Earlier this year, CPW covered the Colonial Pipeline cyberattack and the two putative class actions filed in reaction to that cyberattack (Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.) and EZ Mart 1, LLC v. Colonial Pipeline Company, Case No. 1:21-cv-02522 (N.D. Ga.)). Recall these putative class actions ensued after a ransomware attack carried out by cybercriminals crippled the Colonial Pipeline’s functionality. The Pipeline was taken offline as a remedial measure, causing significant gasoline shortages across the Eastern United States.
Dickerson purports to represent a class of consumers who contend they paid higher prices at the pump as a result of the shutdown. EZ Mart, in turn, purports to represent a class of gas stations that claim to have suffered fuel shortages or to have paid excessively high prices for gas. These consumers and gas stations are located on the East Coast because the Colonial Pipeline supplies nearly half of the East Coast’s fuel. In both Dickerson and EZ Mart, plaintiffs seek to hold Colonial Pipeline liable because it allegedly “failed to implement and maintain reasonable security measures, procedures, and practices appropriate” to its business.
Colonial Pipeline has moved to dismiss both putative class actions on similar grounds. Colonial Pipeline has also moved to strike the class action allegations in both cases as representing purported “fail-safe” classes, arguing that ascertaining the classes would require ascertaining liability.
Colonial Pipeline moves to dismiss both suits in their entirety as preempted by the federal regulatory scheme for gas pipelines. More interesting for this blog, however, is Colonial Pipeline’s effort to dismiss the negligence claims because Colonial Pipeline owes no duty to consumers or gas stations. Colonial Pipeline explains that it does not bear duties to customers so far removed from its work, decrying the imposition of such a duty to prevent “economic ripple effects” as an “absurdity.” Colonial Pipeline also seeks to bar plaintiffs’ claims based on the economic loss rule.
Plaintiffs, in turn, argue that their dependence on the pipeline gives rise to an ordinary duty of care. Plaintiffs add that this duty of care is non-contractual and, therefore, not barred by the economic loss rule.
The outcome of these cases – specifically the extent to which downstream duties can be implicated by data breaches – could have a major impact on the future of data privacy/cybersecurity litigation, and it will be important to keep an eye on any major developments.