Acrison Inc v. Anthony Rainone, No. 22-3274 (3d Cir. 2023)
Annotate this Case
Download PDF
NOT PRECEDENTIAL UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT _____________ No. 22-3274 _____________ ACRISON, INC., Appellant v. ANTHONY M. RAINONE, an individual; BRACH EICHLER LLC, a New Jersey limited liability corporation; XCELLENCE, INC., directly and as successor-in-interest to RVM ENTERPRISES, INC., d/b/a Xact Data Discovery; JOHN P. MARTIN, an individual; JOHN DOES 1-10, unknown individuals; ABC COMPANIES 1-10, unknown entities _____________ On Appeal from the District Court for the District of New Jersey (D.C. Civil No. 2-22-cv-01176) District Judge: Honorable Kevin McNulty _____________ Submitted Pursuant to Third Circuit L.A.R. 34.1(a) November 14, 2023 _____________ Before: CHAGARES, Chief Judge, MATEY and FUENTES, Circuit Judges (Filed: November 24, 2023) ____________ OPINION* ____________ CHAGARES, Chief Judge. Acrison, Inc. filed a federal lawsuit against a law firm and a computer services company alleging that they hacked into Acrison’s computers in connection with a statecourt lawsuit. The District Court ruled that Acrison’s federal claims were untimely and declined to exercise supplemental jurisdiction over the remaining state claims. But the District Court did not apply the legal standard that governs an affirmative defense at the motion to dismiss stage. We apply that standard and conclude that it was not apparent on the face of the complaint that Acrison’s federal claims were untimely. Thus, we will reverse the District Court’s order and remand for further proceedings. I. We write primarily for the parties and recite only the facts essential to our decision. Defendant Brach Eichler LLC is a law firm and defendant Xcellence, Inc. (“XDD”) is a computer services company. Acrison alleged that Brach Eichler, XDD, and others violated the law by hacking into Acrison’s computers in connection with a statecourt lawsuit. The state-court action involved a dispute between two brothers, Ron and Ralph Ricciardi, who owned Acrison. Ralph, represented by Brach Eichler, filed a lawsuit against Ron in September 2019 for corporate fraud, waste, misuse, and * This disposition is not an opinion of the full Court and, pursuant to I.O.P. 5.7, does not constitute binding precedent. 2 misappropriation of corporate assets and opportunities. Acrison, a nominal defendant in that lawsuit, counterclaimed against Ralph leveling similar accusations. According to Acrison, the defendants hacked into Acrison’s computers without its knowledge both before and during the state-court action. Brach Eichler allegedly attempted to prevent Acrison from learning about the defendants’ clandestine activities during discovery in the state-court action. By the end of 2020, however, the details of defendants’ alleged hacking came to light. Acrison purportedly learned that Brach Eichler had instructed XDD to enter Acrison’s office and create full forensic images of Acrison’s computers and to recover passwords and login information so that it could later remotely VPN access Acrison’s computers. Acrison moved for summary judgment and sought dismissal of the state-court action based on this alleged discovery misconduct. The parties eventually reached a settlement in the state-court action and stipulated to its dismissal with prejudice in February 2022. On March 3, 2022, Acrison filed a five-count lawsuit in federal court against the defendants for: (1) violation of the Computer Fraud and Abuse Act (“CFAA”); (2) conspiracy to violate the CFAA; (3) violation of the New Jersey Computer Related Offenses Act; (4) trespass to personal property; and (5) conversion. The defendants moved to dismiss these claims. The District Court found that Acrison’s CFAA claim was barred by the law’s two-year statute of limitations and that the deadline should not be equitably tolled. The District Court rejected Acrison’s conspiracy claim on similar 3 grounds. Finally, it declined to exercise supplemental jurisdiction over the remaining state-law claims. Acrison timely appealed. II.1 The CFAA is a federal computer-crime statute that also provides a private cause of action for civil liability. Van Buren v. United States, 141 S. Ct. 1648, 1652 (2021). The CFAA provides that a civil action must be brought: “within 2 years of [1] the date of the act complained of or [2] the date of the discovery of the damage.” 18 U.S.C. § 1030(g). The statute defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” Id. § 1030(e)(8). The District Court found that Acrison could not satisfy the first prong of the CFAA’s statute of limitations because it filed its lawsuit in March 2022, and the defendants’ alleged conduct occurred in May 2018 and September 2019. It found that Acrison could not satisfy the second prong because Acrison did not specifically plead “damage” under the CFAA, and in any event, it was inadequately alleged. The District Court employed an incorrect standard to assess the timeliness of Acrison’s claims at this early stage of the litigation. A statute of limitations argument is an affirmative defense. Schmidt v. Skolas, 770 F.3d 241, 249 (3d Cir. 2014). But it is well established that “a complaint need not anticipate or overcome affirmative defenses.” Id. at 248. Accordingly, we may consider a limitations defense at the motion to dismiss stage only in the narrow circumstance when untimeliness is “apparent” on the face of the We review a district court’s dismissal of a complaint under Federal Rule of Civil Procedure 12(b)(6) de novo. Schmidt v. Skolas, 770 F.3d 241, 248 (3d Cir. 2014). 