APA Comments
Reply Comments in Protecting Consumers from SIM-Swap and Port-Out Fraud (FNPRM)
WC 21-341 (Feb. 2024)
Before the
FEDERAL COMMUNICATIONS COMMISSION
Washington, DC 20554
In the Matter of Protecting Consumers from SIM-Swap and Port-Out Fraud
WC Docket No. 21-341
REPLY COMMENTS ON
REPORT AND ORDER AND
FURTHER NOTICE OF PROPOSED RULE MAKING
by
Electronic Privacy Information Center (EPIC)
National Consumer Law Center (NCLC), on behalf of its low-income consumers,
Consumer Action
Consumer Federation of America
National Association of Consumer Advocates
National Consumers League
Public Knowledge and
U.S. Public Interest Research Group
Submitted February 12, 2024
I. Introduction and Summary
The Electronic Privacy Information Center (EPIC), the National Consumer Law Center (NCLC), on behalf of its low-income consumers, Consumer Action, Consumer Federation of America, the National Association of Consumer Advocates, National Consumers League, Public Knowledge, and U.S. Public Interest Research Group file these reply comments to applaud the Federal Communications Commission (“Commission” or “FCC”) for its response to carrier vulnerabilities leading to SIM swap and port-out fraud, and to support the agency’s new rules and proposals while urging additional measures.[1] These comments are intended to supplement the initial comments filed by EPIC.[2]
We applaud the Commission’s restrictions against patently insecure methods of authentication[3] and its emphasis that SMS-based authentication is not a safe harbor.[4] We are hopeful that the Commission’s new requirement that carriers evaluate the effectiveness of their authentication methods every year might eventually improve cybersecurity practices to the benefit of consumers.[5] But we are not persuaded that, absent clear liability for failing to adopt effective measures, carriers will succeed in eliminating SIM swap and port-out fraud.
The Commission has already recognized the danger of potentially life-altering financial losses that are caused by these frauds: “Once a fraudulent SIM swap or port-out request has been completed, the bad actor has acquired the means to take control of many more of the victim’s accounts, which can result in substantial harm to the customer.”[6] And Chairwoman Rosenworcel pointed out that “For many of us, these devices are internet gateways to our bank accounts, health records, social media profiles, and more.”[7] Additionally, according to the FBI, losses to consumers from SIM swap and port-out frauds were more than double losses from ransomware in 2022: $72 million in losses compared to $34 million for ransomware.[8] Given the number of cases initiated in the courts in 2023,[9] we believe it is likely that the 2023 numbers will be much higher.
SMS-based two-factor authentication (2FA) is the most widely used method of 2FA, with many large websites offering no other alternative.[10] Users consistently pick SMS-based 2FA because of its usability and their familiarity with texting, even when presented with demonstrably more secure options.[11] The Cyber Safety Review Board (CSRB)—recognizing that the providers are not taking sufficient care to prevent fraud—has called explicitly for the Commission to “incentivize better security at telecommunications providers by enacting penalties for fraudulent SIM swaps or lax controls.”[12]
Given the urgent need to create meaningful incentives to drive carrier behavior, we do not believe that the measures proposed in the recent order will meaningfully impact the rise in SIM swap attacks. And the threat of individual, occasional enforcement actions from the Commission clearly does not adequately drive carrier behavior, as otherwise these problems would not be so severe today. The best incentive would be the threat of having to cover the financial losses suffered by consumers from fraudsters accessing their private information through the carrier’s network. More importantly, ensuring that harmed consumers are able to recover their losses from the carriers responsible for them is both vital and fair. The carriers are the only parties in these frauds that have the means to protect consumers from losses.
The Commission reiterates its “request for comment on whether there are any additional requirements the Commission should consider that would help protect customers from SIM swap or port-out fraud or assist them with resolving problems resulting from such incidents.”[13] We offer two suggestions here. The Commission should state there is a presumption of carrier liability in SIM swap and port-out fraud contexts and should prohibit carriers from using binding pre-dispute arbitration clauses to avoid facing consumer victims in court for claims arising from these attacks.
We additionally offer comment on the scope of the Commission’s legal authorities and on carriers equipping consumers to protect themselves via timely fraud alerts.
II. The Commission should incentivize carriers to prevent SIM swaps and port-out fraud by specifying that failure to do so violates Sections 222 and 201(b) and that carriers are fully responsible for SIM swaps by their employees.
Regulation premised on providers having the flexibility to solve a problem is only effective if providers are held liable when their methods fail. Allowing flexibility without accountability for falling short is no different from the absence of regulation. The harms identified in this docket cannot happen unless and until the carrier enables a swap. The causal chain could not be clearer, and the harms to consumers grow demonstrably worse with each year.[14]
The Commissioners have recognized that phone companies are essentially custodians not only of their consumers’ information but also of their subscribers’ ability to digitally authenticate themselves.[15] And yet at the same time, carriers continue to claim in federal court cases that they should not be held to account for their security failures that lead directly to significant consumer losses. They argue that their terms of service immunize them from any responsibility for these harms,[16] that there is no violation of Section 222,[17] and that Title II doesn’t even apply[18]—despite being the least-cost and most capable avoiders and having an explicit statutory duty to protect the information of their subscribers since at least as early as 1996.[19]
The Commission’s proposed rule would state that compliance with its baseline rules is not a safe harbor and that customers are still able to pursue any existing remedies.[20] These are appropriate provisions to adopt, but the Commission needs to do more: it should clearly articulate that failing to prevent a SIM swap or port-out fraud violates Section 222.[21] It should do so by clarifying[22] that failing to prevent a SIM swap or port-out fraud is a violation of Section 222 (and has been since at least as early as 2007), as it is demonstrably a failure to protect the consumer’s proprietary information.[23] Alternatively, the Commission could clarify that it is a violation since the Commission’s 2013 declaratory ruling, cited to in its recent enforcement advisory.[24]
We also encourage the Commission to state its finding that failure to prevent a SIM swap or port-out fraud is also a violation of Section 201(b) in the main body of its Report and Order, rather than only stating it in the legal authorities section of its order.[25] The Commission indirectly addressed SIM swapping and port-out fraud potentially constituting a 201(b) violation in its recent enforcement advisory but does not explicitly state that a SIM swap or port-out fraud inherently constitutes a 201(b) violation.[26]
The dates at which carriers first incurred these obligations are likely to be relevant to consumers litigating claims against carriers for their losses.[27] So we encourage the Commission to be mindful about what it calls a new rule or a new obligation, as opposed to clarifying an existing obligation.
While we are encouraged that the Commission is paying attention to this issue, we are deeply concerned about its approach. More than 15 years ago the Commission explained that “adoption of the rules in this Order does not relieve carriers of their fundamental duty to remain vigilant in their protection of CPNI [Customer Proprietary Network Information], nor does it necessarily insulate them from enforcement action for unauthorized disclosure of CPNI.”[28] Since 2007, pretexting-based breaches have impacted millions of phone subscribers.[29] The highest-profile Notices of Apparent Liability (NALs) remain uncollected by the Commission four years later.[30] Saying very nearly the same thing in 2024—after years of DOJ reporting on the actual (and growing) harms of SIM swapping[31] and CISA calling explicitly for the Commission to “incentivize better security at telecommunications providers”[32]—is unlikely to influence carrier behavior now when it has not to date.
