Opinion
2:23-cv-00271-JHC
10-20-2023
EMAN BAYANI, individually and on behalf of all others similarly situated, Plaintiff, v. T-MOBILE USA, INC., Defendant.
ORDER RE: DEFENDANT'S MOTION TO DISMISS
John H. Chun United States District Judge
I
Introduction
This matter comes before the Court on Defendant T-Mobile USA, Inc.'s Motion to Dismiss. Dkt. # 19. The Court has reviewed the materials filed in support of and in opposition to the motion, pertinent portions of the record, and the applicable law. The Court finds that oral argument is unnecessary. Being fully advised, the Court GRANTS in part and DENIES in part the motion.
II
Background
According to Plaintiff Eman Bayani, T-Mobile is a telecommunications carrier that markets, sells, and maintains wireless cell phone service for the public. Dkt. # 1 at 3 ¶¶ 13-14, 11 ¶ 63. Bayani, who files this putative class action on behalf of himself and others similarly situated, is a resident of Illinois and opened a cell phone account with T-Mobile in December 2021. Id. at 3 ¶¶ 9-10.
Bayani alleges that he and the proposed class “were victims of a SIM card swapping scam perpetrated through their T-Mobile cellular accounts.” Id. at 1 ¶ 2. According to the complaint, a “SIM swap scam” occurs as follows: (1) a scammer contacts a cell phone service provider, like T-Mobile, and falsely claims that the victim's phone has been lost or damaged; (2) the scammer requests that the provider activate a new SIM card associated with the victim's telephone number but is within the scammer's phone; (3) the provider activates the new SIM card in the scammer's telephone, allowing the scammer to receive the victim's messages, calls, and data; (4) once the scammer has access to the victim's SIM card and phone number, they may be able to access the victim's private information such as login credentials, bank account details, email, or social media accounts. Id. at 1-2 ¶¶ 3-4.
“A ‘SIM swap' occurs when a phone number associated with one SIM becomes associated with a different SIM; no information contained on the previous SIM is transferred to the new SIM, other than the phone number.” Terpin v. AT&T Mobility, LLC, 2023 WL 2839068, at *1 (C.D. Cal. Mar. 28, 2023).
“Cellular phones, tablets, and other mobile devices utilize an integrated microchip called a subscriber identity module (‘SIM'); this SIM enables the device to authenticate to its wireless network[.] The wireless network uses SIM identification information to associate the specific device with a phone number, in order to route communications and associate wireless services with a specific customer account.” Id.
Bayani opened an account with T-Mobile on or around December 11, 2021. Id. at 4 ¶ 20. Then, between December 19-28, 2021, scammers accessed his SIM card on various occasions and stole “approximately $21,000 of cash reserves in [Bayani's] Coinbase account to purchase Bitcoin and transfer it out,” as well as about $2,700 from his banking account. Id. at 4-5 ¶¶ 2129. On January 10, 2023, after filing a police report and receiving a letter from T-Mobile confirming the unauthorized activity, Bayani opted out of T-Mobile's arbitration agreement. Id. at 5 ¶¶ 31-32; see also Dkt. ## 1-1 at 1, 1-2 at 2.
Coinbase is a cryptocurrency wallet: an application that holds cash reserves or the private keys necessary to access or transact cryptocurrency, such as Bitcoin. “Wallets do not physically hold cryptocurrency, but rather hold only the private keys required to transact with a given wallet address. . . . Wallets can be accessed remotely only when the user inputs the appropriate access credentials.” Id.
Bayani filed this putative class action on February 27, 2023, claiming that T-Mobile “failed to protect [his] and other customers' personal and financial data information” after scammers used T-Mobile's services “to access [his] personal information, including [his] email, banking, and investment accounts.” Dkt. # 1 at 1 ¶¶ 1-2. Bayani brings six causes of action, alleging that T-Mobile committed: (1) violations of the Federal Communications Act (“FCA”), see 47 U.S.C. §§ 201-22; (2) negligence; (3) negligent hiring, retention, and supervision; (4) violation of the Stored Communications Act (“SCA”), see 18 U.S.C. §2701 et seq.; (5) violation of the Computer Fraud and Abuse Act (“CFAA”), see 18 U.S.C. § 1030; and (6) violations of the Washington Consumer Protection Act (“CPA”), see Revised Code of Washington (“RCW”) 19.6. Dkt. # 1 at 10-18 ¶¶ 61-122.
T-Mobile moves to dismiss this case on various grounds, saying that (1) all but one of Bayani's claims are time-barred; and (2) Bayani fails to state a claim under the FCA, a theory of negligence, the SCA, the CFAA, or the CPA. Dkt. # 19 at 10-32.
III
Discussion
When considering a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6), the Court construes the complaint in the light most favorable to the nonmoving party. Livid Holdings Ltd. v. Salomon Smith Barney, Inc., 416 F.3d 940, 946 (9th Cir. 2005). The Court must accept all well-pleaded facts as true and draw all reasonable inferences in favor of the plaintiff. Wyler Summit P'ship v. Turner Broad. Sys., Inc., 135 F.3d 658, 661 (9th Cir. 1998). “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)).
A. The Court Will Not Consider T-Mobile's Terms and Conditions at the Pleading Stage T-Mobile moves to dismiss claims one through five as barred by a one-year time limitation established in T-Mobile's Terms and Conditions (“T&Cs”). Dkt. # 20-1 at 2-6; see Dkt. # 19 at 14. T-Mobile asks the Court to consider the T&Cs at the pleadings stage and incorporate them by reference into the complaint. Dkt. # 19 at 14. For the reasons outlined below, the Court declines to do so.
