Legal Issues Concerning Transit Agency Use of Electronic Customer Data (2017)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

4data-breach notification statutes apply to transit agencies and, if so, whether customers have a cause of action under the statutes against a public or private transit agency for a violation of the law. Section XII discusses whether an individual may hold a transit agency liable in tort for an invasion of privacy as a result of an agency’s collection, use, or disclosure of personal data. Section XIII examines whether a customer’s data collected by government-owned transit agencies are subject to disclosure under a state Freedom of Information Act (FOIA) or public records disclosure law and whether a FOIA or equivalent law may be used as a form of discovery in litigation. Section XIII also discusses whether a subpoena may be used to compel the production of a customer’s personal data collected by a transit agency. Finally, Section XIV discusses four leadership agencies that are using a variety of the latest electronic payment systems—the Metropolitan Transportation Authority (MTA), serving the New York area and beyond; the Metropolitan Transportation Commission (MTC), serving the San Francisco Bay Area; the Regional Transportation Authority (RTA), serving Chicago and northeastern Illinois; and the Capital District Transportation Authority (CDTA), serving the Albany, New York, area. The digest discusses information and documents obtained by a survey of transit agencies on their current contactless electronic fare collection system or systems, whether they plan to adopt a new payment system, and the kinds of data that they collect on customers. Of the 62 transit agencies that responded to the survey, 29 agencies stated that they are using one or more electronic fare payment systems. Twenty-two agencies stated that their current electronic payment system collects custom- ers’ personal data. Although the results of the survey are discussed throughout the digest, Appendix C summarizes the transit agencies’ responses. I. CONTACTLESS ELECTRONIC PAYMENT SYSTEM TECHNOLOGY USED BY TRANSIT AGENCIES A. The Evolution of Contactless Payment Cards Since the introduction of contactless smartcards, the gravity of privacy and security issues has increased as technology has evolved to allow transit agencies to use other forms of electronic payment systems. For example, contactless payment cards now in wide use globally have an embedded short- range radio frequency identification chip (RFID) that enables an electronic reader to charge a credit or debit card when the card is passed in close proximity to a reader.2 Although many transit agencies issue smartcards for patrons to pay transit fares, current technology enables transit agencies to provide patrons with several payment options. A payment system may be a proprietary one in which a transit operator estab- lishes and operates its own payment system3 or a nonproprietary system that accepts credit and debit cards issued, for example, by American Express, Discover, Mastercard, and Visa.4 Transit agencies that responded to the survey described the type of contactless or other electronic payment system or systems they are using,5 as well as any system or systems they are considering adopting.6 As discussed herein, current technology enables transit agencies to permit transit customers to pay for transit by using their own credit or debit cards or their mobile devices that are linked to a bank-issued card.7 Regardless of newer payment methods, some transit patrons will continue to need a method of payment that does not require a bank- issued card or a mobile device.8 As electronic payment systems have evolved, they have more data-processing capability and have become more reliable. The collection of data on tran- sit customers’ behavior enables the agencies to serve their patrons more effectively,9 while allowing the 2 Nasreen Quibria, Sr., Federal Reserve Bank of Boston, The Contactless Wave: A Case Study in Transit Payments, at 3 and 8 (June 2008), hereinafter referred to as “Quibria,” https://www.bostonfed.org/economic/cprc/publications/ briefings/transit.pdf (last accessed Sept. 24, 2016). See also First Data, Transit Payment Systems: A Case for Open Payments, at 6 (May 2010), hereinafter referred to as “Transit Payment Systems,” https://www.firstdata.com/ downloads/thought-leadership/transit-payment-systems_ wp.pdf (last accessed Sept. 24, 2016). 3 For example, transit agencies may also adopt a contact- less electronic payment system that allows a patron to use a transit system card to pay fares as well as to make purchases from participating retail merchants. Quibria, supra note 2, at 7. 4 Quibria, supra note 2, at 5 (footnote omitted). 5 See App. C, Transit agencies’ responses to Question 2. 6 See App. C, Transit agencies’ responses to Question 4. 7 See Elisa Tavilla, Federal Reserve Bank of Boston, Transit Mobile Payments: Driving Consumer Experience and Adoption, at 2 and 6 (Feb. 2015), hereinafter referred to as “Tavilla,” http://www.bostonfed.org/bankinfo/payment- strategies/publications/2015/transit-mobile-payments.pdf (last accessed Sept. 24, 2016). 8 Philip Keitel, Federal Reserve Bank of Philadelphia, The Electronification of Transit Fare Payments: Examining the Case for Partnerships between Payments Firms and Transit Agencies, at 20 (Apr. 2011) (footnote omitted), https://ideas.repec.org/p/fip/fedpdp/11-02.html (last accessed Sept. 24, 2016). 9 Quibria, supra note 2, at 22.

