Thursday, April 27, 2006, 11:02:00 AM

Orbitz and the Computer Fraud and Abuse Act

By Todd
A good number of you know that Orbitz is an online travel agency where you can search for, and purchase, airline tickets and the like. Apparently it was created in late 1999 pursuant to a partnership among five airlines: American, Continental, Delta, Northwest and United. Back in 1999 and 2000 Orbitz signed a bunch of contracts with companies to provide it with information and web-infrastructure. Worldspan L.P. was one of those companies.

Worldspan apparently agreed to provide Orbitz with information about the availability of airline segments and web-page support so that Orbitz could book and issue airline tickets and also display on a screen the various international flight options available to the potential customer. Orbitz's business model, however, was ultimately to rely less and less on these companies providing "computer reservation systems" - or CRS companies.

In 2001, Orbitz went into negotiations with Worldspan to use the Worldspan information Orbitz needed. A contract was entered into, but the companies were unable to resolve the amount of compensation Worldspan would receive from Orbitz for certain information provided. At some point, Worldspan learned that Orbitz was continuing to use information and data that Worldspan had not authorized Orbitz to use in marketing and selling airline tickets. This resulted in another negotiated agreement, but Worldspan was still not happy with Orbitz after that agreement was reached. According to Worldspan, Orbitz was accessing Worldspan's systems without authorization and stealing data in derogation of the negotiated agreements. So Worldspan filed suit . . . and its principal claim against Orbitz was for violation of the federal Computer Fraud and Abuse Act at 18 U.S.C. section 1030 et seq.

Orbitz filed a motion to dismiss Worldspan's claim under the Computer Fraud and Abuse Act. Orbitz said that the agreements appended to Worldspan's federal complaint demonstrated that Orbitz's access to Worldspan's data was authorized - the contractual language being "During the term of this Agreement, WORLDSPAN will provide Orbitz with access to the WORLDSPAN System for purposes of the operation of the Orbitz Website and in accordance with the provisions of this Agreement." Hmmm - good point, Orbitz. Worldspan responded that Orbitz "had exceeded the permitted access and misused the . . . data." The district court deciding the motion to dismiss noted that there is a distinction between accessing a computer "without authorization" and accessing a computer while "exceeding the authorized access." To "exceed authorized access," the district court noted, is "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." But that is not what Worldspan pled in its complaint - it alleged Orbitz was not authorized to access the computer data. Oops.

The district court dismissed Worldspan's Computer Fraud and Abuse Act claim. The message to companies and their attorneys is to plead the violation of the CFAA particularly. The case is cited as Worldspan L.P. v. Orbitz, L.L.C., 2006 WL 1069128 (April 19, 2006 N.D. Ill.).