1. The Court Declines to Incorporate the T&Cs by Reference
When considering a Rule 12(b)(6) motion, a district court may not typically “consider material outside the pleadings when assessing the sufficiency of a complaint[.]” Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 998 (9th Cir. 2018). When matters outside the pleadings are not excluded, the Rule 12(b)(6) motion converts to a motion for summary judgment under Rule 56. Id. Under the incorporation-by-reference doctrine, however, courts may examine documents properly incorporated into the complaint by reference. Tellabs, Inc. v. Makor Issues & Rts., Ltd., 551 U.S. 308, 322 (2007). “[C]ourts may take into account ‘documents whose contents are alleged in a complaint and whose authenticity no party questions, but which are not physically attached to the [plaintiff's] pleading.'” Davis v. HSBC Bank Nevada, N.A., 691 F.3d 1152, 1160 (9th Cir. 2012). A document may be incorporated by reference into a complaint if the plaintiff (1) “refers extensively to the document” or (2) the document “forms the basis of the plaintiff's claim.” United States v. Ritchie, 342 F.3d 903, 908 (9th Cir. 2003).
T-Mobile contends that Bayani agreed to the T&Cs when he received a telephone number from the company=. Therefore, according to T-Mobile, the complaint “necessarily relies” on the T&Cs and forms the basis of Bayani's claim. Dkt. # 19 at 14-15.
In its motion, T-Mobile concedes that complaint does not extensively reference the T&CS, but that the T&Cs form the basis of the Bayani's claims because they govern the relationship between T-Mobile (the wireless provider) and Bayani (the customer). Dkt. # 19 at 15-16.
Bayani responds that the T&Cs do not form the basis of his claims. Dkt. # 26 at 12-14. Further, according to Bayani, because T-Mobile seeks to incorporate the T&Cs only as a defense to Bayani's claims, the Court must prohibit it from doing so. Id. at 14 (citing Khoja, 899 F.3d at 1002).
The T&Cs do not form the basis of Bayani's complaint. For example, the T&Cs are mentioned only five times in the complaint, explicitly and implicitly. Dkt. # 1 at 4 ¶ 19-20, 5 ¶ 32, 7 ¶ 41, 8 ¶ 53; see also Dkt. # 1-2 at 2 (confirmation that Bayani opted out of arbitration agreement). Only twice does the complaint explicitly refer to the T&Cs, and in one of these references, Bayani states that his claims do not “arise out of” the T&Cs. See Dkt. ## 1 at 4 ¶ 19, 1-2 at 2. Although Bayani does not dispute that a contract bound Bayani and T-Mobile when he possessed a T-Mobile phone number, the complaint does not seek recourse based on T-Mobile's violations of this contract but is based on T-Mobile's alleged violations of state and federal statute.
At this stage, it is not apparent to the Court that the T&Cs form the basis of Bayani's claims; the Court also recognizes that the Ninth Circuit has cautioned against incorporating documents that may merely serve as a defense to well-pled allegations to defeat otherwise cognizable claims. Khoja, 899 F.3d at 1003 (“Submitting documents not mentioned in the complaint to create a defense is nothing more than another way of disputing the factual allegations in the complaint[.] . . . Although the incorporation-by-reference doctrine is designed to prevent artful pleading by plaintiffs, the doctrine is not a tool for defendants to short-circuit the resolution of a well-pleaded claim.”). Because the T&Cs do not form the basis of Bayani's complaint, the Court concludes that they are inappropriate for incorporation.
Because the Court declines incorporation, it will not consider any other arguments premised on the contents of the T&Cs. T-Mobile maintains that the T&Cs, on grounds other than the limitation provision, preclude at least three of Plaintiff's claims, including: (1) negligence (Dkt. # 19 at 22-23), (2) CFAA violation (Dkt. # 19 at 28), and (3) CPA claims (Dkt. # 19 at 30-31). The Court will not consider the merits of any portion of these arguments at the pleading stage.
2. Bayani's Claims Are Not Time-Barred
T-Mobile contends that Bayani's claims are time-barred because the T&Cs require the parties to bring claims against one another “within one year of the date the claim arises.” Dkt. # 20-1 at 2-6; see Dkt. # 19 at 15. Because Bayani filed this action more than a year after the SIM swap, T-Mobile seeks dismissal of these claims. Although the Court has declined to consider the T&Cs by incorporation, see supra part III.A.2, even if it were to consider the substance of the T&Cs, T-Mobile's request fails because it requires the Court to perform fact-based inquiries at the pleading stage. See Dkt. # 19 at 15-16.
Both federal and state claim limitations periods may be shortened by contract. Parties may shorten a limitations period provided under federal statute so long as that statute does not prohibit such a shortening. See MFS Int'l, Inc. v. Int'l Telcom Ltd., 50 F.Supp.2d 517, 522 (E.D. Va. 1999) (citing Order of United Com. Travelers of Am. v. Wolfe, 331 U.S. 586 (1947))). Under Washington law, parties can also shorten statutory limitations periods: “[a] stipulated limitation period prevails over the general statute of limitations unless prohibited by statute or public policy, or unless the provision is unreasonable.” EPIC v. CliftonLarsonAllen LLP, 199 Wash.App. 257, 271, 402 P.3d 320 (2017). Contractual limitation clauses between three months to a year are reasonable for state claims. Id. (collecting cases); see, e.g., Gallion v. Medco Health Sols., Inc., No. 13-CV-0135-TOR, 2014 WL 1328764, at *5 (E.D. Wash. Apr. 2, 2014) (enforcing contractual one-year time limitation for negligence claim).
T-Mobile maintains that Bayani's decision to opt out of the arbitration clause demonstrates his assent to the T&Cs. Dkt. # 27 at 7. And T-Mobile says that Bayani “cannot cherry-pick terms from the T&Cs to support his claims.” Id. (citing Gray v. Amazon.com, Inc., 2023 WL 1068513 (W.D. Wash. Jan. 27, 2023)).
In opposition, Bayani contends that “in order for such a shortened period to be enforceable, the parties must have actually assented to it.” Dkt. # 26 at 13-14. While Bayani does not contest the existence of a contract with T-Mobile, he does not admit that he agreed to the T&Cs when entering the contract and asserts that T-Mobile has failed to show that he “was ever presented with or assented to the T&Cs.” Id. at 15 (citing Alvarez v. T-Mobile USA, Inc., 2011 WL 6702424, at *2 (E.D. Cal. Dec. 21, 2011)).
