These days, nothing is sacred. Even the most reputable companies can face unexpected challenges and outages, along with the legal action that results from them. Just a few weeks ago, security giant CrowdStrike experienced a significant meltdown that exposed critical flaws in their contractual safeguards. When a faulty software update crashed over eight million computers worldwide, including those of major corporations like Delta Air Lines, the fallout for CrowdStrike was swift and severe. They immediately saw a 32% drop in share price, a $25 billion loss in market value, and a class action lawsuit from shareholders alleging “false and misleading” statements about the company’s software testing. (Source: Cyber Security Hub)
This incident is an extreme reminder of how important it is to have airtight contracts in place to protect your business from unforeseen liabilities. While some may argue that CrowdStrike should have been smarter and more careful with its software releases, we all know that mistakes are not just possible, they’re probable.
We decided to examine how the right contractual provisions can shield your company from substantial damages when things go wrong, drawing on the CrowdStrike example and other high-profile cases. We’ll also outline some practical steps our attorneys recommend to improve your chances of an unassailable contract, both for existing agreements and future deals.
CrowdStrike: A cautionary tale
The crisis began when CrowdStrike released a software update that contained a critical bug, inadvertently crashing over 8.5 million Microsoft Windows computers worldwide, according to a post-incident review published in the company’s blog. The outage disrupted operations for numerous organizations, including major airlines, banks, and hospitals. The severity of the situation was compounded by the slow response time; it took ten days (!) to fully resolve the issue. Shareholders have banded together to sue, alleging that CrowdStrike executives made “false and misleading” statements about the thoroughness of their software testing procedures.
Key contractual oversights or failures
Several contractual oversights heightened the fallout from the incident. We drew on various sources to compile these oversights, including Security Week, law.stackexchange, and channel e2, among others. First, there was a lack of explicit terms regarding the liability for software failures. Without clearly defined limitations on damages, the company became vulnerable to significant financial claims from affected parties. Second, the absence of a robust indemnity clause meant that CrowdStrike had to shoulder the financial burden of compensating for losses incurred by clients and partners due to the outage.
Additionally, the company’s contracts lacked explicit provisions for crisis management, including communication protocols and compensation mechanisms for affected clients. This oversight led to even more reputational damage, as the company’s response (a controversial issuance of $10 UberEats gift vouchers) was widely condemned as inadequate.
Finally, the contracts did not adequately address the potential consequences of software bugs, exposing the company to allegations of negligence and insufficient quality assurance.
Other notable failures we can learn from
Yes, CrowdStrike’s actions were insufficient, to say the least. But they’re certainly not the first company to steer off course in this way.
In 2017, Equifax suffered one of the largest data breaches in history, exposing the personal information of over 147 million people! The incident was primarily caused by a failure to patch a known vulnerability, coupled with inadequate security practices. The fallout? Massive legal liabilities, significant damage to the company’s reputation, and regulatory fines amounting to hundreds of millions of dollars.
Boeing faced a major crisis following two fatal crashes in 2018 involving its 737 MAX aircraft. Investigations revealed that software flaws in the Maneuvering Characteristics Augmentation System (MCAS) played a big role in the accidents. The incidents resulted in a global grounding of the aircraft, numerous lawsuits, and a significant loss of trust in Boeing’s safety standards.
Both of these incidents demonstrate how profound the consequences of inadequate contracts are.
What do watertight contracts look like?
First, let us clarify that the explanation provided here does not constitute legal advice and is not legally binding. That being said, implementing these key things can bring a contract closer to being invulnerable.
Clear terms and conditions
Clear terms and conditions are essential in business agreements to set expectations and define the scope of obligations for all parties involved. They’re the foundation for a contract, outlining each party’s specific duties, rights, and responsibilities. Clarity in these provisions helps prevent misunderstandings and disputes by providing a clear reference point for what was agreed upon.
Well-drafted terms and conditions also ensure that all parties have a mutual understanding of the contract’s objectives and deliverables, reducing the risk of disagreements down the line.
Limitation of liability clauses
These are key to limiting a company’s potential financial exposure if things go wrong. They specify the extent to which each party is responsible for damages arising from breaches of the contract and can cap a business’s exposure to a predetermined amount, often tied to the value of the contract or a specific dollar amount. This limitation is particularly important in technology contracts, where the consequences of failures can be extensive and costly. It protects the company from potentially crippling financial liabilities, ensuring that any claims for damages do not exceed a manageable threshold.
Force Majeure and indemnity clauses
A force majeure clause relieves parties from performing their contractual obligations when extraordinary events beyond their control, such as natural disasters or other “acts of God,” prevent them from fulfilling the contract. Consider what you would do if you couldn’t complete a job you were contracted for due to rain, tornadoes, or floods. A force majeure clause ensures that neither party is unfairly held liable for failures due to unforeseen and uncontrollable circumstances.
Indemnity clauses, on the other hand, provide a mechanism for one party to compensate the other for certain damages or losses that may occur during the contract’s execution. These clauses shift the risk of specific losses, such as legal fees or damages from third-party claims, away from one party. They’re useful in protecting against losses that may arise from actions or negligence by the other party.
Actionable tips for keeping your contracts clear!
To protect your business from potential contractual liabilities, consider these best practices:
- Make sure you have clearly defined terms and conditions: These should outline each party’s roles, responsibilities, and deliverables.
- Incorporate detailed liability clauses: Specify the extent and boundaries of liability in the contract. Also, include a cap on damages, linked to the contract value or a specific amount.
- Include indemnity clauses: These need to clearly state which party is responsible for covering legal costs and damages arising from third-party claims.
- Add Force Majeure clauses: From natural disasters to government actions, these provide a legal basis for non-performance under uncontrollable circumstances.
- Use clear and precise language: Avoid legal jargon and ambiguous terms! Clear language lets you articulate obligations, rights, and remedies in a way that both you and the other party understand, reducing the risk of misinterpretation.