In Re American Airlines, Inc., Privacy Litigation, 370 F. Supp. 2d 552

370 F. Supp. 2d 552

N.D. Tex.

2005

FITZWATER, District Judge.

Defendants’ Fed.R.Civ.P. 12(b)(6) motions to dismiss require that the court decide whether plaintiffs have stated claims under the Electronic Communications Privacy AcL-Stored Communications (“ECPA”), 18 U.S.C. § 2701 et seq., and whether plaintiffs’ state-law claims are preempted by the Airline Deregulation Act of 1978 (“ADA”), and, if not, whether plaintiffs have stated state-law claims on which relief can be granted. For the reasons that follow, the court holds that plaintiffs’ ECPA actions fail to state a claim, that their state-law claims, except their breach of contract action, are expressly preempted by the ADA, and that they have failed to state a breach of contract claim on which relief can be granted. The court therefore grants defendants’ motions to dismiss and allows plaintiffs to replead.

These are consolidated cases pending in this court for coordinated or consolidated pretrial proceedings by order of the Judicial Panel on Multidistrict Litigation. See In re Am. Airlines, Inc., Privacy Litig., 342 F.Supp.2d 1355 (Jud.Pan.Mult.Lit. 2004). Plaintiffs bring putative nationwide class actions on behalf of persons allegedly injured when defendants AMR Corp. and American Airlines, Inc. (collectively, “American”) authorized Airline Automation, Inc. (“AAI”) to disclose highly confidential passenger information — passenger name records (“PNRs”) — to the Transportation Security Administration (“TSA”), without the passengers’ consent. 1 They allege that, without the passengers’ consent, and perhaps without American’s pér-mission, AAI accessed and provided the information to four private research companies: defendants Fair, Isaac and Company, 2 Infoglide Software Corporation, Lockheed Martin Corporation (collectively, “vendor defendants”), and Ascent Technology, Inc. (“Ascent”). 3 Plaintiffs maintain that defendants intentionally accessed, without authorization, a facility through which an electronic communication service is provided or exceeded their authority in order to obtain stored electronic communications that included plaintiffs’ personally-identifiable information.

In Kimmell v. AMR Corp., et al., No. 3:04-CV-0750-D, and Baldwin v. AMR Corp., et al., No. 3:04-CV-1148-D, plaintiffs sue under 18 U.S.C. § 2707 4 for violations of the ECPA and on state-law claims for breach of contract, trespass to property, invasion of privacy, unjust enrichment, and deceptive trade practices under the Texas Deceptive Trade Practices — Consumer Protection Act, Tex. Bus. & Com. Code Ann. §§ 17.41-17.826 (Vernon 2002 & Supp.2004-05), and similar statutes of 48 other states and the District of Columbia that prohibit unfair and deceptive acts and practices. In Rosenberg v. AMR Corp., et al., No. 3:04-CV-2564-D, plaintiff sues under the ECPA and for breach of contract, deceptive trade practices under N.Y. Gen. Bus. Law § 349 (McKinney 2004) and similar statutes of 48 other states and the District of Columbia that prohibit unfair and deceptive acts practices, trespass to property, invasion of privacy, and unjust enrichment.

American owns and operates an Internet website — http://www.aa.com—that enables customers to purchase tickets for air transportation and provides users the ability to send or receive wire or electronic communications. 5 AAI plays a role in maintaining the website. American also owns or operates SABRE, a computer reservation system or server (“CRS”) used in providing air transportation-related services, such as ticket reservations and sales. It, too, provides users the ability to send or receive wire or electronic communications. The website also enables users to send or receive electronic communications to the CRS. When American takes reservations or sells air transportation over the telephone or via the Internet, it collects personalty-identifiable information from its passengers, including name, address, telephone numbers, AAdvantage account and flight information, eredit/debit card information, emergency contacts, seating and dietary preferences, passport number, and country of residence. The information is bundled and maintained in a PNR.

American’s website sets out its privacy policy, which is part of the contract of carriage with passengers. The policy states the limitations American observes in disclosing or sharing customer information and represents that information security is one of its highest priorities. In sum, the policy represents that American does not sell customer information or share a customer’s email address with third parties unless required by law, and does not disclose customer information to companies affiliated with American, or unaffiliated third parties, except to fulfill products or services the customer requests, and may disclose this information to United States or other countries’ tax, security, or regulatory authorities, if required by law. American represents that access to personal information about customers is limited to employees and agents who need to know the information to provide products and services, that personal information is maintained under strict physical, electronic, and procedural safeguards that comply with federal regulations, that security standards and procedures are regularly reviewed to protect against unauthorized access, and that American participates in the Council of Better Business Bureaus’ online privacy program and complies with its privacy and security standards.

In or about June 2002 American, through its agent, AAI, turned over approximately 1.2 million electronically-stored PNRs. American and AAI accessed this personal information without the passengers’ prior authorization and/or beyond their consent. AAI also purportedly lacked American’s consent. AAI, in turn, disclosed the information to the vendor defendants and Ascent. When the news broke that JetBlue Airways Corporation had disclosed such information, American initially denied that it had released passenger personal information. In 2004, however, it admitted that it had authorized AAI to disclose highly confidential personal passenger information to TSA, although it contends that AAI exceeded its authority by accessing, transferring, or making PNRs available to the vendor defendants and Ascent. AAI maintains that American was fully aware of, and authorized, this access.

