CrowdStrike Limits Liability?: "Fees Paid" vs. "Fees Paid or Payable"

July 25, 2024

Privacy Plus+

Privacy, Technology and Perspective

This week, let’s consider how the precise wording of limitations of liability clauses can be used to manage risk. This post is prompted by the recent CrowdStrike outage, and particularly, the following article about CrowdStrike’s terms and conditions, which indicates that the protective language in its limitations of liability clause may limit its customers’ recovery of damages:

https://www.msn.com/en-us/money/insurance/crowdstrikes-terms-and-conditions-say-most-customers-would-just-get-a-refund-due-to-the-massive-outage-cybersecurity-lawyer-says/ar-BB1qiaLk

Overview of Limitations of Liability Clauses

Generally, limitations of liability clauses are provisions in contracts that cap the amount of damages that one party can recover from another. In technology contracts, service providers, like CrowdStrike, prefer implementing a favorable limitations of liability clause because it limits risk, generally by capping financial exposure in the event of a breach or other issue. Typically, limitations of liability clauses often exclude specific types of damages, such as consequential damages, and establish a cap on liability. This cap is typically defined using a fixed amount, a formula, or other financial metrics like "fees paid" or "fees paid or payable."

Fees Paid vs. Fees Paid or Payable

Let’s look closer at the "fees paid" or "fees paid or payable" language in some limitations of liability clauses. While this language may seem similar, the legal implications of each of these terms are distinct, and they impact the calculation of potential damages or liability caps in significant ways.

"Fees paid" refers to the money already exchanged between the parties. When a contract uses "fees paid," the party limits its liability to the total amount the other party has already paid up to the point of the claim. Effectively, this type of cap provides a refund, which, in turn, is often further capped to a certain term—for example, “the past 12 months.” So, if a customer entered a valuable contract with a service provider one month before a breach or other incident, “fees paid” language would cap the damages paid by the service provider to the customer to the month of fees paid, assuming the customer indeed paid for that month of service.

“Fees paid” language creates a straightforward, predictable way of limiting liability. Service providers prefer negotiating “fees paid” language because it allows them to manage their risk, quantifying their maximum exposure to revenue already received. However, “fees paid” language may disincentivize customers from paying at all, causing potential cash flow issues for the service provider.  Further, many customers may find this limitation insufficient where their losses exceed the amounts paid.

In contrast, "fees paid or payable" includes both the fees already paid and those that are contractually obligated to be paid, even if unpaid at the time of the claim. Here, the customer that signed the valuable contract and paid for a month of service would be entitled to recover the entire value of the contract in the event of a breach or other incident. This broader scope increases the potential liability cap, encompassing the total contractual commitment.

“Fees paid or payable” language provides more comprehensive coverage to customers, aligning the liability cap with the full economic value of the contract.  On the other hand, this language causes service providers to face higher potential liability, possibly requiring higher insurance premiums or other risk mitigation measures. Further, calculating "fees payable" can be complex, especially if disputes arise over amounts due or contract performance.

Our Thoughts

In today's world, the large technology companies often leave customers with no practical choice but to accept contract terms that don't fully protect their interests. As a result, when critical technology fails, it can disrupt businesses globally, as we saw with the CrowdStrike outage, and leave customers bearing the highest costs (though, in the case of an immense global outage, the cost borne by a service provider may also be ruinous).

It's clear that the wording in liability clauses can greatly impact the financial outcomes for both service providers and customers. The distinction between "fees paid" and "fees paid or payable" is more than just semantic; it carries substantial legal and financial implications. Service providers should prefer "fees paid" to limit their liability to revenue already received, while customers should advocate for "fees paid or payable" to ensure better protection against significant losses, particularly in high-value contracts or contracts related to critical technology.

--- 

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet, and technology. Open the Future℠.