“[T]he existence of mutual assent or a meeting of the minds is a question of fact.” SeaVan Invs. Assocs. v. Hamilton, 125 Wash.2d 120, 126, 881 P.2d 1035 (1994). “The burden of proving a contract, whether express or implied, is on the party asserting it,” and that party “must prove each essential fact,” of the contract “including the existence of a mutual intention.” Johnson v. Nasi, 50 Wash.2d 87, 91, 309 P.2d 380 (1957).
In this case, although the existence of a wireless contract is not in dispute, whether Bayani assented to the terms of the T&Cs-so as to establish mutual assent-is a factual inquiry that should not be considered at the motion to dismiss stage. See e.g., Alvarez, 2011 WL 6702424, at *9. And a time-bar argument is an affirmative defense to a plaintiffs claim for relief, which Bayani need not anticipate and negate in his pleading. See Fed. R. Civ. Proc. 8(c)(1) (listing “statute of limitations” as an affirmative defense); see also Perry v. Merit Sys. Prot. Bd., 582 U.S. 420, 435 (2017). So although Bayani did not allege his mutual assent to the T&Cs-or the lack thereof-such details are not required at the pleading stage. The Court thus denies T-Mobile motion to dismiss claims 1-5 on time-bar grounds.
T-Mobile's assertion that, under Gray v. Amazon.com, Inc., Bayani cannot “avoid incorporation by alleging he didn't read or assent to part of the T&Cs[,]” is misplaced. Dkt. # 27 at 7. In Gray, plaintiffs contended that the district court may not consider arguments premised on the terms of a Privacy Notice because they were not on notice of these terms and therefore these policies were not binding on them. Gray, 2023 WL 1068513, at *5. The court in Gray rejected this argument because plaintiffs' complaint was based on Amazon's alleged breach of these terms and were extensively referenced throughout. Id. The complaint here neither extensively references the T&Cs nor bases its claims on them.
Bayani also contends that the Court may not consider the T&Cs' time-limitation because the T&Cs are a contract of adhesion, and their terms are unenforceable because they are substantively unconscionable. Dkt. # 26 at 16. Because the Court declines to incorporate the T&Cs and whether Bayani assented to the T&Cs is a fact-based inquiry, the Court declines to consider whether the T&Cs are substantively unconscionable at this point.
B. Bayani Alleges a Plausible FCA Claim
Under the FCA, T-Mobile is a telecommunications carrier engaged in interstate communication that furnishes communication services to the public. See 47 U.S.C. § 201(a). T-Mobile therefore has a duty to protect the confidentiality of the proprietary information of its customers, such as Bayani. 47 U.S.C. § 222(a). Under the FCA, T-Mobile must maintain the confidentiality of its customers' “Customer Proprietary Network Information” (“CPNI”). 47 U.S.C. § 222(c). CPNI is defined as:
(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and
(B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier; except that such term does not include subscriber list information.47 U.S.C. § 222(h)(1) (emphasis added); see also 47 C.F.R. § 64.5103.
Under 47 C.F.R. § 64.201, “telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. Carriers must properly authenticate a customer prior to disclosing CPNI based on customer-initiated contact, online account access, or an in-store visit.” With few exceptions, a telecommunications provider is prohibited from using, disclosing, or permitting access to a customer's CPNI. See 47 C.F.R. § 64.2005. Based on this statutory duty, T-Mobile, “must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.” 47 C.F.R. § 64.2010(a).
Bayani asserts that T-Mobile violated its duties under § 222 of the FCA when it failed to protect his confidential personal information (“CPI”) and CPNI “by using, disclosing, or permitting access to their CPI and CPNI without the consent, notice, and/or legal authorization as required by the FCA.” Dkt. # 1 at 12 ¶ 70.
In the motion to dismiss, T-Mobile contends that this FCA claim fails for three reasons. First, T-Mobile says that “Bayani pleads no facts connecting any possible access to his CPNI to any of his alleged injuries.” Dkt. # 19 at 17. T-Mobile maintains that CPNI is a narrowly defined term, defined as “the logistical data collected by phone companies about a consumer's calls” but “does not relate to the content or substance of communications, whether calls or text messages.” Id. (emphasis in original). According to T-Mobile, “even if a criminal used Mr. Bayani's phone line as part of a scheme to access other accounts, unauthorized use of a phone line does not plausibly involve disclosure of CPNI. Id. at 18 (citing Terpin v. AT&T Mobility, LLC, 2023 WL 2839068, at *7 (C.D. Cal. Mar. 28, 2023)).
Second, T-Mobile also contends that “the FCA does not protect CPI” because (1) CPI is not defined by statute and appears only once in the FCA's prefatory provision; (2) in 2016 Congress expressly rejected a proposed rule to expand protections of CPI under the FCA; and (3) Bayani alleges no causal link connecting the disclosure of Bayani's CPI to the injuries he claims he suffered. See 47 U.S.C. § 222(a) (“Ever telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers”); Dkt. # 19 at 18-19.
Third, T-Mobile asserts that Bayani may not bring an FCA claim for any alleged “unreasonable” acts perpetrated by T-Mobile. 47 U.S.C. § 201(b) (“All charges, practices, classifications, and regulations for and in connection with such communication service, shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful[.]”). T-Mobile contends that claims brought under this section of the FCA are within the primary jurisdiction of the Federal Communications Commission (“FCC”) and, absent an FCC determination, a private plaintiff may not bring such a claim. Dkt. # 19 at 19-20 (citing In re Long Distance Telecomms. Litig., 831 F.2d 627, 631 (6th Cir. 1987); Havens v. Mobex Network Servs., LLC, 820 F.3d 80, 89 (3d Cir. 2016); N. Cnty. Commc 'ns Corp. v. Cal. Catalog & Tech., 594 F.3d 1149, 1158 (9th Cir. 2010) (“[I]t is within the Commission's purview to determine whether a particular practice constitutes a violation for which there is a private right to compensation[.]”)).
