You are not bound by a contract you are not a party to
So, in general, an agreement between two parties to limit one's liability to the other will have no effect on another person's cause of action.
However, ...
Almost all such claims will be founded in the tort of negligence, which requires, among other things, that the defendant:
- owes a duty of care to the plaintiff, and
- breached that duty.
The terms on which they offer their goods and services to their customers may be relevant to both issues.
There are well-established classes of people to whom a duty of care is owed - for example, drivers owe a duty of care to other road users. However, in the CrowdStrike circumstances, "the customers of my customers" are not such a class in general.
Each common law jurisdiction has its own case law to establish who owes a duty of care to whom, but the legal test set out in the English case of Caparo Industries PLC v Dickman [1990] UKHL 2 is illustrative of the general approach:
- harm must be reasonably foreseeable as a potential result of the defendant's conduct (as established in Donoghue v Stevenson),
- the parties must be in a relationship of proximity, and
- it must be fair, just and reasonable to impose liability.
The US position that someone who has suffered only economic loss cannot recover in negligence is a manifestation of the last two points - there is not sufficient "proximity", and it's not "fair, just and reasonable" to hold tortfeasors responsible for losses that are not physical. Even in jurisdictions where such recovery is possible (like England), showing that a duty of care exists is much harder in cases of pure economic loss.
The duty owed is what a reasonable person in the defendant's position would do to minimize or eliminate the harm their acts and omissions can cause.
The terms in their contracts with their customers are relevant because they go to the foreseeability of both who might be affected and the harm that they might suffer. For example, the CrowdStrike terms say:
> The offerings and CrowdStrike tools are not fault-tolerant and are not designed or intended for use in any hazardous environment requiring fail-safe performance or operation. Neither the offerings nor CrowdStrike tools are for use in the operation of aircraft navigation, nuclear facilities, communication systems, weapons systems, direct or indirect life-support systems, air traffic control, or any application or installation where failure could result in death, severe physical injury, or property damage.
That means that people who might be affected by the customer's misuse of the product in those circumstances are not people that CrowdStrike could reasonably foresee as being affected - because they're not supposed to be in the firing line for the product. This is similar to where a manufacturer of a truck rated for a 2-tonne load would not be liable if the truck failed and injured someone while loaded to 3 tonnes.
In circumstances where there was a more foreseeable risk, say, software running medical diagnostic or treatment machines, an attempt to argue that the patients were not people to whom a duty of care was owed would fail - they are self-evidently going to be affected by any software failure. Contract clauses that amount to "we're not responsible if the thing doesn't do the thing it's explicitly meant to do" are not going to help here.