CrowdStrike’s DevOps failure spawns litigation
Limitations of liability, the economic loss rule, and more…
The largest global IT meltdown ever, caused by CrowdStrike’s rollout of a defective patch that rendered millions of systems inoperable, has spawned a wave of litigation, as I predicted and pointed out earlier, and as Wired has now reported.
Damage vs. Damages
The damage that resulted was enormous, but there remains the question of ‘damages’, what those impacted can recover from CrowdStrike.
Limitations of liability
Companies that subscribed to CrowdStrike’s software are subject to the particular limitations of liability in their contracts with CrowdStrike. CrowdStrike’s terms and conditions generally limit its liability to the cost of its service or subscription. Limitations of liability are not absolute, however, and courts have interpreted and applied them differently; some strictly, others broadly.
Economic loss rule
Third parties that were impacted by the outages (and they are legion) but have no contractual relationship with CrowdStrike will have to deal with the economic loss rule. At least in the United States, courts have applied this common-law doctrine, however unevenly, to bar recovery in tort, e.g., negligence, in the absence of contract, when the negligence of others results in purely economic loss.
Results
Plaintiffs, whether first- or third-party vis-à-vis CrowdStrike, will have to deal with these obstacles to recovering damages. The legal theories and their application will be tested, and there may be some creative advancement of claims.
The enormity of the meltdown may be the watershed moment that leads to regulatory and jurisprudential reform. Regulators in different jurisdictions may be more willing to step in and shape software contracts and permissible scopes of limitations of liability, possibly expanding consumers’ and downstream rights. Courts may find it necessary to redefine and bring greater uniformity to limitations of liability and the economic loss rule. In doing so, they may carve out more legal ground for software makers to be held liable for negligence.
The outage will and should spark greater emphasis on strengthening software makers’ DevOps to ensure that their programs and updates run well and do not cause such damage. And that’s a good thing.