National Academies Press: OpenBook
« Previous: VIII. Remedies at Common Law for Invasion of Privacy
Page 43
Suggested Citation:"IX. Whether Transportation Agencies Are Potentially Liable for a Disclosure of Data." National Academies of Sciences, Engineering, and Medicine. 2016. Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public. Washington, DC: The National Academies Press. doi: 10.17226/23586.
×
Page 43
Page 44
Suggested Citation:"IX. Whether Transportation Agencies Are Potentially Liable for a Disclosure of Data." National Academies of Sciences, Engineering, and Medicine. 2016. Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public. Washington, DC: The National Academies Press. doi: 10.17226/23586.
×
Page 44
Page 45
Suggested Citation:"IX. Whether Transportation Agencies Are Potentially Liable for a Disclosure of Data." National Academies of Sciences, Engineering, and Medicine. 2016. Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public. Washington, DC: The National Academies Press. doi: 10.17226/23586.
×
Page 45
Page 46
Suggested Citation:"IX. Whether Transportation Agencies Are Potentially Liable for a Disclosure of Data." National Academies of Sciences, Engineering, and Medicine. 2016. Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public. Washington, DC: The National Academies Press. doi: 10.17226/23586.
×
Page 46
Page 47
Suggested Citation:"IX. Whether Transportation Agencies Are Potentially Liable for a Disclosure of Data." National Academies of Sciences, Engineering, and Medicine. 2016. Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public. Washington, DC: The National Academies Press. doi: 10.17226/23586.
×
Page 47
Page 48
Suggested Citation:"IX. Whether Transportation Agencies Are Potentially Liable for a Disclosure of Data." National Academies of Sciences, Engineering, and Medicine. 2016. Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public. Washington, DC: The National Academies Press. doi: 10.17226/23586.
×
Page 48

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

43 state legislature has waived immunity, as well as on the courts’ interpretation of the applicable legisla- tion.592 It is important to note that in states where a tort claims act permits a plaintiff to sue a public entity in tort, the legislation may have specific exceptions, exemptions, or exclusions to liability. In its response to the survey, the Florida DOT cited its state’s statute on sovereign immunity in which the State of Florida for itself and its agencies and subdi- visions “waives sovereign immunity for liability for torts, but only to the extent specified in this act.”593 The Illinois Local Governmental and Governmental Employees Immunity Act has “an extensive list of immunities based on specific governmental func- tions.”594 As observed by the North Carolina court in Turner v. N.C. DOT,595 the DOT may be sued for neg- ligence only as provided in the tort claims act. Because tort claims acts and similar legislation affecting governmental immunity are in derogation of the common law, the courts typically strictly con- strue the legislation.596 A defense for discretionary decisions made by pub- lic entities is one recognized under some states’ com- mon law and/or is a defense that has been codified in state tort claims legislation. In the Toomer case, the plaintiff’s complaint did not allege a waiver by North Carolina of its sovereign immunity that “shields the defendant’s conduct would have to have been inten- tional as mere negligence ordinarily will not suf- fice.586 Third, the law in some states demands that a violation of privacy must have been the result of “willful or outrageous” conduct, something that the writer argues is unlikely with regard to “routine” ITS operations.587 Finally, the commentator posits that some state or local government agencies are protected by sovereign immunity from common law privacy claims.588 In sum, the common law has not recognized a cause of action for a violation of privacy resulting from a disclosure of data collected on individuals when they are “on the public streets.”589 An inten- tional disclosure of secure data may state a claim in those states recognizing the common law tort of intrusion into seclusion. There is authority, however, that the disclosure of personal information, such as Social Security numbers and similar PII considered to be secure data, does not