CrowdStrike's terms and conditions say most customers would just get a refund due to the massive outage, cybersecurity lawyer says

Jacob Shamsian

July 19, 2024 at 3:33 PM·4 min read

CrowdStrike's botched update caused flight disruptions, 911 call issues, and medical record blocks.
CrowdStrike's terms cap liability to fees paid, limiting compensation for affected companies.
Unless you're a big company that negotiated other terms, you probably need to deal with cyber insurance.

The devastating outages from CrowdStrike's botched security update Friday grounded flights, glitched 911 call lines, and blocked patients from accessing their medical records.

But, according to the cybersecurity company's terms and conditions, CrowdStrike doesn't have to shell out anything more than a simple refund.

The terms for CrowdStrike's Falcon security software — which is used by companies and government agencies around the world — limit liability to "fees paid."

That means that if a company had a claim against CrowdStrike for the damage or lost revenue to its business, the most it could recover is just what it paid to CrowdStrike, according to Elizabeth Burgin Waller, the chair of the Cybersecurity & Data Privacy practice at Woods Rogers.

That means CrowdStrike users who signed the standard terms and conditions can't expect to get more than a refund from the company, Waller said.

"Even if they did cover that lost revenue or downtime, they limit the recovery against CrowdStrike to fees paid," Waller told Business Insider. "So whatever I paid for fees to CrowdStrike, that's what the limitation of liability would be."

Bigger companies using CrowdStrike's software — like some of the airlines or hospital chains affected — may have negotiated different terms and conditions contracts with the cybersecurity company. Those contracts aren't public, and it's possible they contain terms that would hold CrowdStrike liable for more damages, Waller said.

"If you're a huge company, you might have been able to get some negotiation around that," she said.

A representative for CrowdStrike didn't immediately respond to Business Insider's request for comment about how it will enforce its terms and conditions.

To cover all the expenses being paid to deal with the CrowdStrike fallout — including hiring IT people to install another update that fixes the issue on Windows machines, lost employee productivity, fixing issues for customers, and possible legal expenses for publicly traded companies that need to file relevant securities reports for investors — most companies will have to turn to cyber insurers, Waller said.

According to Waller, most cyber insurance companies have policies that cover "contingent business interruption" or "dependent business interruption." Those allow companies to recover damages from insurers against third-party cybersecurity companies they depend on. CrowdStrike's Falcon software, which monitors threats on computers, could qualify.

"If I've got a big stop sign in front of me — terms and conditions against CrowdStrike — or if I can only get a refund, then I need to go look to my own cyber insurance policy," Waller said.

Many such policies cover only malicious events like hacking, Waller said.

"We've just got a software glitch. So I think we're going to see lawsuits filed against cyber insurance carriers for years to come, I imagine, on this outage," Waller said. "This is a pretty big, from a cyber insurance standpoint, I think this is also going to spawn a lot of litigation about what's covered and what is intended under these different policies."

CrowdStrike can expect SEC scrutiny

As for CrowdStrike, it can expect lawsuits from shareholders, customers who want to try to obtain more damages, and likely an investigation from the Securities and Exchange Commission, Waller said.

The company, which is publicly traded, will have to file an 8-K report in the next few days with the SEC that lays out what went wrong with the Falcon update.

By a strange coincidence, the CrowdStrike disaster came a day after a major ruling by a federal judge in Manhattan in favor of SolarWinds — a technology security company that was breached in a 2020 Russian cyberespionage campaign — in a lawsuit brought by the SEC.

The SEC alleged SolarWinds didn't sufficiently update investors and the public about the massive scope of the fallout from the Russian hack. But US District Judge Paul Engelmayer ruled Thursday that the company didn't need to provide the "maximum specificity" the SEC demanded.

That ruling gives some breathing room to CrowdStrike, a $73 billion company, which has a responsibility to update investors and the public about what happened — but now needs to worry less about just how much detail it provides.

"You need to convey the severity of what is happening, but we don't need to be really concerned about the nitty gritty details or what we don't know," Waller said.