As we have argued in the robocall context, carriers are in a position to stop these scams, but they need a financial incentive to do so—one that does not look at what carriers say they will do, nor even whether they fulfill those promises, but rather at the results.[33] Although the Commission has declined to independently impose liability for all consumer losses (while preserving any existing remedies consumers may be entitled to),[34] we urge the Commission to learn from the mistakes of 2007 and to heed the advice of the national coordinator for critical infrastructure security rather than diverting from its guidance and lowering the cybersecurity bar.[35] The Commission should be explicit about how its authority applies and what violations a private litigant might consider bringing. As Sen. Lindsey Graham has recently observed in the context of dangerous products: “Either allow lawsuits, have statutory protections to protect consumers, or you have a commission to regulate the industry in question to take your license away.”[36] If the Commission is not going to bring enforcement actions and collect on the NALs it issues, it must do more to allow the harmed consumers to achieve meaningful relief for themselves. Allowing consumers to obtain redress would create meaningful incentives for carriers to improve their cybersecurity posture.
Similarly, in its Report and Order, the Commission also declines to specify that wireless providers are “fully responsible for any abuse committed by its employees,” but clarifies that this does not absolve wireless providers of any liability that already exists.[37] Given how prevalent employee access is in successful SIM swap and port-out attacks,[38] the Commission should do more to incentivize carriers to fix this obvious lever favored by threat actors.[39] Again, holding the providers responsible while giving them the flexibility to correct the problem as they see fit would resolve this, but merely giving them flexibility without accountability is tantamount to the absence of regulation.
III. The Commission has the authority to ban forced arbitration and should do so in the context of SIM swaps.
In the absence of any Commission enforcement actions for these violations to date and in light of the possibility of future periods of constrained Commission enforcement, the Commission must do more to empower consumers to obtain redress themselves.[40] To this end, we urge the Commission to protect consumers from pre-dispute mandatory arbitration clauses, which are routinely included in carrier agreements with consumers. Forced arbitration provisions undermine industry incentives to comply with regulations and other requirements; formal studies have shown the negative impact of arbitration on consumer outcomes.[41] We include in the category of forced arbitration those mandatory arbitration provisions that allow for opt out only within a limited time period.[42] The Commission should prevent carriers from using or attempting to use contractual clauses to force victims of SIM swap or port-out fraud into arbitration rather than litigation in federal court when seeking recovery for their losses.[43]
Consumers should be able to choose whether or not to opt for arbitration, and to make that choice after the dispute arises.[44] It is very difficult for the average phone subscriber to opt out of arbitration provisions in their carrier’s terms of service.[45] Especially as relates to arbitration, this contract language is infamously difficult to understand.[46] As a result, in many cases consumers, through a form contract to which they do not meaningfully consent, lose virtually all access to the public court system.[47] This result produces what one commentator called the “anti-democratic consequences of mandatory arbitration.”[48]
Because the arbitration process is private, it typically favors the industry. Arbitrators serving on panels are often industry friendly; the governing rules of the major arbitration providers only permit limited discovery; typically there is no decision explaining the findings; and there are no rights of appeal, no matter how egregious the misapplication of the law may have been.
a. Class actions are a vital mechanism for subscribers to safeguard their interests against better-resourced carriers.
Class actions are an important leveler between individually aggrieved consumers and large corporations, such as carriers. Forced arbitration generally denies subscribers this avenue. Additionally, forced arbitration has several procedural deficiencies compared to litigation, such as diminished discovery, no right to a jury, and limited appealability.
When a business victimizes a large number of consumers, but individual injuries are relatively small, class actions in court or arbitration often provide the only effective way for consumers to vindicate their rights. Individual phone subscribers often lack the resources to bring complex privacy, data security, and/or cybercrime claims individually, meaning barring class actions through arbitration provisions may render consumer relief practically unavailable.[49] Even arbitration itself may be prohibitively expensive for the average consumer.[50] The vast majority of arbitration clauses used in consumer contracts explicitly prohibit consumers from bringing or participating in class actions either in court or in arbitration.[51] According to the CFPB’s study, across all of the products studied, between 85 and 100% of arbitration clauses included such prohibitions.
After reviewing the use of forced arbitration over a three-year period, the Consumer Financial Protection Bureau concluded in its March 2015 study that the consequences of “class waiver” provisions are particularly dire. By contrast to consumer arbitration—which rarely occurs and, when it does occur, generally proceeds on an individual basis—consumers fare relatively well in class litigation. Consumers recover significant amounts in affirmative relief in class litigation. The CFPB study found that in 419 federal consumer class action settlements “the annual average of the aggregate . . . [financial recovery for consumers] was $540 million per year. This estimate covers, for settlements approved between 2008 and 2012, more than $2 billion in cash relief including fees and expenses and more than $600 million in in-kind relief.”[52]
One of the leading corporate proponents of forced arbitration has openly stated that arbitration strips consumers of familiar protections: “Arbitration materially changes the dispute resolution rules that consumers and borrowers are accustomed to: there is no right to a jury trial, pre-hearing discovery is limited, class actions are eliminated and appeals are severely circumscribed.”[53] The general counsel of Automotive Compliance Consultants asserted that in car dealership contracts “the purpose of an arbitration agreement is to keep a customer’s suit against a dealership from becoming the basis for a class action.”[54]
b. Arbitration generally eliminates consumers’ fundamental ability to protect their own interests.
Arbitrations are seriously flawed. The arbitrators are often biased against consumers. The process is secret, and normal rules of discovery and evidence do not apply, subject to the arbitrator’s discretion (making potential bias an even bigger concern). The lack of a resulting body of precedent, the impaired ability to appeal arbitration decisions, and the lack of arbitrator accountability further exacerbate the risk of unfairness to consumers.
Bias. In arbitration forums, the arbitrators are chosen by the parties, which rewards those arbitrators who favor industry. An individual consumer will be unlikely to appear again, but the industry will often be choosing an arbitrator. This causes arbitrator bias against consumer interests. Private arbitration companies compete to be selected by corporations in their standard form contracts with consumers and employees, which means there is competitive pressure to side with corporations, or risk a different arbitrator being chosen. As one troubling example of caving to market pressure:
Declaring that contractual restrictions on class suits are “inappropriate,” JAMS announced in 2004 that it would start to “ensure fairness” by ignoring such prohibitions and letting class arbitrations go forward. But then Citibank, Discover Card and American Express fought back, writing JAMS out of their arbitration accords. Within months, JAMS reversed itself. . . .[55]
Juries often sympathize with a victimized consumer, and so access to a jury may be the difference between winning and losing the case and may also substantially affect the amount of any award.[56] Arbitrators, on the other hand, typically handle disputes between two businesses, and are most frequently drawn from law firms that largely represent corporate defendants. As one commentator concluded: “Sending a case to arbitration not only deprives the claimant of a jury trial but also deprives society of the jury’s role as enunciator of behavioral norms.”[57] A study of cases filed with the American Arbitration Association (AAA) found that consumers “won” only 35% of cases filed with AAA, but even when they did prevail their recoveries were limited to, on average, just 19% of the monetary demand.[58]
Secrecy. Arbitrations are secret, so consumers are unable to use other claims and judgments to show the degree of carrier fault. Concerns with secrecy in arbitration include exacerbating information asymmetry between carriers and subscribers, and obstructing competition in the market as subscribers are bound by confidentiality provisions and can’t alert other consumers or prospective consumers about the businesses’ practices and how the business conducts itself during arbitration. Secrecy tends to reduce the ability of consumer attorneys to effectively represent their clients.[59] Secrecy also makes it harder to evaluate whether a given arbitration service provider is exhibiting bias in favor of corporate defendants or not.[60] One federal court has given a concrete illustration of the social significance of such a confidentiality provision:
The implications of such secrecy to society are troubling. Among many others, they mean that if consumers obtain determinations that a particular AT&T practice is unlawful, they are prohibited from alerting other consumers. Since the AAA does not require the arbitrator to state reasons for the award and does not provide a public record of arbitrator rulings, this confidentiality provision means that a contract that affects seven million Californians will be interpreted largely without public scrutiny. This puts AT&T in a vastly superior legal posture since as a party to every arbitration, it will know every result and be able to guide itself and take legal positions accordingly, while each class member will have to operate in isolation and largely in the dark.[61]
