merchant's terminal is not enabled for chip payment, or (2) the card is a chip card that prefers PIN verification and the terminal is chip-enabled requiring a signature verification.154 Transactions that do not require cardholder verification are not affected by the liability shift.

In summary, the most common financial networks, such as Visa and Mastercard, have inaugurated and implemented standards for credit and debit cards in the form of the PCI DSS.155 When a transit agency adopts an open bankcard method for fare payments, whether debit, credit, or prepaid, the transit agency becomes "just another merchant," exposing the agency to payment risks such as claims for fraud and data breach.156

VI. CLAIMS IN CONTRACT OR TORT AGAINST TRANSIT AGENCIES FOR PRIVACY VIOLATIONS

A. Claims Against Transit Agencies for Violating a Customer's Right to Privacy or for Breach of Security of a Customer's Personal Data

When transit agencies have an express or implied agreement with customers regarding the agencies' collection, use, disclosure, retention, and/or security of customers' personal data, a customer may have a claim for breach of contract. A customer may have a tort claim against an agency even without an agreement when an agency fails to exercise due care in respect to the customer's data. Nevertheless, no transit agency that responded to the survey reported that within the past 5 years, a customer had brought a legal action against the agency (or a contractor or agent of the agency) for an alleged violation of a customer's privacy rights because of the agency's collection or use of a customer's personal data or because of a security breach.

B. Whether Claims Against Government-Owned Transit Agencies Are Barred by Sovereign Immunity

When a transit agency is government-owned, there is a threshold question of whether the agency has immunity from certain claims, particularly claims for negligence or other torts.
Only five transit agencies that responded to the survey stated, however, that they had sovereign immunity to tort claims arising out of their collection of customers' personal data.157 The liability of a government-owned entity in tort varies from state to state depending on the extent to which the state legislature has waived immunity, as well as on the courts' interpretation of the applicable legislation.158

It is important to note that in states where a tort claims act permits a plaintiff to sue a public entity in tort, the legislation may have specific exceptions, exemptions, or exclusions to liability. For example, in Florida, the State waives sovereign immunity in tort for itself and its agencies and subdivisions, "but only to the extent specified in this act."159 A state tort claims act may apply only to the state and state agencies or to both state and local governments and their agencies. Some states have tort claims acts that apply specifically to local governments and their agencies. For example, the Illinois Local Governmental and Governmental Employees Immunity Act has "an extensive list of immunities based on specific governmental functions."160 Because tort claims acts and similar legislation that affect governmental immunity are in derogation of

154 Id. at 3.
155 Transit Payment Systems, supra note 2, at 5.
156 Quibria, supra note 2, at 5, 14.
157 Central Florida Regional Transportation Authority (stating that the agency is protected by Florida statute and that its liability is limited to $200,000 per person and $300,000 per event); Lane Transit District (stating that the Oregon Tort Claims Act, Or. Rev. Stat. §§ 30.260 to 30.300, which is a limited waiver of sovereign immunity, may apply); Metro Regional Transportation Authority (citing Ohio Rev. Code, ch. 2744); Port Authority of Allegheny County, Pennsylvania (stating that as a Commonwealth Agency, the Authority is protected by 42 Pa. Con. Stat. Ann. § 8521, et.
seq.); and Regional Transportation District, Denver, Colorado (stating that "[t]o the extent such actions lie in tort or could lie in tort and RTD has not waived liability (i.e., motor vehicles, dangerous buildings, etc.) for such actions, the RTD is immune from such related to breach of security of personal data and the right to privacy") (citing Colo. Rev. Stat. § 24-10-108)).
158 See Larry W. Thomas, Tort Liability of Highway Agencies, in 4 Selected Studies in Transportation Law (2003).
159 Fla. Stat. § 768.28(1) (2016) (emphasis supplied) [eff. until Dec. 31, 2018]. Although the applicable Florida Statute must be consulted in its entirety, Fla. Stat. § 768.28(1) further provides that
[a]ctions at law against the state or any of its agencies or subdivisions to recover damages in tort for money damages against the state or its agencies or subdivisions for injury or loss of property, personal injury, or death caused by the negligent or wrongful act or omission of any employee of the agency or subdivision while acting within the scope of the employee's office or employment under circumstances in which the state or such agency or subdivision, if a private person, would be liable to the claimant.
160 Sexton v. City of Chicago, 976 N.E.2d 526, 540 (Ill. App. 2012) (some internal quotation marks omitted).
the common law, the courts typically strictly construe the legislation.161

