Opinion
22-cv-3996 (PKC)
09-29-2023
CALVIN CHENG, Plaintiff, v. T-MOBILE USA, INC., Defendants.
OPINION AND ORDER
P. Kevin Castel United States District Judge
Plaintiff Calvin Cheng arranged to sell fifteen bitcoins, worth approximately $750,000, to a person he believed to be Brandon Buchanan, a nonparty to this case. Unfortunately, it was not Buchanan on the other end of the transaction, but someone who had seized control of Buchanan's mobile phone account-and thereafter certain aspects of Buchanan's internet presence-after executing a “SIM-swap attack.” Cheng transferred his bitcoins to this unknown imposter, but he never received payment.
Cheng now brings this action against T-Mobile, Buchanan's mobile service provider. He claims that he has been injured by T-Mobile's failure to protect Buchanan's customer information, which in turn led to the SIM-swap attack that resulted in his injury. He brings several state law claims sounding in negligence-claiming T-Mobile owed him a duty of care as someone doing business with its customers-as well as a state law consumer protection claim and two statutory federal claims. T-Mobile moves to dismiss the Complaint in its entirety.
BACKGROUND
I. Factual Background
The well-pleaded facts recounted below are taken from the Complaint and are assumed to be true for the purposes of this motion. In re Elevator Antitrust Litig., 502 F.3d 47, 50 (2d Cir. 2007). (ECF 1.) (“Complaint” or “Compl.”)
Brandon Buchanan, a nonparty to this case, was the co-founder and managing partner of Iterative Capital, which the Complaint describes as a hybrid investment fund involved in cryptocurrency trading. (Compl. ¶ 44.) Buchanan had been a customer of T-Mobile since 2016 and had been the victim of a previous SIM-swap attack in 2018. (Compl. ¶¶ 45, 46.) The Complaint describes “SIM-swapping” as a form of “account takeover fraud . . . whereby a criminal third-party convinces a wireless carrier like T-Mobile to transfer access to one of its legitimate customers' cellular phone number from the legitimate customer's registered SIM-card-a small portable chip that houses identification information connecting an account to the wireless carrier's network-to a SIM-card controlled by the criminal third-party.” (Compl. ¶ 13.) The Complaint alleges that T-Mobile has been on notice about the danger of SIM-swapping for many years and that there have been many well-publicized incidents of SIM-swap attacks against T-Mobile customers. (Compl. ¶¶ 20-31.)
After the 2018 incident, T-Mobile agreed to implement certain security measures on Buchanan's customer account. These included a prohibition on the transfer of Buchanan's phone number and SIM data to a new device unless Buchanan himself appeared in person and provided a secret Personal Identification Number (PIN). (Compl. ¶ 48.) Buchanan paid extra for this “ID theft protection” service. (Compl. ¶ 49.)
Sometime in May 2020, Buchanan was the victim of a second SIM-swap attack. (Compl. ¶ 52.) Unknown third parties were able to hijack Buchanan's SIM data and began to impersonate him online. (Compl. ¶ 52.) The Complaint alleges that T-Mobile representatives informed Buchanan that the SIM-swap attack appeared to be an “inside job” by a T-Mobile employee. (Compl. ¶ 55.)
Plaintiff Cheng is a customer of Iterative Capital who had made several bitcoin purchases from Iterative in the months prior to May 2020. (Compl. ¶¶ 57, 59.) These transactions were arranged through a mobile application called Telegram, which is an encrypted instant messaging software. (Compl. ¶ 60.) Cheng's transactions with Iterative were conducted in a particular Telegram chat room. (Compl. ¶¶ 63-64.) Cheng knew that Buchanan was an officer and principal of Iterative, and he knew that Buchanan was a member of this chat room. (Compl. ¶¶ 64-66.)
User accounts on Telegram are tied to mobile telephone numbers verified by text messages to those numbers. (Compl. ¶ 61.) Therefore, once the unknown party had control over Buchanan's phone, Buchanan's Telegram account was also compromised. (Compl. ¶ 62.) Impersonating Buchanan, the unknown third party messaged Cheng on May 17, 2020, and offered to purchase bitcoins from him at above-market prices. (Compl. ¶ 71.) The messages indicated they were sent by Buchanan, and they referenced previous transactions conducted between Cheng and another member of Iterative. (Compl. ¶ 72.) Cheng was convinced to send fifteen bitcoins to a digital wallet address he believed belonged to either Buchanan or Iterative, and he expected to receive an unspecified amount of U.S. dollars in return. (Compl. ¶ 73.) No money was received in return. (Compl. ¶ 74.)
