National Academies Press: OpenBook

Legal Issues Concerning Transit Agency Use of Electronic Customer Data (2017)

Chapter: VIII. WHETHER THERE ARE FEDERAL STATUTES THAT APPLY TO TRANSIT AGENCIES' CUSTOMERS' ELECTRONIC PERSONAL DATA

Suggested Citation: "VIII. WHETHER THERE ARE FEDERAL STATUTES THAT APPLY TO TRANSIT AGENCIES' CUSTOMERS' ELECTRONIC PERSONAL DATA." National Academies of Sciences, Engineering, and Medicine. 2017. Legal Issues Concerning Transit Agency Use of Electronic Customer Data. Washington, DC: The National Academies Press. doi: 10.17226/24730.

for medical information, there is “no blanket constitutional privacy protection….”364 Finally, a disclosure, of course, could be made by contractors charged with the responsibility to collect and safeguard data. Section 1983 requires that a violator act under color of law, but “‘does not require that the accused be an officer of the State. It is enough that he is a willful participant in joint activity with the State or its agents….’”365 Although it appears that a government-owned agency’s contractor could be subject to § 1983, it would have to be shown that the contractor violated a known, clearly established constitutional right to privacy.

Unless the Supreme Court recognizes a constitutional right to privacy in transit customers’ electronic personal data, it appears that a complaint against a government-owned transit agency, its officers, or employees for collecting or mishandling customers’ data would fail to state a claim under § 1983. It has been held that there is no constitutional right to privacy even in PII of the type the DPPA protects or that is in an employee’s personnel file.366 Unlike the DPPA, there is currently no federal statute that applies to customers’ personal data being collected electronically or otherwise by transit agencies. Moreover, in the absence of a clearly established constitutional or statutory right to privacy of which a reasonable person would have known, government-owned transit agencies or their officers or employees who are sued in their individual capacities appear to have qualified immunity to claims arising out of the collection of customers’ electronic data.367 Finally, a claim based on “mere negligence” for a disclosure of personal data ordinarily would be insufficient because “under section 1983 there must be an intentional or deliberate deprivation of life, liberty, or property, or at least ‘deliberate indifference.’”368

VIII. WHETHER THERE ARE FEDERAL STATUTES THAT APPLY TO TRANSIT AGENCIES’ CUSTOMERS’ ELECTRONIC PERSONAL DATA

A. Evolution of Federal Statutory Privacy Rights

With respect to federal statutes protecting individuals’ right to privacy, the laws historically have been derived from general tort law, but government record-keeping on its citizens has resulted in “a distinct subspecies of statutory law.”369 Some federal laws, such as the Privacy Act of 1974 and the Freedom of Information Act, broadly control the “use and disclosure of federal government records about its citizens,”370 whereas other laws such as the DPPA or the Gramm Leach Bliley Act of 1999 (GLBA)371 govern narrow, specific issues that affect individuals. Although several federal laws address the privacy rights of individuals, the protection of privacy rights has been left largely to the states.372 In summary, no federal statutes were located for the digest that protect transit customers’ electronic personal data.

B. Privacy Act of 1974

The Privacy Act of 1974373 protects the privacy of records maintained by federal agencies on individuals374 and regulates the agencies’ release of privacy information.375 The Act is a “reaction to the perceived threat to personal privacy presented by computerized government records about its citizens” and addresses problems “largely beyond the reach of traditional tort law.”376 The Act requires each government agency to make certain information available to the public but provides further that

[t]o the extent required to prevent a clearly unwarranted invasion of personal privacy, an agency may delete identifying details when it makes available or publishes an opinion, statement of policy, interpretation, staff manual, instruction, or copies of records referred to in subparagraph (D)….377

The USDOT explains that the Privacy Act sets forth “how the federal government should treat individuals and their information and imposes duties upon federal agencies regarding the collection, use, dissemination, and maintenance of personally identifiable information (PII).”378 The USDOT also observes that Section 208 of the E-Government Act of 2002 “establishes the requirement for agencies to conduct privacy impact assessments (PIAs) for electronic information systems and collections.”379

