- Delta Air Lines seeks damages from CrowdStrike and Microsoft for a July software outage.
- The outage forced Delta to cancel 6,000 flights, potentially costing $350 million to $500 million.
- CrowdStrike's liability may be limited to refunds, making significant compensation unlikely.
Delta Air Lines is gearing up to demand money following an outage that sent the world, including the airline, into chaos.
The carrier hired star attorney David Boies to seek damages from CrowdStrike and Microsoft for the July 19 computer outage that forced Delta to cancel about 6,000 flights, CNBC reported on Monday.
Boies has represented Theranos founder Elizabeth Holmes, Al Gore in the 2000 presidential election, and the US government in an antitrust case against Microsoft in 1998.
His law firm, Boies Schiller Flexner, and Delta did not respond to Business Insider's requests for comment sent outside regular business hours.
While no lawsuit has been filed, Delta plans to seek compensation from CrowdStrike and Microsoft, CNBC reported.
Delta's stock was little changed after closing on Monday, but CrowdStrike's stock was down 5.5% in after-hours trading.
Earlier this month, CrowdStrike disrupted business globally, after a defect in a software update from the cybersecurity firm caused many thousands of Microsoft computer systems to shut down.
Analysts estimated that Delta, which was one of the worst-hit airlines, will suffer between $350 million to $500 million hit to earnings this quarter because of reputational damages and ticket refunds, Bloomberg reported last week.
Liability limited to refunds
But Delta and its new team of Boies-led lawyers might not be able to get much from CrowdStrike, experts say.
The cybersecurity firm's terms and conditions say that CrowdStrike doesn't have to shell out anything more than a refund.
The terms for CrowdStrike's Falcon security software — which is used by companies and government agencies around the world — limit liability to "fees paid."
This means that if companies like Delta had a claim for damage or lost revenue, CrowdStrike would only pay those companies the cost of the software, Elizabeth Burgin Waller, the chair of the Cybersecurity & Data Privacy practice at Woods Rogers, told Business Insider earlier this month.
"Delta would have to overcome the harsh limitation of liability provisions that CrowdStrike drafted into its contract with customers," Haim Ravia and Dotan Hammer, cyber and privacy partners at law firm Pearl Cohen, wrote in a note to Business Insider.
For any negligence claims, "Delta would need to prove that its harm was reasonably anticipated," the lawyers said.
Even individuals hoping to seek damages from CrowdStrike through proposed class action lawsuits may have little luck.
A class action against CrowdStrike would face challenges demonstrating whether the harm suffered is similar throughout the entire class, the partners at Pearl Cohen said. This means that individual victims, small companies, and large companies cannot group together against CrowdStrike, since the harm to them is different.
Mauricio Sanchez, a senior director at a tech market research firm Dell'Oro Group, said that CrowdStrike may not have to pay at all.
"While it will be a miserable summer for CrowdStrike lawyers, as they defend themselves from customers with torches and pitchforks, I don't see CrowdStrike having to pay much, if any, compensation," Sanchez told trade publication Fierce Network last week.
A recent case — this one about hacking, not just a software update gone wrong — offers some precedent for how big customers like Delta could fare in court.
In 2020, hackers broke into Texas-based SolarWinds' systems and added malicious code to the company's software system. More than 30,000 customers then were unwittingly sent software updates that included the hacked code, which led to hackers spying on company and government organizations.
Earlier this month, a US judge dismissed most of a Securities and Exchange Commission lawsuit accusing SolarWinds of defrauding investors by hiding security weaknesses.
Between customer agreements that favor CrowdStrike and SolarWinds largely beating the SEC, CrowdStrike stands a good chance in court, Sanchez said.
Andrew Selbst, an assistant professor at UCLA School of Law, told Harvard Law Today last week that customers could sue over negligence, a common class action lawsuit.
"Ultimately, they're difficult to win," he said.
Another consequence for CrowdStrike could be regulation, especially from the Federal Trade Commission.
"The FTC has a pattern of settling with these companies and keeping them under a consent decree for 20 years or so," Selbst said. "But with the FTC, you don't get individual customers receiving damages or compensation. This is just a regulatory regime, and they receive fines payable to the federal government."