Buchanan subsequently discovered that he had been the victim of a SIM-swap attack, and on May 19, 2020, he emailed Iterative's clients to let them know that several of his accounts had been hacked and that the hackers had assumed his identity to make trades ostensibly on behalf of Iterative. (Compl. ¶ 76.) According to the Complaint, law enforcement inquiries into this incident are ongoing. (Compl. ¶¶ 77-79.)
Buchanan attempted to obtain Cheng's lost funds from T-Mobile, but T-Mobile refused to compensate either Buchanan or Cheng. (Comp. ¶¶ 80-81.)
II. Procedural History
Cheng first filed a complaint against T-Mobile in this Court in February 2021, and an amended complaint was filed that same month. (Cheng v. T-Mobile USA Inc., 21-cv-1085, (ECF 1, 9).) In April 2021, Cheng sought and was granted leave to amend his Complaint a second time. (21-cv-1085 (ECF 18, 19).) However, shortly thereafter he filed a notice of voluntary dismissal without prejudice under Rule 41(a)(1)(A)(i), Fed.R.Civ.P. (21-cv-1085 (ECF 20).)
Cheng initiated a new action and filed a new Complaint in May 2022. He brings claims for: (1) violation of the Federal Communication Act (“FCA”); (2) violation of the Computer Fraud and Abuse Act (“CFAA”); (3) negligence; (4) violation of the New York Consumer Protection Act, N.Y. G.B.L § 349; (5) negligent hiring, retention, and supervision; and (6) gross negligence. (ECF 1.) T-Mobile has moved to dismiss the Complaint in its entirety. (ECF 20.)
As discussed below, the Court will grant the motion as to all claims and the Complaint will be dismissed.
DISCUSSION
I. Applicable Law.
Defendants move to dismiss under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. To survive a motion to dismiss under Rule 12(b)(6), “a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (internal quotation marks omitted). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. “The plausibility standard . . . asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. Legal conclusions and “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements,” are not entitled to any presumption of truth. Id.
II. Cheng's negligence-based claims will be dismissed for failure to plausibly allege a duty of care.
Plaintiff brings claims for negligence, gross negligence, and negligent hiring, retention, and supervision. To establish a prima facie case of negligence under New York law plaintiff must show: “(1) the defendant owed the plaintiff a cognizable duty of care as a matter of law; (2) the defendant breached the duty; and (3) plaintiff suffered damage as a proximate result of that breach.” Curley v. AMR Corp., 153 F.3d 5, 13 (2d Cir. 1998). “If the defendant owes no duty to the plaintiff, the action must fail.” Pasternack v. Lab'y Corp. of Am. Holdings, 807 F.3d 14, 19 (2d Cir. 2015), as amended (Nov. 23, 2015)). “Although juries determine whether and to what extent a particular duty was breached, it is for the courts first to determine whether any duty exists.” Id. (quoting Darby v. Compagnie Nat'l Air France, 96 N.Y.2d 343, 347 (2001)). All three claims sounding in negligence are premised on the same breach of duty.
The parties' brief their respective positions assuming the applicability of New York law. This amounts to implied consent to the application of New York law. See Tehran-Berkeley Civ. & Env't Engineers v. Tippetts-Abbett-McCarthy-Stratton, 888 F.2d 239, 242 (2d Cir. 1989) (“The parties' briefs . . . rely on New York law. Under the principle that implied consent to use a forum's law is sufficient to establish choice of law, we will apply New York law to this case.” (internal citations omitted)).
“[A] claim for negligent hiring, supervision or retention” includes “the standard elements of negligence.” Doe v. Alsaud, 12 F.Supp.3d 674, 680 (S.D.N.Y. 2014) (internal quotation marks omitted). “[G]ross negligence also involves the commission or omission of an act or duty owing by one to another.” In re Platinum-Beechwood Litigation, 377 F.Supp.3d 414, 421 (S.D.N.Y. 2019) (internal quotation marks omitted).
The “threshold question” here is what-if any-duty of care did T-Mobile owe to Cheng, a third party with whom it is alleged T-Mobile had no relationship, contractual or otherwise. See Hamilton v. Beretta U.S.A. Corp., 96 N.Y.2d 222, 232 (2001). The Complaint alleges that T-Mobile “owes a duty of care to foreseeable victims who transact business with legitimate T-Mobile customers or those who they have reason to believe to be are [sic] legitimate T-Mobile customers.” (Compl. ¶ 169.) Cheng does not identify any existing authority establishing the existence of such a duty; he instead asks this Court to “find” that T-Mobile owed him a novel and “narrow” duty of care. (Opp. Br. (ECF 22) at 6.)