Government agencies may have immunity even for claims for an unauthorized disclosure of personal data. In Axtell v. University of Texas,162 a Texas appellate court held that the disclosure by a state agency of confidential information was not actionable because the State had retained its immunity under the state tort claims act. In Axtell, a student sued a state university and its employees for sending the student's educational records by a telefax machine to a local radio station without the student's consent.163 The court held, however, that the university employees' negligence was not their use of a telefax machine but their release of the plaintiff's information by whatever means.164 Thus, the Texas Tort Claims Act's limited waiver of immunity that applies to the use of tangible personal or real property did not apply to the disclosure of the plaintiff's information.165 Because immunity for the release of personal information had not been waived, the court affirmed the trial court's dismissal of the plaintiff's action.166

In Tivnan v. Registrar of Motor Vehicles,167 the plaintiff sued employees of the Registry of Motor Vehicles for issuing a duplicate of his driver's license to another individual in violation of Massachusetts Annotated Laws, Chapter 66A.168 The imposter ruined the plaintiff's credit and amassed over $150,000 in debt in the name of the plaintiff.169 The Massachusetts Appeals Court affirmed the trial court's grant of a summary judgment and held that the privacy issue was governed by the Massachusetts Tort Claims Act (MTCA).170 The MTCA superseded Massachusetts Annotated Laws, Chapter 214, Section 3B, which provided that "parties injured by the violation of G. L. c.
66A [may] claim damages for injury against public employers…."171 The appeals court affirmed the trial court's decision because under the MTCA, "the issuance of a license [is] specifically immunized" under Section 10(e).172

In Torres v. Attorney General,173 however, the plaintiff alleged that the Department of Social Services violated Massachusetts General Law, Chapter 66A, when the department released information to the Assistant Attorney General that contained the plaintiff's geographic location.174 The Supreme Judicial Court of Massachusetts held that the release was a violation of Massachusetts law. First, the plaintiff did not consent to the access to his personal data, and second, there was "no legislative intent to grant the office of the Attorney General access to personal data held by one State agency simply because a data subject has brought a suit against one or more other State agencies."175 The case was remanded to the Superior Court for an assessment of damages, attorney's fees, and costs.176

Finally, public entities such as transit agencies may have immunity for claims arising out of their discretionary decisions. Immunity for a public entity's discretionary action may be recognized under a state's common law and/or be an exception to a public entity's liability under a state's tort claims act or similar legislation.
The courts have held that a government decision or function is discretionary in nature when the decision making occurred at the planning level and/or the decision making involved the consideration or evaluation of broad policy factors.177 Whether a governmental decision is discretionary and entitled to immunity is a question of law decided by the court.178 No cases were located for the digest, however, that involved the question of whether a transit agency has immunity for a claim that arises out of an agency's collection, use, disclosure, or retention of data on the basis that the alleged privacy violation resulted from an agency's policy-level decision or exercise of discretion. Indeed,

