Ninth Circuit affirms dismissal of customer’s claims arising from malware attack

McGarry v. Delta Air Lines, Inc. (9th Cir. July 17, 2020).  Through a malware attack, hackers accessed credit and debit card information, mailing addresses and other personal information of users of Delta’s website.  One user brought a class action complaint against Delta and [24]7, “a chat service that Delta retained to interact with customers through its website.”  The plaintiff alleged that she faced “years of constant surveillance of her financial and personal records, monitoring, and loss of rights,” and her first amended complaint alleged claims for “(1) breach of contract as third-party beneficiary, against both Defendants; (2) breach of contract against Delta; (3) unjust enrichment against Delta; (4) bailment against Delta; (5) violation of the Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701 et seq., against 24[7]; and (6) violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §§ 1030 et seq., against both Defendants.”

The defendants filed a motion to dismiss all of the plaintiff’s claims; the court granted it in its entirety, ruling as follows:

Breach of contract as third-party beneficiary.  The court ruled that 49 U.S.C. § 41713(b)(1), the ADA’s preemption provision, preempted this claim because it constituted the plaintiff’s improper attempt to expand her contractual relationship with Delta by relying on the airline’s separate subscription services contract with [24]7.  The court reasoned that the plaintiff’s claim would necessarily rely on California third-party beneficiary law, which was external to the contract between the plaintiff and Delta.

Breach of contract.  The court ruled that this claim failed because it was based on Delta’s Privacy Policy but such policy included this disclaimer:  “This Privacy Policy is not a contract and does not create any legal rights or obligations.”  Also, the court ruled that, even though Delta’s Contract of Carriage recognized that customers are providing personal data, it “contains no self-imposed promise from Delta as to how it will handle customer data” and does not “promise specific procedures of third-parties, like [24]7, that have access to such data.”

Unjust enrichment.  The ADA preempts this claim, the court ruled, because “under California law, a claim for unjust enrichment imposes a state-created obligation outside the parties’ private agreement.”

Bailment.  The court ruled that the plaintiff had failed to adequately allege a bailment claim because her personal data did not constitute personal property that she had delivered to Delta with an expectation that it be returned at some point.

SCA.  Section 2701 of the SCA “provides a cause of action against anyone who intentionally accesses without authorization a facility through which an electronic communication service is provided . . . and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.”  The court ruled that the plaintiff’s personal data did not constitute a “facility.”

Section 2702 of the SCA “prohibits a person or an entity providing either an ‘electronic communication service’ or ‘remote computing service’ to the public from ‘knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service.’”  The court ruled that the plaintiff’s allegations were “insufficient to show that [24]7 divulged Plaintiffs’ data and did so with a knowing state of mind within the meaning of § 2702.”

CFAA.  “A claim for violation of the CFAA requires a plaintiff to show that a defendant (1) intentionally accessed a computer; (2) without authorization or exceeding authorized access; (3) obtained information; (4) causing a loss; and (5) resulting in a loss of at least $5,000 in value.”  The plaintiff had alleged that the defendants had violated the CFAA by placing “cookies” on her computer.  The court ruled that the plaintiff’s CFAA claim was insufficient because she had not alleged (i) that, through the cookies, the defendants had gained access to her computer without authorization, or (ii) that her personal data had been accessed through the “unauthorized cookies.”

The district court granted the motion to dismiss with leave to amend, but the plaintiff notified the court that she would not be filing a second amended complaint.  The next day, the court dismissed the case with prejudice, and the plaintiff appealed.  The Ninth Circuit affirmed the dismissal order.

Note:  A day earlier, on July 16, 2020, the Ninth Circuit issued an opinion affirming the district court’s dismissal order in a related case, Pica v. Delta Air Lines, Inc. et al.

Leave a Reply