CrowdStrike: What We Can Learn

To recap:
1: Delta Airlines uses CrowdStrike’s “Falcon Sensor” for antivirus.

2: 07/19/2024 an update to the Falcon Sensor bricks Delta’s systems, grounding 6,000+ flights and (supposedly) costing $500M.

3: Delta publicly and privately tells CrowdStrike they’re going to pay.

4: CrowdStrike responds to Delta stating they have a different opinion.

Firstly, if you consume any media about this event, let it be this video: https://www.youtube.com/watch?v=wAzEJxOo1ts&t=619s.

This is created by David Plummer, an old school Windows developer who runs a YT channel (and who has a book!). He does a wonderful job of making tech topics consumable and has tons of wonderful anecdotes. Just a great channel all around. Regardless, watch the video and I guarantee you’ll know more about this than you did 15 minutes ago.

With the facts as established as they’re gonna be, let’s dissect that letter.

Dear David:
I am writing on behalf of my client CrowdStrike, Inc. in response to your letter dated July 29, 2024, in which Delta Air Lines, Inc. raises issues and threatens CrowdStrike with legal claims related to the July 19, 2024 content configuration update impacting the Falcon sensor and the Windows Operating System (the “Channel File 291 incident”).

Can we appreciate how much this letter sounds like the dozens and dozens (and dozens) of letters insurance and risk professionals receive? I guess this just goes to show that the only thing that changes about claims is the dollar figure….

CrowdStrike reiterates its apology to Delta, its employees, and its customers, and is empathetic to the circumstances they faced. However, CrowdStrike is highly disappointed by Delta’s suggestion that CrowdStrike acted inappropriately and strongly rejects any allegation that it was grossly negligent or committed willful misconduct with respect to the Channel File 291 incident. Your suggestion that CrowdStrike failed to do testing and validation is contradicted by the very information on which you rely from CrowdStrike’s Preliminary Post Incident Review.

Eagle-eyed readers will notice a specific word here: GROSS negligence. And this is why contracts are so important, because by invoking GROSS negligence Delta is attempting to do a couple of things.

First, to allow for punitive or exemplary damages, which are typically only available in cases of “gross” negligence. “But punitive damages aren’t insurable,” an astute insurance person might respond. Yet this isn’t entirely accurate. While many policies do exclude them, some don’t, and whether they can even be insured is subject to individual jurisdictional rules. In fact, most (US) localities actually do allow insuring punitive damages, though with very specific qualifying criteria (usually “vicarious only”). So if you’re an insurance professional, strive for solutions that follow suit (e.g., language covering such damages “where insurable by law”).

The second reason Delta is alleging gross negligence is that there is certainly a liability cap in their contract. Such caps can be bypassed (either via contract language or by operation of law) if the offending party is “grossly” negligent or engages in “willful” misconduct. If you hire a vendor and they trip and start a fire, their liability to you is capped. If you hire a vendor and they’re an arsonist who intentionally starts a fire, their liability to you is uncapped.

As a risk professional, I consider these liability limitations some of the most critical yet rubber-stamped parts of contracts. I can’t tell you the number of times I’ve seen a business accept boilerplate language that limits liability to, for example, “the cost of the contract” (i.e., what you’re paying the vendor). I’ve even seen this in architectural/engineering contracts! That’d be like limiting my auto mechanic’s liability to the cost of my brake job: if those brakes fail, the resulting damage can far exceed the few hundred bucks the work cost.

Delta’s public threat of litigation distracts from this work and has contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage. Should Delta pursue this path, Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions—swiftly, transparently, and constructively—while Delta did not.

While this is speculation, note the verbiage: “CrowdStrike [is not responsible for] Delta’s IT decisions and response to the outage.” It does not say CrowdStrike wasn’t responsible for the outage, or that CrowdStrike didn’t err, or that it didn’t specifically circumvent system security when rolling out updates. This is clever wording, from a clever attorney, who knew this letter was going public.

Among other things, Delta will need to explain:
● That any liability by CrowdStrike is contractually capped at an amount in the single-digit millions.

