Circuit Clarifies Time Limit for Computer Hacking Suits

August 18, 2015

Computer hacking historically has been seen as the province of lowlife criminals existing in the darkened recesses of some faraway place looking to make a dishonest buck. However, as individuals increase their online presence and, thereby, their digital vulnerability, unauthorized access to a person’s computers and to email and social media accounts is increasingly being used as a tool by people in the “real world” to cause vengeance and mischief. Federal laws, such as the Computer Fraud and Abuse Act (CFAA) and the Stored Communications Act (SCA), originally enacted to combat the former scenario by criminalizing it1 and by providing certain civil remedies to victims,2 increasingly are being applied to personal disputes.

One case of an alleged personal vendetta is Sewell v. Bernardin,3 in which the U.S. Court of Appeals for the Second Circuit explored application of the statutes of limitations for civil lawsuits under the CFAA and SCA—an issue of first impression in the circuit. The decision is notable not just for the guidance it provided regarding the operation of the statutes of limitations for civil lawsuits under those federal laws but also for the many issues that the Second Circuit left open for consideration on another day.

Background

The plaintiff, Chantay Sewell, alleged that she and Phil Bernardin were involved in a “romantic relationship” from in or about 2002 until 2011. She said that she maintained a private email account with AOL and a private social media account with Facebook through 2012, that she did not knowingly share her account passwords with Bernardin or any other person, and that she was the only authorized user of each account.

According to Sewell, on Aug. 1, 2011 she discovered that she was unable to log into her AOL email account because her password had been altered. She claimed that the same month, malicious statements regarding her sexual activities and certain sexually transmitted diseases were emailed to various family members and friends via her “own contacts list maintained privately within her email account.”

Sewell also asserted that, on Feb. 24, 2012, she was unable to log into her Facebook account because its password, too, had been altered. Sewell alleged that, on March 1, 2012, someone other than she posted a public message from her Facebook account containing malicious statements, again concerning her sex life.

As a basis for her suit, Sewell alleged that Bernardin had obtained her AOL and Facebook passwords without her permission while a guest in her house. She moreover claimed that Verizon Internet records confirmed that Bernardin’s computer was used to gain access to the servers on which Sewell’s AOL and Facebook accounts were stored. She alleged that, once accessed, Bernardin changed her passwords, obtained access to Sewell’s electronic communications and other personal information, and sent messages purporting to be from Sewell.

On Jan. 2, 2014, Sewell filed a lawsuit against Phil Bernardin, alleging violations of the CFAA and the SCA.4 The district court granted Bernardin’s motion to dismiss, holding that Sewell’s claims were time barred under the applicable two year statutes of limitations in the CFAA5 and SCA.6 It found that Sewell had been “aware that the integrity of her computer” had been compromised as of Aug. 1, 2011. The district court reasoned that Sewell’s discovery on Aug. 1, 2011, which related to the alleged unauthorized use of her AOL account, had provided her with a reasonable opportunity to discover the full scope of Bernardin’s alleged illegal activity more than two years before she had filed her suit.

Sewell appealed to the Second Circuit.

The Second Circuit’s Decision

The Second Circuit affirmed in part (regarding Sewell’s AOL account) and reversed in part (regarding Sewell’s Facebook account). Inherent to the Second Circuit’s decision was the distinction between Sewell’s claims predicated on Bernardin’s unauthorized access to the AOL and Facebook servers, as opposed to any claim that Sewell might have asserted based on Bernardin’s allegedly unauthorized access to Sewell’s own computer that enabled him to obtain her passwords.

The circuit court reasoned that Sewell had discovered the “damage” to her AOL account for CFAA purposes on Aug. 1, 2011, when she had learned that she could not log into her AOL email account. The circuit court said that it was “of no moment” that she may not have known exactly what happened—the CFAA’s statute of limitations had begun to run when Sewell had learned that the integrity of the AOL account had been impaired.

The Second Circuit also ruled that the SCA’s statute of limitations relating to her AOL account had begun to run at that time, too, because that was when Sewell “first … had a reasonable opportunity to discover” that someone had “intentionally access[ed] [her AOL account] without authorization.”

Therefore, the circuit court decided, the two-year statutes of limitations had run on Sewell’s CFAA and SCA claims with regard to her AOL account by the time she had filed her lawsuit, on Jan. 2, 2014.

The Second Circuit reached a different result with respect to Sewell’s Facebook-related claims, finding that her CFAA and SCA claims had accrued on Feb. 24, 2012 when she alleged that she had “discovered that she could no longer log into or access her account with www.facebook.com because her password [had been] altered.” The circuit court ruled that, taking these allegations as true, there would have been no damage, for CFAA purposes, or violation, for SCA purposes, for Sewell to discover with respect to her Facebook account before that date, which was less than two years before she brought her suit.

