
Regarding a widespread technology meltdown, reportedly caused by Microsoft and CrowdStrike, the New York Times states that the "immediate and harmful" impact included:

  • Airlines canceled flights and airports fell into chaos in the United States, Europe and Asia.

  • In the United States, operators of 911 lines in multiple states could not respond to emergencies.

  • Parts of Britain’s National Health Service reported problems.

  • New driver’s licenses could not be issued in some areas.

  • Some television broadcasters could not go on the air.

The above-referenced article claims that the economic and legal penalties are so trivial that companies like Microsoft and CrowdStrike have almost no legal incentive to change their apparently flawed practices and designs:

The outages underscored an uncomfortable reality that software companies face few liabilities for major disruptions and cybersecurity incidents. The economic and legal penalties for such significant outages can be so minimal that companies are not motivated to make more fundamental changes. While a car manufacturer would face stiff penalties for faulty brakes, a software provider can often issue another update and move on.

Thomas Parenty is a cybersecurity consultant and a former U.S. National Security Agency analyst.

“Until software companies have to pay a price for faulty products, we will be no safer tomorrow than we are today,” Mr. Parenty said.

Is this assertion correct, that companies have almost no legal incentive (criminal or civil) to not harm other corporations, or the general public, with defective or poorly designed software?

The jurisdiction of this question is global, given that companies like these typically provide tech services globally.

Amazon Dies In Darkness

4 Answers


Preface: the disruption was not caused by Microsoft; that was just the platform being used (along with CrowdStrike Falcon) by the affected entities. It's completely normal that Microsoft Windows may crash when using a faulty driver. It's also acceptable for Falcon to use a driver for its intended purpose. What is not acceptable is that CrowdStrike published an update with a broken driver which crashes the hosts.

You cannot directly claim liability from CrowdStrike for those actions. The onus is on those that directly provide the service.

In the United States, operators of 911 lines in multiple states could not respond to emergencies.

This is a big failure by the 911 lines if they are not able to function. They must have crisis plans for contingencies so the service continues being given (typically, the service is redirected to a different call-center). On the other hand, an individual center not working is per se not a problem, as long as the service itself is provided (I don't know if they then bill one another, but that's up to them to resolve later).

Some television broadcasters could not go on the air.

Here television broadcasters suffer the losses directly.

Airlines canceled flights and airports fell into chaos in the United States, Europe and Asia.

(note: some airlines were not affected at all, and this may be a bit of exaggeration, but let's go along with it)

This is a problem of the airlines and/or airports. If you had a flight canceled, the airline should compensate you (not CrowdStrike). Note that the airline chose to use this product exclusively (thus creating such risk if that product failed). Moreover, they would have had no alternative system should their systems go down (e.g. some people got hand-written boarding passes).

Maybe some of these companies might be able to pass those losses on to CrowdStrike, depending on their license agreements. Or they might fully bear the responsibility of failing to provide their service when CrowdStrike failed. Also note that, depending on which systems they deployed this agent on, their number, the count of IT people they employed and how spread out their systems were, the time to recovery would vary significantly.

These companies made a number of decisions (which were quite reasonable, by the way) which turned out to lead to a bad outcome on a failure from CrowdStrike. That has caused them an important financial loss on this day (and they may continue having to refund customers, etc.).

CrowdStrike itself, while not liable to the people with cancelled flights or who didn't have their driver's license issued, will face claims from their clients. Moreover, after this enormous failure in checking their release, a number of clients will switch to a different solution, reducing their income. Their shares have already fallen 20%. Plus, they have suffered a really big dark mark on their brand, and it will be much harder for them to attract new clients.

Despite not having a direct legal liability for these events, this won't be cheap at all for CrowdStrike.

Ángel

The short answer is that liability is universally waived contractually in software licensing agreements.

As noted in a comment from Jen, "the customers (e.g. passengers) of the directly harmed entity (e.g. an airline) cannot generally claim against the software providers because of the principle of non-recovery for relational economic loss."

Waivers of liability for ordinary negligence, or for strict liability in tort, are normally effective. Waivers of liability for intentional conduct or conduct that is carried out in bad faith (e.g. if the software company deliberately tried to sabotage your company) are not valid.

