Race discrimination claim preempted by Warsaw Convention

Sewer v. LIAT (1974) Ltd. (D. Virgin Islands Feb. 16, 2011).  The plaintiff had purchased a ticket for a LIAT flight from the British Virgin Islands to Antigua.  The flight was overbooked, so airline personnel informed the plaintiff that he would have to take a later flight.  Undeterred, the plaintiff (and the other waiting would-be passengers) pushed past the airline’s gate personnel and boarded the aircraft.  Airline personnel asked the plaintiff to leave the aircraft because he did not have a seat, and he did so.  An off-duty police officer arrested and handcuffed the plaintiff, who was briefly detained in an airport holding cell and released without being charged with any crime.

The plaintiff filed suit against the airline, asserting claims of race discrimination, defamation and intentional or negligent infliction of emotional distress, although the plaintiff only pursued the discrimination claim.  The court described the plaintiff as “a black West Indian with dreadlocks in his hair who believes in the underlying tenets of Rastafarianism.”

LIAT moved for summary judgment, and the court granted the motion.  The court agreed with the airline that the plaintiff’s discrimination claim was preempted by the Warsaw Convention, citing King v. American Airlines (written by now-Justice Sotomayor) and several other cases.  The court also held that the plaintiff had no claim under the Warsaw Convention because bumping is a well-established airline industry practice and, thus, is not an “unexpected or unusual event” constituting an “accident” under Article 17.  Finally, the court held that, even if the bumping had constituted an “accident,” the plaintiff’s claim still failed because his injuries, bruised and swollen wrists, were caused by the off-duty police officer in the airport, not by airline personnel on the aircraft.

Note:  Plaintiff filed the case in 2002, and LIAT filed its summary judgment motion in 2009.  Cases seem to move at a leisurely pace in the Virgin Islands, in both federal and state courts.

Holders of airline gift cards who did not use them, lost them

Restivo v. Continental Airlines, Inc. (Ohio App. Jan. 20, 2011).  Continental sold gift cards for air transportation that were valid for one year after issuance.  Purchasers agreed in writing to the one-year validity period.  When the airline refused to honor expired cards, cardholders commenced a class action lawsuit, alleging that Continental had violated Ohio’s gift card and consumer protection statutes and had been unjustly enriched.

Continental moved to dismiss the statutory claims on the grounds that they were preempted by the Airline Deregulation Act.  The preemption provision of the ADA, 49 U.S.C. § 41713(b)(1), provides in part that “a State . . . may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.”  Continental argued that the unjust enrichment claim should be dismissed because the parties had entered into express contracts.  The trial court granted the motion to dismiss and the cardholders appealed.

On appeal, as to their statutory claims, the cardholders argued that a Continental gift card is not a “service” within the meaning of Section 41713(b)(1) but, rather, is simply the equivalent of money.  The court disagreed, holding that because the gift card’s only purpose is to allow the purchase of air transportation from the airline, it is “related to” the airline’s “price, route, or service.”  The court reasoned that “the fact that the gift card postpones the eventual purchase of an airline ticket does not alter that the gift card is still related to the provision of air transportation.”

As to the cardholders’ unjust enrichment claim, the court held that the existence of valid contracts between the parties prevented any recovery under such theory.

Accordingly, the court affirmed the trial’s court judgment.

Montreal Convention two-year limitation period not subject to tolling under local law

Duay v. Continental Airlines, Inc. (S.D. Tex. Dec. 21, 2010).  After arriving in Texas on a Continental flight from Switzerland, the plaintiff discovered at the baggage claim area that his custom-fitted wheelchair had been damaged.  Continental provided the plaintiff with a replacement wheelchair, which he used for the remainder of his trip in the United States.

In his complaint against Continental, the plaintiff alleged that the replacement wheelchair caused him to sustain a skin irritation injury that ultimately required surgery.  The plaintiff alleged causes of action for negligence, bailment and breach of contract.

Continental moved to dismiss on the grounds that the plaintiff had failed to perform the condition precedent of filing the lawsuit within the two-year period set forth in Article 35(1) of the Montreal Convention, which provides in part that “[t]he right to damages shall be extinguished if an action is not brought within a period of two years, reckoned from the date of arrival at the destination.”  The plaintiff’s flight had arrived in Texas on December 2, 2007, but he did not file his complaint until December 18, 2009.

