National Academies Press: OpenBook

Legal Issues Concerning Transit Agency Use of Electronic Customer Data (2017)

Chapter: VI. CLAIMS IN CONTRACT OR TORT AGAINST TRANSIT AGENCIES FOR PRIVACY VIOLATIONS

Suggested Citation: "VI. CLAIMS IN CONTRACT OR TORT AGAINST TRANSIT AGENCIES FOR PRIVACY VIOLATIONS." National Academies of Sciences, Engineering, and Medicine. 2017. Legal Issues Concerning Transit Agency Use of Electronic Customer Data. Washington, DC: The National Academies Press. doi: 10.17226/24730.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Page 16

merchant’s terminal is not enabled for chip payment, or (2) the card is a chip card that prefers PIN verification and the terminal is chip-enabled requiring a signature verification.[154] Transactions that do not require cardholder verification are not affected by the liability shift.

In summary, the most common financial networks, such as Visa and Mastercard, have inaugurated and implemented standards for credit and debit cards in the form of the PCI DSS.[155] When a transit agency adopts an open bankcard method for fare payments, whether debit, credit, or prepaid, the transit agency becomes “just another merchant,” exposing the agency to payment risks such as claims for fraud and data breach.[156]

VI. CLAIMS IN CONTRACT OR TORT AGAINST TRANSIT AGENCIES FOR PRIVACY VIOLATIONS

A. Claims Against Transit Agencies for Violating a Customer’s Right to Privacy or for Breach of Security of a Customer’s Personal Data

When transit agencies have an express or implied agreement with customers regarding the agencies’ collection, use, disclosure, retention, and/or security of customers’ personal data, a customer may have a claim for breach of contract. A customer may have a tort claim against an agency even without an agreement when an agency fails to exercise due care in respect to the customer’s data.

Nevertheless, no transit agency that responded to the survey reported that within the past 5 years, a customer had brought a legal action against the agency (or a contractor or agent of the agency) for an alleged violation of a customer’s privacy rights because of the agency’s collection or use of a customer’s personal data or because of a security breach.

B. Whether Claims Against Government-Owned Transit Agencies Are Barred by Sovereign Immunity

When a transit agency is government-owned, there is a threshold question of whether the agency has immunity from certain claims, particularly claims for negligence or other torts. Only five transit agencies that responded to the survey stated, however, that they had sovereign immunity to tort claims arising out of their collection of customers’ personal data.[157] The liability of a government-owned entity in tort varies from state to state depending on the extent to which the state legislature has waived immunity, as well as on the courts’ interpretation of the applicable legislation.[158]

It is important to note that in states where a tort claims act permits a plaintiff to sue a public entity in tort, the legislation may have specific exceptions, exemptions, or exclusions to liability. For example, in Florida, the State waives sovereign immunity in tort for itself and its agencies and subdivisions, “but only to the extent specified in this act.”[159]

A state tort claims act may apply only to the state and state agencies or to both state and local governments and their agencies. Some states have tort claims acts that apply specifically to local governments and their agencies. For example, the Illinois Local Governmental and Governmental Employees Immunity Act has “an extensive list of immunities based on specific governmental functions.”[160]

Because tort claims acts and similar legislation that affect governmental immunity are in derogation of

[154] Id. at 3.
[155] Transit Payment Systems, supra note 2, at 5.
[156] Quibria, supra note 2, at 5, 14.
[157] Central Florida Regional Transportation Authority (stating that the agency is protected by Florida statute and that its liability is limited to $200,000 per person and $300,000 per event); Lane Transit District (stating that the Oregon Tort Claims Act, Or. Rev. Stat. §§ 30.260 to 30.300, which is a limited waiver of sovereign immunity, may apply); Metro Regional Transportation Authority (citing Ohio Rev. Code, ch. 2744); Port Authority of Allegheny County, Pennsylvania (stating that as a Commonwealth Agency, the Authority is protected by 42 Pa. Con. Stat. Ann. § 8521, et. seq.); and Regional Transportation District, Denver, Colorado (stating that “[t]o the extent such actions lie in tort or could lie in tort and RTD has not waived liability (i.e., motor vehicles, dangerous buildings, etc.) for such actions, the RTD is immune from such related to breach of security of personal data and the right to privacy”) (citing Colo. Rev. Stat. § 24-10-108)).
[158] See Larry W. Thomas, Tort Liability of Highway Agencies, in 4 Selected Studies in Transportation Law (2003).
[159] Fla. Stat. § 768.28(1) (2016) (emphasis supplied) [eff. until Dec. 31, 2018]. Although the applicable Florida Statute must be consulted in its entirety, Fla. Stat. § 768.28(1) further provides that [a]ctions at law against the state or any of its agencies or subdivisions to recover damages in tort for money damages against the state or its agencies or subdivisions for injury or loss of property, personal injury, or death caused by the negligent or wrongful act or omission of any employee of the agency or subdivision while acting within the scope of the employee’s office or employment under circumstances in which the state or such agency or subdivision, if a private person, would be liable to the claimant.
[160] Sexton v. City of Chicago, 976 N.E.2d 526, 540 (Ill. App. 2012) (some internal quotation marks omitted).