Womp womp.

Items for Legal Preservation:
1. Delta’s response to the Channel File 291 incident.
2. Delta’s emergency backup, disaster recovery, and IT business continuity plans, and any related testing of those plans.
3. All assessments of Delta’s IT infrastructure, including any gaps and remediation recommendations, for the last five years, including in the wake of the Channel File 291 incident.
4. All decisions to upgrade or not upgrade Delta’s IT infrastructure in the last five years.
5. All scripts and software that Delta has deployed before and after the Channel File 291 incident to address possible Windows group policy corruption issues across the IT estate.
6. All system event logs for the weeks preceding and succeeding the Channel File 291 incident.
7. All encryption-level software that Delta deployed on all its IT infrastructure and the management of this software.
8. All technology and operating systems that Delta utilizes to assign workflow, routes, crews, flight schedules, etc. and any information, documents, or analysis on how that technology interacts with any software that Delta employs on its IT infrastructure.
9. Any data loss following the Channel File 291 incident related to Delta’s workflow routes, crew and flight schedules, and all communications with crew members following the Channel File 291 incident.
10. Delta’s response and recovery to any previous IT outages in the past five years.

Not earth-shattering, but I cite the above just to show how problematic legal discovery can be. Can you imagine, as a business owner, being asked to essentially produce a report on how you responded to every IT outage over the past 5 years? Now imagine you have services all over the world and 100,000 employees. You may be completely within “the right” of whatever legal dispute you’re having, but it’s going to cost you a million bucks just to comply with discovery.

Now certainly some of the above is likely to get reduced in scope for being onerous, but the point is that the majority of expenses and effort happen well before trial, and this is just a “throwaway” letter!

Delta has a big enough checkbook to figure this out, but what about a $100M company? A $10M company? A $1M company? Something like this would ruin them. Hope they know a good insurance person.

What Enron Can Teach Us About D&O Coverage

The Enron saga is, itself, utterly fascinating. If you haven’t had the chance, there are several good documentaries about it, one being “Enron: The Smartest Guys in the Room”. Unfortunately I don’t believe it’s available on Netflix anymore, but alternate streaming services still have it (here’s an Amazon link). I’m sure there are more in-depth and technical sources out there, but as a relatively “soft” documentary it’s a great film with which to wind down a day. FindLaw.com also has an interesting set of articles if you’re looking for more to peruse.

While perhaps not the most interesting of all the specific topics dealing with Enron, there are some curious lessons in the way insurance played out – especially D&O. If you’re just looking for the take-home point it’s this: even if a defendant pleads guilty, that is not considered a “final adjudication” of guilt (I know!), at least in the Enron case. This was surprising to me, as well as to Enron’s D&O insurers I suppose, who I understand had a total of about $350M in limits put up. Here is an expert explaining the circumstance from an IRMI Whitepaper (I have since lost the link but I *believe* the below is verbatim):

Former Enron CFO Andrew Fastow pleaded guilty in criminal proceedings associated with Enron’s bankruptcy. Yet since the Enron D&O policy forms were written on a “final adjudication” basis, the insurer was obligated to continue defending Mr. Fastow against civil lawsuits because his conduct still had not been subject to “final adjudication.” Although Mr. Fastow had already pleaded guilty to criminal charges, he had not yet been sentenced and until that time could still change his plea. But by continuing to defend Mr. Fastow, other far less culpable directors and officers—including retired directors—had their remaining policy limits depleted. 

My notes say the IRMI article called the “Final Adjudication” language a “minefield”, but I wouldn’t go that far (seriously IRMI?).  However, it is one of the most preferential provisions an insured can secure in a D&O policy – and be careful out there because while it is becoming *more* common it should certainly not be considered the default. While such language may provide for sub-optimal circumstances – such as a “guilty” director getting defense coverage they “shouldn’t” have – the benefit of preserving coverage for alleged fraudulent acts, which are ultimately baseless, far outweighs such consequences. 

