First came the ransomware attacks, now come the lawsuits
Eddie Darwich and his wife Abeer had been running the EZ Mart fuel station on Castle Hayne Road in Wilmington, N.C., for 11 years the day the gas dried up.
At first he was skeptical of the other gas station owners who were calling him with news of a strange computer hack attack on Colonial Pipeline, the company that ran the network of fuel pipes serving much of the U.S. East Coast. The pipeline had been shut down, and a rush on gas was brewing as panicked drivers bought extra fuel.
"I didn't believe it," he said in a recent phone interview. "There's no way in hell something like this would happen in the United States."
But it was true. On May 12, five days after an employee in Colonial's control room discovered the hack, Darwich's pumps ran dry. He desperately called his supplier, who told him the only thing he could do was wait. Darwich wasn't the only one who needed gas: Thousands of stations in a dozen states were in the same bind.
"For more than a month I did not see my customers," he said. "It hurt a lot."
Now he's suing Colonial Pipeline, accusing it of lax security, to get some of that money back. He and his lawyers are hoping to also represent the hundreds of other small gas stations that were hurt by the hack. It's just one of several class-action lawsuits that are popping up in the wake of high-profile ransomware attacks.
Another lawsuit filed against Colonial in Georgia in May seeks to get damages for regular consumers who had to pay higher gas prices. A third is in the works, with law firm Chimicles Schwartz Kriner & Donaldson-Smith LLP seeking to mount a similar effort. Colonial isn't the only company that's been targeted. Another suit was launched in June against the San Diego based hospital system Scripps Health after it was hit by a ransomware attack.
Cybersecurity lapses at major companies have led to big class-action lawsuits and settlements in the hundreds of millions of dollars. Retailer Target eventually paid $10 million to consumers and $39 million to banks after hackers broke into its systems and stole personal information in 2013. Home Depot brokered a similar settlement with shoppers who had their credit card info stolen from the home improvement store's computers.
But ransomware attacks have the potential to affect people in ways that go far beyond simply having their personal information stolen and sold online.
Ransomware hackers deploy software that locks the owner of the targeted computer system out of their machines, and demands a cryptocurrency payment in return for handing back control.
In a world where everything runs on computers, these attacks can cause havoc. Hospitals have had to postpone surgeries. A small Maryland town hit by the sprawling Kaseya IT software hack lost 17 of its 19 computers, forcing them to stop billing residents for their electricity and blocking paychecks from going out to town employees. And in the case of Colonial Pipeline, hundreds of gas stations were shut down, leading to huge lines of cars waiting for what little fuel remained.
The rise in suits may mean companies and organizations that are hacked are no longer just on the hook for reimbursing people who had their data stolen. They could now be liable for all kinds of damages that go well beyond a heightened risk of identity theft or credit card fraud.
"This is an extremely developing and increasing area," said John Yanchunis, a veteran class action lawyer with Morgan and Morgan who worked on data breach lawsuits against Yahoo, Equifax and Target. His firm is involved in the lawsuit against Colonial which seeks to represent gas station owners affected by the hack.
American companies are great at selling things, said Yanchunis. But the level of cybersecurity protection at most firms, even giant ones that handle millions of peoples' information, is still not where it needs to be, he said.
"One thing they have not done and one thing they're not good at is protecting their information system because it costs money, and it's not money that goes to increase profit," he said.
In the early years of big data breaches, courts themselves were reluctant to acknowledge that having ones' information stolen off a companies' computer system could lead to actual harm, said Daniel Solove, a professor at George Washington University Law School and the founder of cybersecurity and privacy training firm TeachPrivacy. But after years of repeated hacks, more courts have begun to recognize that cybersecurity lapses can hurt real people in real ways, he said.
Either way, most cases end up in settlements, as companies opt to pay off hack victims instead of trying to fight costly, protracted court battles.
"Even if you're going to win it's a lot cheaper to settle than it is to fight," Solove said.
The number of ransomware attacks has ballooned over the last year as more criminals realize the potential for making money and ransomware groups start selling their tech to other, less technically-sophisticated criminals.
Whereas traditional cyber attacks meant hackers had to find a buyer for the information they stole to make money, ransomware attacks allow hackers to get paid more quickly and reliably as desperate companies try to regain access to their systems.
Legislators are debating potential solutions, like dissuading victims from paying hackers by providing them government money to rebuild their networks. Former Cybersecurity and Infrastructure Security Agency director Chris Krebs has suggested the government could require a certain level of security from companies that work in critical fields, like utilities.
But even for companies with relatively good security, hacks can be difficult to completely avoid. It only takes one employee clicking on a fake link or downloading a shady attachment for hackers to break into an otherwise secure system.
"Companies with good security sometimes have lapses," Solove said. There isn't a unified legal standard laying out what sort of security a company needs to have to keep it from liability if it loses its customers' information or suffers a ransomware attack.
"It really isn't clear what the standard of care is. It's tricky, all you have to do is fail on one thing," he said.
That means the potential for lawsuits will keep growing as ransomware attacks do. And if lawyers can reasonably show that a company made some kind of mistake in protecting its system, victims will have an avenue to sue.
In Darwich's case, it took 10 days before he started getting gas again, all the while watching the big-brand chain gas station down the road from him getting fuel trucked in from elsewhere. The EZ Mart makes most of its money from in-store sales of cigarettes, coffee and snacks, and without gas to draw people, their revenue dropped. By the time Darwich had fuel again, some of his longtime patrons had started going elsewhere.