Defendants move to dismiss these actions for failure to state a claim, contending that plaintiffs cannot recover under the ECPA, their state-law actions are preempted under the ADA, and, if any causes of action are not preempted, plaintiffs have failed to state claims on which relief can be granted. 6

The court considers first whether defendants are entitled to dismissal of plaintiffs’ ECPA claim. 7 “[A] complaint should not be dismissed [under Rule 12(b)(6)] for failure to state a claim unless it appears beyond doubt that the plaintiff can prove no set of facts in support of his claim which would entitle him to relief.” Ramming v. United States, 281 F.3d 158, 161 (5th Cir.2001) (per curiam) (quoting Conley v. Gibson, 355 U.S. 41, 45-46, 78 S.Ct. 99, 2 L.Ed.2d 80 (1957)).

As clarified at oral argument, 8 plaintiffs allege that AAI violated § 2701 9 of the ECPA by intentionally accessing without authorization, and/or in excess of its authorization, plaintiffs’ PNRs and, in turn, divulging their contents to the vendor defendants. Plaintiffs assert that the vendor defendants are also liable directly and as aiders and abettors 10 and coconspirators. 11 AAI argues that plaintiffs’ § 2701-based claim fails because, inter alia, by pleading that American authorized AAI to disclose I.2 million PNRs to TSA, they implicitly concede that American authorized AAI to access the PNRs in any American electronic communication service. AAI also maintains that plaintiffs cannot recover because, while there may be some dispute regarding whether American provided AAI the PNRs with the understanding that it would disclose them only to TSA, they have not pleaded specific facts that support the conclusion that AAI originally obtained the data without American’s consent.

The court concludes that plaintiffs have failed to state a § 2701-based claim against AAI. Their amended complaints each assert that American authorized AAI to disclose the PNRs to TSA. See, e.g., Kimmell Am. Compl. ¶38. As AAI points out, an implicit corollary to these aver-ments is that AAI obtained the passengers’ information with American’s knowledge and consent, i.e., it had American’s authorization to access the PNRs in the first place. Absent an explicit allegation that American authorized AAI to disclose the PNRs to TSA after AAI had obtained unauthorized access to American’s facility — a premise that is so at odds with common sense that it cannot reasonably be inferred absent such specificity — the amended complaints undercut the premise that AAI lacked American’s authorization to access its facility. 12

Plaintiffs are therefore limited to the contention that AAI violated § 2701 by exceeding its authorization to access American’s facility. Although plaintiffs include conclusory allegations that AAI in fact exceeded its authorization, see, e.g., Kimmell Am. Compl. ¶ 51, the factual basis for these assertions is that AAI lacked authorization to disclose the PNRs to any entity other than TSA, i.e., the vendor defendants and Ascent. See, e.g., id. ¶¶ 39, 40 (“While [American] admits that it authorized AAI to disclose highly confidential personal passenger information to the TSA, it contends that AAI exceeded its authority by accessing, transferring or making PNRs available to [the vendor defendants] and non-party Ascent. AAI, however, claims that [American] was fully aware of and authorized access by [the vendor defendants] and non-party Ascent.”). The facts plaintiffs plead demonstrate that they are relying on a theory of unauthorized disclosure of information, not of access that exceeded what was authorized. 13

The purpose of § 2701 is to prevent unauthorized access to a facility through which an electronic communication service is provided. See In re Northwest Airlines Privacy Litig., 2004 WL 1278459, at *2 (D.Minn. June 6, 2004) (dismissing § 2701-based claim because “[plaintiffs’ complaint is not with how Northwest obtained the information, but with how Northwest subsequently used the information.”); Sher man & Co. v. Salton Maxim Housewares, Inc., 94 F.Supp.2d 817, 821 (E.D.Mich.2000) (“Because section 2701 of the ECPA prohibits only unauthorized access and not the misappropriation or disclosure of information, there is no violation of section 2701 for a person with authorized access to the database no matter how malicious or larcenous his intended use of that access. Section 2701 outlaws illegal entry, not larceny.”); Educ. Testing Serv. v. Stanley H. Kaplan, Educ. Ctr., Ltd., 965 F.Supp. 731, 740 (D.Md.1997) (“[I]t appears evident that the sort of trespasses to which the [ECPA] applies are those in which, the trespasser gains access to information to which he is not entitled to see, not those in which the trespasser uses the information in an unauthorized way.”); State Wide Photocopy, Corp. v. Tokai Fin. Servs., Inc., 909 F.Supp. 137, 145 (S.D.N.Y.1995) (“[Section] 2701 is aimed at parties accessing facilities without authorization.”). Section 2701 does not proscribe unauthorized use or disclosure of information obtained from authorized access to a facility. See Northwest Airlines, 2004 WL 1278459, at *2; Sherman & Co., 94 F.Supp.2d at 820 (citing Wesley Coll. v. Pitts, 974 F.Supp. 375, 389 (D. Del.1997), aff'd, 172 F.3d 861 (3d Cir.1998) (unpublished table decision)). Yet this is what plaintiffs are alleging concerning AAI’s disclosure of PNRs to the vendor defendants. 14 Accordingly, the court holds that plaintiffs have failed to state a § 2701-based claim against AAI.