1 4 complaint. LabMD Inc. v. Boback, 47 F.4th 164, 179 n.9 (3d Cir. 2022) (quoting Robinson v. Johnson, 313 F.3d 128, 135 (3d Cir. 2002)); accord Bohus v. Restaurant.com, Inc., 784 F.3d 918, 923 n.2 (3d Cir. 2015). Our decision in Schmidt is instructive. In that case, the plaintiff-shareholder appealed the district court’s dismissal of his complaint on statute of limitations grounds. Schmidt, 770 F.3d at 245. The district court ruled that the plaintiff did not meet his burden of establishing that the discovery rule applied to his fiduciary duty claims because the complaint did not plead facts showing that he exercised reasonable diligence in discovering his injury. Id. at 248, 252. We reversed, explaining that the district court’s reasoning “effectively required [the plaintiff] to plead around an affirmative defense in his complaint, which is inconsistent with Rules 8 and 12(b)(6).” Id. at 252. We concluded that dismissal was premature because “nothing in [the plaintiff’s] complaint clearly suggests that he did in fact” discover the wrongdoing too late. Id. The District Court should not have placed the burden on Acrison to “sufficiently plead later-discovered ‘damage’ in order to delay the onset of the limitations period.” Appendix (“App.”) 21. Instead, as Schmidt illustrates, the burden is on the defendants to establish that the complaint shows that Acrison’s claims are untimely. Applying that standard, it is not apparent on the face of the complaint that Acrison did not file suit “within 2 years of . . . the date of the discovery of the damage.” 18 U.S.C. § 1030(g). Starting with “the date of the discovery,” the complaint alleged that Acrison discovered the details of the defendants’ hacking by the end of 2020. We are inclined to think that the clock started before then, because the discovery rule applies “even though 5 the full extent of the injury is not then known or predictable.” LabMD, 47 F.4th at 180 (citation omitted). That does not doom Acrison’s position, though, because the defendants acknowledge that “the Complaint reveal[s] that Acrison was aware of the alleged unlawful access as early as . . . March 17, 2020[.]” Appellees’ Br. 5; see also Acrison Br. 5–6 (“Acrison began to detect clues to the defendants’ misconduct during the discovery process, beginning on or about March 17, 2020[.]” (internal quotation marks and citation omitted)). Because the federal lawsuit was filed on March 3, 2022 — just shy of two years later — we hold at this juncture that it was timely. We turn next to “the damage.” The District Court reasoned that merely downloading another’s data, without more, cannot constitute “damage” under the CFAA. We think that the complaint alleged more. Acrison alleged that the defendants exploited its passwords and login information to remotely access its servers at various times following the on-site hacking. It is not apparent to us that the defendants’ unauthorized remote access did not cause “impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). That is a factual question that is inappropriate to resolve at this early stage of the litigation. Because it is “not evident on the face of the complaint . . . at the motion to dismiss stage whether the discovery rule saves [Acrison’s] claims,” the District Court should have denied the motion to dismiss based upon the statute of limitations defense. Schmidt, 770 F.3d at 252; accord LabMD, 47 F.4th at 179 n.9; see also Fried v. JP Morgan Chase & Co., 850 6 F.3d 590, 605 (3d Cir. 2017) (reversing dismissal of complaint on ground of untimeliness because of a “factual question” that was “not clear from the face of the complaint”). We will also reverse the District Court’s order as to the remaining claims. The District Court dismissed Acrison’s conspiracy claim on the ground that it was time-barred and because it lacked a predicate violation of the CFAA. Because we will reverse the dismissal of the CFAA claim, we will likewise reverse the dismissal of the conspiracy claim. Finally, the District Court dismissed Acrison’s state-law claims by declining to exercise supplemental jurisdiction. Because we will revive the federal claims, we will also revive the state-law claims.2 III. For the foregoing reasons, we will reverse the District Court’s order granting the defendants’ motion to dismiss and remand for further proceedings. We have considered the defendants’ other arguments in favor of affirmance and are not persuaded. 2 7
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