Secrecy also undermines the public function of litigation: “By closing off access to proceedings, eliminating judicial precedent, and allowing parties to write their own laws, we compromise society’s role in setting the terms of justice.”[62] Secret dispute resolution therefore harms the free market, because market participants—like shareholders, investors, and large corporate consumers—do not have an opportunity to learn about how the companies with which they do business resolve disputes with consumers and employees.[63]
No Rules of Evidence. Arbitrators are not required to follow rules of evidence,[64] and while discovery must be permitted in arbitration, the arbitrator can determine the scope of discovery, including restricting depositions and testifying witnesses.[65] Lack of robust discovery coupled with confidentiality provisions means that there will not be the same public exposure of the nature of the company’s practices as with a monetary verdict.[66] Restrictions on discovery also mean that consumers may not be able to determine if a practice is part of a more general pattern. Not only is this critical information in any case seeking punitive damages, but it could also result in an individual case expanding into a class action. Limiting discovery in a case to basic document production also makes it difficult for individual consumers to prove their individual claims.[67] In the majority of “David versus Goliath” disputes, only the larger party will have access to relevant data about, for example, the company’s historical practices. Without discovery, the individual consumer has no access to that information.[68]
Limited appeals. There are other reasons that counsel against arbitration: for example, unlike litigation, arbitration is unlikely to create precedent and offers limited ability to appeal. “Arbitrators have no obligation to the court to give their reasons for an award,”[69] and it is common for arbitrators to provide no written explanation for their decisions.[70] This prevents the public from understanding how these decisions are made, makes it harder to seek judicial review, and renders awards unpredictable and inconsistent as there is no robust body of precedent to rely upon.[71] Because the FAA provides the consumer with a sharply circumscribed ability to appeal the decision maker’s erroneous interpretation of the law,[72] arbitrators may effectively ignore state or federal consumer protection statutes and judicial precedent.[73] Arbitration has come under significant criticism for the lack of quality control inherent in many arbitral fora.[74] The lack of an appeals process means that even grossly erroneous applications of the law are generally binding.[75] “[U]nlike a judge, an arbitrator is neither publicly chosen nor publicly accountable.”[76]
Industry still uses the courts. Evidence of corporations’ true motivations in requiring binding arbitration is demonstrated by their reactions when forced to arbitrate claims they would prefer to bring in court. Arbitration clauses may force the consumer to arbitrate while, as a practical matter, leaving the company the option to go to court in those cases when the company would be likely to sue the consumer. In the words of one commentator, the rhetorical question then becomes: “If arbitration—in particular, the arbitration system you have—is so great, why are you imposing it on your customers/employees while reserving to yourself the option of avoiding that arbitration system and pursuing litigation?”[77] Similarly, a study looked at whether corporations included arbitration clauses in their contracts with other companies. Only 11% of such contracts had an arbitration requirement, in contrast to dramatically higher numbers in the corporation’s contracts with consumers, indicating that corporations do not view arbitration as an efficient substitute for court litigation when their own rights are at stake.[78] Interestingly, recent studies have also shown that corporate counsel are increasingly dissatisfied with arbitration even for the commercial disputes that arbitration was initially designed to streamline.
One publication for in-house counsel notes that arbitration is not significantly less expensive and time-consuming than litigation, and expresses concerns about arbitrators’ competence and neutrality.[79] Another example of corporate hypocrisy is that AT&T Mobility went to the United States Supreme Court to force its customers to resolve disputes through individual arbitration.[80] But shortly after the company’s victory in the Supreme Court—and as it began to move forward with a merger with T-Mobile—AT&T Mobility filed suit in eight federal courts seeking to block individual customer-initiated arbitration proceedings that could prevent the merger.[81] It would prefer, apparently, to proceed in court.
As NCLC has argued in the context of the Commission’s data breach rule,[82] the FCC has the authority to ban forced arbitration under § 201 of the Communications Act. That section requires all practices in connection with communications service to be just and reasonable, and any practice that is unjust or unreasonable is prohibited. It further gives the FCC authority to prescribe regulations that are necessary in the public interest to carry out such provisions. As noted above, there are many examples of how the use of forced arbitration clauses is inherently unreasonable and unjust, and prohibiting its use in this context would be in the public interest. It is therefore clearly within the purview of the FCC’s authority to ban the abusive practice of forced arbitration.
The Eighth Circuit relied on a similar authorizing statute to uphold HHS’s authority to prohibit long-term care facilities from conditioning admission upon entering into a binding arbitration agreement.[83] That statute stated that it was the duty of HHS to assure that those facilities protected the health, safety, and well-being of residents.[84] The court held that it was reasonable for the agency “to conclude that regulating the use of arbitration agreements in LTC facilities furthers the health, safety, and well-being of residents.”[85]
In addition, nothing in the Federal Arbitration Act limits the FCC’s ability to prohibit carriers from enforcing pre-dispute binding arbitration agreements.[86] Accordingly, the FCC has authority to condition carriers’ participation in the telecommunications network on not including forced arbitration clauses in their agreements with subscribers.
IV. The Commission should clearly articulate the scope of its authority under Sections 222 and 201(b) as it applies to SIM swap and port-out fraud.
The Commission has important and relevant authority under Sections 222 and 201(b), and it should give voice to this authority loudly and clearly. CTIA raises arguments about the limited scope of Section 222 and the inapplicability of Section 201(b),[87] but these are untimely, mistaken, and out of step with Commission and Supreme Court precedent. As we noted last year, the Commission unambiguously established in 2007 that all personally-identifiable information (PII) that comes into a carrier’s possession by virtue of the carrier/customer relationship should be treated as CPNI.[88] This covers information such as Social Security Numbers (SSNs), as the Commission recently re-articulated.[89] Indeed, the Commission’s findings in its December Data Breach Reporting Requirements Report and Order address CTIA’s arguments about the Commission’s authority in this docket handily.[90]
Even assuming for sake of argument that Section 222 does not cover PII, this does not preclude the Commission from using its authority under Section 201(b) to promulgate rules finding deficient common carrier cybersecurity measures to be unjust or unreasonable practices.[91] The Commission recently found it to be “implausible that Congress would have exempted common carriers from any obligation to protect their customers’ private information that is not CPNI” in the context of its data privacy and data protection authority under Section 201(b).[92]
Additionally, Section 201(b) of the Communications Act of 1934 requires that “[a]ll…practices…for and in connection with such [common carrier] communication service, shall be just and reasonable, and any such…practice…that is unjust or unreasonable is hereby declared to be unlawful.”[93] (emphasis added). This use of “all practices” and “any practice” suggests broad, not limited, applicability. Section 201(b) also provides that the Commission “may prescribe such rules and regulations as may be necessary in the public interest to carry out the provisions of this chapter.”[94] On multiple occasions, the Supreme Court has found that Congress’ delegation of authority to the Commission under Section 201(b) is express and far-reaching, including “broad power to enforce all provisions of the statute.”[95] That includes Section 222.
Also, the 1999 Order on Reconsideration referred to by CTIA is inapplicable, as it pertains to the interpretation of “information” under Section 272.[96] Moreover, CTIA’s view that the Commission recognized the “exclusive and comprehensive nature of Section 222” in that order is mistaken. The Commission’s exact words were:
In enacting section 222, Congress carved out very specific restrictions governing consumer privacy in CPNI and consolidated those restrictions in a single, comprehensive provision. We believe that the specific requirements governing CPNI use are contained in that section and we disfavor, accordingly, an interpretation of section 272 that would create constraints for CPNI beyond those embodied in the specific provision delineating those constraints.[97]
This does not mean that the Commission’s rulemaking authority over CPNI is in any way constrained, but only that the language of Section 272 does not refer to CPNI. Nor does this mean that the Commission’s authority over the privacy and security of non-CPNI data is in any way constrained. In light of Congress’ broad grant of authority under Section 201(b) to enforce all provisions of the Communications Act, the Commission should not be reluctant to take action immediately and decisively to protect consumers from increasingly common SIM swap and port-out frauds.