In opposition, the plaintiff contended that his claims were not barred because Article 35(2) of the Convention allows tolling in accordance with Texas law, and because that state’s discovery rule functioned to toll the running of the two-year period.  Article 35(2) provides that “[t]he method of calculating that period shall be determined by the law of the court seised of the case.”

The court agreed with Continental.  First, citing numerous Warsaw Convention cases and that treaty’s drafting minutes, the court ruled that subjecting the Article 35(1) two-year period to the “various tolling provisions of the member states” would be contrary to the Montreal Convention’s policy goal of achieving uniformity of the rules governing international air transportation claims.  Second, the court rejected the plaintiff’s tolling argument on the grounds that the Texas discovery rule does not apply where the accrual of a limitation period is “specifically defined by law,” and that Article 35(1) “unequivocally prescribes” the accrual date as the date of the arrival of the flight.  Accordingly, the court granted Continental’s motion to dismiss.

DOT enforces consumer-friendly interpretation of Montreal Convention baggage liability provisions

As previously reported, on March 26, 2009 DOT issued a “Guidance on Airline Baggage Liability and Responsibilities of Code-Share Partners Involving International Itineraries” that states in part as follows:  “Although carriers may wish to have tariff terms that prohibit passengers from including certain items in checked baggage, once a carrier accepts checked baggage, whatever is contained in the checked baggage is protected, subject to the terms of the [Montreal] Convention, up to the limit of 1000 SDRs (Convention, Article 22, para. 2).”  (On December 30, 2009, the 1,000 SDR limit was increased to 1,131 SDRs, which is currently equivalent to about $1,750.)

Upon receiving a consumer complaint after the 90-day grace period for compliance with the Guidance, DOT initiated an enforcement action regarding Air France’s policies and practices with respect to items of checked baggage lost or damaged in transit to or from the United States.  DOT’s specific concern was over the airline’s General Conditions of Carriage, which disclaimed liability for “valuable, fragile or perishable items” in checked baggage and the reliance of the airline’s Customer Relations Department on such disclaimer to deny liability for the loss or damage of jewelry, electronic equipment and similar items.

By a Consent Order issued on December 23, 2010 (Order 2010-12-26), DOT announced that it and Air France had reached a settlement.  Under the settlement, Air France agreed to modify its policies and practices in order to comply with the Guidance and to pay a compromise assessment of $50,000 (and an additional $50,000 should it violate the Order within a year).

Note:  In a November 18, 2010 ruling, the Canadian Transportation Agency struck down an airline’s tariff rule, as well as a proposed revised version of such rule, that purported to preclude an airline’s liability for fragile and valuable items in baggage checked in connection with carriage subject to the Montreal Convention.  See Lukács v. WestJet (Decision No. 477-C-A-2010).  On February 1, 2011, the Federal Court of Appeal denied WestJet’s application for leave to appeal the agency’s decision.

Airline not liable to customer for trip and fall in TSA-controlled area

Narvaez v. American Airlines, Inc. (S.D.N.Y. Dec. 13, 2010).  After checking her baggage at American’s ticket counter at John F. Kennedy International Airport, the plaintiff proceeded to the security checkpoint.  After presenting her passport to a TSA employee at the checkpoint, but before going through the metal detector, the plaintiff tripped over the upturned corner of a rug and fell forward, her arms, forehead and knees striking the floor.  The plaintiff was taken by ambulance to a hospital, but she returned to JFK and took a flight later that same day.

The plaintiff sued American in state court, alleging that her injuries resulted from American’s negligence.  The airline removed the case on diversity grounds and, after discovery, moved for summary judgment.  American contended that it did not owe the plaintiff a duty of care in the area in which she fell because there was no genuine issue as to the fact that it did not occupy or control such area.  In support, American presented deposition testimony of its Manager of Passenger Services at JFK establishing that TSA, not American, exclusively occupied and controlled the security checkpoint area in which the plaintiff fell and that American did not own the rug at issue.

