Monday, August 31, 2015

The Passwords, the Computer Fraud and Abuse Act and the Statute of Limitations

This post examines an opinion issued in a case in which a woman – Chantay Sewell -- sued “her former boyfriend, . . . Phil Bernardin,” alleging that he “had gained access to her e-mail and Facebook accounts without her permission and therefore in violation of the [Computer Fraud and Abuse Act] and the [Stored Communications Act]. Sewell v. Bernardin, 2015 WL 4619519 (U.S. Court of Appeals for the 2d Circuit 2015).
Both the Computer Fraud and Abuse Act [CFAA] and the Stored Communications Act [SCA] are primarily “criminal” statutes, in that if you violate their provisions with the requisite intent, you can, and may very well be, prosecuted in federal court by an Assistant U.S.Attorney.  But each also creates a civil cause of action so that those who have been the target of conduct that violates either statute (or both statutes) can sue for damages.  Federal criminal statutes, at least, often include a private cause of action; the premise is that citizens who have been the target of a violation of either statute (or both statutes) can sue for damages, which provides a supplemental enforcement method. The theory is that, since prosecutors probably cannot prosecute every violation of either statute or both statutes, allowing civil enforcement suits supplements enforcement of either or both statutes. This practice is known as enabling private attorney generals and you can,, if you are interested, read a Wikipedia entry about this here.
And that brings us to the facts that resulted in this case. As the Court of Appeals explains,
[i]n order to resolve this appeal, we address a matter of first impression in this Circuit: the operation of the statutes of limitations applicable under the civil enforcement provisions of the Computer Fraud and Abuse Act (CFAA), 18 U.S. Code § 1030, and the Stored Communications Act (SCA), 18 U.S. Code §2701, et seq. A plaintiff bringing an action under the CFAA's civil enforcement provision must do so `within 2 years of the date of the act complained of or the date of the discovery of the damage.’ 18 U.S. Code § 1030(g). The SCA provides that `[a] civil action under this section may not be commenced later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.’ 18 U.S. Code § 2707(f).

The plaintiff, Chantay Sewell, filed suit under both statutes alleging that her former boyfriend, defendant Phil Bernardin, had gained access to her e-mail and Facebook accounts without her permission and therefore in violation of the CFAA and the SCA. She asserts that she discovered that she could not log into her www.aol.com (AOL.) e-mail account on or about August 1, 2011 `because her password was altered.’ Complaint ¶ 11 (J.A. 5). More than six months later, on or about February 24, 2012, she contends, she discovered that she could not log into her www.facebook.com (`Facebook’) account `because her password was altered.’ Complaint ¶ 12 (J.A. 5). The district court granted Bernardin's motion to dismiss Sewell's claims as untimely, and Sewell appealed. 
Sewell v. Bernardin, supra.
The Court of Appeals began its analysis of Sewell’s appeal by explaining that
[w]e accept as true at this stage of the proceedings all facts alleged in Sewell's complaint. See Town of Babylon v. Fed. Housing Finance Agency, 699 F.3d 221 (U.S. Court of Appeals for the 2d Circuit 2012). According to those allegations, Sewell and Bernardin were involved in a `romantic relationship' from in or about 2002 until 2011. Sewell maintained a private e-mail account with AOL and a private social media account with Facebook, including in 2011 and 2012. She did not knowingly share her account passwords with Bernardin or any other person and was the only authorized user of each account.

On or about August 1, 2011, Sewell discovered that her AOL password had been altered, and she was therefore unable to log into her AOL e-mail account. That same month, malicious statements about her sexual activities were e-mailed to various family members and friends `via Sewell's own contacts list maintained privately within her email account.’ Complaint ¶ 19 (J.A. 6).

On February 24, 2012, Sewell found herself unable to log into her Facebook account. Then, on March 1, 2012, someone other than she posted a public message from her Facebook account containing malicious statements, again concerning Sewell's sex life. Sewell alleges that Bernardin obtained her AOL and Facebook passwords without her permission while he was a guest in her home. Verizon Internet records confirmed that Bernardin's computer was used to gain access to the servers on which Sewell's accounts were stored. He then changed her AOL and Facebook passwords. Bernardin allegedly thereby obtained access to Sewell's electronic communications and other personal information and sent messages purporting to be from her.
Sewell v. Bernardin, supra. The court included two footnotes in the passage quoted above:  The first said, “Sewell's characterization of her relationship with Bernardin is contained in an affidavit filed with the district court on February 14, 2014.” Sewell v. Bernardin, supra. The
second footnote said “[i]n her complaint, Sewell describes an e-mail sent in or around August 2011 using her personal contacts list as containing `malicious statements toward Sewell regarding certain sexually transmitted diseases and sexual activities.’”  Sewell v. Bernardin, supra.
The opinion then went on to explain that
[o]n May 15, 2013, Sewell filed a separate suit against Bernardin's wife, Tara Bernardin, and `John Does # 1–5,’ apparently believing that Tara Bernardin and others unknown to her had gained access to her Internet accounts. The complaint raised claims strikingly similar to those that she is pursuing in the instant action. Tara Bernardin settled her suit with Sewell on September 27, 2013, and the court accordingly entered judgment in Sewell's favor shortly thereafter.