Page 17

the common law, the courts typically strictly construe the legislation.[161]

Government agencies may have immunity even for claims for an unauthorized disclosure of personal data. In Axtell v. University of Texas,[162] a Texas appellate court held that the disclosure by a state agency of confidential information was not actionable because the State had retained its immunity under the state tort claims act. In Axtell, a student sued a state university and its employees for sending the student’s educational records by a telefax machine to a local radio station without the student’s consent.[163] The court held, however, that the university employees’ negligence was not their use of a telefax machine but their release of the plaintiff’s information by whatever means.[164] Thus, the Texas Tort Claims Act’s limited waiver of immunity that applies to the use of tangible personal or real property did not apply to the disclosure of the plaintiff’s information.[165] Because immunity for the release of personal information had not been waived, the court affirmed the trial court’s dismissal of the plaintiff’s action.[166]

In Tivnan v. Registrar of Motor Vehicles,[167] the plaintiff sued employees of the Registry of Motor Vehicles for issuing a duplicate of his driver’s license to another individual in violation of Massachusetts Annotated Laws, Chapter 66A.[168] The imposter ruined the plaintiff’s credit and amassed over $150,000 in debt in the name of the plaintiff.[169] The Massachusetts Appeals Court affirmed the trial court’s grant of a summary judgment and held that the privacy issue was governed by the Massachusetts Tort Claims Act (MTCA).[170] The MTCA superseded Massachusetts Annotated Laws, Chapter 214, Section 3B, which provided that “parties injured by the violation of G. L. c. 66A [may] claim damages for injury against public employers….”[171] The appeals court affirmed the trial court’s decision because under the MTCA, “the issuance of a license [is] specifically immunized” under Section 10(e).[172]

In Torres v. Attorney General,[173] however, the plaintiff alleged that the Department of Social Services violated Massachusetts General Law, Chapter 66A, when the department released information to the Assistant Attorney General that contained the plaintiff’s geographic location.[174] The Supreme Judicial Court of Massachusetts held that the release was a violation of Massachusetts law. First, the plaintiff did not consent to the access to his personal data, and second, there was “no legislative intent to grant the office of the Attorney General access to personal data held by one State agency simply because a data subject has brought a suit against one or more other State agencies.”[175] The case was remanded to the Superior Court for an assessment of damages, attorney’s fees, and costs.[176]

Finally, public entities such as transit agencies may have immunity for claims arising out of their discretionary decisions. Immunity for a public entity’s discretionary action may be recognized under a state’s common law and/or be an exception to a public entity’s liability under a state’s tort claims act or similar legislation. The courts have held that a government decision or function is discretionary in nature when the decision making occurred at the planning level and/or the decision making involved the consideration or evaluation of broad policy factors.[177] Whether a governmental decision is discretionary and entitled to immunity is a question of law decided by the court.[178]

No cases were located for the digest, however, that involved the question of whether a transit agency has immunity for a claim that arises out of an agency’s collection, use, disclosure, or retention of data on the basis that the alleged privacy violation resulted from an agency’s policy-level decision or exercise of discretion. Indeed,

[161] Nawrocki v. Macomb County Road Commission, 463 Mich. 143, 151, 615 N.W.2d 702, 707 (Mich. 2000) (Supreme Court of Michigan stating that “prior decisions of this Court…improperly broadened the scope of the highway exception” to governmental immunity and holding that the court was “duty bound to overrule past decisions that depart from a narrow construction and application of the highway exception….”).
[162] 69 S.W.3d 201 (Tex. App. 2002).
[163] Id. at 263.
[164] Id. at 266.
[165] Id.
[166] Id. at 267.
[167] 50 Mass. App. Ct. 96, 734 N.E.2d 1182 (Mass. App. 2000).
[168] Id., 50 Mass. App. Ct. at 96–97, 734 N.E.2d at 1183.
[169] Id., 50 Mass. App. Ct. at 97, 734 N.E.2d at 1183.
[170] Mass. Ann. Laws ch. 258.
[171] Tivnan, 50 Mass. App. Ct. at 97, 734 N.E.2d at 1183 (citing Mass. Ann. Laws ch. 214, § 3B and Mass. Gen. Laws ch. 66A)).
[172] Id., 50 Mass. App. Ct. at 102, 734 N.E.2d at 1186 (citing Mass. Ann. Laws ch. 258, § 10(e)). The plaintiff also failed to make a proper presentment as required under § 4 of the MTCA. Id., 50 Mass. App. Ct. at 103, 734 N.E.2d at 1187 (citing Mass. Ann. Laws ch. 258, § 4).
[173] 391 Mass. 1, 460 N.E.2d 1032 (Mass. 1984).
[174] Id., 391 Mass. at 2–3, 460 N.E.2d at 1033.
[175] Id., 391 Mass. at 11–12, 460 N.E.2d at 1038–1039.
[176] Id., 391 Mass. at 16, 460 N.E.2d at 1041.
[177] Miotke v. Spokane, 101 Wash. 2d 307, 334, 678 P.2d 803, 819 (1984) (stating that in Evangelical United Brethren Church v. State, 67 Wash. 2d 246, 407 P.2d 440 (1965), the court created a narrow exception to governmental immunity from tort liability in instances in which public officials engage in discretionary acts based on a four-part inquiry). See also Weiss v. Fote, 7 N.Y.2d 579, 167 N.E.2d 63, 200 N.Y.S.2d 409 (1960).
[178] Truman v. Griese, 762 N.W.2d 75, 85 (S.D. 2009).

Page 18

state law may provide a cause of action against a government agency for a privacy violation or breach of data security. The state law may apply to private entities as well. See Section XI.B.

In summary, unless state law waives the immunity of government transit agencies, or in fact authorizes a cause of action against a government agency, a transit agency may be able to claim immunity for claims arising out of its collection, use, disclosure, or retention of a customer’s personal data. Section VI.C, however, examines whether in the absence of immunity, transit agencies may be subject to claims for breach of contract or negligence for a breach of privacy or a breach of security of customers’ personal data. In addition, Sections XI.C and D discuss whether transit agencies are subject to suit for violations of state privacy laws or for failing to secure data properly to avoid an unauthorized disclosure of data. Section XII discusses whether transit agencies may be subject to claims at common law for privacy violations.

C. Claims in Contract or Tort for Damages for Privacy Violations

A transit customer may have a claim for breach of an express or implied contract against a transit agency arising out of the agency’s collection or handling of a customer’s personal data. As a federal court in North Carolina held, when a company makes “various representations in its published privacy policy that it would safeguard customers’ private information,” the defendant has an “implied contractual duty to keep [the plaintiff’s] private financial information…safe and secure.”[179]

There are at least four threshold issues, however, that may preclude a claim in contract or tort against a transit agency based on its collection or use of customers’ personal data.

First, assuming a transit agency does not have immunity to a claim, there may be an issue as to whether a transit customer even has standing to assert a claim for breach of privacy or of the security of personal data. For example, in Yunker v. Pandora Media, Inc.,[180] the plaintiff alleged that Pandora violated Yunker’s privacy by permitting “advertising libraries” to have access to his PII. The court held that the plaintiff’s claim that Pandora’s disclosure of his PII “diminished” the value of his PII was not sufficient to confer standing under Article III of the U.S. Constitution.[181] The plaintiff’s allegations that Pandora violated his privacy rights, however, were sufficient to confer standing.[182] Transit customers may also be concerned that a breach of security in the handling of their personal data could result in identity theft. In Willingham v. Global Payments, Inc.,[183] however, a federal court in Georgia held that the threat of future identity theft was not sufficient to confer standing.