In opposition, the plaintiff argued that one could infer that American exercised control over the area at issue because airline personnel allegedly assisted TSA personnel in rolling up the rug and placing it in a corner after the plaintiff fell.  The court ruled that, even if American personnel did help move the rug, such act did not create a genuine issue of fact regarding the airline’s control over the area at issue, as its control could not be inferred simply because its personnel provided assistance after the incident.  Accordingly, the court granted American’s motion.

Court rejects parent’s contention that airline has duty during boarding to ensure compliance with child custody orders

Braden v. All Nippon Airways Co., Ltd. (Cal. App. 2^nd Dist. Oct. 13, 2010).  In a child custody case, the court had denied the mother’s request to move to Japan with her infant daughter and had ordered that she surrender her daughter’s passport.  Despite the order, the mother, using the passport, took the child with her on an ANA flight from Los Angeles to Japan.  Because Japan is not a signatory to the Hague Convention on the Civil Aspects of International Child Abduction, the father had no legal recourse to compel his daughter’s return to the U.S.

The father sued ANA, alleging causes of action for negligence and interference with custodial relations.  He asserted that ANA had violated its duty to him to make the mother prove, as part of the boarding process, that she had his consent to take their daughter out of the country or that she had sole custody of the child.  The trial court sustained ANA’s demurrer to the amended complaint, and the father appealed.

The appeals court affirmed the trial court’s judgment.  First, however, the court rejected the trial court’s ruling that the father’s claims were preempted by 49 U.S.C. § 41713(b)(1), the preemption provision of the Airline Deregulation Act.  That provision states in part as follows:  “[A] State, political subdivision of a State, or political authority of at least 2 States may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier that may provide air transportation under this subpart.”

Following the Ninth Circuit and other California appellate courts, the appeals court adopted a narrow view of the term “service,” and, consistent with that view, held that a claim related to an airline’s boarding procedures is not preempted by the ADA.  The court reasoned that boarding procedures “are not services within the meaning of the ADA” because they have “no impact on prices, schedules, origins, or destinations” and do not represent “a legitimate interest needing protection under the ADA.”

The appeals court then upheld the trial court’s ruling that the father had failed to state a negligence claim.  The court held that ANA did not owe him a duty of care because there was “no authority for the proposition that a common carrier has a duty to ensure that a minor traveling with a custodial parent is not being transported in violation of a court order.”  For the same reason, the appeals court also held that the father’s intentional interference with custodial relations claim failed.

Note:  The First, Second, Fourth, Fifth, Seventh and Eleventh Circuits have held that an airline’s boarding procedures constitute a “service” within the meaning of the ADA, in contrast to the Ninth Circuit’s highly restrictive definition of the term (which the Third Circuit also decided to adopt).  According to Ninth Circuit Judge Diarmuid O’Scannlain, the Supreme Court reversed or vacated Ninth Circuit decisions in 148 of 182 cases during the last nine terms.  Thus, the Ninth Circuit “got it wrong in 81% of its cases that the Supreme Court agreed to hear,” which is a “strikingly poor record.”  According to Judge O’Scannlain, “even more telling than the reversal rate itself, however, is the number of unanimous reversals.  Seventy-two of the 148 Ninth Circuit cases reversed during the period in question were at the hands of a unanimous Supreme Court.”  Harvard Law School, When ‘The Nine’ Overrule the Ninth:  O’Scannlain ponders 10 years of reversals (Sept. 27, 2010).

The Computer Fraud and Abuse Act: revenue protection weapon for airlines

Note:  This post is an abridged version of the article I wrote for the Autumn 2010 issue of Issues in Aviation Law and Policy, which is published by the International Aviation Law Institute of DePaul University College of Law.  Click here for the full version.

Until the last few years, airlines sustained significant revenue losses from “bust-outs” by Airlines Reporting Corporation (ARC)-accredited travel agencies.  In a bust-out, an agency’s owners validate and sell vast numbers of tickets in a short period of time to individuals and other agencies, fail to report the sales to ARC, and disappear with the proceeds.  Due to technological innovations and aggressive enforcement activities, primarily driven by ARC, bust-outs are now comparatively rare.