Several months later, on January 2, 2014, Sewell filed the instant action against Phil Bernardin, alleging violations of the SCA and CFAA. On August 2, 2014, the United States District Court for the Eastern District of New York (Arthur D. Spatt, Judge ) granted Bernardin's motion to dismiss, holding that Sewell's claims were time-barred under the CFAA's and SCA's applicable two-year statutes of limitations. This appeal followed.
Sewell v. Bernardin, supra.
The Court of Appeals then began its analysis of the issues in this case, explaining that
[w]e review the grant of a motion to dismiss under Federal Rule of Civil Procedure12(b)(6) de novo, `accepting as true factual allegations made in the complaint, and drawing all reasonable inferences in favor of the plaintiff[ ].’ Town of Babylon v. Federal Housing Finance Agency, 699 F.3d 221 (U.S. Court of Appeals for the 2d Circuit 2012).  `Dismissal under Federal Rules of Civil Procedure Rule 12(b)(6) is appropriate when a defendant raises a statutory bar,’ such as lack of timeliness, `as an affirmative defense and it is clear from the face of the complaint, and matters of which the court may take judicial notice, that the plaintiff's claims are barred as a matter of law.’ Staehr v. Hartford Financial Services Group, 547 F.3d 406 (U.S. Court of Appeals for the 2d Circuit 2008). 
Sewell v. Bernardin, supra.  Rule 12(b)(6), which you can find here, says that a party to litigation (usually a defendant) can assert the defense that the plaintiff’s Complaint “fails to state a claim upon which relief can be granted.” You can read more about Rule 12(b)(6) motions here.
Next, the Court of Appeals summarized the relevant provisions of the CFAA and the SCA and noted the length and “tolling” of the pertinent statute of limitations for each statute. Sewell v. Bernardin, supra.  It began with the CFAA, explaining that the
CFAA criminalizes, inter alia, `intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain [ing] . . . information from any protected computer,’ 18 U.S. Code § 1030(a)(2)(C), and `intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss.’  18 U.S. Code § 1030(a)(5)(C).

The statute also provides a civil cause of action to `[a]ny person who suffers damage or loss by reason of a violation of this section.’ 18 U.S. Code § 1030(g). To be timely, such a civil suit must be filed `within 2 years of the date of the act complained of or the date of the discovery of the damage’ 18 U.S. Code § 1030(g). `Damage’ . . . is defined as `any impairment to the integrity or availability of data, a program, a system, or information.’ 18 U.S. Code § 1030(e)(8) The statute of limitations under the CFAA accordingly ran from the date that Sewell discovered that someone had impaired the integrity of each of her relevant Internet accounts.
Sewell v. Bernardin, supra. 
The court then did the same for the SCA, explaining that under the SCA it is a crime to:
(1)  intentionally access[ ] without authorization a facility through which an electronic communication service is provided; or
 (2) intentionally exceed[ ] an authorization to access that facility; and thereby obtain[ ], alter[ ], or prevent[ ] authorized access to a wire or electronic communication while it is in electronic storage in such system. . . .
Sewell v. Bernardin, supra (quoting 18 U.S. Code § 2701(a)).  It went on to explain that
[a]s with the CFAA, the SCA establishes a civil cause of action. `[A]ny . . . person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind’ may file suit. 18 U.S. Code § 2707(a). A civil action under this section must be commenced no 1later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.’ 18U.S. Code § 2707(f).

In other words, the limitations period begins to run when the plaintiff discovers that, or has information that would motivate a reasonable person to investigate whether, someone has intentionally accessed the `facility through which an electronic communication service is provided’ and thereby obtained unauthorized access to a stored electronic communication. 18 U.S. Code § 2701(a).
Sewell v. Bernardin, supra.
The Court of Appeals then took up the issue involved in Sewell’s appeal, noting that
[t]he district court granted Bernardin's motion to dismiss Sewell's claims as untimely based on the court's conclusion that Sewell was `aware that the integrity of her computer had been compromised’ as of August 1, 2011. Sewell v. Bernardin, 50 F.Supp.3d 204 (U.S. District Court for the Eastern District of New York 2014). The court reasoned that Sewell's August 1, 2011, discovery—which related to the unauthorized use of her AOL account—provided her with a reasonable opportunity to discover the full scope of Bernardin's alleged illegal activity more than two years before she brought this suit on January 2, 2014. We agree with the district court as its decision related to Sewell's AOL account, but disagree with it as it related to her Facebook account.

