Owners of Colonial Pipeline Hit With Class Action Regarding Allegedly Deficient Cybersecurity Following Hack, Showing All Data Breaches Carry Litigation Risk
This week, owners of the Colonial Pipeline were hit with a putative class action that was filed in federal court in Georgia. Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.). Recall that the Colonial Pipeline supplies the East Coast of the United States with gasoline. The pipeline is a critical part of U.S. petroleum infrastructure, transporting around 2.5 million barrels per day of gasoline, diesel fuel, heating oil and jet fuel. It stretches 5,500 miles and carries nearly half of the East Coast’s fuel supply. Earlier this month, a ransomware cyberattack carried out by cybercriminals crippled the Colonial Pipeline’s functionality. The Pipeline was taken offline as a remedial measure, causing significant gasoline shortages across the Eastern United States.
Plaintiff filed suit this week, alleging that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.” The refrain consistently raised in data breach litigations, that the Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations]” (emphasis supplied), is explicitly alleged in the Dickerson complaint. This includes the allegation that Defendants “owed a duty of care to use security measures consistent with industry standards and other requirements in order to ensure that its systems. . . were adequately protected and safeguarded.”
The Complaint alleges a breach of Defendants’ duty of care, including the following acts and omissions: “(1) failing to adopt, implement, and maintain necessary and adequate security measures in order to protect its systems (and, thus, the pipeline); (2) failing to adequately monitor the security of their networks and systems; (3) failure to ensure that their systems had necessary safeguards to be protected from malicious ransomware; and, perhaps most importantly, (4) failure to ensure that they could maintain their critical fuel transmission operations even in the event of computer system failure.” The Complaint asserts claims for negligence and for declaratory judgment.
So far, these allegations track with other recent data breach litigations. But recall that unlike other disputes, the Colonial Pipeline hack did not result in the exfiltration or disclosure of Plaintiff’s (or class members’) PII. So what harm exactly does Plaintiff allege here? Good question.
The Complaint alleges that “gas shortages and increased prices for gasoline purchased by consumers and other end-users occurred due to the Defendant’s failure to adequately protect their systems from the aforementioned ransomware attack.” As such, the Complaint seeks to certify a nationwide class consisting of “[a]ll entities and natural persons who purchased gasoline from May 7, 2021, through Present and who paid higher prices for gasoline as a result of the Defendant’s conduct alleged herein (hereinafter the “Class”).” (emphasis supplied).
To put it otherwise, this case is a recast of consumer pricing class actions in the framework of a cyberattack. As such, Plaintiff will be required to litigate complex and unsettled questions frequently at issue in data breach litigations, including: (1) whether Plaintiff has Article III standing, (2) the adequacy of Defendants’ security practices, (3) whether Defendants owed Plaintiff and class members a legal duty, and (4) issues concerning causation/damages. This is so notwithstanding that the central allegation of harm in Plaintiff’s Complaint is that “[f]or the first time in six years, the average price of a gallon of gasoline in the United States exceeded $3”.
This litigation is sure to have some interesting implications going forward for the interplay of consumer class actions and data privacy/cybersecurity litigation. While entities that have been subject to a cyberattack may believe (for good reason) their risk of litigation is reduced if no PII was at issue, this case is a cautionary note that any cybersecurity event carries litigation risk.