Legal implications of the Crowdstrike incident: a wake-up call for IT security
On July 19, a serious IT security incident shook the digital world. A faulty update by the renowned security company Crowdstrike for its Falcon software led to massive computer failures at companies and organizations worldwide. The effects were dramatic: airplanes were grounded, hospitals had to cancel operations and numerous companies were faced with significant operational disruptions. Organizations in the USA, Germany, India and Australia were particularly affected, underlining the global dimension of this incident.
This article not only highlights the facts of the incident, but also gives you valuable insights into the legal implications. We also provide concrete recommendations for action to guide companies and organizations if they are affected by a cyber incident. For this reason, the recommendations for action are formulated in general terms. In times of increasing digital networking and dependence on IT systems, this incident shows once again how important it is to be prepared for such scenarios – both technically and legally. As legal experts, we would like to inform you about the possible legal consequences and options for action following a cyber incident.
What happened?
The Crowdstrike Falcon security software update released on July 19 was originally intended to improve the software’s protection features. Instead, it led to widespread system failures for the company’s customers. As many IT service providers also use this security software, there was a chain reaction as the IT service providers’ systems failed.
Crowdstrike Falcon, a leading product for Enterprise Detection and Response (EDR), offers comprehensive protection for end devices in corporate networks. To ensure its effectiveness, Crowdstrike uses a system of continuous updates. These updates are distributed via channel files, which allow dynamic improvements and new detection rules to be delivered seamlessly to the installed Falcon sensors. These Falcon sensors run on servers and end devices. A faulty update led to crashes and the so-called “Blue Screen of Death” on Windows systems.
Thousands of organizations worldwide reported disruptions, with estimates of tens of thousands of systems affected. Crowdstrike responded with a workaround within a few hours. However, this was not an emergency patch that could be applied automatically to the affected systems, but a work instruction for IT managers on how to reset the affected systems. The IT managers then had to carry this out manually for each affected system, which tied up considerable resources in the affected companies.
It is suspected that Crowdstrike did not adequately test the faulty update before it was released and thus overlooked the cause of the error. Even though the incident was not a targeted cyberattack, its global impact shows just how fragile the IT world can be. It is particularly ironic that the cause was security software that was actually designed to prevent such incidents.
However, this is probably also one of the reasons for the massive impact: security software typically has very extensive rights and privileges in IT systems so that it can monitor regular software and contain and eliminate threats.
Legal implications
This incident raises a number of complex legal issues. Specifically, the question of Crowdstrike’s responsibility and liability for the massive IT outage is currently under discussion. Although exact figures are not yet known, the press is reporting the largest IT incident in history. IBM estimates the cost of a data leak in 2023 at EUR 4.3 million (https://de.newsroom.ibm.com/2023-07-11_IBM-Bericht-Ein-Datenleck-kostet-deutsche-Unternehmen-durchschnittlich-4,3-Millionen-Euro). Although the Crowdstrike incident is not a data leak (as far as we currently know), the scale shows the financial dimension of cyber incidents.
Crowdstrike could be held liable for negligence in the development and testing of the update, and the duty of care in the provision of security software is particularly high. Depending on the contractual situation, IT service providers and other stakeholders could also be liable for damages caused by the failure to detect or rectify the problem in good time. Whether gross negligence should be assumed depends on detailed questions that still need to be clarified. This would also have an impact on the application of any limitations of liability. First of all, it must be clarified whether provisions in the general terms and conditions are effective at all with regard to choice of law and place of jurisdiction. If companies have made individual agreements, the outcome depends on the individual case.
As far as is known, the incident did not result in a data leak. Reporting obligations under the GDPR are therefore unlikely to apply. Nevertheless, data protection law can regularly be the starting point for claims against an IT service provider. If a data processing agreement has been concluded with an IT service provider, it can help to gather further information about the incident, because these contracts regularly provide for monitoring and auditing rights. It should also be remembered that deploying the faulty update constitutes a breach of the technical and organizational measures: under data protection law, there are possible violations of the GDPR requirements for ensuring the security of processing (Art. 32 GDPR). This could give rise to liability on the basis of the data processing agreement.
However, affected companies could also be liable themselves. Contractually, there could be breaches of service level agreements (SLAs) with customers and business partners, as well as possible breaches of supply contracts or other business agreements due to business interruptions. Affected companies could also be liable if they did not have adequate contingency plans in place. Even if you appear to have been the victim of the incident, this raises the question of whether you are liable to your own customers and business partners for shortcomings in your own IT security measures. This is because legislators in Germany and the European Union are constantly raising the legal requirements with numerous statutory regulations. These include the NIS2 Directive, DORA and some sector-specific regulations from the Digital Act, which increase the IT security requirements for hospitals and medical practices.
For companies and organisations affected by a cyber incident, it is important to document the duration and extent of the disruption as well as all measures taken to rectify the problem. Damage and losses incurred should also be quantified with a view to subsequent claims for compensation. This also applies to the working hours and specific activities carried out by employees who are now involved in rectifying the damage.
In the event of a cyber incident, reporting and transparency obligations must also be checked and observed. As a rule, the internal reporting channels must first be completed and all relevant functions (e.g. IT security, data protection, legal department, communications, HR) must be informed. It should also be checked whether and to what extent there are reporting obligations to authorities, e.g. the Bundesamt für Sicherheit in der Informationstechnik (BSI) or the data protection supervisory authorities. It should also be clarified whether and to what extent there are reporting and information obligations towards customers and other business partners.
Irrespective of any legal obligation, it must always be clarified what employees and business partners are told and how. After all, if a company is paralyzed by a cyber incident, this often lasts several days or even weeks. If no one responds to emails or the telephones are unavailable, this quickly leads to speculation. If you have taken out a cyber insurance policy, you must also pay attention to any notification obligations under that policy. Finally, depending on the type of incident, you need to clarify whether the police and security authorities should be informed and involved. It should be noted that these authorities often offer extensive assistance.
To better protect against similar incidents in the future, we recommend implementing a multi-level security concept that does not depend on a single solution, and establishing a structured process for software updates that includes testing in an isolated environment before broad rollout, wherever the technical dependencies of the software solution allow it. Develop detailed contingency plans for different scenarios and implement a robust backup system with regular recovery testing.
Effects
The Crowdstrike incident could have far-reaching consequences for the IT security industry and the regulatory environment. The requirements for security software providers are likely to become stricter, particularly with regard to testing procedures and quality assurance. In addition, there could be an increase in court proceedings to clarify liability issues in the event of IT security incidents, which may create precedents for product liability in security software. It is also to be expected that fraudsters and cyber criminals will exploit the incident to obtain money, for example through fake support offers or payment requests. Such requests should therefore be viewed critically.
There are also questions about dependence on big tech companies. Lina Khan, the head of the US Federal Trade Commission (FTC), is very much in favor of splitting up the big tech companies with market power. In the wake of the Crowdstrike incident, she has positioned herself accordingly on the platform X.
As experts in IT law and data protection, we can help you overcome the legal challenges associated with the Crowdstrike incident and similar IT security issues. Our range of services includes the legal analysis and assessment of your individual situation, support in communicating with authorities, business partners and customers, advice on optimizing your contracts and general terms and conditions, as well as representing your interests in negotiations and in court. Together we can master the remaining challenges in the dynamic environment of IT security, protect your company and assert your claims in the best possible way.
Do not hesitate to contact us if you have any questions or need support. Together we can master the legal challenges in the dynamic environment of IT security and protect your company in the best possible way.