National Academies Press: OpenBook
Suggested Citation:"SUMMARY AND CONCLUSIONS." National Academies of Sciences, Engineering, and Medicine. 2017. Legal Issues Concerning Transit Agency Use of Electronic Customer Data. Washington, DC: The National Academies Press. doi: 10.17226/24730.


customers will be able to purchase products through a mobile application (mobile ticket) from an iOS or Android device. Once purchased, the customer would scan a 2D bar code of the mobile ticket on the farebox on the transit vehicle.”778

CDTA does not collect credit card information. It collects limited personal data “to support customer account management of product purchases and account balances as well as to understand travel usage and ridership trends.”779 Customers’ personal information is used to identify unique account information and protect customers from fraudulent account transactions, i.e., “to validate the customer’s identity during a customer service call with a CDTA account representative.”780 The sales and finance departments have access to the data. As for the retention of data, customers’ “[d]ata are retained for customer accounts that remain active. Inactive accounts are purged after 12 months.”781

As for the security of personal data, CDTA uses “secure communications (SSL) with no direct access to data sources except through web based applications….”782 Moreover, the “point of sale system is PA-DSS [Payment Application Data Security Standard] certified and the hosted web portals are Level 2 merchant status PCI certified.”783 CDTA uses “SAQ [Self-Assessment Questionnaire] A–EP certification.”784

SUMMARY AND CONCLUSIONS

The gravity of privacy and security issues has increased as technology has evolved to allow transit agencies to adopt contactless electronic payment systems to collect fares. The technology permits transit agencies to provide patrons with several payment options, including the use of their own debit or credit cards or their mobile devices linked to a bank-issued card. The collection of customers’ electronic personal data may also be used to benefit transit customers through increased convenience, more payment options, and additional services. Transit agencies that use electronic payment systems are able to serve their patrons more effectively while allowing the agencies to reduce their costs and increase efficiency.

Transit agencies may use a closed-loop or open-loop system or both. An open-loop system, however, permits customers to use their own credit or debit card or mobile devices linked to their credit or debit card to pay for transit. An open-loop system also allows a transit agency to avoid owning and managing the entire lifecycle of a payment or payment card. Transit agencies may benefit from the new technologies because of convenience and efficiency, reduced cost of fare collection, data-sharing opportunities with third-party developers, and improved traffic management and logistics. Thus, the latest electronic payment systems allow transit agencies to achieve significant operational, cost-saving, and security benefits. Although electronic payment technology may encourage transit agencies to monetize the data that they are collecting, no transit agency that responded to the survey is currently monetizing their customers’ electronic personal data.

Electronic payment systems that are now available allow transit agencies to acquire, use, and archive a transit user’s personal and travel data while monitoring an individual’s movements in real-time. There are risks to privacy depending on the kinds of data being collected, used, disclosed, or retained; how access is controlled to the data; and how and to whom data are distributed. Because of the privacy risks, transit agencies need to be vigilant and may have to invest in measures to mitigate privacy risks.

As discussed in the digest, because of the importance of protecting transit users’ privacy, transit agencies must clearly disclose how they collect, use, and handle personal data. Transit agencies’ agreements, terms of use, and privacy policies are especially important defenses in whole or in part to claims for breach of privacy or security of personal data. Although no cases against transit agencies involving their collection of customers’ electronic data were located for the digest, Table 1 on Page 60 summarizes some of the claims and defenses that could be asserted.

778 Id.
779 Id.
780 Id.
781 Id.
782 Id.
783 For more information, see PCI Security Standards Council, List of Validated Payment Applications, https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement (last accessed Sept. 24, 2016).
784 See Infosec Island Blog, SAQ A and SAQ A-EP Clarification (Jan. 8, 2015), http://www.infosecisland.com/blogview/24230-SAQ-A-and-SAQ-A-EP-Clarification.html (last accessed Sept. 24, 2016). See also PCI Compliance Guide, supra note 112.

