Terpin 2020
Terpin 2020
Terpin 2020
1 O
2
3
4
5
6
7
8
United States District Court
9
Central District of California
10
11 MICHAEL TERPIN, Case No. 2:18-cv-06975-ODW (KSx)
12 Plaintiff,
13 ORDER GRANTING, IN PART, AND
v.
DENYING, IN PART,
14 AT&T MOBILITY, LLC, et al., DEFENDANT’S MOTION TO
15 DISMISS [33]
Defendants.
16
17 I. INTRODUCTION
18 Defendant AT&T Mobility, LLC (“AT&T”) moves to dismiss Plaintiff Michael
19 Terpin’s (“Terpin”) First Amended Complaint (“FAC”) (the “Motion”). (Mot., ECF
20 No. 33.) For the reasons that follow, the Court GRANTS, IN PART, AND DENIES,
21 IN PART, AT&T’s Motion.1
22 II. FACTUAL AND PROCEDURAL BACKGROUND
23 As previously set forth in the Court’s July 19, 2019 Order (“July Order”), (ECF
24 No. 29), granting in part and denying in part AT&T’s motion to dismiss the original
25 Complaint, Mr. Terpin is a prominent and well-known member of the cryptocurrency
26 community. (FAC ¶¶ 18–19, ECF No. 32.) He is domiciled in Puerto Rico with a
27
1
28 Having carefully considered the papers filed in connection with the Motion, the Court deemed the
matter appropriate for decision without oral argument. Fed. R. Civ. P. 78; C.D. Cal. L.R. 7-15.
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 2 of 15 Page ID #:757
1 residence in California. (FAC ¶ 1.) On June 11, 2017, Mr. Terpin’s phone suddenly
2 became inoperable because his cell phone number had been hacked. (FAC ¶ 83.)
3 After hackers attempted and failed eleven times to change Mr. Terpin’s AT&T
4 password in AT&T retail stores, the hackers were able to change his password
5 remotely. (FAC ¶ 83.) Mr. Terpin alleges that this allowed the hackers to gain
6 control of his phone number, which allowed them to divert his personal information,
7 including telephone calls and text messages, to gain access to his accounts that use his
8 telephone number for authentication. (FAC ¶¶ 83–84.) Mr. Terpin asserts the hackers
9 used his telephone number to access his cryptocurrency accounts and also
10 impersonated him by using his Skype account. (FAC ¶ 84.) By impersonating Mr.
11 Terpin, the hackers convinced one of Mr. Terpin’s clients to send them cryptocurrency
12 and diverted the cryptocurrency to themselves. (FAC ¶ 84.) Later that day, AT&T
13 was able to cutoff the hackers’ access to Mr. Terpin’s telephone number. (FAC ¶ 84.)
14 However, by this time, the hackers had stolen substantial funds from Mr. Terpin.
15 (FAC ¶ 84.)
16 Around June 13, 2017, Mr. Terpin met with AT&T representatives in Puerto
17 Rico to discuss the hack. (FAC ¶ 85.) AT&T allegedly promised to place Mr.
18 Terpin’s account on a “higher security level with special protection.” (FAC ¶ 86
19 (internal quotation marks omitted).) This included requiring a six-digit passcode
20 (known only to Mr. Terpin and his wife) of anyone attempting to access or change Mr.
21 Terpin’s account settings or transfer his telephone number to another phone. (FAC
22 ¶ 86.) Mr. Terpin maintains that he “relied upon AT&T’s promises that his account
23 would be much more secure against hacking, including SIM swap fraud, after it
24 implemented the increased security measures,” which led him to remain an AT&T
25 customer. (FAC ¶ 88.)
