A recent case contains some salutary lessons for service providers concerning liability for fraudulent use of their services. It appears that unless the contract has clear terms to the contrary then the service provider, not the end user, will pay for fraudulent use of a service by hackers even if the end user has not properly secured their network. .
In the case of Frontier Systems Ltd trading as Voiceflex v Frip Finishing Ltd  EWHC 1907 (TCC), 10 June 2014 the claimant, a provider of voice-over-internet protocol (VoIP) services, brought a breach of contract and damages claim against the defendant, one of the claimant’s end-users, in 2011 when an unknown third party hacked into the defendant’s computers and accumulated charges of £35,000 for numerous calls made to a premium rate telephone number in Poland.
The claim was rejected by the Technology and Construction Court which did not find any breach of contract on the following grounds: (i) the end-user’s obligations to secure its system was not set out in the contract, and (ii) there was no obligation under the contract for the end-user to pay for the unauthorised calls (only for the authorised ones).
The judge also rejected the claimant’s argument that the defendant breached an implied term in the contract by failing to use reasonable endeavours to secure their username and password. The judge accepted on bringing expert opinion that an 8-digit password was strong enough and the defendant had no obligation to take additional precautions as the contract did not specify what the defendant should or should not have done.
On proper construction of the contract, the judge concluded, the defendant was only obliged to pay for calls it had actually made and not for fraudulent calls, as long as the defendant did not disclose its password. Also, the fact that the claimant added a provision that passed liability for fraud to its customers in 2012 suggested that this was not intended in the earlier contract with the defendant.
The decision highlights the need for VoIP service providers to set out system security requirements and also liability for fraudulent calls in their contracts It may also be prudent to oblige end-users to maintain their username and passwords by using a more robust password combination and by changing it regularly.