What has happened?
An update to CrowdStrike Falcon (cyber security software designed to monitor and protect computers) which in many cases was deployed automatically, is causing Microsoft Windows computers to crash, with a so-called "Blue Screen of Death". The problem is particularly acute because when the computers do crash in that way, they are rendered completely inoperable. This means that manual intervention (and in some cases, physical attendance) is required to fix each affected device (whether that's employee laptops, servers, cash points, ePOS (electronic point of sale) devices etc). That is the case even though CrowdStrike has rolled back the problem update: this will not automatically fix the problem. Disruption is therefore likely for a significant amount of time.
What legal issues does this present?
Clearly, a number of legal issues arise here:
Regulatory compliance: In many sectors (for example, financial services or critical national infrastructure), operational outages can be notifiable if the effect is significant enough.
Data protection and privacy: There is nothing to indicate this incident is malicious. However, where personal data is rendered inaccessible by an outage, that can be notifiable to data privacy regulators.
Supply chain issues: If you are experiencing disruption either directly yourself, or because a supplier is disrupted, this could give rise to contractual liability. If you need any assistance to review and interpret your existing contracts to determine whether force majeure clauses or other relevant provisions that may apply, or to assess the viability of claims (either against you or for you), please let us know.
Insurance Claims: You might have cover under business interruption insurance (or other policies). If you would like any assistance in assessing your cover, or progressing any claims, please let us know.
IT suppliers: This incident relates to patch management (effectively the testing of software updates/patches prior to deployment). To the extent you have outsourced this to an external supplier, there might be causes of action there.
Business continuity planning: In the longer term, given the disruption that is occurring, many companies will be looking critically at their incident response procedures, policies and processes. Please let us know if you would like any assistance here.
Please do not hesitate to reach out to anyone in the team if you'd like any assistance on these or other issues.
Key contacts
Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.