Locks and Security News: your weekly locks and security industry newsletter
4th December 2024 Issue no. 732
Your industry news - first
LEGAL COMMENT: Crowdstrike/Windows IT Outage
Following last week's Crowdstrike Windows IT outage, Robert Griffiths, Partner in Mishcon de Reya who specialises in technology disputes, commented:
"Major global IT outages, such as today's Crowdstrike Windows Outage, often give rise to claims and litigation further down the line, as organisations seek to recover any losses that they may have suffered as a result of the downtime. The actions that businesses take in the early stages of any IT outage can be critical in any litigation that follows.
"There are a number of steps that can be taken in the first hours and days in order to maximise the chances of a successful outcome.
"It may sound obvious, but a quick fix will help to mitigate losses, and it's always better not to suffer a loss than to later bring a claim to recover that loss. Organisations should dedicate the resources needed by their core IT teams and trusted third party vendors to get critical systems back online as quickly as possible and reduce the impact of the outage. It is important to focus on this before looking at who is to blame and what legal remedies may be available – but it's also important to keep track of steps taken and any costs incurred, as these may form part of a damages claim later.
"Organisations should use all available comms channels to communicate with their stakeholders. If unable to contact customers directly, social media and other comms channels can be used to get more general updates out. It's important to let customers know which systems may be affected, what is being done to try to get systems back online and how they can contact the organisation for further information. However, it's also important to avoid creating hostages to fortune by giving information based on incomplete information or making promises about when systems will return to normal, and steer clear of any statements that might be deemed to accept liability for outages.
"Communication should be two-way if possible. I'd advise organisations to test the temperature of their customer base: what are they complaining about, what losses might they be suffering, who is likely to bring a claim later? Critical information can be gathered during this period that may be useful in bringing or defending a claim in the future so it's important to record all of that information so that it can be relied upon later.
"At times like this, organisations need to be vigilant – bad actors often use the chaos of a major IT outage to gain access to systems. Crowdstrike have already issued guidance to only rely on information about fixes from trusted sources, so ensure teams are aware of that and that they are not relying on unsolicited advice which may be coming from bad actors.
"Organisations can use manual or analogue workarounds where possible, but should ensure they don't compromise safety and security as this could create further problems down the line, particularly with regulators.
"There's a risk of additional liability by failing to comply with contractual requirements in the event of IT outages. Businesses should check customer contracts and follow any pre-agreed processes, for example:
"Early indications are that this is not a cyber-attack and there are no third-party bad actors, which may make it harder for vendors to avoid liability to customers.
"Once the dust has settled, organisations should review contracts with customers to establish the extent of any potential liability. They should also review contracts with vendors to establish whether they might be able to bring a claim to recover any losses that they or their customers may have suffered."
Jon Baines, Senior Data Protection Specialist at Mishcon de Reya, added:
"If there has been an inability to access personal data on systems, this could constitute a contravention of data protection law, and if any damage has resulted, businesses might be vulnerable to complaints or claims."
24th July 2024