The Privacy Act governs government or government-controlled corporations but not private entities.380 The Privacy Act applies, however, to “certain federal contractors who operate Privacy Act systems of records on behalf of federal agencies.”381 When disclosing records, no federal agency or its contractors may disclose PII without the affected individual’s written consent.382 If the Privacy Act and privacy regulations provide different standards, a federal agency must abide by whichever provision allows for the least disclosure.383 Section 552g(1) of the Privacy Act states:

Whenever any agency…fails to maintain any record concerning any individual with such accuracy, relevance, timeliness, and completeness as is necessary to assure fairness…or fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual, the individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction in the matters under the provisions of this subsection.384

Although an individual may bring a civil action when an agency wrongfully discloses personal data, a plaintiff has the burden of showing that the agency willfully or intentionally disclosed the data.385 The Privacy Act has apparently not been applied to data breaches resulting from unauthorized access.386 There are four essential elements that must be established when a plaintiff makes a claim under the Privacy Act: (1) the information is covered by the Act as a “record” contained in a “system of records;” (2) the agency “disclosed” the information; (3) the disclosure had an “adverse effect” on the plaintiff (an element which separates itself into two components: (a) an adverse effect standing requirement and (b) a causal nexus between the disclosure and the adverse effect); and (4) the disclosure was “willful or intentional.”387

In Stephens v. Tennessee Valley Authority,388 a former Tennessee Valley Authority (TVA) employee sued TVA under the Privacy Act for violating his federal civil rights when it publicly circulated a memorandum accusing the plaintiff of accepting kickbacks and violating several laws.389 After the document was released to the media, TVA recalled and replaced it with a sanitized document that did not personally identify the plaintiff; however, one copy of the original document was released publicly.390 The court held that the plaintiff could not recover for a violation of the Privacy Act even though there was a wrongful disclosure, because the agency had not acted willfully or intentionally.391 By recalling and sanitizing the document, TVA demonstrated a concern for the plaintiff’s privacy interests.392

In a 2008 case brought under the Privacy Act, however, American Federation of Government Employees v. Hawley,393 the plaintiffs alleged that the defendants violated the Aviation and Transportation Security Act (ATSA)394 and the Privacy Act395 by failing to establish appropriate safeguards to insure the security and confidentiality of personnel records. A federal court in the District of Columbia explained what is meant by the Privacy Act’s requirement that a violation be intentional or willful:

An agency acts in an intentional or willful manner “either by committing the act without grounds for believing it to be lawful[] or by flagrantly disregarding others’ rights under the Act.” …To rise to this level, “[t]he violation must be so patently egregious and unlawful that anyone undertaking the conduct should have known it [to be] unlawful.”396

The plaintiffs alleged that the defendants were informed repeatedly of “recurring, systemic, and fundamental deficiencies in [their] information security,” but that the defendants “demonstrated reckless disregard for privacy rights when [they] failed to effectively secure the external hard drive that maintained the personal information of [their] personnel workforce.”397 The court held, inter alia, that the plaintiffs’ allegations that the agency had negligently lost control of their personal data by failing to establish safeguards to prevent the loss of hard drives stated a claim.398 In subsequent proceedings, however, the court granted the defendants’ motion for summary judgment because the undisputed facts showed that neither had there been a violation of the Privacy Act nor had the plaintiffs sustained any actual damages.

In 2014 in Kelley v. FBI,399 a federal court in the District of Columbia held that the plaintiffs’ allegations were sufficient to state a claim against the FBI under the Privacy Act.400 In Kelley, after the plaintiffs received a number of harassing emails, they notified the FBI of the cyberstalking.401 During the investigation, the plaintiffs consented to giving the FBI the passwords to their email accounts so that the FBI could track the Internet Protocol (IP) address of the stalker.402 The FBI promised not to release the plaintiffs’ names, but their names were released when the media received some of the harassing emails that the plaintiffs had received.403 The plaintiffs alleged that their information and report to the FBI were maintained in a system of records that identified them by name or identification number, that the FBI shared this information with the Department of Defense, and that both agencies disclosed the information to the media.404 As of July 2016, there were no further reported proceedings in the Kelley case.

