795 F.3d 337
2d Cir.2015Background
- Plaintiff Chantay Sewell alleged her ex-boyfriend Phil Bernardin accessed her AOL email and Facebook accounts without authorization, changed passwords, and sent malicious messages purporting to be from her.
- Sewell discovered she could not access her AOL account on or about August 1, 2011; she discovered she could not access her Facebook account on or about February 24, 2012.
- Sewell sued Tara Bernardin and John Does in May 2013 (settlement entered September 2013) and then sued Phil Bernardin on January 2, 2014 under the Computer Fraud and Abuse Act (CFAA) and the Stored Communications Act (SCA).
- The district court dismissed Sewell’s CFAA and SCA claims as time-barred under each statute’s two-year limitations period; Sewell appealed.
- The Second Circuit accepted the complaint’s allegations as true for 12(b)(6) review and evaluated when the two-year limitations periods began to run for each statute and each account.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| When does CFAA’s 2-year limitations period begin? | Sewell argued discovery should be measured by when she learned the full scope/identity of the hacker. | Bernardin argued the period began when Sewell discovered the account integrity was impaired. | Held: CFAA claims accrue when plaintiff discovers impairment to the integrity/availability of the affected account (discovery of inability to access AOL on Aug 1, 2011 starts limitations for that claim). |
| When does SCA’s 2-year limitations period begin? | Sewell argued SCA period should not run from discovery of unrelated account compromise. | Bernardin argued discovery of one compromise put Sewell on notice to investigate all accounts, starting the limitations clock for others. | Held: SCA period runs from discovery or reasonable opportunity to discover unauthorized access to the specific service; AOL discovery did not start the clock for Facebook absent facts showing Facebook was compromised then. |
| Whether discovery of one hacked account gives notice of all other accounts being compromised | Sewell contended each account is separate and earlier AOL discovery did not compel discovery of later Facebook intrusion. | Bernardin contended earlier discovery provided reasonable opportunity to discover other intrusions. | Held: Court rejected a per se rule that one compromised account imputes notice of compromise of all accounts; here Facebook claim (discovered Feb 24, 2012) was timely. |
| Relation-back by amendment to add identified defendant after limitations period | Sewell argued she could sue John Does then amend after identifying Bernardin. | Bernardin argued Rule 15(c) does not permit relation-back when identity was unknown and that tolling cannot save untimely claims. | Held: Citing Barrow, relation-back is not available when defendant was unnamed because plaintiff did not know identity; plaintiff must discover identity within limitations period. |
Key Cases Cited
- Town of Babylon v. Fed. Hous. Fin. Agency, 699 F.3d 221 (2d Cir. 2012) (standard for de novo review of Rule 12(b)(6) motions accepting complaint allegations)
- Staehr v. Hartford Fin. Servs. Grp., 547 F.3d 406 (2d Cir. 2008) (statutory affirmative defenses may warrant dismissal under Rule 12(b)(6) when apparent on face of complaint)
- Barrow v. Wethersfield Police Dep’t, 66 F.3d 466 (2d Cir. 1995) (Rule 15(c) relation-back cannot add defendants whose identities were unknown to plaintiff at filing)
- Patel v. Contemporary Classics of Beverly Hills, 259 F.3d 123 (2d Cir. 2001) (motions under Rule 12(c) are evaluated under same standard as Rule 12(b)(6))
- Jin v. Metro. Life Ins. Co., 310 F.3d 84 (2d Cir. 2002) (denial of leave to amend requires justification; outright refusal without reason is abuse of discretion)