Sewell discovered the `damage’ to her AOL account for CFAA purposes on August 1, 2011, when she learned that she could not log into her AOL e-mail account. That she may not have known exactly what happened or why she could not log in is of no moment. The CFAA's statute of limitations began to run when Sewell learned that the integrity of her account had been impaired.
Sewell v. Bernardin, supra.
The court then pointed out that Sewell’s
CFAA and SCA claims with regard to her AOL account were first made on January 2, 2014, and were premised on damage and unauthorized access to her AOL account which she had or should have discovered some two years and five months earlier. The two-year statutes of limitations had therefore run.
Sewell v. Bernardin, supra.  In a footnote, the court points out that
[a]lthough the complaint alleges that Sewell's AOL account was improperly accessed on multiple occasions subsequent to August 1, 2011, Sewell does not raise any arguments on appeal with respect to these alleged violations. We thus take no position as to whether claims based on those subsequent violations would be timely under the CFAA or the SCA, or whether such claims would otherwise survive Bernardin's motion to dismiss.
Sewell v. Bernardin, supra.
The Court of Appeals then took up her Facebook claims, noting that Sewell’s
Facebook-related claims, by contrast, appear to have accrued on or about February 24, 2012. Her complaint alleges that she `was the sole authorized user of’ her Facebook account. . . . On or about `February 24, 2012, [she] discovered that she could no longer log into or access her account with www.facebook.com because her password [had been] altered.’ . . .  

There is nothing in the facts as alleged in the complaint from which to infer that anyone gained unauthorized access to her Facebook account before then. Thus, taking these allegations as true, there would have been no damage, for CFAA purposes, or violation, for SCA purposes, for Sewell to discover with respect to her Facebook account before that date, which was less than two years before the suit was brought.
Sewell v. Bernardin, supra.
The court went on to explain that
[t]he fact that Sewell had discovered `damage’ to her AOL account based on her inability to access AOL's computer servers at an earlier date does not lead to a different result. Contrary to the district court's remark, Sewell did not allegedly discover `that the integrity of her computer had been compromised’ as of August 1, 2011. Sewell v. Bernardin, 50 F.Supp.3d 204 (U.S. District Court for the Eastern District of New York August 2014) (emphasis added). She discovered only that the integrity of her AOL account had been compromised as of that time.

Her CFAA claim accordingly is premised on impairment to the integrity of a computer owned and operated by AOL, not of her own physical computer. As a result, Sewell has two separate CFAA claims, one that accrued on August 1, 2011, when she found out that she could not access her AOL account, and one that accrued on February 24, 2012, when she found out that she could not access her Facebook account.
Sewell v. Bernardin, supra.
The Court of Appeals then took up Sewell’s “Facebook-related SCA claim”, noting that,
[l]ike her Facebook-related CFAA claim, [this] claim is also timely. Under the SCA, a civil plaintiff must file her claim within two years of discovery or a reasonable opportunity to discover intentional and unauthorized access to an electronic communication facility.

The district court concluded that Sewell `had a reasonable opportunity to discover the Defendant's illegal activity” vis-à-vis her Facebook account as of August 1, 2011. Sewell v. Bernardin, supra, 50 F.Supp.3d at 213. . . . But as we have noted, there is no allegation in the complaint that Sewell's Facebook account and the computer servers on which her information was stored were tampered with before February 24, 2012, when she alleges that she was unable to log into her Facebook account. She could not reasonably be expected to have discovered a violation that, under the facts as alleged in the complaint, had not yet occurred.
Sewell v. Bernardin, supra.
It also pointed out that the U.S. District Court Judge’s
conclusion may rest on the assumption that a plaintiff is on notice of the possibility that all of her passwords for all of the Internet accounts she holds have been compromised because one password for one Internet account was compromised. We do not think that that is a reasonable inference from the facts alleged in the complaint.

We take judicial notice of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different usernames and passwords, less than all of which may be compromised at any one time. At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account—AOL e-mail—had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts—Facebook—might similarly have become compromised.
Sewell v. Bernardin, supra.
And it explained that
[w]e pause to acknowledge that the statutes of limitations governing claims under the CFAA and SCA, as we understand them, may have troubling consequences in some situations. Even after a prospective plaintiff discovers that an account has been hacked, the investigation necessary to uncover the hacker's identity may be substantial. In many cases, we suspect that it might take more than two years. But it would appear that if a plaintiff cannot discover the hacker's identity within two years of the date she discovers the damage or violation, her claims under the CFAA and SCA will be untimely.
Sewell v. Bernardin, supra.
Finally, the Court of Appeals explained that Sewell
does have the option of initiating a lawsuit against a John or Jane Doe defendant, but she must still discover the hacker's identity within two years of discovery or a reasonable opportunity to discover the violation to avoid dismissal. This is because we have concluded `that Rule 15(c) does not allow an amended complaint adding new defendants to relate back if the newly-added defendants were not named originally because the plaintiff did not know their identities.’ Barrow v. Wethersfield Police Dep't, 66 F.3d 466, 470 (U.S. Court of Appeals for the 2d Circuit 1995).
Sewell v. Bernardin, supra.
The Court of Appeals therefore ordered that “[f]or the foregoing reasons, the judgment of the district court is AFFIRMED in part and VACATED and REMANDED in part for further proceedings.” Sewell v. Bernardin, supra.
You can, if you are interested, read more about this case in the news stories you can find here, here and here

No comments: