His law firm, Boies Schiller Flexner, and Delta did not respond to requests for comment.
While no lawsuit has been filed, Delta plans to seek compensation from CrowdStrike and Microsoft, CNBC reported.
Delta’s stock was little changed after closing on Monday, but CrowdStrike’s stock was down 5.5 per cent in after-hours trading.
Earlier this month, CrowdStrike disrupted business globally, after a defect in a software update from the cybersecurity firm caused many thousands of Microsoft computer systems to shut down.
Analysts estimated that Delta, which was one of the worst-hit airlines, will suffer a hit to its earnings of US$350 million to US$500 million this quarter because of reputational damages and ticket refunds, Bloomberg reported last week.
But Delta and its new team of Boies-led lawyers might not be able to get much from CrowdStrike, experts say.
The cybersecurity firm’s terms and conditions say that CrowdStrike doesn’t have to shell out anything more than a refund.
The terms for CrowdStrike’s Falcon security software – which is used by companies and government agencies around the world – limit liability to “fees paid”.
This means that if companies like Delta had a claim for damage or lost revenue, CrowdStrike would only pay those companies the cost of the software, Elizabeth Burgin Waller, the chair of the Cybersecurity & Data Privacy practice at Woods Rogers, said earlier this month.
Even individuals hoping to seek damages from CrowdStrike through proposed class action lawsuits may have little luck.
Mauricio Sanchez, a senior director at a tech market research firm, Dell’Oro Group, said that CrowdStrike may not have to pay at all.
“While it will be a miserable summer for CrowdStrike lawyers, as they defend themselves from customers with torches and pitchforks, I don’t see CrowdStrike having to pay much, if any, compensation,” Sanchez told trade publication Fierce Network last week.
A recent case – this one about hacking, not just a software update gone wrong – offers some precedent for how big customers like Delta could fare in court.
In 2020, hackers broke into Texas-based SolarWinds’ systems and added malicious code to the company’s software system. More than 30,000 customers then were unwittingly sent software updates that included the hacked code, which led to hackers spying on company and government organizations.
Earlier this month, a US judge dismissed most of a Securities and Exchange Commission lawsuit accusing SolarWinds of defrauding investors by hiding security weaknesses.
Between customer agreements that favour CrowdStrike and SolarWinds largely beating the SEC, CrowdStrike stands a good chance in court, Sanchez said.
Andrew Selbst, an assistant professor at UCLA School of Law, told Harvard Law Today last week that customers could sue over negligence, a common class action lawsuit.
“Ultimately, they’re difficult to win,” he said.
Another consequence for CrowdStrike could be regulation, especially from the Federal Trade Commission.
“The FTC has a pattern of settling with these companies and keeping them under a consent decree for 20 years or so,” Selbst said.
“But with the FTC, you don’t get individual customers receiving damages or compensation. This is just a regulatory regime, and they receive fines payable to the federal government.”