Read the original article on Business Insider

Yahoo News
Microsoft outage: CrowdStrike security update impacts airports, hospitals, banks around the world
A massive technology outage has impacted computer systems around the world. Here's what we know.
TechCrunch
Faulty CrowdStrike update causes major global IT outage, taking out banks, airlines and businesses globally
Businesses across the world are reporting IT outages, including Windows "blue screen of death" errors on their computers, in what has already become one of the most widespread IT disruptions in recent years. The outage — linked to a software update from popular cybersecurity firm CrowdStrike — has affected computers running Microsoft Windows at organizations across various sectors, including airlines, banks, retailers, brokerage houses, media companies and railway networks. CrowdStrike's chief executive, George Kurtz, confirmed in a post on X that a "defect" in a content update for Windows hosts had caused the outage, and Kurtz ruled out a cyberattack.
TechCrunch
What we know about CrowdStrike's update fail that's causing global outages and travel chaos
A faulty software update issued by security giant CrowdStrike has resulted in a massive overnight outage that’s affected Windows computers around the world, disrupting businesses, airports, train stations, banks, broadcasters and the healthcare sector. CrowdStrike said the outage was not caused by a cyberattack, but was the result of a "defect" in a software update for its flagship security product, Falcon Sensor. The defect caused any Windows computers that Falcon is installed on to crash without fully loading.
TechCrunch
CrowdStrike outage: How your plane, train and automobile travel may be affected
The CrowdStrike outage that hit early Friday morning and knocked out computers running Microsoft Windows has grounded flights globally. Major U.S. airlines including United Airlines, American Airlines and Delta Air Lines have halted flight operations around the world. According to FlightAware, which is tracking the cancellations live, 7% of United Airlines flights, 8% of American Airlines flights and 12% of Delta flights have been canceled.
Yahoo News
See how the CrowdStrike security update outage impacted travel at airports around the world
In the U.S. alone, more than 26,000 flights have been delayed and more than 2,000 canceled.
Yahoo Finance
CrowdStrike shares fall more than 13% as global IT outage grounds flights, cuts off 911 access
Businesses around the globe came to a halt on Friday after an error caused by cybersecurity firm CrowdStrike took down computer systems.
TechCrunch
CrowdStrike's rivals stand to benefit from its update fail debacle
The CrowdStrike debacle — a bug in the company's Windows software that had the disastrous effect of rendering PCs unusable — has disrupted flights, canceled elective medical treatments, and left many an office worker twiddling their thumbs for hours. Unsurprisingly, it's also tanked CrowdStrike's stock price, even as the company's CEO, George Kurtz, promises a fix and systems begin to crawl back online. While it's difficult to assess at present the business fallout from what's being called the worst IT outage in history, investors appear to be sensing opportunity.
TechCrunch
From the Sphere to false cyberattack claims, misinformation runs rampant amid CrowdStrike outage
On Friday morning, as the East Coast woke up to one of the most widespread IT disruptions ever due to a faulty CrowdStrike update, a priceless image circulated across X, accumulating millions of views. It appeared that the Sphere — the ostentatious new addition to the Las Vegas skyline, with 580,000 square feet of programmable LEDs on its exterior — had succumbed to the blue screen of death. It would be easy to believe this photo was real; after all, we're seeing images of the blue screen of death in airports and hospitals around the world.
TechCrunch
The CrowdStrike outage is a plot point in a rom-com
Around the world, thousands of people like Nicole have had a wrench thrown into their plans due to this outage, which knocked out countless computers running Microsoft Windows. “We were a little bit nervous about [transporting the engagement ring] anyway, but then this just added a whole layer of complexity to it,” Nicole told TechCrunch. Now, the Delta flight she planned to take with her husband early Friday morning has been delayed until 3 p.m. ET at least.
TechCrunch
CrowdStrike chaos leads to grounded aircraft — and maybe an unusual weather effect
Air traffic for many airlines ground to a halt after a buggy update from CrowdStrike took down Windows computers around the world. While the IT outage is causing headaches for travelers, it may also have an unexpected effect on the climate: clearer skies and maybe lower temperatures this evening, according to David Travis, a scientist who has performed pioneering research on how jets can affect the weather. Planes flying at high altitudes frequently leave contrails, the billowy streaks created when jet engines dump water vapor and pollution into the atmosphere.
Yahoo Sports
Global I.T. outage spills over into sports as athletes in the WNBA, NHL and more miss events on Friday
With airlines halted across the country, athletes are affected as Erica Wheeler struggles to make WNBA All-Star Weekend and Kyle Okposo cancels Stanley Cup event.
Yahoo Finance
Stock market news today: S&P 500, Nasdaq post sharpest weekly losses since April amid tech rout
Stocks are facing another rough ride after a global IT outage hit businesses worldwide, with weekly losses in play.
Autoblog
We drive the 2025 Porsche 911 T-Hybrid, updated Miata and Lamborghini Urus | Autoblog Podcast #841
We discuss driving the refreshed 992.2 Porsche 911 models, including the hybrid, and a number of other recently refreshed vehicles.
Yahoo Life Shopping
Shoppers say these sandals are comfier than Birkenstocks — they're down to $28
They feature ample arch support and a contoured footbed, and they've amassed 57,000+ 5-star reviews.
Yahoo Sports
Nationals' Josiah Gray will have season-ending surgery on torn UCL in right elbow
Washington Nationals pitcher Josiah Gray requires season-ending elbow surgery to repair a partially torn UCL. Gray was the Nationals' lone All-Star representative last season.
Engadget
Twitch restores former President Trump’s Twitch account
Twitch restored ex-President Donald Trump's ban on the Amazon-owned platform after a three year absence. c
Yahoo Life Shopping
How much does a stair lift cost in 2024?
When it's time to install a chair lift on your stairs to improve your mobility, consider your budget and needs — the cost of a stair lift can vary widely.
Yahoo Life Shopping
How does online therapy work?
Online therapy is a convenient and effective way to receive counseling at home. Here's what you need to know.
Yahoo Life Shopping
The best stair lift for 2024: Chair lifts that make navigating stairs a breeze
Mobility challenges making daily life difficult? Stair lifts from brands like Stannah and AmeriGlide can help make your home safer and easier to navigate.
Yahoo Life Shopping
'Works like a charm': This compact jump starter is down to $40, an all-time low
With 1,600 amps of peak current, it handles car batteries large and small — and it can charge your phone. Get almost 60% off.

