CrowdStrike Outage Updates,
Litigation,
Standards, Regulations & Compliance
Passengers’ Nuisance Claim Against CrowdStrike Dismissed Under Airline Deregulation Act
A federal judge has dismissed a lawsuit against CrowdStrike, brought by airline passengers who accused the company of negligence and public nuisance due to a problematic software update that disrupted flight operations in 2024. U.S. District Judge Robert Pitman ruled that the claims were preempted by the Airline Deregulation Act (ADA), stating that the damages were intricately linked to essential airline services such as ticketing and boarding.
In his decision, Judge Pitman noted that CrowdStrike, while a cybersecurity vendor, played a critical role in the functioning of air travel by providing essential software updates that directly impacted airline operations. According to the judge’s 11-page ruling, the plaintiffs’ assertion that CrowdStrike’s services were only tangentially related to airline operations was insufficient, given the direct ramifications of the faulty update.
The lawsuit, initiated by plaintiffs including Julio del Rio and Jack Murphy, alleged that they and “tens of thousands” of others were stranded for extended periods due to the disruption caused by CrowdStrike’s software. This incident was part of wider legal challenges the company faces following a July 2024 software update that affected an estimated 8.5 million systems.
In contrast, a separate lawsuit filed by Delta Airlines has progressed, with a Georgia judge allowing most claims to proceed. Delta has accused CrowdStrike of executing software updates without its consent and circumventing Microsoft’s certification processes.
Implications of the Airline Deregulation Act
Judge Pitman’s dismissal reflects a broad interpretation of the ADA, particularly concerning the types of services affecting airlines. His ruling emphasized that since the plaintiffs’ claims were centered around disruptions like delayed and canceled flights, the ADA’s preemption applied, thus shielding CrowdStrike from state-level legal actions despite being a third-party vendor.
“The ADA was designed to prevent a haphazard patchwork of state laws governing the airline industry,” Pitman stated. CrowdStrike’s Chief Legal Officer, Cathleen Anderson, expressed gratitude for the court’s decision, highlighting the broader implications for cybersecurity vendors engaged with airline operations.
The plaintiffs argued that CrowdStrike was negligent in deploying the update without adequate testing, leading to various personal economic damages, including lodging costs and missed work days. However, the court underscored that these grievances were intrinsically tied to airline operations, asserting that the overarching impacts governed by the ADA could not be overlooked.
This case raises important considerations regarding cybersecurity’s intersection with critical infrastructure. As CrowdStrike’s software played a pivotal role in flight operations, it invites further scrutiny on how service disruptions can affect broader industry standards. The implications of this ruling underscore the necessity for cybersecurity firms to maintain stringent operational protocols to safeguard against potential disruptions that could lead to significant liabilities.
Judge Pitman elaborated that, unlike disputes unrelated to airline services, the connections drawn in this case were substantial. Allowing tort claims against vendors affecting airline services could inadvertently lead to extensive changes in how cybersecurity vendors operate. Should such lawsuits proceed, it could prompt changes in vendor practices specifically for the airline industry, potentially inflating costs and altering service dynamics.
