National Academies Press: OpenBook

Legal Issues Concerning Transit Agency Use of Electronic Customer Data (2017)

Chapter: X. RIGHT TO PRIVACY UNDER STATE LAWS

Suggested Citation: "X. RIGHT TO PRIVACY UNDER STATE LAWS." National Academies of Sciences, Engineering, and Medicine. 2017. Legal Issues Concerning Transit Agency Use of Electronic Customer Data. Washington, DC: The National Academies Press. doi: 10.17226/24730.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

distress, because their actions were not intentional, and the plaintiff did not allege or prove any physical harm or genuine and serious mental distress.506

In 1996 the New York Court of Appeals held in Brown v. State,507 a class action alleging that the actions of the police in questioning only nonwhite males were unconstitutional, that “a cause of action to recover damages may be asserted against the State for a violation of the Equal Protection and Search and Seizure Clauses of the Constitution.”508 Following the precedent set in Bivens, the court held that there was an implied right of action: “implying a damage remedy here is consistent with the purpose underlying the duties imposed by these provisions and is necessary and appropriate to ensure the full realization of the rights they state.”509 Unlike in Bivens, however, an immunity defense was not available because New York had waived immunity for the acts of its officers and employees.510

Although in Brown, the New York Court of Appeals recognized an implied cause of action for a violation of the right to privacy, an appellate court in New York in Augat v. State511 held that because the plaintiffs had adequate common-law tort remedies, their claims based on alleged violations of the right to due process or freedom of association were not cognizable.512 The court distinguished the Brown case on the basis that the plaintiff in Brown did not have an adequate, alternative remedy under the common law as the plaintiffs had in Augat.513

Some states do not recognize an implied cause of action for a state constitutional violation, such as Tennessee.514

No cases were located for the digest that involved a claim against a transit agency for an alleged violation of a right to privacy under a state constitution that concerned an agency’s collection or use of a customer’s personal data collected electronically or otherwise.

X. RIGHT TO PRIVACY UNDER STATE LAWS

A. Introduction

In the absence of a federal statute applicable to privacy and the states, statutes in some states may be a source of privacy law applicable to the collection, use, disclosure, and/or retention of customers’ electronic personal data by transit agencies. There seem to be no state laws, however, “that specifically address privacy rights and transportation technologies.”515 Although many of the state laws discussed in the following section apply to state agencies or state and local agencies, the requirements may serve as a useful guide to private entities that collect customers’ electronic personal data.

The statutes discussed in this section regulate the privacy policies of government agencies or mandate when government entities, as well as private entities in some states, must notify individuals of security breaches that involve their personal data. The statutes apply to state agencies or state and local agencies, but none apply solely to local agencies.516 For example, Connecticut, Hawaii, and Massachusetts have laws governing personal data that are collected by state and local government agencies.517

The data-breach notification laws in California, Florida, Illinois, Indiana, Maine, and Michigan refer to state agencies.518 For example, the Indiana Fair Information Practices Act identifies the obligations of state agencies that maintain a personal information system and defines the term state agency as “every agency, board, commission, department, bureau, or other entity of the administrative branch of Indiana state government.”519

Delaware, Iowa, and Texas have enacted laws governing state agencies’ Web sites.520 New York has statutes regulating state agencies and their use of data that are neither data-breach notification laws nor laws regulating agency Web sites.521

