That was the question which was considered in a recent case*. This week’s post is a guest blog from New Square Chambers’ David Warner. The post discusses an unwanted situation when an invoice was received from a telephone service provider for £35,000 worth of phone calls, which the defendant never made.
The defendant, FRIP, entered into a contract with Voiceflex for the provision of a telephone service for its Manchester factory. The service to be provided by Voiceflex allowed for telephone calls to be made over the internet using VoIP. It was little used – bills on average were less than £10 per month. At least, that was the position until October 2011 when hackers gained access to FRIP’s access credentials. Over the course of the weekend that followed, calls with a total value of £35,000 were made. In excess of 10,300 calls were made by this method in two days.
Voiceflex duly issued a claim for £35,000. FRIP denied the claim on the basis that it had no liability to pay for calls that it had neither made nor authorised.
The dispute raised two principal issues for the court to resolve, namely:
- Whether pursuant to the terms of the contract between the two companies, FRIP had a liability to pay for telephone calls fraudulently made by third parties?
- Alternatively, had FRIP failed to use reasonable endeavours to protect the confidentiality of its login credentials and, if so, did this entitle Frontier to damages in respect of that alleged failure?
The claim for the price
What was striking was that the written terms and conditions that governed the contract failed to identify clearly the nature of the service that was to be provided and paid for. Voiceflex claimed that its right to be paid the price of the calls was dependent only on having ‘supplied’ the service to FRIP. For its part, FRIP contended that it was only liable to pay for the service that it ‘used’. The court had to decide which of those constructions was correct.
The court looked to the language used by the parties in the other terms of the agreement. Those clauses contained restrictions on what could and could not be transmitted by FRIP when ‘using’ the service. The court, was persuaded that these references led to the inference that, under the contract, FRIP’s liability was to pay for those services which it actually used. There was no liability to pay for calls made by others simply because the service had been made available by Voiceflex.
Breach of contract – keeping the login secure
Voiceflex sought to base the second limb of its case on that obligation to safeguard the login credentials. To shore it up, Voiceflex pleaded a number of implied terms requiring FRIP to take reasonable steps to keep those credentials confidential. However, these terms failed to get Voiceflex home because it failed properly to plead what FRIP did or failed to do in that regard. Voiceflex focussed on the fact that that the system had been hacked to make good its case and not enough on what it said FRIP should have done to prevent it. What was needed was a clear statement of what FRIP had failed to do to meet its contractual obligations. The court found that there was no breach of the express term of the contract because, on the basis of the expert evidence and the method of hacking used, the eight digit password employed by FRIP represented a reasonable (and so contractually compliant) attempt to keep the login credentials secure.
Incidents involving the fraudulent use of internet telephony are, regrettably, not uncommon and the cost to the party left to pick up the tab can be substantial. What this demonstrates is just how important it is for contracting parties (in whatever field) to agree and clearly define the allocation of risk in the contract, removing possible ambiguities. In particular, any contract should state in clear terms:
- The nature of the service being provided
- Who bears responsibility for shouldering the cost resulting from any fraudulent activity
- Whether liability to pay the relevant charges for the service arises because it has been made available to the customer (irrespective of who uses it) or only if and when it is used by the customer
- What specific requirements as to system security the customer has and how these can be satisfied.
The need for clear drafting with regard to the allocation of risk for fraud was a point identified by Voiceflex, but too late. It amended its standard terms after the event to define better its customer’s liabilities. This was a factor that influenced the court’s judgment in construing the existing contract.
*Frontier Systems Limited (T/A Voiceflex) v FRIP Finishing Limited  EWHC 1907