Plaintiffs seek to hold the vendor defendants liable under § 2701 directly and as aiders and abettors and coconspirators of American’s violations of the ECPA. The court concludes that the vendor defendants are also entitled to dismissal. First, plaintiffs have failed to state a claim against them directly because, despite the conclusory allegations that these defendants accessed American’s facility, the facts plaintiffs plead all point to their having received the PNRs from American and/or AAI. See, e.g., Kimmell Compl. ¶42 (“[American] and/or AAI accessed a facility ... and made [the contents of the communications] available for access by [the vendor defendants] and non-party Ascent.”). Plaintiffs have failed to state a direct cause of action based on unauthorized access. Second, because plaintiffs clarified at oral argument that they are not asserting § 2701-based liability against American, the vendor defendants cannot be held liable under § 2701 as aiders and abettors or conspirators of American. Third, even if plaintiffs’ clarification means that they intend to hold the vendor defendants liable as aiders and abettors of or coconspirators with AAI, 15 because the court is dismissing plaintiffs’ § 2701-based claim against AAI, it follows that the vendor defendants cannot be held liable as aiders and abettors or coconspirators. See In re Managed Care Litig., 298 F.Supp.2d 1259, 1286 (S.D.Fla.2003) (holding that civil liability for aiding and abetting requires showing that substantive offense was committed); Coppock v. Northrop Grumman Corp., 2003 WL 21730668, at *14 n. 17 (N.D.Tex. July 22, 2003) (Fitzwater, J.) (“A claim for civil conspiracy is generally not viable without the commission of an underlying wrongful act[.j”).

The court turns next to whether plaintiffs have stated a § 2702-based claim against American. 16 With certain exceptions, § 2702 prohibits a provider of an electronic communication service or of a remote computing service to the public from knowingly divulging the contents of a communication in electronic storage or carried or maintained on the service. Plaintiffs allege that American violated § 2702 by authorizing the disclosure of passenger information.

American argues, inter alia, that, even assuming that its computer reservation system is an electronic communication service or a remote computing service, its conduct falls within the exception to liability set out in § 2702(b)(3), which permits disclosure of electronic communications “with the lawful consent of ... an ... intended recipient of such communication[.]” Plaintiffs respond that American cannot avail itself of this exception because its consent was unlawful in that it violated American’s privacy policy, or because American was not the intended recipient of the electronic communications in question.

Plaintiffs have failed sufficiently to plead that American’s consent was unlawful because it was given in violation of its privacy policy. Nor do they cite authority in their opposition memorandum that supports the assertion that consent under § 2702(b)(3) is not lawful if given in breach of a contract. Section 2702 is a criminal statute, and the mere breach of a contract normally is not “unlawful” in a criminal sense. See United States v. Blankenship, 382 F.3d 1110, 1133 (11th Cir.2004) (“It is not illegal for a party to breach a contract[.]”); Benderson Dev. Co. v. United States Postal Serv., 998 F.2d 959, 962 (Fed.Cir.1993) (“To breach a contract is not unlawful; the breách only begets a remedy in law or in equity.”); Cram Roofing Co. v. Parker, 131 S.W.3d 84, 91 (Tex.App.2003, no pet.) (en banc) (“While a contract may indeed have the force of law, breach of a contract is not necessarily an illegal activity."). Moreover, the concept of "lawful consent" in § 2702(b)(3) is probably more akin to that found in other criminal statutes, i.e., consent given by one who has the legal capacity to consent. Cf. e.g., United States v. Chavarriya-Mejia, 367 F.3d 1249, 1251 (11th Cir.) (noting that law presumes children cannot lawfully consent to sexual contact), cert. denied, - U.S. -, 125 S.Ct. 95, 160 L.Ed.2d 182 (2004). Even if American was contractually bound by its privacy policy not to disclose passenger information and can be held liable for breach of contract, this obligation did not deprive it of the legal capacity under § 2702(b)(3) to consent to disclosure.

Plaintiffs also maintain that § 2702(b)(3) is inapplicable on the basis that the intended recipient of their electronic communications was SABRE instead of American. This contention is not supported, however, by their amended complaints. Plaintiffs allege that they conveyed personal information to American. Under § 2702(b)(3), American need only be an intended recipient, not the intended recipient. They also aver that they sent their personal information in reliance upon American's promise not to disclose it to third parties, except to provide travel services. This allegation of reliance on American's promise is inconsistent with the argument that they did not intend American to be a recipient of their personal information.

Accordingly, the court holds that plaintiffs have failed to state a § 2702-based claim against American. Plaintiffs' ECPA claim against all defendants is dismissed. 17

III

The court next addresses whether plaintiffs' state-law claims are expressly preempted by the ADA or are impliedly preempted by federal action in the field of aviation transportation security.

The court turns first to express preemption.

It is beyond question that, by enacting the ADA, Congress intended to preempt aspects of state law that govern air carriers. Section 41713(b)(1) provides:

Except as provided in this subsection, a State . . . may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier that may provide air transportation under this subpart.

49 U.S.C. § 41713(b)(1). 18 The Supreme Court reads broadly the "related to" language of this section and, in turn, the preemptive effect of the ADA. See Morales v. Trans World Airlines, Inc., 504 U.S. 374, 383, 112 S.Ct. 2031, 119 L.Ed.2d 157 (1992) ("The ordinary meaning of [relating to] is a broad one ... and the words thus express a broad pre-emptive purpose."). Laws of general applicability may be preempted by the ADA; they need not actually prescribe airline prices, routes, or services. See Hodges v. Delta Airlines, Inc., 44 F.3d 334, 336 (5th Cir.1995) (en banc). Moreover, "ADA preemption is not limited to claims brought directly against air carriers. Rather, claims are preempt ed if they ‘relate to’ the prices, routes or services of an air carrier.” Lyn-Lea Travel Corp. v. Am. Airlines, Inc., 283 F.3d 282, 287 n. 8 (5th Cir.2002) (citations omitted). Nor is preemption limited to state laws or regulations. See id. at 287-89 (holding, inter alia, that common law claims were preempted).