A second issue is whether transit customers own their personal data after they have provided the data to transit agencies and others. As noted, many transit agencies that responded to the survey stated that they own the personal data that they collect. Indeed, a federal court in New York has held that because of JetBlue’s privacy policy, the plaintiffs did not have “continued possessory interests over their personal information that entitled [them] to pursue legal action if ever those limits were exceeded.”[184] In several other cases, the courts avoided ruling on the issue of whether the plaintiff continued to own his or her personal data. A federal court in California implied that individuals may no longer own their personal data when their data appear on the Internet and in public, financial, hospital, and company databases.[185]

Third, in claims involving a disclosure of PII, it has been held that a plaintiff must allege and prove “actual and appreciable damage based on the collection and dissemination of his PII.”[186] It has also been held that a person’s PII does not have any “inherent” monetary value.[187] In Strautins v. Trustwave Holdings, Inc.,[188] the plaintiff Strautins brought a class action against Trustwave Holdings, Inc. (Trustwave), a provider of data security for the South Carolina Department of Revenue (SCDOR), for willful and negligent violations of the Fair Credit Reporting Act, negligence, invasion of privacy by public disclosure of private facts, and breach of contract as a third-party beneficiary. The claims arose because of two cyber attacks on SCDOR in the fall of 2012.

The court held that Strautins did not have standing because her complaint was too speculative and

[179] Owens v. Dixie Motor Co., 2014 U.S. Dist. LEXIS, at *1, 62 (E.D. N.C. 2014). See also Santos-Buch v. Financial Industry Regulatory Auth., Inc., 32 F. Supp. 3d 475, 478 (S.D.N.Y. 2014) (holding in an action for breach of contract and invasion of privacy for defendant’s publishing of a record of plaintiff’s disciplinary action on the defendant’s Web site that Santos-Buch failed to exhaust his administrative remedies).
[180] 2013 U.S. Dist. LEXIS 42691, at *1, 3 (N.D. Cal. 2013), motion granted by, in part, motion denied by, in part, dismissed by, in part, by 2014 U.S. Dist. LEXIS 30829, at *1 (N.D. Cal., Mar. 10, 2014).
[181] Id. at *10.
[182] Id.
[183] 2013 U.S. Dist. LEXIS 27764, at *15, 23 (N.D. Ga. 2013).
[184] In re JetBlue Airways Corp. Privacy Litigation, 379 F. Supp. 2d 299, 328 (E.D. N.Y. 2005).
[185] White v. Social Security Admin., 2015 U.S. Dist. Lexis 82193, at *19 (N.D. Cal. 2015).
[186] Yunker, 2013 U.S. Dist. LEXIS 42691, at *40.
[187] Willingham v. Global Payments, Inc., 2013 U.S. Dist. LEXIS 27764, at *15, 23 (N.D. Ga. 2013).
[188] 27 F. Supp. 3d 871 (N.D. Ill. 2014).

Page 19

failed to establish that Strautins’ PII was in fact “stolen and compromised.”[189] Because all individuals who filed taxes during the relevant period did not have their data stolen, individuals whose PII may have been stolen were asked to call an SCDOR hotline to determine whether in fact their PII had been stolen. Strautins neither took the steps to verify whether her PII had been stolen nor received notice from Trustwave or SCDOR that her data had been stolen.[190] Therefore, Strautins failed to meet the first element of standing, a showing of an injury.[191]

Fourth, transit agencies’ agreements with customers, terms of use, or privacy policies may include language that would be sufficient to obtain a dismissal of a claim for breach of an express or implied contract or for negligence. In In re Sony Gaming Networks and Customer Data Security Breach Litigation,[192] supra, the court dismissed the plaintiffs’ claim because of an explicit disclaimer in Sony’s terms of service. Likewise, in Cain v. Redbox Automated Retail, LLC, a federal court in Michigan held that the plaintiffs had consented to Redbox’s disclosure of their information for the purposes identified in Redbox’s privacy policy.[193]

D. Negligence Claims Against a Transit Agency that Involve the Collection, Use, Disclosure, or Retention of Customers’ Electronic Personal Data

The courts in some cases have also dismissed negligence claims because the plaintiff was unable to allege and prove damages-in-fact. In Sony, supra, the court held that, unless a plaintiff is able to prove a “special relationship” between the parties, a recovery in tort is barred unless the alleged economic damages are accompanied by some form of physical harm, such as personal injury or property damage.[194] Moreover, in Sony, although the plaintiffs’ allegations of injury were sufficient for standing, the allegations were not sufficient to state a claim for negligence or for a violation of the California Business and Professions Code—it was not enough for the plaintiffs to allege a mere danger of a future harm.[195]

E. Liability of Transit Agency Contractors for Misuse of Customers’ Data

One article has observed that “federal and state agencies have increasingly relied on outsourcing the gathering and managing of information to private companies because they do not face the same liabilities and limitations placed [on] government agencies.”[196] In response to the survey, 10 transit agencies stated that their respective agency has an agreement with a contractor or agent (or other holder of customers’ personal data) for the purpose of collecting, using, disclosing, and/or retaining data obtained by a contactless (or other) electronic payment system. Twenty-three agencies said that they do not have such an agreement.[197]

There are fewer restraints or judicial scrutiny with regard to data collected or maintained by private contractors.[198] Nevertheless, as discussed in Section X, the security of personal data collected by public and/or private entities may be regulated by statute in some states. Furthermore, other state laws may apply. In California, the Public Contract Code prohibits the release of proprietary information by a party contracting with a state agency.[199] The Intelligent Transportation Society of America has issued nonbinding guidelines for its members in “an effort to self-regulate on the issue of data security and privacy protection.”[200]

Finally, no cases were located for the digest that concerned an action by a customer against a transit agency arising out of the agency’s collection or use of a customer’s electronic data.

[189] Id. at 874.
[190] Id.
[191] Id.
[192] 903 F. Supp. 2d 942, 968 (S.D. Cal. 2012), motion granted by, in part, motion denied by, in part, dismissed by, in part, 996 F. Supp. 2d 942 7353 (S.D. Cal. 2014).
[193] 2015 U.S. Dist. LEXIS 131949, at *1, 35 (E.D. Mich. 2015).
[194] 24 Cal. App. 3d 799, 157 Cal. Rptr. 407 (1979). See In re Sony, 903 F. Supp. 2d at 961.
[195] In re Sony, 903 F. Supp. 2d at 963, 966.
[196] See Frank Douma & Jordan Deckenbach, The Challenge of ITS for the Law of Privacy, 2009 U. Ill. J.L. Tech & Pol’y, 295, 312 (2009) (footnote omitted), hereinafter referred to as “Douma & Deckenbach.” See also Michael A. Froomkin, Symposium: Security Breach Notification Six Years Later: Government Data Breaches, 24 Berkeley Tech. L.J. 1019, 1022, 1024 (2009) (citing Fred H. Cate, Government Data Mining: The Need for a Legal Framework, 43 Harv. C.R.-C. L. Rev. 435, 439 (2008)), hereinafter referred to as “Froomkin.”
[197] Agencies also provided copies of or links to their agreements with contractors involved in data collection and/or other tasks for the agencies. See Appendices C and D.
[198] Douma & Deckenbach, supra note 196, at 322.
[199] Cal. Pub. Code § 10426(c) (2016).
[200] James D. Phillips & Katharine E. Kohm, Current and Emerging Transportation Technology: Final Nails in the Coffin of the Dying Right of Privacy, 18 Rich. J.L. & Tech. 1, P21 (2011–2012), hereinafter referred to as “Phillips & Kohm” (citing ITS America’s Fair Information and Privacy Principles, at 1, http://www.itsa.org/images/mediacenter/itsaprivacyprinciples.pdf (last accessed Sept. 24, 2016)).


TRB's Transit Cooperative Research Program (TCRP) Legal Research Digest (LRD) 48: Legal Issues Concerning Transit Agency Use of Electronic Customer Data explores the advantages, disadvantages, risks, and benefits for transit agencies moving to electronic, cloud-based, and other computerized systems for fare purchases and for communicating with customers. “Smart” fare cards are now commonplace, and private businesses and transit agencies are using or planning to use smartphones, smart cards and credit cards, and other systems to obtain payment, location, and other personal data from customers.

This digest updates TCRP LRD 14: Privacy Issues in Public Transportation (2000) and TCRP LRD 25: Privacy Issues with the Use of Smart Cards (2008) and covers additional dimensions of collection and use of personal information using new technologies developed since those studies. Appendices A-D are available online only.
