The Times Australia
Business and Money
Times Media

.

The CrowdStrike outage caused chaos for business – could we see a class action?

  • Written by Michael Adams, Professor of Corporate Law & Academic Director of UNE Sydney campus, University of New England
Graphic showing 'terms of use' floating above a laptop screen

Until last Friday, many businesses hadn’t really dealt with anything quite like the speed and severity of the CrowdStrike IT outage.

Being forced to stop operations is costly. Some estimates[1] put the damage bill from the outage at more than A$1 billion in Australia alone.

As they continue to tally the losses, it’s only natural that affected businesses will be asking who is legally responsible, and whether there’ll be any compensation.

These are great questions, but from a legal point of view the answers will be complex.

Both CrowdStrike and various government cybersecurity authorities were quick to declare[2] that the event was not the result of any criminal behaviour such as a cyberattack or other hacking.

This means the laws relating to these matters fall within the jurisdiction of civil law – in particular, the law of contracts and the law of torts.

Exclusion clauses

CrowdStrike’s security software is used by a wide range of companies and other large organisations. Microsoft, whose tech ecosystem was impacted, estimated[3] the CrowdStrike update affected 8.5 million Windows devices globally.

But as with many other technology products, there is a clear contractual relationship between the consumer (the end user of the product) and the manufacturer (CrowdStrike).

Graphic showing 'terms of use' floating above a laptop screen
Many software providers add ‘exclusion clauses’ to their terms of use. MMD Creative/Shutterstock[4]

This contract – the sometimes overlooked “terms and conditions” – has to be “signed” electronically by organisations using the software. Signing binds them to these terms – regardless of whether they’ve actually read them or not.

Deep in the fine print of many software product terms and conditions are a series of exclusion clauses. Tech companies often rely on these to protect themselves from litigation for any damage that arises if their software malfunctions.

In the case of CrowdStrike’s Falcon security software, the relevant terms[5] limit liability to “fees paid”. Put more plainly, customers are entitled to no more than a simple refund.

Read more: What is CrowdStrike Falcon and what does it do? Is my computer safe?[6]

Contract law vs tort law

As you can see, businesses’ options for seeking redress under contract law may be severely limited. This has led some law firms to raise the possibility[7] of pursuing class action under other claims, such as negligence. In a note to clients[8] about the outage, New Zealand-based law firm Russell McVeagh said:

Further, if any lack of readiness on the part of affected organisations exacerbated the scale or duration of the impact that the outage had on them, shareholder claims against those organisations, or their directors, are also a possibility.

To understand how such a class action might be framed, you need to understand some important legal basics surrounding what’s called “tort law” in common law.

Australia and New Zealand follow the legal system known as common law, which was developed in Britain in the 11th century. At a high level, it simply means that courts follow precedents set by the highest court in the jurisdiction.

And the word “tort” simply means a civil wrong. Many legal actions – such as allegations of defamation, trespass, nuisance or negligence – fall under the umbrella of torts.

‘Snail in the bottle’

In 1932, the UK House of Lords heard a case that would forever change the landscape of the common law world – “Donoghue v Stevenson[9]”.

This case is known by its nickname: “the snail in the bottle” case. The simple facts of it involved two friends having an ice cream float made with ginger beer in a Scottish cafe. After one of them had already consumed some of the dessert, they discovered a dead snail in the ginger beer bottle.

Snail sliding over the top of a glass bottle
The snail in the bottle case set an important precedent in tort law. Oleg Troino/Shutterstock[10]

The cafe owner could not have known that inside the commercially produced brown bottle of ginger beer was a dead snail. So a tort of negligence was brought by the consumer against the manufacturer of the bottle of ginger beer, Stevenson & Co.

The plaintiff, the bringer of the civil case, had to prove three things for Stevenson, the defendant, to be found liable. First, that a duty of care was owed between the manufacturer and the final consumer. Second, that there was a breach of the duty of care. And finally, that it was reasonably foreseeable that harm would occur from that negligence, resulting in actual damage.

The House of Lords decided in favour of Mrs Donoghue, which extended the notion of duty of care outside of contracts.

Over the next 50 years these tests were refined, and “remoteness of damage” was added to the requirements for proving a case. This meant that in some instances, entities couldn’t be found liable if they were found to be too remote from any harm that occurred.

So could there be a class action?