Not all claims that may have economic repercussions, however, are sufficiently related to an airline’s prices, routes, or services to be preempted. “ ‘[S]ome state actions may affect [airline fares] in too tenuous, remote, or peripheral a manner’ to have pre-emptive effect.” Morales, 504 U.S. at 390, 112 S.Ct. 2031 (quoting Shaw v. Delta Air Lines, Inc., 463 U.S. 85, 100 n. 21, 103 S.Ct. 2890, 77 L.Ed.2d 490 (1983)). Thus, for example, in Smith v. America West Airlines; Inc., 44 F.3d 344 (5th Cir.1995) (en banc), the claims of passengers who alleged that an airline was negligent in permitting a hijacker to board an aircraft were not preempted, despite the potential economic effects that could arise from a damages award. Id. at 345. The effects were, too remotely related to fares to trigger ADA preemption. Id. at 347 (“If [plaintiffs] ultimately recover damages, the judgment could affect the airline’s ticket selling, training or security practices, but it would not regulate the economic or contractual aspects of boarding. Any such effect would be ‘too tenuous, remote or peripheral’ to be preempted by [the statutory predecessor to § 41713].” (quoting Morales, 504 U.S. at 390, 112 S.Ct. 2031)). Moreover, ADA preemption “does not displace state tort actions for personal physical injuries or property damage caused by the operation and maintenance of aircraft.” Witty v. Delta Air Lines, Inc., 366 F.3d 380, 382 (5th Cir.2004) (quoting Hodges, 44 F.3d at 336).

The court initially decides whether plaintiffs’ state-law claims for trespass to property, invasion of privacy, deceptive trade practices, and unjust enrichment are expressly preempted. 19 Defendants contend, inter alia, that they are because PNRs are created when passengers make reservations for air carrier service and contain information necessary or convenient to provide the services American renders as an air carrier, and plaintiffs admit they conveyed personally-identifiable information to American when purchasing tickets for air transportation. They also cite plaintiffs’ allegation that American’s statements about privacy, cus-’ tomer information, and security are part of the contract of carriage.

Plaintiffs respond to this argument at two levels. As a general matter, they maintain that Congress enacted the ADA to ensure, following airline deregulation, that the states would not enact their own forms of economic regulation. They therefore assert that courts, including the Fifth Circuit, hold that claims are preempted only when their purpose or effect inhibits or frustrates this goal. Plaintiffs posit that their claims seeking redress for privacy rights violations have no connection to airline competition or economic deregulation of the airline industry, nor would they frustrate Congress’ goal in enacting the ADA. At a more specific level, plaintiffs contend that these claims do not relate to American’s rates, routes, or services. Concerning the pertinent component of airline services, they cite authority from outside this circuit to argue that the ADA definition encompasses only “the actual provision of transportation service.” Ps. Consol. Mem. at 31 (emphasis omitted). 20

The court holds that plaintiffs’ actions for trespass to property, invasion of privacy, deceptive trade practices, and unjust enrichment are expressly preempted because they relate to at least one of American’s services. This conclusion follows from analyzing in combination the Fifth Circuit’s definition of “services,” 21 the Supreme Court’s expansive construction of the term “relate to” in § 41713(b)(1), and the factual bases for plaintiffs’ claims. In Hodges the en banc court adopted the panel opinion’s definition of “services.”

“Services” generally represent a bargained-for or anticipated provision of labor from one party to another. If the element of bargain or agreement is incorporated in our understanding of services, it leads to a concern with the contractual arrangement between the airline and the user of the service. Elements of the air carrier service bargain include items such as ticketing, boarding procedures, provision of food and drink, and baggage handling, in addition to the transportation itself. These matters are all appurtenant and necessarily included with the contract of carriage between the passenger or shipper and the airline. It is these [contractual] features of air transportation that we believe Congress intended to de-regulate as “services” and broadly to protect from state regulation.

Hodges, 44 F.3d at 336 (quoting Hodges v. Delta Airlines, Inc., 4 F.3d 350, 354 (5th Cir.1993)). 22 Therefore, plaintiffs are in correct in contending that “service” under the ADA “means the actual provision of transportation service.” Ps. Consol. Mem. at 31 (emphasis omitted). Plaintiffs’ claims “relate to” American’s services if they have a connection with or reference to them. See Hodges, 44 F.3d at 336 (“Consequently, ‘[s]tate enforcement actions having a connection with or reference to airline “rates, routes- or services” are preempted’ under [the statutory predecessor to § 41713(b)(1)].”). “Morales commands that whatever state laws ‘relate to ... services’ are broadly preempted[.]” Id.

Plaintiffs allege that American collects personally-identifiable information from customers when taking reservations or selling air transportation. They also assert that American’s privacy policy; is part of the contract of carriage and prohibits American or its agents from disclosing their personal information, except in limited circumstances. See Ps. Consol. Mem. at 25 (“The privacy policy is unquestionably' one of a number of terms that form the basis for the transportation agreement between passengers and American.”). Their state-law claims for trespass to property, invasion of privacy, deceptive trade practices, and unjust enrichment are preempted because they have a connection at least with American’s ticketing service, including the reservation component. Congress surely intended to immunize airlines from a host of potentially-varying state laws and state-law causes of action that could effectively dictate how they manage personal information collected from customers to facilitate the ticketing and reservation functions that are integral to the operation of a commercial airline. 23

