Ryanair DAC v. Booking Holdings Inc. et al, No. 1:2020cv01191 - Document 105 (D. Del. 2022)
Court Description: MEMORANDUM OPINION AND ORDER, Count III of Ryanair's First Amended Complaint is DISMISSED. Counts I, II, IV, and V all state a plausible claim for relief and therefore will not be dismissed at this time. The stay of discovery issued on July 8, 2022 D.I. 74 is hereby lifted. The deadlines set forth in the 46 Scheduling Order remains in affect. (SEE ORDER FOR FURTHER DETAILS) Signed by Judge William C. Bryson on 10/24/2022. (srs)
Download PDF
<![CDATA[
Ryanair DAC v. Booking Holdings Inc. et al Doc. 105 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 1 of 27 PageID #: 2140 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF DELAWARE RYANAIR DAC, Plaintiff, v. BOOKING HOLDINGS INC., BOOKING.COM B.V., KAYAK SOFTWARE CORPORATION, PRICELINE.COM LLC, and AGODA COMPANY PTE. LTD., Defendants. § § § § § § § § § § § § § Civil Action No. 20-1191-WCB MEMORANDUM OPINION AND ORDER On September 4, 2020, plaintiff Ryanair DAC (“Ryanair”) filed its original complaint against the defendants. Dkt. No. 1. The defendants moved to dismiss the original complaint on the grounds of forum non conveniens and failure to state a claim, Dkt. No. 16, and Judge Stark denied that motion, Dkt. No. 43. The case was then transferred to me, after which the defendants filed a motion for judgment on the pleadings under Federal Rule of Civil Procedure 12(c). Dkt. No. 64. Ryanair then moved to amend its complaint to address matters raised in the defendants’ motion, Dkt. No. 66, and I allowed the amendment, Dkt. No. 75. On July 22, 2022, Ryanair filed its first amended complaint. Dkt. No. 76. The defendants then filed a motion to dismiss the first amended complaint for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). Dkt. No. 80. In support of their motion to dismiss, the defendants have also moved for the court to take judicial notice of the contents of several documents. Dkt. No. 82. At the defendants’ request, I held a telephonic oral argument on those 1 Dockets.Justia.com Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 2 of 27 PageID #: 2141 two motions on October 18, 2022. For the reasons set forth below, the request for judicial notice is DENIED and the motion to dismiss is GRANTED IN PART and DENIED IN PART. I. Background Ryanair is a low-fare airline based in Ireland that offers flights in Europe and North Africa. Defendants Booking.com B.V. (“Booking.com”), KAYAK Software Corporation (“KAYAK”), Priceline.com LLC (“Priceline”), and Agoda Company Pte. Ltd. (“Agoda”) are travel companies that allow consumers to purchase flights, hotel reservations, rental cars, and other travel services. 1 Defendant Booking Holdings, Inc., (“BHI”) is a holding company whose wholly owned subsidiaries include Booking.com, Priceline, Agoda, and KAYAK. Ryanair sells flight reservations to the public on its website. 2 In order to book a flight on the Ryanair website, a user must create an account by selecting a username and password. After creating an account, a user may view and purchase flights in the “myRyanair” section of the Ryanair website. Ryanair alleges that the myRyanair section of the website is not public, and that there are various contractual and technical mechanisms in place to ensure that unauthorized users are not able to access the myRyanair section of the Ryanair website or make unauthorized use of materials found in that section of the website. Ryanair’s complaint alleges five claims under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. The key allegation underlying Ryanair’s claims is that the defendants or their agents (referred to as “aggregators”) engage in “screen scraping,” i.e., 1 The defendants assert that KAYAK is merely a “metasearch engine” that is not a “reservation service.” Dkt. No. 81 at 4. Ryanair disputes that assertion, arguing that “a user of Kayak.com is able to book [a] Ryanair flight without leaving the Kayak.com website.” Dkt. No. 92 at 2 (quoting Dkt. No. 76 at ¶ 192) (emphasis omitted). I need not resolve that dispute for purposes of the present motions. 2 Ryanair’s website is accessible at https://www.ryanair.com. 2 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 3 of 27 PageID #: 2142 automatically collecting data from the myRyanair section of the Ryanair website. Ryanair alleges that the defendants then use the data they obtain to allow users to book Ryanair flights on the defendants’ websites, often at higher fares than those flights are priced on the Ryanair website. Ryanair further alleges that such conduct violates the terms of use for the Ryanair website and that in conducting their screen scraping activities the defendants circumvent technology that Ryanair employs to prevent unauthorized users from accessing the myRyanair portion of the website. One example of the technology that is referenced in Ryanair’s complaint is a program called “Shield.” Dkt. No. 76 at ¶¶ 98–102. Ryanair alleges that Shield “has blocked unauthorized users such as the Defendants . . . from scraping the Ryanair Website and selling Ryanair inventory.” Id. at ¶ 99. Specifically, Ryanair alleges that Shield employs “a machine learning blocking algorithm” that “determine[s] whether a user accessing the Ryanair website is an unauthorized party”; if the user is unauthorized, Shield “block[s] that user from accessing the Ryanair Website.” Id. at ¶¶ 100–01. Ryanair further alleges that the defendants or their agents “circumvent Shield and Ryanair’s other technological and non-technological limitations on access to the Ryanair Website.” Id. at ¶ 253. II. Legal Standards Under Federal Rule of Civil Procedure 12(b)(6), a complaint should be dismissed if it “fail[s] to state a claim upon which relief can be granted.” The Third Circuit has instructed district courts to conduct a “two-part analysis” in evaluating a motion to dismiss for failure to state a claim. Fowler v. UPMC Shadyside, 578 F.3d 203, 210 (3d Cir. 2009). First, the district court must separate the factual and legal elements of the claims. Id. That is, the court “must accept all of the complaint’s well-pleaded facts as true, but may disregard any legal conclusions.” Id. at 210–11. Second, the court “must then determine whether the facts alleged in the complaint are sufficient to 3 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 4 of 27 PageID #: 2143 show that the plaintiff has a ‘plausible claim for relief.’” Id. at 211 (quoting Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009)). Requests for judicial notice are governed by Federal Rule of Evidence 201. Under Rule 201, “[t]he court may judicially notice a fact that is not subject to reasonable dispute because it: (1) is generally known throughout the trial court’s territorial jurisdiction; or (2) can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned.” Fed. R. Evid. 201(b). Moreover, if a party requests judicial notice and “the court is supplied with the necessary information,” the court “must take judicial notice.” Fed. R. Evid. 201(c). In deciding a motion to dismiss, “courts generally consider only the allegations contained in the complaint, exhibits attached to the complaint[,] and matters of public record.” Pension Ben. Guar. Corp. v. White Consol. Indus., Inc., 998 F.2d 1192, 1196 (3d Cir. 1993). However, “a court may consider an undisputedly authentic document that a defendant attaches as an exhibit to a motion to dismiss if the plaintiff’s claims are based on the document.” Id. III. Request for Judicial Notice I begin by addressing the defendants’ request for judicial notice. The defendants ask that the court take judicial notice of ten documents: seven agreements between the defendants and various third parties; two documents from the Irish High Court; and the 2021 Form 10-K that BHI filed with the Securities and Exchange Commission. Third-Party Agreements. As for the seven agreements between the defendants and various third parties, I disagree with the defendants’ assertion that Ryanair’s claims are “based on” those documents. See Pension Ben., 998 F.2d at 1196. The Third Circuit has generally permitted district courts to consider a document that a defendant attaches to a motion to dismiss only if the plaintiff relied on that document in the complaint. See Levins v. Healthcare Revenue Recovery Grp. LLC, 4 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 5 of 27 PageID #: 2144 902 F.3d 274, 279 (3d Cir. 2018). That is because “the primary problem raised by looking to documents outside the complaint—lack of notice to the plaintiff—is dissipated where the plaintiff has actual notice and has relied upon those documents in framing the complaint.” Id. (cleaned up). There is no indication, however, that Ryanair relied on the specific contents of the agreements offered by the defendants when it drafted either its original complaint or its first amended complaint. See Dkt. No. 92 at 7. Moreover, there are disputes regarding the authenticity of at least some of the third-party agreements. See id. at 8; Silverman v. Crown Cork & Seal Co. Pension Plan, No. 06-CV-5438, 2007 WL 9812749, at *1 n.1 (E.D. Pa. Aug. 24, 2007) (“Because at least some dispute exists as to the authenticity and completeness of the documents, the Court is unwilling to consider their substance for the purpose of ruling on Defendant's Motion to Dismiss.”). Accordingly, the defendants’ request for judicial notice is denied with respect to the seven third-party agreements. Documents from the Irish High Court. The records of another court may generally be noticed, but “only to establish the fact of the litigation and [the] actions of that court.” Trevino v. Merscorp, Inc., 583 F. Supp. 2d 521 (D. Del. 2008) (quoting 1 Jack B. Weinstein & Margaret A. Berger, Weinstein’s Federal Evidence § 201.12[3] (2d ed. 2008)). In this case, the defendants seek to use two documents from the Irish High Court to establish a judicial admission on the part of Ryanair. Specifically, the defendants point to a declaration that Ryanair filed with the Irish High Court, which they argue establishes that Ryanair is capable of ascertaining who visits its website. See Dkt. No. 81 at 9; Dkt. No. 83-1, Exh. 10, at ¶¶ 39–45. Ryanair disputes that it is capable of doing so, in particular given its allegation that the defendants mask their IP addresses when accessing the Ryanair website. Dkt. No. 92 at 4. Accordingly, I find that the defendants’ intended use of these two documents goes beyond the proper scope of judicial notice for documents from 5 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 6 of 27 PageID #: 2145 other courts. The request for judicial notice of the two documents from the Irish High Court is denied. BHI’s 10-K Filing. It is true, as the defendants argue, that SEC filings are public records and therefore are typically subject to judicial notice. Schmidt v. Skolas, 770 F.3d 241, 249 (3d Cir. 2014). However, for a document to be subject to judicial notice, it must not be “reasonably subject to dispute.” Victaulic Co. v. Tieman, 499 F.3d 227, 236 (3d Cir. 2007), as amended (Nov. 20, 2007). Concerns regarding the authenticity or completeness of a document are the types of concerns that render a document reasonably subject to dispute. Silverman, 2007 WL 9812749, at *1 n.1; In re New Century TRS Holdings, Inc., 502 B.R. 416, 424 (Bankr. D. Del. 2013) (declining to take judicial notice of an SEC filing that was missing six pages). Ryanair points out that the 10-K filing attached to the defendants’ motion appears to be missing more than 200 pages from the original version of the document. Compare Dkt. No. 83-1, Exh. 2, with Booking Holdings Inc., Annual Report (Form 10-K) (Feb. 23, 2022), https://www.sec.gov/Archives/edgar/data/ 1075531/000107553122000008/bkng-20211231.htm. Accordingly, the defendants’ request for judicial notice of BHI’s 2021 Form 10-K is denied. IV. Motion to Dismiss The defendants argue that Ryanair’s complaint must be dismissed for several reasons. First, they argue that the CFAA does not permit claims to be brought on a vicarious liability theory, and therefore the defendants are not liable under the CFAA. Second, they argue that Ryanair has not alleged that the defendants have caused any harm that would trigger a civil cause of action under the CFAA. Third, the defendants argue that each of Ryanair’s five CFAA counts fails on the merits. For the reasons set forth below, the defendants’ motion is granted as to Count III but denied as to Counts I, II, IV, and V. 6 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 7 of 27 PageID #: 2146 A. Indirect or Vicarious Liability The defendants argue that Ryanair may not rely on a theory of indirect or vicarious liability in bringing a civil claim under section 1030(g) of the CFAA. The defendants’ argument is that section 1030(g) permits a civil action “against the violator,” and that liability under that statute is limited to “hackers,” i.e., the persons who actually take the actions that harm computer systems. Dkt. No. 81 at 10-12. In order to extend liability to a third party, the defendants argue, Ryanair must allege and prove a formal agency relationship between the defendants and the aggregators, i.e., a master-servant relationship under which the defendants control or have the right to control the activities of the aggregators. According to the defendants, in the absence of allegations of such an agency relationship or that the aggregators were alter egos of the defendants, the complaint must be dismissed. Ryanair, on the other hand, contends that liability under section 1030(g) extends beyond those who directly access a computer unlawfully and extends to those direct, encourage, or induce such violation, regardless of whether there is a formal agency or masterservant relationship between the parties. Numerous courts have recognized that vicarious or indirect liability under section 1030(g) extends to parties who direct, encourage, or induce others to commit acts that violate the statute. See, e.g., Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067 (9th Cir. 2016) (“Once permission [to access a computer] has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability” under the CFAA.); Alchem Inc. v. Cage, No. 2:20-cv-3142, 2021 WL 4902331, at *7 (E.D. Pa. Oct. 21, 2021), vacated and remanded on other grounds, No. 21-2994, 2022 WL 3043153 (3d Cir. Aug. 2, 2022) (“For an indirect access claim, Alchem must prove that NAN directed, encouraged, or induced Ms. Cage to access one of Alchem’s protected computers that NAN was unauthorized to access.”); Teva Pharms. USA, Inc. 