CrowdStrike condemns Delta’s allegations of negligence in bitter letter

CrowdStrike responded forcefully to Delta Air Lines’ claims of negligence and misconduct in a letter sent Sunday to the company representing Delta, signed by attorney Michael Carlinsky. It is the latest instance of public litigation following CrowdStrike’s recovery from a global outage that was caused by a faulty software update made available on Windows servers on July 19.

Delta was the hardest hit major airline — its disruptions were longer and more widespread than those experienced by United Airlines, American Airlines, and others. As the airline grappled with the scale and length of the outage, it took steps to publicly shift some of the blame to the cybersecurity vendor.

Delta CEO Ed Bastian told CNBC last week that the airline is considering taking legal action seeking compensation for $500 million in costs incurred by the airline. “We want to make sure we get compensation, no matter what they decide, for what it cost us,” Bastian said.

CrowdStrike shifted responsibility for recovery to Delta. The airline rejected CrowdStrike’s help in recovering its systems, according to the letter, which was shared with CIO Dive.

“Delta’s public threats of lawsuits distract from this work and have contributed to the misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage,” Carlinsky said in the letter. “If Delta continues down this path, Delta will need to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions — promptly, transparently, and constructively — when Delta did not.”

Carlinsky also ordered Delta to retain information relating to its emergency backup, disaster recovery and IT business continuity plans, as well as records of any testing of those plans.

A Delta spokesman declined to comment on CrowdStrike’s letter, but referred to Bastian’s comments to CNBC. CrowdStrike, through a spokesperson, said in an email that it hopes Delta will consider the matter and agree to work toward a collaborative resolution.

“Both sides are basically setting their battle lines at this stage,” said Scott Bickley, Head of Consulting at Info-Tech Research.

Cost recovery

The CrowdStrike outage is expected to cost Fortune 500 airlines $860 million in direct losses, or more than $143 million per airline, according to Parametrix estimates.

CrowdStrike, a leading provider of enterprise-class endpoint protection management solutions, is also grappling with the reputational cost associated with the failure.

Delta’s agreement with CrowdStrike includes a limitation of liability clause that limits CrowdStrike’s liability for the disruptions “to an amount in the range of several million,” the letter says.

Accordingly, potential lawsuits seeking compensation for Delta’s outage and related costs would first be resolved under the contractual liability provisions, according to Bickley.

“A standard limitation of liability (LOL) clause for most SaaS contracts limits liability to the actual funds spent on the subscription during a set period of time, usually the previous twelve months,” Bickley said in an email. “Many companies will negotiate a multiple of this amount or a set cap.”

Bickley said the supplier’s liability would likely be equal to the annual outlay, or a multiple of the annual outlay, if the clause was negotiated.

“Many large companies surprisingly do not negotiate these terms and default to the language of their supplier agreements, which benefits the supplier,” Bickley said. “Delta will likely seek damages beyond the LOL limit and may rely on other legal arguments to take the claim to mediation or third-party litigation.”

The failure and its impact on operations forced companies to focus on automatic management of software updates and how IT can best prepare to overcome prolonged interruption of critical systems.