“Courts traditionally ‘fix the duty point by balancing factors, including the reasonable expectations of parties and society generally, the proliferation of claims, the likelihood of unlimited or insurer-like liability, disproportionate risk and reparation allocation, and public policies affecting the expansion or limitation of new channels of liability.'” Hamilton, 96 N.Y.2d at 232 (quoting Palka v Servicemaster Mgt. Servs. Corp., 83 N.Y.2d 579, 586 (1994)). “Thus, in determining whether a duty exists, ‘courts must be mindful of the precedential, and consequential, future effects of their rulings, and limit the legal consequences of wrongs to a controllable degree.'” Id. (quoting Lauer v. City of New York, 95 N.Y.2d 95, 100 (2000)).
Cheng suggests that the higher level of protection added to Buchanan's account indicates that T-Mobile was on notice of the possibility of another SIM-swap attack, and thereby the possibility that a third-party, like Cheng, could be affected. T-Mobile, therefore, it is alleged, acted negligently by processing the SIM-swap in contravention of its own policies. While these allegations might be directly relevant to an action brought by Buchanan, under New York law “foreseeability of harm” to some third-party “does not define duty.” 532 Madison Ave. Gourmet Foods, Inc. v. Finlandia Ctr., Inc., 96 N.Y.2d 280, 289 (2001). The mere allegation that Cheng was a foreseeable victim does not, standing alone, create a duty of care owed to Cheng by T-Mobile. “Absent a duty running directly to the injured person there can be no liability in damages, however careless the conduct or foreseeable the harm.” Id.
In certain circumstances, “[a] duty may arise from a special relationship that requires the defendant to protect against the risk of harm” to a plaintiff who is a third party. Id. (citing Eiseman v. State of New York, 70 N.Y.2d 175, 187-188 (1987)). A textbook example include a landlord's “duty to protect tenants, patrons and invitees from foreseeable harm caused by the criminal conduct of others while they are on the premises, because the special relationship puts them in the best position to protect against the risk.” Id. (citing Nallan v. Helmsley-Spear, Inc., 50 N.Y.2d 507, 518-519 (1980)). But the Complaint does not allege Cheng had any relationship with T-Mobile, much less a special one. And even duties of this type should not effectively “extend to members of the general public.” Id.
Cheng describes the proposed duty as a “narrow” one owed by T-Mobile to Cheng and those similarly situated. (Opp. Br. at 6.) The Court disagrees that the duty is “narrow.” The class of persons owed this duty is uncommonly broad: it includes not only T-Mobile customers, not only anyone who interacts with a T-Mobile customer-a category already so broad as to verge on the “general public”-but it also includes anyone interacting with a malevolent actor who impersonates a T-Mobile customer. When examining whether a duty of care is owed, New York Courts are instructed that it is their “responsibility . . ., in fixing the orbit of duty, ‘to limit the legal consequences of wrongs to a controllable degree.'” Strauss v. Belle Realty Co., 65 N.Y.2d 399, 402 (1985) (quoting Tobin v Grossman, 24 N.Y.2d 609, 619 (1969)). New York cases addressing the duty of care owed to non-customers by utilities-which, like T-Mobile, provide basic services to large swathes of the population-are instructive. When “determining the liability of utilities for consequential damages for failure to provide service-a liability which could obviously be ‘enormous' . . . courts have declined to extend the duty of care to noncustomers.” Id. at 403; see Moch Co. v. Rensselaer Water Co., 247 N.Y. 160 (1928) (holding water works company not liable under negligence theory where it allegedly failed to supply sufficient water pressure to city hydrants and as a result a warehouse burned down).
Bearing this guidance and these examples in mind, the Court declines to impose a novel and expansive duty of care owed by providers of cellular telephone services such as T-Mobile. The supposed duty is not well-cabined and allowing an action based upon it is “not likely to contain liability to manageable levels.” See Strauss, 65 N.Y.2d at 404. “Time and again” New York courts have required “‘that the damaged plaintiff be able to point the finger of responsibility at a defendant owing, not a general duty to society, but a specific duty to him.'” Lauer, 95 N.Y.2d at 100 (2000) (quoting Johnson v Jamaica Hosp., 62 N.Y.2d 523, 527 (1984)). Cheng cannot meet this requirement.