26 On Sunday, January 7, 2018, Mr. Terpin’s phone again became inoperable.
27 (FAC ¶ 91.) Mr. Terpin alleges that an employee at an AT&T store in Norwich,
28
2
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 3 of 15 Page ID #:758
1 Connecticut assisted an imposter with a SIM card swap.2 (FAC ¶¶ 90–91.) This
2 resulted in AT&T transferring Mr. Terpin’s phone number to an imposter. (FAC
3 ¶ 91.) Mr. Terpin alleges that when his phone became inoperable, he attempted to
4 contact AT&T to have his telephone number canceled, but AT&T failed to promptly
5 cancel his account. (FAC ¶ 93.) By having access to Mr. Terpin’s phone number, Mr.
6 Terpin alleges that “the hackers were able to intercept Mr. Terpin’s personal
7 information, including telephone calls and text messages, change passwords, access
8 programs and files and locate information that allowed them to gain access to his
9 cryptocurrency wallets and/or accounts.” (FAC ¶ 96.) Specifically, Mr. Terpin alleges
10 that the hackers used a cell phone with his telephone number to send “a password
11 reset request to [Mr. Terpin’s password protected] program or programs which then
12 sent a [2-Factor Authentication (“2FA”)] message to Mr. Terpin’s telephone number,
13 which was by virtue of the SIM swap in the hackers’ possession.” (FAC ¶ 92.) Mr.
14 Terpin further alleges that the hackers created new passwords, which allowed them to
15 “locate[] a file with confidential information to access Mr. Terpin’s [cryptocurrency]
16 wallets and/or accounts.” (FAC ¶ 92.) Mr. Terpin alleges that, as a result, between
17 January 7 and 8, 2018, the hackers stole nearly $24 million worth of cryptocurrency
18 from him. (FAC ¶ 91.)
19 On August 15, 2018, Mr. Terpin filed his Complaint asserting sixteen causes of
20 action. (See generally Compl., ECF No. 1.) AT&T moved to dismiss the Complaint
21 in its entirety, which the Court granted in part and denied in part, with leave to amend.
22 (See July Order.) On August 9, 2019, Mr. Terpin filed his FAC against AT&T
23 alleging nine causes of action for: (1) declaratory relief that AT&T’s consumer
24 agreement is unconscionable and contrary to public policy; (2) unauthorized
25 disclosure of customer confidential proprietary information, 47 U.S.C. §§ 206, 222;
26
2
27 Mr. Terpin alleges that “SIM swapping consists of tricking a provider . . . into transferring the
target’s phone number to a SIM card controlled by the criminal. Once they get the phone number,
28 fraudsters can leverage it to reset the victims’ passwords and break into their online accounts.”
(FAC ¶ 69.)
3
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 4 of 15 Page ID #:759
4
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 5 of 15 Page ID #:760
1 1025, 1031 (9th Cir. 2008). Leave to amend may be denied when “the court
2 determines that the allegation of other facts consistent with the challenged pleading
3 could not possibly cure the deficiency.” Schreiber Distrib. Co. v. Serv-Well Furniture
4 Co., 806 F.2d 1393, 1401 (9th Cir. 1986). Thus, leave to amend “is properly
5 denied . . . if amendment would be futile.” Carrico v. City and Cty. of San Francisco,
6 656 F.3d 1002, 1008 (9th Cir. 2011).
7 IV. DISCUSSION
8 A. Proximate Cause
9 AT&T first moves to dismiss the FAC on the basis that Mr. Terpin fails to
10 sufficiently allege proximate cause. (Mot. 5–10.) In its July Order partially
11 dismissing the initial Complaint, the Court concluded that Mr. Terpin “sufficiently
12 alleged that the [hacker/fraudster’s] criminal act was reasonably foreseeable”;
13 however, Mr. Terpin “fail[ed] to sufficiently allege proximate cause,” because he did
14 “not connect how granting the hackers/fraudsters access to [his] phone number
15 resulted in him losing $24 million.” (July Order 6.) The Court now finds that Mr.
16 Terpin has adequately pled proximate cause and, thus, the FAC survives AT&T’s
17 motion to dismiss on that basis.
