The top European city for landmark-focused tourism is:
This page is protected by Copyright laws. Do Not Copy.

MARK PESTRONK: LEGAL BRIEFS

Take 'reasonable care' to avoid liability for fraudulent tickets

By: Mark PestronkNovember 16, 2009

Mark PestronkQ: Somehow, someone outside my agency accessed our GDS and caused e-tickets to be issued on two Sundays when nobody at the agency was working. The tickets were cash (i.e., non-credit-card) sales for travel on an African airline between points in Europe and points in West Africa on the day after they were issued. In the first case, we did not become aware of the fraud until after our ARC report was filed, and ARC drafted the cash from our account. In the second case, we were on the lookout, so we discovered the fraud in time for us to void the sales on the following day. Now the airline has sent us debit memos for the voided tickets. Is our agency liable for these tickets?

A: Your agency has been the victim of a kind of identity theft that has befallen a few of my clients. The identity that has been stolen is your GDS login, your ARC number and your ARC-assigned ticketing sequence.

In the cases that I am familiar with, the agency did nothing wrong: No one gave out any of the aforementioned information, and no one has any idea how the thieves could have broken into the GDS. When the agencies contacted their GDS vendors, they were told that the break-in could not have been due to any GDS vulnerability, either.

So, who is liable? In the paper-ticket era, your agency would have been liable for tickets written on stolen ticket stock, unless you could show that you exercised reasonable care in safeguarding the stock at the time of the theft. With e-tickets, the ARC Agent Reporting Agreement has an analogous but little-known rule:

"The agent shall exercise reasonable care in the issuance or disclosure of ARC traffic documents/data/numbers in an electronic format, to prevent the unauthorized issuance or use of such traffic documents/data/numbers.

"'Reasonable care' includes effective, electronic challenge and authentication, e.g., security devices, including, for example, user names, PIN and password, of any user accessing agent hardware, systems or any other systems or hardware which can be used to issue traffic documents/data/numbers in an electronic format.

"At a minimum, the agent shall implement appropriate physical, electronic and managerial procedures and systems to prevent unauthorized access, disclosure, alteration or destruction of transactional data."

In other words, access to the GDS and back office must be password-protected, and you must instruct everyone with a password not to give it out or let other parties use the GDS. I have no doubt that your agency takes these steps, so you were exercising reasonable care at the time of the theft.

Since the issuance of the tickets was not your fault, you do not have to pay for them. Therefore, you should dispute the debit memos, promptly and professionally, in a business letter, explaining that you were in compliance with the ARC requirement quoted above and that the fraud was obviously the work of thieves in Europe or West Africa. That should make the carrier leave you alone.

As ARC has recommended, every agency should inspect its weekend ticketing records every Monday morning. Look for signs of weekend fraud, promptly void the fraudulent tickets and report the matter to ARC immediately.

Mark Pestronk is a Washington-based lawyer specializing in travel law. To submit a question for Legal Briefs, email him at mark@pestronk.com.

Leave a Comment

Leave a Comment

Comment Guidelines
Your
Comment: 		characters remaining