CrowdStrike struck back forcefully against Delta Air Lines' claims of negligence and misconduct in a letter sent Sunday to the firm representing Delta, signed by attorney Michael Carlinsky. It's the latest in what has become a public dispute following recovery from the global CrowdStrike outage, which was caused by a faulty software update pushed to Windows servers on July 19.
Delta was the hardest hit major airline carrier — its disruption lasted longer and reached further than what United Airlines, American Airlines and others experienced. As the airline grappled with the scale and length of the outage, it moved to shift some of the blame publicly against the cybersecurity provider.
Delta CEO Ed Bastian told CNBC last week the airline was considering legal action, seeking compensation for the $500 million in costs the airline had endured. “We’re looking to make certain that we get compensated, however they decide to, for what they cost us,” Bastian said.
CrowdStrike pushed the recovery responsibility back on Delta. The airline declined CrowdStrike’s help with systems recovery, according to the letter, which was shared with CIO Dive.
"Delta’s public threat of litigation distracts from this work and has contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage," Carlinsky said in the letter. "Should Delta pursue this path, Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions — swiftly, transparently, and constructively — while Delta did not."
Carlinsky also directed Delta to preserve information related to its emergency backup, disaster recovery and IT business continuity plans, as well as records of any testing of those plans.
A Delta spokesperson declined to comment on CrowdStrike's letter, but referenced Bastian's statements to CNBC. CrowdStrike, through a spokesperson, said in an email it hopes Delta reconsiders and agrees to work on a joint resolution to the problem.
"Both sides are essentially drawing their battle lines at this point," said Scott Bickley, advisory practice lead at Info-Tech Research.
Recouping the cost
CrowdStrike's outage is projected to cost Fortune 500 airlines $860 million in direct losses, more than $143 million per airline, according to Parametrix estimates.
CrowdStrike — a dominant provider of enterprise-grade endpoint protection management — is also grappling with the reputational cost of the outage.
Delta's contract with CrowdStrike includes a limitation of liability clause that caps CrowdStrike's responsibility over disruptions "at an amount in the single-digit millions," the letter said.
Potential lawsuits seeking compensation for Delta's outage and associated costs would have been previously determined by contractual liability stipulations, according to Bickley.
“The standard limitation of liability (LOL) clause for most SaaS agreements caps liability at the actual funds spent on the subscription over a set period of time, usually the previous twelve months," Bickley said in an email. "Many enterprises will negotiate a multiple of this amount or a set capped amount."
Bickley said the provider's liability is likely to match annual spend or a multiple of annual spend if the clause was negotiated.
"Many large enterprises surprisingly do not negotiate these terms and default to the language in the vendors’ agreements, which benefits the vendor," Bickley said. "Delta is likely going to pursue damages outside of the LOL cap and may rely on other legal arguments to bring the claim to a third-party dispute mediation or litigation."
The outage and its operational impact put enterprise focus on automatic software update management, and how IT can best prepare to overcome a prolonged outage of critical systems.