7 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 8 of 27 PageID #: 2147 v. Sandhu, 291 F. Supp. 3d 659, 671 (E.D. Pa. 2018) (denying motion to dismiss a section 1030(g) claim against parties who indirectly accessed plaintiff’s computers through plaintiff’s employees, stating that “[a] person who did not directly access the computer may still be liable under the CFAA if he ‘directs, encourages, or induces’ someone else to access a computer that he himself is unauthorized to access” (citation omitted)); Brand Energy & Infrastructure Servs., Inc. v. Irex Contracting Grp., No. 16-2499, 2017 WL 1105648, at *15 (E.D. Pa. Mar. 24, 2017) (“Unlike claims of direct authorized access, a person may be liable if he directs, encourages, or induces someone else to access a computer that he himself is not authorized to access.”); Cloudpath Networks, Inc. v. SecureW2 B.V., 157 F. Supp. 3d 961, 985 (D. Colo. 2016) (“If SecureW2-USA encouraged Grimm’s post-resignation access, which is a reasonable inference from the [complaint], then SecureW2-USA may be vicariously liable for the alleged CFAA violation.”); Advanced Fluid Sys., Inc. v. Huber, 28 F. Supp. 3d 306, 327 (M.D. Pa. 2014) (“The court joins those before it which have held that the act of inducing another to access a protected computer that he or she is otherwise not authorized to use constitutes ‘access’ within the meaning of the CFAA.”); Synthes, Inc. v. Emerge Med., Inc., No. 11-1566, 2012 WL 4205476, at *17 (E.D. Pa. Sept. 19, 2012) (“[M]any courts have found that one’s act of inducing another to access a computer that he or she is otherwise not authorized to use constitutes ‘access’ for purposes of CFAA liability.”) (citing cases); PLC Trenching Co., LLC v. Newton, No. 11-cv-0515, 2011 WL 13135653, at *7 (N.D.N.Y. Dec. 12, 2011) (“To state a claim for vicarious liability under the CFAA, a plaintiff must allege facts that would plausibly suggest that (1) the defendant affirmatively urged or encouraged its employee to violate the CFAA, and (2) the employee committed such a violation.”); Ipreo Holdings LLC v. Thomson Reuters Corp., No. 09-cv-8099, 2011 WL 855872, at *8 (S.D.N.Y. Mar. 8, 2011) (“[T]he CFAA allows for vicarious liability only 8 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 9 of 27 PageID #: 2148 when its violation was affirmatively urged or otherwise directed by the employer.”); Se. Mech. Servs., Inc. v. Brody, No. 8:08-cv-1151, 2008 WL 4613046, at *14 (M.D. Fla. Oct. 15, 2008) (evidence that defendants “induced and/or encouraged” others to access computers unlawfully sufficient to establish a likely violation of section 1030(a)(4)); Binary Semantics, Ltd. v. Minitab, Inc., No. 07-1750, 2008 WL 763575, at *5 (M.D. Pa. Mar. 20, 2008) (allegations that employee of plaintiff accessed a protected computer at the direction of defendant was sufficient to state a claim under section 1030(a)(4)); Charles Schwab & Co. v. Carter, No. 04-cv-7071, 2005 WL 2369815, at *6–7 (N.D. Ill. Sept. 27, 2005) (plaintiff’s complaint under section 1030(g) sufficient to survive a motion to dismiss because it alleged that the employer “affirmatively urged the employee to access the plaintiffs’ computer beyond his authorization for [the employer’s] benefit”); Nexans Wires S.A. v. Sark-USA, Inc., 319 F. Supp. 2d 468, 472 (S.D.N.Y. 2004) (same). Although several of the above-cited cases involved extending liability to employers who directed their employees to access the victims’ computers, several of them did not, and the principle set forth in those cases is not limited to employer-employee or other master-servant relationships. The defendants cite authority for the proposition that vicarious liability can extend to cases in which the inducer and the induced party were in a master-servant relationship. See Dkt. No. 81 at 13. 3 However, the defendants have cited no authority for the proposition that liability 3 The defendants are somewhat coy about whether they are embracing the position they describe at page 13 of their brief or merely describing certain of the cases. If they are arguing that inducement is permitted only when the person being induced is an employee of the inducer or is otherwise in a master-servant relationship with the inducer, it seems highly unlikely that Congress would have meant to draw such a distinction, which would make a party liable for inducing an employee to unlawfully access a computer but shield that party from liability if the inducer used an independent contractor to do the same thing. On the other hand, if the defendants’ position is that inducement is not a basis for liability regardless of whether the inducer is in a master-servant relationship with the party being induced, it is hard to see how a corporate entity could ever be civilly liable for a violation of section 1030, since corporate entities by their nature act through 9 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 10 of 27 PageID #: 2149 for inducement is limited to parties in a master-servant relationship, and that proposition is contrary to the analysis in several of the cases cited above. 4 The defendants cite two district court cases in support of their argument that the CFAA does not permit vicarious liability claims. In the first case, Doe v. Dartmouth-Hitchcock Medical Center, the court held that a hospital could not be held liable under the CFAA for the actions of one of its doctors, who accessed a patient’s computerized medical records without authorization. No. 00-cv-100, 2001 WL 873063, at *4–6 (D.N.H. July 19, 2001). In so holding, the court observed that “[e]xpanding the private cause of action created by Congress to include one for vicarious liability against persons who did not act with criminal intent and cannot be said to have violated the statute . . . would be entirely inconsistent with the plain language of the statute.” Id. at *5. The court focused in particular on the fact that in violating the CFAA, the doctor actually “exceeded the limitations placed on her access” by the hospital itself. Id. their officers and employees. A construction that would immunize all corporate entities from liability under section 1030(g) is even more unlikely to have been intended by Congress. 4 Only a few district courts (and no appellate courts) have addressed the question whether aiding and abetting liability applies generally to civil actions based on violations of section 1030. Those courts that have addressed the issue are divided. Compare Podium Corp. v. Chekkit Geolocation Servs., Inc., No. 2:20-cv-352, 2021 WL 5772269, at *8–9 (D. Utah Dec. 6, 2021); Mifflinburg Telegraph, Inc. v. Criswell, 277 F. Supp. 3d 750, 794 & n.245 (M.D. Pa. 2017); Clinmicro Immunology Ctr., LLC v. Primemed, P.C., No. 3:11-CV-2213, 2016 WL 4107710, at *9 (M.D. Pa. July 7, 2016); Huber, 28 F. Supp. 3d at 328; Flynn v. Liner Grode Stein Yankelevitz Sunshine Regenstreif & Taylor LLP, No. 3:09-CV-422, 2011 WL 2847712, at *2–3 (D. Nev. July 15, 2011) (civil action under section 1030(g) does not include liability for aiding and abetting), with COR Secs. Holdings Inc. v. Banc of Cal., No. 17-CV-1403, 2018 WL 4860032, at *7 (C.D. Cal. Feb. 12, 2018); Tracfone Wireless, Inc. v. Simply Wireless, Inc., 229 F. Supp. 3d 1284, 1296– 97 (S.D. Fla. 2017) (civil action under section 1030(g) includes liability for aiding and abetting); Charles Schwab, 2005 WL 2369815, at *6 (“Congress drafted the CFAA with an intent to permit vicarious liability”). Even if aiding and abetting liability is inapplicable in such cases, however, liability may still be predicated on an inducement theory. See Huber, 28 F. Supp. 3d at 328 (even though claim for aiding and abetting pursuant to section 1030 is dismissed, court denies motion to dismiss for defendant’s conduct in instigating and conspiring with the party who accessed the plaintiff’s protected computer). 