
You Should be Looking at Your IT Contracts Differently after CrowdStrike Outage

You’ve undoubtedly heard of, and may have been directly affected by, the widespread Windows system crash that was apparently caused by a software update released by the cybersecurity company CrowdStrike. The outage has had an enormous financial impact; Delta Air Lines alone claims $500 million in damages and says that it will sue both Microsoft and CrowdStrike as a result. See https://www.wsj.com/business/airlines/delta-ceo-says-crowdstrike-tech-outage-costs-could-reach-500-million-3b7f5a13. CrowdStrike has indicated that the Windows system crash was caused by a “bug” in a software update that was pushed to its customers. See https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/. Although some terms and conditions are available online, we aren’t privy to the exact contracts that Delta has with Microsoft and CrowdStrike. In any event, many IT contracts (software licenses, SaaS agreements, and IT services contracts) include limitation of liability (“LOL”) provisions and limitation of warranty (“LOW”) provisions. These provisions protect IT vendors. Rarely do they protect customers.

Most LOL provisions restrict a customer’s ability to recover any “consequential” or downstream damages from a vendor. Consequential damages usually include items such as lost profits, lost business opportunities, and lost data, even if these losses were reasonably foreseeable. Vendors may insist on including LOL provisions on the grounds that the provisions apply equally to both the customer and the vendor. However, since the customer’s risks (e.g., a system outage) are often far higher than the vendor’s risks (e.g., the customer’s nonpayment), these “equivalent” provisions usually favor the vendor. LOW provisions further limit a customer’s recovery of damages caused by vendors. For example, many LOW provisions relating to cybersecurity promise that the vendor’s services will operate without error. However, such LOW provisions also state that the customer’s sole remedy is a refund, or that the vendor will use reasonable efforts to correct the error. So long as the vendor uses reasonable efforts to correct the error, the vendor isn’t violating the agreement even if the error is never corrected. Many contracts require that updates be implemented, and some LOW provisions nullify any stated warranties if the customer doesn’t implement an update provided by the vendor. Thus, it’s important for customers to understand how updates that, for example, might be automatically pushed to various platforms could negatively impact a system’s performance, and whether the customer needs or wants more control over how updates are implemented in its systems.

For at least these reasons, it’s critical for customers to understand how these and other provisions in many IT contracts limit, and potentially eliminate, the possibility of recovering damages caused by the vendor. When systems are running smoothly and major interruptions are rare, customers might accept the above-mentioned provisions as being “standard” or “market.” However, thinking about the severity of potential outages and pushing back during negotiations on LOLs and LOWs could put your company in a much better position should another CrowdStrike-like outage occur.
