Colonial Pipeline Hit With Negligence Lawsuit Over Ransomware Attack
How a cyber attack can go from bad to worse.
Well, that didn’t take long.
The cyber-attack that hit Colonial Pipeline has now resulted in a class-action lawsuit filed in the U.S. District Court for the Northern District of Georgia about 10 days after the ransomware attack first hit Colonial.
This post is not intended to heap more bad news onto Colonial; instead, I want to demonstrate how quickly a cyber event can go from bad to worse.
Now, the average business owner may be thinking: “Look, I’m a small or even medium-sized business. I’m nowhere near the size of Colonial, so this isn’t relevant to me.”
I want to challenge that thinking.
Sure, most firms we work with aren’t anywhere near the size of Colonial, so you may not be facing the same magnitude of loss as Colonial, but what I want to demonstrate is the potential scope of a cyber claim you could be facing.
I produced a video on the ransom demand Colonial paid and talked about how the ransom of almost $5M may be only a small portion of the eventual cyber claim when you consider the business interruption claim, forensics, IT, PR, Crisis Management costs, and more that could have rolled up to about $40M. That can be viewed here.
The class-action suit that Colonial now faces alleges negligence on Colonial’s part in failing to deploy adequate cybersecurity measures to secure its systems and prevent the event that did occur, which resulted in a slowdown of the U.S. economy along with gasoline shortages and price increases borne by consumers. Plaintiffs who may join this suit include just about any consumer who paid more for gasoline during the shortage across 17 states. That is potentially an extensive class, which may result in very high costs for Colonial.
So, the costs on top of the ransom, the business interruption, and all the experts needed to remediate the initial cyber claim may end up looking like peanuts once defense costs and settlements are totaled up for this class action. That, of course, will take years to wind its way through the system, but we’re probably looking at tens of millions if not hundreds of millions of dollars.
Now, how can this impact a small or medium-sized business?
Pretty much the same way it’s unfolding for Colonial.
Sure, a ransomware event hitting your firm isn’t going to make the nightly news, but your customers, vendors, and others will learn about it. You may need to pay a ransom to recover your data.
You’ll definitely need to hire experts to help you navigate through the maze of state and federal regulatory issues and manage the crisis for you.
You may have notification costs to deal with. And, like Colonial, you may face a negligence lawsuit. It could come from a disgruntled customer, vendor, or employee alleging failure to maintain safe data practices, or it could come from an opportunistic law firm looking to form a class.
That’s a lot of potential costs following a cyber event.
How much will it cost?
We don’t know yet, but it does make me think that the $1M cyber policies most small and medium-sized firms carry are probably not sufficient. The cyber landscape has shifted over the past year or so, which means you should be looking at higher limits on your renewals, or even mid-term.
If you haven’t purchased cyber insurance yet, please reconsider and do it. Cyber coverage is still relatively cheap and easy to get. Don’t wait. I explain to clients that a cyber policy provides you with two things when an event occurs. The first is a team of experts ready to assist you in unraveling the attack or event, and the second is a bucket of money to pay for those experts, fund your recovery and, if necessary, cover potential lawsuits.
Have other questions or issues regarding cyber risk and cyber insurance? Click the button below and let’s schedule a call to chat further about it. I work with a variety of firms across the U.S. and would love to hear from you!