In May 2021, Colonial Pipeline found itself the victim of a large-scale ransomware attack, resulting in the corporation having to shut down operations for several days.
This affected many consumers and companies across the East Coast of America who were reliant on Colonial Pipeline fuel.
Just over one year on, we have witnessed three third-party lawsuits arising out of the Colonial Pipeline ransomware attack being dismissed by a Federal Court in Georgia.
Below is our summation of why these cases were not successful, why class action lawsuits are so difficult to bring successfully in the U.S., and why this may not be the last we hear of these cases.
In Ramon Dickerson et al. v. Colonial Pipeline Co., the plaintiffs (“downstream customers” of Colonial) brought a putative class action against Colonial alleging that Colonial (or the owners thereof) failed “to properly secure the Colonial Pipeline’s critical infrastructure”. The plaintiffs’ claim contained several distinct alleged causes of action, including negligence, violations of consumer protection statutes, breach of public duty, public nuisance, and unjust enrichment.
Counsel to Colonial brought a motion to dismiss the litigation, and the Court held as follows:
1. There was no statutory provision referenced by plaintiffs which provided for any sort of legal duty owed by Colonial to the plaintiffs;
2. Plaintiffs failed to prove that Colonial’s act in shutting down the pipeline in response to the ransomware attack was a deceptive or unfair act, and so there was no statutory violation upon which to base a claim;
3. The remainder of the plaintiffs’ claims could be dismissed as having no basis in law because no special damages were alleged, no public nuisance could be established, and the plaintiffs could not meet the requirement of a benefit conferred on the defendant in order to provide a basis for the unjust enrichment claim.
In the second matter before the court, EZ Mart 1 LLC v. Colonial Pipeline Co., the plaintiff gas station had commenced a putative class action on behalf of gas station owners whose businesses were negatively affected by the disruption in gasoline supply caused by the ransomware attack.
The plaintiff bought fuel from a distributor supplied by Colonial. It alleged that Colonial failed to have proper safeguards in place because the VPN through which the hackers allegedly gained access did not use multifactor authentication. The court dismissed the action, finding that Colonial owed no duty to the plaintiff and that even if a duty had been owed, the plaintiff’s claim would have been barred by a specific Georgia law because it was for “pure economic loss”.
In the final matter to be dismissed, Everhart et al. v. Colonial Pipeline, the plaintiffs were three individuals who had entered into contracts with Colonial, and whose PII had been exposed in the breach. However, no actual pecuniary injury was alleged, and as such the court dismissed the claim on that basis. The court specifically found that the plaintiffs’ contractual relationship with Colonial was not enough, in and of itself, to create a duty or contractual promise from Colonial to the plaintiffs that Colonial would safeguard their information.
These three decisions illustrate the difficulties that privacy class actions face in the U.S. and the paths that defense counsel can take in bringing motions to dismiss at an early stage. It is, frankly, somewhat surprising that the plaintiffs’ counsel in these cases were not more careful to establish that the claims brought could at least satisfy the statutory and common law requirements for a cause of action, never mind the level of proof required to achieve a successful result. The unfortunate thing is that while these cases were dismissed, the legal fees expended in getting to that point were likely significant, and that will continue to be the case as counsel continue to test and experiment in order to find a successful formula for plaintiffs’ privacy class actions in the U.S.
What these cases do illustrate is the need for organizations to have proper risk management in place, along with disaster recovery and incident response plans. While Colonial may have been able to have the claims dismissed, in the absence of cost transfer in U.S. courts, Colonial’s insurers, or Colonial itself, likely incurred hundreds of thousands of dollars in defense costs. CyberClan can help you avoid those costs with proper Risk Management strategies, and can help companies become more resilient by assisting with the preparation of disaster recovery and incident response plans. If you have questions about any of the above, please contact us using the form below.