Threats to internet security are constantly in the news, but organisations of all sizes will know that there is a real cost to be borne when systems are hacked. However, who should bear the cost? In the recent case of Frontier Systems Ltd (t/a Voiceflex) v Frip Finishing Ltd  EWHC 1907 (TCC), the court considered that question in the context of fraudulently inflated internet call traffic and found that it should not be the customer.
James Hyde and Neil Jackson set out the key facts of the case below: The claimant, Voiceflex, provided internet telephony services to Frip. In October 2011, over one weekend, Frip’s router was hacked, its password breached, and for a period of 36 hours some 10,366 calls were made to a premium rate number overseas using Voiceflex’s service.
Voiceflex issued an invoice for the cost of those calls, Frip refused to pay and a dispute arose. Voiceflex claimed: (a) for damages for breach of contract; or in the alternative (b) for the price of the service supplied to Frip.
There was also an ancillary argument as to the terms of the contract. Whilst neither party could point to one document at the time the contract was entered into, the court found that Voiceflex’s standard terms and conditions were incorporated by a course of dealing, by being sent monthly with each invoice.
As to Voiceflex’s (a) claim, Voiceflex argued a breach of an express term, specifically that Frip agreed ‘not to divulge their password to any third party and use all reasonable endeavours to keep the same confidential and inaccessible to third parties.’
It also argued a breach of implied terms, specifically that Frip would take all reasonable steps to ensure that ‘(a) its networks were adequately protected from being accessed by unauthorised third parties, whether by the installation of an appropriate firewall or otherwise; and ... (b) any hardware installed by or on behalf of Frip was installed in such a manner that it was secure from access by unauthorised third parties.’
The court found that the implied terms argued by Voiceflex were incorporated, but in respect of both express and implied terms, the allegations of breach failed for a lack of particularity and evidence (despite both sides having adduced expert evidence).
As to Voiceflex’s (b) claim, the court found on the basis of the express terms of the contract that the trigger for payment was Frip’s use of the service, not merely Voiceflex’s supply of the service. In addition, the court drew the inference that, if Frip did ‘use all reasonable endeavours to keep (its password) confidential and inaccessible to third parties,’ it would not be liable to Voiceflex for the cost of calls made by unknown parties, namely those who actually used the service.
As that argument of breach had failed, the court concluded that on its proper construction, the agreement between the parties imposed an obligation on Frip to pay for the cost of calls that it actually made.
Absent of Frip being in breach of contract, it was not enough for Voiceflex as service provider simply to prove that it had made the service available to its customer in order to recover the cost of the calls made, not by the customer itself, but by unknown third parties as a result of the fraudulent activity. The court found that Voiceflex could therefore not recover from Frip the cost of the calls made fraudulently.
As an aside, Frip had argued that Ofcom’s General Condition 11 (GC11) provided a line of defence to the claim. GC11 provides that the communications provider shall not render any bill to an end-user in respect of services unless the amount stated ‘represents, and does not exceed, the true extent of any such service actually provided to the end-user’.
Frip argued that because of the unauthorised and fraudulent use by third parties the bill did exceed the true extent of any such service actually provided to it.
Commentary and applicability
Because of the court’s primary findings it only dealt with this issue obiter (which basically means therefore, it is not binding authority that has to be followed in other cases). Obiter commentary does, however, get followed by judges in future cases as a key part of the case and it may be that, if followed, this decision becomes the start of a precedent for law in the future.
In the case, the court found that it was not in dispute that the bill itself accurately reflected the number and cost of the relevant telephone calls. To have the meaning argued by Frip, clear words would be needed that referred to use as well as provision. GC11 did not allocate the risk of fraudulent calls to the communications provider and so Frip would not have been able to avoid liability by reliance on GC11.
What is important is that it is rare for the court to be asked to resolve liability between parties where one has been subject to hacking. Fraudulently inflated call traffic, and the obvious issues it causes between customer and supplier, as we all know, are increasingly prevalent.
The judgement underlines the need, where there is a possibility of hacking into services that your companies procure and consume or indeed sell, for a clear contract with drafting to cover a clear allocation of risk for such events, including specific requirements as to system security and who has to do what, including any acceptance of customer obligations or, if you are a supplier, the placing of customer obligations on your customers.
Standard terms may not be sufficient. This was a point identified by Voiceflex, which amended its standard terms after the event, something that also influenced the court’s judgement. From our viewpoint, this is quite an unusual case. However, given the prevalence of hacking we would envisage we may see more cases around liability for hacking in the coming years.
For more information, contact Charlotte Walker-Osborn:
Please note that the information provided above is for general information purposes only and should not be relied upon as a detailed legal source.