Finally, the Privacy Act provides that a person shall be entitled to recover no less than $1,000.405 In 2004, in Doe v. Chao,406 the Supreme Court held that in the absence of proof of actual damages, the petitioner could not recover for a violation of the Privacy Act even though the government repeatedly disclosed the claimant’s SSN.407 It was not sufficient to show that the government intentionally or willfully violated the Act; the claimant also had to show an adverse effect, i.e., actual damages.408

As discussed in the following section, no federal statutes have been identified that are implicated by government-owned or privately owned transit agencies’ collection or use of their customers’ electronic data.409

C. The Electronic Communications Privacy Act of 1986

The Electronic Communications Privacy Act (ECPA), although a criminal statute, creates a cause of action for damages and other relief against electronic trespassers or “computer hackers.”410 If an unauthorized party gains access to a transit agency’s data “by intercepting an electronic communication or accessing information stored about such communication,” the unauthorized interception may violate the ECPA.411 Title I of the ECPA amended the Federal Wiretap Act so that it applies to the interception of electronic communications,412 whereas Title II created the Stored Communications Act (SCA) to cover unauthorized access to stored communications and records.413

1. Federal Wiretap Act

The Federal Wiretap Act414 proscribes the interception of electronic communications, as well as wire and oral communications. Thus, the Act applies, inter alia, to any person who “intentionally intercepts, endeavors to intercept, or procures” another person to intercept an electronic communication.415 The Act also applies to someone who intentionally discloses or uses, or endeavors to disclose or use, the contents of any electronic communication knowing or having reason to know that the electronic communication was intercepted in violation of the statute.416 An interception means the acquisition of an electronic communication “‘through the use of any electronic, mechanical, or other device’”417 that occurs contemporaneously with the transmission of the electronic communication.418

Section 2520 authorizes a civil action for an interception, disclosure, or intentional use of an electronic communication in violation of the Act. A plaintiff may seek preliminary and other equitable or declaratory relief; damages, including punitive damages in appropriate cases; and a “reasonable attorney’s fee and other litigation costs reasonably incurred.”419

2. Stored Communications Act

Section 2701 of the SCA prohibits the intentional accessing of electronic data without authorization or in excess of one’s authorization.420 Section 2701(a) applies to anyone, except as provided in subsection (c), who “intentionally accesses without authorization a facility through which an electronic communication service is provided; or…intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage….”421

Section 2701 prohibits only unauthorized access and not the misappropriation or disclosure of information.422 Thus, the section “outlaws illegal entry, not larceny.”423 A person with authorized access to a database does not violate the section no matter how malicious or larcenous the intended use of that access.424

Communications are in electronic storage within the meaning of the SCA even when “the storage is transitory and lasts for only a few seconds.”425 Moreover, information stored on a server and conveyed from a private Web site to users is subject to the SCA,426 as well as information held temporarily in random-access memory.427 In In re Intuit Privacy Litigation,428 the plaintiffs alleged that the defendant implanted “cookies” on their computer hard drives when they visited certain Web sites. The court held that for there to be a violation of Section 2701, a defendant need not “be a third party to an electronic communication [that] eventually [is] in electronic storage in a facility” or even that there be a communication at all with the defendant.429 All that is required for a violation of the statute is the defendant’s “act of accessing electronically stored data.”430

In JetBlue Airways Corp., supra, the court held that companies that provide traditional products and services over the Internet, as opposed to Internet access itself, are not “electronic communication service” providers within the meaning of the ECPA.431 JetBlue was not an electronic communication service provider simply because it maintained a Web site that allowed for the transmission of electronic communications between it and its customers. In Yunker, supra, the plaintiff failed to show that a disclosure of Yunker’s PII violated the SCA, because the plaintiff failed to show that his PII was in temporary or immediate storage after he sent it to Pandora.432

