On July 19, Jonathan Cardi and his family watched as the departures board at Raleigh-Durham International Airport in North Carolina turned from green to a sea of red. “Oh my gosh, it was insane,” says Cardi. “Delayed, delayed, delayed, delayed.”
Cardi, a law professor at Wake Forest University and a member of the American Law Institute, was due to fly with Delta Airlines to a conference in Fort Lauderdale, Florida. With thousands of other travelers, he spent the day lining up as staff kept telling people that flights “would be taking off any minute,” he recalls. But when it became clear that planes were going nowhere, he made the 11-hour journey by rental car instead. Others heading to the conference slept at the airport, Cardi later found out.
The chaos was the result of a software update released by cybersecurity company CrowdStrike, which contained a defect that crashed millions of Microsoft Windows computers. The IT outage, which disrupted airlines, financial services, and various other industries, is estimated to have caused more than $5 billion in financial losses. “Because there was so much money lost, there is going to be legal action,” says Cardi, who specializes in the field of law concerned with civil liability for losses or harm.
That legal wrangling is already beginning.
On July 29, Delta informed CrowdStrike and Microsoft of its intent to sue over the $500 million it claims to have lost as a result of the outage. A class action lawsuit has been filed by law firm Labaton Keller Sucharow on behalf of CrowdStrike shareholders, claiming they were misled over the company’s software testing practices. Another law firm, Gibbs Law Group, has announced it is looking into bringing a class action on behalf of small businesses affected by the outage.
In response to WIRED’s inquiry about the shareholder class action, CrowdStrike says, “We believe this case lacks merit, and we will vigorously defend the company.” In a letter to Delta’s legal counsel seen by WIRED, a legal representative for CrowdStrike said that the company “strongly rejects any allegation that it was grossly negligent or committed willful misconduct.” Microsoft declined to comment. Delta’s legal counsel declined an interview request.
Those hoping to recover financial losses will need to find creative ways to frame their cases against CrowdStrike, which is insulated to a great extent by clauses typical of software contracts that limit its liability, Cardi says. Though it may seem intuitive that CrowdStrike be on the hook for its mistake, the company is likely to be “pretty well-guarded” by the fine print, he adds.
Limitation Clause
Despite CrowdStrike conceding responsibility for the outage, neither direct customers nor businesses disrupted by proximity—i.e., the customers of CrowdStrike customers—will find it easy to recover their losses. The first question will be: What specifically would they be suing CrowdStrike for? There are a handful of theoretical options—breach of contract, negligence, or fraud—but none of them are straightforward.
Although customers may argue that CrowdStrike breached its contract in some way, “the amount of money they could recover is likely to be severely limited by the limitation clause,” says Paul MacMahon, associate professor of law at the London School of Economics and Political Science. The purpose of any such clause is to act as a sort of get-out-of-jail-free card, limiting the amount of money a software vendor has to pay out. The specific contents of the contracts entered into by CrowdStrike and its customers will differ from case to case, but the general terms and conditions limit CrowdStrike’s liability to only the amount its customers pay for its services.
In the letter to Delta’s counsel, CrowdStrike’s representative claims the company’s liability is capped at the “single-digit millions,” far short of the $500 million the airline claims to have lost. To recover a more handsome sum, says MacMahon, Delta and other customers would have to convince a court that the clause is inherently unfair and therefore unenforceable, or otherwise argue that CrowdStrike had in some way committed fraud.
“It’s going to hinge on the peculiarities of the individual contractual arrangements that one business has with another,” says Colm McGrath, senior lecturer in law at King’s College London and co-editor of the Journal of Professional Negligence. But when dealing with “big boy commercial entities,” says McGrath, courts are typically inclined to uphold the terms of any agreements that result from “hard-nosed negotiations with one another in clear understanding of the risks.”
Rosemary Rivas, a partner at Gibbs Law Group leading the investigation into bringing a class action on behalf of small businesses—both CrowdStrike customers and those affected by the outage indirectly—declined to comment on the challenges posed by the CrowdStrike terms and conditions, saying only that the firm is “speaking to a wide range of businesses” as part of its investigation.
Businesses without a direct contractual relationship with CrowdStrike, meanwhile, though unaffected by any limitation clause, “probably won’t have a claim in the first place,” MacMahon says. They will not be able to sue for breach of contract, because there isn’t one. Neither could they sue for negligence, because the relevant laws apply only to personal injury or property damage, not economic loss.
The situation in which CrowdStrike finds itself, says MacMahon, is similar to that of the company whose container ship destroyed a bridge in Baltimore in March. Although the collapse will have been costly for any business that might otherwise have used the bridge, the losses are purely financial—and likewise for businesses disrupted by the IT outage in July. “They have no claim, I’m sure,” says MacMahon.
However, the various barriers will not prevent legal cases from being brought against CrowdStrike, experts say, given the extent of the financial losses involved. There have been few landmark lawsuits that put to the test the kinds of liability limitations included in software contracts, says Brian Fox, CTO at software supply chain company Sonatype, creating an opening for CrowdStrike customers to challenge them. “This could be a watershed moment,” he says.
“The fun and challenge of law is that you and I could negotiate a contract in which I exclude [from liability] everything under the sun, but you don’t know if that’s going to work until you find out in court,” McGrath says. “It could well be that the court decides that what you agreed in the contract is simply not permitted within the bounds of the law in a given jurisdiction.”
There are also separate reasons for which an organization might pursue legal action. In the very public back-and-forth between Delta and CrowdStrike, for example, there may be an element of posturing, McGrath says. “Whatever game you are playing through litigation, sometimes it’s about making sure you get the legal remedy you think is due. But sometimes, it’s about PR and publicity. In big commercial entities, I suspect there is a careful discussion about which of two imperatives is the more pressing.”
In its letter to Delta, CrowdStrike points to the length of time it took Delta to recover from the outage in comparison to other airlines that restored operations far more quickly. “Delta’s public threat of litigation … has contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage,” CrowdStrike’s representative wrote. The letter also includes forceful rhetoric warning of CrowdStrike’s willingness to defend itself: “While litigation would be unfortunate, CrowdStrike will respond aggressively, if forced to do so, in order to protect its shareholders, employees, and other stakeholders.”
In a statement provided to WIRED, Kevin Benacci, senior director of corporate communications at CrowdStrike, said that the company has expressed regret and apologized to all of its customers already, and suggested that Delta’s legal threats should be seen as “public posturing” that “is not constructive to any party.” “We hope that Delta will agree to work cooperatively to find a resolution,” says Benacci.
The reality may ultimately be that, though CrowdStrike has conceded to causing the outage, and billions of dollars’ worth of damage was incurred, the cost will be borne predominantly by its customers and other affected businesses. That will be especially so if only a fraction of the costs are covered by cyber insurance, as has been reported.
Members of the IT industry, like Fox, are calling for regulatory reform to prevent software providers from shifting liability for coding blunders onto customers and, in turn, the businesses that depend on them. “Until this point, it’s been a little bit inside baseball; only people seeing the unintended consequences up close really cared,” Fox says. “Reform around liability is probably the only thing that is going to make businesses sit up and pay attention to things that engineers have been highlighting forever: We need to do a better job with architecture, testing, and security.”
But for the time being, says McGrath, “the blunt, practical reality is that litigants, whether consumers or big businesses, have to work within the legal system they are operating in.”
Source: Wired