Learning from the CrowdStrike outage: The importance of assessing liability clauses in IT contracts

Updated on September 23, 2024 by David Lalire

In the rapidly evolving digital landscape, IT services have become the backbone of modern business operations. Companies of all sizes rely on IT service providers for cybersecurity, data management, software updates, and more.

As these services become more integral, so too does the need for clearly defined and thoroughly vetted contractual agreements, particularly regarding liability in the event of service failures or damages. The recent issues related to a CrowdStrike outage underscore the critical importance of carefully evaluating and discussing the liability clauses in IT service contracts.

The CrowdStrike outage: A cautionary tale

On July 19, 2023, CrowdStrike, a leading cybersecurity firm, experienced significant challenges following a routine software update. The update, intended to enhance security, inadvertently led to widespread outages and system disruptions across its client base. These disruptions included loss of connectivity, reduced functionality of critical security tools, and, in some cases, total system shutdowns. Among the most affected were companies in highly regulated industries, including airlines, which rely on seamless cybersecurity operations to ensure safe and efficient services.

The impact on the airline industry was particularly severe. Several major airlines reported system failures that led to flight delays and cancellations, directly affecting thousands of passengers worldwide. The operational disruptions caused by the CrowdStrike outage not only resulted in significant financial losses for the airlines but also damaged customer trust and satisfaction.

Other industries were also significantly impacted. Financial institutions, healthcare providers, and retail companies, all of which rely on constant security monitoring and uninterrupted IT services, experienced operational downtime and data accessibility issues. For these businesses, the consequences included potential breaches, loss of critical data, regulatory penalties, and significant revenue losses. The total financial damage across these sectors could be staggering, as businesses faced both immediate recovery costs and long-term impacts on customer relations and brand reputation.

Evaluating and understanding liability clauses

Liability clauses in IT service contracts are crucial for defining the extent to which a service provider is responsible for any damages that arise from their actions, including software updates, data breaches, or system failures.

These clauses typically outline:

Scope of liability: Specifies what kinds of damages the provider is liable for, such as direct, indirect, or consequential damages.

Cap on liability: Limits the maximum financial compensation a provider may be required to pay in the event of a failure.

Exclusions: Lists specific scenarios where the provider cannot be held liable, such as force majeure events or third-party software failures.

In my experience, IT service providers often attempt to minimize their liability by setting low caps on compensation. A common tactic is to limit their liability to an amount equal to the fees paid for their services over a year. This can be woefully inadequate when compared to the potential damages a business might suffer due to a critical service failure or security breach. For instance, while the contract may limit the provider’s liability to a few thousand dollars, the actual damage caused by an IT disruption could run into millions, leaving the business severely under-compensated and bearing the brunt of the loss.

The CrowdStrike outage is a prime example of how such limitations can be perilous. Businesses affected by the outage may face severe financial consequences far exceeding any liability cap based on service fees. This discrepancy underscores the need for companies to negotiate higher liability caps that reflect the true potential impact of service disruptions.

As we have explored in greater detail in a separate article, careful negotiation of limitation of liability clauses is essential to ensure adequate protection against significant financial risks.

In addition, understanding the potential risks associated with IT services allows businesses to negotiate better terms that mitigate these risks. For instance, businesses can insist on the inclusion of specific damages in the liability scope, negotiate higher liability caps, or ensure that liability clauses are comprehensive and provide adequate financial protection. By anticipating potential issues through thorough contract discussions, businesses can prepare contingency plans, ensuring that their operations continue with minimal disruption even when problems arise.

Clear liability clauses also set the expectations for both parties, reducing the likelihood of disputes and ensuring that both the service provider and the client understand their responsibilities and potential risks.

Verifying insurance coverage

Beyond the liability clauses, it is equally crucial for businesses to verify the insurance coverage of their IT service providers. Ensuring that providers have robust general and professional liability insurance is vital. These policies can offer an additional layer of financial protection if the provider’s liability cap is insufficient to cover the full extent of damages.

Businesses should not only verify the existence of such insurance but also demand that the coverage amounts are substantial enough to cover potential damages. This includes negotiating minimum coverage thresholds in the contract to ensure that, in the event of a significant incident, the business is not left exposed to financial ruin.

Practical steps for businesses

To ensure that liability clauses and insurance coverage in IT service contracts are adequately protective, businesses should:

Engage Legal Experts: Work with legal professionals who specialize in IT contracts to assess and negotiate terms that align with the business’s risk tolerance.

Review Past Incidents: Examine any previous incidents involving the service provider to understand how they were handled and whether the contract terms were sufficient.

Scenario Planning: Consider worst-case scenarios and ensure that the liability clauses and insurance coverage address these adequately.

Regular Updates: Periodically review and update contracts as the business grows or as the service provider’s offerings evolve.

Insurance Verification: Require proof of adequate insurance coverage and ensure that the provider’s policy limits are sufficient to cover potential risks.

The July 2023 CrowdStrike major outage underscores the importance of diligently evaluating and discussing IT service provider liability clauses and insurance coverage.

As businesses continue to rely on digital services, the risks associated with service disruptions or failures cannot be ignored. By ensuring that liability clauses are comprehensive, insurance coverage is adequate, and both are fair, businesses can better protect themselves against the unforeseen and ensure greater operational resilience in the face of IT challenges.

David Lalire
[email protected]

As an experienced legal counsel, I am dedicated to helping you negotiate successful deals and protect your business interests. Currently based in the Paris area, France, I am happy to assist you both in France and internationally.