CrowdStrike is facing lawsuits after a major outage disrupted services, potentially causing over $5 billion in losses. However, a limitation of liability clause may protect CrowdStrike from paying significant damages.
Key Takeaways:
CrowdStrike, a leading cybersecurity firm, is facing a wave of lawsuits following a significant service outage on July 19, 2024.
The incident, which lasted several hours and disrupted operations for several high-profile clients, including airlines, financial services, healthcare providers and more, was caused by a faulty software update that crashed millions of Microsoft Windows computers. The outage is believed to have caused more than $5 billion in losses, according to The Guardian.
Delta Air Lines: On July 29, Delta informed CrowdStrike and Microsoft of its intent to sue over the $500 million it claims to have lost as a result of the outage. Delta was meanwhile hit with a proposed class action alleging the company failed to properly refund fliers or provide passengers with promised meal, hotel, and transportation vouchers after the outage.
Shareholder Class Action: A class action lawsuit has been filed by law firm Labaton Keller Sucharow on behalf of CrowdStrike shareholders, claiming they were misled over the company’s software testing practices.
Small Business Class Action: Another law firm, Gibbs Law Group, has announced it is looking into bringing a class action on behalf of small businesses affected by the outage.
CrowdStrike has issued a public statement acknowledging the outage and the impact on its clients. The company emphasized that it worked swiftly to restore services and has taken steps to prevent similar incidents in the future.
On the shareholder class action: “We believe this case lacks merit, and we will vigorously defend the company,” CrowdStrike told WIRED.
On the Delta lawsuit: In a letter to Delta’s legal counsel, a legal representative for CrowdStrike said that the company “strongly rejects any allegation that it was grossly negligent or committed willful misconduct.” Kevin Benacci, senior director of corporate communications at CrowdStrike, told WIRED that Delta’s legal threats should be seen as “public posturing” that “is not constructive to any party.”
CrowdStrike's contracts with its clients likely include a limitation of liability clause, which could significantly cap its financial responsibility for the damages claimed by the plaintiffs. Such clauses are designed to protect service providers from excessive financial exposure in the event of unforeseen incidents, such as the recent outage.
However, the enforceability of these clauses can be contentious, especially when the outage causes widespread damage or is seen as a result of gross negligence. Plaintiffs may argue that the severity of the outage and its impact on critical infrastructure like air travel should override the contractual limitations.
Those hoping to recover financial losses will need to find creative ways to frame their cases against CrowdStrike, and “the amount of money they could recover is likely to be severely limited by the limitation clause,” Paul MacMahon, associate professor of law at the London School of Economics and Political Science, told WIRED.
To recover a more significant sum, Delta and other customers would have to convince a court that the clause is inherently unfair and therefore unenforceable, MacMahon said.
For the broader cybersecurity industry, this case could have far-reaching implications, especially regarding how contracts are structured and the extent to which service providers can limit their liability in the event of significant outages.
Although CrowdStrike has conceded that it caused the outage and billions of dollars’ worth of damage, the cost may ultimately be borne predominantly by its customers and other affected businesses.
To prevent software providers from shifting liability for coding blunders onto customers and the businesses that depend on them, members of the IT industry are calling for regulatory reform.
Brian Fox, CTO at software supply chain company Sonatype, told WIRED, “Reform around liability is probably the only thing that is going to make businesses sit up and pay attention to things that engineers have been highlighting forever: We need to do a better job with architecture, testing, and security.”