But there’s a second consideration to all of this as well.  What if instead of “guilty”, Andrew Fastow had pleaded no contest?  Is a plea of nolo contendere a “Final Adjudication”?  The short answer is… “No!”  But do bear in mind that jurisdictions vary. This “Policyholder Advisor Alert” from the law firm Anderson Kill (NY) does a great job of explaining how the variations on the “Final Adjudication” clause in policy can play out, both theoretically and practically:

The most advantageous conduct exclusions are triggered only by a final and non-appealable adjudication against the policyholder. Conversely, insurance companies may interpret references to “determinations in fact,” “adverse admissions,” or other potentially non-final determinations as giving them license to adopt an earlier trigger. Triggers like “written admission by the Insured” or “plea of nolo contendere or no contest regarding such conduct” make it more likely that the insurance company will apply the exclusion. An insurance company might attempt to latch onto a statement by the policyholder’s representative at deposition or a preliminary finding of fact by the court. Even an exclusion that lacks only the “non-appealable” component could be fodder for an insurance company to argue against coverage, even if an incorrect result is overturned on appeal.
Final, non-appealable adjudication language ensures the policyholder gets its full “day” in court and pushes the coverage decision further into the future, increasing the likelihood of a settlement that avoids the conduct exclusion altogether.

You will note that they specifically mention some provisions which state “an admission by the insured” or similar – this is because carriers are inserting these into “Final Adjudication” clauses with regularity, though not always. Again, it’s important to know how your particular provisions work.

Another topic to discuss, which the above Anderson Kill article touches on, is severability. This is the portion of your policy, usually hidden in the “warranty” and “state conditions” and similar pages that people tend not to read. In short, severability determines whether one insured’s actions impute/affect another insured’s coverage. For example if one director is found guilty of fraud what happens to the coverage for the other directors? What happens to the coverage for the corporation? What happens if the CEO knowingly falsified and signed the coverage application – will that exclude coverage for other individuals?

This, again, is something that is going to be unique to each carrier. However, I am happy to say that many offer decently advantageous “severability” clauses either in their base form or via endorsement. When you’re looking at these you want to pay attention to two key areas:

1. What happens if one director is found guilty – is coverage preserved for “innocent” insureds?

In this case I would say most policies I’ve personally dealt with do preserve coverage. Smaller D&O policies or “add-on” D&O coverage may not be as generous but my experience shows this isn’t a contentious ask.

2. What happens if the application is falsified?

This scenario is typically more complex as, while many carriers will provide details in this situation, they vary widely in to whom the falsification is “imputed”. The more generous provisions will state something along the lines of “if an application is falsified by [C-Level Executives/Directors] it’s imputed to the corporation but not to other directors and officers”. In such a situation, a CEO falsifying an application would remove coverage for the corporate entity, but not for other executives. This is also why D&O carriers often insist that applications be signed by particular individuals.

D&O policies are some of the most complex beasts out there, and such complexity isn’t often known until the crisis arrives. So if you have the time, I highly suggest you look at not only Enron data (I picked that simply because of its fame and the info is plentiful), but anything else you can get your hands on. These types of policies, being “relatively” new to the scene and non-standard are also going to be highly sensitive to jurisdictional changes (jurisdiction itself being a concern when you have a policy for a national or international client!).

Three Tips for Leased Employees 

So many businesses lease employees that it’s hardly given a second thought. Yet I cannot think of one single insurance policy that doesn’t include the word “Employee” in there somewhere – even (and especially) the ones you may not think about, like Cyber. This is relevant because, typically, when a carrier defines a term it’s to limit coverage in some capacity.

Because of this, it’s very important to understand your clients’ employee situations. Are there “standard” employees, are there independent contractors, is there seasonal or temporary help, are there volunteers, etc. etc. All of this plays into the various insurance policies and sometimes in completely different ways. Here are three tips to handle leased employees but these should be thought of as the start of your investigation, not the end of it.

1:   Always, always, always check the definition of “Employee” because it’s usually used to exclude something. 

