Second Cir: Facebook Case Reveals Difference b/t CFAA & SCA Statute of Limitation Periods


The Second Circuit confirmed that the Computer Fraud and Abuse Act (18 USC 1030) and the Stored Communications Act (18 USC 2701) calculate the starting point of their two-year statutes of limitations differently, which matters when someone’s email and/or social media accounts are hacked.  This case may be important since it puts the burden on users to know that the statutory period for claims may begin to run as soon as they discover that they are locked out of their email or social media accounts.

The distinction arose in Chantay Sewell v. Phil Bernardin, where the defendant/former boyfriend allegedly gained unlawful access to Plaintiff/former girlfriend’s AOL email and Facebook accounts.  Specifically, the Plaintiff discovered that she could not log into her email account in August 2011.  That month, malicious statements about her sexual activities were emailed to various family members and friends via Plaintiff’s own contacts list maintained privately in her email account.  In February 2012, she learned that she could not log into her Facebook account.  A week later, someone other than the Plaintiff posted a public message from her Facebook account containing malicious statements, again concerning Sewell’s sex life.  She filed suit against the defendant’s wife in 2013.  She filed suit against the defendant in 2014.  According to the opinion, in discovery, Verizon internet records confirmed that the defendant’s computer was used to access the servers which hosted the Plaintiff’s accounts.

Here’s the CFAA statute of limitation:

“within 2 years of the date of the act complained of or the date of the discovery of the damage.”  18 U.S.C. § 1030(g).

According to the Second Circuit, “the statute of limitation under the CFAA ran from the date that Plaintiff discovered that someone had impaired the integrity of each of her relevant internet accounts.”

And the SCA statute of limitation:

“[a] civil action under this section may not be commenced later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.”  18 U.S.C. § 2707(f).

According to the Second Circuit, “the limitations period begins to run when the plaintiff discovers that, or has information that would motivate a reasonable person to investigate whether, someone has intentionally accessed the ‘facility through which an electronic communication service is provided’ and thereby obtained unauthorized access to a stored electronic communication.  Id. § 2701(a).”

Application to Email and Facebook

CFAA limitation:  the Plaintiff discovered the “damage” to her email account for CFAA purposes when she learned that she was locked out.  “That she may not have known exactly what happened or why she could not log in is of no moment.  The CFAA’s statute of limitations began to run when Sewell learned that the integrity of her account had been impaired.”

SCA limitation:  the limitation period “began to run when Sewell ‘first . . .  had a reasonable opportunity to discover,’ 18 U.S.C. § 2707(f), that someone had  ‘intentionally access[ed] [her AOL account] without authorization,’ id. § 2701(a).”  The Court continued, “She had such an opportunity as soon as she discovered that she could not obtain access to that account because her password had been ‘altered’ inasmuch as, accepting her other allegations as true, further investigation would have led her to Bernardin.”

In this case, the Plaintiff was untimely in her suit regarding the email account but was still within both Acts’ statutory periods for the Facebook claim.


Practitioners should consider the following issues:

1.  As soon as a user detects that they cannot get into their accounts, and/or that there is some unusual activity, a court may conclude that the CFAA and SCA statutory periods have begun.

2.  If the client comes to you too late for claims under the Acts, consider state statute or common law torts which may, in your jurisdiction, have longer statutory periods.

3.  This case turns largely on the allegations in the complaint — this may be an instance where the detailed phrasing of the pleadings may have locked the Plaintiff into certain claims and time periods.

4.  It was claimed that defendant had accessed the Plaintiff’s computer in her house to get the passwords.  Note that the statutory period did not run from the date of the intrusion onto Plaintiff’s PC because there is no basis to show that the Plaintiff was on notice of that event.  Instead, it was not until the Defendant allegedly intruded upon the AOL and Facebook servers that the Plaintiff was on notice.  It is important to understand the difference between Plaintiff’s computer vs. AOL’s and Facebook’s computers.