Since T-Mobile did not owe Cheng a legally cognizable duty of care, he has failed to state negligence-based claims for (1) negligence, (2) gross negligence, or (3) negligent hiring, retention, and supervision. These claims will be dismissed.
III. Cheng's FCA claim will be dismissed because there is no plausible allegation that T-Mobile possessed Cheng's data.
Cheng brings a claim for violation of the Federal Communication Act (“FCA”), 47 U.S.C. §§ 201 et seq., premised on the unauthorized disclosure of confidential and proprietary customer information. Section 206 of the FCA states that a common carrier “shall be liable to the person or persons injured” by FCA violations “for the full amount of damages sustained in consequence” of the violation. Id. § 206. Section 222 provides that “[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of . . . customers.” Id. § 206. The Complaint alleges that T-Mobile, a common carrier, violated the Section 222 when it failed to protect the confidentiality of the information in Buchanan's account during the SIM-swap attack; therefore, T-Mobile is liable to Cheng-the person injured-under Section 206. Cheng also asserts that T-Mobile is liable for violations of Section 201(b), which prohibits “unjust and unreasonable” practices. Id. § 201(b).
The Second Circuit has explained that “Section[] 206 . . . of the Communications Act grant[s] private parties . . . an express right of action against common carriers that improperly disseminate their [customer proprietary network information, or] CPNI.” Conboy v. AT & T Corp., 241 F.3d 242, 253 (2d Cir. 2001) (emphasis added). The Complaint does not allege that T-Mobile had access to any of Cheng's data, much less that it failed to protect that data; he therefore cannot bring a claim under Section 206 of the FCA. The out-of-circuit case relied on by Cheng in support of this claim is not to the contrary. In Terpin v. AT&T Mobility, LLC, 399 F.Supp.3d 1035 (C.D. Cal. 2019), the plaintiff was allowed to proceed against AT&T Mobility, LLC on an “unauthorized disclosure” claim, premised on sections 206 and 222 of the FCA. The plaintiff there alleged that he had lost a substantial sum of cryptocurrency after an instance of account takeover fraud. The key difference, however, was that the plaintiff in Terpin was alleged to be himself a customer of AT&T Mobility, and it was his own information at issue. Terpin, 399 F.Supp.3d at 1046.
Plaintiff's opposition memorandum of law appears to acknowledge the requirement that liability be tethered to disclosure of his own information by asserting that the Complaint contains allegations that T-Mobile “violated §222 of the FCA by disclosing proprietary information and CNPI of Buchanan (and Plaintiff).” (Opp. Br. at 20.) (emphasis added). But the cited portion of the Complaint contains no such allegation regarding Cheng's own information, and it simply quotes Section 222 of the FCA. (Compl. ¶ 145.) This is insufficient to state a claim under the FCA.
The FCA claim will be dismissed.
IV. The CFAA claim will be dismissed because there is no plausible allegation of unauthorized access.
Cheng also brings a claim for violation of The Computer Fraud and Abuse Act (“CFAA”). The CFAA “makes it illegal ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.'” Van Buren v. United States, 141 S.Ct. 1648, 1652 (2021) (quoting 18 U.S.C. § 1030(e)(6)). The CFAA is “principally a criminal statute” but “also establishes a private cause of action against a person who ‘knowingly accessed a computer without authorization or exceeding authorization,' and whose prohibited access result in [a] ‘loss' in excess of $5,000.” LivePerson, Inc. v. 24/7 Customer, Inc., 83 F.Supp.3d 501, 511 (S.D.N.Y. 2015) (citing 18 U.S.C. § 1030(g)). To state a claim a plaintiff “must plead that the Defendant (1) accessed a ‘protected computer'; (2) ‘without any authorization or exceeding its authorized access'; and (3) caused ‘loss' in excess of $5,000.” Id. (citing 18 U.S.C. § 1030(g)).