506 Id. at 1095–1096.
507 89 N.Y.2d 172, 652 N.Y.S.2d 223, 674 N.E.2d 1129 (1996).
508 Id., 89 N.Y.2d at 188, 652 N.Y.S.2d at 232–233, 674 N.E.2d at 1138–1139.
509 Id., 89 N.Y.2d at 189, 652 N.Y.S.2d at 233, 674 N.E.2d at 1139–1140.
510 Id., 89 N.Y.2d at 195, 652 N.Y.S.2d at 237, 674 N.E.2d at 1143 (citing N.Y. Court of Claims Act § 9(2)).
511 244 A.D.2d 835, 666 N.Y.S.2d 249 (N.Y. App. 1997).
512 Id., 244 A.D.2d at 837, 666 N.Y.S.2d at 251–252.
513 Id., 244 A.D.2d at 837–838, 666 N.Y.S.2d at 251–252. Furthermore, the court in Augat did not address whether there was a cause of action for the constitutional violations alleged by the plaintiffs because their notice of intention to file was untimely. Id., 666 N.Y.S.2d at 251, 244 A.D.2d at 836–837.
514 Wooley v. Madison County, Tennessee, 209 F. Supp. 2d 836 (W.D. Tenn. 2002). See Humble, supra note 491.
515 Douma & Deckenbach, supra note 196, at 309.
516 Tennessee’s Identity Theft Deterrence Act of 1999 and Nevada’s Security of Personal Information statute are applicable to government agencies but neither statute defines the term. See Tenn. Code § 47-18-2101, et seq. (2016) and Nev. Rev. Stat. § 603A.030, et seq. (2016).
517 Conn. Gen. Stat. Ann. §§ 4-190(1) and 4-193 (2016); Haw. Rev. Stat. §§ 286-172(a) and (d) (2016); and Mass. Gen. Laws ch. 66A, §§ 1–3 (2016).
518 Cal. Civ. Code § 1798.3(b)(4) (2016); Fla. Stat. Ann. §§ 216.011(1)(qq), 282.0041(1), and 282.318 (2016) (the later section being the Information Technology Security Act applicable to state agencies); 815 Ill. Comp. Stat. 530/12 (2016) [eff. until Jan. 1, 2017]; Ind. Code Ann. §§ 4-1-6-1(d) to 4-1-6-8.6 (2016); Me. Rev. Stat. tit. 10, §§ 1347(5) and 1348 (2016); and Mich. Comp. Laws §§ 445.63(a) and 445.72 (2016).
519 Ind. Code Ann. §§ 4-1-6-1(d) to 4-1-6-8.6 (2016).
520 Del. Code Ann. tit. 29, §§ 5804(10) and 9018C to 9021C (2016); Iowa Code §§ 17A.2(1), 22.11, and 22.12 (2016); and Tex. Gov’t Code §§ 2054.002(13) and 2054.126 (2016).
521 N.Y. Pub. Off. Law §§ 91-99 (2016).

In Colorado, a statute governing the inspection, copying, and photographing of records is applicable “to any officer or employee of the state, of any agency, institution, or political subdivision of the state....”522 Pennsylvania’s Breach of Personal Information Notification Act requires an “entity” to notify residents of data breaches that involve their personal information. An “entity” is defined as “a state agency, a political subdivision of the Commonwealth or an individual or a business doing business in this Commonwealth.”523

State and local agencies in Maine, Minnesota, and Montana that collect personal information on their Web sites must comply with certain statutory requirements.524 Some states’ laws that protect information collected by state agencies mandate “openness on the kind of information being collected; avenues of access for the citizens to see what information is being collected about them and to make appropriate corrections; limitations on secondary usage of individual information; and security requirement for how that information is maintained.”525

Although some states have laws, regulations, and guidelines that apply to state agencies or to state and local agencies, none were located for the digest that apply specifically to transit agencies.

B. State Privacy Statutes Applicable to State and Local Agencies

The state privacy statutes applicable to personal information collected and maintained by state and local agencies have a variety of names.526 State statutory provisions that require state and local agencies, and in some states private entities, to give notice of a security breach of personal data that they collect are discussed in Section XI.

Some states’ statutes mirror the Federal Privacy Act’s protection against disclosure of personal information, as well as the Privacy Act’s protection of agencies for nonintentional, nonwillful disclosures.527 California’s Information Practices Act of 1977 (IPA) states that

(a) The right to privacy is being threatened by the indiscriminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies.