In response to T-Mobile's three assertions, first Bayani highlights that, on various occasions, T-Mobile informed Bayani that “an unknown party would have had access” to his CPNI during the December 2021 SIM swaps. Dkt. # 1-1 at 2-4; see Dkt. # 19 at 19-20. Bayani contends that at the pleading stage, he “cannot be expected to know, prior to discovery, the exact nature and extent of who accessed what information and how that information may have been used to harm him.” Dkt. # 26 at 19.
Second, Bayani concedes that the “focus of the FCA is on CPNI” and not on the broader concept of CPI. Id. at 20 n.3. Still, Bayani rebuts the notion that CPI only appears once in the FCA and says that CPI is mentioned “multiple times in the statute.” Id. at 20 n.3.
Third, Bayani maintains that “where the FCC has properly issued implementing regulations based on § 201(b), a plaintiff can bring claims based on a violation of such regulation.” Id. at 20 (citing Glob. Crossing Telecomms., Inc. v. Metrophones Telecomms., Inc., 550 U.S. 45, 54 (2007).
Bayani has plausibly alleged an FCA claim under the theory of T-Mobile's alleged CPNI disclosure, in violation of 47 U.S.C. § 222(c), and alleged “unreasonable” acts, in violation of 47 U.S.C. § 201(b).
As to T-Mobile's first argument, the Court recognizes that, at the pleading stage, it would be unreasonable for the Court to require Bayani “to know, prior to discovery, the exact nature and extent of who accessed what information and how that information may have been used to harm him.” See Dkt. # 26 at 19. The Court also notes that-in several letters to Bayani-T-Mobile acknowledged that an unknown party may have had access to his CPNI during the various times that the scammers accessed his SIM card. Although the definition of CPNI may be narrow, as T-Mobile contends, it would still be premature to dismiss Bayani's claims now. See Terpin v. AT&T Mobility, LLC, 399 F.Supp.3d 1035 (C.D. Cal. 2019) (ruling that customer sufficiently alleged that cell service provider permitted unauthorized access to CPNI, and thus stated a claim for unauthorized disclosure despite failing to identify any information that fell within definition of CPNI); see also Terpin, 2023 WL 2839068, at *7 (dismissing customer's FCA claims at summary judgment because the “SIM swap did not disclose any [CPNI] information” protected under § 222).
As to T-Mobile's second claim, Bayani seems to have abandoned the theory that T-Mobile violated the FCA when it disclosed his CPI information. See Dkt. # 1 at 11 ¶ 67; 47 U.S.C. § 222(a). In his response to the motion to dismiss, Bayani does not refute T-Mobile's assertion that “the FCA does not protect CPI, which in contrast to CPNI, is not defined in the statute or its implementing regulations”; nor does Bayani contest T-Mobile's contention that Congress's failure to expand the FCA's protections of CPI “strongly favor[s] construing the FCA to exclude the FCC's proposed interpretation, which would have expanded the statute's protections beyond CPNI.” Dkt. # 19 at 18-19. Consequently, the Court will not entertain any FCA claims based on T-Mobile's failure to protect the confidentiality of Bayani's CPI. See Dkt. # 1 at 11 ¶ 67.
T-Mobile's third argument fails because § 201(b) provides a right of action to private litigants. In Global Crossing, the Supreme Court held that it was an “unreasonable practice” for a telecommunications carrier to refuse to comply with an FCC regulation. Glob. Crossing, 550 U.S. 45 at 55 (“In our view, the FCC's § 201(b) “unreasonable practice” determination is a reasonable one . . . The carrier's refusal to [comply with an FCC regulation], despite the FCC's regulation requiring it to do so, can reasonably be called a ‘practice' ‘in connection with' the provision of that service that is ‘unreasonable.'”).
Global Crossing confirms that private litigants may bring an action for damages under § 207 when a carrier violates an FCC rule or regulation that lawfully implements 47 U.S.C. § 201(b). Id. at 54-55. Bayani contends that T-Mobile violated FCC regulation 47 C.F.R § 64.2010(a)-(d) when it failed to “properly authenticate a customer prior to disclosing CPNI based on customer-initiated telephone contact” and has therefore has a private cause of action under §201(b). Dkt. # 1 at 6 ¶¶ 33-46, 11-12 ¶¶ 69-72; see also Dkt. # 26 at 20.
For these reasons, the Court concludes that Bayani alleges plausible claims under the FCA to survive the motion to dismiss.
C. Bayani Alleges Plausible Negligence Claims
T-Mobile seeks dismissal of Bayani's negligence claims, contending that: (1) T-Mobile owed no duty to Bayani and (2) the “independent duty doctrine” bars Bayani's claims. Dkt. # 19 at 20-23.
In the motion to dismiss, T-Mobile does not differentiate between Bayani's second cause of action (negligence) and third cause of action (negligent hiring, retention, and supervision). The Court therefore addresses these two negligence claims together.
First, T-Mobile alleges that it owed no duty to protect Bayani from third-party scams because (1) T-Mobile did not commit any affirmative act that harmed Bayani and (2) had no special relationship with Bayani. Id. at 20-21 (citing Robb v. City of Seattle, 176 Wash.2d 427, 429-30, 295 P.3d 212 (2013)).
In response, Bayani contends that T-Mobile committed an affirmative act when it transferred Bayani's SIM card “without instituting proper procedures to protect access to [Bayani's] information” and exposed his account information to a scammer. Dkt. # 26 at 21.
The Court agrees. Under Washington law, negligence requires “(1) the existence of a duty to the plaintiff, (2) a breach of that duty, (3) a resulting injury, and (4) the breach as the proximate cause of the injury.” Degel v. Majestic Mobile Manor, 129 Wash.2d 43, 48, 914 P.2d 728 (1996). Typically, absent a special relationship, “an actor owes no duty to protect an injured party from harm caused by the criminal acts of third parties.” Parrilla v. King County., 138 Wash.App. 427, 436, 157 P.3d 879 (2007). Even still, Washington law confirms that: [A]n actor might still have a duty to take action for the aid or protection of the plaintiff in cases involving misfeasance (or affirmative acts), where the actor's prior conduct, whether tortious or innocent, may have created a situation of peril to the
other. Liability for nonfeasance (or omissions), on the other hand, is largely confined to situations where a special relationship exists.Veridian Credit Union v. Eddie Bauer, LLC, 295 F.Supp.3d 1140, 1157 (W.D. Wash. 2017) (emphasis added) (citing Robb v. City of Seattle, 176 Wash.2d 427, 436, 295 P.3d 212 (2013). Under this theory, the defendant must have engaged in some “misfeasance” that “necessarily entails the creation of a new risk of harm to the plaintiff.” Robb, 176 Wash.2d at 437.