10 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 11 of 27 PageID #: 2150 The defendants also cite SolarCity Corp. v. Pure Solar Co., in which the court dismissed the CFAA claim against one defendant who did not participate in the conduct that the plaintiff alleged violated the CFAA. No. 16-cv-1814, 2016 WL 11019989, at *9 (C.D. Cal. Dec. 27, 2016). In that case, the court noted that the CFAA “makes no mention of vicarious liability,” and that the plaintiff had not “pleaded facts indicating that [the defendant] was individually involved in or specifically aware of any of [the] underlying conduct.” Id. The court added that “an employer may be liable for CFAA violations if the employee was acting within the scope of his employment.” Id. The Dartmouth-Hitchcock and SolarCity cases do not stand for the proposition that a vicarious liability claim may never be brought under the CFAA. Those cases stand for the more limited proposition that a principal is not vicariously liable for an agent’s CFAA violation if the principal had no knowledge of or involvement in the agent’s conduct. 5 In this case, Ryanair alleges that the defendants directed third parties to access the myRyanair portion of the Ryanair website, and therefore would have had knowledge of those third parties’ conduct. In such a situation, a vicarious liability claim under the CFAA is proper. See Charles Schwab, 2005 WL 2369815, at *7 (distinguishing Dartmouth on facts similar to those in this case and stating that to refuse to apply vicarious liability in that setting “would exempt a principal from liability when its agent improperly accessed a computer at the direction of the principal.”); Nexans Wires, 319 F. Supp. 2d at 472 (also distinguishing the Dartmouth case on the ground that the employee there acted in violation of his employer’s policy, while in the case before the court, the parties who were alleged 5 Even that proposition is subject to dispute, as some courts have held that an employer can be vicariously liable for an employee’s violations of the CFAA “if those transgressions occur in the scope of employment.” NetApp, Inc. v. Nimble Storage, Inc., 41 F. Supp. 3d 816, 835 (N.D. Cal. 2014) (citing cases). 11 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 12 of 27 PageID #: 2151 to have committed the CFAA violations were alleged to have acted at the direction of the defendants). For the same reasons, the decisions in QVC, Inc. v. Resultly, LLC, 159 F. Supp. 3d 576, 589–91 (E.D. Pa. 2016), and Compagnie des Grands Hotels D’Afrique S.A. v. Starwood Cap. Grp. Glob. I LLC, No. 18-654, 2019 WL 148454, at *3–7 (D. Del. Jan. 19, 2019), on which the defendants rely, are inapposite. In those cases, the plaintiffs sought to impose liability on defendants on agency or alter ego theories, which the courts found inapplicable. In this case, Ryanair is seeking to hold the defendants liable for actually causing the CFAA violations by purposely inducing others to commit those violations. As noted, the defendants appear to acknowledge that liability can be based on “the principal’s active role in the CFAA violator’s conduct” by directing, encouraging, or inducing a CFAA violation. See Dkt. No. 81 at 13 (citing Alchem Inc. v. Cage, supra, and Charles Schwab & Co. v. Carter, supra). Those were not the allegations in the QVC and Grands Hotels cases. Thus, neither those cases nor any of the other vicarious liability case cases relied upon by the defendants involved a civil action against a party charged with directly inducing another party to violate section 1030. The defendants further argue that, even if the CFAA permits vicarious liability claims, Ryanair has not adequately alleged any theory of vicarious liability. Dkt. No. 81 at 12–17. To the contrary, Ryanair’s complaint adequately pleads vicarious, or indirect, liability on a “direct, encourage, or induce” theory. For example, Ryanair alleges that the defendants “direct, encourage, induce, and/or affirmatively act in support of their agents and certain third parties who access the Ryanair Website on behalf of the Defendants in violation of the CFAA.” Dkt. No. 76 at ¶ 219. Ryanair adds that the defendants have “entered into written agreements with their agents and certain third parties who access the Ryanair Website without authorization (or alternatively, in 12 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 13 of 27 PageID #: 2152 excess of their authorized access) on behalf of the Defendants,” and alleges that the specific third parties with whom the defendants have contracted include “Travelfusion, Mystifly, Kiwi.com, and PKFare,” as well as “Etraveli.” Id. at ¶¶ 215, 220. The complaint contains extensive allegations regarding the arrangement between the defendants and the aggregators, and the conduct of the aggregators in accessing Ryanair’s website. Id. at ¶¶ 117–18, 188–89, 208–255. In particular, the complaint alleges that the Defendants specifically direct one or more of those third parties to access the myRyanair portion of the Ryanair website when a user purchases a particular Ryanair flight itinerary on one of the defendants’ websites. Id. at ¶¶ 220–26, 245–47. 6 Finally, Ryanair alleges that various interests are shared between the defendants and some of the third parties with whom they contract. Id. at ¶¶ 230–42. Those allegations are sufficient to support Ryanair’s claims that are premised on a vicarious liability theory. In sum, to the extent the defendants argue that the complaint was insufficient because it failed to allege the existence of a formal agency relationship between the defendants and the aggregators, the short answer is that the existence of an agency (or master-servant) relationship is not a necessary predicate for liability on a “direct, encourage, or induce” theory. As indicated in the cases cited above, even if the aggregators are independent contractors and not agents of the 6 While it is true that the complaint does not recite the details of the directions given to the aggregators regarding how they go about obtaining access to the Ryanair website, it is not surprising that such details were not available to Ryanair before discovery in the case. Ryanair has therefore adequately pleaded the elements of a CFAA violation in light of the information in its possession at the time the complaint was filed. See Thompson v. Real Estate Mortg. Network, 748 F.3d 142, 147 (3d Cir. 2014) (a plaintiff “need only put forth allegations that raise a reasonable expectation that discovery will reveal evidence of the necessary element”) (cleaned up); ReidAshman Mfg., Inc. v. Swanson Semiconductor Serv., LLC, No. C-0604693, 2007 WL 1394427, at *10 (N.D. Cal. May 10, 2007). Moreover, the complaint alleges that Ryanair advised the defendants of the aggregators’ activities, Dkt. No. 76 at ¶¶ 72–90, so the defendants were plainly on notice of the aggregators’ conduct and Ryanair’s belief that the conduct was unlawful. 