This may seem like common sense but it bears mentioning. Policies, especially non-standard ones like Professional Liability, define “employee” very differently. For example, a Professional Liability policy might not include “leased employees” as employees since such individuals are expected to have their own coverage (perhaps from the leasing firm). 

Or, even when certain classes of individuals (like “leased employees”) are granted coverage, very strict limits can apply. For example, sometimes the coverage your policy offers is limited to whatever that leased individual has elsewhere – so your $2M limit could only be $500K if that’s what the leased employee brings for themselves. It’s also common to restrict coverage to your vicarious liability for that leased individual only, and not their individual/direct liability.

Another extreme example of where the definition matters is in Crime policies. Insuring Agreement I (“Employee Theft”) is almost always the broadest coverage available, covering basically any dishonest act by an employee not otherwise excluded. Many crime policies are written with only this insuring clause and this is usually the Crime coverage you see added into Package policies. If a client operates on a permanent-contractor basis, where a good portion of staff are all independent contractors, they need a fitting definition of “employee” because otherwise that entire insuring agreement is useless.

To digress a bit: on Crime policies this can cut both ways. While “Employee Theft” is usually very generous coverage there are sometimes qualifications. For example, many policies require that an employee be identifiable for a theft to be covered under Insuring Agreement I. Thus there can exist a situation where technically not having someone considered an employee could be beneficial, assuming you’ve got coverage for the theft under another Insuring Agreement. But this is really a quirk only and definitely not a mark in the favor of exempting people from the definition of “Employees”. 

Sometimes Employee is undefined in a policy. This is typically a good thing since undefined terms are construed in the insured’s favor. However, I’ll take a broad, inclusive definition of employee (e.g. one that simply states what “Employee” includes, like “Employee includes a leased worker, temporary worker, and contract worker”) over an undefined term any day. This is only a personal preference, but I am much happier when I can point to policy language itself to show that a “leased employee” is an “employee” rather than relying upon assumed interpretive benefit.

2:   Make sure your definitions/coverage are consistent and complementary.

Just as important as knowing who is an employee is making sure that flows across your entire insurance program. For example, does your Umbrella define employee in the same manner?

This question becomes crucial if you’ve amended the underlying at all, such as to specifically include/exclude particular individuals as employees or if you’ve amended the underlying to include/exclude injury to these employees. A cautionary tale comes from the Business Auto side: Employees as Insureds. 

Employees as Insureds allows you to have a BAP cover an employee-driver directly in situations where (e.g.) they use their personal auto in the business. You do this by adding an endorsement specifically including “Employees” as insureds. This is a great deal for individuals such as executives who both constantly use their vehicles for business and have significant assets to protect. 

The problem arises if you don’t also pay attention to your Excess/Umbrella. All Umbrellas, yes even “Follow Forms”, have their own terms and conditions.  Often these mirror unendorsed standard wording.  For example, take a look at ISO’s wording (pg. 10 of 17): it specifically excludes employees driving their own auto, just like an unendorsed BAP (emphasis added): 

[Who is an Insured is…] 

  1. Anyone else while using with your permission a “covered auto” you own, hire or borrow is also an insured except:
(2) Your “employee” if the “covered auto” is owned by that “employee” or a member of his or her household.   

Now some comprehensive “additional insured” type wording might do the trick, but again look at ISO:   

  1. Any additional insured under any policy of “underlying insurance” will automatically be an insured under this insurance.

If coverage provided to the additional insured is required by a contract or agreement, the most we will pay on behalf of the additional insured is the amount of insurance required by the contract, less any amounts payable by an “underlying insurance”. 

Additional Insureds are usually just that – those persons or entities listed, specifically, as an “Additional Insured”, not those parties who fall under the “Who Is an Insured” section. Remember, we’re adding Employees as Insureds, not as Additional Insureds. Insureds get primary coverage; AIs don’t. They are separate and distinct entities for good reason. I don’t think ISO’s language cuts it when we add Employees as Insureds to an underlying Auto policy. 

The argument can be made that this wording is vague, and so to be construed in the insured’s favor, and that “additional insured” here (undefined) means any party for whom you’ve added any sort of coverage on the underlying.

