Protecting Personal Data in Public Transit

 Efforts to modernize public transit and provide better, more efficient services regularly require information about who, when, where, and how transit services are being used. Expanding data collection, however, increases the importance of strong, secure data management and privacy practices—something lacking in many U.S. transit agencies. The latest Mineta Transportation Institute (MTI) perspective, Personal Data Protection as a Driver for Improved Cybersecurity Practices in U.S. Public Transit, explores how the increase in cyberattacks against public transit agencies further underscores the importance and increasing responsibility transit agencies have to prioritize the protection of any personal data they collect, retain, or distribute.

A few of the issues further explored in the perspective include:

• The use of and debates surrounding facial recognition software—including previous interest expressed by Bay Area Rapid Transit (BART) leadership.

• The issues arising from the shift in fare payment systems from tokens and tickets to digital wallets and contactless credit cards, which potentially exposes Personally Identifiable Information (PII) to breaches.

• The unmistakable convenience and security challenges of increasingly common open-loop systems—mobile payment systems that allow users to pay for goods and services at multiple vendors using a single digital wallet or credit/debit card that gets processed by the regular card payment system and shows up on the customer’s monthly statement (e.g., Visa, Apple Pay, etc.) vs. closed-loop systems, which only allow for payment at a specific vendor (e.g. Starbucks app, reloadable transit cards, etc.)

• And other closely related topics, such as Health Insurance Portability and Accountability Act‘s (HIPAA) and paratransit, steps to protect PII, etc. 

“There are 17 countries with comprehensive national data protection laws in place—the United States is not among them,” emphasizes Principal Investigator Scott Belcher. “As more countries enact laws governing the data of their residents, U.S. entities are going to face an increasingly complex process of navigating extra-territorial and data export requirements.” 

As the U.S. Government pays increasing attention to the cyber vulnerabilities at public and private companies alike, the authors expect more federal and state guidance—if not laws—to pass in the coming years. Addressing these issues now means taking steps toward protecting personal data and building more robust cybersecurity practices. 

ABOUT THE MINETA TRANSPORTATION INSTITUTE

At the Mineta Transportation Institute (MTI) at San Jose State University (SJSU) our mission is to increase mobility for all by improving the safety, efficiency, accessibility, and convenience of our nations’ transportation system. Through research, education, workforce development and technology transfer, we help create a connected world. Founded in 1991, MTI is funded through the US Departments of Transportation and Homeland Security, the California Department of Transportation, and public and private grants, including those made available by the Road Repair and Accountability Act of 2017 (SB1). MTI is affiliated with SJSU’s Lucas College and Graduate School of Business.

ABOUT THE PRINCIPAL INVESTIGATOR

Scott Belcher is an MTI Research Associate and the President and CEO of SFB Consulting, LLC, where he specializes in transportation, transportation technology, the internet of things, smart cities, and the environment. Mr. Belcher serves on a number of public and private advisory boards. Mr. Belcher holds a JD from the University of Virginia, a Masters of Public Policy degree from Georgetown University, and a Bachelor of Arts degree from the University of Redlands in Redlands, California.

Media Contact:

Irma Garcia, 

MTI Communications and Operations Manager

O: 408-924-7560

E: Irma.garcia@sjsu.edu