For these reasons, we urge the Commission not only to rely on the same authority explicitly listed when implementing the original CPNI authentication rules[98] but also to explicitly rely upon Section 201(b).
V. The Commission should require carriers to use timely notification to equip consumers to prevent downstream harms.
The Commission should equip consumers to protect themselves when their carrier has failed to prevent a SIM swap or port-out fraud. As implied in the Commission’s recent Data Breach Reporting Requirements Order, customers who are victims of breaches should be notified in order to take protective action.[99] We support the Commission’s proposal of immediate notification in the event of a failed authentication attempt.[100] The consumer is in the best position to know whether the authentication attempt was their own or someone impersonating them; it should not be left to the carrier to determine.[101] If the Commission decides to set the threshold for notification at multiple failed attempts rather than a single attempt, we urge it to adopt a commonsense definition of “more than one attempt” regardless of the mechanism used (e.g., such that one attempt via app and one attempt via website would trigger a notification under a “multiple failed attempts” regime).[102]
VON implies in its comments that there is greater harm in access to a wireless phone via SIM swap or port-out fraud than in “the limited information available from access to CPNI.”[103] While it is true that the potential for harm is more immediate in the context of a threat actor having the ability to send and receive calls and texts using someone else’s number, access to information such as CPNI can still facilitate privacy- and cybersecurity-related harms. CPNI is personal and highly individualized data; it can afford attackers the information necessary to tailor future social engineering attacks or other attempts at unauthorized access to even more sensitive data.[104] Most relevantly, the Commission has already established that breaches of proprietary information (including but not limited to CPNI) are presumptively harmful.[105]
VI. Conclusion
The Commission’s guardrails on authentication and emphasis that SMS-based authentication is not a safe harbor are encouraging, but the FCC should do more to ensure that common carriers take effective action to prevent their customers from falling victim to SIM swap and port-out fraud. The Commission must empower consumers to enforce clear duties on the part of carriers to prevent this form of fraud.
[1] In re Protecting Consumers from SIM Swap and Port-Out Fraud, Report and Order and Further Notice of Proposed Rulemaking, WC Docket No. 21-341 (Rel. Nov. 16, 2023), available at https://docs.fcc.gov/public/attachments/FCC-23-95A1.pdf [hereinafter “R&O” for citations to ¶¶ 1-97 or “FNPRM” for citations to ¶¶ 98-108]. The Final Rule was published in the Federal Register at 88 Fed. Reg. 85,794 (Dec. 8, 2023) and is available at https://www.federalregister.gov/documents/2023/12/08/2023-26338/protecting-consumers-from-sim-swap-and-port-out-fraud. The Proposed Rule was published in the Federal Register at 88 Fed. Reg. 86,614 (Dec. 14, 2023) and is available at https://www.federalregister.gov/documents/2023/12/14/2023-26701/protecting-consumers-from-sim-swap-and-port-out-fraud.
[2] Comment of Electronic Privacy Information Center (Jan. 17, 2024), https://www.fcc.gov/ecfs/search/search-filings/filing/1011728090306 [hereinafter “EPIC FNPRM Comment”].
[3] See R&O at ¶ 29.
[4] See id. at ¶ 30.
[5] See id. at ¶ 26.
[6] Id. at ¶ 7.
[7] Statement of Chairwoman Jessica Rosenworcel (Nov. 15, 2023), https://docs.fcc.gov/public/attachments/FCC-23-95A2.pdf.
[8] See FBI, Internet Crime Report 2022 at 24, https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf. Note EPIC’s initial comments in the FNPRM contained a typographical error suggesting ransomware losses were twice the losses of SIM swap attacks, but the opposite is accurate. See EPIC FNPRM Comment at 2 n. 8. EPIC’s initial comments also credited the New York Attorney General with bringing a case against Avid Telecom, see id. at 19 n. 91, but it was a multistate effort coordinated in large part by Arizona, Indiana, North Carolina, and Ohio. See Compl. and Demand for Jury Trial, State of Az., et al, v. Michael D. Lansky, L.L.C., dba Avid Telecom, et al., 4:23-cv-00233-EJM (D. Az. May 23, 2023), available at https://portal.ct.gov/-/media/AG/Press_Releases/2023/Conformed-Complaint_Avid.pdf.
[9] See, e.g., Compl. Weiss v. AT&T Mobility, LLC, 6:2023-cv-00120 (M.D. Fl. Jan. 23, 2023); Compl., Bayani v. T-Mobile USA Inc., 2:2023-cv-00271 (W.D. Wa. Feb. 27, 2023); Notice of Removal, Ayeni v. Bank of America N.A. et al, 2:2023-cv-00618 (D. Nm. July 24, 2023) (removing case against defendants including Verizon initially filed on June 28, 2023); Compl. Krumdieck v. Coinbase, Inc. et al, 1:2023-cv-09556 (S.D. Ny. Nov. 7, 2023) (defendants include Verizon) [hereinafter “Krumdieck Complaint”].
[10] See Christian Peeters, et al., SMS OTP Security (SOS): Hardening SMS-Based Two Factor Authentication, ACM Asia Conference on Computer and Communications Security (ASIA CCS ’22), May 30–June 3, 2022, Nagasaki, Japan, Session 1A: Cryptography #1, at 1, available at https://dl.acm.org/doi/pdf/10.1145/3488932.3497756.
[11] See id.
[12] Cyber Safety Review Board, Review of the Attacks Associated with Lapsus$ and Related Threat Groups at 37 (July 24, 2023), https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf [hereinafter “CSRB Report”]; see id. at ii, iv.
[13] FNPRM at ¶ 107.
[14] See, e.g., EPIC FNPRM Comment at 2 n. 9. We note that in between the initial and reply comments of this proceeding, a Securities and Exchange Commission’s social media account was taken over and misinformation was published immediately impacting cryptocurrency values; this incident was effectuated via a SIM swap attack. See Rebecca Heilweil and Derek B. Johnson, A tangled mess: Government rules for social media security lack clarity, CyberScoop (Jan. 29, 2024), https://cyberscoop.com/federal-government-agency-social-media-security-multifactor-authentication/. We also re-iterate that data breaches of phone subscriber information can facilitate future SIM swaps. See, e.g., EPIC FNPRM Comment at 4; Lawrence Abrams, Mint Mobile discloses new data breach exposing customer data, Bleeping Computer (Dec. 22, 2023), https://www.bleepingcomputer.com/news/security/mint-mobile-discloses-new-data-breach-exposing-customer-data/.
[15] See, e.g., R&O at ¶ 4 (“Cell phone numbers are frequently used as a means of authenticating the identity of users for various types of accounts, including accounts with wireless providers, e-mail and social media providers, financial institutions, healthcare providers, and retail websites.”); Statement of Comm’r Anna M. Gomez (Nov. 15, 2023), https://docs.fcc.gov/public/attachments/FCC-23-95A4.pdf (“messages sent to our phones for multifactor authentication are also used to grant access to these accounts that hold so much of our personal information”); Statement of Comm’r Geoffrey Starks (Nov. 15, 2023), https://docs.fcc.gov/public/attachments/FCC-23-95A3.pdf (“Because we so frequently use our phone numbers for two-factor authentication, a bad actor who takes control of a phone can also take control of financial accounts, social media accounts, the list goes on.”).
[16] See, e.g., Order Granting Def.’s Mot. for Summ.J. and Den. Ex Parte Appl., Michael Terpin v. AT&T Mobility, LLC et al., No: 2:18-06975-ODW-KS, Doc. 243, at 11 (Mar. 28, 2023).