161 Nawrocki v. Macomb County Road Commission, 463 Mich. 143, 151, 615 N.W.2d 702, 707 (Mich. 2000) (Supreme Court of Michigan stating that "prior decisions of this Court…improperly broadened the scope of the highway exception" to governmental immunity and holding that the court was "duty bound to overrule past decisions that depart from a narrow construction and application of the highway exception….").
162 69 S.W.3d 201 (Tex. App. 2002).
163 Id. at 263.
164 Id. at 266.
165 Id.
166 Id. at 267.
167 50 Mass. App. Ct. 96, 734 N.E.2d 1182 (Mass. App. 2000).
168 Id., 50 Mass. App. Ct. at 96–97, 734 N.E.2d at 1183.
169 Id., 50 Mass. App. Ct. at 97, 734 N.E.2d at 1183.
170 Mass. Ann. Laws ch. 258.
171 Tivnan, 50 Mass. App. Ct. at 97, 734 N.E.2d at 1183 (citing Mass. Ann. Laws ch. 214, § 3B and Mass. Gen. Laws ch. 66A)).
172 Id., 50 Mass. App. Ct. at 102, 734 N.E.2d at 1186 (citing Mass. Ann. Laws ch. 258, § 10(e)). The plaintiff also failed to make a proper presentment as required under § 4 of the MTCA. Id., 50 Mass. App. Ct. at 103, 734 N.E.2d at 1187 (citing Mass. Ann. Laws ch. 258, § 4).
173 391 Mass. 1, 460 N.E.2d 1032 (Mass. 1984).
174 Id., 391 Mass. at 2–3, 460 N.E.2d at 1033.
175 Id., 391 Mass. at 11–12, 460 N.E.2d at 1038–1039.
176 Id., 391 Mass. at 16, 460 N.E.2d at 1041.
177 Miotke v. Spokane, 101 Wash. 2d 307, 334, 678 P.2d 803, 819 (1984) (stating that in Evangelical United Brethren Church v. State, 67 Wash. 2d 246, 407 P.2d 440 (1965), the court created a narrow exception to governmental immunity from tort liability in instances in which public officials engage in discretionary acts based on a four-part inquiry). See also Weiss v. Fote, 7 N.Y.2d 579, 167 N.E.2d 63, 200 N.Y.S.2d 409 (1960).
178 Truman v. Griese, 762 N.W.2d 75, 85 (S.D. 2009).
state law may provide a cause of action against a government agency for a privacy violation or breach of data security. The state law may apply to private entities as well. See Section XI.B.

In summary, unless state law waives the immunity of government transit agencies, or in fact authorizes a cause of action against a government agency, a transit agency may be able to claim immunity for claims arising out of its collection, use, disclosure, or retention of a customer's personal data. Section VI.C, however, examines whether in the absence of immunity, transit agencies may be subject to claims for breach of contract or negligence for a breach of privacy or a breach of security of customers' personal data. In addition, Sections XI.C and D discuss whether transit agencies are subject to suit for violations of state privacy laws or for failing to secure data properly to avoid an unauthorized disclosure of data. Section XII discusses whether transit agencies may be subject to claims at common law for privacy violations.

C. Claims in Contract or Tort for Damages for Privacy Violations

A transit customer may have a claim for breach of an express or implied contract against a transit agency arising out of the agency's collection or handling of a customer's personal data. As a federal court in North Carolina held, when a company makes "various representations in its published privacy policy that it would safeguard customers' private information," the defendant has an "implied contractual duty to keep [the plaintiff's] private financial information…safe and secure."179

There are at least four threshold issues, however, that may preclude a claim in contract or tort against a transit agency based on its collection or use of customers' personal data. First, assuming a transit agency does not have immunity to a claim, there may be an issue as to whether a transit customer even has standing to assert a claim for breach of privacy or of the security of personal data.
For example, in Yunker v. Pandora Media, Inc.,180 the plaintiff alleged that Pandora violated Yunker's privacy by permitting "advertising libraries" to have access to his PII. The court held that the plaintiff's claim that Pandora's disclosure of his PII "diminished" the value of his PII was not sufficient to confer standing under Article III of the U.S. Constitution.181 The plaintiff's allegations that Pandora violated his privacy rights, however, were sufficient to confer standing.182 Transit customers may also be concerned that a breach of security in the handling of their personal data could result in identity theft. In Willingham v. Global Payments, Inc.,183 however, a federal court in Georgia held that the threat of future identity theft was not sufficient to confer standing.

