On July 19, Jonathan Cardy and his family watched as the departures board at Raleigh-Durham International Airport in North Carolina changed from green to solid red. “Oh my god, it was insane,” Cardy said. “Delay, delay, delay, delay.”
Cardy, a law professor at Wake Forest University and a member of the American Law Association, had been scheduled to fly Delta to a conference in Fort Lauderdale, Florida. He recalled waiting in line all day with thousands of other travelers as officials repeatedly told him the flight was about to depart. But when it became clear the plane wasn’t going anywhere, he instead opted for an 11-hour trip in a rental car. Cardy later learned that other passengers heading to the conference had been sleeping at the airport.
The disruption was caused by a flawed software update released by cybersecurity firm CrowdStrike that crashed millions of Microsoft Windows computers. The IT outage disrupted airlines, financial services and a range of other industries and is estimated to have resulted in economic losses of more than $5 billion. “There will be legal action because of the magnitude of the losses,” said Cardy, who specializes in the area of law relating to civil liability for loss and damage.
The legal battle has already begun.
On July 29, Delta Air Lines notified CrowdStrike and Microsoft of its intention to sue them for $500 million it claims it lost because of the outage. Law firm Labaton Keller Sucharow filed a class-action lawsuit on behalf of CrowdStrike shareholders, alleging they were misled about the company’s software testing practices. Another law firm, Gibbs Law Group, announced it was considering filing a class-action lawsuit on behalf of small businesses affected by the outage.
In response to WIRED’s inquiries about the shareholder class action lawsuit, CrowdStrike said, “We believe that the lawsuit is without merit and will vigorously defend the Company.” In a letter to Delta’s legal counsel reviewed by WIRED, CrowdStrike’s legal representatives said the company “strongly denies any allegations that it engaged in gross negligence or willful misconduct.” Microsoft declined to comment. Delta’s legal counsel declined an interview request.
Those hoping to recover financial losses will have to find creative ways to sue CrowdStrike, which is heavily protected by clauses limiting liability that are common in software contracts, Cardy said. While it may seem intuitive that CrowdStrike could be held liable for mistakes, he added, the company is likely “pretty well protected” by the fine print.
Restrictions
Even though CrowdStrike admitted liability for the outage, neither its direct customers nor the businesses disrupted indirectly (i.e., customers of CrowdStrike’s customers) will have an easy time recovering their losses. The first question is, on what specific grounds should they sue CrowdStrike? There are a few theoretical options (breach of contract, negligence, fraud, etc.), but none of them are straightforward.
While customers may claim that CrowdStrike breached the contract in some way, “the amount they can recover will likely be significantly limited by statutory covenants,” says Paul McMahon, an associate professor of law at the London School of Economics and Political Science. The purpose of these clauses is to act as a kind of get-out-of-court card, limiting the amount the software vendor must pay. The specifics of the contracts CrowdStrike and its customers enter into vary from case to case, but typical contract terms limit CrowdStrike’s liability to only what the customer pays for its services.