The Complaint does not plausibly allege that, when T-Mobile accessed is own records of Buchanan's account, it was acting without authorization or exceeding its authorized access. The Complaint alleges that Buchanan “requested additional protections be added to his T-Mobile account” and “T-Mobile agreed to Buchanan's request” by adding internal “security measures” that would be followed. (Compl. ¶¶ 47-48.) Nothing about this allegation indicates that T-Mobile, by enacting this policy governing its employees' conduct, had relinquished its own control and ability to access Buchanan's account. The Complaint alleges that these policies were not followed, and Buchanan's request was not honored. But “the ‘exceeds authorized access' clause” does not “criminalize[] every violation of a computer-use policy,” Van Buren, 141 S.Ct. at 1661, nor does it make such a violation a sufficient basis for a private damages action. The Complaint does not allege that any employee went to “particular areas in [T-Mobile's] computer-such as files, folders, or databases-to which their computer access does not extend.” Id. at 1652. There is no allegation that a T-Mobile agent executed the SIM-swap on the T-Mobile account without the proper T-Mobile credentials to do so, or otherwise accessed systems they were not permitted to use.
The Complaint does assert in a conclusory manner that T-Mobile violated the CFAA and “exceeded its authority,” or was “without . . . authorization,” when it executed the SIM-swap. (Compl. ¶ 157). But without a plausible factual showing these are simply legal conclusions entitled to no weight. The relevant question is whether T-Mobile “could use the system to retrieve” the information in question, Van Buren, 141 S.Ct. at 1662, which per the Complaint T-Mobile plainly could do.
Additionally, the facts alleged in the Complaint, if proved, would not plausibly show that T-Mobile or any of its agents were “knowingly” committing such a violation. The same is true even if the Court accepted Cheng's theory regrading “authorization.” The Complaint alleges that T-Mobile put policies in place to protect Buchanan's account, but criminal third parties impersonating Buchanan took control of the account; that is, T-Mobile or its agent acted as it did because they believed they had the accountholder's “authorization.” Therefore, Cheng has not adequately pleaded that T-Mobile or its agents “knowingly accessed a computer without authorization or exceeding authorization.” LivePerson, Inc., 83 F.Supp.3d at 511.
The CFAA claim will be dismissed.
V. The GBL § 349 claim will be dismissed because no direct injury is alleged.
Section 349 of the New York General Business Law declares “unlawful” any “deceptive acts or practices in the conduct of any business, trade or commerce.” N.Y. Gen. Bus. Law § 349. “[T]he scope of the statute is intentionally broad, applying to virtually all economic activity.” Blue Cross & Blue Shield of N.J., Inc. v. Philip Morris USA Inc., 3 N.Y.3d 200, 205 (2004) (internal quotation marks omitted). “In order to make out a valid section 349 claim, a plaintiff must allege [1] a deceptive act or practice [2] directed toward consumers and [3] that such act or practice resulted in actual injury to a plaintiff.” Id. at 205-06. However, “standing under GBL § 349 requires a direct rather than a derivative injury.” Frintzilas v. DirecTV, LLC, 731 Fed.Appx. 71, 72 (2d Cir. 2018). “An injury is indirect or derivative when the loss arises solely as a result of injuries sustained by another party.” Blue Cross & Blue Shield of N.J., 3 N.Y.3d at 207. It is not sufficient that a plaintiff merely “incurred costs due to the alleged deception.” City of New York v. Smokes-Spirits.Com, Inc., 12 N.Y.3d 616, 622 (2009). New York law requires something “more than an allegation of ‘but for' cause to state a claim for relief under” the statute. Id. at 623.
The Complaint fails to state a claim under GBL § 349 because there is no direct injury alleged. T-Mobile allegedly violated an agreement with Buchanan, and this led to a chain of events whereby a third-party criminal allegedly defrauded Cheng. There is not allegation that T-Mobile ever interacted with or directly injured Cheng. The only injury to Cheng from T-Mobile is therefore indirect and derivative.
Additionally, this argument was raised by T-Mobile in its memorandum of law in support of the motion to dismiss and Cheng's opposition does not address the derivative nature of his injury. “[A] plaintiff's failure to address an issue in its opposition raised by its adversary amounts to a concession or waiver of the argument.” Cole v. Blackwell Fuller Music Publishing, LLC, 16 Civ. 7014 (VSB), 2018 WL 4680989 (S.D.N.Y. Sept. 28, 2018) (“Plaintiffs silence in his opposition concedes Defendants' arguments concerning the Amended Complaint's failure to state a claim and Plaintiff's claims are thus dismissed for that additional reason.”).
For both reasons the claim under GBL § 349 will be dismissed. CONCLUSION
The Court has considered all arguments presented by the parties, including those not explicitly addressed herein. The motion to dismiss is GRANTED.
The Clerk is respectfully directed to terminate the motion (ECF 20), enter judgment, and close the case.
SO ORDERED