18 “It is a well established principle of [the common] law that in all cases of loss,
19 we are to attribute it to the proximate cause, and not to any remote cause.” Bank of
20 Am. Corp. v. Miami, 137 S. Ct. 1296, 1305 (2017) (alteration in original) (internal
21 quotation marks omitted). “Proximate cause is that cause which, in natural and
22 continuous sequence, unbroken by any efficient intervening cause, produced the injury
23 [or damage complained of] and without which such result would not have occurred.”
24 California v. Superior Court, 150 Cal. App. 3d 848, 857 (1984) (alteration in original)
25 (internal quotation marks omitted). The proximate cause requirement “bars suits for
26 alleged harm that is ‘too remote’ from the defendant’s unlawful conduct.” Lexmark
27 Int’l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 133 (2014).
28
5
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 6 of 15 Page ID #:761
1 Mr. Terpin pleads sufficient facts in the FAC to allow the Court to plausibly
2 infer that the hackers’ access to Mr. Terpin’s phone number enabled them to steal his
3 cryptocurrency. Specifically, Mr. Terpin alleges that an AT&T agent named “Jahmil
4 Smith . . . was bribed by a criminal gang” to “fabricate information indicating that Mr.
5 Terpin visited [an AT&T] store and showed identification.” (FAC ¶¶ 8, 11.) Mr.
6 Terpin further alleges that Smith transferred a SIM card linked to Mr. Terpin’s phone
7 number to a telephone under the hackers’ control, which the hackers then used “to
8 intercept communications, including text messages, to reset passwords for Mr.
9 Terpin’s accounts” through 2FA methods. (FAC ¶¶ 11, 12.) Finally, Mr. Terpin
10 alleges the hackers employed 2FA “to access files under [his] accounts containing
11 confidential information,” used the confidential information to access his
12 cryptocurrency wallets and/or exchanges, and transferred funds to cryptocurrency
13 wallets and/or exchanges under the hackers’ control. (FAC ¶¶ 8, 12.)
14 AT&T contends that Mr. Terpin does not plead any facts to support the assertion
15 that 2FA was involved here because if, “for example, Mr. Terpin stored his
16 cryptocurrency in an online wallet and that wallet provider does not employ two-
17 factor authentication . . . the SIM swap would have little, if any, role in the alleged
18 cryptocurrency theft.” (Mot. 8.) However, Mr. Terpin does not allege the hackers
19 used 2FA methods to crack his cryptocurrency accounts; rather, Mr. Terpin alleges the
20 hackers used 2FA methods to access other programs and files containing “confidential
21 information” that enabled the hackers to crack his cryptocurrency accounts. (See FAC
22 ¶¶ 8, 11, 12, 91, 92.) AT&T disputes the sufficiency of this allegation because Mr.
23 Terpin does not identify the specific “accounts” where he kept his confidential
24 information. (Mot. 6–7.) The Court finds this allegation adequate, however, because
25 Mr. Terpin alleges sufficient facts for the Court to reasonable infer the hackers may
26 have used 2FA methods to glean Mr. Terpin’s personal information from various
27 accounts, such as email or cloud storage. (See FAC ¶¶ 12, 64, 92.) At this stage, Mr.
28 Terpin is not required to reconstruct the precise sequence of the hack, but rather,
6
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 7 of 15 Page ID #:762
23 Id. at 804. All six factors must be considered by the court and the presence or absence
24 3
In his Opposition, Mr. Terpin attempts to fashion his third cause of action—deceit by
25 concealment—into a fraudulent inducement claim in order to except it from the economic loss rule.
(See Opp’n to Mot. (“Opp’n”) 15–16, ECF No. 34.) Because Mr. Terpin has not properly pled a
26 fraudulent inducement claim in the FAC, the Court declines to address whether it is subject to the
27 economic loss rule. Schneider v. Cal. Dep’t. of Corr., 151 F.3d 1194, 1197 n.1 (9th Cir. 1998) (“In
determining the propriety of a Rule 12(b)(6) dismissal, a court may not look beyond the complaint to
28 a plaintiff’s moving papers, such as a memorandum in opposition to a defendant’s motion to
dismiss.”).