13 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 14 of 27 PageID #: 2153 defendants, the defendants can be held liable simply based on evidence that the defendants induced the aggregators to commit violations of the CFAA. 7 B. Damage or Loss The defendants next argue that Ryanair has not alleged any actionable harm under the CFAA. To sustain a civil claim under the CFAA, a plaintiff must allege that it has “suffer[ed] damage or loss by reason of a violation” of the CFAA. 18 U.S.C. § 1030(g). The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” Id. § 1030(e)(8). Likewise, the CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Id. § 1030(e)(11). As the Supreme Court has observed, those terms “focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data.” Van Buren v. United States, 141 S. Ct. 1648, 1660 (2021). Ryanair alleges that it has “suffered significant technological harms due to Defendants’ unauthorized access to the Ryanair Website.” Dkt. No. 76 at ¶ 269. For example, Ryanair alleges that the actions of the defendants and/or their agents “greatly increase[] the quantities of queries on the Ryanair Website,” “impair[] the . . . availability and/or usability” of the Ryanair website, 7 The defendants argue that their agreements with several third parties affirmatively disclaim an agency relationship between the defendants and those third parties. Dkt. No. 81 at 14– 15. However, because I have denied the request for judicial notice, consideration of the contents of those agreements would be improper at this stage of the case. In any event, as noted above, the existence of an agency relationship is not a prerequisite to liability on a “direct, encourage, or induce” theory. Beyond that, the fact that an agreement between two parties “denies the existence of an agency relationship is not in itself determinative of the matter.” Drexel v. Union Prescription Ctrs., 582 F.2d 781, 786 (3d Cir. 1978). 14 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 15 of 27 PageID #: 2154 and cause the website’s response times to deteriorate. Id. at ¶¶ 270–72. In its complaint, Ryanair provided several examples of the errors that it alleges are caused by the defendants’ screen scraping activities. See, e.g., id. at ¶¶ 273–280. Those allegations are sufficient to overcome the defendants’ dismissal motion based on inadequate allegations of damage or loss. The defendants further complain that Ryanair has not alleged any such harm that is specifically attributable to the defendants. However, Ryanair has alleged that the harm it has suffered is attributable to the activities of the defendants and/or their agents. See, e.g., id. at ¶¶ 269–80. As noted, Ryanair will not be prohibited from establishing a CFAA violation on a vicarious liability theory, so it is sufficient for Ryanair to allege that the harm it suffered was caused either directly or indirectly by the defendants. Accordingly, Ryanair’s claims will not be dismissed on the ground that Ryanair has not alleged actionable harm under the CFAA. C. Count III: 18 U.S.C. § 1030(a)(5)(A) Count III of Ryanair’s complaint alleges a violation of 18 U.S.C. § 1030(a)(5)(A). Section 1030(a)(5)(A) prohibits “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” The defendants argue that Ryanair has not alleged that any defendant intended to cause damage to Ryanair’s website or computer systems. In order for a claim to lie under section 1030(a)(5)(A), the defendant must specifically intend to cause damage to the plaintiff’s computer systems. See, e.g., Kalow & Springnut, LLP v. Commence Corp., No. 07-cv-3442, 2008 WL 2557506, at *4 (D.N.J. June 23, 2008); Oracle Corp. v. SAP AG, 734 F. Supp. 2d 956, 964 (N.D. Cal. 2010). It is insufficient for a plaintiff to allege that the defendant intended to access the computer system, and that such access caused damage, absent a showing that the defendant intended to cause the resulting damage. See Kalow, 2008 WL 15 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 16 of 27 PageID #: 2155 2557506, at *4; Oracle, 734 F. Supp. 2d at 964. The harm or damage contemplated by the CFAA includes “slowdowns, disruptions in service, crashes, or other impairments to the availability or accessibility of the systems or data,” as well as changing, altering, deleting, or destroying “any data, programs, systems, or other information” on the plaintiff’s computer systems. Oracle, 734 F. Supp. 2d at 964; see also 18 U.S.C. § 1030(e)(8). Ryanair alleges that the defendants’ screen scraping resulted in interruptions of service to its website. See, e.g., Dkt. No. 76 at ¶¶ 270–80. Even assuming that allegation is true, however, Ryanair’s complaint does not allege that the defendants specifically intended to cause any interruptions to Ryanair’s website or any other damage to Ryanair’s computer systems. 8 Ryanair’s complaint alleges that the defendants intended to obtain information (e.g., flight itineraries) from Ryanair’s website, but that allegation is insufficient to establish that the defendants intended to cause damage to Ryanair’s computer systems. See Kalow, 2008 WL 2557506, at *4; Oracle, 734 F. Supp. 2d at 964. Because Ryanair has not plausibly alleged that the defendants intended to cause damage to Ryanair’s computer systems, Count III of its First Amended Complaint is dismissed. 8 Ryanair alleges in its discussion of Count III in the First Amended Complaint that the defendants “intentionally caus[e] damage” and “intentionally cause[] harm” to the Ryanair website. Dkt. No. 76 at ¶¶ 332–33. Those unelaborated recitations of the elements of a section 1030(a)(5)(A) violation are insufficient to allege that the defendants specifically intended to cause the sort of damage that is contemplated by the CFAA. See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (“Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.”). Moreover, such an allegation appears to be inconsistent with Ryanair’s general theory of this case. As the defendants point out, causing harm to Ryanair’s website would actually hinder the defendants’ efforts to obtain data from the Ryanair website via screen scraping. 