The damage from the largest computing failure in history – the failure of CrowdStrike's security software update that paralyzed healthcare institutions, banks, airlines, and about 8.5 million computers worldwide over the last weekend – is estimated to exceed one billion dollars. This estimate by Anderson Economic Group includes the direct damage caused to CrowdStrike customers due to the shutdown of their systems and the indirect damage such as overtime pay to their employees to complete the work they couldn't perform during the downtime.
In reality, the extent of the damage seems much higher: individuals and businesses using the services of CrowdStrike's customers suffered damage due to the system shutdown. For example, banking transactions were delayed due to the inability to connect to internet systems used by the customers of affected banks; flights were canceled; surgeries were postponed, and more. In all likelihood, damages also include loss of business opportunities and losses to those who do not directly use CrowdStrike products. Beyond that, the data security company claimed that malicious actors are trying to exploit the chaos and deceive its customers by impersonating it in phone calls and phishing messages. Finally, CrowdStrike's shares dropped by at least 13% after the incident.
Who Is Responsible for These Damages?
Organizations using CrowdStrike's security software are bound by license agreements. The company's terms of use limit its liability to the consideration that the customer paid CrowdStrike for the service. Additionally, the terms provide that in case of software failure, the company can either fix the deficiency or terminate the agreement and refund the customer a pro-rated amount, and the customer is not entitled to further compensation. Therefore, customers suing CrowdStrike for breach of contract face a contractual obstacle. If they do not overcome it, they will be entitled to limited compensation, if at all. However, under certain laws, courts may invalidate contractual provisions limiting the company's liability. For instance, Israeli law provides that an unduly disadvantageous term in a standard-form contract can be voided or modified by the court. Similarly, California law provides that a limitation of liability for indirect damages in a commercial contract is invalid if the limitation is unconscionable.
Businesses and individuals who are clients of organizations directly impacted by the software failure are not bound by CrowdStrike's terms of use and are therefore not restricted by them. In the absence of a contractual relationship between them and CrowdStrike, they can sue the company for negligence. The lawsuit can seek class-action certification. In practice, it is likely these actors will sue the organizations that directly provide the service to them, and those organizations, in turn, will seek indemnity from CrowdStrike.
Can CrowdStrike users seek indemnity for their customers' claims? On one hand, the indemnity clause in CrowdStrike's terms of use provides that the company will indemnify the customer only for claims by third parties for infringement of intellectual property rights. On the other hand, the clause does not explicitly preclude indemnification in other cases. In any case, leaving disgruntled customers to deal on their own with damage they are not at fault for fosters poor publicity for CrowdStrike and its products. Presumably, the company will settle, but CrowdStrike can expect significant legal predicaments in the coming year.
The final type of affected parties is CrowdStrike's shareholders. They were harmed by the decline in the share price. Several law firms in Israel and around the world have already announced they are considering a lawsuit against the company on behalf of its shareholders, alleging unlawful business practices.
The extent of the damage caused by the failure in the update to CrowdStrike's software is still being assessed. As the initial dust settles, more and more legal proceedings are expected against CrowdStrike and its customers. In an incident such as this, which did not result from a cyber-attack but (apparently) from human error, it remains to be seen how far the courts will extend the company's liability and what impact one mistake will have on its future.