[17] See, e.g., Br. of Appellee AT&T Mobility LLC, Michael Terpin v. AT&T Mobility LLC et al, No. 23-55375 at 19-20 (9th Cir. Sept. 25, 2023); Answer to Am. Compl., Seth Shapiro v. AT&T Mobility, LLC, No. 2:19-08972-CBM-RAO, Doc. 161, at 49 (Feb. 13, 2023); Bayani v. T-Mobile USA, Inc., 76 No. 2:23-CV-00271-JHC, 2023 WL 6959287, at 5 (W.D. Wash. Oct. 20, 2023).
[18] See, e.g., Br. of Amicus Curiae CTIA, Michael Terpin v. AT&T Mobility, LLC, et al., No. 23-55375 at 24-26 (9th Cir. Oct. 2, 2023).
[19] See Telecommunications Act of 1996, PL 104-104, Sec. 702 (Feb. 8, 1996) (amending Title II by adding “Sec. 222 Privacy of customer information.” to the Communications Act of 1934).
[20] See R&O at ¶ 80.
[21] The Commission states that service providers are obligated to protect confidential information under Section 222, see, e.g., R&O at ¶ 11, but does not say explicitly that a successful SIM swap or port-out attack constitutes a violation of Section 222. Similarly, in its enforcement advisory, the Commission says that “[a] telecommunications carrier’s failure to reasonably protect customer information, including through allowing fraudulent SIM swap schemes, can independently violate the Act and Commission rules,” FCC Enforcement Advisory No. 2023-03, DA 23-1148 (Rel. Dec. 11, 2023), https://docs.fcc.gov/public/attachments/DA-23-1148A1.pdf at 2 (emphasis added) [hereinafter “SIM Swap Enforcement Advisory”], but not that it does in fact violate the rules. Similarly, the Commission notes that 201(b) authorizes the Commission to conclude practices that allow for fraudulent SIM swaps and number ports are unjust and unreasonable, R&O at ¶ 96, but doesn’t actually state explicitly that the Commission has come to that conclusion. These two clarifications—that a successful SIM swap or port-out fraud has always been demonstrative of a violation of Section 222, and that the Commission has found that deficient data security practices that allow for successful SIM swap or port-out frauds violate 201(b)—would greatly support consumers currently trying to fight on their own in private litigation to cover the gap left by the Commission’s lack of enforcement activity. See Section IV, infra.
[22] See EPIC FNPRM Comment at 14-19.
[23] See in re Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information, CC Docket No. 96-115; IP-Enabled Services, WC Docket No. 04-36, Report & Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd 6927 at ¶ 4, 9 (rel. April 2, 2007) [hereinafter “2007 CPNI Order”].
[24] See SIM Swap Enforcement Advisory at 4 n. 13 (citing to In re Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, Declaratory Ruling, 28 FCC Rcd 9609 (2013) [hereinafter “2013 Declaratory Ruling”]); “Congress, through the Communications Act, requires communications providers to protect consumers’ sensitive personal information to which they have access as a result of their unique position as network operators.” 2013 Declaratory Ruling at ¶ 9. We further note that 47 C.F.R. § 64.2010 became effective September 2017. See Fed. Commc’ns Comm’n, Final Rule, In re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, FCC 16-148, 82 Fed. Reg. 44,118 (Sept. 21, 2017), https://www.federalregister.gov/documents/2017/09/21/2017-20137/protecting-the-privacy-of-customers-of-broadband-and-other-telecommunications-services.
[25] See R&O at ¶ 96.
[26] See SIM Swap Enforcement Advisory at 2 n. 7; id. at 4.
[27] See, e.g., cases cited in notes 9, 16-18 supra.
[28] 2007 CPNI Order at ¶ 33.
[29] See, e.g., FCC Proposes Over $200M in Fines for Wireless Location Data Violations (Feb. 28, 2020), https://www.fcc.gov/document/fcc-proposes-over-200m-fines-wireless-location-data-violations.
[30] See, e.g., Speech, Chairwoman Rosenworcel Remarks at CDT Forum on Data Privacy 3 (June 14, 2023), https://www.fcc.gov/document/chairwoman-rosenworcel-remarks-cdt-forum-data-privacy.
[31] See, e.g., EPIC FNPRM Comment at 2 n. 8, n. 9.
[32] CSRB Report at 37.
[33] See, e.g., 5NPRM Comment of EPIC and NCLC, In re Advanced Methods to Target and Eliminate Unlawful Robocalls, Call Authentication Trust Anchor, CG Dkt. No. 17-59, WC Dkt. No. 17-97 at 9 (Aug. 17, 2022), https://www.fcc.gov/ecfs/search/search-filings/filing/10817350228611 (“The standard for compliance should be based on the success of the effort, not the measures taken. This is particularly important because just as one measure may prove successful one month, scam callers are likely to quickly adopt new methods for evading that successful measure. Providers need to be incentivized to be constantly on the lookout for illegal traffic in the calls they are transmitting. To eradicate scam robocalls, the Commission must require that providers effectively mitigate scam robocall traffic. Compliance should not be evaluated based on what measures the provider says it is using, or even whether it is using the measures promised. Compliance should be evaluated based on the success of the provider’s efforts in avoiding the transmission of illegal robocalls.”) (internal citations omitted); NPRM Comment of NCLC and EPIC at 4 (Nov. 15, 2021), https://www.fcc.gov/ecfs/search/search-filings/filing/111608400758 (“As the Commission has noted, most carriers know how to avoid these problems. They just need to be incentivized to employ these avoidance procedures in all cases, to protect their vulnerable customers from frauds and significant financial losses.”) (internal citations omitted) [hereinafter “NCLC and EPIC NPRM Comment”].
[34] See R&O at ¶ 80-81.
[35] See Cybersecurity & Infrastructure Security Agency, About CISA, https://www.cisa.gov/about.
[36] See Emily Field, 3 Highlights from Sen. Hearing on Social Media Child Safety, Law360 (Jan. 31, 2024), https://www.law360.com/articles/1791944/3-highlights-from-sen-hearing-on-social-media-child-safety.
[37] See R&O at ¶ 81.
[38] See, e.g., CSRB Report at iv, 8, 17, 27, 35; Opening Br., Michael Terpin v. AT&T Mobility, No. 23-55375 at 9 (9th Cir. Oct. 4, 2023); Krumdieck Complaint at 2 ¶ 5; Gabriella Killett, Former worker at T-Mobile store arrested in digital simcard scheme targeting customers, nola.com (July 14, 2023), https://www.nola.com/news/crime_police/former-t-mobile-employee-arrested-in-digital-sim-card-scheme/article_ae0ab124-21b5-11ee-9e92-8b3181de1471.html.
[39] We acknowledge that the Commission has implemented rules that make it harder for some employees to access CPNI in some contexts. See, e.g., R&O at ¶ 50. This is not the same as giving providers financial incentives.
[40] We have made a similar argument in the context of telecom data breaches; it is equally applicable to carrier failure to prevent SIM swap and port-out fraud. Reply Comment of EPIC, Center for Democracy and Technology, Privacy Rights Clearinghouse, and Public Knowledge, In re Data Breach Reporting Requirements, WC Dkt. No. 22-21 at 19 (Mar. 24, 2023), https://www.fcc.gov/ecfs/search/search-filings/filing/1032465071814 (“The highest priority in this proceeding should be protecting consumers. While it is unfair to place the burden on consumers when providers fail in their charge as custodians of consumer data, the current data security reality is such that the best interim solution is to equip consumers to protect themselves from the downstream impacts of data breaches such as identity theft and account compromise.”) [hereinafter “EPIC et al. Data Breach Reply Comment”].
