Legal Implications of Video Surveillance on Transit Systems (2018)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

20 principles.”265 The officers were not liable for an intentional infliction of emotional distress, because their actions were not intentional, and the plaintiff did not allege or prove any physical harm or genuine and serious mental distress.266 The New York Court of Appeals held in Brown v. State,267 a class action alleging that the actions of the police in questioning only non-white males were unconstitutional, held that “a cause of action to recover damages may be asserted against the State for a violation of the Equal Protection and Search and Seizure Clauses of the Constitution.”268 Follow- ing the precedent set in Bivens, the court held that there was an implied right of action: “implying a damage remedy here is consistent with the purpose underlying the duties imposed by these provisions and is necessary and appropriate to ensure the full realization of the rights they state.”269 However, unlike in Bivens, an immunity defense was not available because New York had waived immunity for the acts of its officers and employees.270 Although in Brown the New York Court of Appeals recognized an implied cause of action for a violation of a right to privacy, in Augat v. State,271 the Supreme Court of New York, Appellate Division held that, because the plaintiffs had adequate common law tort remedies, their claims based on alleged violations of the rights to due process or freedom of association were not cognizable.272 The court distinguished the Brown case on the basis that the plaintiff in Brown did not have an adequate, alternative remedy under the common law as the plaintiffs had in Augat.273 In Christie v. Borough of Folcroft,274 a federal court in Pennsylvania stated that state courts have allowed non-monetary relief but that no state case has upheld a claim for monetary damages under the Pennsylvania Constitution.275 In responding to the survey, nine transit agencies (12.50%) reported that their agency had been involved in an administrative proceeding or a legal action resulting from the agency’s use of video surveillance. Sixty-two agencies (86.11%) stated that they had not had any administrative or legal actions arising out the agency’s use of video surveil- lance.276 For example, the Dallas Area Rapid Transit (DART) stated that usually the surveillance issue arises in pre-trial motions but that DART has prevailed in every instance to date. Although three other agencies described their claims experience, none of the reported claims was a claim for damages based on the agencies’ use of video surveillance. Finally, no cases were located for this digest that involved a claim against a transit agency for an alleged violation of a right to privacy under a state constitution based on an agency’s use of video surveillance. VI. WHETHER THERE ARE FEDERAL AND STATE STATUTES THAT APPLY TO VIDEO SURVEILLANCE A. Evolution of Federal Statutory Privacy Rights With respect to federal statutes protecting indi- viduals’ right to privacy, the laws historically have been derived from general tort law, but government record-keeping on its citizens has resulted in “a distinct subspecies of statutory law.”277 Some federal laws, such as the Privacy Act and FOIA, broadly control the “use and disclosure of federal government records about its citizens,”278 whereas other laws, such as the Drivers Privacy and Protec- tion Act of 1994 (DPPA)279 or the Gramm–Leach– Bliley Act of 1999,280 govern narrow, specific issues that affect individuals. Although several federal laws address the privacy rights of individuals, the protec- tion of privacy has been left largely to the states.281 Although no federal statutes were located for this digest authorizing or prohibiting transit agencies’ use of video surveillance, arguably the use of video surveillance by public transit authorities is rooted 265 Id. at 1094. 266 Id. at 1095–96. 267 89 N.Y.2d 172, 652 N.Y.S.2d 223, 674 N.E.2d 1129 (1996). 268 Id. at 188, 652 N.Y.S.2d at 232–33, 674 N.E.2d at 1138–39. 269 Id. at 189, 652 N.Y.S.2d at 233, 674 N.E.2d at 1139–40. 270 Id. at 195, 652 N.Y.S.2d at 237, 674 N.E.2d at 1143 (citing N.Y. Court of Claims Act § 9(2)). 271 244 A.D.2d 835, 666 N.Y.S.2d 249 (N.Y. App. 1997). 272 Id. at 837, 666 N.Y.S.2d at 251–52. 273 Id. at 837–38, 666 N.Y.S.2d at 251–52. Furthermore, the court in Augat did not address whether there was a cause of action for the constitutional violations alleged by the plaintiffs because their notice of intention to file was untimely. Id., 666 N.Y.S.2d at 251, 244 A.D. 2d at 836–37. 274 No. 04-5944, No. 04-5972, 2005 U.S. Dist. LEXIS 21569, at *1 (E.D. Pa. 2005). 275 Id. at *37. 276 See Appendix C, transit agencies’ responses to ques- tion 23. One agency (1.39%) did not respond to the ques- tion. 277 McCarthy, supra note 124, at § 5.83. 278 Id. at § 6.135. 279 Pub. L. No. 103-322, 108 Stat. 2099 (codified at 18 U.S.C. §§ 2721–2725 (2017)). 280 Pub. L. No. 106-102, § 501, 113 Stat. 1338, (codified at 15 U.S.C. § 6801 (2017)). 281 Katz, 389 U.S. at 350–51, 88 S. Ct. at 511, 19 L. Ed. 2d at 581 (footnote omitted).

