Articles

Customer responsible for costs deriving from hacked voice services

Customer responsible for costs deriving from hacked voice services

Customer responsible for costs deriving from hacked voice services

17.12.2014

NEC Nederland BV (NEC), the Dutch branch of NEC Corporation which is a worldwide provider of IT and communication solutions, uses voice services provided by KPN BV (KPN), a Dutch telecom provider. In order to use these voice services, NEC built their own PBX (Private Branch Exchange – which is a system that concentrates central office lines and enables intercommunication between a large number of telephone stations within NEC) connected through a router to the WAN (Wide Area Network).

Unauthorized parties have managed to get access to the data lines via a badly secured NEC PBX device and have set up a dial up service through which telephone traffic with East Timor has taken place. KPN has invoiced NEC for the costs involved, in the sum of EUR 176,895,00. KPN claims payment of the invoice stating that it was NEC’s obligation to monitor the traffic. NEC however states that KPN has a duty of care (statutory and reinforced by case law) which entails that telecom providers are obliged to monitor telephone traffic and take measures when deviating telephone traffic is noticed. Furthermore, NEC claims that KPN should have warned NEC about the risks of using voice services. Because KPN neither monitored the telephone traffic nor warned NEC of the risk (the hack was discovered during a test), NEC claims that it is not liable for the costs of the fraudulent use of the voice services.

The Court rejects NEC’s claim that KPN owes it a duty of care. NEC built their own PBX system, which makes them responsible for the hardware and, being a professional in the communications sector, they are supposed to be aware of the risks of using voice services. A previous hack of their PBX system resulted in damage amounting to EUR 40,000 and confirms that NEC were aware of the risks involved. Following this incident, NEC asked KPN if it was possible to cap the use of their lines as a safeguard. KPN explained that this was not possible and instead offered a tool to enable NEC to monitor traffic on a daily basis. NEC decided not to make use of this option.

NEC also tried to rely on jurisprudence relating to telephone traffic, by claiming that such traffic should be adequately monitored on a regular basis. This plea was also rejected because – contrary to other phone traffic - different providers are used to provide voice services and KPN cannot monitor the traffic on the data lines of other providers.

Therefore, the Court concluded that NEC cannot claim a duty of care from KPN and that NEC should pay KPN’s invoice.

[Source: District Mid-Netherlands, 2 July 2014, ECLI:NL:RBMNE:2014:2617]

 

Click here to see a printable version of this article

All rights reserved. Care has been taken to ensure that the content of this e-bulletin is as accurate as possible. However the accuracy and completeness of the information in this e-bulletin, largely based upon third party sources, cannot be guaranteed. The materials contained in this e-bulletin have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this e-bulletin without consulting legal counsel. Consultation of this e-bulletin will not create an attorney-client relationship between Stibbe and the reader. The e-bulletin may be used only for personal use and all other uses are prohibited.

Team

Related news

02.10.2019 EU law
Seminar: Data protection implications of (a no-deal) Brexit

Seminar - On October 2nd at 4 pm, we organize a seminar where we will discus the implications of a (no-deal) Brexit on data protection.  These issues affect all businesses interacting between UK and EEA (including EU) and which send or receive data to and from UK. We will highlight the main challenges both in the case of a hard Brexit on 31 October 2019 and in other scenarios. We will also offer guidelines to help your organisation mitigate the respective risks.

Read more

19.08.2019 EU law
Enable “likes” and bear joint-controllership

Articles - The Court of Justice of the European Union recently ruled, in Case C-40/14 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV,  that a website operator that features “Like” social-media plugin from Facebook likely qualifies as joint-controller with Facebook for its website visitors’ personal data collection and transmission to Facebook.

Read more

28.08.2019 NL law
Masterclass: e-signature and electronic identifiers

Masterclass - Stibbe is organising a Masterclass on 26 September 2019 in Amsterdam on the subject of e-signature and electronic identifiers. This Masterclass will cover the legal framework and focus especially on the numerous possibilities for applying the various electronic signatures in different situations. In addition, we explain the regulations governing electronic identifiers, and the mandatory European recognition they receive.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring