Filed: Aug. 04, 2015
Latest Update: Mar. 02, 2020
Summary: 14-3143 Sewell v. Bernardin 1 UNITED STATES COURT OF APPEALS 2 FOR THE SECOND CIRCUIT 3 August Term, 2014 4 (Argued: February 18, 2015 Decided: August 4, 2015) 5 Docket No. 14-3143 6 7 Chantay Sewell, 8 Plaintiff–Appellant, 9 v. 10 Phil Bernardin, 11 Defendant–Appellee. 12 13 Before: POOLER, SACK, and DRONEY, Circuit Judges. 14 The plaintiff, Chantay Sewell, appeals from an August 2, 2014, judgment of 15 the United States District Court for the Eastern District of New York (Arthur D. 16 Spatt, J
Summary: 14-3143 Sewell v. Bernardin 1 UNITED STATES COURT OF APPEALS 2 FOR THE SECOND CIRCUIT 3 August Term, 2014 4 (Argued: February 18, 2015 Decided: August 4, 2015) 5 Docket No. 14-3143 6 7 Chantay Sewell, 8 Plaintiff–Appellant, 9 v. 10 Phil Bernardin, 11 Defendant–Appellee. 12 13 Before: POOLER, SACK, and DRONEY, Circuit Judges. 14 The plaintiff, Chantay Sewell, appeals from an August 2, 2014, judgment of 15 the United States District Court for the Eastern District of New York (Arthur D. 16 Spatt, Ju..
More
14‐3143
Sewell v. Bernardin
1 UNITED STATES COURT OF APPEALS
2 FOR THE SECOND CIRCUIT
3 August Term, 2014
4 (Argued: February 18, 2015 Decided: August 4, 2015)
5 Docket No. 14‐3143
6
7 Chantay Sewell,
8 Plaintiff–Appellant,
9 v.
10 Phil Bernardin,
11 Defendant–Appellee.
12
13 Before: POOLER, SACK, and DRONEY, Circuit Judges.
14 The plaintiff, Chantay Sewell, appeals from an August 2, 2014, judgment of
15 the United States District Court for the Eastern District of New York (Arthur D.
16 Spatt, Judge) dismissing her claims under the Computer Fraud and Abuse Act, 18
17 U.S.C. § 1030, and the Stored Communications Act, 18 U.S.C. § 2701, et seq., for
18 failure to initiate her action within the Actsʹ two‐year limitations periods. Her
19 claims arose in connection with the defendant, Phil Bernardinʹs, alleged acts of
20 gaining unlawful access to Sewellʹs AOL e‐mail and Facebook accounts. We
21 conclude that the district court correctly applied the two‐year statutes of
22 limitations to Sewellʹs claims for unlawful access with respect to her e‐mail
� No. 14‐3143
Sewell v. Bernardin
1 account, but that it erred in holding that her claims with respect to her Facebook
2 account were time‐barred.
3 We therefore AFFIRM in part, and VACATE and REMAND in part for
4 further proceedings as indicated in this opinion.
5 HARVEY S. MARS, Law Office of Harvey
6 S. Mars LLC, New York, NY, for Plaintiff–
7 Appellant.
8 GARY T. CERTAIN, Law Office of Certain
9 & Zilberg, PLLC, New York, NY, for
10 Defendant–Appellee.
11 SACK, Circuit Judge:
12 In order to resolve this appeal, we address a matter of first impression in
13 this Circuit: the operation of the statutes of limitations applicable under the civil
14 enforcement provisions of the Computer Fraud and Abuse Act (ʺCFAAʺ), 18
15 U.S.C. § 1030, and the Stored Communications Act (ʺSCAʺ), 18 U.S.C. § 2701, et
16 seq. A plaintiff bringing an action under the CFAAʹs civil enforcement provision
17 must do so ʺwithin 2 years of the date of the act complained of or the date of the
18 discovery of the damage.ʺ 18 U.S.C. § 1030(g). The SCA provides that ʺ[a] civil
19 action under this section may not be commenced later than two years after the
20 date upon which the claimant first discovered or had a reasonable opportunity to
21 discover the violation.ʺ 18 U.S.C. § 2707(f).
