Mason Hayes Solicitors

Practical Solutions through Industry Expertise

Archive for August, 2014

Who are the Victims of Hackers?

Tuesday, August 19th, 2014

In June this year in the case of Frontier Systems Limited t/as Voiceflex –v- FRIP Finishing Limited [2014] EWHC 1907 the Technology & Construction Court had to consider who was responsible to pay where hackers had infiltrated a telephone system and made over 10,000 international calls. 

Background to the claim

Voiceflex carried on a business providing telephony services over the internet and Frip carried on a business as decorative print finishers and was therefore the customer and/or end user.  One weekend in October 2011 Frip’s router was hacked and over 10,000 international calls were made to a premium telephone number in Poland.  Voiceflex raised an invoice in respect of those calls which totalled £35,560.20.  Frip refused to pay as it had not made the calls and a dispute therefore arose.    

The service

The service which Voiceflex provided was one whereby Frip was permitted to use Voiceflex’s system to transmit IP packets from Frip’s router to Voiceflex’s call server via the internet.  The process is often called “SIP trunk” within the industry. 

The claim

Voiceflex brought two claims.  The first being for the price of services supplied to Frip, and in the alternative, a claim for damages for breach of contract.  The alternative claim was based upon breaches of one express term and a number of implied terms which were as follows:

  1. Frip was not to divulge the router password and was to use all reasonable endeavours to keep it confidential and inaccessible to third parties;
  2. Frip was to take all reasonable steps to ensure that its networks were adequately protected from being accessed by unauthorised third parties; and
  3. Frip was to take all reasonable steps to ensure that any hardware installed by, or on behalf of, Frip was installed in such a manner that it was secure from access by unauthorised third parties. 

 The decision

 Claim for services

 The Court concluded that the proper construction of the contract was that Frip was only liable to pay for the cost of calls actually made.  It was therefore not the case that Voiceflex simply had to prove that it had made the service available to Frip in order to recover the costs of calls made, not by Frip, but by an unknown third party as a result of fraudulent activity.

What was detrimental to Voiceflex’s claim was the repeated reference in its terms and conditions to “using”, which led the Court to conclude that the trigger for liability to pay was use of the service rather than the mere supply of the service.

The Court then considered the question of use by an unknown third party rather than by Frip. The express term which confirmed an obligation on Frip not to divulge the password and to take reasonable steps to keep the password confidential was considered to be relevant.  The Court concluded that the inference that was to be drawn from that express term was that, if Frip complied with that obligation, it would not be liable for the cost of calls made by unknown third parties. 

The Court also took into account the fact that Voiceflex had subsequently amended its terms and conditions so as to confirm that its customer would be liable to pay for calls made whether fraudulently or otherwise.

Breach of Contract

As to the alternative argument, the Court accepted that the two implied terms outlined above were incorporated. However, the claim failed due to a lack of particularity and evidence in respect of the alleged breaches.  As to the allegation that Frip had not taken all reasonable steps to secure its network,  the Court found that Voiceflex had not put forward what Frip did, but should not have done; or conversely what Frip did not do, but should have done.  The claim therefore failed. 

Equally, and as to the allegation that Frip did not take all reasonable steps with regard to the password, the Court found that the allegation lacked any particularity and failed to allege what reasonable steps Frip should have taken to prevent such an event occurring.  It was suggested that the password strength was not sufficient being 8 digits, and it was submitted that the password could have been up to 20 digits.  The Court accepted the expert evidence that 8 digits was sufficiently strong and that in reality the number of digits was irrelevant as the software used to attack the password does not need to know how many digits.  

Finally, it was alleged by Voiceflex that Frip had left open port 5060.  It however failed to discharge the burden of proof and the Court concluded the port was not left open as alleged. 

General Condition 11

Frip attempted to defend the claim on a further ground.  That was that General Condition 11 prevented Voiceflex from raising an invoice in respect of the calls as the service had not in fact been provided to Frip. It was averred that the purpose of General Condition 11 was to place the risk of incurring the cost of calls fraudulently made by unknown third parties upon the service provider, as opposed to the end user. 

