
The July 19, 2024 CrowdStrike Outage, which has been called the “largest outage in the history of information technology,” disrupted airlines, hospital, hotels, banks, retail businesses, and many other critical cogs in the wheels of commerce. The disruption and adverse publicity surrounding the incident also caused CrowdStrike’s share price to decline as well – over the course of several days following the incident, its shares declined about 30%, representing a market capitalization drop of nearly $12.5 billion. In a world where “everything, everywhere is securities fraud,” this surely seemed like a situation that would produce a securities class action lawsuit. Yet, surprisingly, no securities suit was filed. That is, until now.
On July 30, 2024, a plaintiff shareholder filed a securities class action lawsuit in the Western District of Texas against the company, its CEO, and its CFO. A copy of the complaint can be found here. The complaint purports to be filed on behalf of investors who purchased the company’s shares between November 29, 2023, and July 29, 2024.
The complaint alleges that during the class period, the defendants “repeatedly touted the efficacy” of the company’s Falcon software platform, “while assuring investors that CrowdStrike’s technology was ‘validated, tested, and certified.’”
The complaint alleges that the defendants’ reassuring statements were false and misleading because the defendants failed to disclose that: “(1) CrowdStrike had instituted deficient controls in its procedures for updating Falcon and was not properly testing updates to Falcon before rolling them out to customers; (2) this inadequate software testing created a substantial risk that an update to Falcon could cause major outages for a significant number of the Company’s customers and (3) such outages could pose, and in fact ultimately created, substantial reputational harm and legal risk to CrowdStrike.”
The complaint alleges that the defendants violated Section 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the class.
Discussion
Given the magnitude of the CrowdStrike outage and the extent of its disruptive effect, as well as the magnitude of the decline in the company’s share price, it was a little bit puzzling (at least to me) that we didn’t see a securities suit filing against the company in the days immediately after the outage incident. The filing of a securities suit did seem inevitable, and now the lawsuit has in face been filed. However, now having read the complaint I can see why at least some plaintiffs’ lawyers may have hesitated to jump in on a suit against the company.
In many ways, this complaint reads like more of a mismanagement suit, or perhaps even a Tech E&O lawsuit, than a securities fraud lawsuit. At a minimum, when the time comes for the court to assess the adequacy of the plaintiff’s pleadings, the court will struggle to find allegations of scienter sufficient to satisfy the plaintiff’s pleading requirements.
The company’s legal woes play an interesting role in the plaintiff’s complaint. Among other things, the complaint specifically refers to the July 29, 2024, news reports that Delta Airlines had hired “prominent attorney David Boies” to “seek damages from the Company following the CrowdStrike Outage.” The complaint alleges on that on this news the company’s share price declined another 10%.
Those readers puzzling out exactly how to classify or categorize this new suit might struggle to put it in a standard securities litigation category. It certainly is not a cybersecurity-related securities lawsuit, even though the software being updated in the incident was cybersecurity software.
This new lawsuit is more akin to the securities lawsuit that was filed against BP after the Deepwater Horizon incident or the securities suit that was filed against Arconic after the Grenfell Towers fire. That is, this is yet another case where a company sustained a major operating incident and plaintiffs’ lawyers after the fact have attempted to translate the incident into securities fraud. In other words, this new suit is a classic event-driven lawsuit. To be sure, that doesn’t necessarily mean it is not meritorious; for example, the securities suit filed against BP relating to the Deepwater Horizon incident settled for $175 million.
All of that said, I confess strong personal feelings with respect to the events described in this new complaint. Because of the disruption of the CrowdStrike outage, my wife and I spent the night of July 19/morning of July 20 in the concourse at O’Hare after our flight to Seattle for a wedding was cancelled. We missed the wedding; in fact, we never even made it to Seattle. I travel a lot, so when I say this was one of the worst travel experiences of my life, it has some depth to it. So, great, go ahead and sue CrowdStrike. It may or may not be securities fraud, but it was a horrible mess. The airlines didn’t cover themselves in glory either.