The man dubbed by CNBC as the "Godfather of Crypto" has won a chance to move forward with a lawsuit under federal law against AT&T for allegedly failing to protect his private information, after a so-called "SIM swap" allegedly allowed hackers to clean out $24 million of cryptocurrency from his accounts.
On Sept. 30, a three-judge panel of the U.S. Ninth Circuit Court of Appeals sided with investor Michael Terpin that he should be allowed to sue the mobile wireless carrier for allegedly failing to live up to its obligations to him under a provision of federal law known as Section 222 of the Federal Communications Act.
In the ruling, the federal appeals judges agreed customers don't necessarily need to prove wireless carriers actually disclosed so-called customer proprietary customer information to be subject to a lawsuit under Section 222. Rather, it may be enough to show the company allowed hackers to access the information.
"... Section 222(b)(1) does not merely prohibit the use or disclosure of CPNI, it also prohibits 'permitting access to' CPNI," the judges wrote. "The FCC's rules implementing Section 222 likewise require that carriers 'take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.'
"Permitting 'access' to information is broader than disclosing it: access includes an 'opportunity' or 'ability to' obtain or use the information."
In this case, they said, AT&T must defend itself against Terpin's claims the company's alleged failure to prevent a hacker from seizing control of Terpin's communications violated its Section 222 obligations, just as if the hacker had walked into an AT&T store and "asked ... to print Terpin's recent call log and looked at the call log..."
"Our decision avoids this paradox," the judges wrote.
The decision revives a key piece of Terpin's lawsuit against AT&T.
The investor, who has amassed a fortune through promoting and investing in cryptocurrency, like bitcoin, has been in court against AT&T since 2018, when he first filed suit in Los Angeles federal court.
In that lawsuit, Terpin said AT&T owes him at least $24 million for allegedly allowing him to be victimized by a hacker.
According to court documents, in 2017, Terpin was the victim of a scheme in which a hacker and thief allegedly gained control of Terpin's communications through his mobile phone through a technique known as a "SIM swap." Under such a procedure, a hacker can replace a "subscriber identity module," or SIM card, in one mobile device with another, associated with a different number, to remotely gain control over another person's communications, as if they had stolen their phone.
According to court documents, a thief managed to use that technique to steal some of Terpin's cryptocurrency at that time.
According to court documents, AT&T allegedly agreed to provide Terpin with extra security protections over his devices and communications.
However, a year later, in 2018, court documents say Terpin suffered a theft of $24 million of his cryptocurrency when a man named Ellis Pinksy allegedly bribed a worker at an AT&T store, Jahmil Smith, to again "SIM swap" Terpin's device. Pinksy and an associate then allegedly reset Terpin's passwords to gain access to Terpin's accounts.
Terpin then sued AT&T, accusing the company of unlawful disclosure under Section 222, as well as other counts, including deceit by concealment, misrepresentation, negligence, negligent hiring, supervision and training and breach of contract.
Terpin sought the return of his $24 million, as well as $216 million in punitive damages.
Terpin also sued Pinksy and his accomplice separately, winning a $22 million judgment against Pinksy and $75 million against Pinksy's associate. Pinsky's associate was also criminally prosecuted.
In the suit against AT&T, an L.A. federal judge sided with the company on all counts, rejecting Terpin's punitive damages request and agreeing that "the SIM swap did not disclose any information that is protected under (Section 222)."
On appeal, the Ninth Circuit upheld most of the lower court's determinations, including the rejection of the punitive damages request.
But the Ninth Circuit judges said the lower court was wrong to block Terpin from suing under Section 222.
The panel noted that the "constrained" intepretation of Section 222 argued by AT&T and embraced by the lower court concerning CPNI would lead to "absurd results."
"AT&T contends that 'the only communications Terpin identifies are messages Pinsky requested and received [while] resetting various online passwords.' Thus, AT&T argues, because 'Terpin didn’t generate or request any of those messages,' there was 'no customer information for (Section 222) to protect,” Desai wrote.
"... Not so. Even if Pinsky fraudulently requested the password reset messages from Terpin’s accounts, the messages were intended for Terpin and sent to Terpin’s phone number. A hacker’s fraudulent use of a customer’s account does not transform the customer’s account into the hacker’s account.
"... Even though Pinsky requested the password reset messages, the messages were sent to Terpin’s AT&T phone number and thus were made available to AT&T 'solely by virtue of the carrier-customer relationship'" under Section 222, the judges said.
Both sides welcome the appellate ruling.
In a statement, Terpin's attorney Pierce O'Donnell, of the firm of Greenberg Glusker, of Los Angeles, hailed the ruling: “This is a major precedential decision of national significance. Rejecting all of AT&T's arguments, the Court of Appeal held that AT&T can be liable in damages under the Federal Communications Act when it allows a hacker to get into its system, access the customer's AT&T account, and steal the customer's private information or assets - in this case $24 million of cryptocurrency.
"The decision paves the way for our client to go to trial and hold AT&T accountable after more than six years of litigation. We look forward to asking a Los Angeles federal jury to award Mr. Terpin $24 million, plus at least $14 million of interest, plus his attorney's fees, for a total of at least $45 million.”
In a statement, an AT& T spokesperson said: “Fraudulent SIM swaps are a form of theft committed by sophisticated criminals and it is unfortunate that these criminals targeted Mr. Terpin. We are pleased that the appellate court agreed with us and dismissed nearly all of the claims in his lawsuit. We will continue to defend ourselves against the one remaining allegation in this case.”