Q: One of our longtime travel advisors recently went rogue. He accessed the GDS profiles of several leisure and corporate clients; copied their unencrypted credit card numbers, expiration dates and security codes; and then made a bunch of online purchases including airline tickets for himself and friends. He also fraudulently obtained his own United Perks Plus corporate frequent traveler program number, and he entered the number into a bunch of clients' pending reservations so that he could get frequent-flyer credit. Are his frauds considered a cyberbreach under the state laws that require us to notify clients and offer them something like free credit monitoring? If not, do we even have to inform the affected clients and thereby risk losing them? Can we just discreetly offer to reimburse them, or must we do more, such as notifying our state attorney general?
A: Every state has a cyberbreach law, but the laws vary somewhat from state to state. So to find the correct answers, you must look up the laws in your state as well as in any other states where your affected clients live.
Let's take the example of a Florida agency that has clients in California that were affected by the former advisor's frauds.
As you will see, you have to examine each state's law closely in order to find the right answers.
Both the Florida and California statutes protect personal information of "individuals." This rules out information belonging to corporations, such as the Perks Plus and Business Extra numbers. It would also rule out the corporate credit card numbers as long as no company employee's name is on the card.
By "rule out," I mean that you don't have to follow the strict notification requirements of the state laws; I don't mean that you should not notify the clients at all. You can certainly notify them if you wish and offer to reimburse them or take any other action as a gesture of goodwill.
For fraudulent charges on individuals' credit cards, the laws probably require notification, but there are additional issues to consider. If, as is usual in the agency business, the information resided only in the GDS, is notification the responsibility of the GDS vendor or of your agency?
Under the Florida statute, notification is the duty of any entity that "stores or uses personal information." This clearly includes your agency. So, you must notify the cardholders "as expeditiously as practicable" and not later than 30 days after discovering the fraud.
California's law is more complicated: The duty of notification applies to the entity that "owns or licenses the data," and under the standard GDS contracts, the GDS vendor is the sole owner of data in the system.
If you merely "maintain" the data, you must notify the data owner, which then has the responsibility to notify the affected individuals.
You have to notify the state government only if the breach affects at least 1,000 people in Florida or 500 in California.
As you can see, the data breach laws are complicated, and it is best to consult a knowledgeable attorney. For a good summary of each state's law, click here.