Are you liable if someone loses money because of your lousy data security? (No. 2)

I wish I had less FUD to offer, but this is a cautionary tale

A wealthy cryptocurrency investor lost $24 million to hackers, and, since it’s basically impossible to get the money back from whoever who stole it, he sued AT&T. Since hackers got access to his SIM card and phone number to ultimately steal funds, AT&T might be liable for some of the loss.

WHY THIS MATTERS: AT&T is a common carrier and subject to rules that most software engineers are not, yet still… the idea that someone can break the security of the software you write to access something else of value, say $24 million in someone else’s crypto, and that the victim can then, at least, attempt to hold you liable, is something you should, for sure be aware of. (That was a lot of commas!)

ACTION TO TAKE: very simple -- tighten up your security measures!!!

THE CASE: On August 15, 2018, attorneys for Mr. Terpin filed a lawsuit against AT&T in Los Angeles federal court (Terpin v. AT&T). In Terpin’s 69 page complaint, Terpin alleges, at a very high level, as follows:

  • Terpin is a high profile, well known, and wealthy crypto investor

  • his phone was hacked through a SIM fraud on June 11, 2017 

  • he went to an AT&T store in Puerto Rico (where he resides) and added the six digit extra security that everyone should add so people can’t (or shouldn’t be able to, as this case demonstrates) fake a SIM swap and gain control of your phone number to defeat two factor authentication mechanisms or impersonate you through your phone number

  • despite the fact that he added the extra security, somehow hackers went into an AT&T store in Connecticut and convinced the clerks to swap out the SIM card again (he seems to allege some kind of conspiracy with the complaint)

  • this time hackers got access to $24 million in cryptocurrency through his phone number within a short of period of time

  • Terpin alleged 16 reasons for the complaint (they’re called causes of action), everything from that the AT&T consumer agreement is unenforceable to California legal provisions, to traditional tort and contract claims

There hasn’t been a trial yet. Nobody knows whether AT&T will need to pay yet. Nobody knows if the allegations are true yet. However, we have an important ruling. 

AT&T asked Judge Wright in Los Angeles to throw the case out of court by filing a motion to dismiss. A motion to dismiss is a common, but drastic motion. It asks the judge to declare that, even if all the things that Terpin says are true, that he is not entitled to any money damages or other relief. 

In this case, Judge Wright denied most of AT&T’s motion. However, he did agree that, despite the 69-page complaint, Terpin did not explain how access to his phone number through the SIM card led to the $24 million dollar loss. The connection from the SIM swap to the loss was only implied in allegations.

The key paragraphs of the complaint seem to be around paragraphs number 72 to 79.  Paragraph 73, by way of example, reads as follows:

When Mr. Terpin’s telephone went dead [as a result of the SIM fraud swap] on January 7, 2018, he instantly attempted to contact AT&T to have the telephone number immediately canceled so that the hackers would not gain access to his Personal Information and accounts. Ignoring Mr. Terpin’s urgent request, AT&T failed promptly to cancel Mr. Terpin’s account, which gave the hackers sufficient time to obtain information about Mr. Terpin’s cryptocurrency holdings and to spirit off funds to their own accounts. Adding insult to injury, AT&T placed Mr. Terpin’s wife on endless hold (over an hour!) when she asked to be connected to AT&T’s fraud department while Mr. Terpin was furiously attempting to see what damage was being done to his accounts. Mr. Terpin’s wife never reached AT&T’s fraud department because it apparently does not work (or is unavailable) on Sundays. But the hackers work on Sunday!

In his opinion, Judge Wright has an interesting discussion about whether AT&T should or should not be liable on these facts, at least enough to give Terpin an opportunity to be proven (or disproven) at trial. 

AT&T argued it can’t be liable because the criminals who obtained access to the phone number and committed the actual fraud were the true (“intervening” in the terms of the law) cause of Terpin’s loss. Judge Wright disagreed by citing well known law that one can still be liable if he or she knows that, for whatever reason, it has opened up the possibility of criminal conduct. 

For example, if I leave my house unlocked and know there’s criminal activity happening inside, I could be liable if something bad happens. Here, AT&T already knew Terpin was a high profile target of fraud, and had been hacked before.

That said, Judge Wright DID agree that Terpin didn’t include enough facts to explain how the SIM fraud actually led to the $24 million loss.

The case isn’t over, however, because in motions to dismiss, usually the plaintiff has an opportunity to add additional facts (through an amended complaint) to keep the lawsuit alive. That’s exactly what happened here.

Among other things, it seems that Terpin needs to add some additional facts to allege how he believes the fraud took place once the hackers got access to Terpins’s phone number. Did they, for example, reset passwords and get access to two factor authentication? Did they use the number to send fake text messages? Did they call people and cause funds to get transferred? All legit questions that seem reasonable – at least at the trial level.

POLICY AND PRAGMATISM: remember, this isn’t a ruling whether one side or other is right or wrong according to Judge Wright. It’s an early procedural decision to decide whether the case should continue or not. In this case, Judge Wright (who must be always Wright – sorry) said he needs just a few more, specific, allegations to proceed. If this case is legit, I would assume plaintiffs DO have that information and can get to trial. If the case is not legit, then the procedural device serves its purpose.

WHAT THIS MEANS: even though Terpin needs to come up with some more facts, the logic of the case seems pretty clear. If your security measures fail, especially after you know that you’ve got a user who might be a target, you could be liable (or, at least, go to trial) for the harm that results from a breach as long as they can explain how the loss happened. There’s nothing specific to limit it to cell phone providers like AT&T at this point. I wish I had something less “FUDy” to give you on this, but this seems to be the upshot of the ruling.


Want to get this email every week day (mostly)?

If you think someone else might find it interesting, please forward!

LEGAL DISCLAIMERS AND OTHER MUMBO JUMBO: since this is a newsletter from an attorney, it is possible that this could be construed as attorney advertising (in blinking lights, of courts). I should also tell you that anything I say or opinions I offer in the list should never be construed as legal advice — even if you think the facts from some case or situation I discuss are pretty close to yours, small details make a big difference. And besides, since I’m just broadcasting information without seeing your individual situation, how could I possibly be giving you legal advice? Never forget the lesson of the Selfish Giant. And finally, my name is Michael Rice, I wrote this content, I’m licensed in California, and, with rare exception, can only work with clients in California.