Q: I have a few questions about liability for data breaches. I know that ARC's position is that we are liable to pay for tickets issued by our GDS under our ARC number after a thief uses an agent's login. Are we also liable if a hacker steals our clients' credit card numbers and runs up huge credit cards bills? I know that the card company will reverse the charges and absorb the loss, but what if the fraud results in the cardholder being turned down for a home mortgage for his dream house or he suffers another unreimbursable loss? Finally, what steps can we take to prevent being victimized by a cyber thief?
A: Contrary to popular belief, there is no federal or state statute, regulation or court precedent that holds that a travel business is automatically liable for data breaches. As one court put it, "The fact that a company has suffered a data breach does not demonstrate that the company did not place significant emphasis on maintaining a high level of security."
Even ARC agrees that you are not necessarily always liable when a cyber thief obtains an agent's GDS login and issues tickets. ARC will blame you only if you failed to "exercise reasonable care" to prevent unauthorized issuance of electronic tickets.
Under the ARC Agent Reporting Agreement, ARC can relieve your agency of liability if ARC determines that your agency was exercising "reasonable care" at the time of the theft. One of the ways in which agencies must exercise reasonable care is to safeguard GDS login credentials.
If a cyber thief steals your client's credit card information and other personal data and your client suffers an unreimbursed loss, the courts have generally applied the same reasonable-care standard. The cardholder cannot successfully sue your agency unless he proves that your lack of reasonable care (i.e., negligence) caused the loss.
To prove negligence, the cardholder (or a group suing you in a class action) would have to prove that you had a recognized duty, which you failed to observe, and that your failure directly caused the unreimbursed loss. As far as I know, very few consumers have ever succeeded in such a claim.
Nevertheless, just because it is difficult to successfully sue a credit card merchant for a data breach, it does not necessarily follow that you should not bother to guard against breaches. Many states require you to disclose the breach to your clients, and your reputation could be ruined if clients cannot trust you with their credit cards.
The three simplest methods to guard against data breaches are to safeguard logins, use complicated passwords and encrypt credit card numbers. Train all employees never to disclose their computer or GDS logins in response to any email, a pop-up window or a phone call purporting to be from the GDS vendor. Outlaw passwords that are easily guessed by trained thieves and password-cracking programs, such as pet names and favorite vacation spots.
Do not keep paper copies of credit card numbers, and do not enter them into your computer unless they are entered into software or a website that makes most of the number unreadable.
Beyond these simple steps, the Federal Trade Commission has published an understandable and practical guide.