contemporaneous or prior negligent actor from liability is dependent on a number of factors and better left to a later stage of the proceedings. See, e.g., Christopher v. Father’s Huddle Café, Inc., 57 Mass.App.Ct. 217, 227-28 and n. 15 (2003), and quoting Restatement (Second) of Torts §439 (1965). In this case, the alleged continuing negligence of Congress was concurrent with, and Burgos allegedly accessed Adams’s personal information provided to Safety close in time to, Thomas’s threatening phone call. On these facts, the court cannot say at this point that there is no set of facts that could support liability for Congress in the face of Thomas’s criminal conduct. The question will have to await factual development.
D. Countv. (G.L.c. 93A)
In Count V, Adams alleges a claim for violation of G.L.c. 93A, contending that Congress’s negligence was an unfair or deceptive trade practice, Compl. ¶48, as was Congress’s “failures to meet the Commonwealth’s standards regarding the protection of confidential personal information for residents of the Commonwealth.” Id. ¶49. Both aspects of Adams’s claim fail.
Negligence itself does not constitute a violation of Chapter 93A. Squeri v. McCarrick, 32 Mass.App.Ct. 203, 207 (1992). The allegation that Congress “fail[ed] *476to meet the Commonwealth’s standards regarding the protection of confidential personal information” adds nothing more. Such an allegation is simply another way to restate negligence.
To the extent the allegation in paragraph 49 of the Complaint is intended to sweep within the scope of G.L.c. 93A the statutory proscriptions and regulatory requirements enacted under the authority of G.L.c. 93H, it is conclusory and factually insufficient. A violation of at least some regulations may serve as the basis for a claim under G.L.c. 93A. See, e.g., KLairmont v. Gainsboro Restaurant, Inc., 465 Mass. 165, 170 (2013) (Building Code). Such a claim, however, must be pled with at least some factual detail. The Complaint does not plead that Burgos accessed “personal information” within the meaning of G.L.c. 93H; does not allege how, if at all, Chapter 93H or any regulation applies in this instance; and does not plead facts to suggest that Congress breached any specific “standard! ) regarding the protection of confidential personal information” applicable in the Commonwealth. Accordingly, Count v. shall be dismissed.
For these reasons, it is ORDERED as follows:
ORDER
The Motion to Dismiss the Complaint and Jury Demand is ALLOWED in part insofar as Counts I, II, III and v. are dismissed. The motion is DENIED as to Count IV.
The Complaint alleges Thomas was “a known felon.” Compl. ¶12. It does not allege who was aware of Thomas’s prior felony conviction, or whether anyone at Congress knew either of Burgos’s relationship with Thomas or of Thomas’s felonious past.
Although it is not specifically alleged, it appears Thomas fled the scene.
It is not alleged whether Burgos accessed Adams’s information on July 24 or July 25, 2012.
Adams’s additional allegation that Congress breached a duty by permitting Burgos to have access to Adams’s confidential information, although it was notnecessaiy for herjob duties, Compl. ¶36, is a variation on the theme.
Chapter 93H also requires the report of a security breach and the report of any occurrence where an unauthorized person accesses personal information. G.L.c. 93H, §§3, 4. Adams does not argue or allege that this provision is implicated in this case.
Katz demonstrates the need for the Attorney General to be able to enforce Chapter 93H, precisely because individuals often may be unable to demonstrate the kind of cognizable damage—as is alleged here—necessary to maintain a claim for failing to take security precautions to safeguard certain personal data. See Katz v. Pershing, LLC, 672 F.3d at 79-80.