16 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 17 of 27 PageID #: 2156 D. Count II: 18 U.S.C. § 1030(a)(4) Count II of Ryanair’s complaint alleges a violation of 18 U.S.C. § 1030(a)(4). Section 1030(a)(4) prohibits “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value.” The defendants argue that the heightened pleading standard for fraud claims set forth in Federal Rule of Civil Procedure 9(b) applies to the “intent to defraud” and “intended fraud” elements of section 1030(a)(4). Under Rule 9(b), “[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake.” Fed. R. Civ. P. 9(b). That is, in cases subject to Rule 9(b), the plaintiff must articulate the “who, what, when, where, and how of the events at issue.” United States ex rel. Bookwalter v. UPMC, 946 F.3d 162, 176 (3d Cir. 2019) (citation omitted). A number of district courts have addressed the question whether Rule 9(b) applies to CFAA claims based on section 1030(a)(4) and, if so, the extent to which it does. 9 But the law on this issue is a mess. Most of the courts that have addressed the issue have held that the special pleading requirements of Rule 9(b) do not apply to claims based on section 1030(a)(4), even though that statute requires proof of “intent to defraud” and “conduct that furthers the intended fraud.” See, e.g., Elias Indus., Inc. v. Kissler & Co., No. 20-CV-1011, 2021 WL 2141509, at *5 (W.D. Pa. May 26, 2021); Coll Builders Supply, Inc. v. Velez, No 6:17-cv-933, 2017 WL 4158661, at *9 (M.D. Fla. Aug. 31, 2017); DHI Group, Inc. v. Kent, No. 4:16-cv-1670, 2017 WL 9939568, at *10 (S.D. 9 No appellate court has directly addressed whether Rule 9(b) applies to CFAA claims brought under section 1030(a)(4) in a precedential opinion. In Miller v. Int’l Bus. Machs. Corp., 138 F. Appx. 12, 17 (9th Cir. 2005), the Ninth Circuit, in a non-precedential opinion, referred to a section 1030(a)(4) claim as “a fraud claim” and upheld a district court decision dismissing that claim for failure to plead that claim with sufficient particularity to satisfy Rule 9(b). 17 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 18 of 27 PageID #: 2157 Tex. Apr. 27, 2017); MetroPCS v. SD Phone Trader, 187 F. Supp. 3d 1147, 1150 (S.D. Cal. May 17, 2016); Rickett v. Smith, No. 1:14-CV-70, 2015 WL 3580500, at *6 (W.D. Ky. June 5, 2015); Sprint Nextel Corp. v. Simple Cell, Inc., No. 13-cv-617, 2013 WL 3776933, at *6 (D. Md. July 17, 2013) (“The balance of authority . . . appears to support the view that Rule 9(b) does not apply to § 1030(a)(4).”); Cornerstone Staffing Sols., Inc. v. James, No. 3:12-cv-1527, 2013 WL 12124381, at *4 (N.D. Cal. Jan. 15, 2013); Gridiron Mgmt. Grp. LLC v. Wranglers, No. 12-cv-3128, 2012 WL 5187839, at *10 & n.7 (D. Neb. Oct. 18, 2012) (“Although some of the particular substantive offenses involve ‘fraud,’ the heightened pleading standards of Rule 9(b) do not apply to claims brought under § 1030(g).”) (cleaned up); Facebook, Inc. v. MaxBounty, Inc., 274 F.R.D. 279, 284 (N.D. Cal. 2011) (same); SFK USA, Inc. v. Bjerkness, 636 F. Supp. 2d 696, 719 n.13 (N.D. Ill. 2009) (“The heightened pleading standards of Rule 9(b) do not apply to the Computer Fraud and Abuse Act.”); Dental Health Prods., Inc. v. Ringo, No. 08-cv-1039, 2009 WL 1076883, at *8 (E.D. Wis. Apr. 20, 2009); eBay, Inc. v. Digital Point Sols., Inc., 608 F. Supp. 2d 1156, 1164 (N.D. Cal. 2009); Joe N. Pratt Ins. v. Doane, No. 6:07-cv-07, 2008 WL 819011, at *9 (S.D. Tex. Mar. 20, 2008); Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1125– 26 (W.D. Wash. 2000); see also Hanger Prosthetics & Orthotics, Inc. v. Capstone Orthopedic, Inc., 556 F. Supp. 2d 1122, 1131 (E.D. Cal. 2008) (“The term ‘defraud’ for purposes of § 1030(a)(4) simply means wrongdoing and does not require proof of common law fraud.”). Some of the cases dealing with this issue focus on the “intent to defraud” element of section 1030(a)(4) and hold that the special pleading requirements do not apply to that element, while remaining silent as to whether the “further the intended fraud” element is subject to those requirements. See, e.g., El Omari v. Buchanan, 20-cv-2601, 2021 WL 5889341, at *13 (S.D.N.Y. Dec. 10, 2021) (“Rule 9(b) does not apply to Section 1030(a)(4) because ‘intent to defraud’ is best 18 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 19 of 27 PageID #: 2158 understood as requiring wrongdoing, but not the elements of common law fraud.”); PNY Techs., Inc. v. Salhi, No. 2:12-cv-4916, 2013 WL 4039030, at *6 (D.N.J. Aug. 5, 2013); In re Maxim Integrated Prods., Inc., MDL No. 2354, 2013 WL 12141373, at *10 (W.D. Pa. Mar. 19, 2013); Sealord Holdings, Inc. v. Radler, No. 11-6125, 2012 WL 707075, at *6–7 (E.D. Pa. 2012); TEKsystems, Inc. v. Modis, Inc., No. 1:08-cv-5476, 2008 WL 5155720, at *5 (N.D. Ill. Dec. 5, 2008); P.C. of Yonkers, Inc. v. Celebrations! The Party and Seasonal Superstore, L.L.C., No. 04cv-4554, 2007 WL 708978, at *6–7 (D.N.J. Mar. 5, 2007); C.H. Robinson Worldwide, Inc. v. Command Transp., LLC, No. 05-cv-3401, 2005 WL 3077998, at *4 (N.D. Ill. Nov. 16, 2005) (Rule 9(b)’s “particularity requirements do not apply to intent allegations.”); Fed. R. Civ. P. 9(b) (“Malice, intent, knowledge, and other conditions of a person’s mind may be alleged generally.”). Other courts have held that the Rule 9(b) pleading standard applies to the “furthers the intended fraud” element, but not to the “intent to defraud” element. Nowak v. Xapo, Inc., No. 5:20-cv-3643, 2020 WL 6822888, at *3 (N.D. Cal. Nov. 20, 2020); Property Rights Law Grp., P.C. v. Lynch, No. 13-273, 2013 WL 4791485, at *4 (D. Haw. Sept. 6, 2013); Oracle Am., Inc. v. Service Key, LLC, No. 4:12-cv-790, 2012 WL 6019580, at *6 (N.D. Cal. Dec. 3, 2012); Motorola, Inc. v. Lemko Corp., 609 F. Supp. 2d 760, 765 (N.D. Ill. 2009) (Rule 9(b) “quite plainly applies to section 1030(a)(4)’s requirement that the defendant’s acts further the intended fraud.”). Yet other courts have held that CFAA claims must be pleaded with specificity “only when fraudulent conduct is specifically alleged as the basis for the wrongdoing.” E.D.C. Techs., Inc. v. Seidel, No. 16-cv-3316, 2016 WL 4549132, at *4 (N.D. Cal. Sept. 1, 2016); NetApp, Inc. v. Nimble Storage, Inc., 41 F. Supp. 3d 816, 834 (N.D. Cal. 2014); Oracle Am., Inc. v. TERiX Comput. Co., No. 5:13-cv-3385, 2014 WL 31344, at *4–5 (N.D. Cal. Jan. 14, 2014); see also NLRK, LLC v. Indoor Ag-Con, LLC, No. 3:21-cv-73, 2022 WL 293252, at *7 (D. Nev. Jan. 31, 2022) (CFAA 19 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 20 of 27 PageID #: 2159 claims must be pleaded with particularity when they are “based on a unified course of fraudulent conduct” because such claims are “grounded in fraud” (citation omitted)); Banc of Cal., NA v. McDonnell, No. 18-cv-1194, 2018 WL 8693922, at *4 (C.D. Cal. Nov. 9, 2018) (same); Ewiz Corp v. Ma Labs., Inc., No. 15-CV-1213, 2015 WL 5680904, at *5–6 (N.D. Cal. Sept. 28, 2015). A few courts have held to the contrary, requiring that section 1030(a)(4) allegations in civil cases brought under section 1030(g) satisfy the Rule 9(b) pleading standard, seemingly with respect to each of the elements of section 1030(a)(4) that refer to “fraud” or “intent to defraud.” See, e.g., United Fed’n of Churches, LLC v. Johnson, No. 2:20-cv-509, 2022 WL 1128919, at *4 n.5 (W.D. Wash. Apr. 15, 2022); Villareal v. Saenz, No. 5:20-CV-571, 2021 WL 1986831, at *7 (W.D. Tex. May 18, 2021); SMH Enterprises, L.L.C. v. Krispy Krunchy Foods, L.L.C., No. 20-cv2970, 2021 WL 1226411, at *5 (E.D. La. Apr. 1, 2021); Symphony Diagnostic Servs. No. 1, LLC v. Kingrey, No. 4:18-cv-463, 2019 WL 7821416, at *1 (E.D. Ark. Jan. 29, 2019); Synopsys, Inc. v. Ubiquiti Networks, Inc., 313 F. Supp. 3d 1056, 1072 (N.D. Cal. 2018); Saunders v. Davis, No. 15-cv-2026, 2016 WL 4921418, at *13 n.18 (D.D.C. Sept. 15, 2016). For purposes of this case, I need not decide whether the heightened pleading standard of Rule 9(b) applies to Ryanair’s claim based on section 1030(a)(4), because the complaint’s allegations are sufficient to satisfy that heightened pleading standard in any event. Ryanair alleges that the defendants and/or the aggregators have engaged in fraudulent conduct by misrepresenting themselves, for example by “lying about [their] email address[es] or anonymizing [their] IP address[es],” when creating