5agencies to reduce costs and increase their effi- ciency.10 For example, maintenance costs are less because there are no moving parts associated with the latest electronic payment systems.11 B. Closed-Loop and Open-Loop Payment Systems Electronic fare payment systems used by transit agencies may be described as “closed-loop” or “open- loop” systems. In a closed-loop transit network system, a transit agency issues its own card and has its own payment network to process payment trans- actions.12 Moreover, in a closed-loop transit network system, an agency’s own contactless cards are used only to pay for transit.13 Several transit agencies that responded to the survey stated that their electronic system is a closed- loop system.14 For example, the MTA, which includes New York City Transit Authority (NYCT), Metro- North Commuter Railroad (MNR), Long Island Rail Road (LIRR), MTA Bus Company, and Staten Island Railway (SIR), stated that its “current system is based on the MetroCard, which is a magnetic strip closed-loop card that serves NYCT subways and buses, MTA Bus Company’s buses, SIR’s railway cars and certain other regional transportation providers.” Likewise, MTC reported that it has a closed-loop contactless payment system for public transit that is used by 22 regional operators under the brand name of Clipper.®15 ORCA (One Regional Card for All) is a smart card fare payment system for the Puget Sound region. ORCA’s current system is a closed-loop one that uses a “contactless MIFARE DESFire EV1 card.” The ORCA Regional Fare Coor- dination Program includes Community Transit, Everett Transit, King County Metro, Kitsap Transit, Pierce Transit, Sound Transit, and Washington State Ferries. In an open-loop transit system, customers may use their transit agency cards to pay for transit as well as to make purchases at participating retail merchants.16 An open-loop system may also enable customers to use their own bank-issued credit or debit cards or mobile devices linked to a customer’s credit or debit card to pay for transit trips.17 When a card is read by a transit agency’s electronic reader, the issuer of the credit or debit card processes the payment over its “regular card payment network.”18 Although transit authorities pay interchange fees to the issuing banks,19 an open-loop system reduces transit agencies’ expense for infrastructure while eliminating any need for a transit agency “to own and manage the entire card lifecycle.”20 Transit patrons may prefer to use the cards and accounts that they already have rather than obtain and carry a “transit-specific” card.21 The agencies that are members of the ORCA program are considering the next generation system for ORCA that is likely to be an account-based system with “open architecture.” A transit system may have both closed- and open- loop payment systems. The Lane Transit District in Oregon “is considering [the] use of a mobile ticket payment system and a fare card system utilizing smart card technology,” a system that “will use both closed-payment and open-payment methodologies.”22 C. Mobile Device Payment Applications Transit agencies may add payment by mobile devices, such as smartphones and tablets, to their open-loop payment systems.23 Mobile payments may 10 Id. at 2. 11 Center for Urban Transportation Research, Resource for Advanced Public Transit Systems, Electronic Fare Pay- ment Systems, at 4, hereinafter referred to as “CUTR.” 12 Quibria, supra note 2, at 7. 13 David G.W. Birch, Mike Burden, Simon Laker & John Elliott (Jane Adams, ed.), Tomorrow’s Transactions, the transit reaDer, at 10 (2013), hereinafter referred to as “Tomorrow’s Transactions,” http://www.chyp.com/ wp-content/uploads/2015/01/The-Transit-Reader.pdf (last accessed Sept. 24, 2016). 