Delta Air Lines customers may find CEO Ed Bastian’s contention that a service provider should compensate customers for losses when their service fails a bit surprising. He’s referring to the costs incurred by the airline because of the CrowdStrike incident — not those caused by a delayed or rerouted Delta flight.
The two aren’t that different. In both cases, the service provider limits its liability for losses. CrowdStrike included language limiting its liability in contracts with customers. Delta enjoys similar protections from its contract of carriage. Both firms can foresee circumstances where their failure could generate significant losses for their customers to the extent that it wouldn’t be profitable for them to operate if they risked incurring them. Thus, they contractually disclaim them.
While many think it is unlikely that CrowdStrike will be found liable, this is not guaranteed. If, for example, CrowdStrike engaged in deliberate deception regarding its service, that fraud could potentially overcome contractual protections. However, given the service’s strong track record of the service — up until the incident — this seems unlikely.
Also contributing to Delta’s difficulty in recouping its losses is that others affected by the outage recovered much faster than Delta did. Presuming that other airlines and businesses were using the service to a similar extent and in a similar way, this would tend to suggest that Delta bears at least some — and perhaps a lot — of responsibility for its delay in restoration. Given that a CrowdStrike failure is not the only thing that could cause a similar response need from the airline, this incident seems to demonstrate that they may be underprepared for tech incident response.
Liability is a crucial way to ensure that service providers don’t take excessive risks or place expediency or their profit motive in front of their service to their customers. There is a balance between preventing companies — whether cybersecurity firms or airlines — from being driven out of business from minor failings that have effects on customers that are disproportionate to the fees that they paid for the service and the need to bear responsibility. However, if providers must shoulder the risk of all losses, this will drive fees up to cover insurance costs — or potentially result in some customers being unable to buy the service at any price due to uncapped risks and uninsurability.
Enterprise customers, like Delta, have significant negotiating power with their vendors and may be able to negotiate responsibility for losses in vendor contracts if they choose. If vendors are unwilling to sell their product under those terms, the airline must decide whether to buy it under mutually agreeable terms or forgo it. Airlines, like most businesses, can procure insurance to cover risks if they choose to and should consider this as part of their overarching risk management strategy.
If Bastian thinks service providers should cover all losses associated with service failure, he may want to start with covering the losses incurred by Delta’s customers from this incident — beyond meals, hotels and rebookings. Delta can be logically held responsible for the failure of their suppliers by their customers — if contractual protections are to be ignored — and even more so if the airline’s lack of preparation exacerbates the effect of the vendor failure. Ironically, if Delta succeeds in recovering against CrowdStrike, it may be making an argument that its customers could leverage against the airline itself.
In the future, Delta may want to mitigate the effect of IT vendors’ failures on its operations. It would also be well-served to identify the effect of service outages and failures on its operations and ensure that it negotiates adequate contractual compensation for these outages or procures insurance to transfer all or some of the risk. It shouldn’t expect a court to set aside a negotiated agreement to provide it with compensation.
In the short term, Delta customers may find solace in the fact that the airline’s CEO is just as frustrated with his supplier as they may be after a flight gets canceled, rerouted or delayed.