Airlines still suffer revenue losses from ticket-related fraud, but now that type of fraud mostly results from online conduct by persons who are not affiliated with ARC agencies.  Online fraud, primarily the illicit sale of tickets purchased over the Internet by persons using stolen credit and debit card numbers, is a significant source of revenue loss for airlines.  This past summer, federal authorities charged 38 defendants “in a series of indictments that allege an extensive network of black market travel agents who used the stolen identities of thousands of victims as part of a multi-million dollar fraud scheme to purchase airline tickets for their customers.”  News Release, Office of the U.S. Attorney, W. District of Missouri, Black Market Travel Agents – 38 Defendants Indicted in Multi-Million Dollar Fraud (July 9, 2010).  Losses from this scheme allegedly exceeded $20 million.  According to one survey, airlines suffered losses of over $1.4 billion in 2008 due to online fraud.  Airlines Tackle $1.4 Billion Online Fraud Challenge, Cybersource (Mar. 16, 2009).

Airlines also sustain online-related revenue losses from fraud by frequent flyer mileage brokers and website abuse by “screen scraper” travel information providers.  Ironically, just as technology was instrumental in reducing the incidence of bust-outs, it is technology, mainly in the form of the Internet, which makes these other forms of fraud and abuse possible.

Alaska Airlines’s recent successful use of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, in federal court against a defiant, long-time frequent flyer mileage broker demonstrates that the Act can be effectively used to combat online fraud and abuse.  Having the CFAA as a gateway to federal court, through federal question jurisdiction under 28 U.S.C. § 1331, is particularly important for airlines because, in general, cases move more quickly, and summary judgment is more readily available, in federal district courts than in state courts.  Moreover, airlines can no longer depend as heavily as they once did on federal trademark infringement or other Lanham Act causes of action to obtain federal question jurisdiction, as mileage brokers appear to be lessening their use of airline logos, trade names, and other trademarks on their websites in an effort to avoid drawing airlines’ attention.

A CFAA cause of action can serve as a powerful weapon, but, in general, courts are cautious about using the CFAA in a civil setting and thoroughly scrutinize evidence offered by a plaintiff in support of its CFAA cause of action.  As a result, an airline must make sure that its website’s terms of use are correctly set up so they can help support a CFAA cause of action, and as soon as online-based fraud or abuse is detected, an airline needs to take steps to ensure that it will be able to prove the elements of a CFAA cause of action, particularly with respect to the “loss” element, which various federal courts have construed differently.  These protective measures are discussed in detail below.

Introduction to the Act

In the early 1980s, computer hackers began to penetrate government and private computer systems.  Gradually, the public began to become aware of these shadowy figures, who used a combination of telephones and “social engineering” (tricking people into disclosing information) to hack into computer systems and steal information or cause damage.

Oddly, Hollywood provided a major impetus for legislative change to address the hacker problem.  In 1983, the movie “WarGames” was released, and it dramatically increased the public’s – and Congress’ – awareness of computer hacking.  In the movie, a high school-age computer geek unknowingly hacks into a NORAD computer system using his personal computer and a telephone and nearly causes a global nuclear war.  Partly as a result of this movie, and its far-fetched premise that a teenage hacker could cause the launch of nuclear missiles, Congress enacted the CFAA, which was then called the “Counterfeit Access Device and Computer Fraud and Abuse Act of 1984.”  (For those who doubt that a movie featuring the escapades of Matthew Broderick and Ally Sheedy spurred the enactment of federal computer crime legislation, see H.R. Rep. No. 98-894, at 6 (1984), reprinted in 1984 U.S.C.C.A.N. 3689, 3695 (“For example, the motion picture ‘War Games’ showed a realistic representation of the automatic dialing and access capabilities of the personal computer.”).)

The Report of the House Committee on the Judiciary summarized the need for the legislation as follows:  “The committee concluded that the law enforcement community, those who own and operate computers, as well as those who may be tempted to commit crimes by unauthorized access to them, require a clearer statement of proscribed activity.”

The goal of articulating a “clearer statement of proscribed activity” has been difficult for Congress to achieve, and, as a result, it has repeatedly amended the CFAA over the years.  The amendments have caused the Act’s reach to broaden substantially, just as the prevalence of computers themselves has increased.  For example, the CFAA initially was a criminal statute only.  In 1994, Congress amended the Act to add a civil cause of action, which is now codified at 18 U.S.C. § 1030(g), under which victims of computer fraud or abuse can assert claims against violators of the statute.  Also, the statute was originally intended to control interstate computer crime only, but, with the development of the Internet, virtually all computer use has become interstate use and thus subject to the Act.

