Search Articles
(CN) — Passengers stranded by a July 2024 software outage urged a three-judge Fifth Circuit panel Monday to let them pursue negligence claims against cybersecurity provider CrowdStrike, arguing the Airline Deregulation Act of 1978 does not bar their state-law claims.
The case, Del Rio et al. v. CrowdStrike, stems from a faulty software update that crippled Microsoft Windows systems worldwide, grounding flights at Delta, United, American and other major carriers. Passengers filed a proposed class action seeking damages for missed connections, hotel stays, lost wages and other costs of travel chaos. A federal District Court in Texas dismissed the suit last June, with U.S. District Judge Robert L. Pitman, a Barack Obama appointee, ruling the claims were preempted by the ADA. The plaintiffs appealed.
At issue is the ADA’s preemption clause, which bars states from enacting or enforcing any law “related to a price, route or service of an air carrier.” Attorney Anthony Parkhill, arguing for the passengers, told the court the negligence claims fall outside that language.
“The developer in this case pushed a software update that caused one of the largest global IT outages in history,” he said. “All of the allegations of negligence in this case pertain to the negligent software development practices used by CrowdStrike.”
Parkhill stressed CrowdStrike sold “an undifferentiated software product” used by more than half the Fortune 500, “similar to other basic business inputs that airlines must purchase.” The duty at the heart of the claim, he argued, was not airline-specific.
“Duties, not injuries, drive the analysis,” he said, citing First Circuit precedent. Even though the harm flowed from flight delays, the regulatory “bite” of the lawsuit would not force airlines to change how they operate.
The panel wanted him to elaborate on the distinction.
“This case is about delayed flights, right?” U.S. Circuit Judge Stuart Kyle Duncan, a Donald Trump appointee, asked early on.
Parkhill agreed the injuries stemmed from travel disruption but insisted the proper focus is on the duties a verdict would impose on CrowdStrike ex ante, not the downstream effects on passengers. U.S. Circuit Judge Andrew S. Oldham, also a Trump appointee, later posed a hypothetical: Could passengers sue the airlines themselves over negligently choosing CrowdStrike and still seek lost wages or emotional distress damages?
Parkhill said yes, so long as the claims stayed within the express terms of the contract of carriage. But he insisted the third-party vendor’s generic software obligations were different.
Arguing for CrowdStrike, attorney Samantha L. Chaifetz urged the panel to begin, as Supreme Court precedent requires, with the complaint itself.
“This is a complaint that, through and through, every count is premised in key ways on the relationship to and connection with airline services,” she said. The plaintiffs repeatedly tied CrowdStrike’s duty to its contractual relationship with the airlines and to the foreseeability of massive flight disruptions. The damages sought were precisely the kinds of incidental costs Congress left to market forces when it deregulated the industry, she argued. Chaifetz also emphasized that cybersecurity is no peripheral vendor service.
“Cybersecurity services that CrowdStrike’s product [provides] are core to the provision of airline services,” she said, noting that TSA mandates such protections and that the plaintiffs’ own complaint repeatedly described how integral the software was to keeping planes flying on schedule. Allowing suits against vendors would trigger “an explosion of liability” not priced into contracts, she warned, forcing airlines to renegotiate indemnification deals and ultimately raising ticket prices, the very outcome the ADA was designed to prevent.
U.S. Circuit Judge Priscilla Richman, a George W. Bush appointee, questioned whether Congress intended to protect third-party vendors at all. Chaifetz replied that the statute’s text contains no defendant-identity limitation; preemption turns on whether the claim relates to airline services, not who is sued. She noted courts have routinely preempted claims against website operators, data processors and other vendors whose work touches passenger information or booking systems.
The panel explored hypotheticals. Richman asked about a defective wiring component used across industries that caused aircraft delays; Chaifetz distinguished personal-injury product-liability cases (often analyzed under implied preemption) from the economic harms at issue with CrowdStrike. Duncan wondered aloud whether a successful suit against CrowdStrike would have “no effect whatsoever on how airlines operate.” Parkhill insisted it would not because the airline itself was not accused of negligence.
The decision may have implications for a broad range of technology vendors whose products underpin modern airline operations.
Follow @gabetynesSubscribe to our free newsletters
Our weekly newsletter Closing Arguments offers the latest about ongoing trials, major litigation and rulings in courthouses around the U.S. and the world, while the monthly Under the Lights dishes the legal dirt from Hollywood, sports, Big Tech and the arts.