What the Delta-CrowdStrike lawsuit may mean for IT contracts

The recent exchange of allegations between Delta and CrowdStrike reveals legal arguments Delta could use to recover the massive losses suffered in the CrowdStrike outage.

Delta Air Lines' looming battle to recover the more than half a billion dollars in damages from the CrowdStrike global outage gives enterprises a front-row seat to a legal drama from which no organization is immune.

Delta publicly blamed CrowdStrike for the revenue loss. CrowdStrike's faulty software update, released on July 19, crashed Delta's 37,000 Microsoft Windows computers and disrupted the travel plans of 1.3 million customers.

CrowdStrike claimed the poor state of Delta's IT infrastructure had delayed the airline's recovery for several days while rivals American Airlines and United Airlines had their systems up and running much faster.

The exchange provides a hint of the legal arguments central to a possible courtroom battle, lawyers said. CrowdStrike's denial that it was "grossly negligent" or committed "willful misconduct" in releasing the ill-fated update that caused the largest IT outage in history suggests it is ready to defend itself against such legal accusations.

Claims of gross negligence and willful misconduct accuse a defendant of doing something reckless while knowing and disregarding its potential to cause severe damages. The allegations, if successful, would override the liability limit of "single-digit millions" of dollars in Delta's contract.

"Those kinds of buzzwords that are probably in the contract would allow Delta, if they were successful, to get out from under whatever that single-digit million cap is," said Joseph Swanson, a partner at Foley and Lardner.

In a letter sent to CrowdStrike lawyers and released publicly, Delta said, "Given CrowdStrike's conduct, there is no liability cap at single-digit millions. The contract does not cap liability or damages for gross negligence or willful misconduct."

CrowdStrike's claim that Delta failed to modernize its IT infrastructure could be in preparation for a defense based on the concept of contributory negligence, Swanson said. That's when a tech company might concede that it screwed up, but the victim made the resulting damages worse by failing to invest in its IT infrastructure adequately.

Contributory negligence would be a difficult argument because technology constantly evolves, and staying up to date is extremely difficult for even well-resourced companies.

Delta will likely argue that it has spent billions of dollars on IT, and no company can get everything right, Swanson said.

Delta appeared to make that argument in its letter, writing, "Delta has achieved its industry-leading reliability and service due, in part, to investing billions of dollars in information technology."

Figure: Timeline of CrowdStrike outage events.

Contract lessons in the Delta-CrowdStrike dispute

Contributory negligence, gross negligence and willful misconduct fall under tort law, which covers the harm a company would suffer from the unreasonable acts of another. Proving guilt under those legal terms is complicated and can cost hundreds of thousands of dollars, if not millions, in legal fees, lawyers said.

Losses as huge as Delta's justify spending the money to pursue those claims as well as those centered on breach of contract. Delta has not provided details on how CrowdStrike violated its agreement with the airline.

Nevertheless, enterprises should be aware of several elements of a contract that would be critical in most disputes between organizations and IT vendors, including the Delta-CrowdStrike squabble, lawyers said.

First and foremost, the contract must clearly define what the vendor has agreed to do, when it will do it, and how much it will cost, said Brad Frazer, a partner at Hawley Troxell. The statement of work clause is the first thing he asks for when a client comes to him with a problem.

"It's much easier to sue somebody if you've got a statement of work," Frazer said. "Because now we have a clear standard to measure the [vendor's] performance against when we sue."

Negotiating the highest liability limit possible with a vendor is critical. However, it's unlikely ever to cover damages as severe as Delta's. That's because the amount a vendor is willing to pay depends on the size of the contract. A $100,000 agreement, for example, wouldn't make sense if the potential liability were $20 million.

Often, an enterprise is stuck with the liability limit if there were no extenuating circumstances that would force the vendor to pay more. Morvareed Salehpour, head of the law firm Salehpour Legal in Los Angeles, described hitting that ceiling while trying to get more money for a client whose software vendor had suffered a security breach.

"They had been disrupted, their data had been breached, but I felt like I was negotiating with my hands tied behind my back," Salehpour said.

Another crucial contract negotiation is indemnification, which makes the vendor responsible for lawsuits filed against the customer because of a vendor-caused outage or security breach, lawyers said. Delta faces a federal class-action suit seeking refunds for travelers affected by the airline's cancellation of 7,000 flights over five days.

Indemnification also includes protecting the customer from expensive lawsuits accusing the IT vendor of violating another IT provider's intellectual property rights.

"If they don't give me [indemnification], then I might walk away," Frazer said.

Antone Gonsalves is an editor at large for TechTarget Editorial, reporting on industry trends critical to enterprise tech buyers. He has worked in tech journalism for 25 years and is based in San Francisco.
