4. Are UCAN's Claims Pre-empted by Federal Law?

To defeat UCAN's claims that violations of Pub. Util. Code §§ 451, 2890 and 2896 have occurred here, Mpower relies on the provisions of its Master Service Agreement with Edelweiss, as well as on the warning that was included in the "welcome kit" Mpower furnished to Edelweiss in 2005.

As to the Master Service Agreement, Mpower points out that item 5 of the Installation Policy and Procedures included in this agreement (a copy of which is attached to the Joint Stipulation as Exhibit A) provides that the "Customer acknowledges that it is the Customer's responsibility to adequately secure its computer network, circuits, and customer premises equipment from unauthorized access by 3rd parties." Mpower argues that Edelweiss failed to secure its equipment adequately, and that it is therefore reasonable to hold Edelweiss liable for the allegedly unauthorized calls placed through its facilities.[7]

Mpower also relies on the warning to secure equipment that appeared in the welcome kit that Mpower furnished to its new customers. As noted above, that warning urged new customers to "please be aware that there is a new fraud trend involving international long distance. If you use your own voicemail and/or PBX system and it has a paging feature, it may be susceptible to hackers. These hackers are redirecting voicemail pages to fraudulent telephone numbers in various foreign countries." The warning also stated that if the customer did not take steps to protect itself from this fraud, "you may be held responsible for fraudulent long distance calls."

In its briefs, Mpower argues that item 5 in the service agreement and the welcome kit warning demonstrate not only that UCAN's claims under the Public Utilities Code are without merit, but also that these claims are preempted by federal law. Specifically, Mpower argues that this case is controlled by the decision of the FCC in Directel v. AT&T Corp., 11 FCC Rcd 7554 (1996), as well as a predecessor FCC decision, Chartways Technologies, Inc. v. AT&T Communications, 8 FCC Rcd 5601 (1993). Mpower characterizes these decisions as follows:

Mpower's billing and collecting such charges from the customer clearly conformed to long-standing FCC policy in cases involving toll fraud carried out by unknown persons through unauthorized remote access to the outbound calling capabilities of customers' networks and equipment. In Directel v. AT&T (1996) 11 FCC Rcd 7554 . . . , which involved PBX hacking . . . the FCC directly addressed tariff provisions that placed the cost burden on the customer for fraudulent calls. The complainant in that case contended that such provisions were unjust and unreasonable in violation of 47 U.S.C. § 201(b). The FCC disagreed. Citing Chartways, supra, as controlling, the FCC concluded, "In the absence of evidence that the customer lacked the ability to control calling through its PBX or that AT&T was in a position to restrict access to and egress from the PBX, or had otherwise acted in a negligent manner with regard to the calls," such provisions properly place liability on the customer. (Directel at ¶¶ 17-19, 20.) (Mpower Opening Brief at 12-13; citation omitted.)

In view of what it considers the clear federal policy expressed in Directel, Mpower argues that UCAN's state law claims are preempted by federal law:

In light of the FCC's having adopted [the] explicit policy [set forth in Directel] pursuant to its authority over rates, terms, and conditions of interstate and international telecommunications services, state "cramming" laws or regulations are preempted to the extent that they would force Mpower to bear the burden of toll fraud under the circumstances of this case. "Under the obstruction strand of conflict preemption, an aberrant or hostile state rule is preempted to the extent it actually interferes with the `methods by which the federal statute was designed to reach [its] goal.'" (Ting v. AT&T (9th Cir. 2003) 319 F.3d 1126, 1137, quoting International Paper Co. v. Ouellette (1987) 479 U.S. 481, 494 . . .) Clearly, holding Mpower responsible for any toll fraud suffered by the customer cannot be reconciled with the FCC's opposite determination in Directel that carriers may hold customers responsible for toll fraud. (Id. at 15.)

In its briefs, UCAN argues that the Directel and Chartways cases are distinguishable and do not establish a policy of federal preemption under the facts to which the parties have stipulated. UCAN argues that toll fraud perpetrated through a PBX system - the type of fraud at issue in Chartways and Directel - has long been a well-known risk, whereas the modem hacking that apparently took place here is much more sophisticated technologically:

[R]ather than simply exploiting a well-known weakness of a simple telephone line switching system by simply dialing a phone number, the details of alleged modem hacking events are complicated and still largely unknown. The known schemes involve, by way of IP communications sent into the customer's premises by Mpower, (1) circumventing and exploiting the DSL modem supplied to the customer by Mpower, (2) somehow manipulating the customer's computer software to access attached hardware, (3) manipulating the attached hardware to make calls using the customers' service. The modem hacking Mpower suggests is highly complicated, highly technical fraud. In contrast, PBX hacking involves none of [the] types of circumvention and manipulation involved in modem hacking. (UCAN Reply Brief p. 20.)