Table 1. Summary of Possible Claims and Defenses in Connection with Transit Agencies’ Collection of Customers’ Electronic Data785

Possible claim: Breach of express or implied contract
Possible defenses:
- Compliance with transit agency privacy policy and/or terms of use
- Compliance with state laws on data collection and security
- Transit agency policy and practices securing customers’ personal data
- Compliance with state law and/or industry PCI DSS requirements
- Whether customers own their data after providing them to a transit agency and possibly to others
- Whether a plaintiff has standing to bring an action against a transit agency that arises out of the agency’s collection, use, or disclosure of data
- Whether a plaintiff is able to show actual damages

Possible claim: Negligence
Possible defenses:
- Whether an agency has sovereign immunity under state law
- Compliance with transit agency privacy policy and/or terms of use
- Transit agency did not fail to secure or protect personal data from disclosure
- Whether customers own their data after providing them to a transit agency and possibly to others
- Whether a plaintiff has standing to bring an action against a transit agency that arises out of the agency’s collection, use, or disclosure of data
- Whether a plaintiff is able to show actual damages
- Whether a disclosure was willful or intentional
- Whether data were collected or disclosed by a private contractor

Possible claim: Federal constitutional claims (e.g., based on Bivens case or § 1983)
Possible defenses:
- Whether a claim is possible given the courts’ decisions narrowing the zone of privacy protected by the Constitution
- Privacy protected only when there is a violation of a privacy interest that implicates a fundamental liberty interest
- Compliance with transit agency privacy policy and/or terms of use
- No claim because there is no U.S. Supreme Court case holding that there is a constitutional right in one’s personal or locational data
- Transit agency did not fail to secure or protect personal data from disclosure
- Disclosure did not lead to bodily harm and/or was not humiliating in nature
- Whether the privacy interest at issue must be balanced against a competing governmental interest in disclosure
- Whether a disclosure was nonintentional
- Data collection in question was not a warrantless search
- No (or limited) constitutional protection of activities conducted in public
- No reasonable expectation of privacy in the data allegedly disclosed
- Collection or disclosure of data is not subject to a Bivens claim for reasons discussed in the digest
- Doctrine of respondeat superior inapplicable to government officials in terms of holding them liable for actions of their subordinates
- No Supreme Court decision clearly establishing that a transit agency’s collection or disclosure of personal data implicates a clearly established constitutional right, a prerequisite to a Bivens or § 1983 claim
- Qualified immunity of government officials to claims against them in their individual capacity
- Section 1983 claim applicable only to a person acting under color of state law
- Liability under § 1983 only for egregious government action that shocks the conscience

Possible claim: Federal Privacy Act of 1974
Possible defenses:
- Federal Privacy Act requires willful or intentional disclosure of data in violation of the statute
- Privacy Act applies only to federal agencies and possibly their contractors
- No cases located applying the Privacy Act to transit agency collection or use of customer electronic personal data
- Claimant’s failure to show damages

Possible claim: Federal Electronic Communications Privacy Act of 1986 (Federal Wiretap Act and Stored Communications Act)
Possible defenses:
- Applicable only to intentional interceptions of data

Possible claim: Federal Computer Fraud and Abuse Act
Possible defenses:
- Liability, inter alia, for intentionally accessing a computer without authorization or exceeding access authorization, but conduct must involve one of several listed factors to establish liability

Possible claim: State constitutional violations of a right to privacy
Possible defenses:
- State’s constitution (or the state’s highest court) may not recognize a specific right to privacy and/or a right of action for a violation of a right to privacy
- Some violations of privacy must be balanced against a state interest in disclosure
- Qualified immunity for acting in good faith
- Compliance with state law and/or transit agency’s privacy policy or terms of use
- Adequate common-law tort remedies exist that preclude a constitutional claim

Possible claim: State right-to-privacy statutes
Possible defenses:
- No state law (or case) located that specifically addresses privacy rights and transportation technologies
- Transit agency’s compliance with state laws on data collection and in regard to Web sites
- State law may apply only to state agencies
- State law may limit damages that are recoverable
- Encryption of data
- No further disclosure of data after the initial disclosure
- Transit agency compliance with state laws applicable to privacy policies

Possible claim: State law on electronic communications or stored data
Possible defenses:
- Usually applicable only to unauthorized person who intercepts electronic communications or obtains access to archived data

Possible claim: State data-breach notification laws
Possible defenses:
- State statutes may or may not apply to transit agencies
- State statutes may or may not provide for a private right of action
- Encryption of data
- Good faith defense of unintentional release of data
- Statutes vary in regard to the availability of civil penalties or damages for a breach of the statute

Possible claim: State common-law claims for breach of privacy
Possible defenses:
- Not all states recognize a common-law right to privacy
- Acts probably not applicable to violations by state or local agencies
- Applicable to disclosure of information to the general public or when there is an intrusion into a private matter that is highly offensive
- Generally not applicable when data were obtained legitimately
- Good faith defense in some states
- No claim for disclosure of data that are already public

785 The reader is urged to consult the text of the digest where the possible claims and defenses are discussed in more detail. The summary in Table 1 is only for the purpose of highlighting some claims and defenses.

