The outage caused by the CrowdStrike update is already being talked about as the largest IT failure in history, reportedly impacting 8.5 million devices and thousands of businesses. Once the immediate effects of the outage on impacted businesses have been resolved and devices brought back online, we expect that the focus will turn to what IT providers and customers can learn from the CrowdStrike outage to mitigate against similar future events.
IT providers and customers, many of whom use standard terms of business similar to those offered by CrowdStrike, are reminded of the importance of the Unfair Contract Terms Act 1977 (UCTA). This act plays a crucial role in regulating how liability can be limited and/or excluded in standard business contracts. The recent outage serves as a timely reminder of UCTA's significance in a business-to-business (B2B) context.
In this article we consider how UCTA principles may be applied to standard terms of business, such as those used by CrowdStrike, found here.
UCTA and breach of standard terms of business
UCTA sets out a framework where a party that contracts using its standard terms of business cannot exclude or limit its liability for a breach of contract unless the terms of the contract on which it seeks to rely are reasonable. UCTA has a wide remit and, to the extent UCTA prevents the exclusion or restriction of any liability, it also prevents a party unreasonably: (a) making the liability or its enforcement subject to restrictive or onerous conditions; and (b) excluding or restricting any right or remedy in respect of the liability, or subjecting a person to any prejudice in pursuing any such right or remedy.
The UCTA “reasonableness test” is applied subjectively, having regard to the circumstances which were (or ought reasonably to have been) known to or in the contemplation of the parties at the time when the contract was made. Where a party is seeking to limit its liability to a specified sum of money, consideration should also be given to the level of resources an affected party could expect to be available to it, should the liability arise.
The question as to whether a clause is “reasonable” under UCTA is a question of fact in each case. Factors which may be relevant when assessing the reasonableness of a particular clause include:
- the relative bargaining strength of the parties;
- the breadth of the relevant clause (whether it excludes all liability or still provides for a satisfactory remedy);
- the ability of the innocent party to insure against the loss;
- the availability of alternatives in the marketplace; and
- whether the innocent party was legally represented.
Generally speaking, the “reasonableness test” is likely to be satisfied if a clause is properly negotiated, the parties are legally represented and appropriately insured, and they understand the relevant contractual risks. The test is more difficult to meet when parties are contracting on one party's standard terms of business, as standard terms are not individually negotiated and tend to be heavily favourable to the party whose standard terms are being relied on.
The courts have previously found that UCTA will only apply if the entire contract was on standard business terms, i.e., UCTA will not apply if there have been any material changes to the terms in general, not just to a liability or exclusion clause. The terms must be “effectively untouched” for UCTA to apply. Please see here for further analysis of that decision.
This is a relevant consideration for both parties, when considering whether UCTA controls exclusions and/or limits of liability under standard terms of business. For further information on how courts have applied the reasonableness test, particularly in relation to fraudulent breaches of contract, please see here.
Below, we consider how UCTA may apply to IT suppliers’ standard terms of business, such as the CrowdStrike Ts&Cs.
Standard IT terms of business – how may UCTA apply to exclusions and limits of liability?
Many IT service provider standard terms of business include clauses that specify remedies for defects and breaches of warranties and limit the suppliers’ liability. For example, clause 8.2 of the CrowdStrike Ts&Cs (available here) specifies a sole and exclusive remedy for a breach of CrowdStrike’s Product Warranty. This Product Warranty is limited to (1) its products operating without “Error” (i.e., without “a reproducible failure of a Product to perform in substantial conformity with its applicable Documentation”); and (2) a warranty regarding installation at time of delivery. These are the only warranties CrowdStrike provides for its products that subsist during the term of the contract; all other warranties, whether express or implied, are expressly disclaimed and excluded under clause 8.6.