[41] See, e.g., NCLC and EPIC NPRM Comment at 7 n. 26 (citing to Consumer Fin. Prot. Bureau, Arbitration Study, Report to Congress Pursuant to Dodd-Frank Wall Street Reform and Consumer Protection Act § 1028(a), at § 1.4.1 (Mar. 2015), available at https://files.consumerfinance.gov/f/201503_cfpb_arbitration-study-report-to-congress-2015.pdf [hereinafter “CFPB 2015 Arb. Study”], Elizabeth G. Thornburg, Contracting with Tortfeasors: Mandatory Arbitration Clauses and Personal Injury Claims, 67 Law & Contemp. Probs. 253, 271 (2004), Paul D. Carrington & Paul H. Haagen, Contract and Jurisdiction, 1996 Sup. Ct. Rev. 331, 347–348, and Davis v. Prudential Sec., 59 F.3d 1186, 1190 (11th Cir. 1995)). The CFPB’s findings are entirely consistent with prior studies of consumer arbitration, which have revealed that arbitration agreements suppress valid claims and subject consumers to a sharply unfair dispute resolution procedure. See, e.g., David Horton & Andrea Cann Chandrasekher, After the Revolution: An Empirical Study of Consumer Arbitration, 104 Geo. L.J. 57 (2015), available at http://papers.ssrn.com.
[42] See, e.g., Roseanna Sommers, What Do Consumers Understand About Predispute Arbitration Agreements? An Empirical Investigation at 1, 24 (July 25, 2023), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4521064.
[43] See FNPRM at ¶ 107.
[44] See, e.g., Letter to Hon. Gary Gensler from Better Markets, et al., Re: Critical Need for Rulemaking to Prohibit Forced Arbitration at 1 (Jan. 31, 2024), available at https://www.nclc.org/wp-content/uploads/2024/02/SEC-Arbitration-and-Section-921.pdf [hereinafter “Gensler Letter”]; id. at 10 (arguing for a prohibition on mandatory pre-dispute arbitration provisions in the context of investment contracts, but leaving investors and firms free to pursue arbitration post-dispute, and quoting Catherine Moore, The Effect of the Dodd-Frank Act on Arbitration Agreements: A Proposal for Consumer Choice, 12 Pepp. Disp. Resol. L.J. 503, 523 (2012) for the principle that competition between arbitration and litigation could correct perceived shortcomings in the arbitration process). According to one survey of several hundred consumers, approximately 15% self-reported as being given the choice to opt out of standard arbitration language with their phone company, as compared with 33% not given a choice and 52% who don’t remember. See Sommers supra note 42 at 24 Table 6.3. 36% of consumers in a different section of the survey indicated that they thought they would still be able to sue in court. See id. at 20 Table 5.3.
[45] See, e.g., Cell Phones, Fair Arbitration Now, https://fairarbitrationnow.org/cell-phone-arbitration/ (last visited Feb. 12, 2024) (citing to CFPB 2015 Arb. Study at 8, Table 1 (finding that 99.9% of wireless subscribers were subject to forced arbitration agreements.)); Brian Hardingham, The FCC Should Stop Cell Phone Giants from using Forced Arbitration Clauses as a Get Out of Jail Free Card, Public Justice blog (Jan. 13, 2017), https://www.publicjustice.net/fcc-stop-cell-phone-giants-using-forced-arbitration-clauses-get-jail-free-card/ (“Before the two 5-4 Supreme Court rulings on the issue, consumers could realistically expect that they would obtain relief if they could prove that a mobile phone company overcharged them, even when their contracts contained a forced arbitration clause with a class action ban.”); Gensler Letter at 3 (noting that investors are often unable to open a brokerage account without agreeing to submit to mandatory pre-dispute arbitration).
[46] See, e.g., Gensler Letter at 4 (“The CFPB found that the average arbitration clause comprised 14.1% of the words in the contract and consisted of 1,108.8 words. The average grade level (which translates total words, total sentences, and total syllables into the level of education required to understand the text) for the arbitration clauses averaged 15.6, indicating that the text is best understood by those with some college education. In contrast, the average grade level for the remainder of the contract was 11.6, which roughly corresponds to a high school-level education.”) (internal citations omitted); Sommers supra note 42 at 1 (“less than 1% of respondents correctly understood the full significance of the arbitration agreement, as indicated by their responses to questions about whether they retained the rights to sue, have a jury decide their case, access the public courts, and appeal a decision based on a legal error.”).
[47] See, e.g., National Consumer Law Center, Consumer Arbitration Agreements at “1.3 Definition of Predispute Binding Arbitration Agreement—or “Forced Arbitration” Agreement” (8th ed. 2020), updated at www.nclc.org/library.
[48] Richard C. Reuben, Democracy and Dispute Resolution: The Problem of Arbitration, 67 Law & Contemp. Probs. 279, 309–318 (2004).
[49] See Gensler Letter at 5 (discussing this phenomenon in the context of securities law).
[50] See Gensler Letter at 7.
[51] According to the Consumer Financial Protection Bureau’s 2013 report, around 90% of the arbitration clauses studied in credit card agreements, consumer banking agreements, payday loans, and prepaid card agreements included class action waivers. Consumer Fin. Prot. Bureau, Arbitration Study Preliminary Results: Section 1028(a) Study Results to Date (Dec. 12, 2013), available at http://files.consumerfinance.gov.
[52] CFPB 2015 Arb. Study at 15.
[53] Alan S. Kaplinsky & Mark J. Levin, Anatomy of An Arbitration Clause: Drafting and Implementation Issues Which Should Be Considered By A Consumer Lender, 1113 Prac. L. Inst. Corp. L. Prac. Course Handbook 655, 657 (1999). See also Mercedes Homes v. Colon, 966 So. 2d 10, 20 (Fla. Dist. Ct. App. 2007) (Griffith, J., dissenting) (“And with every reinforcing decision, these clauses become ever more brazenly loaded to the detriment of the consumer—who gets to be the arbitrator; when, where, how much it costs; what claims are excluded; what damages are excluded; what statutory remedies are excluded; what discovery is allowed; what notice provisions are required; what shortened statutes of limitation apply; what prerequisites even to the right to arbitrate are thrown up—not to mention the fairness or accuracy of the decision itself. The drafters have every incentive to load these arbitration clauses with such onerous provisions in favor of the seller because the worst that ever happens, if the consumer has the resources to go to court, is that the offending provisions are severed. The state courts, demoralized by the United States Supreme Court’s disapproval, have too often allowed these overreaching provisions to succeed. Most consumers can’t read them, won’t read them, don’t understand them, don’t understand their implication and can’t afford counsel to help them out.”).
[54] Five Recommendations When Reviewing Arbitration Clauses, SubPrime Auto Fin. News (Aug. 6, 2014), available at www.autoremarketing.com.
[55] Eric Berkowitz, Is Justice Served, L.A. Times Magazine, Oct. 22, 2006. See also Justin Scheck, JAMS Reverses Class Action Policy; Under Corporate Pressure, It Agrees To Enforce Exclusion Clauses, The Recorder 1 (Mar. 11, 2005).
[56] See Thomas J. Stipanowich, Punitive Damages and the Consumerization of Arbitration, 92 Nw. U. L. Rev. 1, 17 (1997) (“A comparison of available statistics suggests that commercial arbitrators tend to be more conservative than juries in terms of the frequency of punitive awards.”).
[57] See Thornburg note 41 supra at 273.
[58] See Horton & Chandrasekher note 41 supra.
