Recently a federal court dismissed a cybersecurity litigation brought in the wake of the May 2021 Colonial Pipeline Ransomware attack. Ramon Dickerson et al. v. Colonial Pipeline Co. et al., No. 1:21-CV-02098 (N.D. Ga. Jun. 17, 2022). Based on the attenuated theories of liability Plaintiffs sought to advance in this litigation, this decision is a win for Colonial Pipeline as well as defendants in other future-filed privacy litigations concerning similar claims. Read on to learn more.
As a refresher, the Colonial Pipeline supplies the east coast of the United States with gasoline. The pipeline is a critical part of U.S. petroleum infrastructure, transporting around 2.5 million barrels per day of gasoline, diesel fuel, heating oil and jet fuel. It stretches 5,500 miles and carries nearly half of the East Coast’s fuel supply. Last year, a ransomware attack carried out by cybercriminals crippled the Colonial Pipeline’s functionality. The Pipeline was taken offline as a remedial measure, causing significant gasoline shortages across the Eastern United States.
II. The Ramon Putative Class Action
Plaintiffs filed several putative class actions in the wake of the ransomware attack, alleging that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.” This included the allegation that Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations]”.
In Ramon, Plaintiffs were individuals who purchased gasoline at retail and contend that they paid higher prices as a result of Colonial’s shutdown. Plaintiffs conceded in the Complaint that they did not purchase their gasoline directly from Colonial, but rather from gas station retailers. They filed suit on behalf of themselves and all others similarly situated against Colonial and other anonymous subsidiaries (collectively, “Defendants”) which may be responsible for the alleged conduct.
Plaintiffs’ Second Amended Complaint (“SAC”) in Ramon asserted six claims: negligence under state law (Count I); declaratory judgment pursuant (Count II); violations of the North Carolina Unfair and Deceptive Trade Practice Act (“NCUDTPA”) (Count III); breach of public duty pursuant to O.C.G.A. § 51-1-7 (Count IV); public nuisance under state law (Count V); and unjust enrichment under state law (Count VI).
III. The Court Grant’s Colonial Pipeline’s Motion to Dismiss the Entire Litigation
Colonial Pipeline moved to dismiss the SAC in its entirety, asserting several arguments as to why each of Plaintiffs’ claims failed. The court agreed, granting Colonial Pipeline’s motion.
First, the Court held that Plaintiffs failed to provide any statutory provision imposing any legal duty on Colonial Pipeline owed to Plaintiffs under Georgia law. Further, Plaintiffs did not demonstrate any common law duty for Colonial to maintain operations despite the ransomware attack (agreeing with Colonial Pipeline that it was not a public utility). Moreover, although Plaintiffs alleged that the ransomware attack was evidence that Colonial Pipeline failed to exercise a duty of care consistent with industry standards to protect itself from cyberattacks, the Court held that showing a violation of industry standards does not conclusively establish any duty under Georgia law.
Second, the Court found that Plaintiffs failed to provide any legal authority to support that shutting down the pipeline in the midst of the ransomware attack in May 2021 and inadequate cybersecurity measures constitutes a violation of NCUDTPA. To plead a NCUDTPA claim, a plaintiff must allege: “(1) defendant committed an unfair or deceptive act or practice; (2) the action in question was in or affecting commerce; and (3) the act proximately caused injury to the plaintiff.” Although Plaintiffs asserted that Colonial Pipeline committed an unfair or deceptive act or practice because they shut down the pipeline when the pipeline could still operate, the Court found this theory failed as a matter of law.
And finally, the Court found Plaintiffs’ other claims fared no better and should also be dismissed. This included for the reason that Plaintiffs failed to allege “special damages” under Georgia law to support some of their claims and that the unavailability of gasoline for retail purchase could not support a public nuisance claim. Additionally, Plaintiffs also did not (and could not) allege a benefit they conferred on Colonial Pipeline as required to support an unjust enrichment claim under Georgia law.
This case is a significant rejection of a consumer pricing based theory of liability premised upon a cybersecurity attack that had widespread impact on the public. As such, this win for Defendants will set the stage for others named in future-filed cases to argue such attenuated claims and theories should be similarly dismissed. For more on this and other developments in data privacy, security and innovation, stay tuned. CPW will be there to keep you in the loop.