The Act’s Civil Cause of Action

Although the CFAA prohibits seven separate types of activities, airline plaintiffs typically proceed against offenders under Section 1030(a)(4), which prohibits a person from “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value.”

The Act defines a “protected computer” as a computer “which is used in or affecting interstate or foreign commerce or communication.”  Thus, as noted above, the Act covers, in essence, any computer that is connected to the Internet, which means that it covers virtually all modern computers.  Certainly, any computer that hosts an airline’s website or frequent flyer mileage program constitutes a “protected computer” under the Act.

To prevail on a claim under Section 1030(a)(4), an airline plaintiff must prove that the defendant caused a “loss” to the airline “during any 1-year period . . . aggregating at least $5,000 in value.”  The Act defines the term “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”  The “cost of responding to an offense” includes the “consequential” costs incurred in investigating an offense and taking remedial measures in response to it.

An airline plaintiff that has sustained a “loss” through violations of the Act is entitled to “maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”  Actions must be brought within two years of the offensive conduct or the date of the discovery of the actionable damage.

History of Cases Brought by Airlines Under the Act

In court, airlines have had some successes with CFAA causes of action.  Although issues regarding whether defendants have accessed airline computers “without authorization” or have “exceed[ed] authorized access” have been litigated in several cases, the primary battleground has been the issue of whether the airline plaintiff has been able to prove that it sustained a “loss” within the meaning of Section 1030(c)(4)(A)(i)(I).

Southwest’s Cases

Of all airlines, Southwest Airlines has been, by far, the most active in bringing CFAA causes of action in court.  Southwest’s experiences in litigating the “loss” element of the CFAA cause of action in the three cases are instructive.

Southwest v. FareChase.  In 2003, Southwest sued a software company that developed and licensed software that had the ability to send out “a robot, spider, or other automated scraping device” via the Internet to obtain fare, route, and schedule information from southwest.com, as well as a company that was using such software, pursuant to a license, for use by its corporate traveler customers.  Southwest Airlines Co. v. FareChase, Inc., 318 F. Supp. 2d 435, 437 (N.D. Tex. 2004).  In its complaint, Southwest claimed that the defendants’ activities directed at southwest.com were unauthorized and were deceiving Southwest’s customers by providing them with incomplete and inaccurate information.  Southwest alleged 12 causes of action in its complaint, including a CFAA cause of action.

The defendant that had been using the software moved to dismiss, among other things, Southwest’s CFAA claim pursuant to Federal Rule of Civil Procedure 12(b)(6) because the complaint supposedly had failed to adequately allege “loss” and unauthorized access to southwest.com.  The court rejected both arguments.

As to the “loss” issue, the court held that, because the complaint alleged “loss” aggregating at least $5,000 pursuant to Section 1030(e)(11), Southwest did not need to also allege “damage” to its computer or data pursuant to Section 1030(e)(8), as the defendant had contended.  The court also held that Southwest had adequately alleged unauthorized access under the CFAA because southwest.com’s Use Agreement, which was accessible from all pages on the site, specifically informed users that the use of “automated scraper devices” on the site was prohibited.

Southwest v. BoardFirst.  In 2006, Southwest sued BoardFirst to prevent it from continuing to assist Southwest customers trying to obtain “A” boarding passes, which allow the holder to board flights earlier during the boarding process.  Southwest Airlines Co. v. BoardFirst, L.L.C., 2007 WL 4823761 (N.D. Tex. 2007).  Southwest customers would provide their name, flight confirmation number, and credit card information to BoardFirst.  BoardFirst personnel then would log onto Southwest’s website using the customer’s personal information and attempt to secure an “A” boarding pass.  If BoardFirst obtained an “A” pass, the customer would be charged a fee.

In its complaint, Southwest alleged, among other things, that BoardFirst’s conduct violated the CFAA, and Southwest moved for summary judgment on its claims.  The court held that Southwest was not entitled to summary judgment on its CFAA claim.  The court agreed with Southwest that, by logging on to southwest.com, BoardFirst had been “intentionally access[ing]” Southwest’s computer within the meaning of the CFAA.  However, the court asked the parties to provide additional briefing on the issue of whether BoardFirst had acted “without authorization” or had “exceed[ed] authorized access,” as well as whether the court should apply the “rule of lenity” in interpreting the CFAA in the context of the case.  The rule of lenity “counsels courts to construe ambiguities in a criminal statute, even when applied in a civil setting, in a narrow way.”