2
� No. 14‐3143
Sewell v. Bernardin
1 The plaintiff, Chantay Sewell, filed suit under both statutes alleging that
2 her former boyfriend, defendant Phil Bernardin, had gained access to her e‐mail
3 and Facebook accounts without her permission and therefore in violation of the
4 CFAA and the SCA. She asserts that she discovered that she could not log into
5 her www.aol.com (ʺAOLʺ) e‐mail account on or about August 1, 2011 ʺbecause
6 her password was altered.ʺ Compl. ¶ 11 (J.A. 5). More than six months later, on
7 or about February 24, 2012, she contends, she discovered that she could not log
8 into her www.facebook.com (ʺFacebookʺ) account ʺbecause her password was
9 altered.ʺ Compl. ¶ 12 (J.A. 5). The district court granted Bernardinʹs motion to
10 dismiss Sewellʹs claims as untimely, and Sewell appealed. Because Sewell filed
11 suit on January 2, 2014, we conclude that her claims relating to Bernardinʹs
12 alleged unlawful access of her e‐mail account are time‐barred, but that her claims
13 relating to his alleged unlawful access of her Facebook account were timely filed.
14 BACKGROUND
15 We accept as true at this stage of the proceedings all facts alleged in
16 Sewellʹs complaint. See Town of Babylon v. Fed. Hous. Fin. Agency, 699 F.3d 221,
17 227 (2d Cir. 2012). According to those allegations, Sewell and Bernardin were
3
� No. 14‐3143
Sewell v. Bernardin
1 involved in a ʺromantic relationshipʺ1 from in or about 2002 until 2011. Sewell
2 maintained a private e‐mail account with AOL and a private social media
3 account with Facebook, including in 2011 and 2012. She did not knowingly share
4 her account passwords with Bernardin or any other person and was the only
5 authorized user of each account.
6 On or about August 1, 2011, Sewell discovered that her AOL password
7 had been altered, and she was therefore unable to log into her AOL e‐mail
8 account. That same month, malicious statements about her sexual activities2
9 were e‐mailed to various family members and friends ʺvia Sewellʹs own contacts
10 list maintained privately within her email account.ʺ Compl. ¶ 19 (J.A. 6).
11 On February 24, 2012, Sewell found herself unable to log into her Facebook
12 account. Then, on March 1, 2012, someone other than she posted a public
13 message from her Facebook account containing malicious statements, again
14 concerning Sewellʹs sex life.
Sewellʹs characterization of her relationship with Bernardin is contained in an
1
affidavit filed with the district court on February 14, 2014.
2 In her complaint, Sewell describes an e‐mail sent in or around August 2011 using her
personal contacts list as containing ʺmalicious statements toward Sewell regarding
certain sexually transmitted diseases and sexual activities.ʺ Compl. ¶ 19 (J.A. 6).
4
� No. 14‐3143
Sewell v. Bernardin
1 Sewell alleges that Bernardin obtained her AOL and Facebook passwords
2 without her permission while he was a guest in her home. Verizon Internet
3 records confirmed that Bernardinʹs computer was used to gain access to the
4 servers on which Sewellʹs accounts were stored. He then changed her AOL and
5 Facebook passwords. Bernardin allegedly thereby obtained access to Sewellʹs
6 electronic communications and other personal information and sent messages
7 purporting to be from her.
8 On May 15, 2013, Sewell filed a separate suit against Bernardinʹs wife, Tara
9 Bernardin, and ʺJohn Does #1‐5,ʺ apparently believing that Tara Bernardin and
10 others unknown to her had gained access to her Internet accounts. The
11 complaint raised claims strikingly similar to those that she is pursuing in the
12 instant action. Tara Bernardin settled her suit with Sewell on September 27, 2013,
13 and the court accordingly entered judgment in Sewellʹs favor shortly thereafter.
14 Several months later, on January 2, 2014, Sewell filed the instant action against
15 Phil Bernardin, alleging violations of the SCA and CFAA. On August 2, 2014, the
16 United States District Court for the Eastern District of New York (Arthur D.
17 Spatt, Judge) granted Bernardinʹs motion to dismiss, holding that Sewellʹs claims
5
� No. 14‐3143
Sewell v. Bernardin
1 were time‐barred under the CFAAʹs and SCAʹs applicable two‐year statutes of
2 limitations. This appeal followed.