522 Colo. Rev. Stat. 24-72-202(2) (2016). See also Mass. Gen. Laws ch. 66A, § 1-3 (2016); and Va. Code Ann. § 2.2-3801 (2016).
523 73 Pa. Cons. Stat., ch. 43, §§ 2302, 2303 (2016) (Breach of Personal Information Notification Act). See also Minn. Stat. Ann. § 13.02, subdiv. 7a (2016); Ohio Rev. Code § 1347.01, et seq.; and R.I. Gen. Laws § 11-49.3-4(1) (2016) (stating that any “municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information shall provide notification….”).
524 Me. Rev. Stat. tit. 1, § 541(2) (also applicable to a county, municipality, or other political subdivision) and § 542 (2016); Minn. Stat. Ann. §§ 13.02, subdiv. 7a and 13.15 (2016); and Mont. Code Ann. §§ 2-17-551(2) and 2-17-552 (2016).
525 Douma & Deckenbach, supra note 196, at 308–09 (citing Colo. Rev. Stat. § 24.72.204(3)(a); Conn. Gen. Stat. Ann. § 4.190; Fla. Stat. Ann. § 282.318; Haw. Rev. Stat. § 286.172; Minn. Stat. § 13.01; N.Y. Pub. Off. § 91 and Ohio Rev. Code Ann. § 1347.01). See also Del. Code Ann. tit. 29, §§ 9017C-9021C (2016); Iowa Code § 22.11 (2016) (“It is the intent of this section to require that the information policies of state agencies are clearly defined and subject to public review and comment.”); Me. Rev. Stat. tit. 1, §§ 542 (2016) (“Each public entity that has a publicly accessible site on the Internet associated with it shall develop a policy regarding its practices relating to personal information and shall post notice of those practices on its publicly accessible site on the Internet.”); Mass. Ann. Laws ch. 66A, § 3 (2016) (stating that “the Secretary of each executive office shall promulgate regulations to carry out purposes of this chapter which shall be applicable to all agencies.”); Minn. Stat. Ann. § 13.15, subdiv. 3 (2016),
    A government entity that creates, collects, or maintains electronic access data or uses its computer to install a cookie on a person’s computer must inform persons gaining access to the entity’s computer of the creation, collection, or maintenance of electronic access data or the entity’s use of cookies before requiring the person to provide any data about the person to the government entity. As part of that notice, the government entity must inform the person how the data will be used and disseminated, including the uses and disseminations in subdivision 4.
Mont. Code Ann. § 2-17-550 to 53 (2016) (Governmental Internet Information Privacy Act); and Tex. Gov’t Code Ann. § 2054.126(a)(2) (2016) (requiring the adoption of a policy that “protects the personal information of members of the public who access information from or through a generally accessible Internet site maintained by or for a state agency”).
526 See California’s Information Practices Act of 1977, Cal. Civ. Code § 1798, et seq. (2016); Illinois’s Personal Information Protection Act, 815 Ill. Comp. Stat. § 530/1, et seq. (2016); Louisiana’s Database Security Breach Notification Law, La. Rev. Stat. § 51:3071, et seq. (2016); Maine’s Notice of Risk to Personal Data Act, Maine Rev. Stat. tit. 10, § 1346, et seq. (2016); Michigan’s Identity Theft Protection Act, Mich. Comp. Laws § 445.63, et seq. (2016); Minnesota’s Government Data Privacy Act, Minn. Stat. § 13.01, et seq. (2016); Nevada’s Security of Personal Information, Nev. Rev. Stat. § 603A.030, et seq. (2016); Oklahoma’s Security Breach Notification Act, Okla. Stat. § 24-161, et seq. (2016); Pennsylvania’s Breach of Personal Information Notification Act, 73 Pa. Cons. Stat. § 2301, et seq. (2016); Rhode Island’s Identity Theft Protection Act of 2005, R.I. Gen. Laws § 11-49.2-1, et seq. (2016); Tennessee’s Identity Theft Deterrence Act of 1999, Tenn. Code § 47-18-2101, et seq. (2016); and Virginia’s Government Data Collection and Dissemination Practices Act, Va. Code Ann. § 2.2-3800, et seq. (2016).
527 See Indiana Fair Information Practices Act, Ind. Code Ann. §§ 4-1-6-1 to 4-1-6-8 (2016) and § 4-1-6-19(d) (2016) (defining state agency). See also Massachusetts Fair Information Practices Act, Mass. Gen. Laws ch. 66A, §§ 1-3 (2016) (imposing duties on state agencies regarding personal data they maintain); N.Y. Pub. Off. Law § 95 (2016); and Government Data Collection and Dissemination Practices Act, Va. Code Ann. §§ 2.2-3800 and 2.2-3801(2) (2016).

