Threats to internet security are constantly in the news, but organisations of all sizes will know that there is a real cost to be borne when systems are hacked.  However, who should bear the cost?

In the recent case of Frontier Systems Ltd (t/a Voiceflex) v Frip Finishing Ltd [2014] EWHC 1907 (TCC), the Court considered that question in the context of fraudulently inflated internet call traffic and found that it should not be the customer.

What?

The Claimant, Voiceflex, provided internet telephony services to Frip.  In October 2011, over one weekend, Frip’s router was hacked, its password breached, and for a period of 36 hours some 10,366 calls were made to a premium rate number overseas using Voiceflex’s service.  Voiceflex issued an invoice for the cost of those calls, Frip refused to pay and a dispute arose.

Voiceflex claimed: (a) for damages for breach of contract; or in the alternative (b) for the price of the service supplied to Frip. There was also an ancillary argument as to the terms of the contract.  Whilst neither party could point to one document at the time the contract was entered into, the Court found that Voiceflex’s standard terms and conditions were incorporated by a course of dealing, by being sent monthly with each invoice. 

As to Voiceflex’s (a) claim, Voiceflex argued a breach of an express term, specifically that Frip agreed “not to divulge their password to any third party and use all reasonable endeavours to keep the same confidential and inaccessible to third parties.”  It also argued a breach of implied terms, specifically that Frip would take all reasonable steps to ensure that “(a) its networks were adequately protected from being accessed by unauthorised third parties, whether by the installation of an appropriate firewall or otherwise; and ... (b) any hardware installed by or on behalf of Frip was installed in such a manner that it was secure from access by unauthorised third parties.”

The Court found that the implied terms argued by Voiceflex were incorporated, but in respect of both the express and the implied terms, the allegations of breach failed for a lack of particularity and evidence (despite both sides having adduced expert evidence).

As to Voiceflex’s (b) claim, the Court found on the basis of the express terms of the contract that the trigger for payment was Frip’s use of the service, not merely Voiceflex’s supply of the service.  In addition, the Court drew the inference that if Frip did “use all reasonable endeavours to keep (its password) confidential and inaccessible to third parties” then it would not be liable to Voiceflex for the cost of calls made by unknown parties, namely those who actually used the service.  As that argument of breach had failed, the Court concluded that on its proper construction, the agreement between the parties imposed an obligation on Frip to pay for the cost of calls which it actually made.  Absent Frip being in breach of contract, it was not enough for Voiceflex as service provider simply to prove that it had made the service available to its customer in order to recover the cost of the calls made, not by the customer itself, but by unknown third parties as a result of the fraudulent activity.

The Court found that Voiceflex could therefore not recover from Frip the cost of the calls made fraudulently.

As an aside, Frip had argued that Ofcom’s General Condition 11 (GC11) provided a line of defence to the claim.  GC11 provides that the communications provider shall not render any bill to an end-user in respect of services unless the amount stated “represents, and does not exceed, the true extent of any such service actually provided to the end-user”.  Frip argued that because of the unauthorised and fraudulent use by third parties the bill did exceed the true extent of any such service actually provided to it. 

Because of the Court’s primary findings it only dealt with this issue obiter (and therefore it is not binding authority).  The Court found that it was not in dispute that the bill itself accurately reflected the number and cost of the relevant telephone calls.  To have the meaning argued by Frip, clear words would be needed which referred to use as well as provision.  GC11 did not allocate the risk of fraudulent calls to the communications provider and so Frip would not have been able to avoid liability by reliance on GC11.

So what?

It is rare for the Court to be asked to resolve liability between parties where one has been subject to hacking.  Fraudulently inflated call traffic, and the obvious issues it causes between customer and supplier, is, however, prevalent.  The judgment underlines the need for clear drafting and allocation of risk for such events, including specific requirements as to system security.  Standard terms may not be sufficient.  This was a point identified by Voiceflex, which amended its standard terms after the event - something which also influenced the Court’s judgment.