The Court therefore concludes that Bayani sufficiently alleges that T-Mobile had a duty under the theory of negligence because:
[T]he criminal conduct involved in a SIM swap is not “independent,” but is facilitated by the wireless carrier. Unlike a direct hack of data where the company may play a more passive role, SIM swaps are ultimately actualized by the wireless carrier. It is the company that effectuates the SIM card change.Williams v. AT&T Mobility, LLC, 2020 WL 1492803, at *4 (E.D. N.C. Mar. 25, 2020).
Although T-Mobile claims that Buckley v. Santander Consumer USA, Inc., 2018 WL 1532671 (W.D. Wash. Mar. 29, 2018) and Veridian Credit Union v. Eddie Bauer, LLC, 295 F.Supp.3d 1140, 1157 (W.D. Wash. 2017) are instructive, the Court disagrees. In both cases plaintiffs alleged that defendants failed to implement adequate security measures (committing nonfeasance or omissions), which differs from Bayani's claims that T-Mobile engaged in affirmative acts (misfeasance) that created his risk of harm. See Buckley, 2018 WL 1532671, at *4; Veridian, 295 F.Supp.3d at 1157-58.
Next, T-Mobile contends that the “independent duty doctrine” bars Bayani's negligence claims because “they arise from circumstances inextricably linked to contractual duties in the T&Cs rather than through an independently arising tort duty.” Dkt. # 19 at 22. Bayani refutes this, asserting that this doctrine is applied to a “narrow class of cases, primarily limiting its application to claims arising out construction on real property[.]” Dkt. # 26 at 22 (quoting Elcon Constr., Inc. v. E. Wash. Univ., 174 Wash.2d 157, 165, 273 P.3d 965 (2012)). Further, according to Bayani, his claims do not arise out of the contract between the parties, with T-Mobile's duty of care stemming from federal and state statute. Id. at 23.
For reasons discussed above, see supra part III.A, the Court declines to consider T-Mobile's argument. Because T-Mobile's “independent duty doctrine” claim hinges on Bayani's assent to the T&Cs, it would be inappropriate to consider it at the pleading stage. Bayani thus alleges plausible negligence claims.
D. Bayani Fails to Allege a Plausible SCA Claim
Bayani alleges that T-Mobile violated the SCA when it “knowingly divulge[d] . . . the contents of a communication while in electronic storage by that service[.]” Dkt. # 1 at ¶ 92 (citing 18 U.S.C. §2702(a)(1); 18 U.S.C. §2701). In its motion to dismiss, T-Mobile asserts that the complaint does not allege facts sufficient to show that T-Mobile (1) “knowingly” divulged the “contents” of a communication, or (2) that T-Mobile's actions otherwise fit the law governing “electronic storage” of the data, see 18 U.S.C. § 2702(a)(1), and “remote computing service” (“RCS”) providers, see 18 U.S.C. § 2702(a)(1). Dkt. # 19 at 23. In response, Bayani contends that (1) by “effectuating the SIM swap, T-Mobile knew that it was providing access to the content of [Bayani's] text messages to a new SIM card” and (2) that Bayani satisfies the remaining contested elements to allege a plausible SCA claim. Dkt. # 26 at 23-24 (emphasis in original).
1. The SCA's Definitions of “Knowingly” and “Contents”
First, T-Mobile maintains that because the complaint alleges only that T-Mobile “failed to protect [Bayani's] information due to negligent conduct,” it does not sufficiently aver that the company “knowingly” disclosed the contents of Bayani's communication as required by the SCA. Dkt. # 19 at 23-24; see 18 U.S.C. § 2702(a)(1) (“[An] entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service[.]”) (emphasis added); 18 U.S.C. § 2702(a)(2) (An “entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service[.]”) (emphasis added).
The Court disagrees. To be sure, SCA legislative history clarifies that “a knowing state of mind is (1) an awareness of the nature of the conduct, (2) an awareness of or a firm belief in the existence of the circumstance, and (3) an awareness of or a firm belief in the substantial certainty of the result.” See Long v. Insight Commc 'ns of Cent. Ohio, LLC, 804 F.3d 791, 797 (6th Cir. 2015) (quoting H.R. REP. NO. 99-647, at 49 (1986)). And the SCA's knowledge requirement was “intended to make clear that ‘reckless' or ‘negligent' conduct is not sufficient to constitute a violation of this section.'” Id. (citing S. REP. NO. 99-541, at 36-37 (1986)).
But the conduct in question is the unauthorized SIM card disclosure that occurred during the SIM card swaps. As previously outlined, see supra part III.C, the complaint alleges that T-Mobile committed an affirmative act when it transferred Bayani's SIM card to a scammer's phone. See e.g., Dkt. # 1 ¶ 2, 15 ¶ 96. Although T-Mobile disputes any liability arising from its participation in this alleged scam, it does not dispute that it was aware of the nature of its actions when it carried out the SIM transfers. See Dkt. 1-1 (various letters recognizing that T-Mobile had transferred Bayani's SIM card). For these reasons, the complaint satisfies the SCA's requirement that T-Mobile acted “knowingly.”
Second, T-Mobile contends that Bayani fails to allege that T-Mobile divulged the “contents” of his communication. See 18 U.S.C. §§ 2702(a)(1), 2702(a)(1). T-Mobile asserts that “[n]owhere does the [c]omplaint allege what ‘communication' was divulged, and this alone justifies the dismissal of his claim.” Dkt. # 19 at 24.