(b) The increasing use of computers and other sophisticated information technology has greatly magnified the potential risk to individual privacy that can occur from the maintenance of personal information.

(c) In order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits.528

California’s IPA governs the collection, use, and disclosure of personal information held by state agencies; however, the statute does not apply to city or county agencies.529 In California, each agency must keep only that amount of personal information that is “relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution or statute or mandated by the federal government.”530 As discussed in Section X.C, the IPA provides an individual with a private right of action to redress a violation of a privacy right.

In Colorado, each governmental entity is required to create a privacy policy to standardize the “collection, storage, transfer, and use of personally identifiable information” within each such governmental entity.531 The statute does not create, however, a “private cause of action based on alleged violations” of the section.532

In Massachusetts, state agencies must “maintain personal data with such accuracy, completeness, timeliness, pertinence, and relevance as is necessary to assure fair determination of a data subject’s qualifications”533 and have policies for safeguarding individuals’ private information.534 Furthermore, a state agency may not “collect or maintain more personal data than are reasonably necessary for the performance of the [agency’s] statutory function.”535 Holders of personal information must identify one individual who is responsible for a data system to prevent access to or the dissemination of personal data.536 Government agencies are authorized to promulgate necessary rules and regulations.537 In contrast to Colorado, Massachusetts law creates a private cause of action for a violation of its privacy law.538

The Minnesota Government Data Privacy Act (MGDPA) “regulates the collection, creation, storage, maintenance, dissemination, and access to government data in government entities.”539 The MGDPA applies to all “data in which any individual is or can be identified as the subject of that data.”540 In defining the term “data,” the MGDPA uses the term “not data on individuals” to mean that there is no identification of individuals in the data.541

In Ohio, the privacy statutes that govern personal information systems require every state or local agency that maintains a personal information system to take steps and implement procedures to monitor the accuracy of the data and protect personal information in the system.542 Agencies are directed to “collect, maintain, and use” only personal information that is necessary and relevant to the agencies’ functions as required by law.543 The term “personal information” is defined as

any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person.544

Virginia’s Government Data Collection and Dissemination Practices Act (GDCDPA) states that “an individual’s privacy is directly affected by the extensive collection, maintenance, use and dissemination of personal information”545 and that procedures must be established for systems having records on individuals.546 The Virginia statute applies to “any agency…or governmental entity of the Commonwealth or of any unit of local government,”547 as well as any entity, public or private, having a contract to operate “a system of personal information….”548 The GDCDPA requires government agencies and entities to adhere to 10 principles of information practice, including a prohibition on keeping PII in a secret system, a requirement that agencies take precautions to prevent misuse of PII, and a prohibition on the collection of PII unless authorized by law.549

528 Cal. Civ. Code § 1798.1 (2016) (emphasis supplied).
529 Cal. Civ. Code § 1798.14 (2016).
530 Id.
531 Colo. Rev. Stat. § 24-72-502(1) (2016).
532 Colo. Rev. Stat. § 24-72-502(3) (2016).
533 Mass. Ann. Laws ch. 66A, § 2(h) (2016).
534 Mass. Ann. Laws ch. 66A, § 2 (2016).
535 Mass. Ann. Laws ch. 66A, § 2(l) (2016).
536 Mass. Ann. Laws ch. 66A, § 2(a) (2016).
537 Mass. Ann. Laws ch. 66A, § 3 (2016).
538 Mass. Ann. Laws ch. 214, § 3B (2016).
539 Minn. Stat. § 13.01, subdiv. 3 (2016) (emphasis supplied).
540 Minn. Stat. § 13.02, subdiv. 5 (2016).
541 Minn. Stat. § 13.02, subdiv. 4 (2016).
542 Ohio Rev. Code §§ 1347.05(F) and (G) (2016). The terms “state agency” and “local agency” are defined in Ohio Rev. Code § 1347.01 (2016).
543 Ohio Rev. Code § 1347.05(H) (2016).
544 Ohio Rev. Code § 1347.01(E) (2016).
545 Va. Code Ann. § 2.2-3800(B)(1) (2016).
546 Va. Code Ann. § 2.2-3800(B)(4) (2016).
547 Va. Code Ann. § 2.2-3801 (2016).
548 Id.
549 Va. Code Ann. §§ 2.2-3800(C)(1)–(10) (2016).

