Last Friday, a massive IT outage caused disruptions to businesses around the world, affecting everything from airlines to 911 operators to retailers. The problem arose when CrowdStrike, a cybersecurity firm, sent out a faulty software update that prompted some computer systems to crash. Although the update was eventually rolled back, the impact of the problem continued to ripple throughout the weekend, as passengers remained stranded in airports, hospitals struggled to reschedule canceled surgeries, and stores adjusted to unexpected closures.

Andrew D. Selbst, a visiting assistant professor of law at Harvard Law School, says it is “hard to predict” the extent of the legal fallout from the CrowdStrike situation. Traditionally, tech companies have generally not been liable for “buggy software,” but CrowdStrike could potentially face high-dollar lawsuits from some of its business-to-business customers, subject to the terms of the contracts between the entities, he adds.

“For big businesses that used CrowdStrike, they may have been able to negotiate contracts that talk about how to distribute liability,” says Selbst. “But maybe for smaller companies, they were less likely to be able to push back on the form contract, which likely disclaimed all liability for things like this.”

What the situation does clearly illustrate, he says, “is how fragile our infrastructure is, because there are only a few companies that run much of the world’s software. That’s a problem we should be more concerned with than we seem to be.”

Read the full article

https://hls.harvard.edu/today/harvard-law-expert-discusses-data-breaches-failures-and-the-vulnerability-of-everyday-technology/