The SCA prohibits disclosures of the “contents of a communication[,]” which is defined as “any information concerning the substance, purport, or meaning of that communication.'” In re Zynga Priv. Litig., 750 F.3d 1098, 1104 (9th Cir. 2014) (citing 18 U.S.C. § 2510(8)); see 18 U.S.C. §2702(a)(1)). In other words, “Congress intended the word ‘contents' to mean a person's intended message to another (i.e., the ‘essential part' of the communication, the ‘meaning conveyed,' and the ‘thing one intends to convey').” Zynga, 750 F.3d at 1106.
After consideration of the allegations set forth in the complaint, the Court concludes that Bayani has alleged that T-Mobile disclosed the contents of his communications, in violation of the SCA. For example, the complaint alleges that Bayani lost access to his T-Mobile account three times in December 2021 because of unauthorized SIM swaps. Dkt. #1 at 4-5 ¶¶ 21, 23, 25. During that time, Bayani alleges that scammers accessed his Coinbase account and bank account because they had access Bayani's SIM card and text messages. Id. at 5 ¶¶ 29-30. These allegations were later confirmed by T-Mobile. Dkt. # 1-1; Dkt. # 1 at 5 ¶ 31. Because the very nature of the SIM swap scam involves the interception of text and phone calls by an unauthorized party, at the motion to dismiss stage, Bayani has alleged that T-Mobile plausibly divulged the contents of his communications to an unauthorized third party.
2. The SCA's Definitions of “Electronic Storage” and “Remoting Computing Service”
T-Mobile also contends that Bayani's SCA claim fails because his communications were not divulged “while in electronic storage” nor does T-Mobile provide a “remote computing service to the public[.]” Dkt. # 19 at 24-25.
Under the SCA:
(1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and
(2) a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service[.]18 U.S.C. § 2702(a)(1)-(2) (emphasis added).
a. “Electronic Storage” under 18 U.S.C. § 2702(a)(1)
“Electronic storage” means (1) “any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof;” and (2) “any storage of such communication by an electronic communication service for purposes of backup protection of such communication[.]” 18 U.S.C. § 2510(17). Bayani responds that the SIM swap scam itself satisfies the SCA's “electronic storage” element because-rather than being a typical hands-on phone theft-T-Mobile provided the scammers “with a duplicate SIM card,” which allowed the scammer's access to Bayani's “email accounts, banking accounts, and Coinbase account.” Dkt. # 26 at 24.
The Court disagrees. Without more information about how SIM cards store data, the Court struggles to follow the logic of this argument. Although the Court recognizes that the contents of Bayani's communications were compromised through the SIM swap, see supra part III.D.1, the complaint does not allege how the interception of these messages constitutes “temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission” or storage of such communications “for purposes of backup protection.” 18 U.S.C. § 2510(17). Without more information on how the storage capabilities of a SIM card align with the statutory definition of “electronic storage,” Bayani has failed to allege a plausible claim under 18 U.S.C. § 2702(a)(1).
b. “Remote Computing Service” under 18 U.S.C. § 2702(a)(2) “Remote computer service” is “the provision to the public of computer storage or processing services by means of an electronic communications system.” 18 U.S.C. § 2711(2). “A ‘remote computing service' refers to ‘the processing or storage of data by an offsite third party.' In defining RCS, ‘Congress appeared to view ‘storage' as a virtual filing cabinet.'” Quon v. Arch Wireless Operating Co., 529 F.3d 892, 901 (9th Cir. 2008), rev'd and remanded on other grounds sub nom. City of Ontario, Cal. v. Quon, 560 U.S. 746 (2010)) (citations omitted).
‘“[Electronic communication service' means any service which provides to users thereof the ability to send or receive wire or electronic communications[.]” 18 U.S.C. § 2510(15).
T-Mobile says that Bayani's SCA claim fails under 18 U.S.C. 2702(a)(2) because he does not allege that T-Mobile provides remote computing services to customers. Dkt. # 19 at 26. T-Mobile says that a “company that provides only wireless text-messaging services” is solely a provider of electronic communication services and cannot provide remote computing services. Id. In response, Bayani asserts that T-Mobile may act as a provider of both services. Dkt. # 26 at 25.
Electronic communication services and remote computing services are often provided by the same entities. Theofel v. Farey-Jones, 359 F.3d 1066, 1070 (9th Cir. 2004). Whether an entity acts as a remote computing service or an electronic communications service “is context dependent, and depends, in part, on the information disclosed.” Low v. LinkedIn Corp., 900 F.Supp.2d 1010, 1023 (N.D. Cal. 2012)). Because T-Mobile does not dispute that it provides electronic communication services, see Dkt. # 19 at 26, the Court must determine whether, according to the complaint, T-Mobile also provides remote computing services, which would entail T-Mobile's provision of computer storage and processing services through an electronic communications system. See 18 U.S.C. § 2711(2).
In the complaint, Bayani explains that T-Mobile is a wireless cell phone service, which provides service plans across the country. See Dkt. # 1 at 3 ¶¶ 13-15. But Bayani does not include information as to the services that T-Mobile provides that may fall within the statutory definition of “remote computing.” It very well may be that all telecommunications providers like T-Mobile inherently provide storage or processing services in the normal course of wireless text and data service plans. Indeed, the Court recognizes that whether T-Mobile provided remote computing services to Bayani is a context-specific inquiry, and this consideration may be better suited after the pleading stage. Still, the complaint does not sufficiently explain how T-Mobile even generally provides “computer storage or processing services by means of an electronic communications service.” See 18 U.S.C. § 2711(2).
Because Bayani does not allege that (1) the contents divulged to the SIM swap scammers were in electronic storage, see 18 U.S.C. § 2702(a)(1), nor that (2) T-Mobile provides remote computing services, see 18 U.S.C. § 2702(a)(2), the Court dismisses the SCA claim. Dkt. # 1 at 14-15 ¶¶ 92-98.
The Court's ruling is without prejudice. A “district court should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (en banc) (quoting Doe v. United States, 58 F.3d 494, 497 (9th Cir. 1995)).