Although not applicable to transit agencies, Section 2702(a) of the SCA prohibits voluntary disclosure of a customer’s electronic data by persons or entities providing an electronic communication service or remote computing service to the public.433 Although the SCA provides for criminal liability, an aggrieved party may bring a civil action for a violation of the Act, subject to a 2-year statute of limitations,434 and recover actual damages and “any profits made by a violation,”435 plus “attorney’s fees and other litigation costs.”436 If damages are awarded, the amount is to be for no less than $1,000.437

3. Whether the SCA Applies to Transit Agencies

A Department of Justice resource manual states that the section of the SCA on violations is “intended to address ‘computer hackers’ and corporate spies.”438 The SCA applies to violations by the United States, as those violations “may give rise to a cause of action and may result in disciplinary action against offending officials or employees”; however, the SCA does not mention violations by state or local government agencies.439 In Tucker v. X,440 the Fourth Circuit held that “a governmental entity that violates the dictates of § 2703(a) or (b) may be held civilly liable for such violation.... In contrast, the language of § 2703(c) does not prohibit any governmental conduct, and thus a governmental entity may not violate that subsection by simply accessing information improperly.”441

D. Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA),442 a long and complex statute, appears at first to be directed primarily at the prevention of unauthorized disclosure of data involving the national defense or foreign relations of the United States.443 Other provisions of the CFAA have broader applicability, however, as the Act applies, inter alia, to anyone who:

(a) …
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); …or
(C) information from any protected computer; ….
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; [and]
(5) ….
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss….444

The CFAA provides that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”445 There is a basis for a civil action only if, however, “the conduct involves 1 of the factors set forth in subclauses…(I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).”446 The factors in subclauses (c)(4)(A)(i)(I)–(V) are:

(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security….447

Moreover, “[d]amages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages.”448

E. Driver’s Privacy Protection Act

Although the DPPA449 is not relevant to transit agencies’ collection of customers’ electronic data, as discussed in Section VII.D, there are judicial precedents holding that a disclosure of data that violates the statute does not also give rise to a constitutional privacy claim.450

F. Other Federal Laws Applicable to Collection of Customers’ Electronic Data

1. Federal Trade Commission Act

The Federal Trade Commission Act451 (FTC Act) regulates companies’ privacy notices to consumers concerning how they collect and use consumer data, including locational data. One transit agency that responded to the survey stated that its collection of customers’ electronic data is subject to the FTC.452 The FTC Act only states, however, that the FTC is “empowered and directed to prevent persons, partnerships, or corporations…from using unfair methods of competition…and unfair or deceptive acts or practices in or affecting commerce.”453

In FTC v. Wyndham Worldwide Corporation454 in 2014, a federal district court in New Jersey stated that rapidly evolving digital and privacy issues are in an “ongoing struggle” over a “variety of thorny legal issues that Congress and the courts will continue to grapple with….”455 Nevertheless, the court held that even in the absence of more formal notice via rulemaking, the FTC could bring an action against the defendant under the FTC Act. When “‘an agency...is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.’”456 The court recognized that the FTC has broad authority to regulate the security of data even if explicit language is not included in the statute. The court reasoned that “the FTC’s unfairness authority over data security” would not “lead to a result that is incompatible with more recent legislation” or “plainly contradict congressional policy.”457 Because Section 5 of the FTC Act “codifies a three-part test that proscribes whether an act is ‘unfair,’” the court was not convinced by the defendant’s argument that regulations are the only way to provide fair notice.458 Therefore, prior to bringing an action for a violation of the Act, the FTC was not required to promulgate regulations explaining which data-security practices are forbidden or required by the FTC Act. The court stated that a ruling for the defendant would mean that “the FTC would have to cease bringing all unfairness actions without first proscribing particularized prohibitions—a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.”459

The FTC’s 2007 Identity Theft Red Flags Regulations and Guidelines (Red Flags Regulations) issued pursuant to Section 114 of the Fair and Accurate Credit Transactions Act of 2003 apply only to entities that extend credit. According to the ABA, however, “[i]t has become clear that a business’s failure to implement information security and privacy protection best practices could constitute unfair trade practices….”460

