Until last Friday, many businesses hadn’t really dealt with anything quite like the speed and severity of the CrowdStrike IT outage.
Being forced to stop operations is costly. Some estimates put the damage bill from the outage at more than A$1 billion in Australia alone.
As they continue to tally the losses, it’s only natural that affected businesses will be asking who is legally responsible, and whether there’ll be any compensation.
These are great questions, but from a legal point of view the answers will be complex.
Both CrowdStrike and various government cybersecurity authorities were quick to declare that the event was not the result of any criminal behaviour such as a cyberattack or other hacking.
This means the laws relating to these matters fall within the jurisdiction of civil law – in particular, the law of contracts and the law of torts.
Exclusion clauses
CrowdStrike’s security software is used by a wide range of companies and other large organizations. Microsoft, whose tech ecosystem was impacted, estimated the CrowdStrike update affected 8.5 million Windows devices globally.
But as with many other technology products, there is a clear contractual relationship between the consumer (the end user of the product) and the manufacturer (CrowdStrike).
This contract – the sometimes overlooked “terms and conditions” – has to be “signed” electronically by organisations using the software. Signing binds them to these terms – regardless of whether they’ve actually read them or not.
Deep in the fine print of many software product terms and conditions are a series of exclusion clauses. Tech companies often rely on these to protect themselves from litigation for any damage that arises if their software malfunctions.
In the case of CrowdStrike’s Falcon security software, the relevant terms limit liability to “fees paid”. Put more plainly, customers are entitled to no more than a simple refund.
Contract law vs tort law
As you can see, businesses’ options for seeking redress under contract law may be severely limited. This has led some law firms to raise the possibility of pursuing class action under other claims, such as negligence. In a note to clients about the outage, New Zealand-based law firm Russell McVeagh said:
Further, if any lack of readiness on the part of affected organisations exacerbated the scale or duration of the impact that the outage had on them, shareholder claims against those organisations, or their directors, are also a possibility.
To understand how such a class action might be framed, you need to understand some important legal basics surrounding what’s called “tort law” in common law.
Australia and New Zealand follow the legal system known as common law, which was developed in Britain in the 11th century. At a high level, it simply means that courts follow precedents set by the highest court in the jurisdiction.
And the word “tort” simply means a civil wrong. Many legal actions – such as allegations of defamation, trespass, nuisance or negligence – fall under the umbrella of torts.
‘Snail in the bottle’
In 1932, the UK House of Lords heard a case that would forever change the landscape of the common law world – “Donoghue v Stevenson”.
This case is known by its nickname: “the snail in the bottle” case. The simple facts of it involved two friends having an ice cream float made with ginger beer in a Scottish cafe. After one of them had already consumed some of the dessert, they discovered a dead snail in the ginger beer bottle.
The cafe owner could not have known that inside the commercially produced brown bottle of ginger beer was a dead snail. So a tort of negligence was brought by the consumer against the manufacturer of the bottle of ginger beer, Stevenson & Co.
The plaintiff, the bringer of the civil case, had to prove three things for Stevenson, the defendant, to be found liable. First, that a duty of care was owed between the manufacturer and the final consumer. Second, that there was a breach of the duty of care. And finally, that it was reasonably foreseeable that harm would occur from that negligence, resulting in actual damage.
The House of Lords decided in favor of Mrs Donoghue, which extended the notion of duty of care outside of contracts.
Over the next 50 years these tests were refined, and “remoteness of damage” was added to the requirements for proving a case. This meant that in some instances, entities couldn’t be found liable if they were found to be too remote from any harm that occurred.
So could there be a class action?
In Australia, most consumers are protected by legislation known as the Australian Consumer Law.
This legislation provides different remedies and requirements of proof than the common law tortious requirements. But the common law principles of the tort of negligence still apply in tandem.
However, any businesses and organizations looking to pursue class action against CrowdStrike on the tort grounds of negligence would face an extremely complex situation. The outage affected customers in a wide variety of countries, and CrowdStrike itself is headquartered in the United States.
This means such class actions would likely have to be filed in a variety of US states and other countries.
Class action lawyers would charge a percentage of the final settlement, which could be between 30% and 80% of any payout. But they would also take on the risk and pay all the costs, such as for expert witnesses and lawyer preparation.
The scope and scale of the outage mean that if any class actions are eventually launched, it could become one of the largest litigation matters in the world and drag on for many years.
Whatever happens, major insurance companies will continue watching the situation closely, with many businesses now looking closely at what they are covered for under any cyber insurance policies they’d taken out.
Michael Adams, Professor of Corporate Law & Academic Director of UNE Sydney campus, University of New England/ This article is republished from The Conversation under a Creative Commons license. Read the original article.