Importantly, the Second Circuit disagreed with the district court’s conclusion that Sewell had been aware that the integrity of her “computer” had been compromised as of Aug. 1, 2011. Rather, the Second Circuit said, she had “discovered only that the integrity of her AOL account had been compromised as of that time.” Sewell’s CFAA claim was premised on impairment to the integrity of the servers owned and operated by AOL or Facebook on which Sewell’s accounts resided and not of her own physical computer, the circuit court explained. As a result, the Second Circuit found that Sewell had “two separate CFAA claims, one that accrued on Aug. 1, 2011, when she found out that she could not access her AOL account, and one that accrued on Feb. 24, 2012, when she found out that she could not access her Facebook account.”

Relying on the same reasoning, the Second Circuit then found that Sewell’s Facebook-related SCA claim also was timely because she alleged that she was unable to log into her Facebook account on Feb. 24, 2012 and she “could not reasonably be expected to have discovered a violation” before that where, under the facts as she alleged in her complaint, a violation may not yet have occurred.

The Second Circuit concluded that it did not follow from the fact that Sewell had discovered that one account—her AOL email account—had been compromised that she had a reasonable opportunity to discover, or that she should be expected to have discovered, that another of her accounts—her Facebook account—might similarly have become compromised.

Conclusion

Although the Second Circuit’s decision provides clear guidance as to the criteria that should be considered for determining statutes of limitations accrual for CFAA and SCA claims, the Second Circuit identified but declined to resolve many potential issues that are likely to arise in future cases.

For example, the circuit court acknowledged that although the CFAA and SCA statutes of limitations were triggered by a prospective plaintiff’s discovery that his or her account had been hacked, the investigation necessary to uncover the hacker’s identity might take more than two years. Accordingly, the statute of limitations could expire before the hacker’s identity is discovered. Moreover, the Second Circuit noted that the problem may not be avoided by initiating litigation against Jane or John Doe defendants, given that Federal Rule of Civil Procedure 15(c) does not allow an amended complaint adding new defendants to relate back if the newly-added defendants were not named originally because the plaintiff did not know their identities.7 Accordingly, a CFAA or SCA claim could be time barred before a prospective plaintiff has a meaningful opportunity to initiate the claim.

The Second Circuit also declined to express any bright line rules as to accrual of the statute of limitations in future cases, stating “we express no view as to whether, in a different case under different facts, the mere inability to access an account without knowledge one’s password had been ‘altered’ would prove a plaintiff with an opportunity to discover an SCA violation.”

It likewise took no position as to whether multiple instances of unauthorized access to an account would constitute individual violations with individual accrual points for the statutes of limitations or provide any basis for tolling, such as for a continuing tort. As the parties had not addressed that issue on appeal in this case, determination of that issue and others will have to await another day.

Endnotes:

1. The CFAA criminalizes, inter alia, “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] … information from any protected computer,” 18 U.S.C. §1030(a)(2)(C), and “intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss,” 18 U.S.C. §1030(a)(5)(C). Under the SCA, it is a crime to:

  1. intentionally access without authorization a facility through which an electronic communication service is provided; or
  2. intentionally exceed an authorization to access that facility; and thereby obtain[], alter[], or prevent[] authorized access to a wire or electronic communication while it is in electronic storage in such system … .

18 U.S.C. §2701(a).

2. The CFAA provides a civil cause of action (so long as certain damage thresholds are met) to “[a]ny person who suffers damage or loss by reason of a violation of this section.” 18 U.S.C. §1030(g). The SCA also establishes a civil cause of action, including minimum damages per violation: “[A]ny … person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind” may file suit. 18 U.S.C. §2707(a).

3. No. 14-3143 (2d Cir. Aug. 4, 2015).

4. Previously, on May 15, 2013, Sewell commenced an action against Bernardin’s wife and “John Does 1-5” raising “startlingly similar” claims to those against Bernardin. On Sept. 27, 2013, Sewell settled her claim with Bernardin’s wife for $2,500, as a result of which judgment was entered on Sewell’s behalf. Bernardin did not, himself, participate in that earlier action.

5. A plaintiff bringing an action under the CFAA’s civil enforcement provision must do so “within 2 years of the date of the act complained of or the date of the discovery of the damage.” 18 U.S.C. §1030(g). “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. §1030(e)(8).

6. The SCA provides that “[a] civil action under this section may not be commenced later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.” 18 U.S.C. §2707(f).

7. See Barrow v. Wethersfield Police Dep’t, 66 F.3d 466 (2d Cir. 1995).

Reprinted with permission from the August 18, 2015 issue of the New York Law Journal.  All rights reserved.

Legal updates and news delivered to your inbox