3 DISCUSSION
4 We review the grant of a motion to dismiss under Federal Rule of Civil
5 Procedure 12(b)(6)3 de novo, ʺaccepting as true factual allegations made in the
6 complaint, and drawing all reasonable inferences in favor of the plaintiff[].ʺ
7 Town of Babylon, 699 F.3d at 227. ʺDismissal under Fed. R. Civ. P. 12(b)(6) is
8 appropriate when a defendant raises a statutory bar,ʺ such as lack of timeliness,
9 ʺas an affirmative defense and it is clear from the face of the complaint, and
10 matters of which the court may take judicial notice, that the plaintiffʹs claims are
11 barred as a matter of law.ʺ Staehr v. Hartford Fin. Servs. Grp., 547 F.3d 406, 425 (2d
12 Cir. 2008) (internal quotation marks, alterations, and emphasis omitted).
13 I. The Applicable Statutes of Limitations
14 A. The Computer Fraud and Abuse Act
The defendant styled his motion before the district court as a motion pursuant to
3
Federal Rule of Civil Procedure 12(c). The district court, however, treated the motion as
a motion to dismiss pursuant to Rule 12(b)(6). The parties do not raise this as an issue
on appeal and, in any event, ʺ[t]he standard for granting a Rule 12(c) motion for
judgment on the pleadings is identical to that of a Rule 12(b)(6) motion for failure to
state a claim.ʺ Patel v. Contemporary Classics of Beverly Hills, 259 F.3d 123, 126 (2d Cir.
2001).
6
� No. 14‐3143
Sewell v. Bernardin
1 The CFAA criminalizes, inter alia, ʺintentionally access[ing] a computer
2 without authorization or exceed[ing] authorized access, and thereby
3 obtain[ing] . . . information from any protected computer,ʺ 18 U.S.C.
4 § 1030(a)(2)(C), and ʺintentionally access[ing] a protected computer without
5 authorization, and as a result of such conduct, caus[ing] damage and loss,ʺ id.
6 § 1030(a)(5)(C).
7 The statute also provides a civil cause of action to ʺ[a]ny person who
8 suffers damage or loss by reason of a violation of this section.ʺ Id. § 1030(g). To
9 be timely, such a civil suit must be filed ʺwithin 2 years of the date of the act
10 complained of or the date of the discovery of the damage.ʺ Id. ʺDamage,ʺ in
11 turn, is defined as ʺany impairment to the integrity or availability of data, a
12 program, a system, or information.ʺ Id. § 1030(e)(8). The statute of limitations
13 under the CFAA accordingly ran from the date that Sewell discovered that
14 someone had impaired the integrity of each of her relevant Internet accounts.
15 B. The Stored Communications Act
16 Under the SCA, it is a crime to:
17 (1) intentionally access[] without authorization a facility through
18 which an electronic communication service is provided; or
19 (2) intentionally exceed[] an authorization to access that facility;
7
� No. 14‐3143
Sewell v. Bernardin
1 and thereby obtain[], alter[], or prevent[] authorized access to a wire
2 or electronic communication while it is in electronic storage in such
3 system . . . .
4 18 U.S.C. § 2701(a).
5 As with the CFAA, the SCA establishes a civil cause of action. ʺ[A]ny . . .
6 person aggrieved by any violation of this chapter in which the conduct
7 constituting the violation is engaged in with a knowing or intentional state of
8 mindʺ may file suit. Id. § 2707(a). A civil action under this section must be
9 commenced no ʺlater than two years after the date upon which the claimant first
10 discovered or had a reasonable opportunity to discover the violation.ʺ Id.
11 § 2707(f). In other words, the limitations period begins to run when the plaintiff
12 discovers that, or has information that would motivate a reasonable person to
13 investigate whether, someone has intentionally accessed the ʺfacility through
14 which an electronic communication service is providedʺ and thereby obtained
15 unauthorized access to a stored electronic communication. Id. § 2701(a).