Finally, almost 20 states already regulate the use of the RFID technology that was discussed in Section I.550 Three areas targeted by the laws include the prohibition of target tracking or monitoring,551 skimming of RFID in identity cards,552 and/or the embedding of SSNs.553

C. Whether There Are Separate Claims Based on the Type of Data Transit Agencies Collect or How the Agencies Collect or Use Data

Although some state privacy laws include a provision authorizing a private right of action for a violation of the statute,554 the statutes reviewed for the digest have not established different causes of action based on the types of customers’ electronic personal data (e.g., PII, financial, or locational data) that transit agencies collect or how they collect, use, disclose, or retain the data. A few statutes that were located limit a cause of action to an intentional, willful, or knowing violation of privacy.

For example, California’s IPA does not create separate claims based on different types of data or how an agency collects, uses, discloses, or retains data. Under the IPA, there are two possible claims for damages. The IPA provides that an individual may bring a civil action against an agency if the agency (a) refuses to comply with an individual’s lawful request to inspect records,555 (b) fails to maintain records accurately,556 or (c) fails to comply with any other provision of the applicable chapter or rule promulgated thereunder in a manner that affects an individual adversely.557 An agency may be held liable for a violation of Sections 1798.45(b) or (c) for an individual’s actual damages, including damages for mental suffering, and reasonable attorney’s fees and costs as determined by the court.558

A case involving the IPA is Bates v. Franchise Tax Bd.,559 in which the plaintiffs sued two state agencies and individuals who worked in those agencies.560 The IPA imposes “limitations on the right of governmental agencies to disclose personal information about an individual.”561 Although public entities in California are immune from suit in the absence of a constitutional or statutory provision that “declares them to be liable,”562 Section 1798.45 of the IPA provides for a private right of action against a state agency that violates the IPA.563 As stated, in the event of a violation of Sections 1798.48(b) or (c), an agency may be held liable to a plaintiff for actual damages, including damages for mental suffering and attorney’s fees.564

In Bates, the court held that, because the IPA does not have a claims procedure functionally equivalent to California’s Government Claims Act, the plaintiffs could not avoid the requirement to file their claim for damages under the Government Claims Act. The court held that IPA Sections 1798.5 and 1798.48 “constitute[] a statutory expression of governmental liability for damages, which, under Government Code section 815, controls over the immunity provided in Government Code section 860.2.”565 Although the court held that the plaintiffs had an otherwise viable claim under the IPA, the plaintiffs failed to comply with the Government Claims Act,566 “a prerequisite to a damages action against the State.”567

The Massachusetts privacy law applies to any holder of personal information. A holder is

any agency that collects, uses, maintains or disseminates personal data or any person or entity which contracts or has an arrangement with an agency whereby it holds personal data as part or as a result of performing a governmental or public function or purpose.568

Any holder violating any provision of the privacy law may be held “liable to any individual who suffers