14 See App. C, Transit Agencies’ responses to Question 2. 15 See App. C, MTC’s response to Question 2. 16 Quibria, supra note 2, at 7. 17 Quibria, supra note 2, at 8. See also Transit Payment Systems, supra note 2, at 5. 18 Transit Payment Systems, supra note 2, at 8. 19 Quibria, supra note 2, at 14. [T]he card-issuing bank in a payment transaction deducts the interchange fee from the amount it pays the acquiring bank that handles a credit or debit card trans- action for the transit authority. The acquiring bank then pays the transit authority the amount of the transaction (the fare) minus both the interchange fee and an addi- tional, usually smaller fee for the acquiring bank, which is often referred to as a discount rate, an add-on rate or pass-through. Transit Payment Systems, supra note 2, at 10. 20 Quibria, supra note 2, at 13. 21 Id. See also Transit Payment Systems, supra note 2, at 8. 22 See App. C, MTA’s response to Question 4 (describing both closed- and open-loop methods of payment). 23 See PCI Security Standards Council, Accepting Mobile Payments with a Smartphone or Tablet, at 1 (2014), https:// www.pcisecuritystandards.org/documents/accepting_ mobile_payments_with_a_smartphone_or_tablet.pdf (last accessed Sept. 24, 2016); steve Quirolgico, Jeffrey voas, toM karygiannis, christoPh Michael & karen scarfone, u.s. DePartMent of coMMerce, vetting the security of Mobile aPPlications 8 (NIST Special Publication 800-163, 2015), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ NIST.SP.800-163.pdf (last accessed Sept. 24, 2016).

6be made using “SMS/MMS, mobile Internet and contactless chip (e.g., NFC technology).”24 SMS means “short messaging service” and refers to text messaging.25 MMS means “multimedia messaging service” and is used to send images, audio files, videos, and other multimedia.26 “Mobile Internet” refers to the Internet that is accessed by a mobile device rather than by a computer.27 Today’s electronic payment technology permits a consumer to use his or her smartphone to pay for transit and even select which bank account will be debited for the purchase.28 There are other services that are available when transit operators accept fares via mobile phone that are not available with contactless credit and debit cards.29 Patrons may use their mobile phones to manage and check the balance of their account, or if their transit account is a stored-value account, they may use their phone to replenish the account.30 Customers may use their mobile devices to take care of trip planning, ticket- ing, and related travel, as well as to receive real- time alerts and promotional offers. Transit agencies are able to communicate with customers, collect data on ridership, and even integrate payments for other services, such as parking and taxis.31 In its response to the survey, the CDTA serving the Albany, New York, area explained that its current system is capable of processing EMV® (Europay, Mastercard, and Visa)-compliant payment cards, as well as mobile-ticketing transactions in the future.32 MTA stated that MNR and LIRR have implemented pilots for mobile-ticketing applications whereby customers will be able to pay for commuter rail by using a mobile device. The Regional Transportation District (RTD), serving Denver, Colorado, which is considering the deployment of mobile (smartphone) ticketing within the next 2 years, stated that the RTD assumes that personal data will be collected as needed to facilitate financial and operational transactions. Although one electronic