2. Other Federal Laws and Regulations

The Electronic Fund Transfers Act (EFTA) and the Federal Reserve’s Regulation E exempt electronic benefit transfer systems established by state and local governments from the disclosure protections, responsibilities, and remedies established under the Act.461 Regulation E does not appear to apply to transit agencies as they are not financial institutions and do not issue “access devices” to consumers for the purpose of obtaining government benefits.462 Regulation E does apply to banks, however, that issue reloadable cards that are or could be used for transit.463

The GLBA creates an obligation for financial institutions to protect the privacy of customers’ data by requiring the institutions to follow the standards created by an agency that regulates financial institutions in their jurisdiction.464 The GLBA regulates how financial institutions may collect and disclose information; sets forth measures that financial institutions must adopt to safeguard information; and prohibits the use of false pretenses to access information.465 The GLBA also provides for criminal and civil penalties for noncompliance.466

Other federal laws that apply to the protection of personal data are the healthcare privacy laws, including the Health Insurance Portability and Accountability Act of 1996, Health Information Technology for Economic and Clinical Health Act, Fair Credit Reporting Act, Bank Secrecy Act, and the Children’s Online Privacy Protection Act (COPPA).467 In its response to the survey, the Capital Area Transportation Authority of Lansing, Michigan, explained that it

complies with the requirements of the Children’s Online Privacy Protection Act (COPPA) and the FTC’s rule interpreting COPPA [16 C.F.R. § 512, et seq.]. The site is not directed to children, and we do not knowingly collect any personally identifiable information on the site from children under 13 years of age.

Finally, although there are federal laws requiring regulated entities to have privacy policies, the laws that