As discussed in the digest, transit agencies are subject to state laws and/or have their own policies on the retention of customers’ data. There are state laws, regulations, or guidelines that require data collectors and processors to limit access to and protect the security of customers’ data. In regard to government-owned transit agencies, some states have guidelines for the management of electronic records collected or maintained by government agencies. A wide disparity exists, however, among state laws and transit agencies’ privacy policies regarding the collection, use, disclosure, and retention of customers’ electronic personal data.

As discussed in the digest, all organizations that accept, process, transmit, or store customers’ credit and debit card data must comply with the PCI DSS. The federal government requires federal agencies to comply with the PCI DSS. Some states’ laws require that any entities that accept credit or debit cards or an electronic payment linked to one must comply with the PCI DSS. Agreements between transit agencies and banks or other parties for the transmission of payment data also require compliance with the PCI DSS.

As for whether transit agencies may be subject to claims in contract or tort for privacy violations, in some states government-owned transit agencies may have immunity from certain claims, particularly claims for negligence or other torts. Whether a government-owned transit agency has immunity depends on the extent that the state legislature has waived immunity, as well as on the courts’ interpretation of the applicable legislation. A state tort claims act may apply only to the state and state agencies or may apply to both state and local governments and their agencies. Some states have tort claims legislation that applies specifically to local governments and their agencies.

Assuming there is no basis for immunity, a transit customer may have a claim against a transit agency for breach of an express or implied contract that arises out of the agency’s collection or handling of a customer’s personal data. When a transit agency represents that it will safeguard customers’ personal data, the agency has an express or implied contractual duty to keep customers’ data safe and secure. Nevertheless, there are at least four threshold issues that may preclude a claim in contract or tort against a transit agency: whether a transit customer has standing to assert a claim for a breach of privacy or security of personal data, whether a customer still owns data after providing the data to transit agencies and others, whether a plaintiff must allege and prove actual and appreciable damage based on the collection and dissemination of personal data, and whether transit agencies’ privacy policies or terms-of-use agreements provide a ground for dismissal of a claim for breach of an express or implied contract or for negligence.

It does not appear that there is either a specific constitutional right to privacy under the U.S. Constitution or a constitutional right to privacy in one’s personal or locational data as a result of decisions by the U.S. Supreme Court. Several cases that involve the DPPA illustrate that there is no constitutional basis for a claim based on the disclosure of personal data, including PII, even though the disclosure of the same data is a violation of a federal statute protecting the data. Moreover, customers have either expressly or impliedly consented to the collection of their electronic personal data. Thus, the methods that transit agencies use to collect customers’ electronic data do not involve a warrantless physical trespass and search.

The digest also discusses whether there is a basis for a Bivens claim or a § 1983 claim for an alleged violation of the Constitution based on a transit agency’s collection or misuse of a customer’s electronic personal data. A threshold and likely dispositive issue that would preclude a Bivens claim, as well as a § 1983 claim against a state or local public official, is that there is no case holding that a transit agency’s collection or use of a customer’s electronic personal data, including PII or locational data, violates a right to privacy under the U.S. Constitution.

Privacy law in the United States is largely a creature of state law. Although several federal laws address the privacy rights of individuals, such as the DPPA, no federal statutes have been identified that are implicated by government-owned or privately owned transit agencies’ collection or use of their customers’ electronic personal data.

As for state constitutional and statutory law, at least 10 state constitutions protect an individual’s right to privacy, and in some states the courts have recognized a constitutional right to privacy. Some state courts have held that an individual may bring a cause of action for monetary damages for a violation of a state constitutional provision, whereas other states’ high courts have not done so. Even when there is a basis for a constitutional claim, public officials usually have a qualified-immunity defense when they show they were acting in good faith. No cases were located for the digest that involved a claim against a transit agency for an alleged violation of a right to privacy under a state constitution based on an agency’s collection or use of a customer’s personal data, regardless of whether the data were collected electronically or otherwise.

In some states, a state statute may be a source of privacy law applicable to the collection, use, disclosure, and/or retention by transit agencies of customers’ electronic data. Numerous states require government agencies to develop and establish commercially reasonable procedures to ensure that personal data collected by a government agency are secure and cannot be accessed, viewed, or acquired unless authorized by law. There seem to be no state laws, however, that specifically address privacy rights and transportation technologies. Rather, the statutes discussed in the digest regulate the privacy policies of government agencies or mandate when government entities, as well as private entities in some states, must notify individuals of security breaches that involve their personal data. Depending on the circumstances, there may be remedies under state law when an unauthorized person intercepts electronic communications or obtains access to archived data. Indeed, some state legislatures have enacted laws with broader protection than is provided at the federal level.

