When a faulty update from cybersecurity vendor Crowdstrike crashed 8.5 million Microsoft systems, the travel industry ground to a halt. But one company appeared to struggle with returning to normality more than most: Delta Air Lines.
In October, the US airline sued Crowdstrike for $500m (£388m). In the company’s Q3 earnings call, Delta estimated the incident cost the business $380m (£295m) in lost revenue and $170m (£132m) in associated expenses. The two firms are now engaged in a legal battle, exchanging public statements and lawsuits.
Legal experts claim Delta is unlikely to win its lawsuit but a victory could have significant implications for software liability.
Delta vs Crowdstrike lawsuit: what happened?
The faulty software update issued by Crowdstrike on 19 July was responsible for one of the largest IT outages in history. This update had access to the Microsoft kernel – the core of any operating system – where it had access to memory on client devices. Many users encountered a never-ending ‘blue screen of death’ and had to reboot their devices manually.
Banks, hospitals, media groups, retailers, delivery companies and manufacturers were impacted by the incident. Airports and airlines were also forced to close.
Delta cancelled 7,000 flights in the five days following the Crowdstrike IT outage, several thousand more than its the next worst-performing airline operator United Airlines. As other airlines resumed operations days after the faulty update, Delta continued to struggle – ultimately prompting a probe from the US Department of Transportation.
We are opening Pandora’s Box… cybersecurity business will become impossible
Delta is accusing Crowdstrike of breach of contract and negligence. In a lawsuit, Delta alleged Crowdstrike “caused a global catastrophe” because it “cut corners, took shortcuts and circumvented the very testing and certification processes it advertised, for its own benefit and profit”.
Crowdstrike counter-sued to establish it was not liable and claims Delta refused help throughout the incident. It’s seeking a declaratory judgment and legal fees as a result.
“Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernise its antiquated IT infrastructure,” a Crowdstrike spokesperson said.
Could Delta win its lawsuit?
In order to win, Delta will need to prove Crowdstrike acted with gross negligence, says liability lawyer Ramzy Ladah. It’s one thing to claim faulty software caused an outage, he says, but another to prove Crowdstrike didn’t take adequate precautions on testing or monitoring.
Delta must show the failure exceeded any regular mistakes and crossed into reckless or careless behaviour in order to circumvent the liability limits set out in its contract. Liability caps protect companies, such as Crowdstrike, by limiting their financial exposure, but a gross negligence claim could see Delta seek higher damages beyond indemnity coverage, Ladah says.
If Delta wins, this would create a full spectrum of problems for everybody
Delta would have to prove that Crowdstrike’s actions led to Delta’s problems, according to Benson Varghese, managing partner of law firm Varghese Summersett. It would have to show that the software flaw caused the damages which is particularly difficult in cybersecurity due to its complexity, he adds.
The lawsuit becomes more complex if Delta’s internal practices contributed to its operational difficulties. Legal disputes often amount to who can prove they did everything reasonable to prevent harms.
Proving negligence wouldn’t be impossible, but it would be a “long shot”, according to Ilia Kolochenko, cybersecurity practice lead at Platt Law. Going to court would most probably involve a drawn out “fierce battle of expert witnesses”, he says.
Kolochenko believes the breach of contract claim may have a better chance, but notes that most vendor contracts expressly exclude or cap damages, leaving the plaintiff with only a nominal victory in court. “Here, the plaintiff’s legal and judicial costs are poised to be much larger than the judgement,” he says.
The potential impact of Delta versus Crowdstrike
However, if the lawsuit did go to court, a Delta victory could set a major precedent and could encourage other impacted Crowdstrike customers to file their own lawsuits against the company. “If Delta wins, this would create a full spectrum of problems for everybody, where IT and cyber vendors start urgently reviewing their contracts,” says Kolochenko.
Varghese adds that such a win would ensure that cyber firms were held to a higher standard of care – and put vendors in the legal firing line, even if a client is not following best practice. Providers would then likely protect themselves against liability through additional disclaimers and safeguards.
Conversely, says Varghese, a Crowdstrike win would reassert that clients are responsible for their cybersecurity posture and encourage companies to take more responsibility for their cybersecurity operations.
Protracted legal battles rarely end well for either organisation involved, so Kolochenko says it’d be best for everyone if they simply settled. “I think the best outcome for everybody – Delta, Crowdstrike and society – is to settle quietly and forget about this case,” he adds. “Otherwise we are opening Pandora’s Box. Everybody will be suing each other and cybersecurity business will become impossible.”
