While sitting in Chicago O’Hare on a delay during the CrowdStrike crash, watching the chaos unfold, I couldn’t help but wonder how many law school exams this coming year will include a fact pattern not so loosely based on the event: tort, contract, insurance, cybersecurity, shareholder suits. It makes one wonder: how many industries and fields of practice does the CrowdStrike failure impact, exactly? And with that thought, this article was born.
CrowdStrike is a cybersecurity company that offers cloud-based endpoint protection software to protect businesses from cyberattacks. On July 19, 2024, as part of regular operations, CrowdStrike released a content update for its Falcon sensor on Windows hosts that contained a defect; affected machines crashed and, in many cases, could not reboot without manual remediation. The incident was a faulty update, not a cyberattack. It caused a global outage that Microsoft estimated affected roughly 8.5 million Windows devices. The impact reached emergency services such as 911 dispatch centers, airlines, retailers, hospitals, and countless other organizations that run Microsoft Windows. Initial estimates put the financial impact in the billions of dollars, and CrowdStrike’s stock price dropped almost immediately.
In the immediate aftermath, CrowdStrike released several statements that addressed the financial strength of the company. It contended that finances are strong and that it “maintain[s] insurance policies that are intended to mitigate the potential impact of certain claims.” CrowdStrike’s website also directed the reader to the standard terms and conditions related to customer contracts, including limitations of liability. Its FAQ responses provided a rough outline of the legal issues implicated by the event.
The Immediate and Inevitable Impact
Various parties are likely to initiate suits and assert myriad damages. Possibilities include: travelers claiming damages related to extended disruption of travel plans; government entities claiming the inability to process 911 calls; corporations claiming lost opportunities from operational issues, including unexpected retail closures and the inability to electronically execute contracts within negotiated deadlines; and CrowdStrike shareholders claiming damages related to the substantial reduction in stock price.
CrowdStrike, Microsoft, and their customers also likely suffered reputational harm, as well as investigation and response costs. Insurers may make payments on insureds’ behalf under first-party insurance policies, which will undoubtedly lead to subrogated claims. With this, coverage actions may accompany suits seeking first- and third-party coverage.
Website Terms and Conditions
CrowdStrike’s website directs readers to the customer agreement, terms, and conditions that seek to limit financial exposure from this type of event. This language contains provisions impacting the viability of suits, including:
- Product and service warranties stating that products will operate without error and that CrowdStrike’s services will be performed in a workmanlike manner consistent with industry standards, while limiting any liability for breach of warranty to either: CrowdStrike using commercially reasonable efforts, at its own expense, to correct the error or find a workaround; or the customer terminating its use, with CrowdStrike returning any unearned prepaid fees.
- A disclaimer of all warranties, express, implied, statutory, or otherwise, except those specifically provided for in the terms and conditions, which state that there is no warranty that CrowdStrike’s offerings or tools will be error free, will operate without interruption, or will fulfill any particular customer need.
- Notice that the offerings and tools are not designed or intended for use in hazardous environments that require fail-safe performance or operation. This includes aircraft navigation, nuclear facilities, communication systems, weapons systems, direct or indirect life-support systems, air traffic control, or any application where failure could result in death, severe physical injury, or property damage. Further, the customer is responsible for ensuring use in an appropriate application.
- Although there is an indemnification provision, CrowdStrike’s obligations are limited to circumstances involving infringement or violation of third-party intellectual property rights.
- A limitation of liability expressly stating that CrowdStrike is not liable to customers for any lost profits, revenue, or savings, lost business opportunities, lost data, or special, incidental, consequential, or punitive damages, even if the party was advised of the possibility of such damages or losses or such damages or losses were reasonably foreseeable, which limitation applies “notwithstanding any failure of essential purpose of any remedy specified.”
- Governing law and forum selection provisions designating California law as governing the agreement, and designating the state and federal courts in Santa Clara County, California as the exclusive venue for suits by customers with principal offices in North America.
- Dispute resolution provisions applicable to customers with principal offices outside of North America designating New York law as governing the rights and duties of the parties and mandating arbitration in various locations for disputes, claims, or controversies arising out of or relating to the agreement.
The enforceability of these provisions will likely be tested in forthcoming claims. Moreover, it is unknown whether all customers signed the same terms and conditions currently available on the CrowdStrike website, or if more favorable terms were negotiated with certain customers. Additionally, while the terms and conditions govern contracting entities, they do not apply to non-signatories such as shareholders, investors, insurers, and travelers.