News

Life

Entertainment

Finance

Sports

New on Yahoo

CrowdStrike's terms and conditions say most customers would just get a refund due to the massive outage, cybersecurity lawyer says

CrowdStrike can expect SEC scrutiny

Recommended Stories

Microsoft outage: CrowdStrike security update impacts airports, hospitals, banks around the world

Faulty CrowdStrike update causes major global IT outage, taking out banks, airlines and businesses globally

What we know about CrowdStrike's update fail that's causing global outages and travel chaos

CrowdStrike outage: How your plane, train and automobile travel may be affected

See how the CrowdStrike security update outage impacted travel at airports around the world

CrowdStrike shares fall more than 13% as global IT outage grounds flights, cuts off 911 access

CrowdStrike's rivals stand to benefit from its update fail debacle

From the Sphere to false cyberattack claims, misinformation runs rampant amid CrowdStrike outage

The CrowdStrike outage is a plot point in a rom-com

CrowdStrike chaos leads to grounded aircraft — and maybe an unusual weather effect

Global I.T. outage spills over into sports as athletes in the WNBA, NHL and more miss events on Friday

Stock market news today: S&P 500, Nasdaq post sharpest weekly losses since April amid tech rout

We drive the 2025 Porsche 911 T-Hybrid, updated Miata and Lamborghini Urus | Autoblog Podcast #841

Shoppers say these sandals are comfier than Birkenstocks — they're down to $28

Nationals' Josiah Gray will have season-ending surgery on torn UCL in right elbow

Twitch restores former President Trump’s Twitch account

How much does a stair lift cost in 2024?

How does online therapy work?

The best stair lift for 2024: Chair lifts that make navigating stairs a breeze

'Works like a charm': This compact jump starter is down to $40, an all-time low