This post examines an opinion from the U.S. Court of Appeals
for the 2d Circuit: Sewell v. Bernardin, 795 F.3d 337 (2015). The court begins by explaining that
[i]n order to resolve this appeal, we
address a matter of first impression in this Circuit: the operation of the
statutes of limitations applicable under the civil enforcement provisions of
the Computer Fraud and Abuse Act (CFAA.), 18 U.S. Code § 1030, and the
Stored Communications Act (SCA.), 18 U.S. Code § 2701, et seq. A
plaintiff bringing an action under the CFAA's civil enforcement provision must
do so `within 2 years of the date of the act complained of or the date of the
discovery of the damage.’ 18 U.S. Code § 1030(g). The SCA provides that `[a]
civil action under this section may not be commenced later than two years after
the date upon which the claimant first discovered or had a reasonable opportunity
to discover the violation.’ 18 U.S. Code § 2707(f).
Sewell v. Bernardin,
supra.
The statutes cited above are statutes of limitations, and,
as Wikipedia explains,
[s]tatutes
of limitations are laws passed by a legislative body in common
law systems to set the maximum time after an event when legal proceedings
may be initiated. When the period of time specified in a
statute of limitations passes, a claim can no longer be filed. The intention of
these laws is to facilitate resolution in a reasonable length of time. .
. .
The court goes on to explain how, and why, this case arose:
[t]he plaintiff, Chantay Sewell, filed
suit under both statutes alleging that her former boyfriend, defendant Phil
Bernardin, had gained access to her e-mail and Facebook accounts without her
permission and therefore in violation of the CFAA and the SCA. She asserts that
she discovered that she could not log into her www.aol.com (AOL.) e-mail account
on or about August 1, 2011 `because her password was altered.’ Complaint ¶ 11.
. . . More than six months later, on or about February 24, 2012, she contends,
she discovered that she could not log into her www.facebook.com (`Facebook’)
account `because her password was altered.’ . . .
The district court granted Bernardin's
motion to dismiss Sewell's claims as untimely, and Sewell appealed. Because
Sewell filed suit on January 2, 2014, we conclude that her claims relating to
Bernardin's alleged unlawful access of her e-mail account are time-barred, but
that her claims relating to his alleged unlawful access of her Facebook account
were timely filed.
Sewell v. Bernardin,
supra. You can, if you are
interested, read more about how and why this case arose in the news stories you
can find here, here and here.
As Wikipedia explains, when a plaintiff (the person who
files a civil suit) initiates a lawsuit, the defendant, the person who is being
sued, can file a motion to dismiss the suit under Rule 12(b)(6) of the Federal
Rules of Civil Procedure for failing to state a cause of action upon which
relief can be granted. Having lost at
the District Court level, Sewell is arguing that the court erroneously granted
Bernardin’s motion to dismiss.
The Court of Appeals then takes up Sewell’s argument,
explaining that
[w]e accept as true at this stage of
the proceedings all facts alleged in Sewell's complaint. See Town
of Babylon v. Fed. Hous. Fin. Agency, 699 F.3d 221 (U.S. Court of
Appeals for the 2d Circuit 2012). According to those allegations, Sewell and
Bernardin were involved in a `romantic relationship’ from in or about 2002
until 2011. Sewell maintained a private e-mail account with AOL and a private
social media account with Facebook, including in 2011 and 2012. She did not
knowingly share her account passwords with Bernardin or any other person and
was the only authorized user of each account.
On or about August 1, 2011, Sewell
discovered that her AOL password had been altered, and she was therefore unable
to log into her AOL e-mail account. That same month, malicious statements
about her sexual activities were e-mailed to various family members and
friends `via Sewell's own contacts list maintained privately within her email
account.’ Complaint ¶ 19 . . . .
Sewell v. Bernardin,
supra.
The Court of Appeals goes on to explain that
[o]n February 24, 2012, Sewell found
herself unable to log into her Facebook account. Then, on March 1, 2012,
someone other than she posted a public message from her Facebook account
containing malicious statements, again concerning Sewell's sex life.
Sewell alleges that Bernardin obtained
her AOL and Facebook passwords without her permission while he was a guest in
her home. Verizon Internet records confirmed that Bernardin's computer was used
to gain access to the servers on which Sewell's accounts were stored. He then
changed her AOL and Facebook passwords. Bernardin allegedly thereby obtained
access to Sewell's electronic communications and other personal information and
sent messages purporting to be from her.
On May 15, 2013, Sewell filed a
separate suit against Bernardin's wife, Tara Bernardin, and `John Does # 1–5,’
apparently believing that Tara Bernardin and others unknown to her had gained
access to her Internet accounts. The complaint raised claims strikingly similar
to those that she is pursuing in the instant action. Tara Bernardin settled her
suit with Sewell on September 27, 2013, and the court accordingly entered
judgment in Sewell's favor shortly thereafter. Several months later, on January
2, 2014, Sewell filed the instant action against Phil Bernardin, alleging
violations of the SCA and CFAA.