state a claim because the data are not embarrassing or highly offensive. IX. WHETHER TRANSPORTATION AGENCIES ARE POTENTIALLY LIABLE FOR A DISCLOSURE OF DATA A. Whether a Claim for a Release of Data Is Barred by Sovereign Immunity or a State Tort Claims Act Many states’ tort claims or governmental immu- nity acts retain sovereign immunity except for cer- tain designated claims or government functions. The survey asked transportation agencies whether they have immunity under state law from claims for a negligent or intentional disclosure of data. Seven transportation agencies reported that they have immunity from such claims,590 whereas eight agen- cies stated that they would not have immunity.591 The liability of a public entity in tort varies from state to state depending on the extent to which the 586 Id. 587 Id. at 180. 588 Id. 589 Garry, Douma, and Simon, supra note 2, at 104 (cit- ing Kendra Roseberg, Location Surveillance by GPS: Bal- ancing an Employer’s Business Interest with Employee Privacy, 6 Wash J.L. Tech. & aRTs 143, 150–154 (2010)). 590 Alabama DOT (citing aLaBaMa cONsT. (1901), Art. I, § 14); Arkansas DOT, Florida DOT, Indiana DOT (citing iNd. cOde § 34-13-3), MoDOT, Oregon DOT, and Rhode Island DOT. The Montana DOT’s response was “none known.” The Maine DOT and Ohio DOT did not respond to the question. 591 Arizona DOT, District of Columbia DOT, City of Minneapolis–Public Works Dept., North Dakota DOT, Oklahoma DOT, South Carolina DOT, and Utah DOT. The Maine DOT and Ohio DOT did not respond to the question. 592 See LaRRy W. ThOMas, Tort Liability of Highway Agencies, in seLecTed sTUdies iN TRaNspORTaTiON LaW, Vol. 4 (Transportation Research Board of the National Acade- mies of Science, Engineering, and Medicine, Washington D.C., 2003). 593 fLa. sTaT. § 768.28(1) (2015) (emphasis added). Although the applicable Florida Statute must be consulted in its entirety, fLa. sTaT. § 768.28(1) further provides that [a]ctions at law against the state or any of its agen- cies or subdivisions to recover damages in tort for money damages against the state or its agencies or subdivisions for injury or loss of property, personal injury, or death caused by the negligent or wrongful act or omission of any employee of the agency or subdivi- sion while acting within the scope of the employee’s office or employment under circumstances in which the state or such agency or subdivision, if a private person, would be liable to the claimant. 594 Sexton v. City of Chicago, 976 N.E.2d 526, 540 (Ill. App. 2012) (some internal quotation marks omitted). 595 733 S.E.2d 871, 874 (N.C. Ct. App. 2012) (holding that the DOT owed no duty to the decedents for failing to install warning signs on a road as there was no violation of the Manual on Uniform Traffic Control Devices and the DOT had no knowledge of an unsafe road condition). 596 Nawrocki v. Macomb County Road Commission, 463 Mich. 143, 151, 615 N.W.2d 702, 707 (Mich. 2000) (Supreme Court of Michigan holding that “prior decisions of this Court…improperly broadened the scope of the highway exception” to governmental immunity and holding that the court was “duty bound to overrule past decisions that depart from a narrow construction and application of the highway exception….”).

44 Whether a governmental decision is discretionary and entitled to immunity is a question of law decided by the court.602 In Axtell v University of Texas,603 a Texas appel- late court held that the disclosure by a state agency of confidential information was not actionable because the state had retained its immunity under the state tort claims act. In Axtell, a student sued a state university and its employees for sending the student’s educational records by a telefax machine to a local radio station without the student’s con- sent.604 The trial court dismissed the action because of the university’s immunity as a state institution. The plaintiff argued on appeal that the university lacked immunity because the Texas Tort Claims Act “provides a limited waiver of sovereign immunity when [a] personal injury is ‘caused by a condition or use of tangible personal or real property if the gov- ernmental unit would, were it a private person, be liable to the claimant according to Texas law.’”605 Axtell argued that the tangible personal property, i.e., the telefax machine, used to disclose his confi- dential information was the cause of