The Computer Fraud and Abuse Act: revenue protection weapon for airlines

December 5, 2010

Note:  This post is an abridged version of the article I wrote for the Autumn 2010 issue of Issues in Aviation Law and Policy, which is published by the International Aviation Law Institute of DePaul University College of Law.  Click here for the full version.

Until the last few years, airlines sustained significant revenue losses from “bust-outs” by Airlines Reporting Corporation (ARC)-accredited travel agencies.  In a bust-out, an agency’s owners validate and sell vast numbers of tickets in a short period of time to individuals and other agencies, fail to report the sales to ARC, and disappear with the proceeds.  Due to technological innovations and aggressive enforcement activities, primarily driven by ARC, bust-outs are now comparatively rare.

Airlines still suffer revenue losses from ticket-related fraud, but now that type of fraud mostly results from online conduct by persons who are not affiliated with ARC agencies.  Online fraud, primarily the illicit sale of tickets purchased over the Internet by persons using stolen credit and debit card numbers, is a significant source of revenue loss for airlines.  This past summer, federal authorities charged 38 defendants “in a series of indictments that allege an extensive network of black market travel agents who used the stolen identities of thousands of victims as part of a multi-million dollar fraud scheme to purchase airline tickets for their customers.”  News Release, Office of the U.S. Attorney, W. District of Missouri, Black Market Travel Agents – 38 Defendants Indicted in Multi-Million Dollar Fraud (July 9, 2010).  Losses from this scheme allegedly exceeded $20 million.  According to one survey, airlines suffered losses of over $1.4 billion in 2008 due to online fraud.  Airlines Tackle $1.4 Billion Online Fraud Challenge, Cybersource (Mar. 16, 2009).

Airlines also sustain online-related revenue losses from fraud by frequent flyer mileage brokers and website abuse by “screen scraper” travel information providers.  Ironically, just as technology was instrumental in reducing the incidence of bust-outs, it is technology, mainly in the form of the Internet, which makes these other forms of fraud and abuse possible.

Alaska Airlines’s recent successful use of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, in federal court against a defiant, long-time frequent flyer mileage broker demonstrates that the Act can be effectively used to combat online fraud and abuse.  Having the CFAA as a gateway to federal court, through federal question jurisdiction under 28 U.S.C. § 1331, is particularly important for airlines because, in general, cases move more quickly, and summary judgment is more readily available, in federal district courts than in state courts.  Moreover, airlines can no longer depend as heavily as they once did on federal trademark infringement or other Lanham Act causes of action to obtain federal question jurisdiction, as mileage brokers appear to be lessening their use of airline logos, trade names, and other trademarks on their websites in an effort to avoid drawing airlines’ attention.

A CFAA cause of action can serve as a powerful weapon, but, in general, courts are cautious about using the CFAA in a civil setting and thoroughly scrutinize evidence offered by a plaintiff in support of its CFAA cause of action.  As a result, an airline must make sure that its website’s terms of use are correctly set up so they can help support a CFAA cause of action, and as soon as online-based fraud or abuse is detected, an airline needs to take steps to ensure that it will be able to prove the elements of a CFAA cause of action, particularly with respect to the “loss” element, which various federal courts have construed differently.  These protective measures are discussed in detail below.

Introduction to the Act

In the early 1980s, computer hackers began to penetrate government and private computer systems.  Gradually, the public began to become aware of these shadowy figures, who used a combination of telephones and “social engineering” (tricking people into disclosing information) to hack into computer systems and steal information or cause damage.

Oddly, Hollywood provided a major impetus for legislative change to address the hacker problem.  In 1983, the movie “WarGames” was released, and it dramatically increased the public’s – and Congress’ – awareness of computer hacking.  In the movie, a high school-age computer geek unknowingly hacks into a NORAD computer system using his personal computer and a telephone and nearly causes a global nuclear war.  Partly as a result of this movie, and its far-fetched premise that a teenage hacker could cause the launch of nuclear missiles, Congress enacted the CFAA, which was then called the “Counterfeit Access Device and Computer Fraud and Abuse Act of 1984.”  (For those who doubt that a movie featuring the escapades of Matthew Broderick and Ally Sheedy spurred the enactment of federal computer crime legislation, see H.R. Rep. No. 98-894, at 6 (1984), reprinted in 1984 U.S.C.C.A.N. 3689, 3695 (“For example, the motion picture ‘War Games’ showed a realistic representation of the automatic dialing and access capabilities of the personal computer.”).)

