A Georgia judge recently dismissed the bulk of Delta Air Lines’ $500 million lawsuit against cybersecurity firm CrowdStrike Inc., undercutting the airline’s efforts to recover massive damages from last summer’s global IT meltdown.
“We’re pleased several Delta claims have been rejected, and are confident the rest will be contractually capped in the single-digit-millions of dollars or otherwise found to be without merit,” Michael Carlinsky, CrowdStrike’s outside counsel at Quinn Emanuel, said.
In the order issued May 16 by Judge Kelly Lee Ellerbe of the Fulton County Superior Court in Georgia, Delta’s claims alleging intentional misrepresentation and fraud by omission were removed from the case, while the company’s remaining claims — including negligence and computer trespass — may proceed.
The case stems from a July 2024 CrowdStrike software update, which was part of its Falcon platform, that inadvertently disabled more than eight million Windows devices globally, paralyzing systems used by airlines, banks, broadcasters, and retailers, among others.
Following the incident — in which Delta said it had to manually reset 40,000 servers after cancelling 7,000 flights that caused delays for some 1.3 million customers — the airline then sued CrowdStrike, claiming it “suffered over $500 million in out-of-pocket losses from the [July update], in addition to future revenue and severe harm to its reputation and good will,” according to the judge’s decision.
Numerous media reports said Delta was the hardest-hit airline in the July 2024 software update incident. For instance, while it took the airline five days to restore services, competitors American and United Airlines returned to almost-normal operations within three days.
At the same time, CrowdStrike and Microsoft claimed that Delta’s aging IT systems and previous refusal of assistance were to blame for its slower recovery time.
In her May 16 ruling, Judge Ellerbe wrote that while Atlanta-based Delta Air Lines may pursue much of its lawsuit seeking to hold CrowdStrike liable, she tossed out the airline’s most serious allegations — including fraud, product liability, and deceptive business practices — while allowing a much narrower case to continue.
Legal experts say the court was constrained in dismissing the complaint outright because the motion to dismiss standard in Georgia is even more permissive than in federal court and dictates that a court “cannot” dismiss a complaint unless it is “certain” no claim could be brought.
Although Ellerbe agreed that Delta can pursue claims of gross negligence and computer trespass, the ruling suggests that any potential damages will be capped under the terms of the companies’ contract — their Subscription Services Agreement (SSA) — which will likely end up being in the single-digit millions, not the half-billion dollars that Delta originally sought.
Regarding Delta’s gross negligence argument, for instance, the company alleged in its initial lawsuit filed last October that CrowdStrike’s Falcon update on July 19 was deployed “without minimal testing [or] routine quality and assurance” and “without staged deployments, including installing the faulty update onto Delta’s computers without its knowledge or consent.”
Ellerbe found this argument plausible enough to let Delta’s computer trespass claim move forward, writing: “Delta has sufficiently alleged CrowdStrike’s unauthorized access was knowingly committed.”
Additionally, wrote Ellerbe, “as CrowdStrike has acknowledged, its own president publicly stated CrowdStrike did something ‘horribly wrong’ with the July update.”
Ellerbe also allowed Delta’s allegation of computer trespass to proceed, noting that the airline contended in its lawsuit that CrowdStrike deployed the update “contrary to Delta’s election not to receive automatic updates,” leading to an allegation that “the access was made without authorization.”
“Delta has sufficiently alleged [that] CrowdStrike’s unauthorized access was knowingly committed,” Ellerbe wrote.
The court also emphasized that this decision followed Georgia’s permissive dismissal standard, meaning claims aren’t being validated — just allowed to move forward.
CrowdStrike gathers gains
Overall, the ruling favored Austin, Texas-based CrowdStrike on the broader legal front.
For example, Delta’s claims of intentional misrepresentation and fraud by omission — central to its attempt to pursue damages beyond the limits of its contract with CrowdStrike — were dismissed outright by Ellerbe, who said the fraud allegation is “more limited than the claim Delta has alleged.”
Additionally, prior to the ruling, Delta had already withdrawn several allegations in its original lawsuit, including a claim for product liability, as well as an alleged violation of Georgia’s Fair Business Practices Act of 1975.
So Delta’s arguments that CrowdStrike had violated the Georgia Fair Business Practices Act and should be held liable under product liability laws also were ditched by Ellerbe.
“The court finds Delta has failed to state a claim for fraudulent inducement for any alleged misrepresentation prior to June 30, 2022,” Ellerbe ruled, referencing the date of the companies’ SSA.
The judge also expressed skepticism about Delta’s efforts to sidestep contractual damage limits, calling the airline’s logic unconvincing.
“Delta has made some general arguments as to why the economic loss rule is inapplicable which the court does not find persuasive,” Ellerbe wrote, adding later in the ruling that Delta’s interpretation “would eviscerate… the economic loss rule.”
The economic loss rule bars plaintiffs from recovering damages for contractual losses through tort claims — a key issue, given that the companies’ 2022 SSA caps liability and excludes indirect or consequential damages.
“The court rejects this argument that applying the economic loss rule is violative of the contracting parties’ intent,” ruled Ellerbe. “As alleged by Delta, it and CrowdStrike are both successful, sophisticated business entities. If they sought to avoid application of this well-established rule, they could have clearly done so.”
Fallout still unfolding
Despite the dismissal of major claims, Delta’s lawsuit now moves into the discovery phase, focused on gross negligence and computer trespass.
However, some legal analysts expect the proceedings to center less on fault — and more on the fine print of Delta’s contract with CrowdStrike.
In addition to this case, more than 3,000 passenger complaints spurred the U.S. Department of Transportation to launch an investigation into Delta’s handling of the disruption.
Meanwhile, Delta also faces a class action lawsuit from passengers who say the airline refused to issue refunds after the IT meltdown.
It’s also worth noting that to this day, Delta continues to use CrowdStrike’s Falcon platform, the very same platform that Delta alleges CrowdStrike deliberately designed to enable malicious, unauthorized ‘backdoor’ access into Delta’s systems, as noted in Ellerbe’s ruling.