UCAN also points out that the fraud warning given to Edelweiss when it first became an Mpower customer was concerned solely with PBX and voice-mail service; it did not warn the new customer about the possibility of toll fraud perpetrated through modem hacking. UCAN emphasizes that the 2005 warning quoted above tells customers only that if they have their "own voicemail and/or PBX system and it has a paging feature, it may be susceptible to hackers," who can "redirect[] voicemail pages to fraudulent telephone numbers in various foreign countries."

UCAN argues that this warning was insufficient to alert Edelweiss to the kind of fraud that occurred in this case, in which the modem that Mpower had supplied to Edelweiss was apparently hacked so that international calls to GlobalStar phone numbers could be placed on Edelweiss's fax line.

In analyzing whether Edelweiss's state law claims are preempted by federal law, we think it is useful to begin by reviewing the parties' stipulation as to how the telephone package that Edelweiss had purchased from Mpower was configured. On this question, the Joint Stipulation states:

During the period from August 1, 2006 through August 31, 2006, a Brother MFC 7220 combined printer, scanner, and fax machine ("fax machine") was connected at the Customer's [i.e., Edelweiss's] premises to one of the POTS lines provided by Mpower. This POTS line was identified by telephone number 858-751-0376 (the "fax line"). The fax machine was also connected at the Customer's premises to the DSL Internet access line. Ms. Stepanova asserts that Windows Firewall and another antivirus program, which Ms. Stepanova believes was Norton Antivirus, was installed on the computer. The Customer asserts that none of the Customer's lines was connected to a PBX and that the customer did not have voicemail; Mpower has no basis for a belief to the contrary. (Joint Stipulation, ¶ 4.)

Based on these facts and the cases discussed below, we do not believe that the FCC decisions cited by Mpower establish the sweeping federal policy that Mpower claims. On the contrary, the FCC's brief decision in Directel - the principal federal case on which Mpower relies - emphasized that the dispute there was being decided on the pleadings, since the complainant had submitted no declarations, affidavits, or other evidence concerning the measures it had taken to secure its PBX systems against unauthorized use. On this question, the FCC said:

With regard to its alternative claim of unreasonableness under Section 201(b) of the [Communications] Act, Directel has presented no facts to support a finding that the subject tariff provisions are unlawful within the meaning of Section 201(b). Directel's own admission that toll-fraud occurrences at both the Westerville and Cincinnati PBXs ceased promptly after its PBX vendors took certain unspecified preventive measures belies any claim by Directel that it lacked the ability to control access to and egress from the PBXs and that such control was the responsibility of AT&T. Further, Directel has provided no information that would indicate whether, and if so, to what extent, it discussed PBX security measures with its PBX vendors or whether measures were put in place to restrict access to the PBX facilities at the time of their installations. Moreover, as was the case in Chartways, Directel has failed to cite any authority or provide any persuasive argument to support a finding that AT&T had any affirmative duty to warn Directel about toll-fraud risks, nor has it alleged specific facts that might indicate that AT&T acted unreasonably in its communications with Directel at the time the fraudulent calls occurred. (11 FCC Rcd at 7562-63; footnote omitted.)

We also agree with UCAN that the warning to new customers that appeared in Mpower's welcome kit dealt solely with toll fraud perpetrated through PBX and voice-mail service. As noted above, the warning told customers that "if you use your own voicemail and/or PBX system and it has a paging feature, it may be susceptible to hackers." The warning also emphasized that "if you do not take steps to safeguard your voicemail and/or PBX systems from this potential threat, you may be held responsible for fraudulent long distance calls." (Joint Stipulation, Exh. B.) Modem hacking is not mentioned in the welcome kit warning.[8]

