Although it seems 2025 has just begun, the Second Circuit has been hard at work, generating over 300 decisions already in the year’s early months. The Second Circuit’s distinctive prolificity, as always, makes choosing cases to highlight in a short column no easy feat. A few recent exercises in statutory interpretation, however, caught this author’s eye. As discussed below, the court recently expounded on:
(1) When accessing information on a public website amounts to computer fraud;
(2) Whether a plaintiff can be time-barred from asserting statutory claims that, by presidential decree, never could be brought; and
(3) Whether meeting an exception under the Foreign Sovereign Immunities Act sounds the death knell for a claim of immunity by a foreign sovereign.
Accessing Information
United States v. Cuomo, 125 F.4th 354 (2025), involved a debt collector’s “skip tracing” scheme. “Skip tracing” is the process of locating debtors by obtaining their personal information, such as home address or place of employment. The defendant in Cuomo allegedly obtained debtors’ places of employment by submitting phony online applications for unemployment insurance through the New York unemployment insurance website. The defendant allegedly bypassed website identity verification measures by inputting the debtors’ Social Security numbers and utilizing fraudulent email addresses.
A jury found the defendant guilty of accessing information from a protected computer in violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. On appeal, the defendant argued that he did not access any computer “without authorization” or exceed “authorized access” as prohibited under the CFAA, because the websites were fully accessible to the public.
The Second Circuit (Judges Kearse, Park, and Pérez) rejected the argument and affirmed the conviction. Key for the court was the word “authorization” (not defined in the CFAA), a word of “common usage” which suggests “permission or power granted by authority.” The CFAA prohibits both accessing a computer “without authorization,” meaning that one cannot enter an entire computer system, as well as exceeding “authorized access” to certain areas within that system. Here, the website imposed “gates” around place of employment by requiring a verifiable email address and valid social security number to access that information. In other words, a user must be the actual person (not an imposter) to gain authorized access compliant with the CFAA.
International Affairs
Moving to international affairs, the statute at issue in Moreira v. Société Générale, S.A., 125 F.4th 371 (2025), was the Helms-Burton Act, 22 U.S.C. §§ 6021-6091, enacted by Congress in 1996 to provide redress for U.S. nationals with an interest in bank assets seized by the Cuban government. The statute allows aggrieved persons to bring suit against “any person” who “traffics” in such “confiscated” property. § 6082(a). However, the cause of action “may not be brought” over two years after the trafficking “ceased to occur” (§ 6084). And the statute empowers the president to “suspend” the right to sue in six-month intervals (§ 6085(c)), which presidents exercised uniformly for 23 years until the suspension was lifted in 2019. That prompted a wave of litigation, including the instant actions against two French banks.
The question on appeal was whether, despite being blocked for 23 years, plaintiffs’ claims were time-barred because they failed to allege trafficking in the two years prior to filing suit. The Second Circuit’s answer (Judges Jacobs, Sack, and Sullivan) was yes. There are two types of statutory time bars, the court explained: statutes of limitations, which may be “tolled” (or suspended) for equitable reasons, and statutes of repose, which cannot because their purpose is to protect a defendant’s right to be free from liability after a legislatively determined time.
Looking at the statute’s text, the court noted that that the Helms-Burton Act requires a claim to be brought within two years of the “trafficking” – i.e., “the last culpable act” – strongly indicating a statute of repose. The statute also provides that a claim “may not be brought” after two years, a phrase admitting of “no exception.” The court acknowledged that the result was perhaps unfair, blocking claims that never could be brought. That, however, is how a statute of repose is “supposed to operate.”
Sovereign Immunity
As for the liability of states and their instrumentalities, Schansman v. Sberbank of Russia PJSC, 128 F.4th 70 (2025), arose from the tragedy of Malaysia Airlines Flight 17, shot down in 2014 by the Donetsk People’s Republic (DPR), a Russia-backed terrorist group. The relatives of a deceased passenger brought suit under the Anti-Terrorism Act (ATA), 18 U.S.C. § 2331 et seq., against Sberbank, a Russia-based bank, alleging that it provided material support to the DPR by facilitating money transfers from donors based in the United States.
After suit was filed, Russia’s Ministry of Finance acquired a majority stake in Sberbank. Sberbank then moved to dismiss on immunity grounds under the ATA and the Foreign Sovereign Immunities Act (FSIA), 28 U.S.C. § 1602 et seq. The district court denied the motion, and the Second Circuit (Judges Walker, Cabranes, and Bianco) affirmed. Upon Russia’s acquisition of its shares, Sberbank became “an agency or instrumentality of a foreign state,” making it presumptively immune under the FSIA. But the FSIA contains an exception to immunity where an action is “based upon a commercial activity carried on in the United States” (§ 1605(a)). And Sberbank’s facilitation of money transfers to the DPR qualified as “commercial activity” because it was “a regular course of commercial conduct or a particular commercial transaction or act” (§ 1603(d)).
Sberbank also argued for immunity under the ATA, pointing to its broad immunity provision for any “foreign state” or “agency of a foreign state.” But the court refused to allow the ATA to override the FSIA’s commercial-activity exception. The FSIA, the court explained, is a “comprehensive” statutory scheme that establishes the legal standards governing immunity in every civil action against a foreign state or its instrumentalities. The court declined to disturb that “comprehensive” framework.
Conclusions
An oft-repeated maxim in the Second Circuit is that statutory interpretation “starts with the text,” and each of these decisions exemplifies that approach. In Cuomo, the court applied a common-sense meaning to the statutory word “authorization”: just because it is possible to access a computer through a public portal does not mean deceptive access is authorized. In Moreira, the court blocked plaintiffs’ claims even if the result was arguably unfair, because the statutory text left it with no choice. In Sberbank, the court allowed claims against a foreign instrumentality based on the plain language of the FSIA’s commercial-activity exception, while heeding the result mandated by the more “comprehensive” of two statutory schemes. As long as there are statutes, the spigot of statutory interpretation decisions will continue to flow in the Second Circuit.