The court then addressed whether Southwest had satisfied the CFAA requirement that it show a “loss” of more than $5,000 in a one year period due to BoardFirst’s conduct.  To support its “loss” claim, Southwest had submitted the declaration of its corporate representative on damages, which stated that “Southwest spent at least $6,500 within a single one year period in investigating and responding to BoardFirst’s unauthorized access to Southwest’s computer system.”

The court ruled that, although “investigative and responsive costs fit within the concept of ‘loss’ as used in the CFAA,” the corporate representative’s declaration was “fairly conclusory,” and thus inadequate to establish “loss,” because the declarant had failed “to identify the precise steps taken by Southwest in ‘investigating and responding to’ BoardFirst’s unauthorized access.”  This failure, according to the court, prevented it from being able to determine if Southwest’s response costs were “reasonable,” as required by the Act’s definition of the term “loss.”  However, Southwest did succeed in shutting down BoardFirst’s operations; on the basis of Southwest’s breach of contract claim, the court permanently enjoined BoardFirst from continuing to use southwest.com to obtain boarding passes for its customers.

Southwest v. Harris.  In 2007, Southwest sued eight defendants, alleging that they had engaged in brokering of the airline’s Rapid Rewards frequent flyer plan miles and awards.  In its complaint, Southwest advanced a CFAA cause of action, its only federal cause of action, as well as numerous state statutory and common law causes of action.

The defendants moved to dismiss the complaint for lack of subject matter jurisdiction, alleging that they had not “accessed” Southwest’s computer system within the meaning of the CFAA.  Southwest focused its opposition solely on the “access” element of the CFAA because that is the only one that the defendants had disputed, but, in deciding the motion, the United States Magistrate Judge decided to analyze all the elements of the CFAA cause of action, including whether Southwest had sustained a “loss” within the meaning of Sections 1030(c)(4)(A)(i)(I) and (e)(11).  Southwest Airlines Co. v. Harris, 2007 WL 3285616 at *3-4 (N.D. Tex. 2007).

In his ruling, the Magistrate Judge noted that, under the Act, Southwest was required to show that it had sustained a “loss aggregating at least $5,000 in value over a one-year period.”  The Magistrate Judge also noted that, under Section 1030(e)(11), the Act defines the term “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

In its complaint, Southwest alleged that it had incurred a “loss” within the meaning of the Act because it had lost more than $5,000 in revenue in one year due to numerous passengers having traveled on its flights using awards that were void because defendants had brokered them in violation of the Rapid Rewards program’s terms.  Taking a narrow view of the Act’s definition of “loss,” the Magistrate Judge ruled that the form of loss alleged by Southwest did not fall under the definition set forth in Section 1030(e)(11) because the revenue at issue had not been lost “because of interruption of service.”  Accordingly, the Magistrate Judge recommended that the defendants’ motion to dismiss be granted, and the District Court accepted his recommendation.

The court in Harris is not alone in its view that lost revenue must result from a service interruption in order to constitute a “loss” within the meaning of Section 1030(e)(11).  In fact, this appears to be the majority view on this issue.  See Costar Realty Information, Inc. v. Field, 2010 WL 3369349 at *15 (D. Md. 2010).  However, some courts have ruled that lost revenue does constitute “loss” within the meaning of Section 1030(e)(11) even if it does not result from a service interruption.  See, e.g., Frees, Inc. v. McMillian, 2007 WL 2264457 at *6 (W.D. La. 2007).  This issue was recently addressed in a case brought by Alaska Airlines.

Alaska Airlines v. Carey

Brad Carey is no stranger to lawsuits brought against him by airlines seeking injunctive relief against, and damages arising from, his frequent flyer mileage brokering.  Northwest Airlines sued Carey for mileage brokering in 1991, and, the next year, the court granted the airline a permanent injunction and a stipulated judgment for $200,000.  United Airlines sued Carey for mileage brokering in 1992, and again in 2005 for violation of the permanent injunction entered against him in the first case in 1993.  In its summary judgment memorandum in the case discussed below, Alaska Airlines referred to Carey as “an incorrigible and devious scofflaw.”

