included in the cost of the equipment that the Air Force purchased from IDP, and because the contract did not require the Air Force to pay additionally or separately for warranty or upgrade services.370

Warranties, of course, may be disclaimed. In a case subject to New York law, including the New York UCC, Shema Kolainu-Hear Our Voices v. ProviderSoft, LLC,371 the plaintiff alleged claims for breach of implied warranty of merchantability, implied warranty of fitness for a particular purpose, and express warranty, as well as other claims. The contract contained an "explicit disclaimer of all warranties."372 In upholding the disclaimer, the court ruled that there was no "substantive unconscionability" that rendered the contract unenforceable.373

In responding to the survey, thirty-four agencies stated that they had secured the provisions that they wanted on a contractor's, developer's, licensor's, or vendor's representations and warranties.374

VIII. TECHNOLOGY CONTRACTS AND PROTECTION AGAINST CLAIMS ARISING UNDER STATE PRIVACY AND DATA-BREACH NOTIFICATION LAWS

A. Introduction

Transit agencies require that technology they procure will safeguard the data that transit agencies collect and use. Transit agencies, as other data-collectors or -processors, are concerned about their potential liability because of a data breach and the disclosure of their customers' personally identifiable information (PII) and other personal data. Although this part of the report briefly discusses privacy and security issues, they are addressed in detail in two recent Transportation Research Board legal publications.375

B. States Having Breach Notification Statutes That Apply to Government Agencies

All states, except Alabama, New Mexico, and South Dakota, have enacted laws requiring that notice be given to the public when there is a security breach involving personal data.376 In at least twenty-three states, the breach notification statutes that apply to businesses and commercial entities also apply to government agencies.377

Although some state privacy and data-breach notification laws provide for enforcement and civil penalties, in at least thirteen states and the District of Columbia, a person injured by a data breach has a private right of action.378 However, at least four states exempt government agencies from "enforcement proceedings."379 Some of the statutory provisions regarding enforcement, such as for damages or a civil penalty, apply to an agency's failure to give notice of a security breach, whereas some provisions apply to any violation of the state's privacy act protecting personal information maintained by an agency.

Of the states in which the breach notification laws apply to government agencies, the states differ regarding a right of action against government agencies for a violation of the statute. In some states, no action is permitted against government entities,380 or there is no provision for a private right of action.381

C. Claims Against Transit Agencies for Privacy Violations

Some state privacy statutes allow a plaintiff to recover actual damages for a privacy violation caused

370 Id. at 1322, 1323.

371 832 F. Supp. 2d 194 (E.D.N.Y. 2010).

372 Id. at 200.

373 Id. at 201–02.

374 See Appendix C, transit agencies' responses to question 14(c). Six agencies said that they had been unable to secure the terms that they wanted. Id. Two agencies did not respond to the question. Id.

375 Dr. Larry W. Thomas, Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public, Legal Research Digest No. 71, National Highway Cooperative Research Program, Transportation Research Board of the National Academies of Sciences, Engineering and Medicine, Washington, D.C., 2016, https://www.nap.edu/read/23586/chapter/1 (last accessed Feb. 24, 2017), and Dr. Larry W. Thomas, Legal Issues Concerning Transit Agency Use of Customers' Electronic Personal Data, Legal Research Digest No. 48, Transit Cooperative Research Program, Transportation Research Board of the National Academies of Sciences, Engineering and Medicine, Washington, D.C., 2017.

376 See Security Breach Notification Laws, National Conference of State Legislatures (April 12, 2017), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (last accessed Feb. 24, 2017).

377 Id.

378 See id. (other citations omitted).

379 Haw. Rev. Stat. Ann. § 487N-2 (2016); Fla. Stat. Ann. § 817.5681 (2016); Me. Rev. Stat. Ann. tit. 10, § 1349 (2016); and Tenn. Code Ann. § 47-18-2107 (2016).

380 See Haw. Rev. Stat. § 487N-3(a) (2016) and Me. Rev. Stat. § 1349(2)(A) (2016) (stating that provisions on enforcement and for imposition of civil penalties for violations of Maine's statute on Notice of Risk to Personal Data are not applicable to the state).

381 See Ga. Code Ann. § 10-1-910, et seq. (2016); 815 ILCS § 530/20 (2016) (no specific penalty found that applies to government agencies but a violation constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act); Ind. Code § 4-1-11-2, et seq. (2016) (no provision located that permitted a civil action or imposed a civil penalty for a violation); and N.J. Stat. Ann. § 56:8-166 (2016) (although stating that it is "unlawful…to willfully, knowingly or recklessly violate sections 10 through 13 of this amendatory and supplementary act," no provision located authorizing a cause of action or imposing a specific civil penalty).