The latest perspective from the Mineta Transportation Institute (MTI) reiterates the importance – and responsibility – that transit agencies must bolster protection of personal data they collect, retain or distribute, especially as cyberattacks have been increasing among transit agencies.
The report, “Personal Data Protection as a Driver or Improved Cybersecurity Practices in U.S. Public Transit,” outlines the new data gathering opportunities the transit industry has access to collect Personal Identifiable Information (PII) and warns about the potential consequences a breach of the information could bring.
“Ultimately, transit agencies will be held to account just as any other business will be — regardless of industry — for the security of the data they collect, process and leverage for service delivery or other purposes. A failure to protect personal data in the process not only has a direct impact on the data owner, but it can also have a material impact on an agency’s operations, finances, compliance status and reputation,” the authors of the paper write.
A few of the issues further explored in the paper include:
- The use of and debates surrounding facial recognition software.
- The issues arising from the shift in fare payment systems from tokens and tickets to digital wallets and contactless credit cards, which potentially exposes PII to breaches.
- The convenience and security challenges of increasingly common open-loop systems—mobile payment systems that allow users to pay for goods and services at multiple vendors using a single digital wallet or credit/debit card that gets processed by the regular card payment system and shows up on the customer’s monthly statement (e.g., Visa, Apple Pay, etc.) vs. closed-loop systems, which only allow for payment at a specific vendor (e.g. Starbucks app, reloadable transit cards, etc.).
- And other closely related topics, such as Health Insurance Portability and Accountability Act‘s (HIPAA) and paratransit, steps to protect PII.
The paper recommends transit agencies and their vendors adequately account for and manage PII protection as part of an enterprise risk management policy and practice. The perspective also includes six steps to protect PII:
- Define PII for your organization and identify existing data that falls within these parameters already collected and stored by the organization.
- Review the types of information being collected, how it is used and whether the use case is worth the risk of storing the data.
- Articulate the organization’s privacy policies in accordance with local, state and federal laws, business needs, legal ramifications and customer data privacy interests.
- Ensure proper controls are in place, per agency cybersecurity policies and protocols, to limit internal and external access to PII.
- If data is managed by a vendor, include data collection, use and storage requirements in proposal requests and contracts—spell out the expectation that agency vendors must protect transit customer data.
- If the agency does not yet have the cybersecurity capabilities to reliably secure specific data flows, consider forgoing collection until such time that securing it is possible.
“There are 17 countries with comprehensive national data protection laws in place—the United States is not among them,” noted Principal Investigator Scott Belcher. “As more countries enact laws governing the data of their residents, U.S. entities are going to face an increasingly complex process of navigating extra-territorial and data export requirements.”
The authors expect more federal and state guidance, and possibly laws, to pass in the coming years as the U.S. government pays increasing attention to the cyber vulnerabilities at public and private companies. The authors say addressing these issues now means taking steps toward protecting personal data and building more robust cybersecurity practices.
The paper comes just more than a year after MTI published a report assessing the transit industry’s preparedness against cyberattacks. That report found most transit agencies do not have many of the basic policies or personnel in place to respond to a cyber incident.
In early December, the Transportation Security Administration published Security Directives for higher-risk freight and passenger rail and rail transit entities requiring owners and operators to designate a cybersecurity coordinator, report incidents within 24 hours, develop and implement a cybersecurity incident response plan and complete a cybersecurity vulnerability assessment.
The requirements included in the Security Directives apply to a select group of rail owners/operators. TSA also issued an Information Circular encouraging all owners/operators to implement the actions laid out in the Security Directives.
The perspective can be viewed on MTI's website.
