Articles

Customer responsible for costs deriving from hacked voice services

Customer responsible for costs deriving from hacked voice services

Customer responsible for costs deriving from hacked voice services

17.12.2014

NEC Nederland BV (NEC), the Dutch branch of NEC Corporation which is a worldwide provider of IT and communication solutions, uses voice services provided by KPN BV (KPN), a Dutch telecom provider. In order to use these voice services, NEC built their own PBX (Private Branch Exchange – which is a system that concentrates central office lines and enables intercommunication between a large number of telephone stations within NEC) connected through a router to the WAN (Wide Area Network).

Unauthorized parties have managed to get access to the data lines via a badly secured NEC PBX device and have set up a dial up service through which telephone traffic with East Timor has taken place. KPN has invoiced NEC for the costs involved, in the sum of EUR 176,895,00. KPN claims payment of the invoice stating that it was NEC’s obligation to monitor the traffic. NEC however states that KPN has a duty of care (statutory and reinforced by case law) which entails that telecom providers are obliged to monitor telephone traffic and take measures when deviating telephone traffic is noticed. Furthermore, NEC claims that KPN should have warned NEC about the risks of using voice services. Because KPN neither monitored the telephone traffic nor warned NEC of the risk (the hack was discovered during a test), NEC claims that it is not liable for the costs of the fraudulent use of the voice services.

The Court rejects NEC’s claim that KPN owes it a duty of care. NEC built their own PBX system, which makes them responsible for the hardware and, being a professional in the communications sector, they are supposed to be aware of the risks of using voice services. A previous hack of their PBX system resulted in damage amounting to EUR 40,000 and confirms that NEC were aware of the risks involved. Following this incident, NEC asked KPN if it was possible to cap the use of their lines as a safeguard. KPN explained that this was not possible and instead offered a tool to enable NEC to monitor traffic on a daily basis. NEC decided not to make use of this option.

NEC also tried to rely on jurisprudence relating to telephone traffic, by claiming that such traffic should be adequately monitored on a regular basis. This plea was also rejected because – contrary to other phone traffic - different providers are used to provide voice services and KPN cannot monitor the traffic on the data lines of other providers.

Therefore, the Court concluded that NEC cannot claim a duty of care from KPN and that NEC should pay KPN’s invoice.

[Source: District Mid-Netherlands, 2 July 2014, ECLI:NL:RBMNE:2014:2617]

 

Click here to see a printable version of this article

All rights reserved. Care has been taken to ensure that the content of this e-bulletin is as accurate as possible. However the accuracy and completeness of the information in this e-bulletin, largely based upon third party sources, cannot be guaranteed. The materials contained in this e-bulletin have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this e-bulletin without consulting legal counsel. Consultation of this e-bulletin will not create an attorney-client relationship between Stibbe and the reader. The e-bulletin may be used only for personal use and all other uses are prohibited.

Team

Related news

07.08.2018 NL law
General Data Protection Regulation comes into effect

Short Reads - On 25 May 2018, the European Union's General Data Protection Regulation (GDPR) came into effect. The GDPR replaces the EU's prior directive governing the processing and transfer of personal data, which was in place since 1995. As a regulation, the GDPR is directly applicable in all 28 EU member states and thus removes the need for national implementing legislation. However, the GDPR allows member states discretion in certain areas, as a result of which national legislation may still be implemented. In the Netherlands, the GDPR Implementation Act came into effect on 25 May 2018.

Read more

12.07.2018 NL law
Algemene verordening gegevensbescherming van toepassing

Short Reads - Vanaf 25 mei 2018 zijn de Algemene verordening gegevensbescherming (Verordening (EU) 2016/679) (AVG) en de Uitvoeringswet Algemene verordening gegevensbescherming (Uitvoeringswet) van toepassing in Nederland. De AVG en de Uitvoeringswet vervangen de richtlijn betreffende de bescherming van natuurlijke personen in verband met de verwerking van persoonsgegevens (Richtlijn 95/46/EG) en de Wet bescherming persoonsgegevens (Wbp).

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy – en cookieverklaring