Aftermath of the IT glitch at Crowdstrike “Falcon Sensor”

Last Friday, a bug in the “Falcon Sensor” security software led to massive IT problems. Windows PCs were affected worldwide. Air traffic had to be temporarily suspended not only in the USA, but also in some parts of Germany, for example at BER and HAM airports. Work is underway to solve the problem and the PCs should be working smoothly again within a short time. However, this may not be the end of the aftermath for the airlines – and other affected companies.

Many flights had to be canceled or could only be operated with delays. As passengers in this constellation could in principle be entitled to compensation under Regulation (EC) No. 261/2004, the question arises as to whether the airlines could claim exemption from liability under Art. 5 Para. 3 of Regulation (EC) No. 261/2004 in the event of an error in the security software. Even if, at first glance, there is a lot to be said for this, as the software error could not be controlled by the airline and also had an external impact on operations. However, it is to be feared that claim management companies will attempt a similar argument as in the ATC slot cases, in which they claim that also functional IT is part of the airlines’ sphere as normal exercise of activity. When defending these cases, it will therefore be necessary to explain the specific cause and exact impact on operations and the flight disruption. In addition, there is also the issue of reasonable measures with regard to rebooking efforts, as not all airlines are likely to have been equally affected by the disruption.

But lawsuits based on the Passenger Rights Regulation are unlikely to be the only claims that airlines could be exposed to. For example, it is not yet clear whether the IT breakdown could also become a gateway for cyber criminals who extract or encrypt data from the servers. Nor can it be ruled out that personal data could be leaked in other ways. On the basis of the General Data Protection Regulation (GDPR), the ECJ has also awarded non-material damages to consumers whose personal data has been misused. On the basis of Art. 82 GDPR, any person who has suffered material or non-material damage as a result of a breach of the GDPR is entitled to compensation for this damage from the controller. This controller is the airline if data has been leaked from its servers as a result of this data breach, i.e. data of its customers has been affected. This claim does not exist if the airline can prove that it has taken all technical and organizational measures in accordance with the GDPR. However, it is not only a technical but also a legal challenge to provide this evidence in full during the legal proceedings. Similar to passenger claims for compensation, there are also specialized consumer law firms in the field of data protection that advertise and assert passengers’ possible claims for damages. This is already a known consequence of cyber security attacks suffered in the recent past. It is therefore to be feared that the current IT incident could therefore also result in a large number of lawsuits here if there is a data outflow.

However, the airline’s defense against these claims for damages is still possible and can be very successful. This is because, according to the case law of the ECJ (most recently: judgments of May 4, 2023, C-300/21 and December 14, 2023, C-340-21), the injured party must not only prove the non-material damage that actually occurred, but also the causality between the data leakage and the alleged damage. In our experience, this represents a hurdle for plaintiffs in court. Therefore, this should be a focus of the defense, which requires special effort and involvement on the part of the airline. However, there is then a good chance of defending such claims.