In Australia, most consumers are protected by legislation known as the Australian Consumer Law[11]. This legislation provides different remedies and requirements of proof than the common law tortious requirements. But the common law principles of the tort of negligence still apply in tandem.

Close up of blue screen error message
Many users encountered the dreaded ‘blue screen of death’ during the outage. QINQIE99/Shutterstock[12]

However, any businesses and organisations looking to pursue class action against CrowdStrike on the tort grounds of negligence would face an extremely complex situation. The outage affected customers in a wide variety of countries, and CrowdStrike itself is headquartered in the United States.

This means such class actions would likely have to be filed in a variety of US states and other countries.

Class action lawyers would charge a percentage of the final settlement, which could be between 30% and 80% of any payout. But they would also take on the risk and pay all the costs, such as for expert witnesses and lawyer preparation.

The scope and scale of the outage mean that if any class actions are eventually launched, it could become one of the largest litigation matters in the world and drag on for many years.

Whatever happens, major insurance companies will continue watching the situation closely[13], with many businesses now looking closely at what they are covered for under any cyber insurance policies they’d taken out.

Read more: The Crowdstrike outage showed that risk management is essential. Why are so many businesses reluctant to do it?[14]

References

  1. ^ estimates (www.abc.net.au)
  2. ^ declare (www.crowdstrike.com)
  3. ^ estimated (blogs.microsoft.com)
  4. ^ MMD Creative/Shutterstock (www.shutterstock.com)
  5. ^ terms (www.businessinsider.com)
  6. ^ What is CrowdStrike Falcon and what does it do? Is my computer safe? (theconversation.com)
  7. ^ raise the possibility (www.nzherald.co.nz)
  8. ^ note to clients (www.russellmcveagh.com)
  9. ^ Donoghue v Stevenson (www.bailii.org)
  10. ^ Oleg Troino/Shutterstock (www.shutterstock.com)
  11. ^ Australian Consumer Law (consumer.gov.au)
  12. ^ QINQIE99/Shutterstock (www.shutterstock.com)
  13. ^ watching the situation closely (www.theaustralian.com.au)
  14. ^ The Crowdstrike outage showed that risk management is essential. Why are so many businesses reluctant to do it? (theconversation.com)

Authors: Michael Adams, Professor of Corporate Law & Academic Director of UNE Sydney campus, University of New England

Read more https://theconversation.com/the-crowdstrike-outage-caused-chaos-for-business-could-we-see-a-class-action-235215

The Times Features

FedEx Australia Announces Christmas Shipping Cut-Off Dates To Help Beat the Holiday Rush

With Christmas just around the corner, FedEx is advising Australian shoppers to get their presents sorted early to ensure they arrive on time for the big day. FedEx has reveale...

Will the Wage Price Index growth ease financial pressure for households?

The Wage Price Index’s quarterly increase of 0.8% has been met with mixed reactions. While Australian wages continue to increase, it was the smallest increase in two and a half...

Back-to-School Worries? 70% of Parents Fear Their Kids Aren’t Ready for Day On

Australian parents find themselves confronting a key decision: should they hold back their child on the age border for another year before starting school? Recent research from...

Democratising Property Investment: How MezFi is Opening Doors for Everyday Retail Investors

The launch of MezFi today [Friday 15th November] marks a watershed moment in Australian investment history – not just because we're introducing something entirely new, but becaus...

Game of Influence: How Cricket is Losing Its Global Credibility

be losing its credibility on the global stage. As other sports continue to capture global audiences and inspire unity, cricket finds itself increasingly embroiled in political ...

Amazon Australia and DoorDash announce two-year DashPass offer only for Prime members

New and existing Prime members in Australia can enjoy a two-year membership to DashPass for free, and gain access to AU$0 delivery fees on eligible DoorDash orders New offer co...

Business Times

Will the Wage Price Index growth ease financial pressure for hous…

The Wage Price Index’s quarterly increase of 0.8% has been met with mixed reactions. While Australian wages continue to i...

Protecting Your Business from Cyber Threats: The Critical Role of…

In today’s digital world, cybersecurity threats pose a significant risk to businesses of all sizes. A data breach can lead ...

Kyndryl ANZ appoints new Head of Strategic Partnerships and Allia…

Former Head of Marketing to lead and grow Kyndryl’s local channel ecosystem and bolster technological capabilities Kyndr...