These claims are likewise preempted to the extent asserted against AAI and the vendor defendants. See Lyn-Lea Travel, 283 F.3d at 287 n. 8 (stating that ADA preemption is not limited to claims brought directly against air carriers but also preempts claims that relate to air carrier’s services). The court recognizes that there will be instances in which state-law claims that would be preempted if brought against an airline will be too attenuated, remote, or peripheral to be preempted if asserted against an entity such as a vendor to an airline. The court need not decide today, however, precisely where that line should be drawn. See Hodges, 44 F.3d at 336 (noting that, in Morales, Supreme Court had “[r]efus[ed] to state exactly where the line would be drawn in a close case[.]”). Although perhaps tautologically phrased, it can be said to occur on a relatedness continuum at the point where the state law’s regulation of the entity’s conduct is too attenuated, remote, or peripheral to be related to an airline’s services. In the present case that point is not reached. Plaintiffs allege that American authorized AAI — whom plaintiffs assert plays a role in maintaining American’s website — to disclose passenger information to TSA, and that it disclosed the information — perhaps without American’s permission — to the vendor defendants. E.g., Kimmell Am. Compl. ¶¶ 27, 38-39. They assert, inter alia, that the vendor defendants aided and abetted and conspired with American to commit trespass to property, invasion of privacy, deceptive trade practices, and unjust enrichment. E.g., id. ¶ 47. Their claims against AAI and the vendor defendants are based on conduct that relates to American’s tick eting service and its reservation component and for that reason are preempted.

The court next considers whether the ADA expressly preempts plaintiffs’ breach of contract claim against American. 24

In American Airlines, Inc. v. Wolens, 513 U.S. 219, 115 S.Ct. 817, 130 L.Ed.2d 715 (1995), the Supreme Court recognized that the ADA’s preemption clause does not “shelter airlines from suits alleging no violation of state-imposed obligations, but seeking recovery solely for the airline’s alleged breach of its own, self-imposed undertakings.” Id. at 228, 115 S.Ct. 817. “[TJerms and conditions airlines offer and passengers accept are privately ordered obligations and thus do not amount to a State’s enact[ment] or enforee[ment] [of] any law, rule, regulation, standard, or other provision having the force and effect of law within the meaning of [the ADA preemption provision].” Id. (citations, footnote, and internal quotation marks omitted); see also Trujillo v. Am. Airlines, Inc., 938 F.Supp. 392, 394 (N.D.Tex.1995) (Fitzwater, J.) (“State causes of action are available to enforce bargains for services into which an airline voluntarily enteredf.]”), aff'd, 98 F.3d 1338 (5th Cir.1996) (per curiam) (unpublished table decision). Plaintiffs’ breach of contract action against American rests on a self-imposed undertaking concerning the handling of passengers’ confidential information and therefore is not preempted under the holding in Wolens.

American maintains, however, that Wol ens, Smith v. Comair, Inc., 134 F.3d 254 (4th Cir.1998), and Delta Air Lines, Inc. v. Black, 116 S.W.3d 745 (Tex.2003), cert. denied, 540 U.S. 1181, 124 S.Ct. 1418, 158 L.Ed.2d 84 (2004), support the conclusion that the breach of contract claim is preempted because it cannot be adjudicated without resort to outside sources of law. In particular, American points out that its privacy policy informs customers that their personal information may be shared as required by law and provided to United States or foreign tax, security, and regulatory authorities, if required by law. In Wolens the Supreme Court held:

The ADA’s preemption clause ..., read together with the [Federal Aviation Act’s] saving clause, stops States from imposing their own substantive standards with respect to rates, routes, or services, but not from affording relief to a party who claims and proves that an airline dishonored a term the airline itself stipulated. This distinction between what the State dictates and what the airline itself undertakes confines courts, in breach-of-contract actions, to the parties’ bargain, with no enlargement or enhancement based on state laws or policies external to the agreement.

Wolens, 513 U.S. at 232-33, 115 S.Ct. 817 (footnote omitted). In Comair the plaintiffs breach of contract claim was preempted because the airline raised federal defenses, and his claim could only be adjudicated by reference to law and policies external to the parties’ bargain. Comair, 134 F.3d at 258-59. In Delta Air Lines the Texas Supreme Court held that a breach of contract action was preempted because, although the contract incorporated Department of Transportation regulations, the plaintiff sought to enlarge the airline’s obligations and seek additional remedies not available under the contract’s terms. Delta Air Lines, 116 S.W.3d at 755.

The court concludes that the principle stated in Wolens is factually inapposite to plaintiffs’ breach of contract claim, and that Comair and Delta Air Lines are also distinguishable. Wolens differentiates between holding an airline to the bargain it struck and to one enlarged or enhanced by state laws or policies external to the agreement. In this case, as plaintiffs have pleaded their claim, American agreed to be bound to its privacy policy, except as required by law. In other words, the laws that American maintains are external to the contract are expressly incorporated into it. Unlike Comair, which was an appeal from a summary judgment in which the airline had raised federal-law defenses, Comair, 134 F.3d at 256, 258, plaintiffs in this case rely on a contract that incorporates the laws that American contends are external, and the court is assessing at the Rule 12(b)(6) stage whether they have a stated a claim. And as distinguished from Delta Air Lines, plaintiffs do not seek to modify the contract to press a right that is external to its terms. As pleaded, this case presents a question more like one that the Supreme Court held in Wolens was not external to the contract. As the Comair court explained in interpreting Wolens:

American Airlines argued that whether it breached the frequent-flyer contract depended on resolution of the external policy issue of whether to recognize American’s express reservation of the right to modify the rules governing its frequent-flyer contracts. The Court summarily rejected this argument, explaining that interpretation of the company’s express reservation was merely another issue within the parties’ contractual relationship and therefore not preempted.

