Com TW NOw News 2024

Legal pressure mounts on CrowdStrike, could lead to software liability

The CrowdStrike update that crippled businesses, disrupted consumer travel plans, and knocked French and British broadcasters offline has, as expected, led to a flurry of lawsuits filed by investors and customers of both CrowdStrike and other affected companies.

However, the incident could also go the other way: software liability.

The general consensus among legal experts is that CrowdStrike is likely protected by its general terms and conditions, which cap refunds at what customers paid for the product, limiting its liability for what the company now calls "the Channel File 291 Incident." But the fact that affected businesses and consumers have so few options for seeking damages is likely to spur federal legislation and state regulation to hold software companies accountable for such mayhem, said Chinmayi Sharma, an associate professor of law at Fordham University.

“This is an extremely interesting and important example of why the call for greater software liability is urgent, from the perspective of protecting critical infrastructure and protecting consumers,” she said. “There are these enormous barriers in the existing doctrine that prevent users, licensees, purchasers of software and third parties from successfully bringing lawsuits against software manufacturers, and so I think this is going to be an exemplary example of why reform is necessary to address those enormous barriers.”

On July 19, CrowdStrike pushed out an update to its sensors to detect additional attacks that abuse a Windows inter-process communication feature known as "named pipes." According to the firm's August 6 root cause analysis, the update, a channel file numbered 291, "defined 21 input parameters, but the integration code ... provided only 20 input values to compare against." The sensor indexed one value past the end of the supplied data, an out-of-bounds memory read, and because the sensor runs as a kernel driver, every Windows system that received and applied the update crashed with the Blue Screen of Death.
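The bug class CrowdStrike describes, as an added C illustration that is not the company's code and does not reproduce its sensor's internals: a detection template declares a parameter count, the integration layer supplies fewer values, and an unchecked matcher indexes past the end of the supplied array. The types and function names (template_t, event_t, validate_template, match_checked) and the sample strings are hypothetical; the fix shown is a load-time count check that rejects the template before any comparison runs.

```c
/* Added example, not CrowdStrike code. Models a template that declares
 * more parameters than the integration code supplies (21 vs 20) and the
 * load-time validation that refuses it instead of reading out of bounds.
 * All names and sample data are hypothetical/constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 32

/* A detection template: nparams expected strings compared against an event. */
typedef struct {
    const char *name;
    size_t nparams;               /* parameters the template declares */
    const char *const *expected;  /* nparams entries */
} template_t;

/* An event exactly as the integration code hands it to the matcher. */
typedef struct {
    size_t nvalues;               /* values actually supplied */
    const char *const *values;    /* nvalues entries */
} event_t;

/* Unchecked matcher: trusts t->nparams and indexes e->values[] up to it.
 * If nparams > nvalues the loop reads past the end of values[]; in a kernel
 * driver that is an access violation, i.e. a crash. Only safe after
 * validate_template() has accepted the pair. */
bool match_unchecked(const template_t *t, const event_t *e) {
    for (size_t i = 0; i < t->nparams; i++) {
        if (strcmp(t->expected[i], e->values[i]) != 0)
            return false;
    }
    return true;
}

/* Load-time check: the declared count must be sane and must equal the
 * number of values the integration code will supply.
 * Returns 0 when the template may be used, -1 when it must be rejected. */
int validate_template(const template_t *t, size_t values_supplied) {
    if (t->nparams == 0 || t->nparams > MAX_PARAMS)
        return -1;                /* absurd count: reject */
    if (t->nparams != values_supplied)
        return -1;                /* e.g. 21 declared vs 20 supplied: reject */
    return 0;
}

/* Checked matcher: compares only when the counts agree; otherwise reports a
 * rejection and never touches memory past the end of e->values[]. */
bool match_checked(const template_t *t, const event_t *e, bool *rejected) {
    *rejected = validate_template(t, e->nvalues) != 0;
    if (*rejected)
        return false;
    return match_unchecked(t, e); /* safe here: nparams == nvalues */
}

/* Convenience: just the load-time verdict for a template/event pair. */
bool template_rejected(const template_t *t, const event_t *e) {
    bool rejected;
    (void)match_checked(t, e, &rejected);
    return rejected;
}

/* Constructed sample data (not real channel-file content). */
static const char *const SAMPLE_EXPECTED_21[21] = {
    "p0", "p1", "p2", "p3", "p4", "p5", "p6", "p7", "p8", "p9", "p10",
    "p11", "p12", "p13", "p14", "p15", "p16", "p17", "p18", "p19", "p20"
};
static const char *const SAMPLE_VALUES_20[20] = {
    "p0", "p1", "p2", "p3", "p4", "p5", "p6", "p7", "p8", "p9", "p10",
    "p11", "p12", "p13", "p14", "p15", "p16", "p17", "p18", "p19"
};

const template_t BAD_TEMPLATE  = { "declares-21", 21, SAMPLE_EXPECTED_21 };
const template_t GOOD_TEMPLATE = { "declares-20", 20, SAMPLE_EXPECTED_21 };
const event_t    SAMPLE_EVENT  = { 20, SAMPLE_VALUES_20 };

int main(void) {
    bool rejected;
    bool hit = match_checked(&BAD_TEMPLATE, &SAMPLE_EVENT, &rejected);
    printf("%s: %s\n", BAD_TEMPLATE.name,
           rejected ? "rejected at load" : (hit ? "match" : "no match"));
    hit = match_checked(&GOOD_TEMPLATE, &SAMPLE_EVENT, &rejected);
    printf("%s: %s\n", GOOD_TEMPLATE.name,
           rejected ? "rejected at load" : (hit ? "match" : "no match"));
    return 0;
}
```

The point of the split is that the count check happens once, when content is loaded, rather than being repeated inside the hot matching loop; a template whose declared parameter count disagrees with what the caller supplies is refused outright, which is the outcome a validator or a staged rollout would have produced instead of a fleet-wide crash.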

The bad update affected 8.5 million computers, caused at least $5.4 billion in losses to Fortune 500 companies, and produced widespread operational disruptions, particularly among airlines and healthcare institutions.

In a statement filed with the SEC on August 8, Delta, the hardest-hit airline, estimated a direct revenue hit of $380 million from refunding customers for canceled flights plus $170 million in recovery costs. The company canceled 7,000 flights in five days, angering customers, with the cancellations offset only by roughly $50 million in fuel savings.

“An operational disruption of this length and scope is unacceptable, and our customers and employees deserve better,” Delta CEO Ed Bastian said in the filing. He added: “We are pursuing legal action against CrowdStrike and Microsoft to recover damages caused by the outage, totaling at least $500 million.”

Legal cases already pending

Delta is far from the only party in litigation. CrowdStrike faces class-action lawsuits from investors after its stock fell more than 36%, from $343 on July 18, the day before the bad update, to less than $218 on Aug. 2.

The incident has led to numerous shareholder lawsuits, not only against CrowdStrike, but also against Delta. Some of the current lawsuits include:

The incident has led to an investigation by the US House Committee on Homeland Security.

While investor lawsuits and government investigations pursue different goals, customer lawsuits like Delta's, and any suit brought by small businesses, face an uphill battle. As CrowdStrike's attorneys noted in a letter to Delta, business customers would have to explain why the liability limits in their contracts should be set aside, detail every action taken or not taken to recover from the outage, and show how their infrastructure was designed to be resilient.

“Delta’s public threats of litigation distract from (our remediation) efforts and have contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage,” the company’s attorney stated in the letter. “Should Delta choose to pursue this path, Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions – promptly, transparently, and constructively – when Delta did not.”

And what about the increasing shareholder lawsuits?

“We believe the lawsuit has no merit and we will vigorously defend the company,” a CrowdStrike spokesperson told Dark Reading.

The long road to software liability

Still, the outage and its legal fallout can only add fuel to efforts to hold software companies more accountable for their products. Right now, the bar for successfully bringing a case against a software maker is so high that most lawyers aren’t even willing to try, Fordham’s Sharma says.

“The way these cases are being handled gives us a lot of insight into how high these barriers are and what needs to be reformed,” she says, adding: “We don’t have a lot of case law on this … so this will be very exemplary in showing exactly what the contours of these barriers are.”

The software liability landscape is unsettled. While it may seem simple on the surface (“software makers should be held accountable for unsafe software”), even the question of who is liable quickly becomes complex, as the interaction between Delta Air Lines, CrowdStrike, and Microsoft illustrates: the airline, the security vendor whose update crashed the machines, and the operating-system vendor whose kernel the sensor runs in.

Software liability legislation and regulation would have to resolve this question, among many others, the Atlantic Council’s Cyber Statecraft Initiative argued in a 32-page analysis published earlier this year.

“Software security is a ‘shared responsibility’ problem: users of software, in addition to developers, have significant control over cybersecurity outcomes through their own security practices,” the report said. “Tort law already has concepts of ‘comparative negligence’ where the injured party’s conduct contributed significantly to the harmful outcome. Policymakers may wish to map this concept explicitly into the software context to balance certain policy goals.”

Even if software liability rules were established, CrowdStrike’s practices would likely have exceeded what those rules require, said Brian Fox, CTO of Sonatype, a software integrity firm. He pointed out that “a series of relatively minor errors led to an eventual crash when one final factor was put in place.” While some have alleged that the company failed to test its updates, it is more likely that the company simply failed to consider every scenario, a common mistake, he said.

“We urgently need reform to rebalance corporate risk-taking on behalf of their customers, (but) the details of how this problem has unfolded likely make it just one part of the case study for reform,” Fox says. “This is unfortunately very typical of software and highlights why we are not yet ready for perfectly strict liability standards.”