his injuries.606 The court held, however, that the university employees’ negligence was not their use of a telefax machine, but their release of the plaintiff ’s informa- tion by whatever means.607 Thus, the Texas Tort Claims Act’s limited waiver of immunity that applies to the use of tangible personal or real property did not apply to the disclosure of the plaintiff ’s informa- tion.608 Because immunity for the release of personal information had not been waived, the court affirmed the trial court’s dismissal of the plaintiff ’s action.609 In Tivnan v. Registrar of Motor Vehicles,610 the plaintiff sued employees of the Registry of Motor Vehicles for issuing a duplicate driver’s license in his name to another individual in violation of the Anno- tated Laws of Massachusetts Law Chapter 66A.611 The imposter ruined the plaintiff ’s credit and amassed over $150,000 in debt in the name of the plaintiff.612 The court held that the privacy issue was governed by the Massachusetts Tort Claims Act State, its agencies, and officials sued in their official capacities….”597 Moreover, the court stated that [t]he essence of the doctrine of public official immunity is that public officials engaged in the performance of their governmental duties involving the exercise of judgment and discretion, and acting within the scope of their authority, may not be held liable for such actions, in the absence of malice or corruption.598 Most states have a tort claims act or similar leg- islation with a provision that immunizes a state agency for its exercise or performance of discretion- ary functions; the exemption usually is identical or similar to the one in the Federal Tort Claims Act (FTCA). The FTCA grants jurisdiction to federal dis- trict courts of civil actions on claims against the United States, for money damages…for injury or loss of property, or personal injury or death caused by the negligent or wrongful act or omission of any employee of the Government while acting within the scope of his office or employment, under circumstances where the United States, if a private person, would be liable to the claimant in accordance with the law of the place where the act or omission occurred.599 However, the FTCA does not allow a civil action against the United States for: Any claim based upon an act or omission of an employee of the Government, exercising due care, in the execution of a statute or regulation, whether or not such statute or regula- tion be valid, or based upon the exercise or performance or the failure to exercise or perform a discretionary function or duty on the part of a federal agency or an employee of the Govern- ment, whether or not the discretion involved be abused.600 The courts generally have held that a government decision or function is discretionary in nature when the decisionmaking at issue occurred at the plan- ning-level and/or the decisionmaking involved the consideration or evaluation of broad policy factors.601 597 Toomer, 155 N.C. App. at 480, 574 S.E.2d at 91. 598 Id. at 481, 574 S.E.2d at 91 (emphasis added). 599 28 U.S.C. § 1346(b)(1) (2015) (emphasis added). 600 28 U.S.C. § 2860(a) (2015) (emphasis added). See, e.g., caL. gOv’T cOde § 820.2 (2015) (concerning discretion- ary acts); iNd. cOde § 34-14-3-3(7) (2015); iOWa cOde § 669.14(1) (2015); kaN. sTaT. aNN. § 75-6104(e) (2015); NeB. Rev. sTaT § 81-8,219(1) and ch. 41 (2015); OhiO Rev. cOde § 2743.02 (2015); Ok. sTaT. § 155(5) (2015); Texas civ. pRac. & ReM. cOde § 101.056 (2015); UTah cOde § 63G-7- 301(5)(a) (2015); va. cOde § 33.1-70.1 (2015); and Wis. sTaT. §§ 893.80 and 893.82 (2015). 601 Miotke v. Spokane, 101 Wash. 2d 307, 334, 678 P.2d 803, 819 (1984) (stating that in Evangelical United Brethren Church v. State, 67 Wash. 2d 246, 407 P.2d 440 (1965), the court created a narrow exception to governmental immu- nity from tort liability in instances in which public offi- cials engage in discretionary acts based on a four-part inquiry). See Weiss v. Fote, 7 N.Y.2d 579, 167 N.E.2d 63, 200 N.Y.S.2d 409 (1960). 602 Truman v. Griese, 2009 S.D. 8, 33, 762 N.W.2d 75, 85 (2009). 603 69 S.W.3d 261 (Tex. App. 2002). 604 Id. at 263. 605 Id. at 264 (quoting Tex. civ. pRac. & ReM. cOde aNN. § 101.021(2) (1997)). 606 Id. 607 Id. at 266. 608 Id. 609 Id. at 267. 610 50 Mass. App. Ct. 96, 734 N.E.2d 1182 (2000). 611 Id. at 96–97, 734 N.E.2d at 1183. 612 Id. at 97, 734 N.E.2d at 1183.