550 See National Conference of State Legislatures, Radio Frequency Identification (RFID) Privacy Laws, http://www.ncsl.org/research/telecommunications-and-information-technology/radio-frequency-identification-rfid-privacy-laws.aspx (last accessed Sept. 24, 2016).
551 Supra note 550. See Mo. Ann. Stat. § 167.168 (2016); N.H. Rev. Stat. § 189:68(II) (2016); Or. Rev. Stat. § 339.890 (2016); and R.I. Gen. Laws § 42-153-1 (2016).
552 Supra note 550. See Ala. Code § 13A-8-113 (2016); Cal. Civ. Code § 1798.79 (2016); 720 Ill. Comp. Stat. § 5/16-0.1 (2016); Nev. Rev. Stat. Ann. § 205.46515 (2016); Wash. Rev. Code §§ 9A.58.020, 19.300.020, and 19.300.030 (2016).
553 5 Ill. Comp. Stat. 179/30 (2016).
554 See, however, Colo. Rev. Stat. § 24-72-501-02(3) (2016); Fla. Stat. § 627.4091(3) (2016); and S.C. Code Ann. §§ 30-2-300(3) and 30-2-340 (2016) (stating that “an affected individual may petition the court for an order directing compliance with this section, but liability may not accrue”).
555 Cal. Civ. Code § 1798.45(a) (2016).
556 Cal. Civ. Code § 1798.45(b) (2016).
557 Cal. Civ. Code § 1798.45(c) (2016).
558 Cal. Civ. Code §§ 1798.48(a) and (b) (2016).
559 124 Cal. App. 4th 367, 21 Cal. Rptr. 3d 285 (Cal. App. 2004), review denied (Feb 23, 2005).
560 Id., 124 Cal. App. 4th at 373, 21 Cal. Rptr. 3d at 288.
561 Id., 124 Cal. App. 4th at 376, 21 Cal. Rptr. 3d at 290 (emphasis supplied).
562 Id., 124 Cal. App. 4th at 381, 21 Cal. Rptr. 3d at 294 (citing Cal. Gov. Code § 815(a) (internal quotation marks omitted)).
563 Id., 124 Cal. App. 4th at 381–382, 21 Cal. Rptr. 3d at 294–295 (citing Cal. Civ. Code § 1798.45).
564 Id., 124 Cal. App. 4th at 382, 21 Cal. Rptr. 3d at 295 (citing Cal. Civ. Code § 1798.48).
565 Id.
566 Cal. Gov’t Code § 905.2.
567 Bates, 124 Cal. App. 4th at 382, 21 Cal. Rptr. 3d at 295.
568 Mass. Ann. Laws ch. 66A, § 1 (2016).

any damage as a result of such violations,” including exemplary damages.569

In Minnesota, the MGDPA does not establish different claims based on a particular type of data or how the data were collected, used, disclosed, or maintained. Rather, the MGDPA applies to all data “collected, created, received, maintained or disseminated by any government entity regardless of its physical form, storage media or conditions of use.”570 State agencies are responsible for the accurate “collection, use and dissemination of any set of data on individuals and other government data.”571 It should be noted that when a government entity enters into a contract with a private entity for data services, “all of the data created, collected, received, stored, used, maintained, or disseminated by the private person in performing those functions [are] subject to the requirements” of the MGDPA.572 If there is a breach in security, a government entity that collects, creates, receives, maintains, or disseminates private or confidential data on individuals must give notice of the breach.573

Likewise, in Ohio, a state statute applies to a wrongful disclosure of personal information.574 Although an action may be brought for certain intentional violations as permitted by statute, claims are not differentiated based on the type of personal information or the manner of its collection, use, disclosure, or retention. The statute authorizes a person to bring a cause of action against any person when the injured person has been harmed by the use of personal information contained in a personal information system. A claim must be based, however, on one or more of four kinds of intentional conduct.575

(1) Intentionally maintaining personal information that he knows, or has reason to know, is inaccurate, irrelevant, no longer timely, or incomplete and may result in such harm;

(2) Intentionally using or disclosing the personal information in a manner prohibited by law;

(3) Intentionally supplying personal information for storage in, or using or disclosing personal information maintained in, a personal information system, that he knows, or has reason to know, is false;

(4) Intentionally denying to the person the right to inspect and dispute the personal information at a time when inspection or correction might have prevented the harm.576

In authorizing a private right of action for damages, the Ohio privacy statute does not use the term “state or local agency” in Section 1347.10(A), but does use the terms “state” or “local agency” in Subpart B in regard to injunctions.577 Moreover, Section 1347.10(A) does not provide that a state or local agency may be held liable for damages, but Subsection (B) authorizes an action for an injunction against a state or a local agency.578 The terms “state agency” and “local agency” are defined, but the definitions do not include natural persons.579

Section 1347.15(B) of the Ohio statute requires each state agency to adopt rules regulating access to the confidential personal information that the agency keeps. If a person is harmed by a violation of an agency rule required by Subsection B, the person may bring an action in the court of claims against any person who “directly and proximately caused the harm.”580 The Ohio statute further directs that

(1) No person shall knowingly access confidential personal information in violation of a rule of a state agency described in division (B) of this section.