accounts on the Ryanair website. Dkt. No. 76 at ¶ 325. As noted, Rule 9(b) requires that Ryanair establish the “who, what, where, when, and how” of the fraudulent conduct Ryanair is alleging. See UPMC, 946 F.3d at 176 (citation omitted). Ryanair has alleged the “who” (the defendants and/or the aggregators), the “what” 20 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 21 of 27 PageID #: 2160 (misrepresenting themselves), the “where” (on the Ryanair website), the “when” (when attempting to access the myRyanair section of the Ryanair website), and the “how” (using false email addresses or IP addresses). See id. Specific details regarding the defendants’ alleged conduct, such as the specific technologies used to generate the false email and IP addresses, and any communications between the defendants and the aggregators regarding those efforts, are likely to be “peculiarly within the defendant[s’] knowledge or control” and obtainable only in discovery. See In re Burlington Coat Factory Sec. Litig., 114 F.3d 1410, 1418 (3d Cir. 1997). Moreover, the purposes of Rule 9(b) have been satisfied, as the defendants have been able to answer the complaint and appear to have “understood what was being pleaded.” See Illinois Nat’l Ins. Co. v. Wyndham Worldwide Operations, Inc., 653 F.3d 225, 233 (3d Cir. 2011). Accordingly, I will not dismiss Count II of Ryanair’s complaint on the ground that it fails to meet Rule 9(b)’s heightened pleading standard. 10 E. Counts I and IV: 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(5)(B)–(C). Count I of Ryanair’s complaint alleges a violation of 18 U.S.C. § 1030(a)(2)(C), which prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer.” Similarly, Count IV of Ryanair’s complaint alleges a violation of 18 U.S.C. § 1030(a)(5)(B)–(C), which prohibits 10 At oral argument on the present motion, the defendants suggested that Ryanair’s amended complaint fails to allege adequately that Ryanair has had been “defrauded,” i.e., that Ryanair has been deprived of something of value as a result of the defendants’ conduct. That argument is forfeited by not having been raised in the defendants’ opening brief on the motion. In any event, it is unpersuasive in view of Ryanair’s allegation that the defendants use the information they obtain via their conduct in a manner that “causes damage to Ryanair’s goodwill and reputation.” See Dkt. No. 76 at ¶¶ 259–63. Although goodwill is an intangible asset, it is one to which corporations attribute value and which they include on their financial statements. Therefore, even if a deprivation of something of value is required by section 1030(a)(4), Ryanair has adequately alleged that such a deprivation occurred. 21 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 22 of 27 PageID #: 2161 “intentionally access[ing] a protected computer without authorization,” and either “recklessly caus[ing] damage” or actually “caus[ing] damage and loss.” The issue with respect to those two counts is whether Ryanair has plausibly alleged that the defendants have accessed Ryanair’s website without authorization or, if they had some level of authorization, whether the defendants exceeded their authorized access to Ryanair’s website. The defendants argue that the Ryanair website is a public website, to which the CFAA’s concept of “authorization” or “authorized access” does not apply. Ryanair alleges that the myRyanair portion of its website is not public and that, in any event, the defendants are not authorized to access the that portion of the Ryanair website. Recent case law interpreting the CFAA makes clear that the CFAA’s concept of authorization focuses heavily on technological barriers to access. For example, in Van Buren v. United States, the Supreme Court held that an individual “exceeds authorized access” when he “accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” 141 S. Ct. at 1662. Although the Court declined to expressly decide whether that inquiry “turns only on technological (or ‘code-based’ limitations) on access, or instead also looks to limits contained in contracts or policies,” the Court’s ultimate holding—that a police officer did not violate the CFAA when he accessed police records for an improper purpose—strongly suggests that the operative question is whether a technological or code-based limitation exists to prevent access to a computer by those who do not have proper authorization. See id. at 1658–59 & n.8, 1662. The Ninth Circuit’s opinion in hiQ Labs, Inc. v. LinkedIn Corp. is similarly instructive. 31 F.4th 1180 (9th Cir. 2022). In that case, the court noted that a user accesses a computer system “without authorization” when the user “circumvents a computer’s generally applicable rules 22 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 23 of 27 PageID #: 2162 regarding access permissions, such as username and password requirements, to gain access to a computer.” Id. at 1201. As a result, the court held that accessing “publicly available data” did not “constitute access without authorization under the CFAA,” even when that access was in violation of the website’s terms of use and was the subject of a cease-and-desist letter. Id. at 1195, 1199, 1201. The court suggested that had the data in question been “protected by [a] username and password authentication system,” such as that used by Facebook, rather than being “available to anyone with a web browser,” the user’s accessing of that data might have been without authorization. See id. at 1199. Other district court decisions are in accord. See, e.g., Greenburg v. Wray, No. 22-cv-122, 2022 WL 2176499, at *2 (D. Ariz. June 16, 2022) (“[I]f ‘anyone with a browser’ could access the website, it had no limitations on access.”); Salinas v. Cornwell Quality Tools Co., No. 19-cv-2275, 2022 WL 3130875, at *8–9 (C.D. Cal. June 10, 2022) (holding that accessing a database, which did not require a password to access, was not conduct that violated the CFAA); Meta Platforms, Inc. v. BrandTotal Ltd., No. 20-CV-07182, 2022 WL 1990225, at *24 (N.D. Cal. June 6, 2022) (“Where a website is made available to the public without any authentication requirement at least in the first instance, the concept of ‘without authorization’ does not apply, even if the owner employs technological measures to block specific users, suspicious activity, or—as here—repeated access beyond a particular threshold.” (cleaned up)). The above cases make clear that in order for the CFAA’s “without authorization” and “exceeds authorized access” elements to apply, some sort of authentication mechanism (e.g., the use of usernames and passwords) must be employed to limit access to the website. If the information on the website is publicly available without requiring users to authenticate themselves, 23 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 24 of 27 PageID #: 2163 a violation of the terms of use or the defiance of a cease-and-desist letter will not give rise to liability under the CFAA. In this case, Ryanair alleges that users must log in to the myRyanair portion of the Ryanair website using a username and password. Dkt. No. 76 at ¶ 95. Ryanair further alleges that it has blocked accounts associated with persons that Ryanair believes have engaged in screen scraping of the myRyanair portion of the site. Id. at ¶ 111. And beyond