While I don’t buy that argument I’d certainly make it if it were my client’s assets on the line. But this goes back to my point about preferring a definition in black-and-white rather than relying on interpretive benefit. I’m not sure if there’s case law on the specific matter of what constitutes an Additional Insured in ISO’s umbrella, and maybe it is meant to include situations like this, but I don’t want to find out the hard way. Further, most Umbrella policies you see will NOT be ISO-standard; one little word change and the whole situation is different. 

Long story short on point 2 – each policy will define “employee” differently and you need to make sure they play nice together.

3:   Having only leased employees does not mean you can skip Work Comp (really).

For reasons best put in its own article, having only leased employees does not allow one to forego Workers Compensation coverage. For the curious, I’d suggest this IRMI article on the topic. The “too long; did not read” version is this: you can be held civilly liable for injury to leased employees (n.b. you can be held liable under Work Comp statutes as well, but we’re assuming the leasing company provided this).

This means three things: (1) you can get sued for their injury, (2) the “Exclusive Remedy” of Work Comp doesn’t apply to you, and (3) your CGL won’t cover it due to the Employer’s Liability exclusion. 

There is an ad hoc solution in that ISO has the following endorsement: CG 04 24 – “Coverage for Injury to Leased Workers”. This amends the definition (Remember point #2! Check your excess!) of “employee” on the CGL to not include leased workers for the purposes of the Employer’s Liability exclusion. Since leased worker is no longer an employee, the employer’s liability exclusion will not apply to leased workers. Thus, you get Employer’s Liability coverage under the CGL for injury to leased workers. 

Even with the bargaining power to secure this, it is a stop-gap for a very specific situation only. The only other option, as silly as it sounds, is for your client who does not have “employees” to buy a Workers’ Compensation policy. This might be equally hard to accomplish, and may mean a minimum premium state “Pool” policy, but is probably the better option. 

With a standalone Comp policy you get Work Comp coverage in addition to Employer’s Liability.  Sure, if your leased employees are actually not “employees”, and if the leasing company has their own coverage, and if you’re named as an Alternate Employer, then you probably don’t need true Work Comp coverage. But “probably” is not “definitely”. 

Second – when you have a standalone Work Comp policy you can also schedule it to the excess and it will work like you think it will. Whereas if you’re amending underlying coverage you again run into the lack of congruity between your underlying and excess. It’s just the more elegant solution. 

Conclusion. 

These are by no means the only things to look out for when dealing with leased employees but I will say they are probably some of the most important. Even a minor situation can turn real ugly simply because someone is or is not considered an “employee”. Don’t rely on 1099s, don’t rely on the client – read the language and see how the policy interacts with employees. 

And “leased” employees aren’t the whole picture by any stretch. For further reading, The Law of ‘Leased Worker’ and ‘Temporary Worker’ Under a CGL Policy (free account allows 100 articles/month) offers a good in-depth legal interpretation of “Leased” vs. “Temporary” in the CGL.

CAT Express v. Muriel (previously Hammer) – Employee/Independent Contractor Status and the Limit of IL DOI to Adjudicate

This is a piece of case law that has me pretty confused. If anyone has any insight please contact me!

The IL First District Appellate Court recently issued a ruling in CAT Express v. Muriel. The ‘overview’ of this is:

CAT Express is a trucking company that purchased an IL Workers Compensation Assigned Risk “Pool” policy. They declared 6 clerical employees and paid about $1200 in premium. Upon audit the carrier (Liberty) categorized CAT Express’s [no idea how a possessive apostrophe works there to be honest –ed] independent contractor truckers as “employees”. This boosted premium to over $350K.

CAT engaged NCCI, who handles IL Work Comp rating disputes, and NCCI declined to hear stating they cannot determine whether someone is an employee but can only interpret NCCI Work Comp rating and rules. NCCI advised CAT of their right to appeal to the Director of Insurance (at the time Jennifer Hammer but the pleading was updated to reflect the current Director, Robert Muriel). The DOI investigated and said that these independent contractor truck drivers were employees for purposes of Work Comp premium and that the audit of $350K was appropriate.

