
Delta Airlines v. CrowdStrike: When SaaS Liability Caps May Not Be the Ceiling

  • Writer: Tiffany Quach
  • Feb 20

As incident response counsel, I’ve often worked alongside CrowdStrike as my client’s forensics vendor and reviewed CrowdStrike’s standard terms many times. So when the company’s July 2024 security update malfunctioned and caused widespread disruption, I was engrossed.


Now, I’m watching Delta Airlines’ lawsuit against CrowdStrike closely.


Delta alleges that the faulty update triggered a massive IT outage that forced the airline to cancel more than 7,000 flights and caused hundreds of millions of dollars in losses. The lawsuit seeks approximately $500 million in damages, much of which appears to consist of lost revenue, operational disruption, and reputational harm: the categories typically swept into consequential damages exclusions in SaaS agreements.


At first glance, most tech transaction lawyers might assume that the Services Agreement (and its limitation of liability clause) defines the outer boundary of exposure.


1. A Limitation of Liability Clause May Not Be the Final Word


In May 2025, a Georgia state court ruled on CrowdStrike’s motion to dismiss. The judge allowed several of Delta’s tort claims (including gross negligence and computer trespass) to survive.


Under Georgia’s “economic loss rule,” purely economic disputes are generally confined to contractual remedies. But the court held that the rule does not apply where a plaintiff plausibly alleges the breach of a duty that exists independent of the contract.


In other words, if a duty arises from law (not just from the Services Agreement), the contractual liability cap may not fully insulate the vendor.


The conventional SaaS playbook assumes the contract defines the outer boundary of risk. That usually means:

  • Excluding consequential damages

  • Capping liability at fees paid

  • Carving out only narrow exceptions


But courts can examine whether certain claims (fraud, gross negligence, statutory violations) arise from duties imposed independently by statute or common law.


Surviving a motion to dismiss is not the same as winning on the merits. But it suggests the court sees enough substance for the claims to proceed.


2. State Computer Trespass Statutes: Part of the Enterprise SaaS Conversation


Delta also alleges that CrowdStrike’s update was independently unlawful under Georgia’s computer trespass statutes (including O.C.G.A. § 16-9-93(b)).


My practice touches federal computer access laws like the Computer Fraud and Abuse Act (CFAA), the Stored Communications Act (SCA), and the Electronic Communications Privacy Act (ECPA), which come up in a variety of contexts such as data scraping / unauthorized automation, workplace privacy / employee monitoring, and of course what the layperson would refer to as “hacking.”


But it’s not often that their state analogues (such as this Georgia computer trespass statute) are front of mind in the enterprise SaaS context. I wonder if that may be starting to change! 

 
 
 


Attorney Advertising
© 2022-2026 by Lucia Law. All Rights Reserved.