[59] See Marcus Nieto & Margaret Hosel, Arbitration in California Managed Health Care Systems 22 (2000) (“[P]laintiffs in California health care claims generally do not have information about arbitrators’ decision records before selecting a neutral arbitrator. In contrast, health care plans do have information about the win-lose decisions of arbitrators. This information gap may favor health care plans.”); Jean Sternlight, Panacea or Corporate Tool?: Debunking the Supreme Court’s Preference for Binding Arbitration, 74 Wash. U. L.Q. 637, 683–684 (1996) (“[A] consumer’s attorney often relies on public information gained from other lawsuits to build her own claims of negligent or intentional misconduct. Repeat-player companies can gain similar information through private channels. Thus, by requiring private arbitration the company may again deprive the consumer of certain relief she might have obtained through litigation.” (citations omitted)).
[60] See e.g., Elizabeth Rolph, Erik Moller & John E. Rolph, Arbitration Agreements in Health Care: Myths and Reality, 60 Law & Contemp. Probs. 153, 158 (1997) (“The effects of private, binding arbitration are even more difficult to determine. Some organizations that use arbitration agreements have conducted internal evaluations, but the data necessary for a broad-based, non-proprietary evaluation are widely dispersed, private, and often well guarded. Consequently, few studies of private arbitration have been undertaken. . . .”); Jill Gross & Barbara Black, Perceptions of Fairness of Securities Arbitration: An Empirical Study, Univ. of Cincinnati Pub. L. Research Paper No. 08-01 (Feb. 6, 2008) (plaintiffs interviewed after going through a securities arbitration proceeding overwhelmingly think that the proceeding was “very unfair” or “somewhat unfair” in comparison with judicial proceedings), available at www.researchgate.net.
[61] Ting v. AT&T, 182 F. Supp. 2d 902, 932 (N.D. Cal. 2002). In affirming the holding of the trial court that this confidentiality provision was unconscionable, the Ninth Circuit reiterated that such confidentiality provisions contribute to an unfair repeat-player effect: by imposing a “gag order,” the court said, “AT&T has placed itself in a far superior legal posture by ensuring that none of its potential opponents have access to precedent while, at the same time, AT&T accumulates a wealth of knowledge on how to negotiate the terms of its own unilaterally crafted contract.” Ting v. AT&T, 319 F.3d 1126, 1152 (9th Cir. 2003). See also Sprague v. Household Int’l, 473 F. Supp. 2d 966, 974 (W.D. Mo. 2005) (secrecy terms in arbitration clauses are substantively unconscionable because they ensure that companies “reap[] the advantages of repeatedly appearing before the same group of arbitrators, while consumers do not”); Luna v. Household Fin. Corp. III, 236 F. Supp. 2d 1166, 1180–1181 (W.D. Wash. 2002) (secrecy clauses have the effect of “magnify[ying] the effect of [the] advantages” that “repeat arbitration participants enjoy . . . over one-time participants”); ACORN v. Household Int’l, Inc., 211 F. Supp. 2d 1160, 1172 (N.D. Cal. 2002) (“By keeping all awards confidential, any advantages that inure to Defendants as repeat participants are effectively concealed, thereby preventing the scrutiny critical to mitigating those advantages.”); Kinkel v. Cingular Wireless L.L.C., 857 N.E.2d 250, 275 (Ill. 2006) (confidentiality provision unconscionable when “Cingular . . . can accumulate experience defending these claims” while consumers have no access to precedent); Eagle v. Fred Martin Motor Co., 809 N.E.2d 1161, 1183 (Ohio Ct. App. 2004) (“[T]his confidentiality clause on its face brings about a result that the [consumer protection statute] seeks to prevent, namely the failure to inform the public about suppliers’ deceptive and unconscionable acts in an effort to correct these wrongs.”); Zuver v. Airtouch Communications, Inc., 103 P.3d 753, 765 (Wash. 2004) (confidentiality provision substantively unconscionable because it “hampers [the] ability to prove a pattern of discrimination or to take advantage of findings in past arbitrations”).
[62] Sternlight note 59 supra at 695. See also Michael A. Satz, How the Payday Predator Hides Among Us: The Predatory Nature of the Payday Loan Industry and Its Use of Consumer Arbitration to Further Discriminatory Lending Practices, 20 Temp. Pol. & Civ. Rts. L. Rev. 123, 151–152 (2010) (“The strongest argument against allowing the arbitration of payday loan disputes is the public justice critique, which essentially argues that society benefits as a whole from the discussion of the law. . . . When claims against payday lenders are taken private, society does not gain the benefit of learning about what these actors are doing and thereby loses, to a certain degree, its ability to determine the validity or invalidity of such conduct and whether to take collective action against it.”); Thornburg note 41 supra at 272; Arbitration: Happy Endings Not Guaranteed, Bus. Wk., Nov. 20, 2000 (“[E]ven when both sides walk away ‘winners,’ the public may lose by failing to hear about cases that involve product safety, anticompetitive behavior, or intellectual-property theft. But privacy is part of arbitration’s appeal to companies. ‘Companies don’t have to worry about disputes showing up in the paper,’ said William K. Slate II, AAA’s president and CEO.”).
[63] See, e.g., Steve Davidoff Solomon, Arbitration Clauses Let American Apparel Conceal Misconduct, DealBook, N.Y. Times (July 15, 2014) (“if American Apparel hadn’t been able to use arbitration and confidentiality clauses to keep investors and the public in the dark over those [decades of sexual harassment] accusations, [the CEO] would most likely have been shown the exit some years earlier.”).
[64] See, e.g., Davis v. Prudential Sec., 59 F.3d 1186, 1190 (11th Cir. 1995).
[65] See David S. Schwartz, Enforcing Small Print to Protect Big Business: Employee and Consumer Rights Claims in an Age of Compelled Arbitration, 1997 Wis. L. Rev. 33, 46–47.
[66] See, e.g., Edward Brunet, Questioning the Quality of Alternative Dispute Resolution, 62 Tul. L. Rev. 1, 12–13 (1987); Mark E. Budnitz, Arbitration of Disputes Between Consumers and Financial Institutions: A Serious Threat to Consumer Protection, 10 Ohio St. J. on Disp. Resol. 267, 283–284 (1995); Carrington & Haagen note 41 supra at 348; Michael A. Satz, Mandatory Binding Arbitration: Our Legal History Demands Balanced Reform, 44 Idaho L. Rev. 19, 34 (2007) (companies often include secrecy clauses in arbitration agreements to “avoid negative publicity regarding its specific actions in the arbitration at issue, and negative publicity about its actions in general, thus, avoiding the attendant loss of goodwill that accompanies such publicity”).
[67] See, e.g., Sternlight note 59 supra at 683, 684 (“One way defendants can decrease a consumer’s expected return is to prevent the consumer from engaging in adequate discovery. Because the consumer will be more needful of discovery than will the company, which maintains the relevant records and has continuing access to the decisionmakers, even a seemingly neutral restriction on discovery will affect consumers adversely.” (internal citations omitted)).
[68] See Jeffrey W. Stempel, Mandating Minimum Quality in Mass Arbitration, 76 U. Cin. L. Rev. 383, 413–414 (2008).
[69] United Steelworkers of Am. v. Enter. Wheel & Car Corp., 363 U.S. 593, 598, 80 S. Ct. 1358, 4 L. Ed. 2d 1424 (1960).
[70] See Carrington & Haagen note 41 supra at 397–398. See also Richard C. Reuben, Democracy and Dispute Resolution: Systems Design and the New Workplace, 10 Harv. Negot. L. Rev. 11 (2005) (“[T]ransparency and rationality are not essential values of arbitration. Arbitrators are generally not required to articulate reasons for their decisions in the form of written opinions, effectively precluding substantively judicial review of arbitral awards. Moreover, arbitrators do not have to make their decisions according to rules of law. . . .” (citations omitted)).
[71] See Gensler Letter at 7.
