The law reflects our values, and our power structure. When Kentucky physician David Dao was dragged off a United Airlines (UAL) flight by Chicago Aviation Police, most people saw outrageous conduct by the airline and possibly the police department.
Some saw an uncooperative passenger refusing to quietly exit a plane. What you see depends on how you feel about the situation. Nevertheless, there is no doubt that the incident was a public relations nightmare for United, exacerbated by its weak and somewhat feckless response to the hullabaloo. Correct response? A tweet that says, OMG!
The information security community can learn from this incident, because United actually had (mostly) every legal right to do what it did (mostly). But being right legally is not the same as being right. And that reflects more on the fact that the legal system is out of sync – in many cases – with what is right. The same is true for data breaches. Whether you should, or should not, notify customers about a data breach, and how to do so, should first be guided by a sense of what is right and thereafter by what is required.
Airplane Law
Airlines overbook and oversell flights to make up for the fact that some people don’t show up for the flight, and the airline can then keep the money from the no-show AND make money from someone who wants to pay for the empty seat. Federal law and United’s contract of carriage Rule 25 both provide that, where the flight is “oversold” the airline can first request volunteers, then offer compensation, and if there are no volunteers, can involuntarily deny boarding (or, in this case, remove someone from the plane.)
United’s policy (which is part of the contract you “agreed” to) is that disabled persons and unaccompanied minors have first dibs on staying on the plane, and after that, whether you get kicked off is dependent on the passenger’s fare class, itinerary, status of frequent flyer program membership, and the time in which the passenger presents him/herself for check-in without advanced seat assignment.
While United is required, in many cases, to pay compensation for those involuntarily denied boarding, this is not true in all cases.
Two US Supreme Court decisions impact this case. First, in Nader v. Allegheny Airlines, the Supreme Court held that the practice of overselling flights – something that would be criminal fraud if done by, for example, the theatrical production company of Bialystock and Bloom – is legal because the right to do so is in the contract of carriage.
So, while you THINK you have a seat on a plane, what you have is a license to possibly have a seat on a plane, if someone else with more frequent flyer points doesn’t want your seat. The second case, Morales v. Trans World Airlines, held that federal aviation laws give the FAA and the government the right to fine airlines. But it provides no “private right of action” by the customer against the airline, AND state laws (including state tort law, assault, and the like) cannot be enforced against airlines.
That case was used to dismiss a case against Northwest Airlines when it violated its own privacy policies, because the airline was not bound by its own policies not to use or sell personal information and federal law preempted state fraud law. So Dr. Dao has very limited remedies here.
While Dr. Dao could sue United for breach of contract, the contract reserves to UAL the right to kick him off the plane. Maybe. The problem for UAL is that the right to deny boarding in this case (as opposed to its right to deny boarding to passengers who are disruptive) is based on the fact that UAL “oversold” the flight – not that they “overbooked” the flight.
While the terms aren’t defined, the flight was not “oversold.” No paying passenger was waiting for a seat. Rather, UAL needed to get a crew to Kentucky for another flight, and was kicking Dr. Dao off to accommodate that crew.
Since the contract only provided UAL with a remedy for oversold flights, Dr. Dao could possibly sue UAL for breach of the contract of carriage – and receive any actual damages resulting from the two-hour delay. The real damages, injury, pain and suffering, embarrassment, etc., are likely damages in tort, and likely not recoverable under the Morales precedent.
Similarly, once UAL ordered Dao off the flight, he may have become a trespasser, who could be forcibly removed by the police. His resistance, or failure to cooperate, would justify some use of force. At least under the law. Not necessarily in public opinion.
So the law is stacked against the passenger. They have no right to the seat they paid for. They agreed to the terms of a contract they never saw which was written by lawyers for the airline and naturally favors the company. Federal law preempts state laws designed to protect consumers, and limits the remedy they can entertain. And the company can use the instrumentalities of the state (the police) to enforce their contract and property rights, even without any showing of a contract right to do what they did.
But public opinion is with the passenger. We’ve all been frustrated on airlines and mistreated by corporations. We understand where Dr. Dao is coming from, and empathize with him, even if few of us would have stood our ground and refused to leave the plane. We see his blood-streaked face and are outraged by the police use of force against a 69-year-old physician. We hear UAL’s tone-deaf response about “volunteers” and rebooking and are outraged.
Again, I am reminded of the quote that the definition of a gentleman is a person who knows how to play the accordion, but doesn’t. Just because you have a right to do something, does not mean that you should do it.
Lessons for Incident Response
Most infosec specialists only interact with the consuming public when things go wrong. Usually that means either a DDoS attack, ransomware attack, or a data breach. Recognize that consumers will have expectations of companies that handle their data – and that these expectations may or may not be reasonable.
Sometimes they want an explanation for what happened. Sometimes they want a remedy for what happened. Sometimes they want assurances that it won’t happen again. Sometimes they want to vent their anger or frustration. And sometimes they just want someone to listen to them and empathize.
The UAL incident also reflects the fact that the “legal” and “corporate” response to an incident may not satisfy these diverse consumer needs. While hindsight is 20/20, a more empathetic response by the UAL CEO might simply have been to say, “OMG! I saw that video and was shocked. Let me look into it,” and to assure everyone that the company will do the right thing by the passenger and others. This way, UAL shares the initial reaction that many felt, but has the opportunity to come back later to mitigate or explain its own actions, and to define what the “right thing” is. It would also perfectly match the sentiment of many who saw the video.
Incident response and crisis communications are NOT an exact science. They are an art form, which includes elements of compliance, forensics, social media, and a lot of luck. Remember, you can never really do the right thing when responding to an incident. Ultimately, your job is to do the least wrong thing. And hope it works.