On Friday afternoon, 26 July 2024, I was just introducing myself on a video conference when my laptop stopped working and shut down. Whilst scrambling to restart my laptop, I looked around the office, and many of my colleagues were in the same state of confusion. We would soon come to know that we were part of a worldwide event described as the largest IT outage in history. The incident, caused by a faulty software update from cybersecurity company CrowdStrike, resulted in 8.5 million Windows computers crashing globally. The impact was immediate, with widespread business interruption ensuing. This article will explore your business’s rights and options if it was affected by the CrowdStrike outage.
Possible Options
The CrowdStrike outage demonstrates the significance of connectivity in today’s world, with many individuals and businesses facing frustration and inconvenience. A preliminary report from CrowdStrike suggests a flawed technical update caused the outage. Regardless, you, as the business owner, will want to understand your legal and financial options when network disruptions such as this one significantly impact your operations.
Consider the following hypothetical. You are a small to medium business that relies heavily on internet and network connectivity for daily operations. The outage disrupts your company’s internet and phone systems, rendering essential tools and communication channels inaccessible. In this case, there are limited actions you can take, including:
- postponing operations until connectivity was restored;
- attempting to work offline with limited functionality; or
- diverting resources to an alternative location with network access.
Regardless of the approach taken, your business experiences significant productivity losses, potential project delays, and disruptions to client or customer interactions for the duration of the outage. This interruption to normal business operations likely impacts revenues, profitability, and client/customer relationships.
Compensation Claims
Business owners are assessing the financial impact of the Crowdstrike outage, and there has been much discussion about compensation claims. Already, there is talk of class actions and government intervention; however, financial compensation options for businesses are likely limited.
Importantly, in using CrowdStrike’s services, you are subject to its Terms and Conditions, which aim to significantly curb the company’s liability exposure. They include, for example:
- Disclaimers (Section 8.6): CrowdStrike does not guarantee uninterrupted services or fulfilment of particular needs. These disclaimers aim to make breach claims impossible.
- A total liability cap (Section 10.1): CrowdStrike restricts its total liability to fees paid for the affected product during that subscription period. This potentially restricts businesses from claiming recovery of their full losses.
Even if these limits were not in place, the Terms and Conditions are subject to California state law and courts. As a result, legal action would be expensive for Australian businesses that make a claim.
The combined effect of the above means that direct claims against CrowdStrike would be difficult and costly. This has left many businesses feeling frustrated and uncertain about their recourse options.
Continue reading this article below the formAustralian Consumer Law
It is important to note that the Australian Consumer Law (ACL) provides statutory guarantees that prevent standard contract terms from being invalidated. The ACL allows consumers to seek refunds, replacements, or compensation for service failures, potentially overriding CrowdStrike’s liability limits. However, it can be challenging to make claims against CrowdStrike, a United States-based company under the ACL in Australia.
Risk Management
If your business has taken Business Continuity Insurance, you may be able to claim some relief. This type of insurance is designed to cover the costs and losses associated with disruptions to business operations, such as the recent outage. By filing a claim with your insurer, businesses with this coverage may be able to mitigate some of the financial fallout from the incident.
For businesses without such insurance, the road to recovery may be more challenging. As a result, you may consider consulting an insurance broker about obtaining insurance for these unprecedented circumstances.
Terms and Conditions
The outage also highlights the importance of carefully reviewing contracts for both service providers and their customers.
For service providers, having clear contract terms can limit your legal and financial exposure if service disruptions or outages occur. For instance, there may be liability limitation clauses, force majeure clauses for uncontrollable events, and specification of applicable laws.
As the customer of a service provider, you should thoroughly understand your contracts. Key clauses to review include:
- the scope of services promised;
- service level commitments;
- compensation if obligations are not met; and
- rights to terminate the agreement.
Having stronger provisions can provide options for recourse if prolonged outages significantly impact operations.
The Australian Government is changing the law to protect consumer privacy after a series of high-profile data breaches and to bring the law into line with the safer and more protective laws in other regions. This fact sheet outlines what is expected in 2024.
Key Takeaways
As one of many businesses affected by the CrowdStrike outage, you may have experienced significant inconvenience, frustration, and costs. However, CrowdStrike’s terms and conditions significantly limit its liability exposure, making it difficult for you to make a direct claim against it. While the Australian Consumer Law could potentially override CrowdStrike’s liability limits, it would be challenging to make claims against a United States company. Instead, consider employing your Business Continuity Insurance to claim some relief through your insurer. Overall, the outage highlights the importance of implementing robust risk management strategies and carefully reviewing contracts with IT service providers.
If you have further questions about claims against CrowdStrike, our experienced litigation lawyers can assist as part of our LegalVision membership. You will have unlimited access to lawyers to answer your questions and draft and review your documents for a low monthly fee. Call us today on 1800 485 742 or visit our membership page.
Frequently Asked Questions
As CrowdStrike is from the United States, it would be more difficult for you as an Australian business to make a claim against them based on Australian law. If you have Business Continuity Insurance, you may consider seeking relief via insurance instead.
An essential part of limiting negative impacts in IT outages is reviewing your agreement with the service provider. Ensure there are contractual ways for you to hold them accountable for failing to reach the service level commitment they agreed to. Furthermore, ensure you implement comprehensive IT risk management policies in your business.
We appreciate your feedback – your submission has been successfully received.
