On July 19, Jonathan Cardi and his family watched as the departures board at Raleigh-Durham International Airport in North Carolina turned from green to a sea of red. “Oh my God, it was crazy,” Cardi says. “Delays, delays, delays, delays.”
Cardi, a law professor at Wake Forest University and a fellow at the American Law Institute, was scheduled to fly Delta Airlines to a conference in Fort Lauderdale, Florida. He and thousands of other travelers spent the day waiting in line while staff kept telling people “the planes are going to start taking off any minute,” he recalled. But when it became clear the planes weren’t going anywhere, he instead took an 11-hour ride in a rental car. Others traveling to the conference were sleeping at the airport, Cardi later learned.
The chaos was the result of a software update released by cybersecurity firm CrowdStrike that contained a flaw that caused millions of Microsoft Windows computers to crash. The IT outage, which has disrupted airlines, financial services and many other industries, is estimated to have caused financial losses exceeding $5 billion. “Because there was so much money lost, there will be legal action to take,” says Cardi, who specializes in the area of law that involves civil liability for loss or damage.
The legal wrangling has already begun.
On July 29, Delta informed CrowdStrike and Microsoft of its intention to file a lawsuit in connection with the $500 million it claims was lost as a result of the outage. A class action lawsuit was submitted by the law firm Labaton Keller Sucharow on behalf of CrowdStrike shareholders, alleging they were misled about the company’s software testing practices. Another law firm, Gibbs Law Group, has announced it is considering filing a class action lawsuit on behalf of small businesses affected by the outage.
In response to WIRED’s inquiry about the shareholder class action lawsuit, CrowdStrike says, “We believe this case lacks merit and will vigorously defend the company.” In a letter to Delta’s attorney, seen by WIRED, CrowdStrike’s legal representative said the company “strongly denies any allegations that it was grossly negligent or engaged in willful misconduct.” Microsoft declined to comment. Delta’s attorney declined an interview request.
Those hoping to recover financial losses will have to find inventive ways to frame their cases against CrowdStrike, which is largely protected by clauses typically found in software contracts that limit its liability, Cardi says. While it may seem intuitive that CrowdStrike would be liable for its mistake, the company will likely be “pretty well protected” by the small print, he adds.
Limitation clause
Even though CrowdStrike admitted liability for the outage, neither direct customers nor companies disrupted by proxy—i.e., customers of CrowdStrike customers—will have an easy time recovering their losses. The first question is: What exactly could they sue CrowdStrike for? There are a few theoretical options—breach of contract, negligence, or fraud—but none of them is straightforward.
While customers may claim that CrowdStrike breached its contract in some way, “the amount they could recover would likely be severely limited by a statute of limitations clause,” says Paul MacMahon, an assistant professor of law at the London School of Economics and Political Science. The purpose of such a clause is to act as a kind of get-out-of-jail-free card, limiting the amount of money a software vendor must pay out. The specific terms of the agreements between CrowdStrike and its customers will vary from case to case, but general terms and conditions limit CrowdStrike’s liability solely to the amount customers pay for the services.