As the Court had already determined the matter as outlined above, the comments made were therefore obiter only.  The Court concluded that General Condition 11 simply meant that any bill rendered should be accurate. Moreover, that it was not intended to specifically address the situation where there had been fraudulent activity. 

Considerations for Service Providers

Hacking is now prevalent and service providers should be giving serious consideration not only to how such scenarios should be addressed when they arise but also to how such situations can be prevented. It is important to ensure that what is decided is outlined clearly and concisely within the terms and conditions.

In terms of prevention, it may be preferable to offer tools to enable the end user to secure the hardware and network which the end user has sole control over and is therefore solely responsible for.  Irrespective of whether the contract provides for the sole responsibility to lie with the end user, a pro-active approach should be considered by the service provider.  It is not commercially sensible for a network provider to simply rely on the end user and/or a re-seller to protect the systems against fraud.    

Voiceflex has, for example, introduced its own fraud detection application for its customers called Advanced Behavioural Based Analysis (“ABBA”) which monitors activity and can red flag, limit, block and/or  suspend activity.  Whilst this has been implemented as a standard feature of the service, Voiceflex has confirmed that many end users and re-sellers do not use the feature.  Voiceflex itself takes steps to attempt to access any apparent open ports and where an open port is found, it reports its finding to the client for immediate action to be taken.  

In terms of catering for when fraudulent activity occurs, it is important for service providers to review their terms and conditions in respect of their charges, whether that includes liability for any fraudulent activity and what triggers liability.  Equally it is important to undertake a review with regard to the obligations of the end user with regard to its hardware and network.  These obligations should be as specific as possible. 

If it is not the intention of the service provider to provide for the end user to be liable for fraudulent activity then it is going to be paramount to have rigid obligations as to what they must do to secure the network and hardware.  It should be made clear that should those obligations not be fully complied with, then the end user will become liable for any charges incurred by way of fraudulent activity, as well as any other claims for damages for breach of contract.  If this approach is taken the onus should be squarely upon the end user to take steps to secure the network and hardware.

This approach however carries risk for service providers.  They won’t be getting paid for any fraudulent activity and they have to place great trust in their customers in protecting against fraud when most do not appear to be taking the risk of fraud seriously.  The preferable approach would therefore be to charge for any fraudulent activity and place an obligation on the customer in respect of securing the network and hardware.  There is therefore an incentive for the end user to comply with the obligations to secure the network and hardware.  That is because if it does not then it will be footing the bill.  It is however advisable to offer an application or product to assist your customer in that regard or make recommendations in that regard.   

In any event, it is advisable to chat through with the end user at the outset of any contractual relationship what the position is regarding fraudulent activity and what steps are required with regard to securing the hardware and network.

If you require advice regarding a dispute that has arisen regarding charges incurred as a consequence of fraudulent activity then please contact Marcus Hayes, Head of Commercial Litigation.  Equally, should you require advice regarding your terms and conditions then please contact Karen Houghton, Head of Corporate.

Marcus Hayes & Jessica Eaton, Commercial Litigation, Mason Hayes Solicitors

August 2014

Tuesday, August 19th, 2014

My blog this month is about my political experiences at Mason Hayes.  Mason Hayes takes its social responsibility very seriously which is clear from the fantastic work carried out by the Mason Hayes Charitable Trust.  However, in addition to that, Mason Hayes is actively involved politically with regard to issues which are relevant to the firm or those which members of the firm feel passionately about. 

I personally have been involved in research papers with regard to changes to the Civil Procedure Rules and Civil Litigation generally, providing input on draft legislation and attending meetings with members of Parliament.  Being somebody who once considered a political career, I found these experiences enlightening. 

The most recent contribution that I have made was to a research paper with regard to reform of the civil justice system to improve its efficiency as a whole.  Our submission  included proposed reforms to the use of mediation, the introduction of compulsory mediation, the introduction of small claims adjudication, changes to the use of technology by HMCTS and changes to how litigants in person are dealt with.  I have recently been informed by the firm’s Managing Director that the proposals we submitted are being considered and may well form the basis of further research.   I therefore hope that I will get to undertake further work regarding this research paper moving forward.  Even if our proposals are not the subject of further research, I do anticipate having further involvement in the research project which I look forward to.  It would however be fantastic if one of the changes which we proposed made its way into government policy and was then introduced. 