(2) No person shall knowingly use or disclose confidential personal information in a manner prohibited by law.581

569 Mass. Ann. Laws ch. 214, § 3B (2016) (stating also that “[n]otwithstanding any liability for actual damages as may be shown, such holder shall be liable for exemplary damages of not less than one hundred dollars for each violation together with such costs and reasonable attorney’s fees as may be incurred in said action”).
570 Minn. Stat. § 13.02, subdiv. 7 (2016) (emphasis supplied).
571 Minn. Stat. § 13.02, subdiv. 17 (2016) (emphasis supplied).
572 Minn. Stat. § 13.05, subdiv. 11 (2016) (emphasis supplied).
573 Minn. Stat. § 13.055, subdiv. 2(a) (2016) (emphasis supplied).
574 Ohio Rev. Code § 1347.10(A) (2016).
575 The term “system” is defined to mean, inter alia, “any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person.” Ohio Rev. Code § 1347.01(F) (2016).
576 Ohio Rev. Code §§ 1347.10(A)(1)–(4) (2016). Section § 1347.10(A) states that one “who is harmed by the use of personal information that relates to him and that is maintained in a personal information system may recover damages in a civil action from any person who directly and proximately caused the harm….”
577 Ohio Rev. Code § 1347.10(B) (2016) (“Any person who, or any state or local agency that, violates or proposes to violate any provision of this chapter may be enjoined by any court of competent jurisdiction. …An action for an injunction may be prosecuted by the person who is the subject of the violation, by the attorney general, or by any prosecuting attorney.”)
578 Id.
579 Ohio Rev. Code §§ 1347.01(A)–(B) (2016). See Ohio Rev. Code § 1347.12(A)(5) (2016) (individual defined as a natural person.)
580 Ohio Rev. Code § 1347.15(G) (2016).
581 Ohio Rev. Code §§ 1347.15(H)(1)–(2) (2016) (emphasis supplied).

A violation of either subsection is a violation of a state statute as provided under Ohio Revised Code Section 124.341(A).582 Under Virginia’s GDCDPA, supra, an injunction may be sought against any person or agency that is violating or that is about to violate a provision of the privacy law.583 There is no provision in the Virginia statute for the recovery of damages except in the limited situation of a violation of Virginia Code Annotated Section 2.2-3808(A)(1).584 If there is a willful and knowing violation of § 2.2-3808(A), a civil penalty may be imposed in the amount set by the statute.585

D. Privacy Policies Required by State Law

Numerous states require government agencies to develop and establish commercially reasonable procedures to ensure that personal data collected by a governmental agency are secure and cannot be accessed, viewed, or acquired unless authorized by law.586 Some states direct government agencies to adopt and implement privacy regulations and/or to display a privacy policy.587 Arkansas requires a state agency that has a Web site to include a privacy policy on the site and to describe the data being collected and how the data will be used.588 Arizona requires government agencies to “develop and establish commercially reasonable procedures to ensure that entity identifying information or personal identifying information that is collected or obtained by [a] governmental agency is secure and cannot be accessed, viewed or acquired unless authorized by law.”589 Arizona also mandates that agency Web sites have a privacy policy that discloses the information “gathering and dissemination practices” related to the Internet.590 The statute requires that agencies describe at a minimum the information an agency obtains from individuals online,591 how the information is to be used,592 and the circumstances under which an agency would disclose the information to other entities.593 California requires agencies that collect PII to establish a privacy policy and provide a copy of the policy to subscribers.594 Illinois requires that Web sites of state agencies not “use permanent cookies or other invasive tracking programs that monitor and track website viewing habits”595 unless the tracking adds user value and is “disclosed through a comprehensive online privacy statement.”596 In a similar manner, South Carolina requires state agencies to develop privacy policies to ensure that personal information is used only to fulfill a legitimate public purpose and directs that agencies “minimize instances where personal information is disseminated.”597

