Legal Issues Concerning Transit Agency Use of Electronic Customer Data (2017)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Introduction, 3 I. Contactless Electronic Payment System Technology Used by Transit Agencies, 4 A. The Evolution of Contactless Payment Cards, 4 B. Closed-Loop and Open-Loop Payment Systems, 5 C. Mobile Device Payment Applications, 5 D. Transit Agencies’ Use of Electronic Payment System Data, 7 E. Monetization of Customers’ Electronic Personal Data, 7 II. Transit Agencies’ Agreements and Privacy Policies Governing the Collection and Use of Customers’ Electronic Data, 8 III. Privacy Risks Associated with Transit Agencies’ Collection of Customers’ Electronic Data, 9 IV. Transit Agencies’ Control of Access to and Security of Customers’ Personal Data, 10 A. Collection and Control of Access to Customers’ Personal Data, 10 B. Security of Customers’ Electronic Personal Data, 11 C. State Laws and Transit Agency Policies on Retention of Personal Data, 12 V. Transit Agency Compliance with the Payment Card Industry Data-Security Standards, 12 A. The Payment Card Industry Data-Security Standards, 12 B. Liability of Transit Agencies for Failure to Comply with the PCI DSS, 13 C. Effect of Change from Magnetic Strips to Embedded Chips, 15 VI. Claims in Contract or Tort Against Transit Agencies for Privacy Violations, 16 A. Claims Against Transit Agencies for Violating a Customer’s Right to Privacy or for Breach of Security of a Customer’s Personal Data, 16 B. Whether Claims Against Government-Owned Transit Agencies Are Barred by Sovereign Immunity, 16 C. Claims in Contract or Tort for Damages for Privacy Violations, 18 D. Negligence Claims Against a Transit Agency that Involve the Collection, Use, Disclosure, or Retention of Customers’ Electronic Personal Data, 19 E. Liability of Transit Agency Contractors for Misuse of Customers’ Data, 19 VII. Whether Privacy Rights Under the U.S. Constitution Apply to Transit Customers’ Electronic Personal Data, 20 A. Evolution of Privacy Rights, 20 B. The Fourth Amendment and a Constitutional Right to Privacy, 23 C. Whether There Is an Implied Constitutional Claim for a Privacy Violation, 26 D. Whether Transit Agencies Are Subject to § 1983 Actions for Collecting, Using, Disclosing, and/or Retaining Customers’ Electronic Data, 28 VIII. Whether There Are Federal Statutes that Apply to Transit Agencies’ Customers’ Electronic Personal Data, 30 A. Evolution of Federal Statutory Privacy Rights, 30 B. Privacy Act of 1974, 30 C. The Electronic Communications Privacy Act of 1986, 32 D. Computer Fraud and Abuse Act, 34 E. Driver’s Privacy Protection Act, 34 F. Other Federal Laws Applicable to Collection of Customers’ Electronic Data , 34 CONTENTS IX. The Right to Privacy Under State Constitutions, 36 A. State Constitutions that Recognize a Right to Privacy, 36 B. States Recognizing an Implied Cause of Action for a Violation of a State Constitutional Provision, 37 X. Right to Privacy Under State Laws, 38 A. Introduction, 38 B. State Privacy Statutes Applicable to State and Local Agencies, 39 C. Whether There Are Separate Claims Based on the Type of Data Transit Agencies Collect or How the Agencies Collect or Use Data, 41 D. Privacy Policies Required by State Law, 43 E. State Legislation Applicable to Electronic Communications or Stored Data, 43 XI. Application of State Data-Breach Notification Laws to Transit Agencies, 44 A. State Data-Breach Notification Statutes, 44 B. Data-Breach Notification Laws Applicable to Transit Agencies, 46 C. Liability for Civil Penalties, 47 D. Liability for Damages, 47 E. Enforcement Power Delegated to the Attorney General, 48 F. Miscellaneous Provisions, 49 XII. Remedies at Common Law for Invasion of Privacy, 49 A. States that Recognize an Invasion of Privacy at Common Law, 49 B. Public Disclosure of Private Facts, 50 C. Intrusion Upon Seclusion, 51 D. Claims for Appropriation or False Light, 52 E. Applicability to Transit Agencies of a Common-Law Right to Privacy, 52 XIII. Disclosures of Data Under the Federal or a State FOIA or Equivalent Law, 52 A. The Federal FOIA and Release of Personal Data, 52 B. State FOIAs or Public Records Disclosure Laws and Customers’ Personal Data, 53 C. Agency Waiver of Privacy Exemption, 54 D. Whether Both FOIA Requests and Discovery Requests May Be Used to Obtain Transit Agencies’ Customers’ Electronic Personal Data, 54 E. The Use of Subpoenas to Obtain Data from a Transit Agency, 55 XIV. Four Leadership Agencies that Use Contactless or Other Electronic Payment Systems, 56 A. Metropolitan Transportation Authority, 56 B. Metropolitan Transportation Commission, 57 C. Regional Transportation Authority, 57 D. Capital District Transportation Authority, 58 Summary and Conclusions, 59 Appendix A: List of Transit Agencies Responding to the Survey, A-1 Appendix B: Survey Questions, B-1 Appendix C: Summary of the Transit Agencies’ Responses to the Survey, C-1 Appendix D: Copies of Documents Provided by Transit Agencies, D-1