CrowdStrike: What We Can Learn

To recap:
1: Delta Airlines runs CrowdStrike’s “Falcon Sensor” as its endpoint security (EDR/antivirus) agent on its Windows fleet.

2: 07/19/2024 a content configuration update to the Falcon Sensor (the “Channel File 291” update named in the letter below) crashes Delta’s Windows hosts, grounding 6,000+ flights and (supposedly) costing $500M.

3: Delta publicly and privately tells CrowdStrike they’re going to pay.

4: CrowdStrike responds to Delta stating that they have a different opinion.

Firstly, if you consume any media about this event, let it be this video: https://www.youtube.com/watch?v=wAzEJxOo1ts&t=619s.

The video is by David Plummer, an old-school Windows developer who runs a YouTube channel (and who has a book!). He does a wonderful job of making tech topics consumable and has tons of wonderful anecdotes. Just a great channel all around. Regardless, watch the video and I guarantee you’ll know more about this than you did 15 minutes ago.

With the facts as established as they’re gonna be, let’s dissect that letter.

Dear David:
I am writing on behalf of my client CrowdStrike, Inc. in response to your letter dated July 29, 2024, in which Delta Air Lines, Inc. raises issues and threatens CrowdStrike with legal claims related to the July 19, 2024 content configuration update impacting the Falcon sensor and the Windows Operating System (the “Channel File 291 incident”).

Can we appreciate how much this letter sounds like the dozens and dozens (and dozens) of letters insurance and risk professionals receive? I guess this just goes to show that the only thing that changes about claims is the dollar figure….

CrowdStrike reiterates its apology to Delta, its employees, and its customers, and is empathetic to the circumstances they faced. However, CrowdStrike is highly disappointed by Delta’s suggestion that CrowdStrike acted inappropriately and strongly rejects any allegation that it was grossly negligent or committed willful misconduct with respect to the Channel File 291 incident. Your suggestion that CrowdStrike failed to do testing and validation is contradicted by the very information on which you rely from CrowdStrike’s Preliminary Post Incident Review.

Eagle-eyed readers will notice a specific word here: GROSS negligence. And this is why contracts are so important, because by alleging GROSS negligence Delta is attempting to do a couple of things.

First, to open the door to punitive or exemplary damages, which are typically only available in cases of “gross” negligence. “But punitive damages aren’t insurable,” an astute insurance person might respond. That isn’t entirely accurate. While many policies do exclude them, some don’t, and whether they can be insured at all is governed by the rules of each jurisdiction. In fact, most (US) jurisdictions do allow insuring punitive damages, though with very specific qualifying criteria (usually “vicarious only”). So if you’re an insurance professional, push for policy language that follows the law rather than flatly excluding them (e.g., coverage for punitive damages “where insurable by law”).

The second reason Delta is alleging gross negligence is because there is certainly a liability cap in their contract. Such caps can be bypassed (either via contract language or by course of law) if the offending party is “grossly” negligent or engages in “willful” misconduct. You hire a vendor and they trip and start a fire, their liability to you is capped. You hire a vendor and they’re an arsonist who intentionally starts a fire, their liability to you is uncapped.

As a risk professional, these liability limitations are some of the most critical yet rubber-stamped parts of contracts. I can’t tell you the number of times I’ve seen a business accept boilerplate language that limits liability to, for example, “the cost of the contract” (i.e., what you’re paying the vendor). I’ve even seen this in architectural/engineering contracts! That’d be like limiting my auto mechanic’s liability to the cost of my brake job – if those brakes fail, the damage can run far beyond the few hundred bucks the work cost.

Delta’s public threat of litigation distracts from this work and has contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage. Should Delta pursue this path, Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions—swiftly, transparently, and constructively—while Delta did not.

While this is speculation, note the verbiage: “CrowdStrike [is not responsible for] Delta’s IT decisions and response to the outage.” It does not say CrowdStrike wasn’t responsible for the outage, or that CrowdStrike didn’t err, or that it didn’t circumvent system security controls when rolling out updates. This is clever wording, from a clever attorney, who knew this letter was going public.

Among other things, Delta will need to explain:
● That any liability by CrowdStrike is contractually capped at an amount in the single-digit millions.

Womp womp.

Items for Legal Preservation:
1. Delta’s response to the Channel File 291 incident.
2. Delta’s emergency backup, disaster recovery, and IT business continuity plans, and any related testing of those plans.
3. All assessments of Delta’s IT infrastructure, including any gaps and remediation recommendations, for the last five years, including in the wake of the Channel File 291 incident.
4. All decisions to upgrade or not upgrade Delta’s IT infrastructure in the last five years.
5. All scripts and software that Delta has deployed before and after the Channel File 291 incident to address possible Windows group policy corruption issues across the IT estate.
6. All system event logs for the weeks preceding and succeeding the Channel File 291 incident.
7. All encryption-level software that Delta deployed on all its IT infrastructure and the management of this software.
8. All technology and operating systems that Delta utilizes to assign workflow, routes, crews, flight schedules, etc. and any information, documents, or analysis on how that technology interacts with any software that Delta employs on its IT infrastructure.
9. Any data loss following the Channel File 291 incident related to Delta’s workflow routes, crew and flight schedules, and all communications with crew members following the Channel File 291 incident.
10. Delta’s response and recovery to any previous IT outages in the past five years.

Not earth-shattering, but I cite the above just to show how burdensome legal discovery can be. Can you imagine, as a business owner, having to produce what is essentially a report on how you responded to every IT outage over the past 5 years? Now imagine you have services all over the world and 100,000 employees. You may be completely in the right in whatever legal dispute you’re having, but it’s going to cost you a million bucks just to comply with discovery.

Now, some of the above is likely to be narrowed in scope as unduly burdensome, but the point stands: the majority of the expense and effort happens well before trial, and this is just a “throwaway” letter!

Delta has a big enough checkbook to figure this out, but what about a $100M company? A $10M company? A $1M company? Something like this would ruin them. Hope they know a good insurance person.
