11/12/24
The world cannot unsee the images of the “blue screen of death” on millions of Windows devices on July 19, 2024.1 CrowdStrike, an American cybersecurity vendor, released a defective update for its Falcon endpoint detection and response (EDR) sensor to customers’ Windows systems, and the result was a global IT outage. Airlines, hospitals, banks, and governments, among other organizations, were left inoperable.
In a preliminary investigation, CrowdStrike later attributed the error to a logic flaw in a Falcon sensor configuration (content) update; the flawed update passed CrowdStrike’s own validation and was pushed to millions of systems, which CrowdStrike acknowledged as a failure of its development and testing process.2 Because the Falcon sensor runs with kernel-level privileges, a fault in the sensor crashes the entire host rather than just the security product, which is why a single bad update could take down so many machines at once. Contrary to popular belief, CrowdStrike did not suffer a data breach at the hands of a third-party threat actor. However, the availability and security risks created by the outage are not the only concerns that companies and CrowdStrike face in retrospect.
Undoubtedly, companies whose Windows systems rely on CrowdStrike Falcon are calculating their losses from being inoperable. Delta Air Lines certainly is.
On October 25, 2024, Delta filed suit against CrowdStrike in Georgia state court, seeking more than $500 million in losses from the faulty update that “crippled Delta’s operations for several days, forced thousands of flight cancellations and delays, and adversely affected more than a million Delta customers.”3 Delta alleges gross negligence, breach of contract, intentional misrepresentation or fraud by omission, and computer trespass, among other causes of action. According to Delta, it had not enabled automatic updates, yet CrowdStrike pushed the faulty update to its systems anyway, without consent. (For practitioners, the distinction matters: customer-controlled staging of sensor versions did not, at the time, govern delivery of this type of content update, and CrowdStrike has since said it would give customers control over when such updates are deployed.) Relying on CrowdStrike’s own “admission” of its systems’ shortcomings, Delta further alleges gross negligence in that CrowdStrike deployed the update without adequate testing or a staged rollout.
That same day, CrowdStrike responded with its own lawsuit against Delta in federal court in the Northern District of Georgia.4 CrowdStrike seeks a declaratory judgment that the dispute is governed by the parties’ services agreement, which limits CrowdStrike’s liability and bars “indirect, incidental, punitive, or consequential damages.” CrowdStrike further asks the court to declare that it was neither grossly negligent nor guilty of willful misconduct. The parties’ agreement designates Georgia as the governing law and forum, and Delta filed in Georgia state court. CrowdStrike nonetheless argues that a Georgia federal forum is proper because (i) the agreement requires Delta to comply with federal law, raising questions about that compliance, and (ii) Delta has itself moved to dismiss two federal consumer class actions on the ground that the plaintiffs’ claims are preempted by the federal Airline Deregulation Act, which likewise raises questions of federal law.
The CrowdStrike-Delta lawsuits demonstrate the importance of contract negotiations in cybersecurity vendor engagements. Limitations of liability and choice of law and forum are key considerations in the negotiation process. Both companies and vendors need to think broadly when allocating liability, accounting not just for cyber-attacks but for technical and human error as well. Errors are inevitable, whether a successful phishing attack or a faulty software update. The events that trigger revisiting the terms of an agreement are no longer limited to data breaches, and some risks are beyond either party’s control. For security products that run with kernel-level privileges, customers should also negotiate for technical controls alongside the legal ones: the right to stage or delay updates of every kind (sensor binaries and content alike), documented testing and canary-deployment practices, and a duty to notify when those practices change.
As the world becomes increasingly interconnected and data-driven, the technical vendor supply chain will keep growing. Companies need to vet their vendors before procurement and implement procedures to audit vendor practices throughout the engagement so that vendors can be held accountable. That is what reasonable security looks like. At the same time, no SaaS product will ever be perfect. Vendors and companies alike should use contracts and audits as tools to set and manage expectations around risk.
For more information, please contact Danielle A. Ocampo at danielle.ocampo@fmglaw.com or your local FMG attorney.