National Academies Press: OpenBook

Legal Issues Concerning Transit Agency Use of Electronic Customer Data (2017)

Chapter: IV. TRANSIT AGENCIES' CONTROL OF ACCESS TO AND SECURITY OF CUSTOMERS' PERSONAL DATA

Suggested Citation:"IV. TRANSIT AGENCIES' CONTROL OF ACCESS TO AND SECURITY OF CUSTOMERS' PERSONAL DATA." National Academies of Sciences, Engineering, and Medicine. 2017. Legal Issues Concerning Transit Agency Use of Electronic Customer Data. Washington, DC: The National Academies Press. doi: 10.17226/24730.


distributed.81 The use of an electronic payment system that relies on banking and credit transactions only serves to heighten some observers’ privacy concerns.82 It has also been argued that electronic payment technology could be used to create a “centralized warehouse” of data on an individual’s activities that could be abused.83 One commentator argues that a single card that is used for multiple applications “could become a default personal identification card,” collect more data than are needed for many transactions, and serve as an “electronic trail” on an individual.84

Several agencies that responded to the survey maintain either that they own the data they collect or that they do not retain any data. Other agencies’ answers vary regarding the type of personal data they collect, who owns or has access to the data and under what circumstances, how long they retain data, and the safeguards they use to prevent hacking and misuse of customers’ personal data.85

The foregoing issues are important because transit agencies assume risks when accepting electronic payments and thus may have to invest in “risk mitigation resources.”86 Transit agencies’ acceptance of credit and debit cards and devices linked to a customer’s bank-issued card may expose agencies to payment risks, including claims for fraud; breach of contract, either express or implied; breach of privacy and/or security; and/or breach of a state privacy law or breach-notification law.87 As discussed in more detail in Section IV, transit agencies that use electronic payment systems that require a customer’s credit or debit card data are considered card merchants and must comply with the PCI DSS “to protect personal and financial consumer information.”88

IV. TRANSIT AGENCIES’ CONTROL OF ACCESS TO AND SECURITY OF CUSTOMERS’ PERSONAL DATA

A. Collection and Control of Access to Customers’ Personal Data

There are state laws, regulations, or guidelines that require data collectors and processors to limit access to and protect the security of customers’ personal data.89 Eleven transit agencies that responded to the survey stated that there are federal or state constitutional provisions, laws, or regulations of which they are aware that apply to their agency’s (or their contractor’s) collection, use, disclosure, or retention of customers’ data.90 The PCI DSS, discussed in Section V, as well as transit agency policies, apply to transit agencies that collect fares paid via a patron’s bank-issued credit or debit card.91

Some states have guidelines for the management of electronic records collected or maintained by government agencies. The purpose of the Massachusetts guidelines is to “ensure that government electronic records are created, maintained, disseminated and destroyed in a manner consistent with the transparency and accountability requirements of the Massachusetts Public Records Law, G. L. c. 66, § 1, et seq. and the standards set by the Records Conservation Board.”92 The security goals of the guidelines are to ensure that only authorized personnel have access to electronic records, provide for backup and recovery of records to protect against the loss of information, train personnel on how to safeguard sensitive or classified electronic records, minimize the risk of unauthorized alteration or erasure of electronic records, ensure that the security of electronic records is included in the “security plans” of computer systems, and comply, if mandated, with the requirements of Executive Order 504 and the Information Technology Division (ITD) Security Policies and Standards.93

B. Security of Customers’ Electronic Personal Data

Data collected by transit agencies via electronic payment technology may be vulnerable to security issues similar to those that have plagued merchants and other processors of credit and debit cards. In In re Sony Gaming Networks and Customer Data Security Breach Litigation,94 a class action, it was alleged that because Sony “failed to follow basic industry-standard protocols to safeguard its customers’ personal and financial information,” hackers were able to access Sony’s network and steal the plaintiffs’ personal information.95 The court held that Sony’s lack of security that caused the loss of personal information and thus increased the risk of future harm to the plaintiffs was sufficient to confer standing.96 The court in the Sony case noted that there have been other cases in which hackers were able to steal customers’ personal information because of insufficient security.97 It costs transit and other agencies “money to stay in the security arms race….”98 In 2008, a group of Massachusetts Institute of Technology students demonstrated the ease with which one could gain access to or hack MBTA’s electronic payment system.99 The research revealed that more than 1 billion smart cards had the same security weakness as the MBTA cards.

Recent advancements in technology, however, may make the use of contactless cards, credit and debit cards, and NFC-enabled mobile devices less vulnerable to a theft of data. Credit or debit cards already provide more security through a series of encryption algorithms and electronic keys. One of these security measures is the 128-bit triple DES encryption that generates a unique digital watermark for every transaction (a dynamic CVC/CVV). Even if the CVC/CVV code is skimmed, it changes for each transaction. This security concept is similar to one-time password-issuing devices, where the identification code changes every few seconds, making a stolen code virtually ineffective.100 Although a magnetic strip or stripe has all the data one needs to clone a card, a contactless card does not have all of the information needed to mimic a contactless card transaction.101

    Every time you do a Chip & PIN transaction, these are captured by the merchant. However, for contactless transactions, [a] cardholder name is not used, so it could be argued that things are moving in the right direction with the introduction of this technology in helping to preserve identity. When the reader does a transaction with your card, the card chip is required to perform cryptographic operations that prove it has secret cryptographic keys that are only known to the card-issuing bank. For each transaction, the cryptographic calculation required by the terminal changes, based on transaction details, so [that] it…cannot simply be stored in advance by an attacker. Therefore, cloning your contactless card using only the details the attacker has sniffed from your contactless card is not possible. These are the same reasons that Chip & PIN cards cannot be cloned. The chip provides an extra level of difficulty for attackers.102

Furthermore, NFC-enabled mobile devices do not transmit all the data needed to make a “bogus” magnetic stripe or NFC application “because the secret keys that you need to create the secure messages are never transmitted.…”103 In addition, the “payment scheme rules” do not allow merchants to store security codes with the other details of the card.104

81 Ann Joslin, National Center for Transit Research, Center for Urban Transportation Research, Regional Fare Policy and Fare Allocation, Innovations in Fare Equipment and Data Collection 2-29 (Mar. 2010) (footnote omitted), hereinafter referred to as “Joslin,” http://www.nctr.usf.edu/pdf/77705.pdf (last accessed Sept. 24, 2016).
82 Joslin, supra note 81, at 2-30.
83 Id.
84 Id. See id. at 2-31 (providing examples of ways that transit agencies may protect data collected on their patrons).
85 See App. D, Transit agencies’ responses to Questions 8(a)(3)–(5).
86 Quibria, supra note 2, at 14.
87 Id.
88 Id. at 17.
89 See, e.g., Electronic Records Management Guidelines at 1, § 2 (undated), hereinafter referred to as “Mass. ERM Guidelines,” http://www.sec.state.ma.us/arc/arcpdf/Electronic_Records_Guidelines.pdf (last accessed Sept. 24, 2016).
90 CDTA (citing New York State Privacy Protection Law); see http://www.dos.ny.gov/coog/shldno1.html; CT Transit (identifying PCI DSS compliance); Metra (identifying the Personal Information Protection Act, 805 Ill. Comp. Stat. 530; CAN-SPAM Act, 15 U.S.C. §§ 7701–7713 (2016)); (see Federal Trade Commission, A Compliance Guide for Business Electronic Mail Act, https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business (last accessed Sept. 24, 2016)); 815 Ill. Comp. Stat. 5111-15; and Identity Protection Act, 5 Ill. Comp. Stat. 179/1); MTC (identifying Cal. Sts. & Hy. Code § 31490, privacy policy for electronic toll collection or electronic transit fare collection system but noting that the provision is “specific to our industry” and that “other standard Federal and California state merchant-related privacy law also applies”); Niagara Frontier Transportation Authority (referring to the Federal Trade Commission Act; New York State Personal Privacy Protection Law (Public Officer’s Law, art. 6-A, §§ 91-99); New York State General Business Law § 899aa; and ISO 27001 (standard for best practices in operation)); ORCA (citing Washington Public Records Act, Wash. Rev. Code § 42.56 and Uniform Unclaimed Property Act, Wash. Rev. Code § 63.29); Regional Transportation District (stating that depending on the definition of personal information, the nature of the request, and the requestor’s identity, customer data may be disclosed under the Colorado Open Records Act and that depending on the definition of personal information, the retention and disclosure of customer data may be limited under Colo. Rev. Stat. § 24-72-113 (passive surveillance)).
91 See MTC Privacy Policy, supra note 53.
92 Section 1 applies to a “supervisor of public records… called the supervisor of records, [who] shall take necessary measures to put the records of the commonwealth, counties, cities or towns in the custody and condition required by law and to secure their preservation.” See Mass. ERM Guidelines, supra note 89, at 1, § 2.
93 Mass. ERM Guidelines, supra note 89, at 9, § 7. Massachusetts Executive Order No. 504, signed on Sept. 19, 2008, “recognizes the importance of protecting personal information and specifically outlines how all state agencies in the Executive Branch must address the security and confidentiality of personal information.” See http://www.mass.gov/anf/research-and-tech/policies-legal-and-technical-guidance/legal-guidance/privacy-and-security/exec-order-504/ (last accessed Sept. 24, 2016). For information on the Massachusetts ITD Security Policies and Standards, see http://www.mass.gov/anf/searchresults.html?output=xml_no_dtd&client=mg_anf&proxystylesheet=massgov&getfields=*&ie=UTF-8&oe=UTF-8&tlen=215&sitefolder=anf&filter=0&requiredfields=&startsite=EOANFx&q=ITD+Security+Policies+and+Standards&site=EOANFx&x=0&y=0 (last accessed Sept. 24, 2016).
94 903 F. Supp. 2d 942, 968 (S.D. Cal. 2012), motion granted by, in part, motion denied by, in part, dismissed by, in part, 996 F. Supp. 2d 942 (S.D. Cal. 2014).
95 Id. at 950, 951.
96 Id. at 958.
97 See id. at 950, 951.
98 Tomorrow’s Transactions, supra note 13, at 33.
99 Ben Arnoldy & Uri Friedman, Not So Smart Cards Easily Hacked, The Christian Science Monitor (Aug. 19, 2008), http://www.csmonitor.com/USA/2008/0819/p01s01-usgn.html (last accessed Sept. 24, 2016).
100 Quibria, supra note 2, at 19–20 (footnotes omitted).
101 Tomorrow’s Transactions, supra note 13, at 23.
102 Id. at 44.
103 Id. at 23.
104 Id. at 44.
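The dynamic CVC/CVV and contactless-chip discussion in Section IV.B above describes a per-transaction cryptogram computed from a key that never leaves the card, with the terminal supplying transaction details so the value cannot be precomputed or replayed. The following Python model is an added illustration written for this page; it is not code from the digest, from Quibria, or from Tomorrow's Transactions. It substitutes HMAC-SHA256 (standard library) for the 3DES-based computation the text mentions, and the PAN, master key, transaction counter (ATC) and terminal nonce are constructed demo values. It shows, from the issuer's side, why a genuine tap verifies while a verbatim replay, a cryptogram reused for a different transaction, and a "clone" built only from the static data sniffed off the card all fail.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed demo value; a real issuer keeps its master key inside an HSM.
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

CRYPTOGRAM_LEN = 8  # bytes; chosen to mirror the 8-byte application cryptogram size


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Per-card key diversified from the issuer master key and the PAN.
    HMAC-SHA256 stands in here for the 3DES derivation real issuers use."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def transaction_bytes(pan: str, amount_cents: int, terminal_nonce: bytes, atc: int) -> bytes:
    """Canonical encoding of what the cryptogram covers: card identity, amount,
    the terminal's unpredictable number, and the card's transaction counter."""
    return f"{pan}|{amount_cents}|{terminal_nonce.hex()}|{atc}".encode()


def compute_cryptogram(card_key: bytes, pan: str, amount_cents: int,
                       terminal_nonce: bytes, atc: int) -> bytes:
    """The 'dynamic code': a MAC over the transaction, truncated to CRYPTOGRAM_LEN."""
    msg = transaction_bytes(pan, amount_cents, terminal_nonce, atc)
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:CRYPTOGRAM_LEN]


@dataclass
class Card:
    """Models the chip: it exposes static data but signs with a key that never leaves it."""
    pan: str
    expiry: str
    _key: bytes = field(repr=False)
    atc: int = 0  # application transaction counter, advanced on every authorization

    def static_data(self) -> dict:
        # All that a reader, or an eavesdropper on the NFC link, can learn: no key, no name.
        return {"pan": self.pan, "expiry": self.expiry}

    def authorize(self, amount_cents: int, terminal_nonce: bytes) -> tuple[int, bytes]:
        self.atc += 1
        return self.atc, compute_cryptogram(self._key, self.pan, amount_cents,
                                            terminal_nonce, self.atc)


class Issuer:
    """Issuer host: recomputes the expected cryptogram and rejects replays via the ATC."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key
        self._last_atc: dict[str, int] = {}

    def issue_card(self, pan: str, expiry: str) -> Card:
        return Card(pan, expiry, derive_card_key(self._master, pan))

    def verify(self, pan: str, amount_cents: int, terminal_nonce: bytes,
               atc: int, cryptogram: bytes) -> bool:
        expected = compute_cryptogram(derive_card_key(self._master, pan),
                                      pan, amount_cents, terminal_nonce, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key, or transaction data differs from what was signed
        if atc <= self._last_atc.get(pan, 0):
            return False  # counter did not advance: a replayed cryptogram
        self._last_atc[pan] = atc
        return True


def demo() -> dict[str, bool]:
    """One genuine transaction, then three attempts using only what was observed."""
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = issuer.issue_card(pan="4111111111111111", expiry="12/29")  # constructed test PAN

    # 1. Genuine tap: the terminal supplies amount and nonce; the card returns ATC + cryptogram.
    nonce = secrets.token_bytes(4)
    atc, cryptogram = card.authorize(250, nonce)
    genuine = issuer.verify(card.pan, 250, nonce, atc, cryptogram)

    # 2. The sniffed response presented again verbatim: the MAC matches, but the ATC is stale.
    replay = issuer.verify(card.pan, 250, nonce, atc, cryptogram)

    # 3. The sniffed cryptogram attached to a different amount and terminal nonce.
    altered = issuer.verify(card.pan, 9999, secrets.token_bytes(4), atc + 1, cryptogram)

    # 4. A "clone" holding only the static data: with no card key it can only guess one.
    sniffed = card.static_data()
    clone = Card(sniffed["pan"], sniffed["expiry"], _key=b"\x00" * 32, atc=atc)
    nonce2 = secrets.token_bytes(4)
    clone_atc, clone_cryptogram = clone.authorize(250, nonce2)
    cloned = issuer.verify(clone.pan, 250, nonce2, clone_atc, clone_cryptogram)

    return {"genuine": genuine, "replay": replay, "altered": altered, "clone": cloned}


if __name__ == "__main__":
    print(demo())  # expected: genuine True, the other three False
```

The two checks in Issuer.verify correspond to the two properties the quoted passage relies on: the MAC binds the code to the secret key and to the terminal's transaction details, and the counter makes a captured code single-use, which is the sense in which a skimmed dynamic CVC "changes for each transaction."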

TRB's Transit Cooperative Research Program (TCRP) Legal Research Digest (LRD) 48: Legal Issues Concerning Transit Agency Use of Electronic Customer Data explores the advantages, disadvantages, risks, and benefits for transit agencies moving to electronic, cloud-based, and other computerized systems for fare purchases and for communicating with customers. “Smart” fare cards are now commonplace, and private businesses and transit agencies are using or planning to use smartphones, smart cards and credit cards, and other systems to obtain payment, location, and other personal data from customers.

This digest updates TCRP LRD 14: Privacy Issues in Public Transportation (2000) and TCRP LRD 25: Privacy Issues with the Use of Smart Cards (2008) and covers additional dimensions of collection and use of personal information using new technologies developed since those studies. Appendix A-D are available online only.
