District Court Ruling Offers Insight into Computer Fraud and Abuse Act Civil Jury Cases
A Holland & Knight trial team made up of attorneys David Donoghue, Anthony Fuga, Cindy Gierhart, Ji Mao, Billy Oliver, Maxwell Hansen and William Ringhofer, along with paralegals Pete Uhlenhake and Jack Stoerger, won a unanimous Computer Fraud and Abuse Act (CFAA) jury verdict for client Ryanair DAC against Booking.com in the U.S. District Court for the District of Delaware. Ryanair accused Booking.com of several CFAA violations based upon Booking.com, through a third-party partner, accessing the password-protected "myRyanair" portion of the Ryanair website. Ryanair alleged, and the jury found, that Booking.com was vicariously liable, through the third party, for accessing this protected portion of Ryanair's website to obtain and sell Ryanair flights.
The case and jury verdict are notable for several reasons. First, while there have been numerous criminal CFAA trials, Ryanair's case appears to be the first civil CFAA claim to be decided by a jury trial. Therefore, it offers insights into how juries will receive CFAA testimony, particularly in cases where the claims are focused on use of a password-protected website.
Second, Ryanair's case is one of only a few matters post-Van Buren v. United States, decided by the U.S. Supreme Court in 2021, to receive substantive decisions that help identify the contours of the post-Van Buren law. Written by Judge Curtis Bryson (Federal Circuit, sitting by designation in District of Delaware), the summary judgment decision offers guidance as to how to bring civil CFAA cases, in particular those involving a protected website. Important takeaways from the summary judgment decision include:
- Notice letters remain an important part of bringing a CFAA claim because they can revoke authorization to a protected website or a protected portion of a website.
- Websites that are publicly accessible are unlikely to have much CFAA protection. Password-protected or other access-limited portions of websites, including those where users are invited to create accounts to gain access, are where CFAA protection likely lies.
For Ryanair, it was critical to stop Booking.com and other online travel agents from making unauthorized sales via the Ryanair website. But as detailed above, the case has much broader implications across industries, as well as provides insight into the boundaries of the CFAA.
The jury also sided with Ryanair in denying a series of Booking.com counterclaims based upon emails Ryanair sent to its customers suspected of booking Ryanair flights through online travel agents (OTAs), such as Booking.com. Booking.com alleged that these emails, which called OTAs "screen scrapers" and claimed OTAs provide false customer details to Ryanair, were defamatory and constituted unfair competition, deceptive trade practices and tortious interference. The jury rejected each of those claims.
For more information or questions, contact the authors or your Holland & Knight attorney.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.