Although UCAN has not cited any authority to support its claim that hacking a computer modem is substantially more complicated than hacking a PBX, a review of applicable literature we have located lends considerable support to this assertion. First, it is clear that warnings about the risk of toll fraud perpetrated through PBXs and voice mail systems have been around since the mid-1990s. For example, a short 1998 article entitled [ISN] Toll Fraud: The Crime of the 90's warned readers that there were several ways a PBX could be compromised, including "crack[ing] the authorization codes for the remote access feature, . . . [which] allows a caller to dial into the system, enter an authorization code and get an outbound line." Another vulnerability of PBX systems, the article said, was the remote access port, which "allows a remote user, including the PBX vendor, to access the system for maintenance. The maintenance ports have standard user IDs. The standard IDs are well known to the hacker community."[9]

In recent years, modems have become ubiquitous in the public switched telephone network. However, as a recent treatise on information security notes, modems can be hacked through software programs known as "war dialers." The treatise defines war dialing as follows:

War dialing is the action of dialing a given list or range of phone numbers and recording those that answer with handshake tones - a predetermined signal used to establish connections between two terminal devices (and so might be entry points to computer or telecommunications systems). It can detect modem, fax or private branch exchanges (PBXs) tones and log each one separately for nefarious purposes. III HANDBOOK OF INFORMATION SECURITY (H. Bidgoli, ed., John Wiley & Sons, 2006), (emphasis in original) at 31 (hereinafter Security Handbook).

As noted above, Mpower does not dispute UCAN's assertion that two security systems, Windows Firewall and an antivirus program, had been installed on Edelweiss's computer in 2006. (Joint Stipulation, ¶ 4.) However, the Security Handbook points out that while such measures can provide helpful security for home office and other small systems,[10] even apparently well-designed firewalls can be vulnerable to hacking:

[T]o ensure security, firewalls are [often] added to protect the internal network. However, this is not absolutely safe. If the firewall is not carefully configured, it may provide a false sense of security and permit outsiders to hack internal systems. An inadequately configured firewall can make internal hosts visible to the outside world, may pass traffic from untrusted hosts and ports that are supposed to be blocked, and may provide an incorrect proxy server that lets malicious traffic into the internal network. Insiders can invoke malicious software to leak information or import malicious codes. Administrators and users may install tools on systems so that they can work remotely and conveniently. These tools may become backdoors for outside intruders. (Id. at 80.)[11]

Even though the security measures that Edelweiss installed were not effective against the hacking that apparently took place in this case, this does not mean that Edelweiss would automatically be liable under federal law for the satellite calls that the hacking made possible. In a line of decisions dating back to the mid-1990s, the FCC and the federal courts have recognized that business customers should not be held liable for unauthorized calls where the customer has used reasonable measures to protect its system against hacking, even if these measures prove to be unsuccessful.

The first of these decisions was United Artists Payphone Corp. v. New York Telephone Company, 8 FCC Rcd 5563 (1993). In that case, United Artists (UA) contended that New York Telephone Company (NYT) and AT&T had acted unlawfully in attempting to collect charges for unauthorized interstate and international calls that were either originated or accepted at UA's payphones. Among other arguments, UA contended that it was not a customer of AT&T under the applicable federal tariff, because (1) UA had not presubscribed its payphones to AT&T, and (2) UA had taken affirmative steps to control unauthorized operator-assisted and direct-dialed calls to and from its payphones. AT&T, while conceding that UA had not presubscribed its payphones, argued that UA should be deemed to have "constructively ordered" AT&T service because the security measures that UA put in place were ineffective.

The FCC agreed that the question of whether UA had implemented adequate security measures was crucial to resolution of the constructive ordering issue. The FCC described UA's security precautions as follows:

The record shows that UA implemented a number of measures designed to control potentially fraudulent operator-assisted or direct-dialed calling. First, when ordering public access lines from NYT, UA told NYT that the payphone lines in question were to have no primary interexchange carrier . . . Further, if operator-assisted interexchange calls did originate or terminate at UA payphones, the originating line and billed number screening services that UA ordered from NYT for all of its payphone lines were intended to inform operator service providers of any billing restrictions on those lines. UA also ordered NYT's 10XXX Restrict service, which was intended to block both operator-assisted and direct-dialed 10XXX sequences . . . In addition to the network-based fraud control services it ordered, UA programmed its payphones to block operator-assisted and direct-dialed calling outside of the local area. Beyond all of these preventative steps, UA monitored calling from its phones and regularly reported any apparently fraudulent calling to NYT and AT&T. (8 FCC Rcd at 5566; footnotes omitted.)