The Report of the House Committee on the Judiciary summarized the need for the legislation as follows:  “The committee concluded that the law enforcement community, those who own and operate computers, as well as those who may be tempted to commit crimes by unauthorized access to them, require a clearer statement of proscribed activity.”

The goal of articulating a “clearer statement of proscribed activity” has been difficult for Congress to achieve, and, as a result, it has repeatedly amended the CFAA over the years.  The amendments have caused the Act’s reach to broaden substantially, just as the prevalence of computers themselves has increased.  For example, the CFAA initially was a criminal statute only.  In 1994, Congress amended the Act to add a civil cause of action, which is now codified at 18 U.S.C. § 1030(g), under which victims of computer fraud or abuse can assert claims against violators of the statute.  Also, the statute was originally intended to control interstate computer crime only, but, with the development of the Internet, virtually all computer use has become interstate use and thus subject to the Act.

The Act’s Civil Cause of Action

Although the CFAA prohibits seven separate types of activities, airline plaintiffs typically proceed against offenders under Section 1030(a)(4), which prohibits a person from “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value.”

The Act defines a “protected computer” as a computer “which is used in or affecting interstate or foreign commerce or communication.”  Thus, as noted above, the Act covers, in essence, any computer that is connected to the Internet, which means that it covers virtually all modern computers.  Certainly, any computer that hosts an airline’s website or frequent flyer mileage program constitutes a “protected computer” under the Act.

To prevail on a claim under Section 1030(a)(4), an airline plaintiff must prove that the defendant caused a “loss” to the airline “during any 1-year period . . . aggregating at least $5,000 in value.”  The Act defines the term “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”  The “cost of responding to an offense” includes the “consequential” costs incurred in investigating an offense and taking remedial measures in response to it.

An airline plaintiff that has sustained a “loss” through violations of the Act is entitled to “maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”  Actions must be brought within two years of the offensive conduct or the date of the discovery of the actionable damage.

History of Cases Brought by Airlines Under the Act

In court, airlines have had some successes with CFAA causes of action.  Although issues regarding whether defendants have accessed airline computers “without authorization” or have “exceed[ed] authorized access” have been litigated in several cases, the primary battleground has been the issue of whether the airline plaintiff has been able to prove that it sustained a “loss” within the meaning of Section 1030(c)(4)(A)(i)(I).

Southwest’s Cases

Of all airlines, Southwest Airlines has been, by far, the most active in bringing CFAA causes of action in court.  Southwest’s experiences in litigating the “loss” element of the CFAA cause of action in the following three cases are instructive.

Southwest v. FareChase.  In 2003, Southwest sued a software company that developed and licensed software that had the ability to send out “a robot, spider, or other automated scraping device” via the Internet to obtain fare, route, and schedule information from southwest.com, as well as a company that was using such software, pursuant to a license, for use by its corporate traveler customers.  Southwest Airlines Co. v. FareChase, Inc., 318 F. Supp. 2d 435, 437 (N.D. Tex. 2004).  In its complaint, Southwest claimed that the defendants’ activities directed at southwest.com were unauthorized and were deceiving Southwest’s customers by providing them with incomplete and inaccurate information.  Southwest alleged 12 causes of action in its complaint, including a CFAA cause of action.

The defendant that had been using the software moved to dismiss, among other things, Southwest’s CFAA claim pursuant to Federal Rule of Civil Procedure 12(b)(6) because the complaint supposedly had failed to adequately allege “loss” and unauthorized access to southwest.com.  The court rejected both arguments.

As to the “loss” issue, the court held that, because the complaint alleged “loss” aggregating at least $5,000 pursuant to Section 1030(e)(11), Southwest did not need to also allege “damage” to its computer or data pursuant to Section 1030(e)(8), as the defendant had contended.  The court also held that Southwest had adequately alleged unauthorized access under the CFAA because southwest.com’s Use Agreement, which was accessible from all pages on the site, specifically informed users that the use of “automated scraper devices” on the site was prohibited.

Southwest v. BoardFirst.  In 2006, Southwest sued BoardFirst to prevent it from continuing to assist Southwest customers trying to obtain “A” boarding passes, which allow the holder to board flights earlier during the boarding process.  Southwest Airlines Co. v. BoardFirst, L.L.C., 2007 WL 4823761 (N.D. Tex. 2007).  Southwest customers would provide their name, flight confirmation number, and credit card information to BoardFirst.  BoardFirst personnel then would log onto Southwest’s website using the customer’s personal information and attempt to secure an “A” boarding pass.  If BoardFirst obtained an “A” pass, the customer would be charged a fee.