45 B. Claims Against Transportation Agencies Arising Out of the Disclosure of Secure Data or Monitoring Data 1. Disclosure of Secure Data Nine transportation agencies reported that there are laws in their state that provide an individual with a cause of action against the agency for the dis- closure of secure data.620 (Seven agencies stated that there are no such laws in their state.)621 The statutes the agencies cited range from allowing a plaintiff to recover actual damages to a more limited recovery of damages. Some of the cited statutes impose crimi- nal liability for a violation rather than allow for a recovery of damages. The Oregon DOT identified Oregon Revised Statutes (ORS) Section 802.191(1), which permits a recovery of actual damages: A person aggrieved by an intentional violation of ORS 802.175 (Definitions for ORS 802.175 to 802.191) to 802.187 (Relationship to other privacy statutes) may bring an action at law against a person who has knowingly obtained or used personal information about the aggrieved person in violation of ORS 802.175 (Definitions for ORS 802.175 to 802.191) to 802.187 (Relationship to other privacy statutes). The action shall be for actual damages or $2,500, whichever is greater, plus attorney fees and court costs reasonably incurred in the action.622 The City of Minneapolis-Public Works Department cited the Minnesota Government Data Practices Act (MGDPA) as governing authority. Section 13.05, subdivision 3 of the MGDPA states that in respect to the duties of a responsible authority the [c]ollection and storage of all data on individuals and the use and dissemination of private and confidential data on individuals shall be limited to that necessary for the admin- istration and management of programs specifically autho- rized by the legislature or local governing body or mandated by the federal government.623 The MGDPA includes limitations on the collec- tion and use of data: “Private or confidential data on an individual shall not be collected, stored, used, or (MTCA).613 The MTCA superseded the Annotated Laws of Massachusetts Chapter 214, Section 3B, which provided that “parties injured by the viola- tion of G. L. c. 66A [may] claim damages for injury against public employers….”614 The case was dis- missed because under the MTCA, “the issuance of a license [is] specifically immunized” under Sec- tion 10(e).615 On the other hand, in Torres v. Attorney General,616 the plaintiff alleged that the Department of Social Services violated the General Laws of Massachusetts Chapter 66A when the department released infor- mation to the Assistant Attorney General contain- ing the plaintiff ’s geographic location.617 The Supreme Judicial Court of Massachusetts held that the release was a violation of Massachusetts law. First, the plaintiff did not consent to the access to his personal data, and, second, there was “no legislative intent to grant the office of the Attorney General access to personal data held by one State agency simply because a data subject has brought a suit against one or more other State agencies.”618 The case was remanded to the Supe- rior Court for an assessment of damages, attor- ney’s fees, and costs.619 In sum, unless a state law provides for a cause of action against state agencies for a disclosure of secure data or monitoring data, a transportation agency may have immunity on one of several bases: The agency’s sovereign immunity may not have been waived; a state tort claims or the equivalent may waive immunity only for specific transporta- tion or highway functions; a tort claims act may exclude or exempt certain transportation or high- way functions from liability; or the transportation agency may have immunity for the performance of its functions that involve the exercise of discretion. However, some states’ privacy law provides a pri- vate right of action for a violation of the statute that is an exception to a transportation agency’s sovereign immunity or that is an exception to immunity that otherwise exists under the state’s tort claims act or equivalent. 613 Mass. aNN. LaWs ch. 258. 614 Tivnan, 50 Mass. App. Ct. at 97, 734 N.E.2d at 1183 (citing Mass. aNN. LaWs, ch. 214, § 3B and Mass. geN. LaWs, ch. 66A)). 615 Id. at 102, 734 N.E.2d at 1186 (citing Mass. aNN. LaWs, ch. 258, § 10(e)). The plaintiff also failed to make a proper presentment as required under § 4 of the MTCA. Id. at 103, 734 N.E.2d at 1187 (citing Mass. aNN. LaWs, ch. 258, § 4). 616 391 Mass. 1, 460 N.E.2d 1032 (1984). 617 Id. at 2–3, 460 N.E.2d at 1033. 618 Id. at 11–12, 460 N.E.2d at 1038–1039. 619 Id. at 16, 460 N.E.2d at 1041. 620 Alabama DOT (reporting that tort claims could be brought against individual officials), Arkansas DOT, Arizona DOT, District of Columbia DOT (reporting that the District of Columbia Municipal Regulations (DCMR) in 1 DCMR § 1500 provide “in part that individuals that misuse or destroy public records are subject to penalty”), Florida DOT, North Dakota DOT, Oregon DOT, South Carolina DOT, and Utah DOT (providing a copy of its requirements for the handling of Bluetooth data). 621 Indiana DOT, City of Minneapolis–Public Works Dept., MoDOT, Montana DOT, Oklahoma DOT, Rhode Island DOT, South Carolina DOT, and Utah DOT. 622 OR. Rev. sTaT. § 802.191(1) (2015) (emphasis added). 623 MiNN. sTaT. § 13.025, subdiv. 3 (2015).

