EPIC and NCL Urge Ninth Circuit to Hold Telecoms Accountable for Weak Security Allowing SIM Swap Fraud

August 7, 2023

In an amicus brief filed last week, EPIC and the National Consumers League (NCL) urged the Ninth Circuit to hold carriers liable when they fail to sufficiently protect consumers from SIM swap attacks, which can allow a fraudster to wipe out a person’s entire life savings.

SIM swaps are scams in which a fraudster gets a consumer’s telecom carrier to turn control of the consumer’s phone number over to the fraudster, often by trickery or bribery. The fraudster can then receive messages intended for the victim and use this information to access the victim’s private accounts by subverting text-based multi-factor authentication. A SIM swap attack can’t succeed without the help of a carrier’s employee or agent, and carriers are in the best position to stop these attacks, but because the carriers do not themselves suffer losses from the attacks, they do little to try to prevent them.

In this case, Terpin v. AT&T, a fraudster bribed an AT&T employee to do a SIM swap and then proceeded to steal millions of dollars of cryptocurrency from the plaintiff. Terpin sued AT&T for violating its legal duty to protect his customer information, but the district court held that the SIM swap did not involve data protected by the Federal Communications Act (FCA) and, moreover, that AT&T could not be held liable because its customer contracts said that it “cannot guarantee” data security.

EPIC and NCL’s brief emphasized to the Ninth Circuit that SIM swapping is an increasingly common scam that has resulted in average consumers losing their life savings. The two advocacy organizations argued that telecom carriers can’t immunize themselves for unreasonably deficient cybersecurity practices using boilerplate contract terms, and that SIM swapping attacks inherently involve data protected by the FCA.

EPIC regularly submits amicus briefs and regulatory comments related to deficient data security practices. EPIC filed the initial 2005 petition that gave rise to the Federal Communications Commission’s (FCC’s) 2007 CPNI Order, which imposed more explicit obligations on telecom carriers to protect consumers from scammers who would defraud them by exploiting their carrier’s weak cybersecurity practices.
