Last Friday, on 19 July, a serious IT security incident shook the digital world. A faulty update to the Falcon security software of the Crowdstrike security technology company led to massive computer failures at companies and organisations worldwide. In Austria, Vienna Airport, various airlines and several hospitals were affected by the disruption.
What happened?
The faulty update to the Crowdstrike Falcon security software released on 19 July, a product also used by many IT service providers, led to widespread failures and crashes of Windows systems, the so-called "Blue Screen of Death". Microsoft later estimated that around 8.5 million Windows devices were affected. Crowdstrike withdrew the faulty update and published a workaround within hours. However, this was not an automatic fix pushed to the affected systems, but manual instructions for IT administrators: each affected machine had to be started in Safe Mode or the Windows Recovery Environment and the faulty file removed by hand. Implementing these instructions took considerable time and resources in the companies affected. There is currently speculation in the media that Crowdstrike did not adequately test the faulty update before release. The consensus is that, as far as is known at this point, the incident on 19 July was not a cyberattack, and there is no indication that any data was leaked.
Potential legal implications
The incident raises a number of complex legal issues, in particular the question of Crowdstrike's responsibility and liability for the massive IT outage.
On the one hand, Crowdstrike may have acted negligently in developing and testing the update; in general, the standard of care expected of providers of security software is particularly high. On the other hand, depending on the contractual situation, IT service providers using the product may also be liable for damages if the problem was not identified or fixed in good time. These are questions that must be examined on a case-by-case basis. Furthermore, IT service providers could also be liable as processors under the GDPR: the installation of a faulty update could, for example, constitute a breach of the GDPR requirement to ensure the security of processing (Art. 32 GDPR).
Moreover, the companies affected by the Crowdstrike incident could themselves be liable to customers and business partners for contractual obligations they were unable to fulfil because of the system failures. Every company affected by this incident should therefore document the duration and extent of the disruption, the damage, losses and expenses incurred, and the measures taken to fix the problem. This documentation serves both the assertion of the company's own claims and the defence against potential claims brought against it.
As a general rule, every company should implement multi-layered security concepts to protect itself against IT failures and cyber incidents, including detailed, regularly rehearsed emergency plans and a robust backup system whose restores are tested.
Effects
The Crowdstrike incident could have far-reaching consequences for the IT security industry and the regulatory environment. The requirements placed on security software providers are likely to become stricter, particularly with regard to testing procedures and quality assurance. Furthermore, we may see an increase in the number of court cases brought to clarify liability for IT security incidents, which could set precedents for product liability in respect of security software.
As experts in IT law and data protection, we are here to help you meet the legal challenges associated with the Crowdstrike incident and similar IT security issues. Our range of services includes the legal analysis and assessment of your individual situation, support in communicating with authorities, business partners and customers, advice on optimising your contracts and General Terms and Conditions, and representing your interests in negotiations and in court. Together, we can master the legal challenges arising in the dynamic environment of IT security, protect your company and assert your claims in the best possible way.
Please do not hesitate to contact us if you have any questions or if you need support.