16 II. Sewellʹs Discovery of Damage and Unauthorized Access to Her AOL
17 and Facebook Accounts
18
19 The district court granted Bernardinʹs motion to dismiss Sewellʹs claims as
20 untimely based on the courtʹs conclusion that Sewell was ʺaware that the
21 integrity of her computer had been compromisedʺ as of August 1, 2011. Sewell v.
8
� No. 14‐3143
Sewell v. Bernardin
1 Bernardin, 50 F. Supp. 3d 204, 212 (E.D.N.Y. 2014). The court reasoned that
2 Sewellʹs August 1, 2011, discovery – which related to the unauthorized use of her
3 AOL account – provided her with a reasonable opportunity to discover the full
4 scope of Bernardinʹs alleged illegal activity more than two years before she
5 brought this suit on January 2, 2014. We agree with the district court as its
6 decision related to Sewellʹs AOL account, but disagree with it as it related to her
7 Facebook account.
8 Sewell discovered the ʺdamageʺ to her AOL account for CFAA purposes
9 on August 1, 2011, when she learned that she could not log into her AOL e‐mail
10 account. That she may not have known exactly what happened or why she
11 could not log in is of no moment. The CFAAʹs statute of limitations began to run
12 when Sewell learned that the integrity of her account had been impaired.
13 The SCAʹs statute of limitations began to run when Sewell ʺfirst . . . had a
14 reasonable opportunity to discover, ʺ 18 U.S.C. § 2707(f), that someone had
15 ʺintentionally access[ed] [her AOL account] without authorization,ʺ id. § 2701(a).
16 She had such an opportunity as soon as she discovered that she could not obtain
17 access to that account because her password had been ʺalteredʺ inasmuch as,
9
� No. 14‐3143
Sewell v. Bernardin
1 accepting her other allegations as true, further investigation would have led her
2 to Bernardin.4
3 Sewellʹs CFAA and SCA claims with regard to her AOL account were first
4 made on January 2, 2014, and were premised on damage and unauthorized
5 access to her AOL account which she had or should have discovered some two
6 years and five months earlier. The two‐year statutes of limitations had therefore
7 run.5
8 Sewellʹs Facebook‐related claims, by contrast, appear to have accrued on or
9 about February 24, 2012. Her complaint alleges that she ʺwas the sole authorized
10 user ofʺ her Facebook account. Compl. ¶ 10 (J.A. 4). On or about ʺFebruary 24,
11 2012, [she] discovered that she could no longer log into or access her account
12 with www.facebook.com because her password [had been] altered.ʺ Compl. ¶ 12
13 (J.A. 5). There is nothing in the facts as alleged in the complaint from which to
We express no view as to whether, in a different case under different facts, the mere
4
inability to access an account without knowledge that oneʹs password had been
ʺalteredʺ would provide a plaintiff with a reasonable opportunity to discover an SCA
violation.
5 Although the complaint alleges that Sewellʹs AOL account was improperly accessed
on multiple occasions subsequent to August 1, 2011, Sewell does not raise any
arguments on appeal with respect to these alleged violations. We thus take no position
as to whether claims based on those subsequent violations would be timely under the
CFAA or the SCA, or whether such claims would otherwise survive Bernardinʹs motion
to dismiss.
10
� No. 14‐3143
Sewell v. Bernardin
1 infer that anyone gained unauthorized access to her Facebook account before
2 then. Thus, taking these allegations as true, there would have been no damage,
3 for CFAA purposes, or violation, for SCA purposes, for Sewell to discover with
4 respect to her Facebook account before that date, which was less than two years
5 before the suit was brought.
6 The fact that Sewell had discovered ʺdamageʺ to her AOL account based
7 on her inability to access AOLʹs computer servers at an earlier date does not lead
8 to a different result. Contrary to the district courtʹs remark, Sewell did not
9 allegedly discover ʺthat the integrity of her computer had been compromisedʺ as
10 of August 1, 2011. Sewell, 50 F. Supp. 3d at 212 (emphasis added). She
11 discovered only that the integrity of her AOL account had been compromised as
12 of that time. Her CFAA claim accordingly is premised on impairment to the
13 integrity of a computer owned and operated by AOL, not of her own physical
14 computer.6 As a result, Sewell has two separate CFAA claims, one that accrued
15 on August 1, 2011, when she found out that she could not access her AOL
16 account, and one that accrued on February 24, 2012, when she found out that she
17 could not access her Facebook account.
