Q: In the Aug. 8 Legal Briefs column, you wrote that if a fraudster breaks into our GDS over a weekend and issues a bunch of noncredit-card tickets for travel on Sunday, we can be relieved of liability for debit memos if ARC finds that we were "exercising reasonable care" to protect our ticketing ability at the time of the hack. How do we establish "reasonable care"?
A: Let me begin by noting that this Saturday-night hacking problem is now fairly common. At least once a week, I am consulted for advice by agencies who were victimized.
The hackings have three things in common. First, the travel originates in West Africa, usually from a Francophone country like Ivory Coast. Second, outbound travel on the tickets is usually on a Sunday, so by the time you discover the problem the outbound legs of the tickets have been used. Third, in my experience, only Sabre agencies have been victimized.
ARC rarely issues a letter with a determination that the agency exercised "reasonable care," so if you want to be relieved of liability, you probably have to file a complaint with the Travel Agent Arbiter.
In the arbiter proceeding, you would have the burden of proof. You would have to present evidence that you had instructed your staff not to respond to emails or calls with requests for logins that appear to come from your GDS. You would also have to prove that you had taken more steps. Section B of the ARC agreement states:
"Reasonable care" includes effective electronic challenge and authentication, e.g., login credentials or security credentials, including, for example, usernames, PINs and passwords of any user accessing agent hardware, systems or any other systems or hardware which can be used to issue ARC traffic documents/data/numbers in an electronic format. At a minimum, agent must implement appropriate physical, electronic and managerial procedures and systems to prevent unauthorized access, disclosure, alteration or destruction of transactional data."
This somewhat obscure language appears to mean that you need a username and password login, which, of course, GDSs require. You may also need a PIN, but I don't think the GDSs require a PIN.
This also appears to mean that you must instruct your staff not to respond to phishing emails or calls. Beyond that, the ARC agreement does not really provide any guidance.
One GDS vendor's standard contract has some other useful steps, such as implementing firewalls; maintaining regularly updated antivirus and anti-malware tools; using the latest versions of application software and operating systems with all security updates applied as soon as possible; and using strong passwords, with no sharing of credentials among several individuals or using of the same password for multiple websites.
If no advisor admits to giving out their credentials, then you could also hire an IT consultant to review everyone's outgoing emails and texts to ensure that no one did. Your proof of all these steps would take the form of oral or written testimony in the arbiter case.