In its complaint, Southwest alleged, among other things, that BoardFirst’s conduct violated the CFAA, and Southwest moved for summary judgment on its claims.  The court held that Southwest was not entitled to summary judgment on its CFAA claim.  The court agreed with Southwest that, by logging on to southwest.com, BoardFirst had been “intentionally access[ing]” Southwest’s computer within the meaning of the CFAA.  However, the court asked the parties to provide additional briefing on the issue of whether BoardFirst had acted “without authorization” or had “exceed[ed] authorized access,” as well as whether the court should apply the “rule of lenity” in interpreting the CFAA in the context of the case.  The rule of lenity “counsels courts to construe ambiguities in a criminal statute, even when applied in a civil setting, in a narrow way.”

The court then addressed whether Southwest had satisfied the CFAA requirement that it show a “loss” of more than $5,000 in a one-year period due to BoardFirst’s conduct.  To support its “loss” claim, Southwest had submitted the declaration of its corporate representative on damages, which stated that “Southwest spent at least $6,500 within a single one year period in investigating and responding to BoardFirst’s unauthorized access to Southwest’s computer system.”

The court ruled that, although “investigative and responsive costs fit within the concept of ‘loss’ as used in the CFAA,” the corporate representative’s declaration was “fairly conclusory,” and thus inadequate to establish “loss,” because the declarant had failed “to identify the precise steps taken by Southwest in ‘investigating and responding to’ BoardFirst’s unauthorized access.”  This failure, according to the court, prevented it from being able to determine if Southwest’s response costs were “reasonable,” as required by the Act’s definition of the term “loss.”  However, Southwest did succeed in shutting down BoardFirst’s operations; on the basis of Southwest’s breach of contract claim, the court permanently enjoined BoardFirst from continuing to use southwest.com to obtain boarding passes for its customers.

Southwest v. Harris.  In 2007, Southwest sued eight defendants, alleging that they had engaged in brokering of the airline’s Rapid Rewards frequent flyer plan miles and awards.  In its complaint, Southwest advanced a CFAA cause of action, its only federal cause of action, as well as numerous state statutory and common law causes of action.

The defendants moved to dismiss the complaint for lack of subject matter jurisdiction, alleging that they had not “accessed” Southwest’s computer system within the meaning of the CFAA.  Southwest focused its opposition solely on the “access” element of the CFAA because that was the only element that the defendants had disputed, but, in deciding the motion, the United States Magistrate Judge decided to analyze all the elements of the CFAA cause of action, including whether Southwest had sustained a “loss” within the meaning of Sections 1030(c)(4)(A)(i)(I) and (e)(11).  Southwest Airlines Co. v. Harris, 2007 WL 3285616 at *3-4 (N.D. Tex. 2007).

In his ruling, the Magistrate Judge noted that, under the Act, Southwest was required to show that it had sustained a “loss aggregating at least $5,000 in value over a one-year period.”  The Magistrate Judge also noted that, under Section 1030(e)(11), the Act defines the term “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

In its complaint, Southwest alleged that it had incurred a “loss” within the meaning of the Act because it had lost more than $5,000 in revenue in one year due to numerous passengers having traveled on its flights using awards that were void because defendants had brokered them in violation of the Rapid Rewards program’s terms.  Taking a narrow view of the Act’s definition of “loss,” the Magistrate Judge ruled that the form of loss alleged by Southwest did not fall under the definition set forth in Section 1030(e)(11) because the revenue at issue had not been lost “because of interruption of service.”  Accordingly, the Magistrate Judge recommended that the defendants’ motion to dismiss be granted, and the District Court accepted his recommendation.

The court in Harris is not alone in its view that lost revenue must result from a service interruption in order to constitute a “loss” within the meaning of Section 1030(e)(11).  In fact, this appears to be the majority view on this issue.  See Costar Realty Information, Inc. v. Field, 2010 WL 3369349 at *15 (D. Md. 2010).  However, some courts have ruled that lost revenue does constitute “loss” within the meaning of Section 1030(e)(11) even if it does not result from a service interruption.  See, e.g., Frees, Inc. v. McMillian, 2007 WL 2264457 at *6 (W.D. La. 2007).  This issue was recently addressed in a case brought by Alaska Airlines.

