The CrowdStrike® Global Tech Outage

Houston Harbaugh, P.C.

On Friday, July 19, 2024, CrowdStrike® Holdings, one of the largest cybersecurity technology companies in the world, announced that a faulty software update caused a global computer outage which ultimately disrupted many important aspects of a modern data-driven world. Airlines were forced to ground flights, banks were forced to postpone transactions, hospitals and 911 centers were forced to postpone their handling of emergency situations, courts were forced to close, and many global businesses and governments that rely on cloud-based CrowdStrike® as their cybersecurity provider were forced to limit operations. Because CrowdStrike’s AI-Native programs require very deep and privileged access into its customers’ IT systems, a failure such as the one here, a code error in a software update, can have a huge impact in an AI- and data-driven world.

According to its website, CrowdStrike® is used by 43 of 50 U.S. states, 298 of the Fortune 500 companies, 8 of the top financial services firms, 7 out of the top 10 manufacturers, 6 out of the top 10 healthcare providers, and 8 out of the top 10 technology firms. Thankfully, CrowdStrike’s CEO, George Kurtz, announced via X (formerly known as Twitter) that the outage was not caused by any security breach or cyberattack and reiterated that the customers of CrowdStrike® were protected. A failure such as this is known in the IT industry as a single-point failure: an error in a single part of a system that creates a technical issue across many industries and across various network functions and communications. This single-point failure is a real-world example of how a generative AI (dubbed AI-Native by CrowdStrike®) and data-internet-computer domino effect can begin and create an IT blackout. IT experts are already raising questions about over-centralization and a lack of redundancy in the cybersecurity industry. CrowdStrike® uses AI-powered behavioral analysis and machine analytics to predict user behavior and patterns, and to foresee and head off cyber threats.

Companies with contracts with CrowdStrike® will likely be exploring remedies if they suffered damages in real dollars or opportunity time. There may also be downstream commerce issues where certain institutions were impacted and their downstream customers were also impacted. There will be examinations of this event on both the technical and legal sides of the equation. It is not inconceivable that class actions may be filed even in anticipation of multiple claimants. Legal actions are expected against CrowdStrike® itself, as are claims up and down the commerce stream between clients, vendors and customers. Defendants may turn to their cybersecurity insurance carriers to attempt to navigate the complicated world of data privacy, cybersecurity, data breach and related insurance coverages. Many such policies for small businesses carry small liability limits and are self-eroding, with limits brought down by defense costs. These cyber data insurance policy endorsements or riders to such policies may get a workout. Immediately investigating the scope and availability of insurance coverage will be key to assisting clients in litigation.

A single-point failure poses many questions, even though a company like CrowdStrike® is essentially a back-office product designed to protect data from attack. It is not Google or Bing in the forefront, but a failure like this one, even in the background, can cause visible and front-end issues across a broad spectrum of programs (like Microsoft) and businesses, as this event demonstrates. CrowdStrike® is known as “endpoint security”, but it relies on what it calls AI-Native technology, which can be placed into the forefront of the data world very quickly. Its products are heavily reliant on AI technology. How reliant are we on only a handful of cybersecurity cloud vendors? Should an event such as this cause regulators to closely monitor the vulnerability of this occurring again? Will future regulations lead to overregulation? But, most importantly, how prepared is your organization when a single failure causes a system to shut down entirely? What is the plan B? Additionally, a global IT outage potentially presents claims, litigation and lawsuits as organizations attempt to recoup losses that were suffered during the downtime. The actions your organization takes when an IT/cybersecurity outage occurs matter, and every company needs to be aware of Security Breach Notification Laws in every state for their affected customers and clients. Litigation will certainly ensue from these types of events, and businesses will need lawyers with knowledge of cybersecurity, data protection, artificial intelligence and the workings of the internet to protect their interests.

CrowdStrike® is a federally registered trademark of CrowdStrike, Inc., a Delaware corporation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Houston Harbaugh, P.C. | Attorney Advertising