E. State Legislation Applicable to Electronic Communications or Stored Data

Depending on the circumstances, there may be remedies under state law when an unauthorized person intercepts electronic communications or obtains access to archived data. Indeed, one source argues that “[s]tate statutes presently serve a more important role than federal law in prohibiting illegal behavior with computers because many state legislatures have enacted laws with broader protection than provided at the federal level.”598

582 Ohio Rev. Code § 1347.15(H)(4) (2016). Ohio Rev. Code § 124.341 is entitled “violation or misuse–whistleblower protection.”
583 Va. Code Ann. § 2.2-3809 (2016).
584 Va. Code Ann. § 2.2-3808(A)(1) (2016) (stating that unless disclosure is required by law, an agency or a public officer, appointee, or employee of an agency may not require an individual to disclose his or her Social Security Number or deny “any service, privilege, or right to an individual” who refused to disclose his or her Social Security Number).
585 Va. Code Ann. § 2.2-3809 (2016) (providing that if an agency or a specific public officer, appointee, or employee of an agency commits a violation, a court may impose a civil penalty of not less than $250 or more than $1,000 and that for a second or subsequent violation, a court may impose a penalty of not less than $1,000 or more than $2,500).
586 See, e.g., Ariz. Rev. Stat. Ann. § 41-4172 (2016).
587 See Cal. Sts. & Hy. Code § 31490 (2016) and Mass. Ann. Laws, ch. 66A, § 3 (2016) (stating that “the Secretary of each executive office shall promulgate regulations to carry out the purposes of this chapter which shall be applicable to all agencies….”). See also Ben F. Overton & Katherine E. Giddings, The Right of Privacy in Florida in the Age of Technology and the Twenty-First Century: A Need for Protection from Private and Commercial Intrusion, 25 Fla. St. U. L. Rev. 25, 44–50 (1997).
588 Ark. Code Ann. §§ 25-1-114(a)–(b) (2016).
589 Ariz. Rev. Stat. Ann. § 41-4172 (2016) [eff. until Aug. 6, 2016].
590 Ariz. Rev. Stat. Ann. § 41-4152 (2016) [eff. until Aug. 6, 2016].
591 Ariz. Rev. Stat. Ann. § 41-4152(2) (2016) [eff. until Aug. 6, 2016].
592 Ariz. Rev. Stat. Ann. § 41-4152(4) (2016) [eff. until Aug. 6, 2016].
593 Ariz. Rev. Stat. Ann. § 41-4152(5) (2016) [eff. until Aug. 6, 2016].
594 Cal. Sts. & Hy. Code § 31490 (2016).
595 5 Ill. Comp. Stat. 177/10(a) (2016).
596 5 Ill. Comp. Stat. 177/10(b)(2) (2016).
597 S.C. Code Ann. §§ 30-2-20 and 30-2-300(3) (2016).
598 Charles Victor Lang, Note: Stolen Bytes: Business Can Bite Back, Colum. Bus. L. Rev. 251, 259 (1986) (footnotes omitted) (stating also that “[t]hirty-six states presently have computer crime statutes, a number which is bound to increase in the future”).


TRB's Transit Cooperative Research Program (TCRP) Legal Research Digest (LRD) 48: Legal Issues Concerning Transit Agency Use of Electronic Customer Data explores the advantages, disadvantages, risks, and benefits for transit agencies moving to electronic, cloud-based, and other computerized systems for fare purchases and for communicating with customers. “Smart” fare cards are now commonplace, and private businesses and transit agencies are using or planning to use smartphones, smart cards and credit cards, and other systems to obtain payment, location, and other personal data from customers.

This digest updates TCRP LRD 14: Privacy Issues in Public Transportation (2000) and TCRP LRD 25: Privacy Issues with the Use of Smart Cards (2008) and covers additional dimensions of collection and use of personal information using new technologies developed since those studies. Appendices A-D are available online only.
