NEC Nederland BV (NEC), the Dutch branch of NEC Corporation which is a worldwide provider of IT and communication solutions, uses voice services provided by KPN BV (KPN), a Dutch telecom provider. In order to use these voice services, NEC built their own PBX (Private Branch Exchange – which is a system that concentrates central office lines and enables intercommunication between a large number of telephone stations within NEC) connected through a router to the WAN (Wide Area Network).
Unauthorized parties have managed to get access to the data lines via a badly secured NEC PBX device and have set up a dial up service through which telephone traffic with East Timor has taken place. KPN has invoiced NEC for the costs involved, in the sum of EUR 176,895,00. KPN claims payment of the invoice stating that it was NEC’s obligation to monitor the traffic. NEC however states that KPN has a duty of care (statutory and reinforced by case law) which entails that telecom providers are obliged to monitor telephone traffic and take measures when deviating telephone traffic is noticed. Furthermore, NEC claims that KPN should have warned NEC about the risks of using voice services. Because KPN neither monitored the telephone traffic nor warned NEC of the risk (the hack was discovered during a test), NEC claims that it is not liable for the costs of the fraudulent use of the voice services.
The Court rejects NEC’s claim that KPN owes it a duty of care. NEC built their own PBX system, which makes them responsible for the hardware and, being a professional in the communications sector, they are supposed to be aware of the risks of using voice services. A previous hack of their PBX system resulted in damage amounting to EUR 40,000 and confirms that NEC were aware of the risks involved. Following this incident, NEC asked KPN if it was possible to cap the use of their lines as a safeguard. KPN explained that this was not possible and instead offered a tool to enable NEC to monitor traffic on a daily basis. NEC decided not to make use of this option.
NEC also tried to rely on jurisprudence relating to telephone traffic, by claiming that such traffic should be adequately monitored on a regular basis. This plea was also rejected because – contrary to other phone traffic - different providers are used to provide voice services and KPN cannot monitor the traffic on the data lines of other providers.
Therefore, the Court concluded that NEC cannot claim a duty of care from KPN and that NEC should pay KPN’s invoice.
[Source: District Mid-Netherlands, 2 July 2014, ECLI:NL:RBMNE:2014:2617]