Computer Fraud and Abuse Act Limitations Accrued With Awareness of Unauthorized Access–Not Identity of Perpetrator

Bend♪ng the blue harmonic 7th . .

SUMMARY: The two year statute of limitations for Computer Fraud and Abuse Act claim began to run when the plaintiff had an awareness of an unauthorized access into its computer system even if the plaintiff did not know the identity of the alleged perpetrator at that time.

This is an update on a previous post: Two Year Statute of Limitations for Computer Fraud and Abuse Act Accrued When Plaintiff “Suspected” Wrongdoing

This is the second ruling on limitations issues in Higgins v. NMI Enterprises, Inc. In the earlier ruling, on January 2, 2013, the court granted a Motion to Dismiss certain Computer Fraud and Abuse Act (CFAA) claims based on when the Plaintiff “suspected” some sort of wrongdoing though the Plaintiff argued that “suspected” was not the same as “discovered.” However, in making that ruling, the Court looked to facts outside of the pleadings by looking at a complaint filed in another matter. Because of that, the Court granted a Motion for Reconsideration and, pursuant to Rule 56(f)(3) notified the parties that it would consider summary judgment on its own.

The citation for this new case is Higgins v. NMI Enterprises, Inc., 2013 WL 4525635 (ED La. Aug. 26, 2013). The basic allegations are that a defendant had access to one of the plaintiff’s e-mail password by virtue of his position in a related company, provided plaintiff’s e-mail password to the other defendant’s to read his e-mails to and from the other plaintiffs as well as those to and from his attorneys. On these allegations plaintiffs sued for violating the CFAA and the Wiretap Act on September 29, 2009.

The issue before the court was whether the claims were timely filed. The Computer Fraud and Abuse Act has a two year statute of limitations that runs from “the date of the act complained of or the date of the discovery of the damage.” The evidence showed that, at least 2 years prior to September 29, 2009, the lead plaintiff knew someone had made an unauthorized access to the email account even though he only knew the IP address, not the actual identity of the alleged perpetrator. The plaintiff argued that the limitations period did not accrue until he discovered that person’s actual identity. The court disagreed and granted the Motion for Summary Judgment as to that defendant, reasoning as follows:

[U]nder [the Computer Fraud and Abuse Act], knowledge of unauthorized access is the information critical to begin the statute of limitation. There is no mention that a plaintiff must know the alleged perpetrator for the statute of limitations to begin. Unlike the plaintiffs in Quantlabb, here, Smith knew of the unauthorized access, even if he only suspected the identity of the perpetrator.

*   *   *

Thus, it is clear that Smith had an “awareness of an unauthorized access into [Thundervision’s] computer system,” which began the statute of limitations period more than two years before this action was filed.

The court held that the two year statute of limitations for Computer Fraud and Abuse Act claim began to run when the plaintiff had an awareness of an unauthorized access into its computer system even if the plaintiff did not know the identity of the alleged perpetrator at that time. The court granted the Motion for Summary Judgment as to the primary plaintiff who had such knowledge, however, as to the remaining plaintiffs the court found there was a factual dispute issue as to when they had knowledge of the alleged unauthorized access and, therefore, did not grant summary judgment on their CFAA claims though it seemed to invite additional challenges to their CFAA claims as well.

Should you or anyone you know need assistance in dealing with possible claims under the Computer Fraud and Abuse Act or just want to talk about the law in general, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com) and I will be more than happy to talk with you!

-Shawn E. Tuma

Two Year Statute of Limitations for Computer Fraud and Abuse Act Accrued When Plaintiff “Suspected” Wrongdoing

SEE NEW POST UPDATING THIS CASE:  Computer Fraud and Abuse Act Limitations Accrued With Awareness of Unauthorized Access–Not Identity of Perpetrator

There have not been many Computer Fraud and Abuse Act cases where the statute of limitations has been a key issue in the case so there are not many cases that have analyzed the issue. A new one just came out on January 2, 2013. In the case Higgins v. NMI Enterprises, Inc., 2013 WL 27556 (E.D. La. Jan. 2, 2013), the court offers a fairly detailed analysis of the applicable two year statute of limitations and ultimately decides to grant a Motion to Dismiss based thereon.

The Computer Fraud and Abuse Act has a two year statute of limitations that runs from “the date of the act complained of or the date of the discovery of the damage.” In Higgins, the Plaintiffs claimed that, while they “suspected” some sort of wrongdoing more than two years prior to the filing of their CFAA claim, they did not “actually discover the violations or damage” until later. The court found that “the statute of limitations ‘begins when facts that would support a cause of action are or should be apparent.'” Accordingly, when the Plaintiff suspected that those acts had occurred, those facts should have been apparent for purposes of limitations and limitations began to run at that time. You can read more by pulling up the case HERE.

Should you or anyone you know need assistance in dealing with possible claims under the Computer Fraud and Abuse Act or just want to talk about the law in general, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com) and I will be more than happy to talk with you!

-Shawn E. Tuma