The majority of customers affected by the CrowdStrike outage on July 19, which left Windows hosts stuck on the Blue Screen of Death (BSOD), may only be eligible for a refund. According to a report by Business Insider, despite the scale of the disruption caused by CrowdStrike’s faulty Falcon sensor content update, the company’s standard terms mean it may not have to pay out anything more than a refund of fees.
The update caused widespread disruptions, including flight cancellations, problems with 911 call systems, and loss of access to electronic medical records.
Limited Liability in CrowdStrike’s Terms & Conditions
CrowdStrike’s standard terms and conditions cap the company’s liability at the amount the customer paid for the software. A business hit by the outage therefore cannot claim lost revenue or other consequential damages unless it negotiated different terms beforehand.
Elizabeth Burgin Waller, chair of the Cybersecurity & Data Privacy practice at Woods Rogers, told Business Insider that the standard terms and conditions for CrowdStrike’s Falcon security software cap liability at “fees paid.”
In practice, a company can recover no more than the cost of its CrowdStrike subscription, even if it suffered significant business losses as a result of the outage.
“Even if they covered lost revenue or downtime, they limit the recovery against CrowdStrike to fees paid,” Waller told Business Insider.
Large Companies May Have Different Agreements
Waller suggests that larger companies, such as the airlines or hospital chains impacted by the outage, might have negotiated separate contracts with CrowdStrike that offer more protection. These contracts are not public, but they could hold CrowdStrike accountable for a wider range of damages than the standard terms allow.
“If you’re a huge company, you might have been able to get some negotiation around that,” she said.
CrowdStrike has not yet responded to inquiries about how it intends to apply its terms and conditions in this situation.
Cyber Insurance May Offer Relief
According to Waller, most companies will likely turn to their cyber insurance to cover the costs of the CrowdStrike outage. Those costs include paying IT staff to remediate affected machines, lost employee productivity, handling customer complaints, and, for publicly traded companies, potential legal fees.
Many cyber insurance policies include “contingent business interruption” or “dependent business interruption” coverage, which pays for losses caused by a disruption at a third party the insured depends on, such as a cybersecurity vendor. An outage traced to CrowdStrike’s Falcon software could fall under that coverage.
“If I’ve got a big stop sign in front of me — terms and conditions against CrowdStrike — or if I can only get a refund, then I need to go look to my own cyber insurance policy,” Waller said.
However, Waller cautions that some cyber insurance policies may only cover losses caused by malicious events such as hacking, not by an accidental software defect.
“We’ve just got a software glitch. So I think we’re going to see lawsuits filed against cyber insurance carriers for years to come, I imagine, on this outage,” Waller said. “This is a pretty big deal, from a cyber insurance standpoint, and I think this is also going to spawn a lot of litigation about what’s covered and what is intended under these different policies.”
Potential Lawsuits and SEC Scrutiny for CrowdStrike
Waller predicts that CrowdStrike can expect legal challenges from shareholders and from customers seeking greater compensation, and likely an investigation by the Securities and Exchange Commission (SEC).
As a publicly traded company, CrowdStrike is expected to file a Form 8-K with the SEC within four business days, describing the Falcon update failure and its impact on the business.
Notably, the outage came just after a federal judge in Manhattan ruled largely in favor of SolarWinds, a security software company compromised in a 2020 Russian cyberespionage campaign, in a lawsuit brought by the SEC. The SEC argued that SolarWinds failed to adequately inform investors and the public about the full extent of the hack’s impact. Judge Paul Engelmayer disagreed, finding that the company was not required to disclose with the “maximum specificity” the SEC demanded.
That ruling offers some leeway to CrowdStrike, a company valued at roughly $73 billion. While it has a duty to keep investors and the public informed, it may not need to disclose every technical detail.
“You need to convey the severity of what is happening, but we don’t need to be really concerned about the nitty gritty details or what we don’t know,” Waller said.
Australian Minister Warns of Scams
Meanwhile, Australia’s Minister for Cyber Security, Clare O’Neil, issued a series of tweets urging Australians to be extremely cautious of any suspicious texts, calls, or emails claiming to assist with the CrowdStrike outage.
O’Neil highlighted the importance of protecting vulnerable individuals, including elderly relatives, from potential scams. She encouraged reporting suspicious communications through Scamwatch.
The Minister acknowledged reports of scams in which criminals posed as airlines offering to resolve flight delays, or as technical support staff offering to fix affected systems.
O’Neil assured the public that supermarkets were experiencing minimal issues and there were no food shortages. She emphasized the importance of remaining patient with workers restoring systems across various sectors.
Finally, O’Neil said that CrowdStrike and Microsoft were close to completing an automated fix, to be delivered as an update, which should speed up the return of systems across the economy to normal operation.