46 and in good faith believed” that it was complying with the statute.629 Other statutory provisions cited by the transporta- tion agencies authorize the recovery of attorney’s fees under the state’s FOIA or provided that a violation of the FOIA constituted a misdemeanor. For example, the Arkansas FOIA permits an “action to enforce the rights granted by this chapter” and further allows for the recovery of “reasonable attorney fees and other litigation expenses reasonably incurred by a plaintiff who has substantially prevailed unless the court finds that the position of the defendant was substan- tially justified or that other circumstances make an award of these expenses unjust….”630 In its response, the department referred to another provision in the state’s FOIA that states that “[a]ny person who negli- gently violates any of the provisions of this chapter shall be guilty of a Class C misdemeanor.”631 The Arizona DOT referred to a provision of its laws on motor vehicle records providing that “[a] person who violates this section is guilty of a class 1 misdemeanor.”632 The South Carolina DOT cited Title 39 of the South Carolina Code. Section 39-1-90(A) requires that a person conducting business in the state and owning or licensing a data system that includes PII must disclose a data breach to state residents.633 The notification statute appears to apply only to persons and organizations conducting business in the state.634 No transportation agency responding to the sur- vey reported having had a claim in the past 5 years for an unintentional disclosure of secure data.635 Nevertheless, some cases were located for the digest involving claims against state agencies for disclos- ing secure data such as PII. As seen in Kiminski, the court dismissed a § 1983 action against a state agency’s officials and employ- ees because of a former employee’s accessing of the plaintiffs’ motor vehicle data, because there was no constitutional right to privacy in the information disseminated by government entities for any pur- poses other than those stated to the individual at the time of collection in accordance with section 13.04, except as provided in this subdivision.”624 Section 13.04, subdivision 1 of the MGDPA pro- vides that “[t]he rights of individuals on whom the data is stored or to be stored shall be as set forth in this section.”625 Damages are recoverable for a violation of the MGDPA as provided in Section 13.08, subdivision 1: Notwithstanding section 466.03, a responsible authority or government entity which violates any provision of this chapter is liable to a person or representative of a decedent who suffers any damage as a result of the violation, and the person damaged or a representative in the case of private data on decedents or confidential data on decedents may bring an action against the responsible authority or gov- ernment entity to cover any damages sustained, plus costs and reasonable attorney fees. In the case of a willful viola- tion, the government entity shall, in addition, be liable to exemplary damages of not less than $1,000, nor more than $15,000 for each violation. The state is deemed to have waived any immunity to a cause of action brought under this chapter.626 Unless a state privacy law provides otherwise, it appears that a transportation department would be held liable in some states only for an intentional disclosure, but not for an unintentional disclosure, of secure data. One source states that “tort liability for invasion of privacy requires intentional conduct on the part of the defendant. A few states expressly disapprove [of] negligence as a basis for privacy tort liability.”627 As noted, the federal Privacy Act applies only to intentional or willful disclosures. On the other hand, in some states a public author- ity may be held liable for the unintentional disclo- sure of secure data. Under Minnesota’s MGDPA, actual damages are recoverable for a disclosure of private or confidential data, and exemplary dam- ages as provided in the statute when there is a will- ful breach of the MGDPA.628 Moreover, in the event of an unintentional release of secure data there may be a good faith defense that also may be codified in some state statutes. For example, Iowa Code Section 22.10(3) does not per- mit an award of damages against an agency when the agency shows that it made reasonable efforts to prevent disclosure or “had good reason to believe 624 MiNN. sTaT. § 13.025, subdiv. 