Legal Fallout from CrowdStrike's Internet Outage: Class Action Lawsuits

In this post, I highlight the liability and protections tech companies build into their terms and conditions, significantly limiting their exposure to financial claims. I also suggest that shareholders and regulatory bodies like the SEC could play a more active role in addressing these issues.

So, here is what has been happening at the nexus of U.S. law and the July 19 CrowdStrike outage:

First Lawsuit:

On July 30, 2024, one of CrowdStrike shareholders (Plymouth County Retirement Association) filed a federal class action suit against CrowdStrike, its CEO, and CFO. The suit alleges false and misleading statements of the Company about the reliability of CrowdStrike’s software, leading to the outage which caused “substantial legal liability and massive reputational damages” to Crowdstrike, and therefore, substantial financial losses for shareholders - almost 32% fall in share prices between July 19 and 30.

Investors who purchased CrowdStrike shares between November 29, 2023, and July 29, 2024, still have time to act - until September 30, 2024, to petition for lead plaintiff status.

Second Lawsuit:

On August 5, 2024, this time, airline passengers filed a class action in the Western District of Texas. The plaintiffs include passengers affected by the IT outage, with CrowdStrike Holdings as the sole defendant. The lawsuit accuses CrowdStrike of negligence and failure to disclose risks associated with the software update, which caused significant travel disruptions and financial damages. The complaint seeks compensation for affected passengers.

Third Lawsuit:

A separate class action was filed against Delta Airlines by passengers on August 6, 2024, in the Northern District of Georgia, alleging Delta’s refusal to reimburse passengers for unexpected expenses related to the internet outage. The plaintiffs seek damages for themselves, and other affected passengers who “were forced to spend thousands of dollars in unexpected expenses, including flights from other airlines, hotels, rental cars, ground transportation, and food.” Although Delta has not yet sued CrowdStrike, it may pursue claims for damages totaling at least $500 million. Delta recently said the outage cost $380 million in lost revenue and $170 million in expenses.

Given the scale of the affected individuals, these lawsuits will test how liability is addressed for the indirect impacts of technological failures. The outcome will hinge on causation and whether the courts find CrowdStrike had a duty of care to those indirectly affected. Despite potential limitations in CrowdStrike's terms and conditions, these class actions may still hold the company accountable.

I remain an advocate of class action suits as they play a vital role in democratizing legal recourse, allowing groups to pursue justice collectively. In CrowdStrike’s case, these lawsuits offer a mechanism for recovery, particularly when widespread harm is alleged.