Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public (2016)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

49 to be published by an agency are subject to disclo- sure unless the information comes within one of nine exemptions.681 Thus, unless a request for gov- ernment data is protected from disclosure by an exemption in the FOIA or by another law, it appears that a request for data may be allowable.682 How- ever, at least one court has ruled that an agency need not disclose records automatically but must weigh the effects of disclosure and nondisclosure and determine the best course to follow.683 C. State FOIA or Public Records Disclosure Laws and a Release of Data Likewise, state statutes that allow for the disclo- sure of data collected by state agencies may include an exemption permitting a transportation agency to withhold data. The New York Public Officers Law requires an agency to make available for public inspection and copying all records except those that come within certain exemptions that are similar to the exemptions in the federal FOIA.684 First, an applicable FOIA or public records dis- closure law may exempt certain personal data from disclosure. In Pennsylvania, it is not necessary to disclose “[a] record, the disclosure of which would be reasonably likely to result in a substantial and demonstrable risk of physical harm to the personal security of an individual.”685 Although Michigan’s FOIA includes a presumption in favor of disclosure, one exemption protects “[i]nformation of a personal nature” from disclosure “if public disclosure… would constitute a clearly unwarranted invasion of an individual’s privacy.”686 Similar to Michigan’s FOIA, the Illinois FOIA prohibits inspection and copying of “[p]rivate information, unless disclosure is required by another provision of [the Illinois FOIA], a state or federal law or court order.”687 The Illinois FOIA provides that personal information contained in public records may not be inspected or copied if the disclosure would constitute “a clearly unwarranted invasion of personal privacy” unless that Premera had made representations “regarding [the] confidentiality of private medical, financial, and personal information on which Plaintiffs and Class members relied in obtaining and purchasing Premera Blue Cross health insurance coverage.”668 The plaintiffs also claimed that the defendant “was not in compliance with many standards of data security.”669 The complaint alleges that the defendant’s conduct violated HIPPA, Washington’s Data Breach Notification Law,670 and the plaintiffs’ right to privacy at common law,671 as well as constituted negligence,672 breach of contract,673 and unjust enrichment.674 X. DISCLOSURES OF DATA UNDER THE FEDERAL OR A STATE FOIA OR STATE PUBLIC RECORDS DISCLOSURE LAW A. Introduction Three transportation agencies responding to the survey reported receiving requests to disclose secure data pursuant to a FOIA or other state public records disclosure law,675 whereas nine agencies reported that they had not received any requests for secure data.676 Four agencies advised that they had received requests for monitoring data,677 but eight agencies stated that they had not received any requests for monitoring data.678 B. The Federal FOIA and Release of Data The federal Freedom of Information Act of 1966679 creates a strong presumption of public access to agency records.680 Documents that are not required 668 Id. at 4. 669 Id. at 5. 670 Id. at 16 (citing Wash. Rev. cOde § 19.255.010). 671 Id. at 24. 672 Id. at 17. 673 Id. at 21. 674 Id. at 22. 675 Arkansas DOT, Indiana DOT, and City of Minneapolis–Public Works Dept. The Maine DOT and Ohio DOT did not respond to the question. 676 Alabama DOT, Arizona DOT, MoDOT, North Dakota DOT, Oklahoma DOT, Oregon DOT, Rhode Island DOT, South Carolina DOT, and Utah DOT. The Montana DOT’s response was “not known.” 677 Arkansas DOT, Arizona DOT, District of Columbia DOT, and City of Minneapolis–Public Works Dept. The Maine DOT and Ohio DOT did not respond to the question. 678 Alabama DOT, Indiana DOT (stating that details are not available), North Dakota DOT, Oklahoma DOT, Oregon DOT, Rhode Island DOT, South Carolina DOT, and Utah DOT. The Montana DOT’s response was “none known.” 679 Pub. L. No. 89-487, 80 Stat. 250, codified at 5 U.S.C. § 552, et seq. (2015). 680 5 U.S.C. § 552(d) (2015). 681 I5 U.S.C. §§ 552(b)(1)–(9) (2015). 682 5 U.S.C. § 552(a) (2015). 683 Gen. Servs. Admin. v. Benson, 415 F.2d 878, 880 (9th Cir. 1969). 684 N.Y. pUB. Off. LaW § 87(2) (2015). 685 65 pa. cONs. sTaT. §§ 67.708(b)(1)(i)–(ii) (2015). See also Glancy, supra note 4, at 301. 686 Mich. cOMp. LaWs seRv. § 15.231, et seq. (2015) and see id. § 15.243(a) (2015). See also Michigan Fed’n of Teachers v. University of Michigan, 481 Mich. 657, 753 N.W.2d 28 (Mich. 2008) (holding that names and addresses of teachers were part of a FOIA privacy exemption and therefore could not be disclosed) and Robert M. Vercruysse & Susan K. Friedlaender, Employee Privacy Rights in the Public and Private Employment Sector, 68 Mich. B.J. 608, 609 (1989). 687 5 iLL. cOMp. sTaT. § 140/7(1)(b) (2015).