4 (2015). 625 MiNN. sTaT. § 13.04, subdiv. 1 (2015) (emphasis added) 626 MiNN. sTaT. § 13.08, subdiv. 1 (2015) (emphasis added). 627 Dorothy Glancy, supra note 584, at 179–80 (empha- sis added). 628 MiNN. sTaT. § 13.08, subdiv. 1 (2015). 629 iOWa cOde § 22.10(3)(b)(2) (2015). 630 aRkaNsas cOde aNN. § 25-19-107(d) (2015). 631 aRkaNsas cOde aNN. §§ 25-19-104 (2015). 632 aRiz. Rev. sTaT. § 28-457 (2015). 633 S.C. cOde § 39-1-90(A) (2015). 634 See S.C. cOde § 39-1-90(D)(2) (2015) that refers to § 37-20-110(10) (defining a person to mean a natural per- son, an individual, or an organization as defined in § 37-1- 301(20)). 635 Alabama DOT, Arkansas DOT, Arizona DOT, Indiana DOT, City of Minneapolis–Public Works Dept., MoDOT, North Dakota DOT, Oklahoma DOT, Oregon DOT, Rhode Island DOT, South Carolina DOT, and Utah DOT. The Maine DOT, Montana DOT, and Ohio DOT did not respond to the question.

47 equivalent to California’s Government Claims Act, the plaintiffs could not avoid the requirement to file their claim for damages under the Government Claims Act. The court held that IPA Sections 1798.5 and 1798.48 “constitute[] a statutory expression of governmental liability for damages, which, under Government Code section 815, controls over the immunity provided in Government Code section 860.2.”646 Although the court held that the plaintiffs had an otherwise viable claim under the IPA, the plaintiffs failed to comply with the Government Claims Act,647 “a prerequisite to a damages action against the State.”648 A New York decision involved Section 202(4)(a) of the New York Vehicle and Traffic Law pursuant to which the commissioner has the “discretion to con- tract with the highest responsible bidder or bidders to furnish” certain registration information for the period specified in the statute.649 Subsection (4)(b) required the commissioner to “notify each vehicle registrant that the registration information specified in paragraph (a) of this subdivision has been or will be furnished to the contracting party.”650 In Lamont v. Commissioner,651 decided prior to the Congress’s enactment of the DPPA, a federal court in New York held that the state’s sale of vehicle registration lists to a contractor who used the information to compile directories was not an invasion of privacy because the information was not “vital or intimate.”652 Accord- ing to the court, as of the date of the Lamont case, 18 other states had similar statutes.653 In sum, it appears that in some states a claim is possible under state law against a transportation agency for a disclosure of secure data such as PII. Moreover, unless a state privacy statute applies both to intentional and unintentional disclosures of secure data, a plaintiff may have to show that an agency’s violation was intentional. Unless a pri- vacy statute authorizes the recovery of specified or liquidated damages or provides for a civil penalty for a violation, a plaintiff would have to prove actual damages. 2. Disclosure of Monitoring Data Six agencies reported that there are laws in their state that provide an individual with a cause of action for the intentional disclosure of monitoring even though the data were protected by the DPPA.636 As discussed previously, in that court the plaintiff ’s only remedy was a statutory claim under the DPPA. In Collier, the disclosure of the plaintiff ’s per- sonal information protected by the DPPA did not state a cause of action for a constitutional violation of privacy under § 1983, but did state a cause of action under § 1983 for a clear violation of the statu- tory duty imposed by the federal DPPA.637 In Toomer, under the circumstances of that case the arbitrary disclosure by the DOT Secretary of a former employee’s personnel file that contained PII was held to state a § 1983 claim. The reason was that the secretary’s intentional, malicious action was a violation of the Fourth Amendment, an action that also stated a claim under North Carolina’s com- mon law right to privacy against government intru- sion