
Mark Pestronk
Q: Could a travel agency be responsible for data breaches suffered by a GDS vendor or travel supplier? Such liability sounds ridiculous to me, but we are in the process of negotiating a lengthy travel-management contract with a prospective corporate client that seems to want protection from such breaches. Is there anything that we can add to the contract that will allay the client's concerns but will not make us liable for supplier or GDS data breaches?
A: The general rule is that, as an agent for travel suppliers, you are not liable for the suppliers' acts or omissions. There are two exceptions: first, you would be liable if you voluntarily undertook such responsibility in provisions of a contract such as the travel-management agreement that you're currently negotiating. Second, a court might hold that you should have known that a particular supplier or GDS vendor was prone to data breaches and that you were negligent in failing to warn about them when recommending a supplier or booking one chosen by the corporate account.
In a travel-management agreement drafted by an attorney for a corporate client, you could conceivably see clauses that make you responsible for data breaches suffered by subcontractors or third parties chosen by you. Such clauses may appear in a so-called data processing addendum (DPA) or in the main body of the contract itself.
Because a travel supplier could be deemed to be your subcontractor or a third party chosen by you, such a clause could conceivably make you liable for data breaches. Your job is to avoid such liability by clarifying in the contract that travel suppliers and GDS vendors are not your subcontractors or third parties chosen by you and that you are not responsible for their acts or omissions.
If the account will not accept these blanket disclaimers, you could suggest compromise language. For example, you could undertake to report to the client about any data breaches you learn about and to endeavor to work with the supplier or GDS vendor to minimize lasting damage to the corporation's employees' personal information.
As to the second ground for liability -- negligent failure to warn about the possibility of data breaches -- there are fortunately no relevant court precedents, and I doubt that there ever will be.
Unlike destination crime data or airline safety records, there is no central source of travel data-breach records that a travel agency can search, so it's hard to see how an attorney could even articulate exactly what a travel agency should do or should have done.
Travel Weekly articles mention six airlines suffering data breaches in the last six months: Iberia, Qantas, Hawaiian, WestJet, Air France KLM and Aeroflot. IHG and Marriott have recently settled cases about leaked customer data. Hertz suffered a major data breach in April.
A supplier that suffered this kind of adverse publicity is probably now less likely than most to suffer another data breach. So trying to impose a duty on travel agencies to warn about particular supplier data breaches is pointless.