E. Bayani Alleges a Plausible Claim under the CFAA
In his complaint, Bayani alleges that T-Mobile's violated two provisions of the CFAA. See 18 U.S.C § 1030(a)(5)(A), (C). A defendant violates these two provisions if it:
(5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.18 U.S.C § 1030(a)(5)(A), (C).
T-Mobile further contends that the complaint fails to “allege facts sufficient to show that it violated either provision or that a violation caused a cognizable loss of at least $5,000.” Dkt. # 19 at 18.
1. Bayani Satisfies the Definition of “Knowingly”
According to T-Mobile, Bayani fails to allege a violation under § 1030(a)(5)(A) because he has not established that T-Mobile “knowingly” caused “the transmission of a program, information, code, or command,” thereby “intentionally cause[ing] damage without authorization, to a protected computer[.]” Dkt. # 19 at 27. T-Mobile contends that “at most” Bayani alleges that T-Mobile “negligently caused damage, but negligence is not sufficient” to violation this section. Id. (citing QVC, Inc. v. Resultly, LLC, 99 F.Supp.3d 525, 533 (E.D. Pa. 2015)).
In opposition, Bayani points to a later decision in the same case, QVC, Inc. v. Resultly, in which the court clarified that:
[I]t would be sufficient to allege that the defendant intended to engage in activity that he knew would impair the functionality of a protected computer, even if the primary purpose of the defendant 's conduct was not to cause a lack of functionality and the defendant believed that the loss of functionality would be temporary.QVC, Inc. v. Resultly, LLC, 159 F.Supp.3d 576, 593 (E.D. Pa. 2016) (emphasis added).
Applying QVC, even if T-Mobile believed that the wrongful SIM transfer was not induced by fraud, Bayani need only show that T-Mobile intended to participate in the SIM card transfer itself, not that T-Mobile intended to disrupt Bayani's SIM card access.
Reiterating the Court's previous discussion, see supra part III.C, regarding T-Mobile's “affirmative act” of transferring SIM card access to the scammer, Bayani has plausibly alleged that T-Mobile “knowingly” caused the SIM transfers at issue under the CFAA.
2. Bayani Satisfies the Definition of “Authorization”
T-Mobile also maintains that Bayani's CFAA claim fails because he has not shown that T-Mobile acted “without authorization.” See 18 U.S.C § 1030(a)(5)(A), (C); Dkt. # 19 at 28. T- Mobile bases this position on the contention that, by agreeing to the T&Cs, Bayani granted T-Mobile authorization to access and make changes to his SIM card. Dkt. # 19 at 28.
As discussed, see supra part III.A, the Court declines to consider arguments premised on the incorporation and contents of the T&Cs. Whether T-Mobile exceeded its authorization when it transferred Bayani's SIM card depends on Bayani's assent to the T&Cs and the Court will not consider that issue at the pleading stage.
Further, even if the Court were to consider the T&Cs, Bayani alleges that T-Mobile failed to employ proper authentication before transferring SIM access from his phone to the scammers and thereby exceeded its authority. See Dkt. # 1 at 1 ¶¶ 2-3, 6 ¶ 40, 16 ¶ 103. Recognizing that Bayani did not request a SIM transfer, but T-Mobile still effected the swap, Bayani has adequately pleaded that T-Mobile acted without authorization. 18 U.S.C § 1030(a)(5)(A).
3. Bayani Alleges a Cognizable Loss Under the CFAA
T-Mobile contends that Bayani's “allegations also do not satisfy the $5,000 ‘loss' threshold to bring a civil CFAA claim.” Dkt. # 19 at 19; See 18 U.S.C. § 1030(g). T-Mobile states that the CFAA has a narrow concept of “loss” and because Bayani only alleges theft from a cryptocurrency account, he has not met the damages threshold. Dkt. # 19 at 29 (citing Nowak v. Xapo, Inc., 2020 WL 6822888, at *4 (N.D. Cal. Nov. 20, 2020) (“losing the value of his stolen cryptocurrency is not a cognizable loss under the CFAA”)).
The Court disagrees. The CFAA provides a civil remedy for “[a]ny person who suffers damage or loss by reason of a violation of this section.” 18 U.S.C. § 1030(g). A “loss” is “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]” 18 U.S.C.§ 1030(e)(11); see Nowak, 2020 WL 6822888, at *4.
In the complaint, Bayani alleges that “scammers took approximately $21,000 of cash reserves in [Bayani's] Coinbase account to purchase Bitcoin and transfer it out[.]” Dkt. # 1 at 5 ¶ 29 (emphasis added). Although this cash was held in a cryptocurrency wallet, Bayani alleges that the stolen funds were real money and not cryptocurrency. Id. Because the complaint alleges a cognizable loss of at least $21,000 “cash reserves,” the Bayani has adequately pleaded a cognizable loss under the CFAA.
Bayani also alleges that $2,700 was transferred out of his Bank of America account, which was later used to purchase cryptocurrency. Dkt. # 1 at 5 ¶ 29.
For all these reasons, the Court concludes that Bayani alleged a plausible CFAA claim.
F. Bayani Alleges Plausible CPA Claims
Bayani contends that T-Mobile engaged in unfair or deceptive conduct that violates the CPA. To adequately plead a CPA claim, a plaintiff must allege: (1) an unfair or deceptive act or practice; (2) occurring in trade or commerce; (3) with a public interest impact; (4) injury to business or property; and (5) causation. Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105, Wash.2d 778, 784-85, 719 P.2d 531 (1986). In the motion, T-Mobile says that Bayani's claim fails because he does not allege an unfair or deceptive act or practice. Dkt. # 19 at 30-32.
T-Mobile also contends that Bayani did not allege a per se violation of the CPA. A per se violation of the CPA occurs when the Washington state legislature has “expressly declared that violation of a particular statute constitutes an unfair or deceptive practice.” Eye Care Ctr. of Snohomish v. Chemat Tech., Inc., 2012 WL 12941686, at *2 (W.D. Wash. Dec. 14, 2012). Bayani states, however, that his complaint did not allege a per se violation of the CPA claim. Dkt. # 26 at 28. The Court will not address this argument.