payment option is the use of mobile phones with Near Field Communica- tions (NFC) capability in open-loop payment systems, only eight transit agencies that responded to the survey reported that they are planning to provide for the use of NFC-enabled mobile phones or other mobile devices to pay for transit. CDTA stated, however, that “[i]n the future, customers will be able to purchase products through a mobile application (mobile ticket) from an iOS or Android device. Once purchased, the customer would scan a [two dimen- sional (2D)] bar code of the mobile ticket on the fare- box on the transit vehicle.”33 MTA said that NFC-enabled devices are one of the media types that will be supported by its New Fare Payment System (NFPS).34 An NFC-enabled phone is able to receive time- and location-sensitive messages.35 NFC technology, already in more than 18 percent of cell phones worldwide, reportedly is expected to increase that share to 64 percent by 2018.36 In addition to NFC technology for mobile contactless payments, “remote m-payments” may be used for mobile payments by using “a cellular phone’s text messaging capability... to send credit or debit card information to the merchant.”37 A consumer establishes an account with a mobile payment service provider (MPSP) and links a financial account to the MPSP account.38 As the number of NFC-enabled mobile phones increases, it seems likely that more transit riders 24 Transit Payment Systems, supra note 2, at 6. 25 David W. Freese, Regulation of Mobile Payments, 127 banking L.J. 485, 486 (2010), and Brianna L. Reed, Mobi- lizing Payments: Behind the Screen of the Latest Payment Trend, 14 J. high tech. L. 451, 455 (2014), hereinafter referred to as “Reed.” See also Meena Aharam Rajan, The Future of Wallets: A Look at the Privacy Implications of Mobile Payments, 20 coMMlaw consPectus 445, 448–51 (2012). 26 Sam Costello, About Tech, What is SMS and MMS Text Messaging on the iPhone?, http://ipod.about.com/od/ iphonesoftwareterms/g/sms_definition.htm (last accessed Sept. 24, 2016). 27 See Avhilash Nair, Mobile Phones and the Internet: Legal Issues in the Protection of Children, 20 int’l rev. l. coMPuters & tech. 177, 178 (2006). 28 Transit Payment Systems, supra note 2, at 14. 29 Tomorrow’s Transactions, supra note 13, at 27. 30 Transit Payment Systems, supra note 2, at 14. 31 Tavilla, supra note 7, at 13. 32 EMV® is a global standard for credit and debit pay- ment cards based on chip card technology that takes its name from the card schemes and its developers Europay, Mastercard, and Visa. See https://www.level2kernel.com/ emv-guide.html (last accessed Sept. 24, 2016). 33 A two-dimensional or 2D bar code enables the embed- ding of Web addresses, text, or other data in a camera- readable format. See http://www.csuci.edu/news/documents/ 2011-2dbarcodeinfo.pdf (last accessed Sept. 24, 2016). 34 See also Rian Boden, NFC World+, MTA seeks sys- tems integrator to move NFC fare payments forward (Apr. 13, 2016), http://www.nfcworld.com/2016/04/13/343947/ mta-seeks-systems-integrator-to-move-nfc-fare-payment- forward/ (last accessed Sept. 24, 2016). 35 Transit Payment Systems, supra note 2, at 14. 36 High Technology Law, NFC-Enabled Cellphone Ship- ments to Soar Fourfold in Next Five Years (Feb. 27, 2014), http://press.ihs.com/press-release/design-supply-chain/ nfc-enabled-cellphone-shipments-soar-fourfold-next-five- years (last accessed Sept. 24, 2016). See also a description of remote m-payment at http://www.justaskgemalto.com/ us/what-difference-between-remote-m-payment-and- proximity-m-payment/ (last accessed Sept. 24, 2016). 37 Reed, supra note 25, at 455. 38 Id.