Alaska Airlines v. Carey

Brad Carey is no stranger to lawsuits brought against him by airlines seeking injunctive relief against, and damages arising from, his frequent flyer mileage brokering.  Northwest Airlines sued Carey for mileage brokering in 1991, and, the next year, the court granted the airline a permanent injunction and a stipulated judgment for $200,000.  United Airlines sued Carey for mileage brokering in 1992, and again in 2005 for violation of the permanent injunction entered against him in the first case in 1993.  In its summary judgment memorandum in the case discussed below, Alaska Airlines referred to Carey as “an incorrigible and devious scofflaw.”

In 2007, Alaska Airlines filed a lawsuit in the United States District Court for the District of Washington against Carey, his wife, and Carey Travel, Inc. seeking damages and injunctive relief related to Carey’s brokering of frequent flyer miles and award tickets.  Like other frequent flyer programs, the terms of Alaska Airlines’s program, which is known as the “Mileage Plan,” prohibit its members from selling, purchasing, or bartering miles or award tickets, and stipulate that miles and award tickets “are void if transferred for cash or other consideration.”

In its amended complaint, Alaska Airlines set forth eight causes of action, but its CFAA cause of action was the only federal statutory cause of action in its pleading and, thus, the sole basis for the court’s subject matter jurisdiction under 28 U.S.C. § 1331.

According to Alaska Airlines, Carey operated the following scheme in violation of the CFAA.  Carey would solicit Mileage Plan members to sell their miles to him.  He would pay the members a set number of cents per mile, and the members would provide him with their online Mileage Plan username and password.  Carey would then be contacted by persons looking to buy an Alaska Airlines ticket, and he would agree to sell them a ticket.  Carey would then log on to Alaska Airlines’s website using a Mileage Plan member’s username and password and purchase the requested ticket in the name of the buyer.  Carey would then pass the electronic ticket information to the buyer, along with the instruction that, if asked, the buyer should explain that the award ticket was received “free, free, free” as a gift.

In the litigation before the District Court, Alaska Airlines claimed that Carey was violating the CFAA by, “with intent to defraud,” accessing its computer system “without authorization” by using others’ account information without the airline’s permission for the sole purpose of fraudulently causing the airline to issue tickets and provide transportation based on void miles and award tickets.

The District Court agreed with Alaska Airlines that Carey had violated the CFAA, and it entered summary judgment in its favor and a permanent injunction against the defendants.  The Ninth Circuit agreed as well, affirming the District Court’s rulings in all respects.  Alaska Airlines, Inc. v. Carey, 2009 WL 3633894 (W.D. Wash. 2009), amended, 2010 WL 2196446 (W.D. Wash. 2010), aff’d, 2010 WL 3677783 (9th Cir. 2010).  However, neither the District Court’s order granting summary judgment, its amended order granting summary judgment, nor the Ninth Circuit’s memorandum opinion affirming the District Court’s decision contains an extensive discussion of the CFAA cause of action.  Only the transcript of the District Court’s oral decision at the hearing on Alaska Airlines’s motion for summary judgment offers insight into either court’s thinking on the CFAA issues.

At the summary judgment hearing, the District Court ruled that Alaska Airlines had proven the elements of its CFAA cause of action.  As to the unauthorized access element, the court held that using a frequent flyer program member’s online username and password, even with the member’s permission, to perpetrate a fraud against the airline constitutes “access[ing] a protected computer without authorization” in violation of the CFAA.  In ruling in this manner, the court rejected Carey’s contention that his access was authorized because the selling Mileage Plan members had given him permission to use their website login information.  The court pointed out that the victim of Carey’s fraud was Alaska Airlines and that the airline owned and operated its site, solely determined authorized access to it, and had not given Carey the authority to use its site to perpetrate a fraud against it.

In addition, the court ruled at the summary judgment hearing that Alaska Airlines had proven the “loss” element of its CFAA cause of action:

The statutory dollar value, the Court is satisfied, is met in aggregating the cost of policing the system in order for Alaska Airlines to maintain the continued integrity and viability of its frequent flyer system.

The fact of damage here is not a close question in my judgment.  Not only do we have the in excess of $5,000 spent by Alaska Airlines to fulfill its business interest in maintaining the integrity of its mileage system, but as in the Texas case of Frequent Flyer Depot v. American Airlines, it is also clear to me that there has been a loss of goodwill.  Any time a valid frequent flyer mile customer does not have a seat available on a plane because of someone who improperly aggregated miles and obtained a travel award in violation of the terms and conditions, that results in a loss of goodwill, a loss of respect and confidence in the system that Alaska Airlines and, I might add, most other carriers have promoted and spent a goodly amount of money in advertising and promoting for their economic advantage.