Comair, 134 F.3d at 258 (citations omitted). As in Wolens, the possibility that American is permitted or required by law to share plaintiffs’ personal information is within the parties’ contractual relationship.

Accordingly, the court concludes that plaintiffs’ breach of contract claim against American is not expressly preempted.

American also maintains that plaintiffs’ state-law claims are impliedly preempted. The court need only address this argument in connection with plaintiffs’ breach of contract claim.

American argues that plaintiffs’ state-law claims are impliedly preempted because “[t]here simply is no room for the laws of the several states in the regulation of interactions between air carriers and the TSA, or cooperation between the airlines and TSA.” American Sept. 23, 2004 Br. at 15. Without suggesting a view concerning whether any of plaintiffs’ other claims are impliedly preempted, the court holds that the breach of contract action is not. In this respect, it is American’s own contractual undertaking, enforceable under state contract law, that regulates its relationship with TSA, not the laws of the several states.

American also asserts, based on Buckman Co. v. Plaintiffs’ Legal Committee, 531 U.S. 341, 121 S.Ct. 1012, 148 L.Ed.2d 854 (2001), and Brown v. Nationsbank Corp., 188 F.3d 579 (5th Cir.1999), that the claims are preempted because the relationship between TSA and American is inherently federal in character, and the question whether American properly authorized AAI to release PNR information to TSA is a question for federal regulatory agencies, not state common law. Whatever force these authorities may otherwise have, they do not compel the conclusion that American urges in the breach-of-contract context.

The court holds that plaintiffs’ breach of contract claim is not impliedly preempted.

American also moves to dismiss the breach of contract claim on the merits, contending that plaintiffs have failed to state a claim on which relief can be granted. 25 American posits that this action fails because, inter alia, plaintiffs do not allege that they incurred damages as a result of American’s breach.

The district court may dismiss a claim when it is clear that the plaintiff can prove no set of facts in support of his claim that would entitle him to relief. In analyzing the complaint, [the court] will accept all well-pleaded facts as true, viewing them in the light most favorable to the plaintiff. [The court] will not, however, accept as true conclusory allegations or unwarranted deductions of fact. The issue is not whether the plaintiff will ultimately prevail, but whether he is entitled to offer evidence to support his claim. Thus, the court should not dismiss the claim unless the plaintiff would not be entitled to relief under any set of facts or any possible theory that he could prove consistent with the allegations in the complaint.

Great Plains Trust Co. v. Morgan Stanley Dean Witter & Co., 313 F.3d 305, 312-13 (5th Cir.2002) (Rule 12(c) decision) (citations, original brackets, and internal quotation marks omitted).

The elements of a cause of action for breach of contract under Texas and New York law are: (1) existence of a contract, (2) performance or tendered performance by the plaintiff, (3) breach of the contract by the defendant, and (4) damages incurred by the plaintiff as a result of the breach. E.g., Lee v. Tyco Elecs. Power Sys., Inc., 2005 WL 1017821, at *4 (N.D.Tex. April 27, 2005) (Fitzwater, J.) (Texas law); Rasada, Inc. v. Access Capital, Inc., 2004 WL 2903776, at *21 (S.D.N.Y. Dec. 14, 2004) (New York law). Plaintiffs allege that they sustained injury as a result of defendants’ deceptive practice and invasion of privacy. E.g., Kimmell Am. Compl. ¶¶ 46, 67, 77. Their assertion that they were injured in these respects is insufficient to allege the ineluctable element that they incurred damages as a result of American’s breach of contract.

Plaintiffs appear to complain of two separate disclosures of their personal information: one to TSA (with American’s permission) and the other to the vendor defendants (with or without American’s authorization). It is unclear whether the disclosure giving rise to plaintiffs’ deceptive trade practices and invasion of privacy claims against American also supports their breach of contract claim or whether they allege that they incurred damages as a result of both disclosures. When the court assesses whether plaintiffs would be entitled to relief under any set of facts or any possible theory that they could prove consistent with the allegations in their complaints, it becomes clear that they have failed to plead the essential element of damages flowing from the breach. Accordingly, the court concludes that plaintiffs have failed to state a claim for breach of contract.

Although the court has granted defendants’ motions to dismiss, plaintiffs have requested leave to amend, which the court grants. The Fifth Circuit has recognized that

[i]n view of the consequences of dismissal on the complaint alone, and the pull to decide cases on the merits rather than on the sufficiency of pleadings, district courts often afford plaintiffs at least one opportunity to cure pleading deficiencies before dismissing a case, unless it is clear that the defects are incurable or the plaintiffs advise the court that they are unwilling or unable to amend in a manner that will avoid dismissal.

Great Plains Trust Co., 313 F.3d at 329. Despite the fact that plaintiffs have already filed amended complaints, this is the first time the court has addressed whether their pleadings sufficiently state a claim on which relief can be granted. They have not yet advised the court that they are unwilling or unable to amend in a manner that will avoid dismissal. And plaintiffs may have little difficulty remedying the pleading deficiency in their breach of contract claim. The court has also dismissed sua sponte a component of plaintiffs’ § 2701-based ECPA claim against AAI and, in doing so, has noted that plaintiffs can attempt to cure the deficiency in their pleadings by amendment. It will therefore give them an additional opportunity to avoid dismissal.

* * *

The court grants defendants’ motions to dismiss, and it grants plaintiffs leave to file amended complaints within 30 days of the date this opinion is filed.

SO ORDERED.

