The technical setup that makes telephone fraud possible is simple.
Fraudsters exploit voicemail boxes that have not been configured with specific passwords, and are therefore accessible via the default password (0000), to gain access to a business's private automatic branch exchange.
Once unauthorised access has been gained, fraudsters can route calls to international destinations, for which the legitimate account holder is charged. The account holder is subsequently notified by the telecoms operator – often several weeks after a huge and unusual spike in use. The telecoms operator may then maintain that the invoice is due and threaten to cut off service if the account holder fails to pay.
But who should pay the cost of this fraud?
In some cases, account holders have brought liability actions against installation and maintenance service providers on the grounds that they breached their duty to advise customers on the need to replace default passwords with more complex passwords that help to secure the system.
Court decisions that analyse service providers' obligations vary according to the facts of each case: some hold the service provider liable for failure to advise the customer, while others consider that this duty was fully met. The legal issue of whether the duty to advise has been met must be analysed on a case-by-case basis in light of the factual elements.
For instance, in a February 5 2015 decision the Nanterre Commercial Court found a service provider liable for:
- failing to conduct an annual telephone system security check;
- neglecting to sensitise its customer to security issues; and
- failing to provide training on how to handle the security aspects of the telephone system.
Similarly, in a March 25 2014 decision the Versailles Court of Appeal held another service provider liable for not having verified the security status of its customer's telephone system during an annual check.
Conversely, in a November 18 2014 decision the Versailles Court of Appeal denied a liability claim when the service provider showed that it had duly informed and trained the customer during the telephone system installation process. The service provider demonstrated this by:
- producing a job sheet that expressly referred to "customer training"; and
- pointing out that, further to its recommendations, a majority of the passwords had been switched from the default passwords.
Service providers should take heed of these court decisions to avoid exposure to liability and the risk of bearing the cost of fraudulent telephone use.
The courts' assessment of the existence and fulfilment of the duty to advise is eminently factual. It is essential to analyse various factors relating to the content of the contract and the manner in which it is carried out, as follows:
- Which terms of the contract delineate the service provider's obligations? In the absence of an express indication of a duty to advise its customer, can the existence and scope of such a duty be inferred from the terms of the contract? In particular, as in the February 5 2015 Nanterre Commercial Court decision, is the service provider obliged to check the system's security status?
- During the system installation process, can the service provider rely on a job sheet indicating that it provided customer training on how to use the telephone system? It was on this basis that the November 18 2014 Versailles Court of Appeal decision held that the customer had been advised by the service provider of the necessary security measures to be taken in order to prevent hacking. Conversely, a service provider that merely furnishes documentation about the telephone system, without alerting the customer to the security risks, does not fulfil its duty to advise;
- Has the customer changed the passwords for certain telephones? According to the November 18 2014 Versailles Court of Appeal decision, the fact that a majority of the passwords had been modified by the users seemed to confirm that the service provider had duly satisfied its duty to advise; and
- During a maintenance visit, did the service provider learn of the trivial nature of the passwords yet fail to advise the customer of the associated risks? This was one of the circumstances taken into account in the February 5 2015 Nanterre Commercial Court decision.
Further, when telephone fraud occurs the customer should seek help from the telecoms operator in order to file a complaint with the police efficiently and thus fight this new form of criminal conduct.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.