Hacking – who bears the cost?

In summary:

Voiceflex provided internet telephony services to Frip, a decorative print finisher.

The Voiceflex service involved Frip transmitting IP packets from Frip’s router to a Voiceflex call server, via the internet (an “SIP trunk”).

In October 2011, over one weekend and the following Monday morning, Frip’s router and/or PBX was hacked, its password having been breached, and over 36 hours 10,366 calls made, the majority to an overseas premium rate number.

Voiceflex issued an invoice for around £35,000. The issue was whether Frip was liable to pay that invoice?

Voiceflex claimed (i) the price of the service supplied to Frip or (ii) damages for breach of contract.

A dispute arose over whose terms applied. The court found Voiceflex’s T&C’s applied, having either been accepted by Frip’s consultant during set-up or through a course of dealing, having been sent with each monthly invoice.

Voiceflex argued that Frip breached:

• An express term, not to divulge their password to any third party, and to use all reasonable endeavours to keep it confidential and inaccessible to third parties;
• And, implied terms to take reasonable steps to ensure (i) its networks were adequately protected from unauthorised third party access; and (ii) any hardware installed by Frip was similarly secure.

The Court found:

• Allegations of breach i.e. that Frip failed to secure its network, or take reasonable steps to protect its password, all failed for lack of evidence.  The court accepted that Frip’s use of an 8 digit numeric password was sufficient during the period in question.
• That the trigger for payment under the contract was Frip’s use of the service, not Voiceflex’s supply of the service.
• If Frip did use all reasonable endeavours to keep its password confidential and inaccessible, it would not be liable to Voiceflex for the cost of calls made by unknown parties.
• Absent Frip being in breach of contract, it was not enough for Voiceflex as service provider to simply prove it made the service available in order to recover the cost of calls made by an unknown third party.
• Ofcom’s General Condition 11 provides that a telecoms provider shall not render a bill to an end user for services unless the amount stated represents, and does not exceed, the true extent of the service actually provided to the end-user. In this case, the bill itself did accurately reflect the number and cost of the calls. GC11, however, did not allocate the risk of calls to the telecoms provider and therefore did not provide a defence (on these grounds at least) to Frip.

Hacking is an increasing problem and one that represents a real risk to business.  As such, it is important that both service providers and their customers seek to identify how hacking may occur, identify any specific requirements for system security, and allocate responsibility between the parties.

Dealing with the above via standard T&C’s will be difficult and service providers will no doubt be keen to be pro-active and offer security tools, or security services, to customers.

The Voiceflex case therefore brings into stark relief the need for telecom providers and their customers to revisit their contracts to cover the above issues.

For more advice on this issue please contact Tim Toomey or Judy Baker.

Tim Toomey, Partner, Commercial Litigation
Judy Baker, Partner, IP/IT
4 September 2014