5 Things To Watch In Delta’s Lawsuit Against CrowdStrike

A Georgia judge has allowed parts of Delta’s lawsuit over the July 2024 outage to proceed, though CrowdStrike’s attorney said he continues to be ‘confident’ that any liabilities will ultimately be negligible.

While a Georgia judge has declined to dismiss parts of Delta’s lawsuit against CrowdStrike — over the July 2024 IT outage caused by the cybersecurity vendor — CrowdStrike’s attorney said he continues to be “confident” that any liabilities will ultimately be negligible.

The lawsuit from Atlanta-based Delta, which was filed in Fulton County Superior Court last fall, has sought significant damages from CrowdStrike in connection with the global Windows outage and resulting flight disruptions over five days.

[Related: CrowdStrike CEO George Kurtz On ‘Incredible’ Partner Response, Microsoft Collaboration After Massive Outage]

On May 16, Judge Kelly Lee Ellerbe ruled that parts of the Delta lawsuit can proceed while also dismissing other parts of the complaint against CrowdStrike.

"We’re pleased several Delta claims have been rejected, and are confident the rest will be contractually capped in the single-digit-millions of dollars or otherwise found to be without merit,” said Michael Carlinsky, CrowdStrike’s outside counsel at Quinn Emanuel, in a statement provided to CRN by email.

Delta did not immediately respond to a request for comment.

Delta had said in its initial lawsuit that it “suffered over $500 million in out-of-pocket losses” from the July 19 outage and signaled it would seek at least that amount from CrowdStrike.

Delta was by far the hardest hit U.S. airline in the incident, cancelling approximately 7,000 flights in total during a disruption that lasted well into the following week.

CrowdStrike and Microsoft have both blamed the elongated recovery time at Delta on what they’ve described as outdated IT systems at Delta, as well as a refusal by the airline to accept offers of assistance.

What follows are five things to watch in Delta’s lawsuit against CrowdStrike.

‘Gross Negligence’ Argument

The initial lawsuit filed by Delta brought accusations against CrowdStrike including “gross negligence.” Delta contended that CrowdStrike’s Falcon update on July 19 was deployed “without minimal testing [or] routine quality and assurance” and “without staged deployments, including installing the Faulty Update onto Delta’s computers without its knowledge or consent.”

In the Georgia court ruling on May 16, Ellerbe allowed Delta to proceed with the accusation in the lawsuit, writing that “these allegations are sufficient to state a claim for gross negligence.”

“As CrowdStrike has acknowledged, its own president publicly stated CrowdStrike did something ‘horribly wrong’ with the July Update,” the judge wrote.

‘Trespass’ Argument

Ellerbe also allowed an allegation by Delta of “computer trespass” to proceed.

Delta has contended in its lawsuit that CrowdStrike deployed the July 19 update “contrary to Delta's election not to receive automatic updates,” leading to an allegation that “the access was made without authorization,” the judge wrote.

“Delta has sufficiently alleged CrowdStrike's unauthorized access was knowingly committed,” Ellerbe wrote.

Arguments Rejected, Withdrawn

The Georgia court ruling dismissed an allegation by Delta of Intentional Misrepresentation/Fraud by Omission.

The fraud allegation is “more limited than the claim Delta has alleged,” Ellerbe wrote, while “the Court finds Delta has failed to state a claim for fraudulent inducement for any alleged misrepresentations prior to June 30, 2022,” when a Subscription Services Agreement was reached between CrowdStrike and Delta.

Additionally, prior to the ruling, Delta had already withdrawn several allegations in its original lawsuit.

The withdrawn counts include a claim for product liability as well as an alleged violation of Georgia's Fair Business Practices Act of 1975.

Limitation Of Liability

Carlinsky, CrowdStrike’s outside counsel, contended in the statement that remaining allegations in the Delta lawsuit will be found to be not legally valid or have liability that is minimal — capped in the single-digit-millions of dollars — in accordance with the contract between the two companies.

In a previous response to Delta’s lawsuit, CrowdStrike pointed to “limitation of liability” and “exclusion of consequential damages” provisions in the June 2022 contract between the companies. The provisions “limit the parties’ liability and excludes any indirect, incidental, punitive, or consequential damages of any kind,” CrowdStrike said in the previous filing.

In the Georgia ruling, Ellerbe noted that Delta has made “general arguments” for why the company should be allowed to seek damages beyond those allowed under the contract, suggesting that a state “economic loss rule” does not apply to the lawsuit. However, “the Court does not find [Delta’s arguments] persuasive” in this instance, Ellerbe wrote.

CrowdStrike’s ‘Comeback’

The continuation of the Delta lawsuit against CrowdStrike comes even as the impacts to the vendor’s business have appeared to be minimal in the months following.

CrowdStrike has consistently beat quarterly expectations since the incident, and in March, Co-founder and CEO George Kurtz told analysts that CrowdStrike had achieved a “comeback story” since the incident as the company exceeded Wall Street expectations for its most recent quarter.

Even amid the unprecedented difficulties of recent quarters, CrowdStrike has seen its partnerships with MSSPs, global system integrators and other partners become a greater focal point than ever before, Kurtz said during the quarterly call.

For instance, “partners sourced 60 percent of our new business in the fiscal year [2025], validating our partner-first strategy and ecosystem investments,” he said.