50 Nevertheless, the Committee ruled that Section 409 did not exempt the records from disclosure, because the statute “precludes the use of certain records in a litigation context; it does not, however, exempt records from disclosure in every instance.”698 The Committee stated that the request should not have been denied on the basis of 23 U.S.C. § 409 unless the requestor intended to use the records for litigation purposes.699 The Committee also ruled that the records may be exempt under N.Y. Public Officers Law Section 87(2)(g), which exempts cer- tain inter-agency or intra-agency materials when they are “reflective of opinion, advice, recommenda- tion and the like.”700 In this case, the requested infor- mation was not intra/inter-agency communications but rather statistical or factual data that were not exempt from disclosure.701 Another example is Commissioner of Public Health v. Freedom of Information Commission,702 involving a request by a newspaper for all records associated with a report that a physician had engaged in violations of the applicable standard of care.703 The report included an exhibit with records from the Practitioner Data Bank and the Health- care Data Bank. The Supreme Court of Connecticut stated that federal statutes and regulations “strongly suggest that records” contained in the databases are not subject to disclosure under the FOIA.704 The court held that the Commissioner of Public Health could not disclose records that were received from the federal Healthcare Data Bank or the Practitioner Data Bank to an unauthorized per- son unless the records also originated from the agency’s own files and disclosure was required under the federal or Connecticut’s FOIA.705 A third exemption may be predicated on the possi- ble loss of federal or state funding. In Pennsylvania it is not necessary to disclose “[a] record, the disclosure of which…would result in the loss of Federal or State funds by an agency or the Commonwealth….”706 Fourth, data may be exempt from disclosure when the data are used for law enforcement purposes. In New York, when an individual requested the New York City DOT to provide a list of the locations of cameras used in the City’s Red Light Camera the subject of the information consents in writing to the disclosure.688 Second, state FOIAs or the equivalent may exempt records that are specifically prohibited from disclosure by laws other than the state’s FOIA or other public records disclosure law. In Pennsylvania, “[a] record of information[] identify- ing an individual who applies for or receives social services” may not be disclosed.689 In Bullock v. Southeastern Pennsylvania Transportation Author- ity,690 a case decided by the Office of Open Records,691 Bullock requested SEPTA’s Americans with Dis- abilities Act paratransit reports, including medical assessments, records, and written results and rec- ommendations.692 Because paratransit services “are social services[] and.. all the records requested relate to the application for, evaluation of and eligi- bility for the services,” the requested records were exempt from disclosure.693 In Illinois, “information specifically prohibited from disclosure by federal or State law or rules and regulations implemented by federal or State law” may not be disclosed.694 New York and Wisconsin have similar exemptions.695 In New York, the Committee on Open Govern- ment issued an advisory opinion with respect to a request directed to the New York State DOT by a reporter for the Albany Times Union for a list of “safety deficient locations.”696 The DOT denied the request based on an exemption in N.Y. Public Offi- cers Law Section 87(2)(a) and 23 U.S.C. § 409. The DOT argued that the information had been collected with the assistance of federal funds and that Section 409 provides that such information “shall not be subject to discovery or admitted into evidence in a Federal or State court proceeding.…”697 688 5 iLL. cOMp. sTaT. § 140/7(1)(c) (2015). 689 65 pa. cONs. sTaT. § 67.708(b)(28) (2015). 690 In the Matter of Janice Bullock, Complainant v. Southeastern Pennsylvania Transportation Authority, Docket No. AP 2010-0343 at 1 (2010) [hereinafter In re: Bullock]. 691 Although final determinations by the Office of Open Records are binding, they are subject to judicial review. See https://www.dced.state.pa.us/public/oor/fd/Final Determination.pdf. 692 In re: Bullock, supra note 690, at 1 (citing 65 pa. cONs. sTaT. § 67.708(b)(28)). 693 Id. at 3. 694 5 iLL. cOMp. sTaT. 140/7(a) (2015). 695 See N.Y. pUB. Off. § 87(2)(a) (2015); Wis. sTaT. § 19.36(1) (2015). 696 State of New York Department of State Committee on Open Government, FOIL-AO-12395 (Dec. 1, 2000) [herein- after FOIL-AO-12395], available at: http://docs.dos.NYgov/ coog/ftext/f12395.htm (last accessed Oct. 12, 2015). 697 23 U.S.C. § 409. 698 FOIL-AO-12395, supra note 696. 699 Id. 700 Id. 701 Id. 702 311 Conn. 262, 86 A.3d 1044 (Conn. 2013). 703 Id. at 265–266, 86 A.3d at 1046–1047. 704 Id. at 280, 86 A.3d at 1055. 705 Id. at 265, 86 A.3d at 1053–1055. 706 65 pa. cONs. sTaT. §§ 67.708(b)(1)(i)–(ii) (2015). See also Glancy, supra note 4, at 301.