In 2007, Alaska Airlines filed a lawsuit in the United States District Court for the District of Washington against Carey, his wife, and Carey Travel, Inc. seeking damages and injunctive relief related to Carey’s brokering of frequent flyer miles and award tickets.  Like other frequent flyer programs, the terms of Alaska Airlines’s program, which is known as the “Mileage Plan,” prohibit its members from selling, purchasing, or bartering miles or award tickets, and stipulate that miles and award tickets “are void if transferred for cash or other consideration.”

In its amended complaint, Alaska Airlines set forth eight causes of action, but its CFAA cause of action was the only federal statutory cause of action in its pleading and, thus, the sole basis for the court’s subject matter jurisdiction under 28 U.S.C. § 1331.

According to Alaska Airlines, Carey operated the following scheme in violation of the CFAA.  Carey would solicit Mileage Plan members to sell their miles to him.  He would pay the members a set number of cents per mile, and the members would provide him with their online Mileage Plan username and password.  Carey would then be contacted by persons looking to buy an Alaska Airlines ticket, and he would agree to sell them a ticket.  Carey would then log on to Alaska Airlines’s website using a Mileage Plan member’s username and password and purchase the requested ticket in the name of the buyer.  Carey would then pass the electronic ticket information to the buyer, along with the instruction that, if asked, the buyer should explain that the award ticket was received “free, free, free” as a gift.

In the litigation before the District Court, Alaska Airlines claimed that Carey was violating the CFAA by, “with intent to defraud,” accessing its computer system “without authorization” by using others’ account information without the airline’s permission for the sole purpose of fraudulently causing the airline to issue tickets and provide transportation based on void miles and award tickets.

The District Court agreed with Alaska Airlines that Carey had violated the CFAA, and it entered summary judgment in its favor and a permanent injunction against the defendants.  The Ninth Circuit agreed as well, affirming the District Court’s rulings in all respects.  Alaska Airlines, Inc. v. Carey, 2009 WL 3633894 (W.D. Wash. 2009), amended, 2010 WL 2196446 (W.D. Wash. 2010), aff’d, 2010 WL 3677783 (9th Cir. 2010).  However, neither the District Court’s order granting summary judgment, its amended order granting summary judgment, nor the Ninth Circuit’s memorandum opinion affirming the District Court’s decision contains an extensive discussion of the CFAA cause of action.  Only the transcript of the District Court’s oral decision at the hearing on Alaska Airlines’s motion for summary judgment offers insight into either court’s thinking on the CFAA issues.

At the summary judgment hearing, the District Court ruled that Alaska Airlines had proven the elements of its CFAA cause of action.  As to the unauthorized access element, the court held that using a frequent flyer program member’s online username and password, even with the member’s permission, to perpetrate a fraud against the airline constitutes “access[ing] a protected computer without authorization” in violation of the CFAA.  In ruling in this manner, the court rejected Carey’s contention that his access was authorized because the selling Mileage Plan members had given him permission to use their website login information.  The court pointed out that the victim of Carey’s fraud was Alaska Airlines and that the airline owned and operated its site, solely determined authorized access to it, and had not given Carey the authority to use its site to perpetrate a fraud against it.

In addition, the court ruled at the summary judgment hearing that Alaska Airlines had proven the “loss” element of its CFAA cause of action:

The statutory dollar value, the Court is satisfied, is met in aggregating the cost of policing the system in order for Alaska Airlines to maintain the continued integrity and viability of its frequent flyer system.

The fact of damage here is not a close question in my judgment.  Not only do we have the in excess of $5,000 spent by Alaska Airlines to fulfill its business interest in maintaining the integrity of its mileage system, but as in the Texas case of Frequent Flyer Depot v. American Airlines, it is also clear to me that there has been a loss of goodwill.  Any time a valid frequent flyer mile customer does not have a seat available on a plane because of someone who improperly aggregated miles and obtained a travel award in violation of the terms and conditions, that results in a loss of goodwill, a loss of respect and confidence in the system that Alaska Airlines and, I might add, most other carriers have promoted and spent a goodly amount of money in advertising and promoting for their economic advantage.