the login mechanism, Ryanair also alleges that it uses the Shield program to limit unauthorized access to its website, and that the defendants have sought to circumvent the Shield program in order to access information about Ryanair itineraries. Id. at ¶¶ 252–53. In short, Ryanair has alleged that the defendants circumvent code-based authentication mechanisms that are designed to limit access to the myRyanair portion of the website. Ryanair also alleges that the defendants engaged in screen scraping in violation of the terms of use of the Ryanair website and that the defendants continued to do so even after Ryanair sent each defendant a cease-and-desist letter. Id. at ¶¶ 70–85. Although those allegations would be insufficient to establish liability under the CFAA if the contents of the myRyanair portion of the website were accessible to the public without authentication, courts have found cease-and-desist letters to withdraw authorization to access a protected portion of a website when an authentication mechanism protected access to that portion of the website. Facebook, 844 F.3d at 1067–69 (holding that a defendant who used the login information of other users to access the Facebook website, in defiance of a cease-and-desist letter, violated the CFAA); In re Dealer Mgmt. Sys. Antitrust Litig., 362 F. Supp. 3d 558, 570 (N.D. Ill. 2019). In the context of a system that requires a user name and password to obtain access to a particular portion of a party’s website, and where the defendants are alleged to have obtained such access in violation of the terms of use of the 24 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 25 of 27 PageID #: 2164 Ryanair website and the cease-and-desist letters that Ryanair sent to the defendants, the allegations in the First Amended Complaint are sufficient to withstand a motion to dismiss for failure to state a claim on which relief can be granted. 11 The question before the court is whether the steps Ryanair has taken to protect the myRyanair portion of its website from unwanted incursions such as those allegedly sponsored by the defendants are sufficient to render that portion of the website non-public, and thus the defendants’ access to that website unauthorized for purposes of section 1030. The resolution of that question will depend on the facts developed in the further course of this litigation. I therefore find that Ryanair has stated a plausible claim for relief in Counts I and IV, and that the motion to dismiss must be DENIED with respect to those two counts. F. Count V: 18 U.S.C. § 1030(b) Count V of Ryanair’s complaint alleges a violation of 18 U.S.C. § 1030(b). Section 1030(b) provides that “[w]hoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.” Put simply, section 1030(b) prohibits any conspiracy to violate the CFAA. Courts have routinely entertained claims under section 1030(b) in civil cases. 12 See, e.g., In re Lenovo Adware Litig., No. 15-MD-02624, 2016 WL 6277245, at *6 (N.D. Cal. Oct. 27, 11 It is worth noting that the Facebook case pre-dates the Supreme Court’s decision in Van Buren, and it is not entirely clear to what extent that case—and in particular the discussion of cease-and-desist letters in that case—remains good law in light of Van Buren. In the hiQ decision, which was issued after Van Buren, the Ninth Circuit relied on the Facebook case, so that case likely has some persuasive force even in light of Van Buren. See hiQ, 31 F.4th at 1199. In any event, I find that the various factors alleged by Ryanair, including the myRyanair login mechanism, the Shield program, and Ryanair’s use of cease-and-desist letters, support Ryanair’s claims and thus allow Counts I and IV to survive the defendants’ motion to dismiss. 12 The defendants argue that the CFAA does not permit a civil claim for conspiracy under section 1030(b). They point to the language of section 1030(g), which provides that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action 25 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 26 of 27 PageID #: 2165 2016); Cloudpath Networks, Inc. v. SecureW2 B.V., 157 F. Supp. 3d 961, 984–85 (D. Colo. 2016); Advanced Fluid Sys., Inc. v. Huber, 28 F. Supp. 3d 306, 328 (M.D. Pa. 2014), aff’d, 958 F.3d 168 (3d Cir. 2020). A claim under section 1030(b) requires “specific allegations of an agreement and common activities.” Lenovo Adware, 2016 WL 6277245, at *6 (citation omitted). Ryanair’s complaint contains sufficient allegations of conspiracy to survive a motion to dismiss. Among other things, the complaint alleges that the defendants “have entered into written agreements with their agents and certain third parties who access the Ryanair Website without authorization . . . on behalf of the Defendants.” Dkt. No. 76 at ¶ 220. Ryanair alleges that the defendants have entered into such agreements with specific third parties, including “Travelfusion,” “Mystifly,” “Kiwi.com,” “PKFare,” and “Etraveli.” Id. at ¶ 215. Moreover, Ryanair alleges that the defendants “know that neither the Defendants nor th[o]se agents and third parties are authorized to access the Ryanair website,” and that the defendants and third parties “work in concert to access the Ryanair Website, including the myRyanair portion of the Ryanair Website.” Id. at ¶¶ 221, 223. Ryanair further alleges that the defendants share common interests with some of the third parties with whom they contract. Id. at ¶¶ 230–42. 13 As discussed above, Ryanair has alleged a plausible claim for relief in Counts I and IV of its complaint. Because Ryanair has alleged an underlying violation of the CFAA along with an against the violator.” 18 U.S.C. § 1030(g) (emphasis added). That argument fails to recognize, however, that a defendant who conspires to commit a CFAA violation is itself a violator of section 1030(b), which falls within the scope of the cause of action provided in section 1030(g). 13 The defendants argue (Dkt. No. 81 at 27) that the First Amended Complaint does not allege that any of the agreements between the defendants and third parties contain any agreement to violate the law, and in fact that the agreements represent that the parties will not violate the law in performing their contractual obligations. Setting aside the fact that the agreements are not part of the record on the motion to dismiss, the fact that parties may have signed an agreement stating that they will not violate the law obviously does not immunize them from liability if the allegations assert, and the evidence shows, that they engaged in unlawful conduct. 26 Case 1:20-cv-01191-WCB Document 105 Filed 10/24/22 Page 27 of 27 PageID #: 2166 agreement and common activities with third parties, the defendants’ motion to dismiss Count V of the First Amended Complaint must be denied as well. V. Conclusion In summary, Count III of Ryanair’s First Amended Complaint is dismissed. Counts I, II, IV, and V all state a plausible claim for relief and therefore will not be dismissed at this time. The stay of discovery issued on July 8, 2022, Dkt. No. 74, is hereby lifted. The deadlines set forth in the Scheduling Order, Dkt. No. 46, remain in effect. IT IS SO ORDERED. SIGNED this 24th day of October, 2022. _______________________________ WILLIAM C. BRYSON UNITED STATES CIRCUIT JUDGE 27
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