The District Court was able to conclude that Alaska Airlines had incurred costs in excess of $5,000 in a one-year period responding to Carey’s offenses because the airline had submitted, in support of its summary judgment motion, the declaration of its Director, Customer Loyalty & Marketing Programs, in which he attested that the airline had expended over $5,000 in manpower in a one-year period while “tracking and attempting to curtail Defendants’ abuses of the system.”  The court relied on this declaration in ruling that Alaska Airlines had satisfied the “loss” element of its CFAA cause of action.

CFAA Pointers

The CFAA is a potentially powerful weapon against mileage brokers, “screen scrapers” and others who threaten an airline’s revenues through conduct that involves accessing the airline’s computers.  But, in general, judges appear to be reluctant to award relief under the CFAA because the law is relatively new and it was originally enacted as a criminal statute designed to stop computer hackers, and a mileage broker is very different from a hacker.  This means that, knowingly or unknowingly, judges are likely to apply “the rule of lenity” in analyzing whether an airline has proven the elements of a CFAA claim.  However, if an airline takes the following steps, it can substantially increase the odds of obtaining favorable and relatively quick relief under the CFAA:

  • The frequent flyer program’s rules should contain a term that clearly states that a member is not authorized to allow a third party to use the member’s user identification or password in order to log in to the member’s account to perform any transaction that violates the program’s terms.  This term would make it difficult for a mileage broker to successfully argue, using an agency theory, that he did not violate the CFAA because the member had given him “authorization” to “access” the airline’s computer by using the member’s login information.
  • To combat automated “screen scraper” devices, the terms of use of an airline’s website should specifically prohibit such devices, and the terms of use should be accessible from all pages on the site.  This term would help an airline satisfy the requirement that it show that the CFAA offender had accessed the airline’s computer “without authorization.”
  • An airline should focus on proving its damages as soon as online fraud or abuse is detected.  At the outset in most fraud cases, the plaintiff’s focus is primarily on proving liability, and the computation of damages is often left for discovery or for an expert witness to handle at a later time.  However, to help prosecute a CFAA claim, an airline must prepare to prove its “loss” before the litigation and as soon as the offending conduct is identified.  If the defendant moves to dismiss a CFAA cause of action on the grounds that the airline has failed to properly plead a “loss” (i.e., the defendant makes a “factual attack” on subject matter jurisdiction grounds), the airline will be required to oppose the motion with admissible evidence.  Such evidence must be collected before the case is filed.
  • To ensure that an airline has sufficient evidence of “loss,” as soon as online fraud or abuse is detected, the airline personnel (or outside contractors) investigating and responding to the offending conduct should keep daily logs describing the tasks they have performed and the time spent performing them.  It is critically important that the logs (and the contractor invoices, if any) describe how the tasks performed were in direct response to the CFAA violations.  Otherwise, there is a substantial risk that a court will hold that the airline has failed to prove that the employee time, or other response costs incurred, constitute “reasonable” costs within the meaning of Section 1030(e)(11).
  • In the court complaint, in addition to alleging revenue and goodwill loss due to the defendant’s CFAA offenses, an airline should separately allege that, as “the cost of responding to” such offenses, it has incurred aggregated costs exceeding $5,000 in a one-year period.  “The cost of responding to an offense” is considered “loss” under the CFAA.  Courts have held that employee response time counts toward the $5,000 threshold.  Once the airline has its “foot in the door” as to the CFAA by proving that its response costs exceeded $5,000 in a one-year period, it can then seek to recover, under common law fraud and other causes of action, revenue that was lost for reasons other than an “interruption of service.”
  • If damages are relatively unimportant, difficult to prove, or likely to be impossible to recover, and an airline’s primary objective is to stop the defendant’s online fraud or abuse, then the airline should consider dismissing its damages request at some point, particularly where a state statute could provide a cause of action for attorneys’ fees and costs.  (In the Carey case, the court awarded Alaska Airlines attorneys’ fees of over $122,000 and litigation expenses of over $4,500 in connection with its successful claim that the defendants had violated the Washington Consumer Protection Act.)  Streamlining the case in this manner would increase the likelihood that an airline would be able to obtain a permanent injunction at the summary judgment stage and end the case without having to engage in potentially costly and time-consuming damages-related discovery.
