On Friday, July 19, businesses large and small around the globe experienced prolonged interruptions in their computer systems. Reports pegged the issue to a security update pushed out by CrowdStrike, a cybersecurity company, that caused the Microsoft Windows operating system to crash.
Many organizations are looking to evaluate their positions with respect to insurance coverage for business interruption losses, potential contractual recourse, and other related issues. Looking ahead, many businesses will need to identify and track the full extent of the loss they have suffered, and may continue to suffer.
The loss can include disrupted operations, loss of revenue, loss of opportunities, recovery costs, legal fees, and loss of consumer and investor confidence. All of these can lead to contractual and indemnity issues.
These points were among those discussed at a recent webinar by law firm Brown Rudnick.
Some key facts highlighted about the impact of the CrowdStrike outage:
- Reports that 70% of Fortune 500 companies and more than half of Fortune 1000 companies were affected.
- Flights: over 3,000 cancelled and over 11,000 delayed.
- Microsoft estimated 8.5 million Windows devices affected.
- CrowdStrike serves approximately 29,000 customers.
As befits a legal webinar, one of the key questions covered was lawsuits – in other words who can be sued in a situation where multiple mission critical systems are all dependent on a single point of failure, as well as who may sue in these circumstances.
An interesting scenario outlined by one of the lawyers, who happened to be travelling during this time, illustrates very clearly how vulnerable some systems are to a single point of failure. Airline ground staff explained to him that:
- Baggage could not be processed because the system controlling the routing of this to the plane was down.
- Even if the luggage was carried to the plane manually it could not be loaded on to the plane safely because the systems weighing it and trimming the plane load were down.
- Even if all the passengers and luggage did board, the plane would still be unable to take off because the system certifying the pilots as cleared to fly the plane was down.
So in connection with a lawsuit one of the key things businesses will need to do is to check the contractual provisions on the maintenance and upgrade of all software affected. A key question in this specific context is: are there explicit provisions around testing before the updates are pushed out?
Another key question is who precisely an organization’s contract is with. While it is likely that there are a lot of direct agreements between CrowdStrike and large businesses, it is entirely possible that many affected organizations will be dealing with contracts with intermediaries who act as agents, with CrowdStrike simply being a sub-contractor.
There was broad agreement amongst the group that the pushing of code into a production system without adequate testing could potentially constitute negligence. But the lawyers were very careful to reiterate that, right now, very little information is available on the cause of the incident and what has been published by CrowdStrike in its preliminary post-incident report is not sufficient for an informed opinion.
It is quite clear that, when it comes to complex systems, the courts will not regard an expectation to test for every possible contingency as realistic. And so a decision may well come down to a consideration of what constitutes a reasonable obligation or practice in a scenario such as this.
Classifying data and software
Some legal uncertainty also stems from the fact that courts have gone different ways (at least in the US) on the relationship of data and software and how to classify these: intangibles? Goods? Services? This question has been problematic – nowhere more so than in connection with an update such as this which affects something at the kernel level, where the operating system and the actual computer hardware interact.
The group highlighted the fact that another aspect complicating matters from a lawsuit perspective is that this is a global issue affecting firms that may have separate contractual agreements with CrowdStrike, Microsoft, other vendors and that those agreements may well differ depending on geography and jurisdiction. This will almost certainly result in different types of liability and may lead to arms or affiliates of the same company having a very different litigation experience depending on where they are located as well as the specific jurisdiction clauses in their contracts.
The tenor of the discussion left little doubt that CrowdStrike and many of the affected parties will be seen in court in the near future.
The discussion then turned to insurance because many organizations that employ multi-party systems would usually look to have this type of event covered as part of their insurance. It is, of course, entirely possible that there might be exclusions – for example where the potentially insured event is caused by third party software errors.
15 key steps for organizations
Here the discussion was eminently practical and is best summarized as a series of key steps organizations should be taking now:
- If you have insurance policies check their terms.
- Check, in particular, how long you have to ‘give notice’.
- Give notice as soon as it is reasonably practicable.
- Give notice even in an instance where you do not have complete understanding of your loss or potential loss – the notice does not have to be a long missive: “It’s better that it’d be Hemingway rather than Faulkner!”
- This is critical because some policies will have trigger notices that are as short as 48/72 hours and may include other contractual limitation periods that are shorter than those that might be provided by statute.
- Make sure you give notice to the right person / party – some organizations may want to give notice to their broker who then gives notice to the insurer on their behalf.
- If you have been affected or are being affected by the loss – track the loss. This is critical and is also potentially useful from a tax perspective.
- Set up a specific accounting code for the loss. It is much more difficult and expensive to track a loss retrospectively and this applies to insurance as well as any future litigation where you will be required to evidence your losses.
- Business interruption is nothing new when it comes to insurance policies, but the wording of insurance policies when it comes to systems lags behind IT / cyber policies. Therefore it is essential to ‘stick to the facts’ and avoid unnecessary assumptions (for example – it was a ‘blank’ event).
- The key here is that both contractually and from the perspective of an insurance claim you may unwittingly create a narrative about what happened before you understand what the consequences of that narrative are when it comes to an insurance or court claim.
- When giving notice, simply state the bland facts – there was an event and this is how it affected us.
- A legal wrinkle worth noting is that the insurance company may also pay for your litigation costs. Standard property policies typically have something called “Sue and Labor coverage”, which is language from old marine policies that you still see in many property policies. The idea is they will pay for you to mitigate your losses.
- You have to let insurance companies know you’re intending to start litigation even if you don’t have a traditional “Sue and Labor” coverage.
- It is also absolutely critical to mitigate your losses.
- One final piece of advice from Palley, referencing author Mark Twain’s “when in doubt, tell the truth”, was to stick to the truth in all of this. “Sometimes the truth is that you just don’t know, and it is not reasonable to expect you to know.”
One of the cases that the panellists drew attention to involved Southwest Airlines, which sued its insurer after the denial of a claim under its cyber risk insurance policy.
A systems failure resulted in flight delays and cancellations that led to Southwest incurring $77m in losses. The insurer refused the claim, arguing that the costs incurred were discretionary and either not covered under the policy or excluded by its clauses.
The Fifth Circuit Court of Appeals overturned a lower court decision, concluding that the costs incurred by the airline were not excluded from coverage.
This decision is, no doubt, being studied very closely by many lawyers preparing for what is likely going to be a flurry of litigation activity in the near future.