+

Cookies on the Business Insider India website

Business Insider India has updated its Privacy and Cookie policy. We use cookies to ensure that we give you the better experience on our website. If you continue without changing your settings, we\'ll assume that you are happy to receive all cookies on the Business Insider India website. However, you can change your cookie setting at any time by clicking on our Cookie Policy at any time. You can also see our Privacy Policy.

Close
HomeQuizzoneWhatsappShare Flash Reads
 

CrowdStrike's terms and conditions say most customers would just get a refund due to the massive outage, cybersecurity lawyer says

Jul 20, 2024, 03:22 IST
Business Insider
The CrowdStrike outage disrupted airlines, causing delays and grounding flights.AP Photo/Ross D. Franklin
  • CrowdStrike's botched update caused flight disruptions, 911 call issues, and medical record blocks.
  • CrowdStrike's terms cap liability to fees paid, limiting compensation for affected companies.
Advertisement

The devastating outages from CrowdStrike's botched security update Friday grounded flights, glitched 911 call lines, and blocked patients from accessing their medical records.

But, according to the cybersecurity company's terms and conditions, CrowdStrike doesn't have to shell out anything more than a simple refund.

The terms for CrowdStrike's Falcon security software — which is used by companies and government agencies around the world — limit liability to "fees paid."

That means that if a company had a claim against CrowdStrike for the damage or lost revenue to its business, the most it could recover is just what it paid to CrowdStrike, according to Elizabeth Burgin Waller, the chair of the Cybersecurity & Data Privacy practice at Woods Rogers.

That means CrowdStrike users who signed the standard terms and conditions can't expect to get more than a refund from the company, Waller said.

Advertisement

"Even if they did cover that lost revenue or downtime, they limit the recovery against CrowdStrike to fees paid," Waller told Business Insider. "So whatever I paid for fees to CrowdStrike, that's what the limitation of liability would be."

Bigger companies using CrowdStrike's software — like some of the airlines or hospital chains affected — may have negotiated different terms and conditions contracts with the cybersecurity company. Those contracts aren't public, and it's possible they contain terms that would hold CrowdStrike liable for more damages, Waller said.

"If you're a huge company, you might have been able to get some negotiation around that," she said.

A representative for CrowdStrike didn't immediately respond to Business Insider's request for comment about how it will enforce its terms and conditions.

To cover all the expenses being paid to deal with the CrowdStrike fallout — including hiring IT people to install another update that fixes the issue on Windows machines, lost employee productivity, fixing issues for customers, and possible legal expenses for publicly traded companies that need to file relevant securities reports for investors — most companies will have to turn to cyber insurers, Waller said.

Advertisement

According to Waller, most cyber insurance companies have policies that cover "contingent business interruption" or "dependent business interruption." Those allow companies to recover damages from insurers against third-party cybersecurity companies they depend on. CrowdStrike's Falcon software, which monitors threats on computers, could qualify.

"If I've got a big stop sign in front of me — terms and conditions against CrowdStrike — or if I can only get a refund, then I need to go look to my own cyber insurance policy," Waller said.

Many such policies cover only malicious events like hacking, Waller said.

"We've just got a software glitch. So I think we're going to see lawsuits filed against cyber insurance carriers for years to come, I imagine, on this outage," Waller said. "This is a pretty big, from a cyber insurance standpoint, I think this is also going to spawn a lot of litigation about what's covered and what is intended under these different policies."

CrowdStrike can expect SEC scrutiny

As for CrowdStrike, it can expect lawsuits from shareholders, customers who want to try to obtain more damages, and likely an investigation from the Securities and Exchange Commission, Waller said.

Advertisement

The company, which is publicly traded, will have to file an 8-K report in the next few days with the SEC that lays out what went wrong with the Falcon update.

By a strange coincidence, the CrowdStrike disaster came a day after a major ruling by a federal judge in Manhattan in favor of SolarWinds — a technology security company that was breached in a 2020 Russian cyberespionage campaign — in a lawsuit brought by the SEC.

The SEC alleged SolarWinds didn't sufficiently update investors and the public about the massive scope of the fallout from the Russian hack. But US District Judge Paul Engelmayer ruled Thursday that the company didn't need to provide the "maximum specificity" the SEC demanded.

That ruling gives some breathing room to CrowdStrike, a $73 billion company, which has a responsibility to update investors and the public about what happened — but now needs to worry less about just how much detail it provides.

"You need to convey the severity of what is happening, but we don't need to be really concerned about the nitty gritty details or what we don't know," Waller said.

Advertisement
You are subscribed to notifications!
Looks like you've blocked notifications!
Next Article