CrowdStrike’s global IT outage has inspired many to file lawsuits against the software company, but plaintiffs’ success in such litigation isn’t certain.
Shutterstock.com/CLS Digital Arts
When CrowdStrike updated its cybersecurity platform Falcon on 19 July it caused millions of computers on its corporate and government clients’ systems to crash. The aviation industry was notably affected by the outage; American Airlines, United Airlines and Delta Air Lines canceled over 3,000 flights and delayed over 11,000 flights.
According to a class action filed on 30 July by fliers affected by that outage, CrowdStrike was negligent and owed them a duty to take reasonable steps in maintaining, operating and updating its software. The plaintiffs in that US District Court for the Western District of Texas lawsuit seek to represent a class of all US passengers affected by the outage and over $5 million in damages.
The cybersecurity provider also faces a class action from stockholders in Austin, Texas federal court that alleges the company filed false statements regarding its risk and software.
CrowdStrike customer Delta Air Lines has also been hit with a class action by passengers affected by the outage who claimed Delta refused or ignored their requests for a prompt refund. The passengers also alleged that Delta refused to provide all affected passengers with meal, hotel and ground transportation vouchers and continues to deny or ignore requests for reimbursements for those unexpected expenses, according to the class action filed on 6 August in the US District Court for the Northern District of Georgia.
Delta has not yet filed a response to that class action claim. However, the airline noted in a US Securities and Exchange Commission (SEC) filing that it would be pursuing legal claims to recover at least $500 million in damages from CrowdStrike and Microsoft – Microsoft didn’t roll out the software bug but millions of computers running on the Microsoft Windows operating system were affected.
Companies typically face class actions after a high-profile data incident and CrowdStrike is no exception. However, courts haven’t always sided with investors and those personally affected by data incidents.
An Atlanta federal judge in 2022 dismissed a putative class action against Colonial Pipeline that was filed by “‘downstream consumers’” who didn’t directly purchase gas from Colonial but paid higher gasoline prices after Colonia shut down its oil pipeline in May 2021 after a ransomware attack. The judge ruled, in part, that the plaintiffs didn’t cite any legal requirement for Colonial to maintain uninterrupted services.
IT software provider SolarWinds was also able to fend off investors who claimed the company’s board ignored cybersecurity red flags before a massive cyber attack was discovered in 2020. The Delaware Court of Chancery ruled in 2022 that the investors didn't prove that the board failed to implement, monitor or oversee cybersecurity controls. While it was successful in that matter, SolarWinds still faces claims from the SEC that it didn’t adequately disclose its cybersecurity risk and the significance of previous data incidents.
In June the US Supreme Court has also agreed to decide if the US Court of Appeals for the Ninth Circuit incorrectly allowed Meta stockholders to pursue claims that Meta bolstered share prices by not fully disclosing the risk of misusing users’ personal data, after Meta knew Cambridge Analytica had misused Facebook users’ data.