Proof of ‘reasonable care’ protects agencies in phishing fraud
Mark Pestronk is a Washington-based lawyer specializing in travel law.
Q: Our agency received tens of thousands of dollars in debit memos because an employee or an
independent contractor gave out his or her
GDS login credentials in response to a
phishing email that appeared to be from
our GDS vendor. The email looked very
By the time we discovered the fraud
and voided the tickets, the travelers had
mostly already flown on Monday. Unlike
most frauds, there were no credit cards
involved, as the fraudster designated them
as cash sales. We reported the incident to
ARC and the local police. Are we liable for
these debit memos?
A: According to ARC’s policy, your agency failed to “exercise reasonable care” to prevent unauthorized
issuance of electronic tickets, which means
that ARC will not excuse your agency from
liability. ARC would now take the same position even if no one at your agency admitted to giving out login credentials, as ARC
presumes that someone must have done so.
Under the ARC Agent Reporting Agreement, ARC can relieve your agency of liability if ARC determines, after an investigation,
that your agency was exercising reasonable
care at the time of the theft. One of the ways
in which agencies must exercise reasonable
care is to safeguard GDS login credentials.
The Abidjan fraud has been going on for
almost two years now. At first, ARC could
not determine how the GDS break-ins occurred, so ARC eventually sent letters to
victimized agencies exonerating them from
liability on the grounds that they appeared
to have exercised reasonable care.
In those early cases, no one admitted giving out login credentials, and neither the
agencies nor ARC may have known how
the security breach occurred. However, in
the last few months, ARC appears to have
discovered cases where an agent gave out
In all of the recent instances that I know
of, if an agency admits that someone gave out
those credentials by mistake, ARC has found
that the agency has not exercised reasonable
care. Most recently, after an agency denied
that anyone fell for a phishing email, ARC
has been deciding that someone must have
done so, and ARC is quite possibly correct.
The very interesting legal issue here is
whether falling for a phishing email, in and
of itself, shows that the agency failed to
exercise reasonable care. ARC apparently
thinks so, which spells danger for agencies.
Agencies that receive a “no reasonable
care” letter from ARC can appeal the case
to the travel agent arbiter. No agency has
done so yet, but I predict that some will do
Phishing emails today appear so genuine
that it’s easy to see how a very busy or unsophisticated agent could be entrapped, no
matter what precautions the agency took to
safeguard login credentials, so the arbiter’s
decisions should be interesting.
In the meantime, it is urgent for every
owner and manager to instruct all employees and independent contractors never to
give out their GDS login via computer or
telephone, no matter who asks for it. Believe it or not, phishermen masquerade as
agency owners and managers, too.
To submit a question for Legal Briefs,
email Mark Pestronk at mark@pestronk