No inherent legal duty to be good at cybersecurity

Colonial operates a large oil pipeline and had a very bad ransomware attack in 2021 that shut down the pipeline for five days.

Some individuals who purchased gas and paid higher prices as a result of the shutdown sued Colonial for negligence (among other things) under Georgia law.

The District Court for the Northern District of Georgia has now dismissed that lawsuit:

Plaintiffs provide no Georgia statutory or common law authority for the proposition that industry standards impose a duty of care to protect against cyberattacks generally, nor do they provide support that the particular industry standards they allege have been recognized by Georgia courts.

June 17, 2022 Order Granting Motion to Dismiss at 11-12 [N.D. GA, Case 1:21-cv-02098-MHC]

And because plaintiffs could not allege exposure of personal data or any other violation of statute or legal duty, the complaint was dismissed.

Now if Colonial had said it was good at cybersecurity, and then events suggested it was not in fact good at cybersecurity, it would definitely have drawn a few shareholder derivative suits and maybe even an SEC investigation. See Matt Levine (“everything is securities fraud”).

But there is no inherent duty to be good at cybersecurity. (Yet.)