Sewell v. Bernardin

• Decision Date: 04 August 2015
• Docket Number: No. 14–3143.,14–3143.
• Citation: 795 F.3d 337
• Parties: Chantay SEWELL, Plaintiff–Appellant, v. Phil BERNARDIN, Defendant–Appellee.
• Court: U.S. Court of Appeals — Second Circuit

795 F.3d 337

Chantay SEWELL, Plaintiff–Appellant

v.Phil BERNARDIN, Defendant–Appellee.

No. 14–3143.

United States Court of Appeals, Second Circuit.

Argued: Feb. 18, 2015.

Decided: Aug. 4, 2015.

Harvey S. Mars, Law Office of Harvey S. Mars LLC, New York, N.Y., for Plaintiff–Appellant.

Gary T. Certain, Law Office of Certain & Zilberg, PLLC, New York, N.Y., for Defendant–Appellee.

Before: POOLER, SACK, and DRONEY, Circuit Judges.

Opinion

SACK, Circuit Judge:

In order to resolve this appeal, we address a matter of first impression in this Circuit: the operation of the statutes of limitations applicable under the civil enforcement provisions of the Computer Fraud and Abuse Act (CFAA.), 18 U.S.C. § 1030, and the Stored Communications Act (SCA.), 18 U.S.C. § 2701, et seq. A plaintiff bringing an action under the CFAA's civil enforcement provision must do so “within 2 years of the date of the act complained of or the date of the discovery of the damage.” 18 U.S.C. § 1030(g). The SCA provides that “[a] civil action under this section may not be commenced later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.”18 U.S.C. § 2707(f).

The plaintiff, Chantay Sewell, filed suit under both statutes alleging that her former boyfriend, defendant Phil Bernardin, had gained access to her e-mail and Facebook accounts without her permission and therefore in violation of the CFAA and the SCA. She asserts that she discovered that she could not log into her www.aol.com (AOL.) e-mail account on or about August 1, 2011 “because her password was altered.” Compl. ¶ 11 (J.A. 5). More than six months later, on or about February 24, 2012, she contends, she discovered that she could not log into her www.facebook.com (“Facebook”) account “because her password was altered.” Compl. ¶ 12 (J.A. 5). The district court granted Bernardin's motion to dismiss Sewell's claims as untimely, and Sewell appealed. Because Sewell filed suit on January 2, 2014, we conclude that her claims relating to Bernardin's alleged unlawful access of her e-mail account are time-barred, but that her claims relating to his alleged unlawful access of her Facebook account were timely filed.

BACKGROUND

We accept as true at this stage of the proceedings all facts alleged in Sewell's complaint. See Town of Babylon v. Fed. Hous. Fin. Agency, 699 F.3d 221, 227 (2d Cir.2012). According to those allegations, Sewell and Bernardin were involved in a “romantic relationship”¹ from in or about 2002 until 2011. Sewell maintained a private e-mail account with AOL and a private social media account with Facebook, including in 2011 and 2012. She did not knowingly share her account passwords with Bernardin or any other person and was the only authorized user of each account.

On or about August 1, 2011, Sewell discovered that her AOL password had been altered, and she was therefore unable to log into her AOL e-mail account. That same month, malicious statements about her sexual activities² were e-mailed to various family members and friends “via Sewell's own contacts list maintained privately within her email account.” Compl. ¶ 19 (J.A. 6).

On February 24, 2012, Sewell found herself unable to log into her Facebook account. Then, on March 1, 2012, someone other than she posted a public message from her Facebook account containing malicious statements, again concerning Sewell's sex life.

Sewell alleges that Bernardin obtained her AOL and Facebook passwords without her permission while he was a guest in her home. Verizon Internet records confirmed that Bernardin's computer was used to gain access to the servers on which Sewell's accounts were stored. He then changed her AOL and Facebook passwords. Bernardin allegedly thereby obtained access to Sewell's electronic communications and other personal information and sent messages purporting to be from her.

On May 15, 2013, Sewell filed a separate suit against Bernardin's wife, Tara Bernardin, and “John Does # 1–5,” apparently believing that Tara Bernardin and others unknown to her had gained access to her Internet accounts. The complaint raised claims strikingly similar to those that she is pursuing in the instant action. Tara Bernardin settled her suit with Sewell on September 27, 2013, and the court accordingly entered judgment in Sewell's favor shortly thereafter. Several months later, on January 2, 2014, Sewell filed the instant action against Phil Bernardin, alleging violations of the SCA and CFAA. On August 2, 2014, the United States District Court for the Eastern District of New York (Arthur D. Spatt, Judge ) granted Bernardin's motion to dismiss, holding that Sewell's claims were time-barred under the CFAA's and SCA's applicable two-year statutes of limitations. This appeal followed.