into seclusion.638 In Behar, the court upheld a PennDOT regulation that allegedly violated the plaintiff ’s right to privacy because of the necessity of balancing the individu- al’s privacy interest in medical matters against Pennsylvania’s interest in public safety on its roadways.639 Other cases located for the digest include Bates v. Franchise Tax Bd.,640 in which the plaintiffs sued two state agencies and individuals who worked in those agencies under California’s IPA.641 The IPA imposes “limitations on the right of governmental agencies to disclose personal information about an individual.”642 Although public entities in California are immune from suit in the absence of a constitu- tional or statutory provision that “declares them to be liable,”643 Section 1798.45 of the IPA provides for a private right of action against a state agency that violates the IPA.644 In the event of a violation of Sec- tions 1798.48(b) or (c), an agency may be held liable to a plaintiff for actual damages, including damages for mental suffering and attorney’s fees.645 However, in Bates the court held that because the IPA does not have a claims procedure functionally 636 Kiminski, 2013 U.S. Dist. LEXIS 157829, at *25 (cita- tion omitted). 637 Collier, 477 F.3d at 1308–1309. 638 Toomer, 155 N.C. App. at 470, 481, 574 S.E.2d at 84, 91. 639 Behar, 791 F. Supp. 2d at 398, 390–400. 640 124 Cal. App. 4th 367, 21 Cal. Rptr. 3d 285 (2004). 641 Id. at 373, 21 Cal. Rptr. 3d at 288. 642 Id. at 376, 21 Cal. Rptr. 3d at 290 (emphasis added). 643 Id. at 381, 21 Cal. Rptr. 3d at 294 (citing caL. gOv’T cOde § 815(a) (internal quotation marks omitted)). 644 Id. at 381–382, 21 Cal. Rptr. 3d at 294–295 (quoting caL. civ. cOde § 1798.45). 645 Id. at 382, 21 Cal. Rptr. 3d at 295 (quoting caL. civ. cOde § 1798.48). 646 Id. 647 caL. gOv’T cOde § 905.2. 648 Bates, 124 Cal. App. 4th at 382, 21 Cal. Rptr. 3d at 295. 649 N.Y. veh. & TRaf. LaW § 202(4)(a)). 650 N.Y. veh. & TRaf. LaW § 202(4)(b)). 651 269 F. Supp. 880 (S.D.N.Y. 1967). 652 Id. at 883. 653 Id. (citations omitted).

48 companies because they do not face the same liabili- ties and limitations placed [on] government agen- cies.”658 For example, the California Public Contract Code prohibits release of proprietary information by a party contracting with a state agency.659 Although there are fewer restraints on and/or judicial scrutiny of data collected or maintained by private contractors,660 the Intelligent Transportation Society of America has issued nonbinding guidelines for its members in “an effort to self-regulate on the issue of data security and privacy protection.”661 D. Causes of Action Alleged Against Private Companies for Privacy Violations A review of some complaints against private com- panies for a data breach illustrates the causes of action that plaintiffs are alleging. For example, in Antman v. Uber Technologies, Inc.,662 filed March 12, 2015, in the Northern District of California (San Francisco Division), the plaintiff brought a class action alleging that the defendant failed to “secure and safeguard” Uber’s drivers’ PII that was stolen in 2014. The complaint included one count for a violation of California’s IPA Sections 1798.81.5 and 1798.82663 and another count for a violation of California’s Unfair Competition Law.664 In Webb v. Premera Blue Cross,665 filed April 6, 2015, in the Western District of Washington, also a class action, the plaintiffs alleged that PII, financial information, and medical records “were compro- mised” because of a data breach that occurred at Premera Blue Cross in approximately May 2014.666 The plaintiff alleged that the data breach involved the theft of names, addresses, birth dates, Social Security numbers, credit card information, and pri- vate medical data.667 The plaintiff alleged, inter alia, data.654 Nine agencies reported that there are no such laws in their state regarding the intentional disclosure of monitoring data.655 As for specific information, the Arkansas DOT cited Arkansas Code Annotated Section 12-12-1807 that pertains to the use of ALPRs in Arkansas: (a) A person who violates this subchapter shall be subject to legal action for damages to be brought by any other person claiming that a violation