7
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 8 of 15 Page ID #:763
1 of one factor is not decisive. Kalitta Air, LLC v. Cent. Tex. Airborne Sys., Inc., 315 F.
2 App’x 603, 605–06 (9th Cir. 2008).
3 Applying these factors, the Court previously found that Mr. Terpin failed to
4 plead facts showing that he had a special relationship with AT&T. Specifically, the
5 Court noted that Mr. Terpin had sufficiently alleged “that it was foreseeable that [he]
6 would suffer injury if AT&T did not protect his personal information” and “the degree
7 of certain[ty] of his injury” but Mr. Terpin had not adequately pleaded “the extent to
8 which the transaction was intended to benefit [him], the closeness of the connection
9 between AT&T’s conduct and the injury suffered, the moral blame attached to AT&T’s
10 conduct, or the policy of preventing future harm.” (July Order 14.)
11 In an effort to satisfy the first, and fourth through sixth J’Aire factors, Mr.
12 Terpin now alleges that: (1) Mr. Terpin had a contract with AT&T for the provision of
13 mobile telephone services, including the ability to make telephone calls, receive text
14 messages, access the Internet, send e-mails, and use a variety of other applications,
15 which required Mr. Terpin to provide AT&T with his personal information;
16 (2) AT&T’s lack of adequate security measures proximately caused Mr. Terpin’s
17 damages; (3) AT&T’s conduct warrants moral blame because AT&T promised to
18 secure Mr. Terpin’s personal information; and (4) holding AT&T accountable will
19 require AT&T and other telecommunication companies to provide reasonable, reliable,
20 and industry-standard security measures. (FAC ¶¶ 52–58, 100–06.)
21 First, although the contract entered into between the parties related only to
22 mobile telephone services, Mr. Terpin was required to share his personal information
23 with AT&T with the understanding that AT&T would adequately protect it, including
24 the SIM card linked to his telephone number and personal data. Here, the Court finds
25 that this exchange of personal information based on a promise of safekeeping is
26 sufficient to satisfy the first J’Aire factor. See, e.g., In re Yahoo! Inc. Customer Data
27 Sec. Breach Litig., 313 F. Supp. 3d 1113, 1132 (N.D. Cal. 2018) (finding the J’Aire
28 exception applied in part because plaintiffs were required to turn over their personal
8
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 9 of 15 Page ID #:764
9
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 10 of 15 Page ID #:765
10
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 11 of 15 Page ID #:766
11
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 12 of 15 Page ID #:767
1 would require a six-digit passcode before allowing changes to his account. See
2 Tarmann v. State Farm Mut. Auto. Ins. Co., 2 Cal. App. 4th 153, 158–59 (1991)
3 (holding that intentional misrepresentation claim based on a false promise requires
4 plaintiff to plead that “the promisor did not intend to perform at the time he or she
5 made the promise and that it was intended to deceive or induce the promisee to do or
6 not do a particular thing.”); see also Las Palmas Assocs. v. Las Palmas Ctr. Assocs.,
7 235 Cal. App. 3d 1220, 1238 (1991) (“A promise to do something necessarily implies
8 the intention to perform, and, where such an intention is absent, there is an implied
9 misrepresentation of fact, which is actionable fraud.”). Therefore, Mr. Terpin’s
10 allegations fall short of pleading actionable fraud.
11 Because Mr. Terpin fails to allege knowledge of falsity and justifiable reliance,
12 the Court GRANTS AT&T’s motion to dismiss the fourth claim, with leave to
13 amend in the event Mr. Terpin can plead that he actually relied upon the statements in
14 AT&T’s Privacy Policy and COBC or that AT&T never intended to adhere to its
15 heightened security protocols. See Leadsinger, Inc. v. BMG Music Publ’g, 512 F.3d
16 522, 532 (9th Cir. 2008) (ruling leave to amend proper when amendment is not futile).