364 Id. at *42 (citing Cooksey v. Boyer, 289 F.3d 513, 517 (8th Cir. 2002)). See also Kraege v. Tomko, 687 F. Supp. 2d 834, 835 (W.D. Wis. 2009) (holding that a claim against a state employee for violating the DPPA by releasing the plaintiff’s personal information was one essentially against the State and therefore barred by sovereign immunity).
365 Fadjo, 633 F.2d 1172, 1175 (5th Cir. 1981) (citations omitted).
366 Kiminski, 2013 U.S. Dist. LEXIS 157829, at *40 (citation omitted).
367 See Harlow v. Fitzgerald, 457 U.S. 800, 818, 102 S. Ct. 2727, 73 L. Ed. 2d 396 (1982).
368 Froomkin, supra note 196, at 1053.
369 McCarthy, supra note 204, at § 5.83.
370 Id. § 6.135.
371 Gramm–Leach–Bliley Act of 1999, § 501, 15 U.S.C. § 6801 (2016).
372 Katz, 389 U.S. at 350–351, 88 S. Ct. at 511, 19 L. Ed. 2d at 581 (footnote omitted).
373 See 5 U.S.C. § 552a (2016).
374 5 U.S.C. § 552a(b) (2016). See also 5 U.S.C. § 552(d)(1) (2016); Douma & Deckenbach, supra note 196, at 306.
375 5 U.S.C. §§ 552(a) and (b) (2016).
376 McCarthy, supra note 204, at § 5.85.
377 5 U.S.C. § 522(a)(2)(E) (2016).
378 U.S. Dep’t of Transp., Privacy Impact Assessment (Update), National Registry of Certified Medical Examiners (National Registry) (Aug. 20, 2012), https://www.transportation.gov/sites/dot.dev/files/docs/FMCSA_PIA_National_Registry_082012.pdf (last accessed Sept. 24, 2016).
379 Id.
380 John M. Eden, When Big Brother Privatizes: Commercial Surveillance, the Privacy Act of 1974, and the Future of RFID, Duke L. & Tech. Rev. 20, P4 (2005) (citing 5 U.S.C. § 522(a) and (a)(1)), hereinafter referred to as “Eden.”
381 65 Fed. Reg. 82482 (Dec. 28, 2000).
382 Id.
383 Id.
384 5 U.S.C. §§ 552a(g)(1)(A)–(D) (2016) (emphasis supplied).
385 5 U.S.C. § 552a(g)(4) (2016).
386 Froomkin, supra note 196, at 1034.
387 Quinn v. Stone, 978 F.2d 126, 131 (3d Cir. 1992) (emphasis supplied).
388 754 F. Supp. 579, 584 (E.D. Tenn. 1990).
389 Id. at 580.
390 Id. at 581.
391 Id. at 582.
392 Id. at 583. See also Wisdom v. Dep’t of Housing and Urban Dev., 713 F.2d 422, 424–425 (8th Cir. 1983) (holding that the Department of Housing and Urban Development had not acted intentionally or willfully in disclosing information to the IRS pertaining to an individual’s default on a home loan).
393 543 F. Supp. 2d 44 (D.D.C. 2008).
394 Id. at 45 (citing 49 U.S.C. §§ 44901 and 44935).
395 Id. (citing 5 U.S.C. § 552a).
396 Id. at 51 (citations omitted) (some internal quotation marks omitted).
397 Id. at 52 (citations omitted) (some internal quotation marks omitted).
398 Id. at 51–53.
399 2014 U.S. Dist. LEXIS 128403, at *1 (D.D.C. 2014).
400 Id. at *50–51.
401 Id. at *7–8.
402 Id. at *8–9.
403 Id. at *11–12.
404 Id. at *51–52. The court dismissed all other claims for either lack of jurisdiction or failure to state a claim. Id. at *28.
405 Froomkin, supra note 196, at 1034 (citing 5 U.S.C. § 552(q)(4)).
406 540 U.S. 614, 124 S. Ct. 1204, 157 L. Ed. 2d 1122 (2004).
407 Id., 540 U.S. at 616, 124 S. Ct. at 1206, 157 L. Ed. 2d at 1129.
408 Id., 540 U.S. at 627, 124 S. Ct. at 1212, 157 L. Ed. 2d at 1134.
409 Thomas Garry, Frank Douma & Stephen Simon, supra note 203, at 97, 103.
410 Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F. Supp. 2d 817, 820 (2000) (quoting State Wide Photocopy Corp. v. Tokai Financial, Inc., 909 F. Supp. 137, 145 (S.D.N.Y. 1995)).
411 Lars Smith, Symposium Review: RFID and Other Embedded Technologies: Who Owns the Data?, 22 Santa Clara Computer & High Tech. L.J. 695, 751 (2006). See Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 101-303, 100 Stat. 1848 (1986) (codified at 18 U.S.C. §§ 1367, 2510–2521, 2701–2710, 3121–3126).
412 United States v. Steiger, 318 F.3d 1039, 1046 (11th Cir. 2003), cert. denied, 538 U.S. 1051, 123 S. Ct. 2120, 155 L. Ed. 2d 1095 (2003).
413 Id. at 1047 (citing 18 U.S.C. § 2701(a)).
414 18 U.S.C. §§ 2510–2522 (2009).
415 18 U.S.C. § 2511(1)(a) (2009).
416 18 U.S.C. § 2511(c) (2009).
417 Crowley, 166 F. Supp. 2d at 1268 (quoting 18 U.S.C. § 2510).
418 Steiger, 318 F.3d at 1047 (citations omitted).
419 18 U.S.C. § 2520 (2016).