Lawsuits Already Filed and Those on the Way
The first suit filed as a result of the CrowdStrike event was a proposed class action by investors in federal court in Austin, Texas. Venue is not governed by the terms and conditions, since the suit is not brought by a customer. A pension fund located in Texas also filed suit claiming CrowdStrike misled it regarding software update procedures, including representations that its cybersecurity software updates were validated, tested, and certified. Investor damages are based on the stock price precipitously dropping from an all-time high to a level last seen a year and a half earlier. Nevertheless, these securities suits face an uphill battle, as shareholders will have to demonstrate that the challenged statements were materially misleading. Discovery will be costly, time intensive, and invasive.
One of the most high-profile claims to date has been by Delta Air Lines, which has threatened to sue CrowdStrike for damages totaling over $500 million for over five days of business disruption. Delta Air Lines CEO Ed Bastian spoke publicly regarding the losses, including the reputational harm suffered by Delta. He openly referenced a potential suit against CrowdStrike and said Delta hired litigation counsel.
Reports suggest Delta suffered some of the worst disruptions, with estimates that Delta flight cancellations made up 70% of all flight cancellations attributable to the incident. A proposed class action was also filed by passengers against Delta alleging it failed to take appropriate steps to respond to the outage. In this regard, Delta’s disruption lasted more than five days, while competitors such as United reported only about three days of interruption.
In response to litigation threats, CrowdStrike and Microsoft publicly stated that the customer agreement’s terms and conditions bar Delta’s claims. Delta countered with allegations of gross negligence or willful misconduct, which it contends should void those terms under such circumstances. It remains to be seen what evidence, if any, Delta can produce to meet the higher burden of proof applicable to such claims. Even if a finder of fact agrees, Delta faces issues of causation: CrowdStrike and Microsoft contend Delta experienced internal system issues, so the extent of its damages is not attributable solely to the CrowdStrike outage.
While Microsoft does not appear to be named in litigation to date, it seems likely to be, as the CrowdStrike update only affected Windows machines. Similar issues involving customer loss will exist in any claims against Microsoft, including its own terms and conditions. To date, CrowdStrike and Microsoft outwardly appear aligned in their response to potential claimants. In the event of litigation, however, crossclaims and third-party claims may be unavoidable absent an agreement not to pursue such claims.
Claims by customers whose operational disruptions resulted in bodily harm, such as 911 dispatch centers and hospitals, are likely to be met with resistance based on the provisions disclaiming liability for such uses and expressly placing the burden of proper use on the customer. Nevertheless, it is expected that entities that are not CrowdStrike customers, but are serviced by CrowdStrike customers, will pursue claims for damages arising from the incident’s chain reaction. Such claims will be met with defenses of lack of foreseeability and absence of a legal duty. Still, CrowdStrike will face challenges from parties that are not signatories to the disclaimers in the customer terms and conditions.
Insurer subrogation claims for carriers covering loss for first party claims to customers (and entities serviced by CrowdStrike customers) will also be in the mix. These insurers, however, will stand in the shoes of their insureds. Thus, they will face the same challenges their insureds face, including overcoming the defenses arising from the terms and conditions.
Claimants may also attempt to avoid the enforceability of the arbitration and choice of law provisions. Arguments will span from lack of mutual agreement to the contract being against public policy. Certain states may have general business laws that void one-sided contracts and seek to regulate deceptive business practices.
Implications for the Insurance Industry
Cyber risk, directors and officers, and property and casualty policies are all potentially implicated by the CrowdStrike incident. Those potentially being sued, namely CrowdStrike, Microsoft, and their customers who are in turn being sued by those they service, will seek coverage for these third-party claims. This will introduce coverage issues for analysis, including: the duty to defend versus the duty to indemnify; an insured’s right to independent counsel; whether there is a covered occurrence; and whether any exclusions apply. The CrowdStrike event will further the ongoing discussion surrounding silent cyber coverage in bodily injury and property damage policies. First-party insurance claims are also implicated for policies that provide investigation and response coverage and coverage in the event of IT vendor outages. Because the outage was caused by a defective update rather than an attack, entities that only secured coverage for malicious events, and entities without business interruption and dependent business interruption coverage, may be left without any applicable coverage, but may nevertheless seek recovery through claims against their insurance brokers. Travel insurers who issue coverage for flights, cruises, and other trip-related activities also face an increase in claims.
As with any insurance coverage claim, outcomes will vary depending on the precise terms of the policy in question, facts and circumstances of the claim, and venue. Many industries will be surveying how the CrowdStrike claims evolve and resolve.