NOT PRECEDENTIAL

UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT _____________

No. 22-3274 _____________

ACRISON, INC., Appellant

v.

ANTHONY M. RAINONE, an individual; BRACH EICHLER LLC, a New Jersey limited liability corporation; XCELLENCE, INC., directly and as successor-in-interest to RVM ENTERPRISES, INC., d/b/a Xact Data Discovery; JOHN P. MARTIN, an individual; JOHN DOES 1-10, unknown individuals; ABC COMPANIES 1-10, unknown entities _____________

On Appeal from the District Court for the District of New Jersey (D.C. Civil No. 2-22-cv-01176) District Judge: Honorable Kevin McNulty _____________

Submitted Pursuant to Third Circuit L.A.R. 34.1(a) November 14, 2023 _____________

Before: CHAGARES, Chief Judge, MATEY and FUENTES, Circuit Judges

(Filed: November 24, 2023) ____________

OPINION* ____________

CHAGARES, Chief Judge.

Acrison, Inc. filed a federal lawsuit against a law firm and a computer services

company alleging that they hacked into Acrison’s computers in connection with a state-

court lawsuit. The District Court ruled that Acrison’s federal claims were untimely and

declined to exercise supplemental jurisdiction over the remaining state claims. But the

District Court did not apply the legal standard that governs an affirmative defense at the

motion to dismiss stage. We apply that standard and conclude that it was not apparent on

the face of the complaint that Acrison’s federal claims were untimely. Thus, we will

reverse the District Court’s order and remand for further proceedings.

I.

We write primarily for the parties and recite only the facts essential to our

decision. Defendant Brach Eichler LLC is a law firm and defendant Xcellence, Inc.

(“XDD”) is a computer services company. Acrison alleged that Brach Eichler, XDD, and

others violated the law by hacking into Acrison’s computers in connection with a state-

court lawsuit. The state-court action involved a dispute between two brothers, Ron and

Ralph Ricciardi, who owned Acrison. Ralph, represented by Brach Eichler, filed a

lawsuit against Ron in September 2019 for corporate fraud, waste, misuse, and

* This disposition is not an opinion of the full Court and, pursuant to I.O.P. 5.7, does not constitute binding precedent.

2 misappropriation of corporate assets and opportunities. Acrison, a nominal defendant in

that lawsuit, counterclaimed against Ralph leveling similar accusations.

According to Acrison, the defendants hacked into Acrison’s computers without its

knowledge both before and during the state-court action. Brach Eichler allegedly

attempted to prevent Acrison from learning about the defendants’ clandestine activities

during discovery in the state-court action. By the end of 2020, however, the details of

defendants’ alleged hacking came to light. Acrison purportedly learned that Brach

Eichler had instructed XDD to enter Acrison’s office and create full forensic images of

Acrison’s computers and to recover passwords and login information so that it could later

remotely VPN access Acrison’s computers. Acrison moved for summary judgment and

sought dismissal of the state-court action based on this alleged discovery misconduct.

The parties eventually reached a settlement in the state-court action and stipulated to its

dismissal with prejudice in February 2022.

On March 3, 2022, Acrison filed a five-count lawsuit in federal court against the

defendants for: (1) violation of the Computer Fraud and Abuse Act (“CFAA”); (2)

conspiracy to violate the CFAA; (3) violation of the New Jersey Computer Related

Offenses Act; (4) trespass to personal property; and (5) conversion. The defendants

moved to dismiss these claims. The District Court found that Acrison’s CFAA claim was

barred by the law’s two-year statute of limitations and that the deadline should not be

equitably tolled. The District Court rejected Acrison’s conspiracy claim on similar

3 grounds. Finally, it declined to exercise supplemental jurisdiction over the remaining

state-law claims. Acrison timely appealed.

II.1

The CFAA is a federal computer-crime statute that also provides a private cause of

action for civil liability. Van Buren v. United States,

(2021). The

CFAA provides that a civil action must be brought: “within 2 years of [1] the date of the

act complained of or [2] the date of the discovery of the damage.”

(g).

The statute defines “damage” as “any impairment to the integrity or availability of data, a

program, a system, or information.”

§ 1030(e)(8).

The District Court found that Acrison could not satisfy the first prong of the

CFAA’s statute of limitations because it filed its lawsuit in March 2022, and the

defendants’ alleged conduct occurred in May 2018 and September 2019. It found that

Acrison could not satisfy the second prong because Acrison did not specifically plead

“damage” under the CFAA, and in any event, it was inadequately alleged.

