The CrowdStrike Outage and the Importance of Requiring Limitation of Liability Carve Outs in Software Contracts

 
 

The recent global tech outage caused by CrowdStrike’s code issue may be the “largest IT outage in history,” but it's certainly not the first time we’ve seen the ripple effects on downstream businesses caused by major companies being hit by code and security flaws.  Nor will it be the last. 

Many people assume that businesses affected by the IT outage will be able to recoup costs from their own business interruption insurers.  But traditional policies, which typically envision and respond only to physical damages interrupting the ability to carry on business as normal, are not written for interruptions to business operations due to computer issues.  While Business Network Interruption Insurance can address computer issues, those types of policies are sometimes limited to malicious hacking and the like, which would not cover a case like the CrowdStrike losses.

In addition to business interruption insurance coverage, aggrieved CrowdStrike customers may also look to the CrowdStrike software contract to find out how much can be recouped from CrowdStrike as a result of its error.  Unfortunately, they may learn that the contract all but closes the door to any recourse against the software provider.

To learn why, let’s review the sections of the CrowdStrike Terms and Conditions that would apply to claims from this incident.

First, we make a stop at section 8.2—the warranty section:

“8.2 Product Warranty.  If Customer has purchased a Product, CrowdStrike warrants to Customer during the applicable Subscription/Order Term that: (i) the Product will operate without Error . . .”

This seems promising!  “Error” is defined earlier in this contract as “a reproducible failure of a Product to perform in substantial conformity with its applicable Documentation.”  Especially given that CrowdStrike has publicly admitted that its own bad code in a software update was the cause of the crash, we’ve got a pretty solid argument that the Product did not operate without Error.  

Hope dawns, and then is quickly dimmed as we read on:

Your sole and exclusive remedy and the entire liability of CrowdStrike for its breach of this warranty will be for CrowdStrike, at its own expense to do at least one of the following: (a) use commercially reasonable efforts to provide a work-around or correct such Error; or (b) terminate your license to access and use the applicable non-conforming Product and refund the prepaid fee prorated for the unused period of the Subscription/Order Term.  

As CrowdStrike’s lawyers have no doubt been reiterating ad nauseam, they have been making all the commercially reasonable efforts to correct the error, and therefore under the terms, CrowdStrike owes aggrieved customers nothing more under the warranty section.  For those thinking, “Okay, but surely there are other warranties, and some common-law concept that you can’t do the digital equivalent of pushing oily rags under my door and blaming me when they catch fire and burn down my business,” you are right, but once again the CrowdStrike lawyers are ahead of you in section 8.6:

8.6 Disclaimer. EXCEPT FOR THE EXPRESS WARRANTIES IN THIS SECTION 8, CROWDSTRIKE AND ITS AFFILIATES DISCLAIM ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, CROWDSTRIKE AND ITS AFFILIATES AND SUPPLIERS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT WITH RESPECT TO THE OFFERINGS AND CROWDSTRIKE TOOLS. THERE IS NO WARRANTY THAT THE OFFERINGS OR CROWDSTRIKE TOOLS WILL BE ERROR FREE, OR THAT THEY WILL OPERATE WITHOUT INTERRUPTION OR WILL FULFILL ANY OF CUSTOMER’S PARTICULAR PURPOSES OR NEEDS.

This language, which is fairly standard to software contracts, effectively forecloses anyone from getting very far with any argument about warranties or duties owed, except for those explicitly stated and agreed. 

Despite the warranty avenue seeming pretty closed, you know that a good lawyer can come up with a cause of action that allows a customer to bring a suit on other grounds.  But, if we keep reading, we learn that CrowdStrike’s Terms and Conditions limit any and all recovery for any reason, and regardless of the number of claims, to “fees paid” for the software during that term:

10. Limitation of Liability. 10.1 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT FOR LIABILITY FOR ANY AMOUNTS PAID OR PAYABLE TO THIRD PARTIES UNDER SECTION 9 (INDEMNIFICATION), CUSTOMER’S PAYMENT OBLIGATIONS, AND/OR ANY INFRINGEMENT OR MISAPPROPRIATION BY ONE PARTY OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY IN CONNECTION WITH THIS AGREEMENT OR THE SUBJECT MATTER HEREOF (UNDER ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STATUTE, TORT OR OTHERWISE) FOR ANY LOST PROFITS, REVENUE, OR SAVINGS, LOST BUSINESS OPPORTUNITIES, LOST DATA, OR SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES OR SUCH DAMAGES OR LOSSES WERE REASONABLY FORESEEABLE; OR (B) AN AMOUNT THAT EXCEEDS THE TOTAL FEES PAID OR PAYABLE TO CROWDSTRIKE FOR THE RELEVANT OFFERING DURING THAT OFFERING’S SUBSCRIPTION/ORDER TERM. THESE LIMITATIONS WILL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY SPECIFIED IN THIS AGREEMENT. MULTIPLE CLAIMS SHALL NOT EXPAND THE LIMITATIONS SPECIFIED IN THIS SECTION 10.

The Limitation of Liability section is often referred to as the “LOL,” though usually no one is laughing when it comes into play.  However, if you note the section above in the LOL that was not underlined—the exceptions—none of those would apply in this instance.  But if we had been tasked with reviewing these terms, you can bet we would have tried to negotiate an exception for a situation like the one that occurred.  This exceptions sentence is exactly where we typically put extra carveouts into software contracts we review for our clients.  In addition to the indemnification and IP exceptions already there, companies—at least those with the bargaining power to redline software contracts—should demand a carveout for negligence or misconduct.  The fortunate companies in this case that do have this kind of exception to the LOL will have a much clearer path to recovery from CrowdStrike. 

All this doesn’t mean that there’s no hope for those left out in the cold.  As we often counsel our clients, when there’s enough money at stake, people will bring suit regardless of the contractual provisions.  (This is sometimes cynically shortened to, “Where there’s a bill, there’s a way.”) That said, the CrowdStrike incident is a good reminder to us all about the value of good contract lawyering, and of paying attention to those nitty gritty terms.

We regularly draft and negotiate contracts for clients.  If you have questions about technology or other commercial contracts, feel free to contact us.
