The Legal Aftermath of the CrowdStrike Outage
Introduction
After causing millions of computer crashes and disrupting businesses worldwide, the cybersecurity company CrowdStrike now faces a wave of legal challenges that are already starting to unfold.
The outcome will hinge on the finer details. The outage affected computers in air travel, health care and other industries. CrowdStrike is now being sued by multiple parties, including its own shareholders.
This article reports on how and why the company is being sued and whether it could lose.
Sue, Sue, Sue
The many outages that CrowdStrike has caused entail many costs.
It was already clear at the time of the outage that the companies affected would take legal action against CrowdStrike.
Plymouth County Retirement Association
The Texan pension fund (which is also an investor in CrowdStrike) has filed a class action lawsuit against the cybersecurity company[2].
The Plymouth County Retirement Association claims that it was misled by CrowdStrike, which had assured investors that its technology was “validated, tested, and certified.”
The lawsuit alleges that CrowdStrike did not reveal it had weak procedures in place for updating its Falcon software and was not properly testing these updates before releasing them to customers (to be fair, nobody would reveal that).
It also states that this poor software testing created a significant risk that an update to Falcon could lead to major outages for many of CrowdStrike’s customers.
Finally, the lawsuit argues that CrowdStrike didn’t disclose that these outages could cause, and eventually did cause, serious damage to its reputation and legal troubles (I mean, this is somewhat clear…).
Because of this, the lawsuit claims that CrowdStrike’s stock was overpriced until the outage occurred.
CrowdStrike’s response: “We believe this case lacks merit and we will vigorously defend the company.”
Suing Party
On July 29, Delta[1] notified CrowdStrike and Microsoft that it plans to sue them, claiming it lost $500 million because of the outage.
A class action lawsuit has already been filed by the law firm Labaton Keller Sucharow on behalf of CrowdStrike shareholders, who say they were misled about the company’s software testing. Another law firm, Gibbs Law Group, has announced that it is considering filing a class action lawsuit on behalf of small businesses affected by the outage.
The Fine Print
CrowdStrike could be held liable for financial losses caused by the IT outage, but recovering those losses may be difficult due to the liability limitations in its contracts.
These clauses typically cap the amount CrowdStrike would have to pay, making it hard for customers to claim significant damages. While there’s a possibility for lawsuits based on breach of contract, negligence, or fraud, these are complicated by the contracts’ fine print[3] and legal standards. Non-customers affected by the outage have even fewer options, as they likely can’t sue at all.
Although legal action is still possible, especially given the high stakes, success in court is uncertain due to these contractual protections.
Conclusion
The legal aftermath of the outage raises many questions about liability, but also about the responsibility of companies.
I think now is the right time for the industry to think about how this will be handled in the future. Defining and regulating this will not be easy.
We will probably just have to see how CrowdStrike handles these major charges and how it holds up in court.
References
[1] https://www.wired.com/story/crowdstrike-outage-microsoft-delta-lawsuits-analysis/
[2] https://www.forbes.com/sites/kateoflahertyuk/2024/08/02/crowdstrike-is-now-being-sued-by-investors/