Is there a claim? – The legal implications of the CrowdStrike incident

A brief overview of potential claims arising from the faulty update that affected thousands worldwide.

What happened?

On 19 July 2024 CrowdStrike, a leading cybersecurity company, released an update that caused some of its customers' systems to crash or malfunction. The update was intended to fix a vulnerability in the “Falcon” software, but the update had a bug that caused Falcon to block legitimate applications and processes, resulting in operational disruptions and service outages for thousands of customers. CrowdStrike quickly rolled back the update and apologised for the incident, but the damage was already done.

While the full fall out from the incident will not be known for some time, it is certain to have some legal implications.  Given the financial impact, we have considered some of the headline claims that may arise.  

What are the legal claims?

The CrowdStrike incident could trigger a variety of legal claims from different parties, depending on the nature and extent of the harm suffered. Some of the possible claims are:

• Insurers: Businesses that suffered losses or faced claims from their customers due to the incident could seek coverage from their insurers under their business interruption or liability policies (particularly those that cover cyber risks). The success of these claims would depend on the timely notification of the incident to the insurers, and whether the policies cover the type and extent of the losses or claims. Some policies may have exclusions or conditions that could limit or deny the coverage for cyber-related incidents or third-party claims.  A careful review of the policies in place will be required.  
• Claims against CrowdStrike/suppliers: Customers who experienced operational issues or lost revenue due to the faulty update may have a claim against CrowdStrike (or the party providing the CrowdStrike service/update). The success of these claims would depend on the terms and conditions of the contract between CrowdStrike and its customers, and whether there are any exclusions or limitations of liability.  It will be vital to follow the contractual chain to ascertain specific obligations.  Additionally, some contracts may have “force majeure” clauses that, depending on the wording of the clause, could excuse CrowdStrike from liability if the incident was caused by unforeseeable circumstances beyond its control.
• Customers against Businesses: Businesses may also face claims from customers who were unable to access their services or products. The success of these claims would again depend on the contractual obligations and liabilities of the businesses, and whether they communicated effectively with their customers and offered any remedies or compensation. Some contracts may also have “force majeure” clauses that could protect the businesses from liability, although this will depend on the strict wording of the clause.

What are the implications?

The CrowdStrike incident highlights the importance of cybersecurity and risk management for businesses and customers alike. It also shows the complexity and uncertainty of the legal landscape surrounding cyber incidents, and the need for clear and comprehensive contracts, policies, and procedures to deal with them. 

What next?

Businesses and customers should review their contracts and policies carefully and seek legal advice if they have any questions or concerns about their rights and obligations in the event of a cyber incident.