Only last Friday did many businesses experience first-hand the speed and severity of the CrowdStrike IT outage. The sudden disruption forced many companies to halt operations, resulting in substantial financial losses; the estimated damage from the outage in Australia alone exceeds A$1 billion. As affected businesses tally their losses, questions about legal responsibility and potential compensation arise, though the answers remain complex from a legal standpoint.
CrowdStrike and various government cybersecurity authorities quickly confirmed that the outage was not caused by criminal activity such as a cyberattack or hacking. This places the matter within civil law, specifically contract and tort law. CrowdStrike's terms and conditions include exclusion clauses that limit liability to "fees paid," effectively capping potential compensation at a simple refund for affected customers. This is common practice among technology companies seeking to protect themselves from litigation arising from software malfunctions.
Because of these exclusion clauses, businesses seeking redress under contract law may find they have few options. Some law firms suggest pursuing class actions under tort claims, such as negligence. For instance, the New Zealand-based law firm Russell McVeagh noted that if an affected organization's own lack of preparedness exacerbated the outage's impact, shareholder claims against that organization or its directors are also possible. Such claims draw on principles established in landmark cases like the 1932 "Donoghue v Stevenson," which extended the duty of care beyond contractual relationships.
The complexity of potential class action lawsuits is further compounded by the international nature of CrowdStrike's customer base and the company's headquarters in the United States. Any class action would likely need to be filed across various U.S. states and other countries. The financial stakes are high, and class action lawyers typically take a significant percentage of any settlement, often between 30% and 80%. Given the outage's global scale, such lawsuits could become some of the most significant litigation matters in history, dragging on for years.
From an economic perspective, the outage has exposed the risks of relying on centralized services like those provided by CrowdStrike without secondary options or contingency plans. The incident disrupted critical sectors, including banking, healthcare, and transportation, with Microsoft estimating that the faulty update affected 8.5 million Windows devices globally. It is a stark reminder of the interconnectedness of the global IT ecosystem and of the urgency of disaster recovery planning, which is now more critical than ever.
As businesses continue to recover, many will turn to their cyber insurance policies. However, traditional business interruption insurance often excludes non-malicious events like this one. This could lead to further litigation as companies and insurers dispute coverage under various cyber insurance policies. The potential for significant repercussions across the cybersecurity industry is high, making it crucial for all involved parties to be cautious and prepared for the legal and financial challenges ahead.
Sources:
https://www.crowdstrike.com/purchase-order-terms/
https://www.crowdstrike.com/terms-conditions/