When the now-infamous CrowdStrike software update took down businesses around the world in July, lawsuits were inevitable, and they have followed. Delta Airlines is perhaps the most famous example, seeking $500 million in damages and hiring lawyer David Boies.
Boies's wide-ranging list of high-profile clients includes victims of Theranos, Harvey Weinstein and Jeffrey Epstein, and Al Gore in the Bush v. Gore case over the 2000 presidential election results, and he also led the government's antitrust lawsuit against Microsoft in the 1990s.
Even before Delta came forward, shareholders had filed a class action lawsuit against CrowdStrike seeking damages, alleging the company misled shareholders about its software update procedures.
Meanwhile, CrowdStrike has hired the law firm Quinn Emanuel Urquhart & Sullivan to defend the company against an expected barrage of lawsuits, lending credence to the idea that lawyers will make a lot of money from the mistake.
To a lesser extent, Microsoft has also been drawn into the fight, as a glitch in CrowdStrike's software updates only affected Windows machines.
But it's largely a burden CrowdStrike has to shoulder, and the company faces tough legal challenges, said Rob Wilkins, co-chair of the Complex Litigation and Dispute Resolution practice group at Florida law firm Jones Foster. What could save CrowdStrike, however, are contractual limitations on damages that are typically built into enterprise software agreements.
“What I found interesting is that there are contractual limitations on indemnification between CrowdStrike and Delta, and it's likely that other customer contracts have similar contractual limitations on indemnification,” Wilkins told TechCrunch.
However, Delta argues that the glitchy software update constituted gross negligence or willful misconduct on CrowdStrike's part, potentially voiding its contractual caps. Delta's flights were interrupted for five days, while United Airlines experienced only three days of CrowdStrike-related delays. CrowdStrike says Delta had issues with its own internal systems and cannot attribute the outages entirely to CrowdStrike's glitchy updates.
Wilkins said it may be difficult for Delta to prove gross negligence or willful misconduct, which carries a large burden of proof. Shareholders who claim the company misled and deceived them by failing to warn them about the lack of software testing would also have a very hard time proving that in court.
“Ultimately, did CrowdStrike knowingly misrepresent or fail to represent to investors that all of the security and control procedures for its software platform were up to date?” Wilkins said.
Wilkins said that whatever happens, the individual companies suing CrowdStrike will likely band together to file a class-action lawsuit against the company because individual lawsuits would be costly and unwieldy for all involved. He said it's notable that when a class-action lawsuit arises, more companies tend to want to join.
“Class actions generally bring in people in droves. I wouldn't be surprised if that's the case. And then the Multidistrict Litigation Commission consolidates everything and assigns all the cases across the country to specific federal district courts for discovery-related purposes. That speeds up the process a lot,” he said.
Once that's in place, they tend to have a “bellwether” trial where one lawsuit emerges as a test case for all the other plaintiffs in the class action, and whatever the jury rules, that becomes the roadmap for future settlements. “They can then go back to CrowdStrike and say, 'We lost $20 million from this one company, but there are 15 other companies suing us in a class action based on the same facts and so forth. We should settle,'” he said.
Another complicating factor is the role of insurance companies in indemnifying CrowdStrike and its customers for potential damages in these cases, as those customers' insurance companies may also pursue CrowdStrike to recoup some of the money they paid.
“There's probably insurance and an insurance company will step in and typically defend against these types of events. I haven't seen their specific policy, but the cybersecurity policy I looked at covered this type of negligence. So it depends on what they have and what exclusions their policy has, but insurance is certainly part of it.”
In addition to financial issues, Wilkins said there are reputational issues, and the sooner this is resolved, the sooner CrowdStrike can move forward. The company has hired good lawyers to defend itself, but at the end of the day, it has to settle with shareholders and customers. Those relationships are key to the success of any business.
“The way I see it, their approach to this is to fight, and also to fight with the understanding that they really need to resolve this and move forward, so I expect that.”