Sewell asserts that the AOL and Facebook computers to which Bernardin allegedly
6
gained unauthorized access were ʺprotectedʺ under the CFAA. Compl. ¶ 15 (J.A. 5).
Bernardin does not argue otherwise.
11
� No. 14‐3143
Sewell v. Bernardin
1 Like her Facebook‐related CFAA claim, Sewellʹs Facebook‐related SCA
2 claim is also timely. Under the SCA, a civil plaintiff must file her claim within
3 two years of discovery or a reasonable opportunity to discover intentional and
4 unauthorized access to an electronic communication facility. The district court
5 concluded that Sewell ʺhad a reasonable opportunity to discover the Defendantʹs
6 illegal activityʺ vis‐à‐vis her Facebook account as of August 1, 2011. Sewell, 50 F.
7 Supp. 3d at 213 (internal quotation marks and brackets omitted). But as we have
8 noted, there is no allegation in the complaint that Sewellʹs Facebook account and
9 the computer servers on which her information was stored were tampered with
10 before February 24, 2012, when she alleges that she was unable to log into her
11 Facebook account. She could not reasonably be expected to have discovered a
12 violation that, under the facts as alleged in the complaint, had not yet occurred.
13 The district courtʹs conclusion may rest on the assumption that a plaintiff
14 is on notice of the possibility that all of her passwords for all of the Internet
15 accounts she holds have been compromised because one password for one
16 Internet account was compromised. We do not think that that is a reasonable
17 inference from the facts alleged in the complaint. We take judicial notice of the
18 fact that it is not uncommon for one person to hold several or many Internet
12
� No. 14‐3143
Sewell v. Bernardin
1 accounts, possibly with several or many different usernames and passwords, less
2 than all of which may be compromised at any one time. At least on the facts as
3 alleged by the plaintiff, it does not follow from the fact that the plaintiff
4 discovered that one such account – AOL e‐mail – had been compromised that she
5 thereby had a reasonable opportunity to discover, or should be expected to have
6 discovered, that another of her accounts – Facebook – might similarly have
7 become compromised.
8 We pause to acknowledge that the statutes of limitations governing claims
9 under the CFAA and SCA, as we understand them, may have troubling
10 consequences in some situations. Even after a prospective plaintiff discovers that
11 an account has been hacked, the investigation necessary to uncover the hackerʹs
12 identity may be substantial. In many cases, we suspect that it might take more
13 than two years. But it would appear that if a plaintiff cannot discover the
14 hackerʹs identity within two years of the date she discovers the damage or
15 violation, her claims under the CFAA and SCA will be untimely.
16 The plaintiff does have the option of initiating a lawsuit against a Jane or
17 John Doe defendant, but she must still discover the hackerʹs identity within two
18 years of discovery or a reasonable opportunity to discover the violation to avoid
13
� No. 14‐3143
Sewell v. Bernardin
1 dismissal. This is because we have concluded ʺthat Rule 15(c) does not allow an
2 amended complaint adding new defendants to relate back if the newly‐added
3 defendants were not named originally because the plaintiff did not know their
4 identities.ʺ Barrow v. Wethersfield Police Depʹt, 66 F.3d 466, 470 (2d Cir. 1995).7
5 CONCLUSION
6 For the foregoing reasons, the judgment of the district court is AFFIRMED
7 in part and VACATED and REMANDED in part for further proceedings.
Sewell also purports to appeal from the district courtʹs denial of her request for leave
7
to amend, but the district court did not explicitly deny or otherwise rule on this request.
We can imagine no plausible amendment that would render her AOL claims timely but
nevertheless instruct the district court to consider and expressly rule on Sewellʹs
motion, should she choose to revive it, on remand. See Jin v. Metro. Life Ins. Co., 310 F.3d
84, 101 (2d Cir. 2002) (ʺOutright refusal to grant the leave [to amend] without any
justifying reason for the denial is an abuse of discretion.ʺ).
14
�
