Early in the summer, owners of the Colonial Pipeline were hit with a putative class action that was filed in federal court in Georgia.  Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.).  As a short recap, a ransomware attack carried out by cybercriminals crippled the Colonial Pipeline’s functionality.  The Pipeline was taken offline as a remedial measure, causing significant gasoline shortages across the Eastern United States.

Plaintiff filed suit, alleging that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.”  This included the assertion that Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations]”. (emphasis supplied).

The Complaint alleges a breach of Defendants’ duty of care, including the following acts and omissions: “(1) failing to adopt, implement, and maintain necessary and adequate security measures in order to protect its systems (and, thus, the pipeline); (2) failing to adequately monitor the security of their networks and systems; (3) failure to ensure that their systems had necessary safeguards to be protected from malicious ransomware; and, perhaps most importantly, (4) failure to ensure that they could maintain their critical fuel transmission operations even in the event of computer system failure.”  The Complaint asserts claims for negligence and for declaratory judgment.  An Amended Complaint subsequently asserted claims for negligence, Unjust Enrichment, Public Nuisance, and other statutory violations.

Yesterday, the Defendants moved to dismiss the Amended Complaint and to strike Plaintiff’s class allegations.  Insofar as the Motion to Dismiss was concerned, Defendants’ brief was a grab-bag of various arguments.  For instance, the Defendants argued that federal preemption and the filed rate doctrine preclude all of Plaintiff’s claims.  This was in part, Defendants argued, because Plaintiff’s seek to involve the court in pipeline regulation which is the purview of the Federal Energy Regulatory Commission.  [Note: this may be the first time in which CPW has seen Defendants rely on the nonjusticiability doctrine in a data event/cybersecurity litigation].  Defendants also argued, among other things, that the economic loss rule bars Plaintiff’s negligence claims and in any event, Defendants owed to duty to end-user, retail consumers not to shut down its pipeline.  Additionally, Defendants argued the pleadings incorporate impermissible “fail-safe” classes where membership can only be determined after the merits of the case have been litigated.

How the court comes out on these issues remains to be seen.  And in any event, a second litigation involving the same cyberattack remains pending.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.