On August 2, 2014, the United States
District Court for the Eastern District of New York . . . granted Bernardin's
motion to dismiss, holding that Sewell's claims were time-barred under the
CFAA's and SCA's applicable two-year statutes of limitations. This appeal
followed.
Sewell v. Bernardin,
supra.
The court began its analysis of the arguments in this case
by explaining that
[w]e review the grant of a motion to
dismiss under Federal Rule of Civil Procedure 12(b)(6) de novo, `accepting
as true factual allegations made in the complaint, and drawing all reasonable
inferences in favor of the plaintiff[ ].’ Town of Babylon v. Fed. Hous.
Fin. Agency, supra. `Dismissal under Fed.R.Civ.P. 12(b)(6) is appropriate
when a defendant raises a statutory bar,’ such as lack of timeliness, `as an
affirmative defense and it is clear from the face of the complaint, and matters
of which the court may take judicial notice, that the plaintiff's claims are
barred as a matter of law.’ Staehr v. Hartford Financial Services
Group, 547 F.3d 406 (U.S. Court of Appeals for the 2d Circuit 2008).
Sewell v. Bernardin,
supra.
The court then outlined the applicable statute of
limitations under both statutes, starting with the Computer Fraud and Abuse
Act:
The CFAA criminalizes, inter
alia, `intentionally access[ing] a computer without authorization or
exceed[ing] authorized access, and thereby obtain[ing] . . . information from
any protected computer,’ 18 U.S. Code § 1030(a)(2)(C), and `intentionally
access[ing] a protected computer without authorization, and as a result of such
conduct, caus[ing] damage and loss,’ 18 U.S. Code § 1030(a)(5)(C).
The statute also provides a civil cause
of action to `[a]ny person who suffers damage or loss by reason of a violation
of this section.’ 18 U.S. Code §
1030(g). To be timely, such a civil suit must be filed `within 2 years of the
date of the act complained of or the date of the discovery of the damage.’ 18 U.S. Code § 1030(g). `Damage,’ in
turn, is defined as `any impairment to the integrity or availability of data, a
program, a system, or information.’ 18
U.S. Code § 1030(e)(8). The statute of limitations under the CFAA
accordingly ran from the date that Sewell discovered that someone had impaired
the integrity of each of her relevant Internet accounts.
Sewell v. Bernardin,
supra.
It then did the same for the Stored Communications Act,
noting that under the SCA, it is a crime to:
(1) intentionally access[ ] without authorization
a facility through which an electronic communication service is provided; or
(2) intentionally exceed[ ] an
authorization to access that facility; and thereby obtain[ ], alter[ ], or
prevent[ ] authorized access to a wire or electronic communication while it is
in electronic storage in such system. . . .
18 U.S. Code § 2701(a).
As with the CFAA, the SCA establishes a civil cause of
action:
[A]ny
. . . person aggrieved by any violation
of this chapter in which the conduct constituting the violation is engaged in
with a knowing or intentional state of mind’ may file suit. 18 U.S. Code §
2707(a). A civil action under this section must be commenced no `later than two
years after the date upon which the claimant first discovered or had a reasonable
opportunity to discover the violation.’
18 U.S. Code § 2707(f).
In other words, the limitations period
begins to run when the plaintiff discovers that, or has information that would
motivate a reasonable person to investigate whether, someone has intentionally
accessed the `facility through which an electronic communication service is
provided’ and thereby obtained unauthorized access to a stored electronic
communication. 18 U.S. Code § 2701(a).
Sewell v. Bernardin,
supra.
The court then analyzed the extent to which Sewell’s claims
against Bernardin complied with these statutes of limitations:
The District Court Judge granted
Bernardin's motion to dismiss Sewell's claims as untimely based on the court's
conclusion that Sewell was `aware that the integrity of her computer had been
compromised’ as of August 1, 2011. Sewell v. Bernardin, 50 F.
Supp. 3d 204, 212 (U.S. District Court for the Eastern District of New York 2014).
The court reasoned that Sewell's August 1, 2011, discovery—which related to the
unauthorized use of her AOL account—provided her with a reasonable opportunity
to discover the full scope of Bernardin's alleged illegal activity more than
two years before she brought this suit on January 2, 2014. We agree with
the district court as its decision related to Sewell's AOL account, but
disagree with it as it related to her Facebook account.
Sewell v. Bernardin,
supra.
It went on to point out that Sewell
discovered the `damage’ to her AOL
account for CFAA purposes on August 1, 2011, when she learned that she could
not log into her AOL e-mail account. That she may not have known exactly what
happened or why she could not log in is of no moment. The CFAA's statute of
limitations began to run when Sewell learned that the integrity of her account
had been impaired.
