October 18, 2021

Volume XI, Number 291

Advertisement
Advertisement

October 18, 2021

Subscribe to Latest Legal News and Analysis

October 15, 2021

Subscribe to Latest Legal News and Analysis

Owners of Colonial Pipeline Hit With Class Action Regarding Allegedly Deficient Cybersecurity Following Hack, Showing All Data Breaches Carry Litigation Risk

This week, owners of the Colonial Pipeline were hit with a putative class action that was filed in federal court in Georgia.  Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.).  Recall that the Colonial Pipeline supplies the east coast of the United States with gasoline.  The pipeline is a critical part of U.S. petroleum infrastructure, transporting around 2.5 million barrels per day of gasoline, diesel fuel, heating oil and jet fuel.  It stretches 5,500 miles and carries nearly half of the East Coast’s fuel supply.  Earlier this month, a ransomware cyberattack carried out by cybercriminals crippled the Colonial Pipeline’s functionality.  The Pipeline was taken offline as a remedial measure, causing significant gasoline shortages across the Eastern United States.

Plaintiff filed suit this week, alleging that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.”  The refrain consistently raised in data breach litigations-that the Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations]” (emphasis supplied) is explicitly alleged in the Dickerson complaint.  This includes the allegation that Defendants “owed a duty of care to use security measures consistent with industry standards and other requirements in order to ensure that its systems. . . were adequately protected and safeguarded.”

The Complaint alleges a breach of Defendants’ duty of care, including the following acts and omissions: “(1) failing to adopt, implement, and maintain necessary and adequate security measures in order to protect its systems (and, thus, the pipeline); (2) failing to adequately monitor the security of their networks and systems; (3) failure to ensure that their systems had necessary safeguards to be protected from malicious ransomware; and, perhaps most importantly, (4) failure to ensure that they could maintain their critical fuel transmission operations even in the event of computer system failure.”  The Complaint asserts claims for negligence and for declaratory judgment.

So far, these allegations track with other recent data breach litigations.  But recall that unlike other disputes, the Colonial Pipeline hack did not result in the exfiltration or disclosure of Plaintiff’s (or class members) PII.  So what harm exactly does Plaintiff allege here?  Good question.

The Complaint alleges that “gas shortages and increased prices for gasoline purchased by consumers and other end-users occurred due to the Defendant’s failure to adequately protect their systems from the aforementioned ransomware attack.”  As such, the Complaint seek to certify a nationwide class consisting of “[a]ll entities and natural persons who purchased gasoline from May 7, 2021, through Present and who paid higher prices for gasoline as a result of the Defendant’s conduct alleged herein (hereinafter the “Class”).” (emphasis supplied).

To put it otherwise, this case is a recast of consumer pricing class actions in the framework of a cyberattack.  As such, Plaintiff will be required to litigate complex and unsettled questions frequently at issue in data breach litigations, including: (1) whether Plaintiff has Article III standing, (2) the adequacy of Defendants’ security practices, (3) whether Defendants owed Plaintiff and class members a legal duty, and (4) issues concerning causation/damages.  This is so notwithstanding the central allegation of harm in Plaintiff’s Complaint is that “[f]or the first time in six years, the average price of a gallon of gasoline in the United States exceeded $3”.

This litigation is sure to have some interesting implications going forward for the interplay of consumer class actions and data privacy/cybersecurity litigation.  While entities that have been subject to a cyberattack may believe (for good reason) their risk of litigation is reduced if no PII was at issue, this case is a cautionary note that any cybersecurity event carries litigation risk.

© Copyright 2021 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 140
Advertisement

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070
Advertisement
Advertisement
Advertisement