Notes

. Plaintiffs initially defined the putative classes as including "[a]ll persons in the United States who, prior to June 2002 ..provided personally identifiable information in connection with a flight on American Airlines, and whose information has been transferred to or accessed by another person or entity absent the authorization and/or beyond the consent of the customer[.]” E.g., Kimmell Am. Compl. ¶ 2. Although plaintiffs excluded "the Court” from the class, they did not explicitly exclude members of the presiding judge’s family, and it was theoretically possible that including such family members could require the presiding judge’s recusal. In a March 18, 2005 order, the court noted this possibility and invited plaintiffs to advise whether they would be willing to modify the putative class, and any certified class, to exclude not only the presiding judge but also the judge’s wife, persons within the third degree of relationship to the judge or his wife, and the spouses of such persons. Plaintiffs have advised that they are willing to modify the definition of the class to exclude the presiding judge, his wife, persons within the third degree of relationship to the judge or his wife, and the spouses of such persons. The court need not therefore recuse itself in these cases.

. Plaintiffs Bruce Kimmell ("Kimmell”) and Erica Baldwin ("Baldwin”) sue this defendant as "Fair, Isaac and Company, Inc.,” and they note that it merged with HNC Software, Inc. in 2002. Plaintiff Michael Rosenberg ("Rosenberg”) sues it under the name "HNC Software, Inc.”

. Kimmell and Baldwin have dismissed their claims against Ascent. The Judicial Panel on Multidistrict Litigation transferred Rosenberg v. Ascent Technology, Inc. from the District of Massachusetts to this court, where it was docketed on May 19, 2005 as Civil Action No. 3:05-CV-1040-D. Because the court has just received the case and it is not explicitly the subject of the pending motions to dismiss, this opinion does not address whether Rosenberg has stated a claim against Ascent.

Kimmell and Baldwin also sue Doe defendants 1-50, who they allege are "legally responsible in some actionable manner” for the disclosures of personal information. They have not pleaded facts that state a claim against these defendants, and the court dismisses the actions against Does 1-50 pursuant to Rule 12(b)(6).

. 18 U.S.C. § 2707(a) provides:

Cause of Action. — Except as provided in section 2703(e), any provider of electronic communication service, subscriber, or other person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate.

. In deciding defendants’ motions to dismiss, the court construes the complaint in the light most favorable to plaintiffs, accepts as true all well-pleaded factual allegations, and draws all reasonable inferences in plaintiffs' favor. Lovick v. Ritemoney Ltd., 378 F.3d 433, 437 (5th Cir.2004). The court does not, however, "rely upon conclusional allegations or legal conclusions that are disguised as factual allegations.” Jeanmarie v. United States, 242 F.3d 600, 602-03 (5th Cir.2001). The court recounts the factual allegations of plaintiffs’ amended complaints under these standards.

. The court addresses the following motions to dismiss in this opinion: (1) the vendor defendants' September 20, 2004 motion; (2) AAI’s September 20, 2004 motion; (3) American's September 23, 2004 motion; (4) American’s December 6, 2004 motion; (5) the vendor defendants' December 23, 2004 motion; and (6) AAI's December 27, 2004 motion. The court also considers the government’s second statement of interest, in which it supports dismissal of plaintiffs’ ECPA claim.

. A fundamental premise of this cause of action is that American provides an electronic communication service or remote computing service through its website or SABRE. Defendants seek dismissal of the § 2701- and § 2702-based claims on the ground that plaintiffs have failed sufficiently to allege that American provides either service. Although other courts have disposed of ECPA claims on this basis and the parties have extensively briefed the issue, the court need not decide it. Assuming arguendo that American provides an electronic communication service or a remote computing service within the meaning of §§ 2701, 2702, and 2707, the court holds for other reasons that plaintiffs have failed to state a claim for relief under the ECPA.

. Plaintiffs' amended complaints can be read to allege § 2701- and § 2702-based liability against all defendants, including § 2701 liability against American. Such a claim would seem to make little sense since American would apparently have plenary authority to access its own facility. Plaintiffs attempted to clarify during oral argument which constituent claims under the ECPA they assert against each defendant, and they confirmed that they do not allege a § 2701-based claim against American.

. Section 2701(a) provides:

Offense. — Except as provided in subsection (c) of this section whoever — (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

. Because defendants do not raise the issue, the court assumes arguendo that a person can be held liable under § 2707 for aiding and abetting a violation of the ECPA.

. Kimmell and Baldwin allege that the vendor defendants are liable under the ECPA directly and as aiders and abettors of and coconspirators with American. At oral argument, however, they only described the vendor defendants as being liable as aiders and abettors under § 2701. As the court later explains, plaintiffs have not stated an ECPA claim against the vendor defendants directly or as aiders and abettors or coconspirators.

. This reasoning applies with greater force to Rosenberg, because he alleges that "AAI operates, manages, maintains, or controls [American’s] Website in conjunction with American[.]” Rosenberg Am. Compl. ¶ 28.

. Although AAI has not included this precise ground in its motion to dismiss, the court may rely on it sua sponte as a basis for dismissal. See Coates v. Heartland Wireless Communications, Inc., 55 F.Supp.2d 628, 633 (N.D.Tex.1999) (Fitzwater, J.); Foreman v. Dallas County, Tex., 990 F.Supp. 505, 510 (N.D.Tex.1998) (Fitzwater, J.) (three-judge court). "Even if a party does not make a formal motion under Rule 12(b)(6), the district judge on his or her own initiative may note the inadequacy of the complaint and dismiss it for failure to state a claim as long as the procedure employed is fair to the parties.” 5B Charles A. Wright & Arthur R. Miller, Federal Practice and Procedure § 1357, at 409 (3d ed.2004). In this case, the court is granting plaintiffs leave to amend, and they can attempt to cure this deficiency in their amended complaint. If they conclude that they cannot cure this defect by amendment, then to ensure that the procedure is fair, the court will allow them 30 days from the date this opinion is filed to submit a brief that sets out their opposition to dismissing their § 2701 claim on this basis.

