Crisis Management Tips: Navigating the Legal Ramifications of the Global Microsoft Outage

On Friday, July 19, businesses large and small around the globe experienced prolonged interruptions in their computer systems.  Reports pegged the issue to Microsoft software used to operate computer systems and the security updates that were pushed into the software by CrowdStrike, a cybersecurity company. 

Thankfully, CrowdStrike publicly announced that the issue is being resolved.  It remains unclear whether that has resulted in users regaining full access to and use of their computer systems.  More time may elapse before users are fully restored and have fully functional systems. 

A number of our clients have already reached out to us to evaluate their positions with respect to insurance coverage for business interruption losses and other related issues. Looking ahead, many businesses will need to identify and track the full extent of the loss they have suffered, and many continue to suffer.  While there is not a typical piece of malware or cyber hack exposing data as in many other high-profile cyber incidents, the losses to business are just as real.  The loss can include disrupted operations, loss of revenue, loss of opportunities, recovery costs, legal fees and loss of consumer and investor confidence.  All of these can lead to contractual and indemnity issues.

The recovery will have many legal implications and just the monetary component of recovery may come from more than one source.  For example, many businesses will need to look at the contracts they have in place for indemnity and insurance clauses.  They also will need to look at their own insurance policies and the insurance policies of others.  Of course, Microsoft and CrowdStrike will have many questions to answer in the coming months.

The range of users affected by the outage is quite broad and demonstrates the severity of this incident. Airlines probably received the most attention on Friday, as thousands of travelers were delayed and potentially stranded, while staring at blue error screens instead of arrival and departure information.  However, hospitals were similarly affected, as were the full array of health care industry businesses.  They were prevented from carrying out vital business activity and from accessing information. In the same regard, some 911 call centers lost operation and hotels and other travel-related businesses did as well.

Financial systems suffered inoperability, including trading platforms, banks, retail payment systems and other Microsoft-based transactional systems and platforms.  The financial cost of the outage remains to be calculated.  There are reports that more 311,000 instances of global outages were reported before the software was repaired.  The impact of such business interruptions can create far-reaching ripple effects.  Not all of them will be resolved quickly.

Microsoft announced on X that the Microsoft 365 apps had been mitigated by mid-day Friday, but issues continued for hours afterward.  Microsoft also experienced issues with the functionality of its cloud services Azure, which may not be related but did not help the overall failures of the software. Similarly, CrowdStrike announced that the issue with its update had been identified and isolated and that a fix was deployed.