Our involvement has not however been restricted to legislative matters which directly relate to the legal profession or the practice areas within which the firm operates.  For example, I was invited to attend a meeting with Edward Timpson MP with regard to the Children and Families Bill earlier this year.  The purpose of the meeting was to outline the issues with the current regime and the flaws with the Bill.  This was not just to highlight the difficulties legally but also the detriment that would be caused to children, both in terms of their education but also in terms of the wider social and economic implications. 

I have found that the skill set that you acquire and develop as a lawyer is a set of transferrable skills which would stand you in good stead for a career in politics.  The adversarial and confrontational environment that exists in Parliament and Government is akin to that in the litigation arena.  I can see why there are so many lawyers who move into politics.       

Until my next blog 

Jessica

Press Release – Outstanding alumni receive fellowships during Summer 2014 Graduation

Thursday, August 7th, 2014

Rupert Bravery (Economics 1978) Emergency Preparedness and Response Advisor, ExxonMobil and Marcus Hayes (Law 1984) Managing Director, Mason Hayes Solicitors have been awarded fellowships for their exceptional contributions to the University of Sussex.

Presenting Rupert Bravery, Deputy Vice-Chancellor Michael Davies described how Rupert had played a key role in supporting the University’s Mobil 1 Team Sussex motorsport team since 2008.

As well as securing sponsorship for the team from ExxonMobil and in-kind support from other corporate sponsors, Rupert has mentored the student team on many aspects of the national Formula Student competition; helped them to raise their profile at events such as the Goodwood Festival of Speed, and introduced them to patrons including Lance Sergeant Johnson Beharry VC and Richard Noble OBE.

In addition to helping the student team over many years, Rupert has also had a wider impact on staff and students within the University through his various careers talks and his participation on the School of Engineering and Informatics’ Advisory Board.

Receiving his fellowship, Rupert said he was ‘honoured and humbled’ and described how proud he was of the engineering students’ achievements to date, remaining friends with many of them for years after graduation. 

Like Rupert, Marcus Hayes was the first in his family to go to University and having carved out a successful career in law, he went on to establish both the Mason Hayes Scholarships and the Mason Hayes Charitable Trust Work Placement Scheme which provide financial and personal development support to those who need it most.   

Marcus has also visited the University on numerous occasions to provide mentoring, careers talks and most recently a commercial awareness seminar for law students.

On accepting the award, Marcus said ‘I am thrilled and delighted to receive this award.  From the moment I came to Sussex it had an embrace, and it not only provided me with a very good education but has enabled me to offer a variety of opportunities to undergraduates from first generation backgrounds or from backgrounds where personal circumstances would otherwise dictate an inability to enjoy the benefits of higher education. 

It has been a privilege to be associated with Sussex, both as a student and alumnus and I look forward to working further with the University for many years to come.’

Marcus also described how the biggest reward for him was to see first generation scholars growing in self-confidence and beginning to fulfil their ambitions. He mentioned fellow guest at the awards dinner, law alumna Ellie Taylor, who participated in the Mason Hayes Charitable Trust Work Placement Scheme and, following graduation, gained a scholarship from the Law Society –  she is due to start her first legal role in September.

Finally, he emphasised the value that alumni add to the University, for current students and for recent graduates, not only by providing financial support but also through giving inspiration, expertise and mentoring.

By Sally Atkinson,
Alumni Relations Manager
University of Sussex


Mason Hayes Limited is authorised and regulated by the Solicitors Regulation Authority under registration number 537318. The professional rules relating to our services can be accessed on the Solicitors Regulation Authority website at https://www.sra.org.uk/solicitors/standards-regulations/. Mason Hayes Solicitors and Mason Hayes are trading styles of Mason Hayes Limited which is a company registered in England and Wales under company number: 3401175. Our registered office is Siviter House, No 1 The Grange, Altrincham Road, Wilmslow, Cheshire, SK9 5ND. Our VAT number is 803 032 486. All rights reserved. Terms & Conditions. Privacy Policy