Determining liability following a hacker attack

By Linjun Niu
Posted: 24th October 2025 09:33
B used A’s Enterprise Messaging Platform to send messages to targets via SMS. A charged service fees based on the number of messages sent by B. Under their contract, B can manage and modify the list of targets at any time, and is responsible for establishing and maintaining its own hardware/software systems, as well as safeguarding its platform credentials. Any messages sent through B’s account shall be deemed its actions. If the account suffers a hacker attack, this will not be considered a breach of contract by A.
 
On 21 November 2022, B’s account system was hacked. The hacker logged into B’s account and issued telecommunication instructions to send international verification code messages related to stocks via SMS. A demanded payment from B for the service fees corresponding to the messages sent. B argued that A had violated its contractual obligations by failing to take measures after the hack, and was only willing to pay a minimal portion of the service fees. The dispute led to a lawsuit between the two parties.
 
There were two key focus areas of the dispute:
  • Should B be liable for the service fees incurred when hacker(s) infiltrated the username and password under its control within the Enterprise Messaging Platform account and subsequently sent SMS messages through that account?
  • Did A fulfill its contractual obligations, and was it at fault?
 
Analysis
 
First, pursuant to the contract, B shall be responsible for establishing and maintaining its own hardware/software systems, as well as safeguarding its platform credentials. Any messages sent through B’s account shall be deemed its actions. Consequently, the hacker’s unauthorised access and misuse of B’s account do not constitute a breach by A. B remains liable for the resultant service fees.
 
Second, B alleged breach by A on the grounds that: The contract stipulates sending SMS and corresponding prices for the Hong Kong region, but lacks SMS service and pricing terms for other regions (except Mainland China). However, most of the service fees in this case were incurred from sending SMS to regions outside Hong Kong. A failed to implement technical restrictions limiting messages to Hong Kong and was at fault.
 
This constitutes the core dispute. A contended that no contractual restriction existed regarding message destinations; that B had inquired about non-Hong Kong service prices during negotiations; that B’s clientele in fact extended beyond Hong Kong; and that the contract explicitly allowed B to manage and modify the list of target recipients at any time. Thus, A had no obligation to technically restrict messaging destinations and committed neither breach nor fault. A’s claim was upheld by both the first-instance and second-instance courts.
 
Legal perspective
 
The first-instance court held that the service contract in question reflected the genuine intentions of both parties and did not violate laws and regulations. The exemption clause in the contract stipulates that A has made every effort to ensure the security and stability of its system during the design but does not guarantee absolute security or stability. When B transmits data over A’s network, interruptions, pauses, delays, or other issues may occur. The clause also acknowledges the possibility of hacking attacks and the occurrence of temporary system failures or unpredictable risks. B has agreed that such incidents will not be considered a breach by A and that A will therefore be exempt from liability.
 
Concerning hacking attacks, both parties explicitly included them as potential causes of failure and unpredictable risks when negotiating the contract. Each party bears significant responsibility for the security of its own network, and both were aware of and could anticipate the risks associated with cyberattacks. Because B’s system was hacked, A received abnormal instructions that resulted in excessive text message transmissions. Given that A’s service model relies on a third party, and A has paid for the services rendered, and considering the highly information-based nature of the cooperation between A and B, it was agreed at the time of contract signing that A would not be obligated to proactively identify abnormal instructions from B. Moreover, the abnormal text messages in this case occurred within a short period after the hacking attack. Therefore, A’s failure to detect the attack promptly does not constitute a breach of its duty of care.
 
In conclusion, the court held that B should fulfil its obligations to A for the consequences arising from the hacking attack.
 
Personal perspective
 
While ultimate liability rests with the hacker(s) who illegally infiltrated the computer information system (which is beyond the scope of this case), the court must render a legal assessment on the following issue based on privity of contract: when the contracting party (A) performs its obligations amid third-party cyberattacks, should the counterparty (B) be required to provide consideration?
 
Linjun Niu
E-mail: linjun.niu@kangdalawyers.com
 
Linjun Niu is a partner at Kangda Law Firm in Beijing, and an independent external lawyer member of the China Development Bank Loan Committee. He also serves on the Legal Professional Committee for the Digital Economy and Artificial Intelligence at the Beijing Lawyers Association.
 
Niu began practicing law in 2000 and has more than 20 years of experience in dispute resolution and legal advisory services. His practice areas include energy, finance, securities, and corporate law. Known for his diligence and professionalism, Niu excels in addressing complex and challenging legal issues with clarity and precision.
 