A second issue is whether transit customers own their personal data after they have provided the data to transit agencies and others. As noted, many transit agencies that responded to the survey stated that they own the personal data that they collect. Indeed, a federal court in New York has held that because of JetBlue's privacy policy, the plaintiffs did not have "continued possessory interests over their personal information that entitled [them] to pursue legal action if ever those limits were exceeded."184 In several other cases, the courts avoided ruling on the issue of whether the plaintiff continued to own his or her personal data. A federal court in California implied that individuals may no longer own their personal data when their data appear on the Internet and in public, financial, hospital, and company databases.185

Third, in claims involving a disclosure of PII, it has been held that a plaintiff must allege and prove "actual and appreciable damage based on the collection and dissemination of his PII."186 It has also been held that a person's PII does not have any "inherent" monetary value.187 In Strautins v.
Trustwave Holdings, Inc.,188 the plaintiff Strautins brought a class action against Trustwave Holdings, Inc. (Trustwave), a provider of data security for the South Carolina Department of Revenue (SCDOR), for willful and negligent violations of the Fair Credit Reporting Act, negligence, invasion of privacy by public disclosure of private facts, and breach of contract as a third-party beneficiary. The claims arose because of two cyber attacks on SCDOR in the fall of 2012.

The court held that Strautins did not have standing because her complaint was too speculative and

179 Owens v. Dixie Motor Co., 2014 U.S. Dist. LEXIS, at *1, 62 (E.D. N.C. 2014). See also Santos-Buch v. Financial Industry Regulatory Auth., Inc., 32 F. Supp. 3d 475, 478 (S.D.N.Y. 2014) (holding in an action for breach of contract and invasion of privacy for defendant's publishing of a record of plaintiff's disciplinary action on the defendant's Web site that Santos-Buch failed to exhaust his administrative remedies).
180 2013 U.S. Dist. LEXIS 42691, at *1, 3 (N.D. Cal. 2013), motion granted by, in part, motion denied by, in part, dismissed by, in part, by 2014 U.S. Dist. LEXIS 30829, at *1 (N.D. Cal., Mar. 10, 2014).
181 Id. at *10.
182 Id.
183 2013 U.S. Dist. LEXIS 27764, at *15, 23 (N.D. Ga. 2013).
184 In re JetBlue Airways Corp. Privacy Litigation, 379 F. Supp. 2d 299, 328 (E.D. N.Y. 2005).
185 White v. Social Security Admin., 2015 U.S. Dist. LEXIS 82193, at *19 (N.D. Cal. 2015).
186 Yunker, 2013 U.S. Dist. LEXIS 42691, at *40.
187 Willingham v. Global Payments, Inc., 2013 U.S. Dist. LEXIS 27764, at *15, 23 (N.D. Ga. 2013).
188 27 F. Supp. 3d 871 (N.D. Ill. 2014).
failed to establish that Strautins' PII was in fact "stolen and compromised."189 Because all individuals who filed taxes during the relevant period did not have their data stolen, individuals whose PII may have been stolen were asked to call an SCDOR hotline to determine whether in fact their PII had been stolen. Strautins neither took the steps to verify whether her PII had been stolen nor received notice from Trustwave or SCDOR that her data had been stolen.190 Therefore, Strautins failed to meet the first element of standing, a showing of an injury.191

Fourth, transit agencies' agreements with customers, terms of use, or privacy policies may include language that would be sufficient to obtain a dismissal of a claim for breach of an express or implied contract or for negligence. In In re Sony Gaming Networks and Customer Data Security Breach Litigation,192 supra, the court dismissed the plaintiffs' claim because of an explicit disclaimer in Sony's terms of service. Likewise, in Cain v. Redbox Automated Retail, LLC, a federal court in Michigan held that the plaintiffs had consented to Redbox's disclosure of their information for the purposes identified in Redbox's privacy policy.193

