It was inevitable that lawsuits would ensue when the CrowdStrike software update, which is now infamous, brought down companies worldwide in July. And they have.
The most high-profile example may be Delta’s lawsuit against the company for up to $500 million in damages, for which it has employed attorney David Boies.
Theranos, Harvey Weinstein, victims of Jeffrey Epstein, and Al Gore in Bush v. Gore, which revolved around the results of the 2000 presidential election, are among the numerous high-profile clients of Boies. In addition, he was the lead attorney in the government’s antitrust lawsuit against Microsoft during the 1990s.
Before Delta came forward, shareholders were already seeking their compensation. They filed a class action lawsuit against CrowdStrike, alleging that the company had misled them about its software update procedures.
CrowdStrike retained the law firm Quinn Emanuel Urquhart & Sullivan to defend the company against the anticipated onslaught of legal action. This decision reinforced the notion that attorneys would profit significantly from this error.
Microsoft has also been implicated in the conflict to a lesser extent because the CrowdStrike software update was defective and only affected Windows machines.
However, Rob Wilkins, co-chair of the complex litigation and dispute resolution practice group at Jones Foster, a Florida law firm, asserts that CrowdStrike is primarily responsible for the situation and is confronted with a formidable legal obstacle. Still, the contractual limitations on damages typically included in enterprise software contracts could save CrowdStrike.
In an interview with TechCrunch, Wilkins stated, “I was intrigued by the contractual damage limit between CrowdStrike and Delta. I anticipate the other customers’ contracts will also contain a similar damage limit.”
Delta is asserting, however, that CrowdStrike’s gross negligence or willful misconduct was the cause of the defective software update, which could potentially invalidate the contractual limit. Delta’s service was disrupted for five days, while United experienced delays related to CrowdStrike for only three days.
CrowdStrike has stated that Delta has encountered complications with its internal systems and that the company cannot directly link the entire disruption to the faulty update from CrowdStrike.
According to Wilkins, Delta may encounter challenges in substantiating proof of gross negligence or willful misconduct, which imposes a substantial burden of proof. Additionally, shareholders who have accused the company of defrauding them by failing to notify them of the absence of a software testing regimen face substantial obstacles in substantiating their claims in court.
“The question is as follows: Did CrowdStrike intentionally misrepresent or fail to inform the investors that it was fully compliant with all of its security procedures and control procedures regarding its software platform?” Wilkins stated.
Wilkins predicts that the companies prosecuting CrowdStrike will likely collaborate to file a class action lawsuit against the company, as the cost and complexity of individual lawsuits will be prohibitive for all parties. He emphasizes that the presence of a class action often serves as an incentive for additional companies to participate.
“I would not be surprised if people pile on in class actions, and then everything is consolidated into a single federal district court for all discovery-related purposes by the multidistrict litigation panel. This significantly reduces the process,” he said.
Once that is established, a “bellwether” trial is typically conducted, in which a single case is presented as a test case for all other plaintiffs in the class action. Regardless of its outcome, the jury’s decision serves as a guide for future settlements.
“You can then return to CrowdStrike and assert that you have been sued for $20 million by a single company, and we have 15 additional companies that are suing you in these class actions with the same facts. Therefore, you should settle,” he stated.
Another complicating factor is the role of insurance companies, which would protect CrowdStrike and its customers from potential damages in these situations. The clients’ insurance companies may also pursue CrowdStrike to recover some of their payments.
“Insurance coverage is probably in place, and the carrier will likely be summoned to provide defense. The cybersecurity policies I reviewed would encompass this negligence, although I have not seen their specific policy yet. Therefore, it is contingent upon the terms of their policy and its exclusions; however, I anticipate that insurance will be a component.”
According to Wilkins, there is a reputational component in addition to the monetary issues, and the sooner these issues are resolved, the more quickly CrowdStrike can progress. The company has retained competent attorneys to represent it; however, it will ultimately be required to reconcile with shareholders and customers, which are essential for the success of any enterprise.
“It appears to me that their strategy for resolving this issue will be to engage in combat, but they will also do so with the recognition that they must move forward.”