A Holland & Knight trial team made up of attorneys David Donoghue, Anthony Fuga, Cindy Gierhart, Ji Mao, Billy Oliver, Maxwell Hansen and William Ringhofer, along with paralegals Pete Uhlenhake and Jack Stoerger, won a unanimous Computer Fraud and Abuse Act (CFAA) jury verdict for client Ryanair DAC against Booking.com in the U.S. District Court for the District of Delaware. Ryanair accused Booking.com of several CFAA violations based upon Booking.com, through a third-party partner, accessing the password-protected "myRyanair" portion of the Ryanair website. Ryanair alleged, and the jury found, that Booking.com was vicariously liable, through the third party, for accessing this protected portion of Ryanair's website to obtain and sell Ryanair flights.
The case and jury verdict are notable for several reasons. First, while there have been numerous criminal CFAA trials, Ryanair's case appears to be the first civil CFAA claim to be decided by a jury trial. Therefore, it offers insights into how juries will receive CFAA testimony, particularly in cases where the claims are focused on use of a password-protected website.
Second, Ryanair's case is one of only a few matters post-Van Buren v. United States, decided by the U.S. Supreme Court in 2021, to receive substantive decisions that help identify the contours of the post-Van Buren law. Written by Judge Curtis Bryson (Federal Circuit, sitting by designation in District of Delaware), the summary judgment decision offers guidance as to how to bring civil CFAA cases, in particular those involving a protected website. Important takeaways from the summary judgment decision include:
- Notice letters remain an important part of bringing a CFAA claim because they can revoke authorization to a protected website or a protected portion of a website.
- Websites that are publicly accessible are unlikely to have much CFAA protection. Password-protected or other access-limited portions of websites, including those where users are invited to create accounts to gain access, are where CFAA protection likely lies.
For Ryanair, it was critical to stop Booking.com and other online travel agents from making unauthorized sales via the Ryanair website. But as detailed above, the case has much broader implications across industries, as well as provides insight into the boundaries of the CFAA.
The jury also sided with Ryanair in denying a series of Booking.com counterclaims based upon emails Ryanair sent to its customers suspected of booking Ryanair flights through online travel agents (OTAs), such as Booking.com. Booking.com alleged that these emails, which called OTAs "screen scrapers" and claimed OTAs provide false customer details to Ryanair, were defamatory and constituted unfair competition, deceptive trade practices and tortious interference. The jury rejected each of those claims.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.