Second Colonial Pipeline Data Incident Litigation Filed on Behalf of . . . Over Ten Thousand Gas Stations?
CPW covered the Colonial Pipeline cyberattack earlier this year, in which a ransomware attack carried out by cybercriminals crippled the Colonial Pipeline’s functionality. The Pipeline was taken offline as a remedial measure, causing significant gasoline shortages across the Eastern United States. As a reminder, the Colonial Pipeline supplies the East Coast of the United States with gasoline. The pipeline is a critical part of U.S. petroleum infrastructure, transporting around 2.5 million barrels per day of gasoline, diesel fuel, heating oil and jet fuel. It stretches 5,500 miles and carries nearly half of the East Coast’s fuel supply.
In the wake of the cyberattack, owners of the Colonial Pipeline were hit with a putative class action that was filed in federal court in Georgia. Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.). Plaintiffs in Dickerson alleged that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.” Plaintiffs allege that the Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations]” (emphasis supplied).
At the end of last month, a second putative class action complaint was filed concerning the Colonial Pipeline attack, EZ Mart 1, LLC v. Colonial Pipeline Company, Case No. 1:21-cv-02522 (N.D. Ga.). As in the previous suit, we again see an allegation that the Defendants “failed to implement and maintain reasonable security procedures and practices appropriate to operating the Pipeline” (emphasis added). This is raised in the context of an alleged “duty to adopt reasonable measures to ensure the continued and uninterrupted operation of the Pipeline,” as the “Pipeline is essential infrastructure and a vital artery for the distribution of fuel to most of the eastern United States.”
In this case, Plaintiff seeks to certify a class action “on behalf of the more than 11,000 gas stations negatively impacted by the Ransomware Attack” that “experienced a fuel shortage, an increase in price paid for gasoline, or an inability to sell fuel to their customers as a result of the Ransomware Attack.” And again, just like in Dickerson, the damages claimed arise not from the exposure of private information, but from increased gas prices caused by the pipeline shutdown. Is this the start of a trend of plaintiffs’ lawyers casting consumer pricing class actions in the framework of a cybersecurity incident? Time will tell.
This case raises for the Plaintiff the difficult questions looming in Dickerson (standing, whether a duty was owed, issues of causation). Still, these cases could have a major impact on the future of data privacy/cybersecurity litigation, and it will be important to keep an eye on any major developments.