The other day, I was speaking with some early career cybersecurity professionals about the ongoing issues companies and their customers are facing due to the CrowdStrike error. I mentioned that it’s reminiscent of what we expected with Y2K. I was met with blank stares.
In case, dear reader, you too are unaware of Y2K or have willfully forgotten it, let me refresh your memory.
Long before the advent of the Internet, people programmed computers for use in a wide variety of industries, from science to finance. Computer programs processed data and performed mathematical and scientific functions. Before microprocessors came along, it took a big computer called a mainframe to do even simple calculations.
Even though mainframe computers were huge pieces of equipment, they had very little memory and low processing power. Therefore, computer programmers were judicious with the amount of code they used. It was common practice to use two digits to store years (e.g., “70” for 1970) to save memory and storage space.
By the 1980s, microprocessors began addressing the memory limitations of mainframe computers through various advancements, including the use of semiconductors over magnetic core memory. However, the use of the two-digit shorthand for years continued, even as the Internet quickly emerged, connecting people around the world, and the year 2000 fast approached.
In the late 1990s, it became clear that a crisis was looming due to the two-digit shorthand for years in computer code. “00” would be interpreted by computers as 1900 instead of 2000. This discrepancy could lead to incorrect calculations, data corruption, and system failures. The world got to work to mitigate the issue, including President Bill Clinton, who created a Presidential Council on Y2K in 1998.
The scramble worked. Through various steps, including code updates, testing and validation, and contingency planning, disaster was averted. On November 10, 1999, in announcing that the federal government was prepared, President Bill Clinton said the Y2K “computer problem” would be remembered as the “last headache of the 20th Century and not the first crisis of the 21st.”
What we feared would happen at 12:01 AM January 1, 2000, happened on July 19, 2024, when an estimated 8.5 million devices that run Windows crashed due to a faulty update to a cybersecurity program. CrowdStrike’s update to its Falcon cybersecurity platform included a configuration file with a logic error, leading to system crashes and the infamous “Blue Screen of Death” on impacted computers.
The problematic file confused the security software, causing it to repeatedly crash the operating system. Companies ranging from Delta Air Lines to my gym are still dealing with the ramifications of the Falcon crash. Recovery has been difficult because the correction requires that each impacted device be manually reset.
While companies impacted by the CrowdStrike crash are deploying tech support to reset affected devices, they are also likely directing their in-house counsel to scour the CrowdStrike Terms and Conditions to identify any legal remedies they may have to redress the damages they have incurred. Luckily for us, CrowdStrike has posted its Terms and Conditions online. Unless a company has negotiated an alternative set of terms, the posted terms will apply, and they might save CrowdStrike. CrowdStrike has limited its liability under its standard Terms and Conditions to the amount an impacted customer has paid them during the current term of services. That is, CrowdStrike will give the customer a refund.
Estimates suggest that the damages CrowdStrike customers may incur due to the crash could exceed one billion dollars. A refund is unlikely to cover most customers’ individual damages. Some customers may sue CrowdStrike to challenge the Terms and Conditions while others may rely on separately negotiated terms. More likely, affected parties will seek redress from their insurance providers.
A significant difference between 2024 and Y2K is that the insurance industry now offers products specifically for computer-related issues. Lawyers and risk mitigation teams at companies affected by the CrowdStrike crash are reviewing policies to identify applicable coverage and preparing claims. However, we expect there to be a great deal of litigation between insureds and insurers to determine how their policies apply to the CrowdStrike situation. For some companies, there is a very real possibility that they will not be made whole by their insurance carrier.
I often encourage business clients to involve me when they are procuring or renewing insurance policies. While it may not be obvious at first, my clients find my participation incredibly enlightening. I frequently uncover coverage gaps and help them assess the financial risks associated with their goods, services, and contractual obligations. Additionally, I communicate with their broker to address any questions a carrier may have about the client’s risk exposure. Having a lawyer on your side can’t prevent an issue like the CrowdStrike situation, but we work to ensure the risk is limited and the impact on our clients is minimal.