When the infamous CrowdStrike software update brought down businesses world wide in July, it was inevitable that lawsuits would follow—and so they did. Delta sues the corporate for $500 million in damages, and the hiring of attorney David Boies is maybe essentially the most high-profile example.

Among the big selection of Boies products high profile clients are Theranos, Harvey Weinstein, Jeffrey Epstein’s victims, and Al Gore within the Bush v. Gore case surrounding the 2000 presidential election results. He also led the federal government’s antitrust case against Microsoft within the Nineties.

Even before Delta’s statement, shareholders had already requested a refund by filing a motion class motion lawsuit against CrowdStrike, accusing the corporate of misleading it about its software update procedures.

CrowdStrike, in turn, hired the law firm Quinn Emanuel Urquhart & Sullivan to defend the corporate against an expected wave of lawsuits, lending credence to the assumption that the lawyers would make a fortune from the error.

To a lesser extent, Microsoft also drawn into battle since the flawed CrowdStrike software update only affected Windows computers.

But generally, it’s CrowdStrike’s cross to bear, and the corporate faces a frightening legal challenge, says Rob Wilkins, who works on the Florida law firm Jones Foster, where he co-chairs the firm’s complex litigation and dispute resolution group. But what could save CrowdStrike are contractual limits on damages, that are typically built into enterprise software contracts.

“The interesting thing is that CrowdStrike and Delta have agreed to a contractual limit on damages, and I would assume that other customers will have similar contractual limits on damages,” Wilkins told TechCrunch.

Delta, nevertheless, claims that a foul software update caused gross negligence or intentional misconduct by CrowdStrike that might potentially void your contract limit. Delta service has been disrupted for five daysin comparison with United, which only had three days of CloudStrike-related delays. CrowdStrike said Delta had issues with own internal systems and that the corporate cannot attribute the whole outage to a faulty CrowdStrike update.

Wilkins says Delta can have trouble proving gross negligence or willful misconduct, which carries a major burden of proof. Shareholders alleging the corporate misled and deceived them by failing to warn them in regards to the lack of an adequate software testing regime will even face a major challenge in proving this in court.

“This comes down to the question: Did CrowdStrike intentionally mislead investors or fail to inform them that it was fully up-to-date with all security procedures and controls for its software platform?” Wilkins said.

Wilkins says that whatever happens, the person firms suing CrowdStrike will likely band together to file a category motion lawsuit against the corporate, since individual lawsuits could be costly and unwieldy for everybody involved. It’s value noting, he says, that when a category motion lawsuit does happen, it attracts more firms that wish to be included.

“Usually in class actions, people pile up, and I wouldn’t be surprised if they did, and then everything gets consolidated by a multidistrict litigation panel, assigning all the cases across the country to one particular federal district court to do all the discovery work — and that shortens the process significantly,” he said.

Once that happens, there’s typically a “barrier” process, by which one case is presented as a test case for all the opposite plaintiffs in the category motion, and regardless of the jury’s decision, it’s a roadmap for other settlements in the long run. “Then you can go back to CrowdStrike and say, ‘Look, you got $20 million from this one company, and we have 15 other companies that are suing you in these class actions with the same facts and so on, you should settle,’” he said.

Another complicating factor is the role of insurance firms, which could be expected to guard CrowdStrike and its customers from potential damages in these cases. Customers’ insurance firms could also pursue CrowdStrike to get better some of the payments they made.

“There’s probably insurance there and they’ll probably call the carrier, and they usually defend these things. Although I haven’t seen their specific policy, in the cybersecurity policies I’ve looked at, they would cover this type of negligence. So it depends on what they have and what exclusions they have in their policy, but I see that insurance is part of it.”

Beyond the financial issues, Wilkins says there’s a reputational element, and the earlier that is throughout, the earlier CrowdStrike can move forward. The company has hired good lawyers to defend itself, but at the top of the day, the corporate could have to make peace with its shareholders and customers, and people relationships are crucial to any company’s success.

“I think their approach to this is going to be one of fighting, but also fighting with the knowledge that they really need to solve the problem and move on, so that’s what I would expect.”