When the now infamous CrowdStrike software update took down companies all over the world in July, it was inevitable that lawsuits would follow — and follow they have. Delta suing the company for as much as $500 million in damages and hiring lawyer David Boies is perhaps the highest-profile example.
Among Boies’ wide range of high-profile clients are Theranos, Harvey Weinstein, victims of Jeffrey Epstein, and Al Gore in Bush v. Gore around the results of the 2000 presidential election. He also led the government’s antitrust case against Microsoft in the 1990s.
Even before Delta came forward, shareholders were looking for their pound of flesh, filing a class action lawsuit against CrowdStrike alleging that the company had misled them regarding its software update procedures.
For its part, CrowdStrike hired the law firm Quinn Emanuel Urquhart & Sullivan to defend the company against the expected onslaught of legal action, giving credence to the idea that lawyers were going to make big bucks off of this mistake.
To a lesser extent, Microsoft has also been drawn into the battle because the faulty CrowdStrike software update only affected Windows machines.
But for the most part, it’s CrowdStrike’s cross to bear, and it is facing a daunting legal challenge, says Rob Wilkins, who works at Florida law firm Jones Foster, where he co-chairs the complex litigation and dispute resolution practice group. What could save CrowdStrike, however, is contractual limits on damages, which are typically built into enterprise software contracts.
“What I found was interesting is that there’s a contractual limit on damages between CrowdStrike and Delta, and I assume that there’s going to be a similar type of contractual limit on damages in the other customers’ contracts,” Wilkins told .
Delta is alleging, however, that the bad software update amounted to gross negligence or willful misconduct on CrowdStrike’s part, which could potentially void the contractual cap. Delta service was disrupted for five days, compared with United, which faced only three days of CloudStrike-related delays. CrowdStrike says that Delta has had issues with its own internal systems and that the company can’t attribute the entire outage to the faulty update from CrowdStrike.
Wilkins says Delta could have problems proving gross negligence or willful misconduct, which carries a significant burden of proof. Shareholders alleging the company misled and defrauded them by not warning them about their lack of a software testing regimen also face significant challenges proving that in court.
“It comes down to: Was CrowdStrike intentionally misrepresenting or failing to tell the investors that it was completely up to date with respect to all of its security procedures and control procedures with respect to its software platform?” Wilkins said.
Wilkins says that whatever happens, the individual companies suing CrowdStrike will likely come together to file a class action suit against the company because individual suits will get costly and unwieldy for everyone involved. It’s worth noting, he says, that once there is a class action, that tends to attract more companies that want to be included.
“Typically with class actions, people pile on, and I wouldn’t be surprised if that’s the case, and then you see everything being consolidated into a by the multidistrict litigation panel, assigning all the cases across the country to one particular federal district court for all discovery-related purposes — and that cuts down significantly on the process,” he said.
Once that is in place, there tends to be a “bellwether” trial, where one case is floated as a test case for all the other plaintiffs in the class action, and however the jury decides, that’s a road map for other settlements moving forward. “Then you can go back to CrowdStrike and say, ‘Look, you got hit for $20 million by this one company, and we’ve got 15 other companies that are suing you in these class actions with the same facts, etc., you should settle,’” he said.
One other complicating factor is the role of insurance companies, which would be covering CrowdStrike and its customers against possible damages in these cases. The customers’ insurance companies might be coming after CrowdStrike as well to get back some portion of the payments they made.
“There’s probably insurance there, and they’re probably going to have the carrier come in, and usually they defend these things. While I haven’t seen their specific policy, in cybersecurity policies that I reviewed, it would cover this type of negligence. And so it depends on what they have, and what exclusions they have in their policy, but I do see insurance being a part of it.”
In addition to the monetary issues, Wilkins says there is a reputational component, and the sooner this all goes away, the sooner CrowdStrike can move forward. The company has hired good attorneys to defend itself, but at the end of the day, the company will have to make peace with shareholders and customers, relationships that are key to the success of any business.
“It seems to me that their approach to this is going to be to fight, but also to fight with the understanding that they really need to resolve it and move on, so that’s what I would expect.”