The District Court was able to conclude that Alaska Airlines had incurred costs in excess of $5,000 in a one-year period responding to Carey’s offenses because the airline had submitted, in support of its summary judgment motion, the declaration of its Director, Customer Loyalty & Marketing Programs, in which he attested that the airline had expended over $5,000 in manpower in a one-year period while “tracking and attempting to curtail Defendants’ abuses of the system.”  The court relied on this declaration in ruling that Alaska Airlines had satisfied the “loss” element of its CFAA cause of action.

CFAA Pointers

The CFAA is a potentially powerful weapon against mileage brokers, “screen scrapers” and others who threaten an airline’s revenues through conduct that involves accessing the airline’s computers.  But, in general, judges appear to be reluctant to award relief under the CFAA because the law is relatively new and it was originally enacted as a criminal statute designed to stop computer hackers, and a mileage broker is very different from a hacker.  This means that, knowingly or unknowingly, judges are likely to apply “the rule of lenity” in analyzing whether an airline has proven the elements of a CFAA claim.  However, if an airline takes the following steps, it can substantially increase the odds of obtaining favorable and relatively quick relief under the CFAA:

• The frequent flyer program’s rules should contain a term that clearly states that a member is not authorized to allow a third party to use the member’s user identification or password in order to log in to the member’s account to perform any transaction that violates the program’s terms.  This term would make it difficult for a mileage broker to successfully argue, using an agency theory, that he did not violate the CFAA because the member had given him “authorization” to “access” the airline’s computer by using the member’s login information.
• To combat automated “screen scraper” devices, the terms of use of an airline’s website should specifically prohibit such devices, and the terms of use should be accessible from all pages on the site.  This term would help an airline satisfy the requirement that it show that the CFAA offender had accessed the airline’s computer “without authorization.”
• An airline should focus on proving its damages as soon as online fraud or abuse is detected.  At the outset in most fraud cases, the plaintiff’s focus is primarily on proving liability, and the computation of damages is often left for discovery or for an expert witness to handle at a later time.  However, to help prosecute a CFAA claim, an airline must prepare to prove its “loss” before the litigation and as soon as the offending conduct is identified.  If the defendant moves to dismiss a CFAA cause of action on the grounds that the airline has failed to properly plead a “loss” (i.e., the defendant makes a “factual attack” on subject matter jurisdiction grounds), the airline will be required to oppose the motion with admissible evidence.  Such evidence must be collected before the case is filed.
• To ensure that an airline has sufficient evidence of “loss,” as soon as online fraud or abuse is detected, the airline personnel (or outside contractors) investigating and responding to the offending conduct should keep daily logs describing the tasks they have performed and the time spent performing them.  It is critically important that the logs (and the contractor invoices, if any) describe how the tasks performed were in direct response to the CFAA violations.  Otherwise, there is a substantial risk that a court will hold that the airline has failed to prove that the employee time, or other response costs incurred, constitute “reasonable” costs within the meaning of Section 1030(e)(11).
• In the court complaint, in addition to alleging revenue and goodwill loss due to the defendant’s CFAA offenses, an airline should separately allege that, as “the cost of responding to” such offenses, it has incurred aggregated costs exceeding $5,000 in a one-year period.  “The cost of responding to an offense” is considered “loss” under the CFAA.  Courts have held that employee response time counts toward the $5,000 threshold.  Once the airline has its “foot in the door” as to the CFAA by proving that its response costs exceeded $5,000 in a one-year period, then it can seek to recover revenue under common law fraud and other causes of action that was lost for reasons other than an “interruption of service.”
• If damages are relatively unimportant, difficult to prove, or likely to be impossible to recover, and an airline’s primary objective is to stop the defendant’s online fraud or abuse, then the airline should consider dismissing its damages request at some point, particularly where a state statute could provide a cause of action for attorneys’ fees and costs.  (In the Carey case, the court awarded Alaska Airlines attorneys’ fees of over $122,000 and litigation expenses of over $4,500 in connection with its successful claim that the defendants had violated the Washington Consumer Protection Act.)  Streamlining the case in this manner would increase the likelihood that an airline would be able to obtain a permanent injunction at the summary judgment stage and end the case without having to engage in potentially costly and time-consuming damages-related discovery.