Transit agencies that use electronic payment systems may be required to comply with state law on the giving of notice when there is a breach of data security. Although state data-breach notification laws vary in their details, they typically include standards for notification, the types of personal data that trigger the laws, and the causes of action they allow. Although the breach-notification statutes apply to businesses and commercial entities as defined in each statute, in at least 23 states the statutes also apply to government agencies. Although some breach-notification laws provide for enforcement and civil penalties, it appears that only in 13 states and the District of Columbia would a person injured by a data breach have a private right of action and that at least 4 states exempt government agencies from enforcement proceedings.

Some states’ statutes provide for the imposition of a civil penalty for a violation of a state statute that protects personal information and/or a violation of a requirement that an agency give notice of a breach of the security of personal information. Some state privacy statutes allow a plaintiff to recover actual damages for a privacy violation, whereas other state statutes specify criminal liability for a violation. In some states, however, a civil penalty will not be assessed unless an agency’s action was willful or intentional. State statutes typically provide that encryption is a defense to a claim for a data breach that involves any missing, lost, or stolen data.

In the absence of constitutional or statutory remedies, tort law must be used to remediate a violation of a claimed right to privacy. At least 14 states and the District of Columbia recognize a right to privacy at common law. There are four potential bases for a claim in tort for an invasion of privacy that may apply to an unauthorized use or disclosure of personal data: public disclosure of private facts, intrusion upon seclusion, misappropriation, and false light. Not all states that allow a claim for invasion of privacy recognize all four types of claims.

Nevertheless, there is an issue of whether transit agencies in some states may be held liable in tort for an invasion of privacy for collecting or mishandling a customer’s personal data. Transit customers have expressly or impliedly agreed to the collection of their personal data and/or have been informed of a transit agency’s practices in the agency’s notice of privacy practices or terms-of-use agreement. In some states, even if an individual alleges a privacy claim at common law against a transit agency, a government-owned agency may have immunity. An intentional disclosure of a customer’s personal data may state a claim in those states that recognize the common-law tort of intrusion into seclusion. There is authority, however, that the disclosure of personal information, such as SSNs and similar PII, does not state a claim because the data are not embarrassing or highly offensive. No cases were located for the digest in which a transit agency was held liable or even sued for an invasion of privacy because of the agency’s collection, use, disclosure, or retention of customers’ electronic personal data.

Similar to the Federal FOIA, state statutes that allow for the disclosure of data collected by government agencies may include an exemption permitting an agency to withhold data. A threshold question is whether a state FOIA or equivalent law applies to political subdivisions of the state or to municipalities that own a transit system. As for exemptions, an applicable FOIA or public records disclosure law may exempt certain personal data from disclosure, exempt records that are specifically prohibited from disclosure by laws other than the state’s FOIA or other public records disclosure law, exempt disclosure when there is a possibility of a loss of federal or state funding, and exempt a disclosure of data used by law enforcement agencies. There is judicial precedent holding that the use of a FOIA to obtain information as a form of discovery for use in litigation typically is not permitted. As the Supreme Court held in N.L.R.B. v. Sears, Roebuck & Co.,786 supra, the purpose of the Federal FOIA is to inform the public about agency action, not to benefit private litigants. If government data are exempt under a FOIA, however, it is not presumed that the data are thereby privileged within the meaning of the discovery rules applicable to litigation.

Finally, as discussed, four leadership agencies discussed in the digest are using a contactless or other electronic payment system: the MTA, MTC, RTA, and CDTA.

786 421 U.S. 132, 135–136, 95 S. Ct. 1504, 44 L. Ed. 2d 29 (1975).


TRB's Transit Cooperative Research Program (TCRP) Legal Research Digest (LRD) 48: Legal Issues Concerning Transit Agency Use of Electronic Customer Data explores the advantages, disadvantages, risks, and benefits for transit agencies moving to electronic, cloud-based, and other computerized systems for fare purchases and for communicating with customers. “Smart” fare cards are now commonplace, and private businesses and transit agencies are using or planning to use smartphones, smart cards and credit cards, and other systems to obtain payment, location, and other personal data from customers.

This digest updates TCRP LRD 14: Privacy Issues in Public Transportation (2000) and TCRP LRD 25: Privacy Issues with the Use of Smart Cards (2008) and covers additional dimensions of collection and use of personal information using new technologies developed since those studies. Appendix A-D are available online only.