A customer’s remedy for a breach of the warranty that a product will operate without Error is limited to CrowdStrike doing one of the following at its expense: “(a) [using] commercially reasonable efforts to provide a work-around or correct such Error; or (b) [terminating the customer’s] license to access and use the applicable non-conforming Product and [refunding] the prepaid fee prorated for the unused period of the Subscription/Order Term.”
A sole and exclusive remedies clause will be subject to the same UCTA “reasonableness” test as an exclusion clause. If we consider the remedies above as an example, a customer may argue that they are unlikely to entirely compensate customers who were affected by the IT outage, given that the outage rendered many devices running CrowdStrike unusable and would have caused significant flow-on losses for businesses. The clause may not provide a satisfactory remedy and therefore there may be an argument that it could be considered “unreasonable”. However, the exclusion of express and implied warranties in clause 8.6 is still subject to the warranties in clause 8.2, i.e., clause 8.6 is not a blanket exclusion on remedies. If it was, it would be more likely to be considered “unreasonable” under UCTA.
UCTA also requires that the “reasonableness” analysis be conducted based on the parties’ knowledge when the contract was made. The requirement of reasonableness must be satisfied in relation to the provisions of the contract as a whole, not just the parts of the contract on which the customer is seeking to rely. For example, in this case, while termination and refund or a workaround may not be satisfactory remedies for a CrowdStrike error that caused a global IT outage, such remedies may be more satisfactory for the types of errors the parties anticipated would happen during the course of the agreement. As CrowdStrike’s Ts&Cs define “Error” as “a reproducible failure of a Product to perform in substantial conformity with its applicable Documentation”, the remedy provided by CrowdStrike in clause 8.2 would be more appropriate if the documentation said that software would do x but the software did not do x. This would point against a clause being considered unreasonable.
Further, for a party to establish that a clause is unreasonable, it must be able to show that the other party took unfair advantage or that it is so unreasonable that it cannot properly have been understood or considered. That is likely to be challenging. For example, it is likely that a number of business customers would have some advice at their disposal prior to entering into such contracts. This would be a point against an exclusion clause being considered unreasonable.
International supply contracts
UCTA controls on exclusions and limitations of liability do not apply to international supply contracts for the supply of goods. Under UCTA, an international supply contract is either a contract for the sale of goods, or it is one in pursuance of which the possession or ownership of goods passes, and it is made by parties whose places of businesses are in the territories of different “States”.
There are also further factors to consider, namely whether the goods are carried from one State to another, where offer and acceptance of the contract has taken place, and if the contract provides for the goods to be delivered to the territory of a State outside of the territory where those acts were done.
The analysis of whether an agreement, such as the CrowdStrike Ts&Cs, is an international supply contract would require an assessment of the particular contract and goods and services provided to the customer. For example, software deployed via a SaaS model may not constitute a supply of goods. Such an analysis is outside of the scope of this article, but it is a key point to consider for a party wishing to test the “reasonableness” of a clause using UCTA.
What about “bundled” services?
Although it is sometimes the case that software (such as that provided by CrowdStrike) is bundled with another supplier’s (main supplier) software, those terms (and indeed, most supplier terms) would state that any third party software (i.e., CrowdStrike software) is subject to the terms of the relevant third party. Accordingly, the UCTA assessment needs to be undertaken in relation to the third party’s terms and conditions and not the main supplier's terms.
Key takeaways
Events with wide-reaching implications such as the CrowdStrike outage should serve as a trigger for providers and customers alike to review their contractual rights and obligations. It is important that legal frameworks such as the UCTA “reasonableness” test are kept front of mind in such scenarios, as they may provide legal remedies to customers if they are found to apply.
Service providers, on the other hand, may need to consider the terms they provide to customers. One-to-many providers, such as CrowdStrike, have to strike a balance: they need appropriate exclusions that protect them from disproportionate liability in scenarios such as this, where one action has a significant impact on the global IT ecosystem, but they also have to ensure that their customers are provided with appropriate legal remedies that do not cut across legal frameworks, such as UCTA.