CAT Express appealed. The subject of the appeal was actually never heard as the First District IL Appellate court asked the parties to submit supplemental briefs to explain why the Director of Insurance even had the authority to determine employee status in the first place. Both parties did, and they concurred that the Director did have that authority.

Long story short – the court found these briefs uncompelling and ruled that the Director of Insurance *did not* have authority to determine employment status for purposes of premium calculation. I would suggest reading the opinion, but they make a handful of specific notes:

    1. The Director/Department has only the authority vested to it by legislation, and that authority is [that which] “may be necessary and proper for the efficient administration of the insurance laws of this State” [such as enforcing rules].
    2. The Director/Department does have the authority to hear appeals for the application of rating systems/rules, such as hearing appeals from NCCI’s rulings.
    3. The Director/Department erred in taking up this matter after NCCI declined. In short, the determination made – that these independent contractor truckers were employees – is outside the “necessary and proper” administration of insurance law and is instead a legal determination that should be made by courts. The Director had no jurisdiction over this particular dispute.

The reason I find this puzzling is that I’ve been through NCCI dispute processes, up to presenting in front of the board for my district, and determining employees *for the purposes of premium only* is absolutely a function of the rules and ratings of NCCI. For coverage disputes absolutely not, but who is and is not an employee (or more specifically what payroll should and should not be captured) is in their manual.

So I’m not sure why NCCI declined or if such was appropriate – perhaps it was the way the grievance was worded. I no longer have access to NCCI online so I can’t review the specific parts of the manual that apply.

Secondly, and more broadly, the classification of a party for the purposes of premium calculation seems exactly within the “necessary and proper” purview of the Director. I am emphasizing “for the purposes of premium calculation” as that is from the ruling itself – the court uses that specific phrase.

To clarify: The determination of “employee” is only for purposes of generating premium. The Department classification is not, to my knowledge, relevant in any other capacity. For example, being an “employee” for purposes of Work Comp premium doesn’t mean you’re also an “employee” for, say, benefits eligibility.

That said I am out of my comfort zone; I suppose there could be some legal ramification of which I am unaware. Perhaps there is precedent that a determination of employee status on WC is a de facto determination elsewhere under law. If that is the case I would follow the theory, but no such information was provided in the opinion.

As a rhetorical tool – assuming the classification of “employee” for Work Comp rating is inconsequential elsewhere, review the situation while changing the term. For example, instead of using “employee status” use “chargeable exposure”. Is it proper for a Director of Insurance to determine the chargeable exposure for Work Comp policies? Perhaps I’m being a tad disingenuous but I do think doing such can be clarifying.

This is especially true because there are situations where those whose payroll is captured (for premium purposes) on a policy may not be eligible for benefits. Or, more often, those whose payroll isn’t captured are ultimately eligible for benefits. In fact this happens quite a lot and is why I suggest having work comp even if you have no employees; because the legal determination of an employee is separate and distinct from the premium determination of an employee (though it is true they try to be aligned as much as possible).

[UPDATE]
I found Davis v. Ed Hickman, P.A., March 2020 (editorial here; full opinion here) which is an Arkansas Appeals Court decision that found a worker was not entitled to benefits even though his payroll was captured for purposes of Work Comp premium and explicitly states that payroll being captured for purposes of work comp premium is simply a factor in determining employee/independent contractor status and not a determinant by itself. Granted AR DOI legislative authority may be broader, and I’m not sure how a “Work Comp Commission” ruling compares to a DOI appeal, but it’s still another piece that adds confusion.
[/UPDATE]

For what it’s worth I don’t have a horse in this race – I don’t particularly care where a matter is adjudicated as long as it’s transparent and fair. I do admit to incredible frustration as a broker when dealing with Workers Compensation; it is by far the most troublesome policy to administrate and inquiries are often met with conflicting responses. So if you’re reading any level of annoyance in this post, that’s probably why.