51 that may be applicable to some data collected and maintained by transportation agencies.714 D. Agency Waiver of Privacy Exemption Exemptions under a FOIA or similar legislation may be waived. If an agency freely discloses “con- fidential information to a person without restrict- ing that person’s ability to disclose that informa- tion,” the agency will waive its FOIA exemption.715 It has been held that if a federal agency volun- tarily discloses information that is subject to the FOIA’s deliberative process privilege, the agency waives the right to claim later that the informa- tion is exempt.716 E. Whether Both FOIA Requests and Discovery Requests May Be Used to Obtain a Transportation Agency’s Data Transportation agencies may receive requests under a FOIA or an equivalent public records disclo- sure law for secure data or monitoring data.717 Indeed, in their responses to the survey nine trans- portation agencies reported receiving discovery requests and subpoenas for secure data,718 whereas two agencies stated that they had not received such requests and subpoenas.719 Seven transportation agencies reported receiving discovery requests and subpoenas for monitoring data,720 but five agencies Program,707 the DOT denied the request on the ground that the list was used only for law enforce- ment purposes.708 The New York Committee on Open Government ruled that the location of the cameras did not come within the law enforcement exemption in N.Y. Public Officers Law Section 87(2)(e). Moreover, because a camera’s location is disclosed on the citation that an individual receives, there is “nothing secret” about the loca- tion of cameras.709 A District of Columbia case, Wemhoff v. District of Columbia,710 illustrates how the secondary uses of roadside-collected data may present privacy issues. In Wemhoff, the plaintiff made a FOIA request for the names and addresses of motorists who received traffic violations because of being photographed by a red light camera. Wemhoff sought the information to solicit individuals for his lawsuit.711 The court’s examination of the relevant provision of the DPPA, discussed supra, focused on the impor- tance of maintaining drivers’ privacy: “This [narrow] construction ensures that individuals’ statutorily recognized rights to the privacy of their motor vehi- cle records are not sacrificed whenever a litigant raises the possibility of a tenuous connection between the protected information and issues tangentially related to a conceivable litigation strategy.”712 The court denied the request because it was not a “permissive use” within the meaning of the DPPA, and the disclosure would violate the DPPA and District of Columbia law.713 Another possible exemption is that some states’ agencies may be able to withhold data from the public under a “deliberative process” privilege, an exemption 707 State of New York Department of State Committee on Open Government, FOIL-AO-12412 (Dec. 19, 2000), [here- inafter FOIL-AO-12412], available at: http://docs.dos. ny.gov/coog/ftext/f12412.htm (last accessed Oct. 12, 2015). Each agency promulgates its own regulations and proce- dures regarding the availability of records. N.Y. pUB. Off. § 87(1)(b). After an agency’s decision the agency shall “immediately forward to the committee on open govern- ment a copy of such appeal when received by the agency and the ensuing determination thereon.” N.Y. pUB. Off. § 89(4) (a). If the request is denied or ignored, the person requesting the record may commence an action to compel compliance with the request. N.Y. pUB. Off. § 89(4)(b)–(c). See generally digiTaL Media LaW pROJecT, Access to Public Records in New York, available at: http://www.dmlp.org/legal-guide/access- public-records-new-york (last accessed Oct. 12, 2015). 708 FOIL-AO-12412, supra note 707 (internal quotation marks omitted). 709 Id. 710 887 A.2d 1004, 1004–1006 (D. C. App. 2005). 711 Id. at 1009. 712 Id. at 1011 (citing Pichler v. UNITE, 339 F. Supp. 2d 665, 668 (E.D. Pa. 2004) (internal quotation marks omitted)). 713 Id. at 1012. 714 Shell Oil Co. v. IRS, 772 F. Supp. 202, 203 (D. Del. 1991). 715 Patrick Lightfoot, Waiving Goodbye to Nondisclosure Under FOIA’s Exemption 4: The Scope and Applicability of the Waiver Doctrine, 61 caTh. U. L. Rev. 807, 808 (2012). 716 Shell Oil Co., 772 F. Supp. at 211 (holding that the IRS was required to release information requested by an oil company under FOIA that an IRS employee had previously read at a public meeting because a public reading of the document constituted a waiver of the FOIA exemptions). 717 See App. B, DOT responses to question 14(a) and (b). 718 Alabama DOT, Arizona DOT, Indiana DOT, City of Minneapolis–Public Works Dept., MoDOT, North Dakota DOT, Oklahoma DOT, Oregon DOT, and Rhode Island DOT. The Arizona DOT reported that “[a] public records report that provides request details is not available.” The District of Columbia DOT and the Florida DOT responded that the information on requests is not available. Although not responding directly to question 15(a) or (b) that distin- guishes between secure data and monitoring data, the Ohio DOT stated that the department responds to public records requests and discovery requests and subpoenas on a daily basis. 719 Arkansas DOT and South Carolina DOT. Montana DOT’s and Utah DOT’s response was not known. 720 Alabama DOT, Arizona DOT, City of Minneapolis– Public Works Dept., MoDOT, Oklahoma DOT, Oregon DOT, and Rhode Island DOT. The Arizona DOT stated that “[a] public records report that provides request details is not available.” The Florida DOT responded that the information on request is not available.