Every now and then, a court issues a decision that is as interesting for its facts as it is for the import of its legal holding. The Second Circuit Court of Appeals recently issued such a decision involving application of the respective statutes of limitation for private claims made under the Stored Communications Act (“SCA”) and the Computer Fraud and Abuse Act (“CFAA”).
The facts of Sewell v. Bernadin (decided August 4, 2015) are not complicated. In August 2011, the plaintiff discovered that her AOL email account password had been changed without her permission and she could not gain access to her account. She also discovered that malicious statements regarding her sexual activities had been emailed to some of her private contacts. Then, in February 2012, she found herself unable to log onto her Facebook account, and in March 2012, someone posted malicious statements on her Facebook page. She filed suit in the Eastern District of New York against her ex-boyfriend in January 2014, alleging violations of SCA and CFAA. The District Court dismissed the case in its entirety on statute of limitations grounds, but the Second Circuit recently revived the claims relating to her Facebook account.
Both the SCA and the CFAA criminalize the alleged conduct of the ex-boyfriend. Both have two year statutes of limitations, the SCA’s running from when a person discovers or has a reasonable opportunity to discover a violation, and the CFAA’s running from the act complained of or discovery of the damage (i.e., the hacking). While the District Court found that the plaintiff’s August 2011 discovery of unauthorized use of her email account provided her with a reasonable opportunity to discovery the “full scope” of the defendant’s alleged illegal activity and dismissed the complaint in its entirety, the Second Circuit disagreed, finding that the plaintiff’s Facebook-related claims accrued independently in February 2012 when she discovered that she was locked out of her Facebook account. “[T]here would have been no damage, for CFAA purposes, or violation, for SCA purposes, for Sewell to discover with respect to her Facebook account before that date, which was less than two years before the suit was brought.”
While the Court was careful to limit the holding to the facts of the case before it, the takeaway is that it cannot be assumed that a plaintiff is on notice of the possibility that all of her passwords for all of the internet accounts she holds have been compromised because one password from one account was compromised. The Second Circuit found this to be an unreasonable inference and, accordingly, reinstated the plaintiff’s Facebook claims.