The SCA's statute of limitations began
to run when Sewell `first . . . had a reasonable
opportunity to discover,’ 18 U.S. Code § 2707(f) that someone had `intentionally
access[ed] [her AOL account] without authorization,’ 18 U.S. Code §
2701(a). She had such an opportunity as soon as she discovered that she could
not obtain access to that account because her password had been `altered’
inasmuch as, accepting her other allegations as true, further investigation
would have led her to Bernardin.
Sewell's CFAA and SCA claims with
regard to her AOL account were first made on January 2, 2014, and were premised
on damage and unauthorized access to her AOL account which she had or should
have discovered some two years and five months earlier. The two-year statutes of
limitations had therefore run.
Sewell v. Bernardin,
supra.
The Court of Appeals then addressed Sewell’s Facebook claims,
which it said
appear to have accrued on or about
February 24, 2012. Her complaint alleges that she `was the sole authorized user
of’ her Facebook account. Compl. ¶ 10. . . On or about `February 24, 2012,
[she] discovered she could no longer log into or access her account with www.facebook.com
because her password [had been] altered.’ Compl. ¶ 12. . . . There is nothing
in the facts as alleged in the complaint from which to infer that anyone gained
unauthorized access to her Facebook account before then. Thus, taking these
allegations as true, there would have been no damage, for CFAA purposes, or
violation, for SCA purposes, for Sewell to discover with respect to her
Facebook account before that date, which was less than two years before the
suit was brought.
Sewell v. Bernardin, supra.
It went on to explain that the
fact that Sewell had discovered
`damage’ to her AOL account based on her inability to access AOL's computer
servers at an earlier date does not lead to a different result. Contrary to the
district court's remark, Sewell did not allegedly discover `that the integrity
of her computer had been compromised” as of August 1,
2011. . . . She discovered only that the integrity of her AOL
account had been compromised as of that time. Her CFAA claim
accordingly is premised on impairment to the integrity of a computer owned and
operated by AOL, not of her own physical computer.
As a result, Sewell has two separate
CFAA claims, one that accrued on August 1, 2011, when she found out that she
could not access her AOL account, and one that accrued on February 24, 2012,
when she found out that she could not access her Facebook account.
Sewell v. Bernardin,
supra (emphasis in the original).
The court then pointed out that
[l]ike her Facebook-related CFAA claim,
Sewell's Facebook-related SCA claim is also timely. Under the SCA, a civil
plaintiff must file her claim within two years of discovery or a reasonable
opportunity to discover intentional and unauthorized access to an electronic
communication facility. The District Court Judge concluded that Sewell `had a
reasonable opportunity to discover the Defendant's illegal activity’ vis-à-vis
her Facebook account as of August 1, 2011. . . . But as we have
noted, there is no allegation in the complaint that Sewell's Facebook account
and the computer servers on which her information was stored were tampered with
before February 24, 2012, when she alleges that she was unable to log into her
Facebook account. She could not reasonably be expected to have discovered a
violation that, under the facts as alleged in the complaint, had not yet
occurred.
The district court's conclusion may
rest on the assumption that a plaintiff is on notice of the possibility that
all of her passwords for all of the Internet accounts she holds have been
compromised because one password for one Internet account was compromised. We
do not think that that is a reasonable inference from the facts alleged in the
complaint. We take judicial notice of the fact that it is not uncommon for one
person to hold several or many Internet accounts, possibly with several or many
different usernames and passwords, less than all of which may be compromised at
any one time. At least on the facts as alleged by the plaintiff, it does not
follow from the fact that the plaintiff discovered that one such account—AOL
e-mail—had been compromised that she thereby had a reasonable opportunity to
discover, or should be expected to have discovered, that another of her
accounts—Facebook—might similarly have become compromised.
Sewell v. Bernardin, supra.
The Court of Appeals then “pause[d]” to
acknowledge that the statutes of
limitations governing claims under the CFAA and SCA, as we understand them, may
have troubling consequences in some situations. Even after a prospective
plaintiff discovers that an account has been hacked, the investigation
necessary to uncover the hacker's identity may be substantial. In many cases,
we suspect that it might take more than two years. But it would appear that if
a plaintiff cannot discover the hacker's identity within two years of the date
she discovers the damage or violation, her claims under the CFAA and SCA will
be untimely.
The plaintiff does have the option of
initiating a lawsuit against a Jane or John Doe defendant, but she must still
discover the hacker's identity within two years of discovery or a reasonable
opportunity to discover the violation to avoid dismissal. This is because we
have concluded `that Rule 15(c) does not allow an amended complaint adding new
defendants to relate back if the newly-added defendants were not named
originally because the plaintiff did not know their identities.’ Barrow
v. Wethersfield Police Dep't, 66 F.3d 466 (U.S. Court of Appeals for
the 2d Circuit 1995).
Sewell v. Bernardin,
supra.
The appellate court therefore affirmed the judgment of the
District Court Judge “in part” and “vacated and remanded” the case “in part for
further proceedings.” Sewell v. Bernardin,
supra.