Class actions stemming from ransomware attacks are becoming increasingly common as the public awakens to the likelihood that these episodes are often accompanied by data exfiltration and breaches, says Michael J. Ruttinger, JD, partner with Tucker Ellis in Cleveland. In the last two years, it has become increasingly common for consumers who are concerned about their own data exposure to file class actions against companies (including cloud software providers and healthcare companies).

The broadest group of potential plaintiffs consists of persons or other entities who learn their data have been compromised during a ransomware attack and choose to sue the company responsible for protecting that data, alleging failure to take adequate steps to protect against the attack and resulting breach.

“But it is not necessarily consumer- or even data-related. The cyberattack against Colonial Pipeline earlier this year spawned a putative class action on behalf of class members who include more than 11,000 negatively affected gas stations who were allegedly left without sufficient supply due to the attack,” Ruttinger says. “Any time a group of similarly situated entities are harmed by the disruption caused by a ransomware attack, that could provide a potential basis for class action allegations.”

An ounce of prevention is worth a pound of cure, Ruttinger says. Many companies already have plans in place for responding to cyberattacks and breaches. These plans can be strengthened and broadened to account for ransomware attacks. But creating a response plan is not enough. Companies should regularly test their plans to confirm their teams are ready to handle attacks and the potential fallout.

Few class actions based on ransomware attacks have progressed far enough to give a clear picture of their odds of success, Ruttinger says. However, plaintiffs in similar data breach class actions have struggled to demonstrate standing to sue. That challenge only grew with the Supreme Court’s recent decision in TransUnion, LLC v. Ramirez, where the court substantially narrowed a class action brought against one of the nation’s major credit-reporting companies involving unauthorized disclosure of personal data.

“A party seeking to succeed in a ransomware class action will likely need to be able to demonstrate a concrete injury, not just speculation about harm or an alleged statutory violation,” Ruttinger says. “One of the key concerns our clients express over class actions are the lengthy and expensive discovery obligations that sometimes arise, including discovery of electronically stored information. Experienced class action counsel can often help companies streamline and navigate these challenges.”