On July 18, 2024, Texas-based cybersecurity company CrowdStrike issued a defective update for its Falcon software that caused Windows computers running the Falcon sensor to crash. (The update was a sensor content update, a so-called channel file, not a new version of the sensor itself.) CrowdStrike's Falcon software is a widely used endpoint detection and response (EDR) product, employed by 298 of the Fortune 500 companies, including many major global banks, healthcare providers, airlines, and energy companies, as well as the U.S. government. Microsoft estimates that approximately 8.5 million Windows devices were directly affected by the flawed update. However, victims of the defective update may not see a massive payday for their inconvenience.
After receiving the faulty update, Windows machines running CrowdStrike Falcon crashed with a "blue screen of death," often in a reboot loop, halting their owners' daily operations. The crash resulted in grounded flights, 911 call systems glitching, patients unable to access their medical records, and even the inability to pay estimated federal taxes online. The defect required manually booting each affected PC into Safe Mode or the Windows recovery environment, deleting the bad file, and restarting, which generally cannot be done remotely because a crashing machine never boots far enough to receive a remote command. The inability to cure the defect remotely required impacted companies and agencies to deploy technology specialists to locations across the country. And for an industry with a massive talent gap, remediation will likely take days or weeks, despite CrowdStrike issuing its "fix" (a corrected channel file) within hours of the initial update's release.
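The manual fix described above, as an added example that is not code from the original post or from CrowdStrike. It assumes the affected host has been booted into Safe Mode (or into WinRE with PowerShell available) and that the Windows volume is mounted at the drive letter passed in -SystemDrive, which under WinRE is frequently not C:. The directory and file pattern follow CrowdStrike's public remediation guidance for this incident: the faulty channel file matched C-00000291*.sys and carried a 2024-07-19 04:09 UTC timestamp, while a copy stamped 2024-07-19 05:27 UTC or later is the corrected version. The timestamp comparison is a safety check added here, not part of that guidance.

```powershell
# Added example, not from the original post or from CrowdStrike.
# Assumes: host booted to Safe Mode or WinRE; Windows volume mounted at -SystemDrive.
# Path and pattern follow CrowdStrike's public remediation guidance; the 05:27 UTC
# cutoff is the timestamp of the corrected channel file per that guidance.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SystemDrive = "C:"   # under WinRE the offline Windows volume is often D: or E:
)

$channelDir = Join-Path $SystemDrive "Windows\System32\drivers\CrowdStrike"
# Files written at or after this instant are the reverted (good) channel file.
$goodSince = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)

if (-not (Test-Path -LiteralPath $channelDir)) {
    Write-Warning "No Falcon channel-file directory at $channelDir; check the drive letter."
    return
}

$candidates = Get-ChildItem -LiteralPath $channelDir -Filter "C-00000291*.sys" -File
if (-not $candidates) {
    Write-Host "No C-00000291*.sys channel files present; nothing to remove."
    return
}

foreach ($file in $candidates) {
    $stampUtc = $file.LastWriteTimeUtc
    if ($stampUtc -ge $goodSince) {
        # A corrected copy is already in place (the sensor re-downloaded it); leave it alone.
        Write-Host "Keeping $($file.Name) (last written $stampUtc UTC, at/after corrected build)."
        continue
    }
    # SupportsShouldProcess gives the script -WhatIf and -Confirm for a dry run first.
    if ($PSCmdlet.ShouldProcess($file.FullName, "Delete faulty Falcon channel file")) {
        Remove-Item -LiteralPath $file.FullName -Force
        Write-Host "Removed $($file.Name) (last written $stampUtc UTC)."
    }
}
Write-Host "Reboot normally; the Falcon sensor fetches the corrected channel file on its own."
```

Run it first with `-WhatIf` to see what would be deleted. Deleting a copy that was in fact already corrected is harmless, since the sensor re-downloads the current channel file on the next boot, so when the file timestamps look unreliable the guidance's simpler rule (delete every match) is safe. The step that made mass remediation slow in practice was not the deletion itself but mounting the drive: on BitLocker-protected volumes WinRE prompts for the recovery key before the Windows volume can be accessed at all.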
Bad actors immediately tried to capitalize on the confusion caused by CrowdStrike's outage, with phishing campaigns impersonating CrowdStrike support and offering bogus "fixes" increasing substantially as of Friday morning. While the effects of the lapse are not yet fully realized, many companies have already suffered business losses, with several global airline carriers receiving attention for grounded flights, cancellations, and delays. Given the lost profits and expenses incurred through the interruption, the airlines and other impacted entities will undoubtedly look to recover from CrowdStrike.
Software vendor contracts are of utmost importance (especially now). Software service agreements typically limit the vendor's liability for unanticipated defects or errors. Some agreements disclaim all liability, whereas other contracts cap damages at the value (or a percentage) of the fees paid under the agreement. Absent unlawful provisions within the applicable contract, courts will enforce the agreement as written.
CrowdStrike's terms of service limit entities seeking recovery against the software giant to the fees they previously paid to CrowdStrike for the Falcon software. Therefore, CrowdStrike's financial exposure from this event is somewhat limited, and courts are unlikely to set aside the contract's provisions.
In August 2023, the U.S. District Court for the Southern District of Florida granted a motion to dismiss claims against a software vendor in JustTech, LLC v. Kaseya US LLC, 2023 U.S. Dist. LEXIS 151834, 2023 WL 5529845 (S.D. Fla. 2023). There, a dispute arose between a managed service provider ("MSP") and Kaseya, a global technology company that provides MSPs with IT management and security software (the "VSA software"). In April 2021, Kaseya learned of a zero-day vulnerability affecting the VSA software, and in July 2021 a ransomware attack by the Russia-based REvil group exploited it, crippling Kaseya's clients and those clients' downstream customers. Kaseya released software patches, but operational business losses mounted, and Kaseya was sued for negligence. Kaseya moved to dismiss these claims because its software licensing agreement (the "EULA") was carefully crafted to disclaim duties and liability to all parties, including direct customers, affected by software issues. The court agreed, holding that the plaintiff could not rely on representations made outside the EULA itself to support its lawsuit.
The JustTech decision will support CrowdStrike's eventual argument, in response to future lawsuits, that all liability is limited to what the Falcon EULA permits. Where a contract exists between CrowdStrike and its customers, courts are unlikely to impose extracontractual duties of care on CrowdStrike.
Impacted businesses are best advised to seek recovery through available insurance proceeds. Depending on the coverage purchased, certain policies may provide "contingent business interruption" or "dependent business interruption" benefits, which may allow recovery of far more than a refund of fees from CrowdStrike.