The law is not quite as uniform on whether conduct that constitutes gross negligence, is reckless, or is willful and wanton can be waived. Some jurisdictions do not allow this either. But if a simple screw-up causes a huge amount of harm, this doesn't make the mistake "gross negligence". These standards of mens rea involve disregard of a clear and serious risk that was known or that any reasonable person would have been patently aware of, without actually having any desire to harm someone.

There are some statutory liabilities that cannot be waived because a statute says so. But for the most part, the kinds of liabilities to which software companies are exposed when their software goes wrong are not as a result of statutory liabilities that expressly remove the ability to waive those liabilities by statute.

Also, sometimes, even when a contractual waiver is not fully effective to eliminate all liability, it may be effective to limit the damages that may be imposed in the event of a breach of a legal duty. For example, a contractual waiver might limit liability to the amount paid by the consumer or exclude consequential damages, even when it can't totally eliminate its liability.

Certainly, governments in the U.S. and elsewhere have the legal authority to prohibit waivers of liability in particular situations. This isn't the default rule, but it also isn't uncommon (especially outside the U.S.). But, so far, legislatures have largely declined to enact legislation of this kind.

ohwilleke

Section 8.6 of the CrowdStrike Terms and Conditions reads:

Disclaimer. EXCEPT FOR THE EXPRESS WARRANTIES IN THIS SECTION 8, CROWDSTRIKE AND ITS AFFILIATES DISCLAIM ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, CROWDSTRIKE AND ITS AFFILIATES AND SUPPLIERS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT WITH RESPECT TO THE OFFERINGS AND CROWDSTRIKE TOOLS. THERE IS NO WARRANTY THAT THE OFFERINGS OR CROWDSTRIKE TOOLS WILL BE ERROR FREE, OR THAT THEY WILL OPERATE WITHOUT INTERRUPTION OR WILL FULFILL ANY OF CUSTOMER’S PARTICULAR PURPOSES OR NEEDS. THE OFFERINGS AND CROWDSTRIKE TOOLS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. NEITHER THE OFFERINGS NOR CROWDSTRIKE TOOLS ARE FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, COMMUNICATION SYSTEMS, WEAPONS SYSTEMS, DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR ANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT IN DEATH, SEVERE PHYSICAL INJURY, OR PROPERTY DAMAGE. Customer agrees that it is Customer’s responsibility to ensure safe use of an Offering and the CrowdStrike Tools in such applications and installations. CROWDSTRIKE DOES NOT WARRANT ANY THIRD PARTY PRODUCTS OR SERVICES.

Here they say that their software isn't error free and they say that they don't guarantee that it'll do anything useful. They even state that the software shouldn't be used in life critical systems like air control systems.

They also state that it's always up to the customer to ensure that it works as it should.

These are terms that their customers agree to.

The unfortunate and surprising thing, imo, in this incident is that there are so many companies that install software on critical infrastructure that auto-updates without the companies ensuring that the machines will keep working.

All software has errors and if auto-updating is a general practice then it's a miracle that something like this doesn't happen more often.

Hans Kilian

It's a quid pro quo. Suppose you want to use my software instead of employing an army of clerks using a paper system for which you would be wholly responsible. Software is inherently more risky than clerk systems since there aren't armies of smart humans. But, it's more profitable. That's YOUR decision to go there, not mine.

You could write it from scratch and bear total liability. It's important to remember that.

Or, you could use my stuff. So as a developer, my bargain with you is that if you agree to recognize the fallibility of software and accept the risk for same and absolve me of it to a great degree, then you have my permission to use my software.

Why does it have to be like that? Because if I must absorb all liability for all knock-on effects which originated from use of my software, then I would be unable to obtain liability insurance and could not operate as a business, with the result that you'd have no software at all.

So that would take you back to writing it 100% in-house, and liability would be 100% back to you anyway.

And then instead of one well-maintained shared codebase failing spectacularly for 1 day every few years, you'd have "1000 points of little failures" as the elder George Bush might say, with random websites going down every day from independent failures in their poorer-maintained codebases. Overall it would be worse.

Harper - Reinstate Monica