The FCC then held that because these preventive measures were reasonable under the circumstances, UA could not be considered a constructive customer of AT&T:

Based on the record before us, we find that UA took reasonable steps to secure its payphones against fraudulent calling and that it therefore did not constructively order the services used to make the calls at issue. Because UA did not intentionally or constructively order services from AT&T, UA was not AT&T's customer and cannot be held liable for the disputed charges. (Id.; footnote omitted.)

In recent years, the federal district courts have shown considerable skepticism toward claims of constructive ordering, in part because of the growing sophistication of hackers. For example, in AT&T Corp. v. Midwest Paralegal Services, Inc., 2007 U.S. Dist. LEXIS 33546, a U.S. District Court in Wisconsin rejected AT&T's argument that a paralegal firm had constructively ordered service from AT&T when the firm's PBX system was hacked and over $10,000 worth of unauthorized calls were made to the Philippines. The court noted that each extension on the paralegal firm's PBX system was protected by a four-digit code that the caller was required to enter in order to access the extension's voice-mail. After reviewing prior authority (including United Artists Payphone), the court concluded that this security measure was sufficient to defeat AT&T's motion for summary judgment based on the constructive ordering theory:

AT&T asserts that Midwest Paralegal, similar to the defendants in Community Health Group, [12] failed to adequately institute affirmative safeguarding measures to protect its telephone system from fraud and abuse. However, the circumstances in Community Health Group substantially differ from those in this case. In Community Health Group, the defendants failed to present any evidence `showing that they acted in any way to control the unauthorized charging of AT&T [long distance] calls to their system before the fraud occurred.' [931 F. Supp. at 723.] Here, Midwest Paralegal submits evidence demonstrating that, at the time the unauthorized calls occurred, its telephone system required a caller to enter a four-digit access code before the caller could access Midwest Paralegal's network remotely . . . In addition, Midwest Paralegal submits the affidavit of Gierl, the technician who installed and services Midwest Paralegal's telephone system. Suggesting that Midwest Paralegal took reasonable steps to secure its telephone system, Gierl stated that the call-in feature on Midwest Paralegal's telephone system was a standard feature in voice mail systems in business settings, and that based on his training and experience, the manner in which the unauthorized caller gained access to Midwest Paralegal's telephone system required an extremely high level of sophistication and knowledge in the telecommunications field. (2007 U.S. Dist. LEXIS 33546 at *20-*21.)

In AT&T Corp. v. The Ridge Company, 2008 U.S. Dist. LEXIS 48319, a U.S. District Court in Indiana reached a similar conclusion. In the Indiana case, hackers had gained access to the Ridge Company's telephone system through its voicemail feature, and over $27,000 of unauthorized calls were placed to countries in Africa and the Middle East over AT&T lines. AT&T argued that as a result of the hacking, Ridge should be deemed to have constructively ordered service from it. Ridge argued that it should not be considered a constructive AT&T customer because of the security measures it had implemented, which included assigning a four-digit pass code to each individual voice mail account, a pass code that had to be changed every 30 days to gain access to the account. In granting Ridge's motion for summary judgment and denying AT&T's, the court said:

AT&T's submissions never quite articulate why [Ridge's] precautions against unauthorized access fell short of reasonable. AT&T notes that stronger precautions were taken after the unauthorized use (six-digit pass codes were instituted), but subsequent remedial measures don't prove that earlier measures were unreasonable. See WIGMORE, EVIDENCE § 283, at 175 (Chadbourn rev. 1979). (2008 U.S. Dist. LEXIS 48319 at *8.)

When read together, United Artists Payphone, Midwest Paralegal, and AT&T v. Ridge Company suggest to us that it is very unlikely Edelweiss would be held liable under federal law for the long-distance calls at issue in this case. As noted above, Mpower does not dispute Edelweiss's assertion that both Windows Firewall and an antivirus program were installed on Edelweiss's computer in 2006. Further, even though the Security Handbook indicates that experts knew in 2006 that such measures do not provide complete security against hacking, it is unreasonable to expect small business customers like Ms. Stepanova and Edelweiss to have been familiar with these limitations.

Thus, based on the facts to which the parties have stipulated, we think UCAN has demonstrated that in 2006, Edelweiss took reasonable measures under the circumstances to secure its computer and telephone systems. In view of these measures and the cases described above, we conclude that (1) it is unlikely Edelweiss would be held liable under federal law for the unauthorized calls that occurred here, and (2) UCAN's state law claims against Mpower are not preempted by federal law.