of this subchapter has injured his or her business, person, or reputation. (b) A person so injured shall be entitled to actual damages or liquidated damages of one thousand dollars ($1,000), whichever is greater, and other costs of litigation. No cases were located for the digest, and the transportation agencies did not report any claims involving an agency’s intentional release of monitor- ing data.656 No statutes were located for the digest that provide a cause of action specifically for the dis- closure of monitoring data of the type collected by ITS. Finally, it appears that the approach in some states is to deal with monitoring data on an issue by issue basis by limiting or prohibiting the use of cer- tain technology or by limiting or prohibiting the use of certain secure or monitoring data. C. Liability of Contractors for Data Disclosure Nine transportation agencies reported that they have contracts with persons or private entities to collect and/or maintain secure data or monitoring data.657 Copies of or links to agreements furnished by the agencies are included in Appendix C. As com- mentators have observed, “federal and state agen- cies have increasingly relied on outsourcing the gathering and managing of information to private 654 Arkansas DOT, District of Columbia DOT (reporting that “1 DCMR §1500 states in part that individuals that misuse or destroy public records are subject to penalty”), Florida DOT, City of Minneapolis–Public Works Dept. (cit- ing Minnesota Government Data Practices Act, MiNN. sTaT. § 13.01, et seq.), South Carolina DOT (citing notification of data breach law, S.C. cOde § 39-1-90), and Utah DOT. The Florida DOT referred to the waiver of immunity, fLa. sTaT. § 768.28(1). 655 Alabama DOT, Arizona DOT, Indiana DOT, MoDOT, Montana DOT, North Dakota DOT, Oklahoma DOT, Oregon DOT, Rhode Island DOT, and Utah DOT. 656 Alabama DOT, Arkansas DOT, Arizona DOT, Dis- trict of Columbia DOT, Indiana DOT, City of Minneapolis– Public Works Dept., MoDOT, North Dakota DOT, Oklahoma DOT, Oregon DOT, Rhode Island DOT, South Carolina DOT, and Utah DOT. The Maine DOT, Montana DOT, and Ohio DOT did not respond to the question. 657 Arizona DOT, Florida DOT, Indiana DOT, City of Minneapolis–Public Works Dept., MoDOT, North Dakota DOT, Oregon DOT, Rhode Island DOT, and Utah DOT. The Maine DOT, Montana DOT, and Ohio DOT did not respond to the question. 658 Douma and Deckenbach, supra note 2, at 312 (foot- note omitted). See also Froomkin, supra note 213, at 1022, 1024 (citing Fred H. Cate, Government Data Mining: The Need for a Legal Framework, 43 haRv. C.R.–C. L. Rev. 435, 439 (2008)). 659 caL. pUB. cOde § 10426(c) (2015). 660 Douma and Deckenbach, supra note 2, at 322. 661 Phillips and Kohm, supra note 1, at P21 (citing ITS America’s Fair Information and Privacy Principles 1, ITS America, available at http://www.itsa.org/images/media- center/itsaprivacyprinciples.pdf (last accessed Oct. 12, 2015)). 662 Case No. 3:15-CV-01175, 2015 U.S. Dist. LEXIS 141945 (N.D. Calif. 2015) [hereinafter Antman Compl.]. 663 Id. at 3. 664 Id. at 12 and 14 (citing caL. BUs. & pROf. cOde § 17200, et seq.). 665 Case No. 2:2015-cv-00539 (W.D. Wash. 2015) [herein- after Webb Compl.]. 666 Id. at 1. 667 Id. at 2.

Next: X. Disclosures of Data Under the Federal or a State FOIA or State Public Records Disclosure Law »
Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

TRB's National Cooperative Highway Research Program (NCHRP) Legal Research Digest 71: Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public reviews the statutes, regulations, and common law regarding the release of data collected for transportation purposes. Included in this research are questions concerning the application of public records laws and the application of any constitutional, statutory, or common law privacy rights. The digest also researches and identifies statutes and common law dealing with the collection of data on the activities of the public, includes a literature search of topics addressing these issues, and also includes a search of state and federal laws focusing on this and similar topics.

Appendixes A through D provide background on the research effort.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!