Analyzing the impact of the massive CrowdStrike outage
While sitting in Chicago O’Hare on a delay during the CrowdStrike crash, watching the chaos unfold, I couldn’t help but wonder how many law school exams this coming year will include a fact pattern not so loosely based on the event—tort, contract, insurance, cybersecurity; shareholder suits. It makes one wonder: How many industries and fields of practice does the CrowdStrike failure impact, exactly? And with that thought, this article was born.
CrowdStrike is a cybersecurity company that offers cloud-based software to protect businesses from cyberattacks and hackers. On July 19, 2024, as part of regular operations, CrowdStrike released an update for a feature that resulted in a system crash. This caused a global outage that experts estimate crashed more than 8 million computers. The impact involved government entities such as 911 operators, airlines, retailers, hospitals, and countless other industries that rely on Microsoft systems. Initial estimates of the financial impact calculate in the billions. Consequently, CrowdStrike’s stock price dropped almost instantly.
In the immediate aftermath, CrowdStrike released several statements that addressed the financial strength of the company. It contended that finances are strong and that it “maintain[s] insurance policies that are intended to mitigate the potential impact of certain claims.” CrowdStrike’s website also directed the reader to the standard terms and conditions related to customer contracts, including limitations of liability. Its FAQ responses provided a rough outline of the legal issues implicated by the event.
The Immediate and Inevitable Impact
Various parties are likely to initiate suits and assert myriad damages. Possilities include: Travelers claim damages related to extended disruption of travel plans; government entities claim the inability to process 911 calls; corporations claim lost opportunities from operational issues—this includes unexpected retail closure and the inability to electronically execute contracts within negotiated deadlines; CrowdStrike shareholders claim damages related to the substantial reduction in stock price.
CrowdStrike, Microsoft, and their customers also likely suffered reputational harm, as well as investigation and response damages. Insurers may make payments on insureds’ behalf under first-party insurance policies that will undoubtedly lead to subrogated claims. With this, coverage actions may accompany suits seeking first[1]and third-party coverage.
Website Terms and Conditions
CrowdStrike’s website directs readers to the customer agreement, terms, and conditions that seek to limit financial exposure from this type of event. This language contains provisions impacting the viability of suits, including:
The enforceability of these provisions will likely be tested in forthcoming claims. Moreover, it is unknown whether all customers signed the same terms and conditions currently available on the CrowdStrike website, or if more favorable terms were negotiated with certain customers. Additionally, while the terms and conditions govern contracting entities, they do not apply to non-signatories such as shareholders, investors, insurers, and travelers.
Lawsuits already filed and Those on the Way
The first suit filed as a result of the CrowdStrike event was a proposed class action by investors in federal court in Austin, Texas. Venue is not governed by the terms and conditions since the suit is not by a customer. A pension fund located in Texas also filed suit claiming CrowdStrike misled it regarding software updating procedures, including representations that cybersecurity software was validated, tested, and certified. Investor damages are based on stock prices precipitously dropping from an all-time high to the low from a year and a half earlier. Nevertheless, derivative shareholder suits face an uphill battle as shareholders will have to demonstrate that information was likely to mislead or deceive shareholders. Discovery will be costly, time intensive, and invasive.
One of the most high-profile claims to date has been by Delta Air Lines, which has threatened to sue CrowdStrike for damages totaling over $500 million for over five days of business disruption. Delta Air Lines CEO Ed Bastian spoke publicly regarding the losses, including the reputational harm suffered by Delta. He openly referenced a potential suit against CrowdStrike and said Delta hired litigation counsel.
Reports suggest Delta suffered some of the worst disruptions, with estimates that Delta flight cancellations made up 70% of all flight cancellations attributable to the incident. A proposed class action was also filed by passengers against Delta alleging it failed to take appropriate steps to respond to the outage. In this regard, Delta’s disruption lasted over five days of losses while competitors, such as United, reported only three days of interruption.
In response to litigation threats, CrowdStrike and Microsoft publicly stated that the customer agreement’s terms and conditions bar Delta’s claims. Delta countered with allegations of gross negligence or willful misconduct that should void any terms under such circumstances. It remains to be seen what evidence, if any, Delta can produce to meet the higher burden of proof applicable to such claims. Even if a finder of fact agrees, Delta faces issues of causation. In this regard, CrowdStrike and Microsoft contend Delta experienced internal system issues. As such, the extent of its damages is not attributable solely to the CrowdStrike outage.
While Microsoft does not appear to be named in litigation to date, it seems likely as the CrowdStrike update only affected Windows machines. Similar issues involving customer loss will exist in any claims against Microsoft, including terms and conditions. To date, it outwardly appears CrowdStrike and Microsoft are aligned in response to potential claimants. In the event of litigation, however, crossclaims and third-party claims may be unavoidable absent agreement not to pursue such claims.
Claims by customers whose operations resulted in bodily harm, such as 911 operators and hospitals are likely to be met with resistance. This will be based on the provisions disclaiming liability in such instances and expressly placing the burden of proper use on the customer. Nevertheless, it is expected that entities that are not CrowdStrike customers, but are serviced by CrowdStrike customers, will pursue claims for damages arising from the incident’s resulting chain reaction. Such claims will see defenses of foreseeability and no legal duty. Still, CrowdStrike will face challenges from parties that are not signatories to the legal disclaimers in the customer terms and conditions.
Insurer subrogation claims for carriers covering loss for first party claims to customers (and entities serviced by CrowdStrike customers) will also be in the mix. These insurers, however, will stand in the shoes of their insureds. Thus, they will face the same challenges their insureds face, including overcoming the defenses arising from the terms and conditions.
Claimants may also attempt to avoid the enforceability of the arbitration and choice of law provisions. Arguments will span from lack of mutual agreement to the contract being against public policy. Certain states may have general business laws that void one-sided contracts and seek to regulate deceptive business practices.
Implications for the Insurance Industry
Cyber risk, directors and officers, and property and casualty policies are potentially implicated by the CrowdStrike incident. Those potentially being sued—CrowdStrike, Microsoft, and their customers who are in turn being sued by those they service—will seek coverage for these third-party claims. This will interject coverage issues for analysis including: the duty to defend versus indemnify; an insured’s right to independent counsel; whether there is a covered occurrence; and whether there are any applicable exclusions. The CrowdStrike event will further the ongoing discussion surrounding silent cyber coverage in bodily injury and property damage policies. First-party insurance claims are also implicated for policies that provide investigation and response coverage, and coverage in the event of IT vendor outages. Those entities that only secured coverage in the event of a malicious event, and entities without business interruption and dependent business interruption coverage may be left without any applicable coverage, but may nevertheless seek renumeration through pursuit of claims against their insurance broker. Also implicated are travel insurers who issue coverage for flights, cruises and other trip related activities also face an increase in claims.
As with any insurance coverage claim, outcomes will vary depending on the precise terms of the policy in question, facts and circumstances of the claim, and venue. Many industries will be surveying how the CrowdStrike claims evolve and resolve.
Clyde & Co. professionals discuss this year's key trends
Kelly E. Petter, Esq. is partner at Gerber Ciano Kelly Brady LLP. kpetter@gerberciano.com
