ARTICLE
14 August 2024

The Aftermath Of The CrowdStrike Incident: The Importance Of Proper Business Continuity Planning

ENS, Contributor

ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.
South Africa Corporate/Commercial Law

On 19 July 2024, the cybersecurity firm CrowdStrike released an update to a configuration file for its Falcon cybersecurity system which caused the Windows operating system to crash with a blue screen (commonly referred to as the 'blue screen of death'), leading to a worldwide IT outage. The outage affected many businesses operating critical infrastructure, such as public transportation, airlines, health and financial services. The only intervention that restored the affected devices was to boot each device into safe mode and delete the corrupted file by hand, a time-consuming process that had to be repeated device by device. It has been reported that the IT outage caused an estimated loss of USD5.4 billion in damages.

From a contractual perspective, the CrowdStrike issue brings to the fore the IT industry's long-held standards around exclusions of liability for certain types of damages. It also raises the debate as to whether customers (as a collective) and/or governments need to introduce measures which, on the one hand, continue to encourage innovation and investment in new technologies but, on the other hand, recognise the critical role that IT plays in the everyday functions of businesses and the potential for disruption, as occurred in the CrowdStrike incident. In this regard, the common standard adopted across most IT contracts is that a party's liability is excluded for indirect, consequential and/or special damages, and most contracts do not, as standard, allow third parties to benefit from any contractual protections between a service provider and its customer. In the CrowdStrike example, CrowdStrike's standard Terms of Service on its website contained these traditional exclusions and further caps on liability. The question is: do customers (as a collective) and/or governments need to intervene in order to introduce measures which sufficiently 'punish' errant service providers by changing the current industry position on limitation of liability, or would this stifle innovation, increase IT costs or produce other unintended consequences? Until the industry settles this debate, it is likely that service providers will continue to adopt such standard industry positions in future and, as in the CrowdStrike incident, continue to place customers at risk.

So what can customers do in the interim?

In the absence of the negotiating power to amend what are largely standard industry positions, customers can seek to protect themselves through other technical and non-technical mechanisms, which from a contractual perspective should at the very minimum include the following:

  • Acceptance testing: Customers should ensure that their agreements with IT service providers contain provisions mandating (i) acceptance testing to be conducted by the service provider; (ii) documentation of the acceptance criteria; and (iii) documentation of the acceptance testing procedure. Importantly, customers should be cautious in accepting "deemed acceptance" clauses in their agreements. Deemed acceptance clauses introduce risk for the customer in that the respective software, patch or new release will be deemed to have been accepted by the customer if specific conditions are met, such as the customer failing to notify the service provider of any defects within a specified time period.
  • Service levels: Service levels are contractual mechanisms used by customers to ensure that service providers meet the required service standard. In the event that the service provider's performance falls below any specific service level, it may, where specifically negotiated, attract a service credit (penalty for non-compliance). Customers should ensure that they have properly documented and defined the services applicable to the software or system being contracted for. Furthermore, customers should consider documenting which service levels are critical to their business and attaching a more hefty penalty and/or other appropriate remedies to address the breach of such service levels.
  • Indemnity: Customers should consider negotiating an appropriate indemnity which requires the service provider to indemnify the customer against any third-party claims brought against the customer as a result of an IT outage (where the outage is attributable to the service provider). This may be controversial, as it is highly unlikely that any well-governed service provider will accept a blanket indemnity, especially if coupled with unlimited liability.
  • Incident response and resolution: Each incident should be assigned a priority level together with appropriate response and resolution times. It is recommended that the agreement include an incident classification matrix tailored to the customer's environment and business requirements.
  • Disaster recovery: Customers should require that service providers have built redundancy into their services to ensure continuity of services. An example is where one data centre fails and traffic can be routed to a secondary data centre to ensure seamless continuation of services. Disaster recovery services should be documented in a disaster recovery plan which is updated annually and a copy of which must be provided to the customer.
  • Business continuity planning: Customers should ensure that their agreements with IT service providers cater for business continuity planning and require the service provider to test its business continuity plans on an annual basis, to report to the customer on the outcome of such testing and to provide a copy of the plan itself.
  • Termination rights and exit assistance: Customers should ensure that their agreements provide for the right to terminate the agreement with the service provider in the case of, for example, repeated breaches of service levels. Upon termination (for whatever reason), the service provider shall (i) provide the customer with its data (in a readable and usable format); and (ii) assist the new service provider in taking over the services.

The large-scale IT outage serves as an important reminder to many companies that, although they may be contracting for services with large IT service providers, this does not mean that those providers' systems are 100% fault-proof, that the systems will be error- or bug-free, or that they will never experience any downtime. IT system crashes and downtime are a reality of this digital era and remain an important consideration that customers must address through clauses in their agreements with IT service providers. It is crucial for companies to continuously review their agreements and to ensure that appropriate clauses are included in contracts with IT service providers to account for any new or emerging threats and risks, and also to address real-world issues which could potentially affect a service.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
