On July 19, Jonathan Cardi and his family watched as the departures board at Raleigh-Durham International Airport in North Carolina, turned from green to a sea of red. “Oh my gosh, it was insane,” says Cardi. “Delayed, delayed, delayed, delayed.”
Cardi, a law professor at Wake Forest University and a member of the American Law Institute, was due to fly with Delta Airlines to a conference in Fort Lauderdale, Florida. With thousands of other travelers, he spent the day lining up as staff kept telling people that flights “would be taking off any minute,” he recalls. But when it became clear that planes were going nowhere, he made the 11-hour journey by rental car instead. Others heading to the conference slept at the airport, Cardi later found out.
The chaos was the result of a software update released by cybersecurity company CrowdStrike, which contained a defect that crashed millions of Microsoft Windows computers. The IT outage, which disrupted airlines, financial services, and various other industries, is estimated to have caused more than $5 billion in financial losses. “Because there was so much money lost, there is going to be legal action,” says Cardi, who specializes in the field of law concerned with civil liability for losses or harm.
That legal wrangling is already beginning.
On July 29, Delta informed CrowdStrike and Microsoft of its intent to sue over the $500 million it claims to have lost as a result of the outage. A class action lawsuit has been filed by law firm Labaton Keller Sucharow on behalf of CrowdStrike shareholders, claiming they were misled over the company’s software testing practices. Another law firm, Gibbs Law Group, has announced it is looking into bringing a class action on behalf of small businesses affected by the outage.
In response to WIRED’s inquiry about the shareholder class action, CrowdStrike says, “We believe this case lacks merit, and we will vigorously defend the company.” In a letter to Delta’s legal counsel seen by WIRED, a legal representative for CrowdStrike said that the company “strongly rejects any allegation that it was grossly negligent or committed willful misconduct.” Microsoft declined to comment. Delta’s legal counsel declined an interview request.
Those hoping to recover financial losses will need to find creative ways to frame their cases against CrowdStrike, which is insulated to a great extent by clauses typical of software contracts that limit its liability, Cardi says. Though it may seem intuitive that CrowdStrike be on the hook for its mistake, the company is likely to be “pretty well-guarded” by the fine print, he adds.
Limitation Clause
Despite CrowdStrike conceding responsibility for the outage, neither direct customers nor businesses disrupted by proximity—i.e., the customers of CrowdStrike customers—will find it easy to recover their losses. The first question will be: What specifically would they be suing CrowdStrike for? There are a handful of theoretical options—breach of contract, negligence, or fraud—but none of them are straightforward.
Although customers may argue that CrowdStrike breached its contract in some way, “the amount of money they could recover is likely to be severely limited by the limitation clause,” says Paul MacMahon, associate professor of law at the London School of Economics and Political Science. The purpose of any such clause is to act as a sort of get-out-of-jail-free card, limiting the amount of money a software vendor has to pay out. The specific contents of the contracts entered into by CrowdStrike and its customers will differ from case to case, but the general terms and conditions limit CrowdStrike’s liability to only the amount its customers pay for its services.