. Other courts have described the conduct that § 2701 prohibits as computer "hacking.” See, e.g., State Wide, 909 F.Supp. at 145 ("[I]t appears that the ECPA was' primarily designed to provide a cause of action against computer hackers, (i.e., electronic trespassers).”). Although plaintiffs allege that AAI "hacked” into American’s electronic communication service or remote computing service, see, e.g., Kimmell Am. Compl. ¶ 1, this is a conclusoiy assertion that the court need not accept for purposes of deciding defendants' Rule 12(b)(6) motion. See Lovick, 378 F.3d at 437.

. As noted supra at note 11, Kimmell and Baldwin allege that the vendor defendants are liable as aiders and abettors of and coconspir-ators with American, not AAI.

. 18 U.S.C. § 2702 provides, in pertinent part:

(a) Prohibitions. — Except as provided in subsection (b)—

(1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and

(2) a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service—

(A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such service;

(B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing; and

(3)a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.

(b) Exceptions for disclosure of communications. — A provider described in subsection (a) may divulge the contents of a communication—

(3) with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service!)]

. As explained supra at § 11(A), the vendor defendants cannot be held liable as alders and abettors or coconspirators because American is not liable under § 2702.

. Earlier cases refer to § 1305(a), which was recodified in 1994 with slight, nonsubstantive changes in language. See Lyn-Lea Travel Corp. v. Am. Airlines, Inc., 283 F.3d 282, 286 n. 4 (5th Cir.2002). For example, § 1305(a) uses "relating to" rather than "related to," as does § 41713(b)(1).

. The court considers plaintiffs' unjust enrichment claim in tandem with their tort claims because the elements of unjust enrichment are defined by state law and are not self-imposed contractual duties. See All World Prof'l Travel Servs., Inc. v. Am. Airlines, Inc., 282 F.Supp.2d 1161, 1169 (C.D.Cal.2003).

. They also argue that defendants fail to articulate how providing communications containing PNR data to the vendor defendants relates to or constitutes a service. This contention lacks force. The disclosure of such information need not constitute a service, it need only relate to one. And for reasons the court will explain, the court concludes that it does relate to a service that American provides its customers.

. The question whether plaintiffs’ claims are expressly preempted is one of federal law. Accordingly, the law of this circuit controls the disposition of defendants’ motions filed in Rosenberg, even though the case was filed initially in the Eastern District of New York. See, e.g., In re Temporomandibular Joint (TMJ) Implants Prods. Liability Litig., 97 F.3d 1050, 1055 (8th Cir.1996) (“When analyzing questions of federal law, the transferee court should apply the law of the circuit in which it is located.” (citing In re Korean Air Lines Disaster, 829 F.2d 1171, 1176 (D.C.Cir.1987), aff'd, 490 U.S. 122, 109 S.Ct. 1676, 104 L.Ed.2d 113 (1989))).

. In Morales the Supreme Court looked to preemption under § 514(a) of the Employee Retirement Income Security Act of 1974 ("ERISA”), 29 U.S.C. § 1144(a), which preempts all state laws "insofar as they ... relate to any employee benefit plan[,]” to determine the reach of ADA preemption. Morales, 504 U.S. at 384, 112 S.Ct. 2031 ("Since the relevant language of the ADA is identical, we think it appropriate to adopt the same standard here[.]”). Plaintiffs challenge defendants' reliance on Hodges on the ground that it predates De Buono v. NYSA-ILA Medical and Clinical Services Fund, 520 U.S. 806, 117 S.Ct. 1747, 138 L.Ed.2d 21 (1997), in which the Supreme Court narrowed the reach of ERISA preemption. Plaintiffs maintain that De Buono, in turn, implicitly restricts the breadth of ADA preemption. The court declines to adopt plaintiffs' argument because Morales has direct application to the present case, and the Supreme Court has yet to state that Morales is no longer binding in the context of ADA preemption. See Agostini v. Felton, 521 U.S. 203, 237, 117 S.Ct. 1997, 138 L.Ed.2d 391 (1997) ("We reaffirm that '[i]f a precedent of this Court has direct application in a case, yet appears to rest on reasons rejected in some other line of decisions, the [lower court] should follow the case which directly controls, leaving to this Court the prerogative of overruling its own decisions.’ ” (quoting Rodriguez de Quijos v. Shearson/Am. Express, Inc., 490 U.S. 477, 484, 109 S.Ct. 1917, 104 L.Ed.2d 526 (1989))); see also United Airlines, Inc. v. Mesa Airlines, Inc., 219 F.3d 605, 608-09 (7th Cir.2000) (holding that court is not able to conclude that recent ERISA cases have .overruled Morales, and noting that "[o]ur inarching orders are clear: follow decisions until the Supreme Court overrules them”).

. As the court explains infra at § 111(A)(3), this reasoning does not extend to an airline’s self-imposed contractual undertakings.

. Plaintiffs bring their breach of contract claim only against American.

. All defendants move to dismiss all of plaintiffs’ claims on this basis. The court considers this contention only in regard to the breach of contract claim against American because it is the only claim that is not preempted.