17 E. Breach of Implied Contract (Claim 9)
18 AT&T renews its motion to dismiss Mr. Terpin’s claim for breach of implied
19 contract on the basis that he failed to sufficiently plead conduct that could manifest
20 agreement to particular terms of an implied contract. (See Mot. 16–18.)
21 In California, the elements of a claim for breach of an express or implied
22 contract are the same. Gomez v. Lincare, Inc., 173 Cal. App. 4th 508, 525 (2009). To
23 state a claim for breach of an implied contract, a plaintiff must allege facts sufficient
24 to establish: (1) the existence of a contract; (2) performance by the plaintiff or excuse
25 for nonperformance; (3) breach by the defendant; and (4) damages. First Commercial
26 Mortg. Co. v. Reece, 89 Cal. App. 4th 731, 745 (2001). In an implied contract, the
27 existence and terms of the contract are manifested by the parties’ conduct. Cal. Civ.
28 Code § 1621.
12
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 13 of 15 Page ID #:768
1 Mr. Terpin pleads his breach of implied contract claim as an alternative to his
2 breach of contract claim. (FAC ¶ 202.) He realleges that AT&T breached the implied
3 contracts “by failing to adhere to the terms of the applicable Privacy Policy and
4 COBC . . . to maintain the confidentiality and security of the Personal Information of
5 Mr. Terpin.” (FAC ¶ 203.) However, Mr. Terpin fails again to sufficiently allege the
6 parties’ conduct that forms the basis of the implied contract. The Court previously
7 found Mr. Terpin’s allegation that his “opening of an AT&T wireless account . . .
8 created implied contracts” too conclusory to state a claim. (July Order 15.) Mr.
9 Terpin now alleges in his FAC that “the opening of and the ongoing and continued use
10 of an AT&T wireless account by Mr. Terpin created . . . implied contracts.” (FAC
11 ¶ 202.) This allegation is equally insufficient to state a valid claim for breach of
12 implied contract.
13 Accordingly, Mr. Terpin’s ninth claim is DISMISSED with prejudice.
14 F. Punitive Damages
15 Mr. Terpin seeks punitive damages in connection with his claims for deceit by
16 concealment (Claim 3), misrepresentation (Claim 4), negligence (Claim 5), negligent
17 supervision and training (Claim 6), and negligent hiring (Claim 7). (FAC ¶¶ 149, 156,
18 166, 179, 192.) AT&T argues that Mr. Terpin has not adequately pleaded that he is
19 entitled to punitive damages. (Mot. 19–21.)
20 AT&T advances two arguments in support of dismissal of Mr. Terpin’s claims
21 for punitive damages. First, AT&T argues that Mr. Terpin has not alleged that an
22 officer, director, or agent of AT&T committed or ratified an oppressive, fraudulent, or
23 malicious act. Second, AT&T argues that Mr. Terpin’s negligence claims are
24 ineligible for punitive damages.
25 By statute, where a plaintiff proves “by clear and convincing evidence that the
26 defendant has been guilty of oppression, fraud, or malice, the plaintiff, in addition to
27 the actual damages, may recover [punitive] damages.” Cal. Civ. Code § 3294(a).
28 Nevertheless, a corporate entity cannot commit willful and malicious conduct; instead,
13
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 14 of 15 Page ID #:769
14
Case 2:18-cv-06975-ODW-KS Document 37 Filed 02/24/20 Page 15 of 15 Page ID #:770
1 V. CONCLUSION
2 For the reasons discussed above, the Court GRANTS, IN PART, and
3 DENIES, IN PART, AT&T’s Motion to Dismiss (ECF No. 33). Mr. Terpin may
4 amend the FAC to address the deficiencies identified above within twenty-one (21)
5 days from the date of this Order.
6
7 IT IS SO ORDERED.
8
9 February 24, 2020
10
11 ____________________________________
12 OTIS D. WRIGHT, II
UNITED STATES DISTRICT JUDGE
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
15