Mark Pestronk
Q: You have written several Legal Briefs columns on agencies that have received very large debit memos after someone hacked into the GDS over a weekend and issued tickets for immediate departure. The tickets are always issued as cash sales, so the agency ends up owing the cash. I understand that agencies can be exonerated from the debt if they can prove that they were exercising "reasonable care" at the time of the hack. However, ARC takes the position that if an advisor falls for a phishing email and gives out their login, then it follows that the agency was not exercising reasonable care. Has the agency community made any progress in getting ARC to soften its position? Also, is it still just Sabre agencies that have suffered the hacking?
A: In late November, ARC published an amendment to the ARC Agent Reporting Agreement on this subject. The amendment becomes effective on Jan. 30.
I wouldn't say that ARC has softened its position. Rather, ARC has done a service to the agency community by spelling out exactly what agencies need to do to protect themselves from GDS hacking and exactly what they need to have done in order to be found to have exercised "reasonable care."
So according to ARC, reasonable care includes, but is not limited to, the following measures, which I have paraphrased for brevity:
- Effective and unique login credentials for access to the GDS and any other agency systems that can be used to issue tickets.
- If permitted by the GDS, a password that has 14 characters -- a combination of uppercase letters, lowercase letters, numbers and symbols -- and that is different from all previous passwords.
- Use of multifactor authentication (i.e., codes in texts or emails) when made available by the GDS.
- Installation and record logs of all security patches and system updates made available by the agency's computer operating system and browser.
- Installation and maintenance of industry-standard antivirus software, firewall software and anti-malware on all computers and regular use thereof and record logs of such use.
- Use and maintenance of effective and current anti-spam and anti-phishing email-filtering systems and effective use of anti-phishing toolbars.
- Appropriate maintenance of security, encryption and password protection on agents' computers and any wireless internet systems used by the agency's computers.
- Attendance of a key agency representative and all personnel that issue tickets at ARC-approved fraud and security webinars in the previous 12 months.
- Installation of computer operating system updates with all the latest patches and with automatic updates enabled.
- Latest browser patches installed and automatic updates enabled.
I don't think many agencies take all 10 of these measures, but it looks like they should in the near future. If they can prove that they do, then they can be exonerated even if an agent falls for a phishing email.
Finally, as far as I know, only Sabre agencies have been hacked, probably because the hackers are familiar with that system.