SIM Swap Crypto Lawsuit Goes Forward in Los Angeles

Can AT&T be held liable for identity theft resulting from SIM swapping?

In June 2017, Michael Terpin, a prominent cryptocurrency trader from Puerto Rico, turned on his cell phone and found it didn’t work. Apparently, hackers had gone to various AT&T retail stores and tried to change his password almost a dozen times. After failing that, they were able to change the password remotely, take control of his phone number with a SIM swap, divert his calls, text messages and other information, and engage in identity theft. Once the hackers “became” Terpin, they convinced others to send cryptocurrency to the Terpin doppelganger, which they then were able to use themselves. AT&T cut off the hackers’ access and, at the request of the real Terpin, agreed to elevate his security by requiring a special PIN and validation to change any of the network or account settings. Yeah, right.

Some months later, a hacker went into an AT&T store in Norwich, Connecticut, and bribed an AT&T employee named “Jahmil Smith” to swap Terpin’s SIM settings to their phone—again allowing the hackers to “become” Terpin. The new Terpin doppelganger was able to reset passwords and steal SMS messages (the two bases for 2FA) and steal $24 million in cryptocurrency.

In August 2018, Terpin sued in federal court in Los Angeles (he owns a home in L.A.), not the unknown hackers, but AT&T. Terpin v. AT&T, (C.D. Ca, Dkt. No. 2:18-cv-06975-ODW-KS). He asked for compensation for the $24 million he lost and for punitive damages totaling $240 million. On Feb. 24, Judge Otis Wright II allowed the bulk of Terpin’s claims to go forward, mostly dismissing AT&T’s motion for summary judgment. This establishes a precedent that, at least in some cases, even when the carrier mandates that all disputes be arbitrated and where it expressly tells customers that it doesn’t guarantee that their information will not be shared, carriers can be liable when they permit their customer data to be hacked.

The Lawsuit

Terpin’s lawsuit against AT&T made several allegations: first, that the AT&T consumer agreement that absolves the company of responsibility and mandates arbitration is “unconscionable and contrary to public policy”; second, that AT&T released his information in violation of federal telecommunications privacy law; third, that AT&T defrauded him by concealing the SIM swap vulnerability in violation of California law; and a host of negligence and breach of contract claims, including breach of their own privacy policy.

The court held that Terpin had sufficiently pleaded that the SIM swap compromised 2FA and likely led to the theft of the cryptocurrency, and that he had established a “special relationship” between himself and AT&T sufficient to warrant a trial on whether AT&T owed “economic damages” for negligence or breach of contract. In particular, the court noted the express and implied promise by AT&T that it would protect Terpin’s data, noting that while “the contract entered into between the parties related only to mobile telephone services, Mr. Terpin was required to share his personal information with AT&T with the understanding that AT&T would adequately protect it, including the SIM card linked to his telephone number and personal data.” The court described this as an “exchange of personal information based on a promise of safekeeping.”

Do Something!

The Court also found significant Terpin’s claim that AT&T was aware of the problem of SIM swapping but did not act reasonably to warn or prevent the problem. It accepted, at least at the pleading stage, Terpin’s claim that AT&T was “[a]ware of the vulnerability of its customers in having their [p]ersonal [i]nformation stolen through SIM swapping,” but AT&T “has done nothing to prevent that practice, including enforcing its own privacy policy and adhering to its promises to provide special or additional protection to its customers’ accounts.” Again, the court didn’t decide whether these allegations were true, just that they were sufficient to set out a claim.

On the other hand, the court noted that Terpin did not assert that AT&T had an affirmative duty to tell people about the SIM swapping and related vulnerabilities and that the assertion that AT&T defrauded him by “concealing” this fact failed as a matter of law. The court observed that the consumer contract between him and AT&T contained language in which AT&T told customers that it “cannot guarantee that your Personal Information will never be disclosed in a manner inconsistent with [AT&T’s] Policy (for example, as the result of unauthorized acts by third parties that violate the law or this Policy).” In other words, well, we told you there might be a data breach or other attack on your information, so you were warned.

Privacy Policy: No Soup For You!

Courts sometimes interpret privacy policies as contracts, sometimes as mere policies. The same is true for other “clickwrap” or “browsewrap” contracts—Terms of Service, Terms of Use, etc. When they are interpreted as binding contracts, however, they have a unique quality. A contract is typically binding on both parties—in this case, AT&T and the customer. In fact, as long as the contract is “available” and able to be read, it’s binding on the customer whether they have read it or not. Because many of the terms of a cellphone contract are dictated by state laws, you often cannot read the entire contract until after you have bought the phone and signed up for service—but courts get around this by noting that you have a right to return the phone for a refund after you read the contract. In Terpin’s case, he asserted that AT&T breached its own privacy policy and its Code of Business Conduct. He argues that he relied on these policies in being willing to provide his personal data to AT&T.

This is where it gets weird. Like every non-lawyer human being on the planet, of course, Terpin did not read the contract before he bought the phone and entered into the service. Duh. And in many cases like this, courts have found that a person can’t argue “reliance” on terms of a contract they didn’t read. On the face of it, that makes sense—you can’t say, “The only reason I gave you my personal data is ‘cause you said you would protect it,” if you never read the policy. But it produces an absurd outcome—you are bound by the terms of the privacy policy they wrote, whether you read it or not, but they are only bound by it if you read it. At least if you allege that you relied on the promise. As the court noted, “Mr. Terpin does not allege that he actually read AT&T’s Privacy Policy or COBC, which makes Mr. Terpin’s allegation that he reasonably relied on the statements contained therein implausible.” The court similarly rejected Terpin’s claim that by using AT&T services he and AT&T entered into an “implied contract” that AT&T would adhere to the terms of the “Privacy Policy and COBC … to maintain the confidentiality and security of the Personal Information of Mr. Terpin.” The court found no “implied contract” to protect data. Finally, the court noted that to succeed in his claim for punitive damages against AT&T, he would have to show substantial misconduct not just by the AT&T employee at the Connecticut store but by an “officer, director, or managing agent” who either knew about or ratified the alleged wrongful conduct.

So it was a partial victory for both sides, but mostly for Terpin, who gets to pursue the case. The message for consumers appears to be that you are warned that SIM swapping is a problem, that it potentially compromises many types of 2FA and that anyone can become you—well, at least on the phone. If more people continue to lose more money and carriers are held liable, then maybe we can expect some technological countermeasures. Until then, watch this space.

Mark Rasch


Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.