The District Court employed an incorrect standard to assess the timeliness of

Acrison’s claims at this early stage of the litigation. A statute of limitations argument is

an affirmative defense. Schmidt v. Skolas,

(3d Cir. 2014). But it is

well established that “a complaint need not anticipate or overcome affirmative defenses.”

. Accordingly, we may consider a limitations defense at the motion to dismiss

stage only in the narrow circumstance when untimeliness is “apparent” on the face of the

1 We review a district court’s dismissal of a complaint under Federal Rule of Civil Procedure 12(b)(6) de novo. Schmidt v. Skolas,

(3d Cir. 2014).

4 complaint. LabMD Inc. v. Boback,

, 179 n.9 (3d Cir. 2022) (quoting

Robinson v. Johnson,

(3d Cir. 2002)); accord Bohus v.

Restaurant.com, Inc.,

, 923 n.2 (3d Cir. 2015).

Our decision in Schmidt is instructive. In that case, the plaintiff-shareholder

appealed the district court’s dismissal of his complaint on statute of limitations grounds.

Schmidt,

. The district court ruled that the plaintiff did not meet his

burden of establishing that the discovery rule applied to his fiduciary duty claims because

the complaint did not plead facts showing that he exercised reasonable diligence in

discovering his injury.

. We reversed, explaining that the district court’s

reasoning “effectively required [the plaintiff] to plead around an affirmative defense in

his complaint, which is inconsistent with Rules 8 and 12(b)(6).”

. We

concluded that dismissal was premature because “nothing in [the plaintiff’s] complaint

clearly suggests that he did in fact” discover the wrongdoing too late.

The District Court should not have placed the burden on Acrison to “sufficiently

plead later-discovered ‘damage’ in order to delay the onset of the limitations period.”

Appendix (“App.”) 21. Instead, as Schmidt illustrates, the burden is on the defendants to

establish that the complaint shows that Acrison’s claims are untimely. Applying that

standard, it is not apparent on the face of the complaint that Acrison did not file suit

“within 2 years of . . . the date of the discovery of the damage.”

(g).

Starting with “the date of the discovery,” the complaint alleged that Acrison

discovered the details of the defendants’ hacking by the end of 2020. We are inclined to

think that the clock started before then, because the discovery rule applies “even though

5 the full extent of the injury is not then known or predictable.” LabMD, 47 F.4th at 180

(citation omitted). That does not doom Acrison’s position, though, because the

defendants acknowledge that “the Complaint reveal[s] that Acrison was aware of the

alleged unlawful access as early as . . . March 17, 2020[.]” Appellees’ Br. 5; see also

Acrison Br. 5–6 (“Acrison began to detect clues to the defendants’ misconduct during the

discovery process, beginning on or about March 17, 2020[.]” (internal quotation marks

and citation omitted)). Because the federal lawsuit was filed on March 3, 2022 — just

shy of two years later — we hold at this juncture that it was timely.

We turn next to “the damage.” The District Court reasoned that merely

downloading another’s data, without more, cannot constitute “damage” under the CFAA.

We think that the complaint alleged more. Acrison alleged that the defendants exploited

its passwords and login information to remotely access its servers at various times

following the on-site hacking. It is not apparent to us that the defendants’ unauthorized

remote access did not cause “impairment to the integrity or availability of data, a

program, a system, or information.”

(e)(8). That is a factual question

that is inappropriate to resolve at this early stage of the litigation. Because it is “not

evident on the face of the complaint . . . at the motion to dismiss stage whether the

discovery rule saves [Acrison’s] claims,” the District Court should have denied the

motion to dismiss based upon the statute of limitations defense. Schmidt,

; accord LabMD, 47 F.4th at 179 n.9; see also Fried v. JP Morgan Chase & Co., 850

(3d Cir. 2017) (reversing dismissal of complaint on ground of untimeliness

because of a “factual question” that was “not clear from the face of the complaint”).

We will also reverse the District Court’s order as to the remaining claims. The

District Court dismissed Acrison’s conspiracy claim on the ground that it was time-barred

and because it lacked a predicate violation of the CFAA. Because we will reverse the

dismissal of the CFAA claim, we will likewise reverse the dismissal of the conspiracy

claim. Finally, the District Court dismissed Acrison’s state-law claims by declining to

exercise supplemental jurisdiction. Because we will revive the federal claims, we will

also revive the state-law claims.2

III.

For the foregoing reasons, we will reverse the District Court’s order granting the

defendants’ motion to dismiss and remand for further proceedings.

2 We have considered the defendants’ other arguments in favor of affirmance and are not persuaded.

7