D. Negligence Claims Against a Transit Agency that Involve the Collection, Use, Disclosure, or Retention of Customers' Electronic Personal Data

The courts in some cases have also dismissed negligence claims because the plaintiff was unable to allege and prove damages-in-fact.
In Sony, supra, the court held that, unless a plaintiff is able to prove a "special relationship" between the parties, a recovery in tort is barred unless the alleged economic damages are accompanied by some form of physical harm, such as personal injury or property damage.194 Moreover, in Sony, although the plaintiffs' allegations of injury were sufficient for standing, the allegations were not sufficient to state a claim for negligence or for a violation of the California Business and Professions Code – it was not enough for the plaintiffs to allege a mere danger of a future harm.195

E. Liability of Transit Agency Contractors for Misuse of Customers' Data

One article has observed that "federal and state agencies have increasingly relied on outsourcing the gathering and managing of information to private companies because they do not face the same liabilities and limitations placed [on] government agencies."196 In response to the survey, 10 transit agencies stated that their respective agency has an agreement with a contractor or agent (or other holder of customers' personal data) for the purpose of collecting, using, disclosing, and/or retaining data obtained by a contactless (or other) electronic payment system. Twenty-three agencies said that they do not have such an agreement.197

There are fewer restraints or judicial scrutiny with regard to data collected or maintained by private contractors.198 Nevertheless, as discussed in Section X, the security of personal data collected by public and/or private entities may be regulated by statute in some states. Furthermore, other state laws may apply.
In California, the Public Contract Code prohibits the release of proprietary information by a party contracting with a state agency.199 The Intelligent Transportation Society of America has issued nonbinding guidelines for its members in "an effort to self-regulate on the issue of data security and privacy protection."200

Finally, no cases were located for the digest that concerned an action by a customer against a transit agency arising out of the agency's collection or use of a customer's electronic data.

189 Id. at 874.
190 Id.
191 Id.
192 903 F. Supp. 2d 942, 968 (S.D. Cal. 2012), motion granted by, in part, motion denied by, in part, dismissed by, in part, 996 F. Supp. 2d 942 7353 (S.D. Cal. 2014).
193 2015 U.S. Dist. LEXIS 131949, at *1, 35 (E.D. Mich. 2015).
194 24 Cal. App. 3d 799, 157 Cal. Rptr. 407 (1979). See In re Sony, 903 F. Supp. 2d at 961.
195 In re Sony, 903 F. Supp. 2d at 963, 966.
196 See Frank Douma & Jordan Deckenbach, The Challenge of ITS for the Law of Privacy, 2009 U. Ill. J.L. Tech & Pol'y, 295, 312 (2009) (footnote omitted), hereinafter referred to as "Douma & Deckenbach." See also Michael A. Froomkin, Symposium: Security Breach Notification Six Years Later: Government Data Breaches, 24 Berkeley Tech. L.J. 1019, 1022, 1024 (2009) (citing Fred H. Cate, Government Data Mining: The Need for a Legal Framework, 43 Harv. C.R.-C. L. Rev. 435, 439 (2008)), hereinafter referred to as "Froomkin."
197 Agencies also provided copies of or links to their agreements with contractors involved in data collection and/or other tasks for the agencies. See Appendices C and D.
198 Douma & Deckenbach, supra note 196, at 322.
199 Cal. Pub. Code § 10426(c) (2016).
200 James D. Phillips & Katharine E. Kohm, Current and Emerging Transportation Technology: Final Nails in the Coffin of the Dying Right of Privacy, 18 Rich. J.L. & Tech.
1, P21 (2011–2012), hereinafter referred to as "Phillips & Kohm" (citing ITS America's Fair Information and Privacy Principles, at 1, http://www.itsa.org/images/mediacenter/itsaprivacyprinciples.pdf (last accessed Sept. 24, 2016)).