DISCUSSION

We review the grant of a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6)³ de novo, “accepting as true factual allegations made in the complaint, and drawing all reasonable inferences in favor of the plaintiff[ ].” Town of Babylon, 699 F.3d at 227. “Dismissal under Fed.R.Civ.P. 12(b)(6) is appropriate when a defendant raises a statutory bar,” such as lack of timeliness, “as an affirmative defense and it is clear from the face of the complaint, and matters of which the court may take judicial notice, that the plaintiff's claims are barred as a matter of law.” Staehr v. Hartford Fin. Servs. Grp., 547 F.3d 406, 425 (2d Cir.2008) (internal quotation marks, alterations, and emphasis omitted).

I. The Applicable Statutes of Limitations

A. The Computer Fraud and Abuse Act

The CFAA criminalizes, inter alia, “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] ... information from any protected computer,” 18 U.S.C. § 1030(a)(2)(C), and “intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss,” id. § 1030(a)(5)(C).

The statute also provides a civil cause of action to “[a]ny person who suffers damage or loss by reason of a violation of this section.” Id. § 1030(g). To be timely, such a civil suit must be filed “within 2 years of the date of the act complained of or the date of the discovery of the damage.” Id. “Damage,” in turn, is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” Id. § 1030(e)(8). The statute of limitations under the CFAA accordingly ran from the date that Sewell discovered that someone had impaired the integrity of each of her relevant Internet accounts.

B. The Stored Communications Act

Under the SCA, it is a crime to:

(1) intentionally access[ ] without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceed[ ] an authorization to access that facility; and thereby obtain[ ], alter[ ], or prevent[ ] authorized access to a wire or electronic communication while it is in electronic storage in such system....

18 U.S.C. § 2701(a).

As with the CFAA, the SCA establishes a civil cause of action. “[A]ny ... person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind” may file suit. Id. § 2707(a). A civil action under this section must be commenced no “later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.” Id. § 2707(f). In other words, the limitations period begins to run when the plaintiff discovers that, or has information that would motivate a reasonable person to investigate whether, someone has intentionally accessed the “facility through which an electronic communication service is provided” and thereby obtained unauthorized access to a stored electronic communication. Id. § 2701(a).

II. Sewell's Discovery of Damage and Unauthorized Access to Her AOL and Facebook Accounts

The district court granted Bernardin's motion to dismiss Sewell's claims as untimely based on the court's conclusion that Sewell was “aware that the integrity of her computer had been compromised” as of August 1, 2011. Sewell v. Bernardin, 50 F.Supp.3d 204, 212 (E.D.N.Y.2014). The court reasoned that Sewell's August 1, 2011, discovery—which related to the unauthorized use of her AOL account—provided her with a reasonable opportunity to discover the full scope of Bernardin's alleged illegal activity more than two years before she brought this suit on January 2, 2014. We agree with the district court as its decision related to Sewell's AOL account, but disagree with it as it related to her Facebook account.

Sewell discovered the “damage” to her AOL account for CFAA purposes on August 1, 2011, when she learned that she could not log into her AOL e-mail account. That she may not have known exactly what happened or why she could not log in is of no moment. The CFAA's statute of limitations began to run when Sewell learned that the integrity of her account had been impaired.

The SCA's statute of limitations began to run when Sewell “first ... had a reasonable opportunity to discover,” 18 U.S.C. § 2707(f), that someone had “intentionally access[ed] [her AOL account] without authorization,” id. § 2701(a). She had such an opportunity as soon as she discovered that she could not obtain access to that account because her password had been “altered” inasmuch as, accepting her other allegations as true, further investigation would have led her to Bernardin.⁴

Sewell's CFAA and SCA claims with regard to her AOL account were first made on January 2, 2014, and were premised on damage and unauthorized access to her AOL account which she had or should have discovered some two years and five months earlier. The two-year statutes of limitations had therefore run.⁵

Sewell's Facebook-related claims, by contrast, appear to have accrued on or about February 24, 2012. Her complaint alleges that she “was the sole...