420 Sherman, 94 F. Supp. 2d at 820.
421 18 U.S.C. § 2701(a) (2016).
422 Therapeutic Research Faculty v. NBTY, Inc., 488 F. Supp. 2d 991, 997–998 (E.D. Cal. 2007).
423 Sherman, 94 F. Supp. 2d at 821.
424 Id.
425 Columbia Pictures, Inc. v. Bunnell, 245 F.R.D. 443, 450 (C.D. Cal. 2007) (citation omitted).
426 Steiger, 318 F.3d at 1047 (citing Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 876 (9th Cir. 2002)).
427 Columbia Pictures, Inc., 245 F.R.D. at 446 (decision involving a ruling on discovery).
428 138 F. Supp. 2d 1272 (C.D. Cal. 2001).
429 Id. at 1275–1276.
430 Id. at 1276 (footnote omitted).
431 18 U.S.C. § 2702 (2016).
432 Yunker, 2013 U.S. Dist. LEXIS 42691, at *26.
433 Sherman & Co., 94 F. Supp. 2d at 820.
434 18 U.S.C. § 2707(f) (2016).
435 18 U.S.C. § 2707(c) (2016).
436 18 U.S.C. § 2707(b)(3) (2016).
437 18 U.S.C. § 2707(c) (2016).
438 Department of Justice, Unlawful Access to Stored Communications–18 U.S.C. § 2701, https://www.justice.gov/usam/criminal-resource-manual-1061-unlawful-access-stored-communications-18-usc-2701 (last accessed Sept. 24, 2016).
439 Charles Doyle, Congressional Research Service, Privacy: An Abridged Overview of the Electronic Communications Privacy Act, at 7 (2012), https://www.fas.org/sgp/crs/misc/R41734.pdf (last accessed Sept. 24, 2016).
440 83 F.3d 688 (4th Cir. 1996).
441 Id. at 693.
442 18 U.S.C. § 1030 (2016).
443 18 U.S.C. § 1030(a) (2016).
444 18 U.S.C. § 1030(a)(2)(A) and (C), (4), (6), and (7) (2016).
445 18 U.S.C. § 1030(g) (2016).
446 Id.
447 18 U.S.C. § 1030(c)(4)(A)(i)(I) to (V) (2016).
448 18 U.S.C. § 1030(g) (2016).
449 18 U.S.C. §§ 2721–2725 (2016).
450 The DPPA protects personal information collected by a state Department of Motor Vehicles.
451 15 U.S.C. § 45 (2016).
452 Response of Capital Area Transportation Authority to Question 3.
453 15 U.S.C. § 45(a)(2) (2016).
454 10 F. Supp. 3d 602 (D.N.J. 2014), aff’d, 2015 U.S. App. LEXIS 14839 (3d Cir. N.J., Aug. 24, 2015).
455 Id. at 610.
456 Id. at 617, 619 (citation omitted).
457 Id. at 612 (citation omitted) (internal quotation marks omitted) (emphasis in original).
458 Id. at 619 (citation omitted).
459 Id. at 621 (emphasis in original).
460 Rubens, supra note 111. See Federal Trade Comm’n, Red Flags Regulations, http://ftc.gov/os/fedreg/2007/november/071109redflags.pdf (last accessed Sept. 24, 2016).
461 15 U.S.C. §§ 1693b(d)(1)-(2) (2016).
462 12 C.F.R. §§ 1005.2(i) and 1005.15 (2016).
463 Smart Card Alliance, A Guide to Prepaid Cards for Transit Agencies, at § 4.4, http://d3nrwezfchbhhm.cloudfront.net/pdf/Prepaid_Cards_for_Transit_Agencies_20110212.pdf (last accessed Sept. 24, 2016).
464 Edward J. Janger, Locating the Regulation of Data Privacy and Data Security, 5 Brook. J. Corp. Fin. & Com. L. 97, at 101–02 (2010) (citing 15 U.S.C. § 6801).
465 Rachael M. Peters, So You’ve Been Notified, Now What: The Problem with Current Data-Breach Notification Laws, 56 Ariz. L. Rev. 1171, 1180 (2014) (citing 18 U.S.C. § 6821(b)).
466 Id. (citing 18 U.S.C. § 6823).
467 Id. at 1177. It may be noted that COPPA provides that “[i]t is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).” 15 U.S.C. § 6502(a)(1).
TRB's Transit Cooperative Research Program (TCRP) Legal Research Digest (LRD) 48: Legal Issues Concerning Transit Agency Use of Electronic Customer Data explores the advantages, disadvantages, risks, and benefits for transit agencies moving to electronic, cloudbased, and other computerized systems for fare purchases and for communicating with customers. “Smart” fare cards are now commonplace, and private businesses and transit agencies are using or planning to use smartphones, smart cards and credit cards, and other systems to obtain payment, location, and other personal data from customers.

This digest updates TCRP LRD 14: Privacy Issues in Public Transportation (2000) and TCRP LRD 25: Privacy Issues with the Use of Smart Cards (2008) and covers additional dimensions of collection and use of personal information using new technologies developed since those studies. Appendix A-D are available online only.