statute of limitations – Attorney Evan Brown

Plaintiff freelance photojournalist sued defendant website publisher for copyright infringement over photos plaintiff took of a luxury maximum security prison in Norway in 2010. Defendants posted the photos on its website in 2011 without permission, in connection with a widely-publicized story of a notorious mass shooter being relocated there. Plaintiff registered the copyright in his photos in 2015 and filed suit in 2018, claiming that he did not learn of the alleged infringement until 2016.

Each party filed motions for summary judgment. Plaintiff claimed that the court should enter summary judgment in his favor because he had a valid copyright to the photographs, and there was no dispute that defendant published several of them without authorization. Defendant asserted that plaintiff’s claims were time-barred by the Copyright Act’s three-year statute of limitations, because he knew, or should have known, of the infringement when interest in the photos spiked following the remand of the alleged mass murderer to the prison where the photos were taken.

Photos included in copyright registration

The court found there was no genuine issue as to any material fact concerning plaintiff’s ownership of the copyright in the photos. And defendant conceded it published the photos without authorization. Defendant had challenged whether plaintiff’s copyright registration covered the photos at issue. Plaintiff had not introduced the deposit materials, but had submitted a sworn statement saying the photos had been included in the registration. The court found the sworn statement to carry the issue – had the defendant filed a motion to compel or sought the deposit materials from the copyright office, it may have been able to show the photos were not included. But on these facts, it was clear to the court that the copyright registration covered the photos.

Statute of limitations – no duty to scour

The court denied defendant’s motion for summary judgment, finding that the copyright infringement claims were not barred by the statute of limitations. Civil actions for copyright infringement must be “commenced within three years after the claim accrued.” 17 U.S.C. § 507(b). The Second Circuit has stated that the “discovery rule” governs when the statute of limitations begins to run: an infringement claim does not ‘accrue’ until the copyright holder discovers, or with due diligence should have discovered, the infringement.

The court found that plaintiff’s knowledge about general interest in the prison following the news stories about the mass shooter being relocated there was not sufficient to constitute constructive discovery that his photographs of that prison were being infringed. Plaintiff did not have knowledge of any infringement of his work and there was no reason for him to think, or duty for him to scour the internet to find out if, anyone was using his photographs without his consent. The court cited Wu v. John Wiley & Sons, Inc., 2015 WL 5254885 (S.D.N.Y. Sept. 10, 2015) to observe that “[i]f that were the expectation, then stock photo agencies and photographers likely would spend more money monitoring their licenses than they receive from issuing licenses.”

Masi v. Moguldom Media Group, 2019 WL 3287819 (S.D.N.Y., July 22, 2019)

Knowledge that email account had been hacked did not start the statutes of limitation clock ticking for Computer Fraud and Abuse Act and Stored Communications Act claims based on alleged related hacking of Facebook account occurring several months later.

Plaintiff sued her ex-boyfriend in federal court for allegedly accessing her Facebook and Aol email accounts. She brought claims under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and the Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”).

Both the CFAA and the SCA have two-year statutes of limitation. Defendant moved to dismiss, arguing that the limitation periods had expired.

The district court granted the motion to dismiss, but plaintiff sought review with the Second Circuit Court of Appeals. On appeal, the court affirmed the dismissal as to the email account, but reversed and remanded as to the Facebook account.

In August 2011, plaintiff discovered that someone had altered her Aol email account password. Later that month someone used her email account to send lewd and derogatory sexually-themed messages about her to people in her contact list. A few months later, similar things happened with her Facebook account — she discovered she could not log in in February 2012, and in March 2012 someone publicly posted sexually-themed messages using her account. She figured out it was her (now married) ex-boyfriend and filed suit.

The district court dismissed the claims because it found plaintiff first discovered facts giving rise to the claims in August 2011, but did not file suit until more than two years later, in January 2014. The Court of Appeals agreed with the district court as to the email account. She had enough facts in 2011 to know her Aol account had been compromised, and waited too long to file suit over that. But that was not the case with the Facebook account. The district court had concluded plaintiff knew in 2011 that her “computer” had been compromised. The Court of Appeals observed that the lower court failed to properly recognize the nuance concerning which computer systems were being accessed without authorization. Unauthorized access to the Facebook server gave rise to the claims relating to the Facebook account. The 2011 knowledge about her email being hacked did not bear on whether she knew her Facebook account would be compromised. The court observed:

We take judicial notice of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different usernames and passwords, less than all of which may be compromised at any one time. At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account — AOL e-mail — had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts — Facebook — might similarly have become compromised.

The decision gives us an opportunity to think about how users’ interests in having their data kept secure from third party access attaches to devices and systems that may be quite remote from where the user is located. The typical victim of a hack or data breach these days is not going to be the owner of the server that is compromised. Instead, the incident will typically involve the compromising of a system somewhere else that is hosting the user’s information or communications. This decision from the Second Circuit recognizes that reality, and contributes to the reasonable opportunity for redress in those situations.

Sewell v. Bernardin, — F.3d —, 2015 WL 4619519 (2nd Cir. August 4, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

Tag: statute of limitations

Plaintiff had no duty to “scour” the internet for infringements – statute of limitations did not bar copyright claim made 7 years after infringement

Facebook hacking victim’s CFAA and SCA claims not barred by statutes of limitation