1. Bayani Alleges an “Unfair Act or Practice” Under the CPA
A “practice is unfair [if it] causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits.” Klem v. Washington Mut. Bank, 176 Wash.2d 771, 787, 295 P.3d 1179 (2013) (quoting 15 U.S.C. § 45(n). According to T-Mobile, courts “regularly dismiss CPA claims where a business's contractual terms and disclosures allow consumers to anticipate and avoid potential injury, since they can decide not to buy the product or service.” Dkt. # 19 at 3031 (collecting cases). T-Mobile contends that Bayani had reason to anticipate any impending harm and had the means to avoid it because, despite reading various provisions of the T&Cs warning him of the risk of securing his online accounts with T-Mobile, he still began service with T-Mobile. Id. at 31. Further, T-Mobile suggests that Bayani should have used an alternative authentication method to secure his financial accounts, such as an authentication app or security key. For these reasons, according to T-Mobile, Bayani's injury “was reasonably avoidable” and he does not allege any unfair conduct. Id. at 32.
Bayani responds by highlighting two ways T-Mobile engaged in unfair practice: (1) T-Mobile's conduct was illegal under the FCA, SCA, and CFAA, which statutes “express a public policy requiring wireless carriers to safeguard consumers' data and accounts in particular ways”; and (2) T-Mobile permitted third parties to access and use Bayani's customer account that should have been accessible only to him. Dkt. # 26 at 27-28. According to Bayani, whether he had reason to anticipate this SIM swap scam is a question of fact to be resolved later.
The Court agrees. Bayani alleges that he has suffered a substantial injury that shows a plausible claim that T-Mobile committed an “unfair” practice or act under the CPA. First, the Court has already determined that it will not incorporate the T&Cs when considering the motion to dismiss, see supra part III.A, and will not consider whether Bayani could have reasonably anticipated the misuse of his SIM card when he opened a phone plan with T-Mobile. The Court currently lacks details as to exactly how the scammers accessed Bayani's financial accounts and declines to assign blame to Bayani at this juncture. It has not yet been established-and is a factual issue-whether Bayani could have reasonably avoided risk or anticipate injury to prevent the scammers' access to his accounts. Bayani has alleged an unfair practice or act under the CPA.
2. Bayani Alleges a “Deceptive Act or Practice” Under the CPA
T-Mobile contends that the complaint does not allege that it “did anything deceptive” and, even so, “no such allegations are possible given the plain disclosures in the T&Cs. Dkt. # 19 at 32. T-Mobile also says that the Court should apply Rule 9(b) for claims of deception under the CPA, and that Bayani cannot meet this standard, or the lesser pleading standard, because he “does not describe any allegedly deceptive conduct” by T-Mobile. Id.
“[A] party must state with particularity the circumstances constituting fraud or mistake.” Fed.R.Civ.P. 9(b).
a. A Heightened Pleading Standard Does Not Apply
“‘While not all claims brought under the Washington CPA must be pled with the specificity prescribed by Rule 9(b),' CPA claims that allege and depend upon a ‘unified course of fraudulent conduct' as the basis of the claims ‘sound in fraud,' and must be averred with particularity.” Gray, 2023 WL 1068513, at *6 (quoting Nemykina v. Old Navy, LLC, 461 F.Supp.3d 1054, 1058 (W.D. Wash. 2020); Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1103 (9th Cir. 2003)). As a result, “[f]ederal courts have concluded that Rule 9(b) applies to [CPA] claims alleging that the defendant intentionally misled the public.” Gray, 2023 WL 1068513, at *6 (quoting Cole v. Keystone RVCo., LLC, No. 18-cv-5182, 2018 WL 4051805, at *2 (W.D. Wash. Aug. 24, 2018)) (internal quotation omitted).
After review of the complaint, the Court concludes that Bayani does not allege that T-Mobile engaged in a “unified course of fraudulent conduct” that might suggest the application of a heightened pleading standard. Instead, the complaint alleges that T-Mobile's conduct is deceptive under the CPA “because it allowed third parties to access and use T-Mobile customer accounts that should have been accessible only to the customer and that customers reasonably expected to be secure.” Dkt. # 1 at 17-18 ¶ 115. Because Bayani does not allege that T-Mobile engaged in any consistent acts or practice of fraud to warrant a heightened standard under Rule 9(b), the Court declines to apply one. See Nemykina, 461 F.Supp.3d at 1058 (“[N]ot all claims brought under the Washington CPA must be pled with the specificity prescribed by Rule 9(b)[.]”).
b. Bayani Alleges a “Deceptive Act or Practice” Under the CPA
Deception exists when “the alleged act had the capacity to deceive a substantial portion of the public” and that “representation, omission or practice [] is likely to mislead a reasonable consumer.” Eng v. Specialized Loan Servicing, 20 Wash.App. 2d 435, 445-46, 500 P.3d 171 (2021) (internal quotations omitted) (emphasis in original).
Under this definition, Bayani alleges a plausible CPA claim. Bayani contends that T-Mobile engaged in affirmative acts within a larger SIM swap scam and then “failed to disclose or made deceptive statements designed to cover up for the fact that it is aware that its security procedures can and do fall short of its expressed and implied representations and promises, as well as its statutory duties.” Dkt. # 1 at ¶ 41. Indeed, Bayani needs only to allege that T-Mobile's alleged act had the capacity to deceive a substantial portion of the public, which the complaint adequately pleads. The Court therefore concludes that Bayani has adequately pleaded a CPA claim.
IV
Conclusion
For these reasons, the Court GRANTS in part and DENIES in part the motion.
Accordingly, the Court DISMISSES (1) Bayani's FCA claim based on T-Mobile's failure to protect the confidentiality of Bayani's CPI with prejudice, See 47 U.S.C. § 222(a), and (2) Bayani's SCA claims (Dkt. # 1 at 14-15 ¶¶ 91-98) without prejudice. Bayani is granted until November 16, 2023, to seek leave to amend his complaint under Rule 15(a)(2).