[7] Later in this decision, we will consider at length UCAN's argument that item 5 of the Installation Policy and Procedures is unconscionable under California law.

[8] The parties' stipulation states that once a customer complains to Mpower about fraud, the customer is provided with a copy of Mpower's then-current "fraud guideline," which "instructs the customer to work with the customer's vendors to identify the root causes of the alleged fraud." (Joint Stipulation, ¶ 35.) The Joint Stipulation also notes that while the fraud guideline Mpower provided to Ms. Stepanova is no longer available, it did not mention modem hacking (although the current guideline on Mpower's website does). (Id.; Exh. O.)

For purposes of our analysis here, the contents of the fraud guideline are irrelevant. The Joint Stipulation notes that the guideline was not provided to Ms. Stepanova until October 30, 2006, more than six weeks after she had first complained about the allegedly unauthorized calls. In determining whether the security measures that Ms. Stepanova took were reasonable, we must look to the nature of the fraud warning she was given in the 2005 welcome kit; i.e., before the cat was out of the bag.

[9] The 1998 article can be found at http://lists.jammed.com/ISN/1998/11/0087.html.

[10] The Security Handbook notes that in small office and home office systems, "often digital subscriber line (DSL) or cable modems include firewall functionality because of their `always on' connection status." III Security Handbook at 511.

[11] According to the Security Handbook, it has been estimated that 80% of successful network attacks either penetrate or avoid firewall security. To be effective, a properly configured firewall must typically be combined with intrusion detection/prevention systems, vulnerability assessment technology, and antivirus technology in order to achieve a complete perimeter security solution. (Id. at 502-03.)

One reason that firewalls can be penetrated or avoided with relative ease is that there are apparently no uniform standards for them:

Another difficulty with firewalls is that there are no standards for firewall types, configuration, or interoperability. As a result, users must often be aware of how firewalls work to use them, and owners must be aware of these issues to evaluate potential firewall technology purchases. Many different devices can all be called firewalls, but that does not imply that these devices provide identical or even similar functionality. (Id. at 506.)

As the discussion in the text makes clear, we think it is expecting too much of a small business customer to be aware of these limitations. To most laymen and small business operators, a commercial firewall product seems like good computer security.

[12] As indicated by the reference in Midwest Paralegal to AT&T Corp. v. Community Health Group, 931 F.Supp. 719 (S.D. Calif. 1993), some cases have held that businesses victimized by toll fraud should be considered constructive customers of AT&T where the businesses failed to implement reasonable measures to prevent unauthorized use of their telephone systems. In Community Health Group, the district court concluded that the defendant should be liable for unauthorized calls made from its PBX system, because even though the defendant claimed it had "relied on the anti-fraud expertise" of Centrex Equipment Associates and Pacific Bell to implement security measures, the health group had "provide[d] no explanation of how it relied on Centrex and PacBell, and no evidence that Centrex or PacBell had represented to [defendant] that they would institute any anti-fraud measures" until after the unauthorized calls had been discovered. In addition, the court noted that defendant had presented no other evidence of "affirmative safeguarding measures" that, under United Artists Payphone, "the FCC has recognized as a valid defense to a `constructive ordering' allegation." (931 F.Supp. at 723.)

Similarly, in American Telephone and Telegraph Co. v. Jiffy Lube International, Inc., 813 F. Supp. 1164 (D. Md. 1993), the court rejected the argument that Jiffy Lube should not be liable for unauthorized calls made by hacking its PBX system. Jiffy Lube's security was weak; the court noted that in order to use the PBX's remote access feature, one needed only to know the relevant 800 number. Once remote access had been obtained, the only additional step necessary to make international calls was to enter an access code, which was the word "LUBE". The court noted Jiffy Lube's admission that both the 800 number and the access code had been posted on a computer bulletin board for hackers. (Id. at 1165.)

In denying Jiffy Lube's motion for summary judgment and granting AT&T's, the district court noted that "Jiffy Lube ignores the fact that it created the vehicle and mechanism by which those long distance calls became possible," and also rejected the argument that "in terms of modern technology and knowledge of the same," AT&T was better equipped than its customers to "offer protection against `computer hackers'." (Id. at 1167-68.)