7will have NFC-enabled phones.39 In some areas, such as Salt Lake City, Utah, and Chicago, Illinois, transit customers with NFC-enabled phones are able to pay fares with Apple Pay,® Google Wallet,™ and Softcard.™40 According to the Smart Card Alliance, “NFC will soon be available as standard functionality in many mobile phones and will allow consumers to perform safe contactless transactions, access digital content, and connect electronic devices simply.”41 The Apple iPhone® 6 and iPhone 6 Plus are the first Apple mobile phones to have built-in NFC technology.42 There are, however, other NFC-enabled mobile phones.43 The Greater Cleveland Regional Transportation Authority (GCRTA) reported a pilot project for a mobile-ticketing solution and software as a cloud- based service. GCRTA will not be storing data because a user will create an account through his or her mobile phone. In that connection, one developer of mobile payment applications states that its Next- Wave Mobile Business System is “a comprehensive platform that enables transit operators to rapidly and securely provide new mobile services to their customers,” such as an agency-branded mobile app backed by a cloud-based array of support services.44 The system is said to simplify “the complexities of deploying mobile services by providing a cloud- based platform that integrates with both closed- and open-loop contactless fare systems, payment proces- sors, mobile networks, NFC platforms, and both iOS and Android smartphones and tablets.”45 D. Transit Agencies’ Use of Electronic Payment System Data Some of the potential benefits to transit agencies of the newest technologies for electronic payment systems are convenience, reduced cost of fare collection, increased efficiency, data-sharing opportunities with third-party developers, and improved traffic management and logistics. Advanced electronic payment systems enable transit agencies to collect information that previously had to be “collected manually by counting passengers at the ticket booth.”46 Transit agencies may collect personal data to improve an agency’s traffic management and logistics, allocate resources, provide more efficient timetables and reduce delays, and increase staff and surveillance at certain locations.47 The newest electronic payment systems should permit transit agencies to achieve significant oper- ational, cost-saving, and security benefits.48 The U.S. Department of Transportation (USDOT) has studied how electronic fare collection data may be used to identify the travel behavior of seniors and persons with disabilities, including the bus routes used by the most elderly and disabled riders, the times when they prefer to travel, their travel trends, and their origins and destinations.49 The collection of customers’ electronic personal data may also be used to benefit transit customers. Electronic payment technology provides customers with more convenience, payment options, and services, such as when agencies are able to bundle transit fares and admission fees for local attractions or offer awards.50 E. Monetization of Customers’ Electronic Personal Data Although electronic payment technology may encourage transit agencies to monetize the data that they are collecting as a way of enhancing reve- nue, no transit agency that responded to the survey is currently monetizing customers’ data.51 The Chicago Transit Authority (CTA) and Ventra® partic- ipating transit agencies have used aggregate data, not data containing PII, to market Ventra.52 The MTC, serving the San Francisco Bay area, does not provide PII associated with its Clipper program to 39 Tavilla, supra note 7, at 5 and 11 (footnotes omitted). 40 Id. at 10 (footnote omitted). 41 Smart Card Alliance, http://www.smartcardalliance. org/smart-cards-applications-nfc/ (last accessed Sept. 24, 2016). According to its Web site, the alliance “is a not-for- profit, multi-industry association working to stimulate the understanding, adoption, use and widespread applica- tion of smart card technology.” 42 See Rapid NFC, http://nfc.today/nfc-enabled-phones (last accessed Sept. 24, 2016). 43 NFC World+, “NFC phones: The Definitive List,” http://www.nfcworld.com/nfc-phones-list/%20and%20 Rapid%20NFC,%20http:/rapidnfc.com/nfc_enabled_ phones (last accessed Sept. 24, 2016). 44 Cubic Transportation Systems, Cubic Launches Next-Wave Mobile Business System for Transit Agencies (Sept. 30, 2013), http://www.cubic.com/News/Press-Releases/ ID/931/Cubic-Launches-NextWave-Mobile-Business- System-for-Transit-Agencies (last accessed Sept. 24, 2016). 45 Id. 46 Quibria, supra note 2, at 22. 47 Id. 48 Tomorrow’s Transactions, supra note 13, at 39. 49 fabian cevallos, Xiaobo wang, & Jon skinner, feD. transit aDMin., using Data froM an electronic fare collection systeM to iDentify the travel behavior of seniors anD the DisableD coMMunity 10–11 (2010), http://lctr.eng.fiu.edu/re-project-link/project451106.htm (last accessed Sept. 24, 2016). 50 Tavilla, supra note 7, at 3, 14–15. 51 See App. C, Transit agencies’ responses to Question 10. 52 CTA, Ventra Privacy Policy, hereinafter referred to as “CTA Privacy Policy,” https://www.ventrachicago.com/ privacy-policy/ (last accessed Sept. 24, 2016).