As I previously noted (here), late last week a CrowdStrike shareholder initiated a securities class action lawsuit against the company and certain of its executives based on allegations relating to the company’s alleged role in the recent global IT outage. As I think we all fully understood at the time, the company’s legal woes would hardly be contained to that single lawsuit. As might be expected, additional lawsuits have also started to arise, including an action filed against the company on Monday on behalf of all airline passengers whose air travel was disrupted by the IT outage. A copy of the new complaint against CrowdStrike can be found here.

The Lawsuit

The new lawsuit was filed in the Western District of Texas on August 5, 2024, by three individuals who claim to have suffered travel disruption as a result of CrowdStrike’s allegedly negligent software security update of its Falcon platform.

The three individuals filed the lawsuit on their own behalf and on behalf of “all persons who had a flight delayed or cancelled as a result of the CrowdStrike Outage.” The plaintiffs also filed the complaint on behalf of three subclasses: All California citizens who had a flight delayed or cancelled as a result of the CrowdStrike outage; all Ohio citizens who had a flight delayed or cancelled as a result of the CrowdStrike outage; and all Pennsylvania citizens who had a flight delayed or cancelled as a result of the CrowdStrike outage.

The complaint alleges that CrowdStrike’s Falcon platform is used by many of the world’s largest companies, including companies in the aviation industry. The faulty Falcon update, the complaint alleges, disrupted airline and airport IT systems, “causing a cascade of flight delays and cancellations as airlines struggled to operate with their computer systems offline.”

The complaint alleges that CrowdStrike’s flawed update “not only interfered with airlines – it also severely interrupted the lives of the millions of people traveling in the days immediately following the CrowdStrike Outage.” The outage “grounded thousands of flights and delayed thousands more, often stranding travelers in airports thousands of miles away from their intended destination for hours – and even days.” The delays were not the only consequence for travelers; “many travelers had no option but to spend hundreds of dollars or more on additional meals, lodging, or other travel arrangements as they desperately sought a way to their destination. “

The crux of the complaint is its allegations that CrowdStrike’s “failure to properly develop, test, and deploy the Falcon update caused the CrowdStrike Outage and delayed or cancelled Plaintiffs’ and Class members’ flights. These delays and cancellations in turn forced Plaintiffs and Class members to incur additional expenses and damages. This action seeks to remedy these consequences of CrowdStrike’s negligence.”

The complaint alleges claims on behalf of the plaintiffs and on behalf of the class for “negligence, violation of the California Unfair Competition Law, and public nuisance.” The complaint seeks declaratory relief, injunctive relief, monetary damages, statutory damages, punitive damages, equitable relief, and all other relief authorized by law.

Discussion

Given the extent of the CrowdStrike outage’s impact, the purported class on whose behalf these plaintiffs filed this action is massive. There would seem to be little doubt that many of the members of this putative class suffered damages as a result of the impact of the IT outage. The question would seem to be whether or not these aggrieved individuals have any legal basis on which to pursue these claims against CrowdStrike.

A threshold issue would seem to be whether or not CrowdStrike had legal duties to the prospective claimants of the type that would support the claims the plaintiffs seem to assert. The supposed relationship between CrowdStrike and the airlines passengers is at best indirect and remote; the plaintiffs seek to overcome the distance between themselves and CrowdStrike by alleging that the harms the IT outage caused were foreseeable. Whether or not the supposed connection between CrowdStrike and the passengers is sufficient to support a legal basis for the plaintiffs’ claims remains to be seen.

Another potential barrier to any recovery by the passengers from CrowdStrike would seem to be that if the passengers have any gripe, it is with the airlines, not CrowdStrike. The obligations of the airlines to compensate passengers in the event of flight delays and cancellations are well-established and defined by various conventions and protocols. It could well be that the passengers’ efforts to claim against CrowdStrike is an effort to circumvent the limitations of these conventions and protocols. To the extent the passengers assert claims against the airlines, the airlines in turn could seek themselves to go against CrowdStrike, as indeed appears to be the case on behalf of one airline, Delta.  

There is also an interesting causation issue. The software update caused certain Microsoft software to fail to perform, which in turn caused the the airlines flight scheduling software to fail; the airlines’ flight scheduling software disruption is what caused the flight delays and cancellations. There are several causal steps between CrowdStrike and the harmed passengers. The question will be whether the causal sequence is sufficiently remote and indirect that the CrowdStrike cannot be held responsible for the harm.

In any event, it is worth noting that this lawsuit was filed solely against CrowdStrike; it does not name any directors, officers, or employees as defendants. In light of the fact that the complaint asserts only entity claims, this new lawsuit is unlikely to trigger the company’s D&O insurance policy. D&O insurance for public companies, such as CrowdStrike, provide entity coverage only for securities claims. This new lawsuit does not assert any securities law claims, and so there would appear to be no entity coverage available under the company’s D&O insurance policy for this new suit.

The company may well seek to have other coverages in its insurance program respond to this complaint; it is going to be an awkward fit for any policy, but certainly the company may seek to find coverage for the claim under its CGL policy; its Cyber liability policy; and its Tech E&O policy. Others with more detailed knowledge of these other coverages may be better positioned than I am to assess whether the company could secure coverage for this lawsuit under these other policies.

The one thing I will say is that my wife and I are members both of the putative class and of the subclass of Ohio citizens whose flights were delayed or cancelled, as we had our flight to Seattle on July 19 both delayed and cancelled. As aggrieved as we are, our out-of-pocket costs were minimal, consisting of one airport meal for each of us, for a total of about thirty bucks. We didn’t incur any hotel costs for the absolutely horrible reason that we spent the night in the concourse at O’Hare. Others may have suffered more substantial out of pocket costs and may feel much more aggrieved. The question is whether there is a legal theory that supports a claim for damages against CrowdStrike on behalf of the aggrieved passengers.