[72] See, e.g., United Paperworkers Int’l Union v. Misco, Inc., 484 U.S. 29, 39, 108 S. Ct. 364, 98 L. Ed. 2d 286 (1987) (arbitration award will stand even if the arbitrator’s factfinding was “silly” or if “court is convinced [the arbitrator] committed serious error”); Nationwide Mut. Ins. Co. v. Home Ins. Co., 429 F.3d 640, 643 (6th Cir. 2005) (standard of review for arbitrators’ decisions is “one of the narrowest standards of judicial review in all of American jurisprudence”); Baravati v. Josephthal, Lyon & Ross, Inc., 28 F.3d 704, 706 (7th Cir. 1994) (judicial review of arbitrators’ decisions is so narrow that “perhaps it ought not be called ‘review’ at all”); Upshur Coals Corp. v. United Mine Workers of Am. Dist. 31, 933 F.2d 225, 231 (4th Cir. 1991) (“[U]nless the arbitrator appears utterly to have failed to execute his duty to interpret the contract or the relevant law, the arbitrator’s decision must stand.”); Michael H. LeRoy, Crowning the New King: The Statutory Arbitrator and the Demise of Judicial Review, 2009 J. Disp. Resol. 1 (in study of employment arbitration awards, finding that federal district courts vacate arbitration awards only 4.3% of the time).
[73] See, e.g., Allstate Settlement Corp. v. Rapid Settlements, Ltd., 559 F.3d 164 (3d Cir. 2009) (upholding injunction against arbitration when company “transparent[ly] attempt[ed] to use this arbitration scheme to evade the legislatures’ intentions to protect the recipients of structured settlement payments”); Satz note 62 supra at 147 (“By limiting the appeals process, both the procedural and substantive rights of consumers are placed at a high risk of injury.”).
[74] See, e.g., Jeffrey W. Stempel, Keeping Arbitrations From Becoming Kangaroo Courts, 8 Nev. L.J. 251, 258 (2007) (“Where arbitration is not specific to a guild, trade, or particular business activity, the traditional rationale of promoting arbitration for its ‘rough justice’ loses much of its force. By contrast, the case for insisting that mass arbitration results be consistent with substantive law becomes overwhelmingly strong.”); Stempel note 68 supra at 401–408 (discussing quality concerns surrounding mass arbitration, and noting that “[a]n inaccurate decision at great variance from substantive rules of law cannot be fair, no matter how unbiased the decisionmaker”); Symposium, The Current State of Securities Arbitration, 76 U. Cin. L. Rev. 589, 596 (2008) (comments of Kenneth E. Meister) (the depth of the arbitrator’s knowledge of the law will “vary from case to case” and that “arbitrators do not usually enforce statutes of limitations that would be applicable in court”).
[75] See, e.g., Nat’l Cas. Co. v. First State Ins. Grp., 430 F.3d 492, 496 (1st Cir. 2005) (“[a]rbitral awards are nearly impervious to judicial oversight”); Berkowitz note 55 supra at 24 (discussing court cases that allow arbitration awards to stand even in the face of “substantial injustice,” with one former judge and arbitrator noting that: “[Judges] can rule on the basis of the tea leaves . . . the fact is that arbitrators make mistakes . . . and there is no appeal if I make a stupid or diabolical mistake, or one that is made in bad faith. The parties are on their own.”).
[76] Cole v. Burns Int’l Sec. Services, 105 F.3d 1465, 1476 (D.C. Cir. 1997). See also Thornburg note 41 supra at 272 (“The public nature of litigation, and its status as a function of government, is a way in which society enunciates its values, and in which it creates and enforces the rules that govern primary behavior. From the standpoint of the legal system, arbitration can eliminate the ability of courts to perform this declarative function.”).
[77] Stempel note 68 supra at 421.
[78] See, e.g., Theodore Eisenberg & Geoffrey P. Miller, Cornell Legal Studies Research Paper Series, The Flight from Arbitration: An Empirical Study of Ex Ante Arbitration Clauses in Publicly-Held Companies’ Contracts (Aug. 30, 2006), available at http://papers.ssrn.com. See also Theodore Eisenberg, Geoffrey P. Miller & Emily Sherwin, Arbitration’s Summer Soldiers: An Empirical Study of Arbitration Clauses in Consumer and Nonconsumer Contracts, 41 U. Mich. J.L. Reform 871 (2008); Liz Kramer, Dissonance Between SCOTUS and BUSINESS on Arbitration, Arbitration Nation (Apr. 23, 2012), http://arbitrationnation.com; Art Levine, Why Does Chamber of Commerce Favor Arbitration for Workplace Rape Victims, But Oppose It For Union Workers?, Huffington Post (July 17, 2009), www.huffingtonpost.com (noting hypocrisy in that Chamber of Commerce and businesses “fervently . . . embrace arbitration when it allows them to avoid being held accountable for negligence towards employees or the defrauding of consumers” but oppose binding arbitration with unions under provisions of Employee Free Choice Act).
[79] See System Slowdown: Can Arbitration Be Fixed?, Inside Counsel, May 2007, at 50–58.
[80] See AT&T Mobility L.L.C. v. Concepcion, 563 U.S. 333, 131 S. Ct. 1740, 179 L. Ed. 2d 742 (2011).
[81] See Martha Neil, After Supreme Court Win Forcing Customers to Arbitrate, AT&T Now Sues to Stop the Arbitration, A.B.A. J. (Aug. 17, 2011).
[82] See Comment of NCLC, et al., In re Data Breach Reporting Requirements, WC Dkt. No. 22-21 at 2 (Feb. 21, 2023), https://www.fcc.gov/ecfs/search/search-filings/filing/10221288986781.
[83] See Northport Health Services of Arkansas, LLC v. U.S. Dept. of Health and Human Services, 14 F.4th 856 (8th Cir. 2021).
[84] 42 U.S.C. §§ 1395i-3(f)(1), 1396r(f)(1). See also 42 U.S.C. § 1395i-3(d)(4)(B).
[85] See Northport Health Services of Arkansas, LLC v. U.S. Dept. of Health and Human Services, 14 F.4th at 872 (8th Cir. 2021).
[86] See id. at 866-869.
[87] Comment of CTIA at 18-25 (Jan. 16, 2024), https://www.fcc.gov/ecfs/search/search-filings/filing/101161635126038.
[88] EPIC et al. Data Breach Reply Comment at 6 n. 18 (citing to 2007 CPNI Order at ¶ 1 n. 2).
[89] See Fed. Commc’ns Comm’n, In re Data Breach Reporting Requirements, Report and Order, FCC 23-111 at ¶¶ 16-18, 20, 118 (Rel. Dec. 21, 2023), https://docs.fcc.gov/public/attachments/FCC-23-111A1.pdf [hereinafter “Data Breach Report and Order”].
[90] See, e.g., id. at ¶¶ 117-26.
[91] See id. at ¶¶ 124-26.
[92] See id. at ¶ 126.
[93] 47 U.S.C. § 201(b).
[94] 47 U.S.C. § 201(b).
[95] Gonzales v. Oregon, 546 U.S. 243, 259 (2006) (citing to Natl. Cable & Telecomm. Ass’n v. Brand X Internet Services, 545 U.S. 967, 980 (2005)).
[96] See 14 FCC Rcd 14409, ¶¶ 141-42 (1999), available at https://digital.library.unt.edu/ark:/67531/metadc2931/m1/665/?q=FCC%20Rcd%20volume%2014%2014409.
[97] Id. at ¶ 142.
[98] See FNPRM at ¶ 103.
[99] See Data Breach Report and Order at ¶¶ 35, 52.
[100] See FNPRM at ¶ 105.
[101] See id. at ¶ 106.
[102] See id.
[103] Comment of Voice on the Net Coalition at 3-4 (Jan. 17, 2024) (responding to FNPRM ¶ 101).
[104] See EPIC FNPRM Comment at 10 n. 51 (citing to Verizon, Data Breach Investigations Report (2023)).
[105] See Data Breach Report and Order at ¶¶ 53, 55.