21 in federal law. For example, the FTA requires agencies receiving urbanized area grant program funds to spend 1% of the grant award on security improve- ments, including increased camera surveillance. Similarly, United States Department of Transportation regulations outline contents of security plans for certain rail systems. More- over, video surveillance systems received considerable attention in the Transit Security Design Considerations developed by the FTA to aid transit agencies in developing security strategies.282 However, an agency may decide that an expenditure for improvements in security is not necessary.283 B. Privacy Act of 1974 The Privacy Act of 1974284 protects the privacy of records maintained by federal agencies on individu- als285 and regulates the agencies’ release of individu- als’ information.286 The Act is a “reaction to the perceived threat to personal privacy presented by computerized government records about its citizens” and addresses problems “largely beyond the reach of traditional tort law.”287 The Act requires each government agency to make certain information available to the public but provides further “to the extent required to prevent a clearly unwarranted invasion of personal privacy, an agency may delete identifying details when it makes available or publishes an opinion, statement of policy, interpretation, staff manual, instruction, or copies of records referred to in subparagraph (D)….”288 The United States Department of Transportation (U.S. DOT) explains that the Privacy Act sets forth “how the federal government should treat individu- als and their information and imposes duties upon federal agencies regarding the collection, use, dissemination, and maintenance of personally identifiable information (PII).”289 The U.S. DOT also observes that § 208 of the E-Government Act of 2002 “establishes the requirement for agencies to conduct privacy impact assessments for electronic informa- tion systems and collections.”290 The Privacy Act governs government or government-controlled corporations but not private entities.291 However, the Privacy Act applies to “certain federal contractors who operate Privacy Act systems of records on behalf of federal agencies.”292 When disclosing records, no federal agency or its contractors may disclose PII without the affected individual’s written consent.293 If the Privacy Act and privacy regulations provide different standards, then a federal agency must abide by whichever provision allows for the least disclosure.294 Section 552g(1) of the Privacy Act states: Whenever any agency . . . fails to maintain any record concerning any individual with such accuracy, relevance, timeliness, and completeness as is necessary to assure fair- ness…or fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual, the individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction in the matters under the provisions of this subsection.295 There are four essential elements that must be established when a plaintiff makes a claim under the Privacy Act— (1) the information is covered by the Act as a “record” contained in a “system of records”; (2) the agency “disclosed” the information; (3) the disclosure had an “adverse effect” on the plaintiff (an element which separates itself into two components: (a) an adverse effect standing requirement and (b) a causal nexus between the disclosure and the adverse effect); and (4) the disclosure was “willful or intentional.”296 Although the Privacy Act provides that a person is entitled to recover no less than $1,000,297 the Supreme Court has held that a plaintiff must prove actual damages to recover for a violation of the Privacy Act.298 290 Id. 291 John M. Eden, When Big Brother Privatizes: Com- mercial Surveillance, the Privacy Act of 1974, and the Future of RFID, 2005 Duke l. anD tech. reV. 20, P4 & n. 16 (2005) (citing 5 U.S.C. § 522(a)(1)). 292 65 Fed. Reg. 82,462, 82,482 (December 28, 2000). 293 Id. 294 Id. 295 5 U.S.C. §§ 552(g)(1)(C)–(D) (2017) (emphasis supplied). 296 Quinn v. Stone, 978 F.2d 126, 131 (3d Cir. 1992) (emphasis supplied). 297 A. Michael Froomkin, Symposium: Security Breach Notification Six Years Later: Government Data Breaches, 24 berkeley tech. L.J. 1019, 1055, 1034 (2009) (citing 5 U.S.C. § 552(q)(4)). 298 Doe v. Chao, 540 U.S. 614, 616, 627, 124 S. Ct. 1204, 1206, 1212, 157 L. Ed. 2d 1122, 1129, 1134 (2004) (claim arising out of the government’s repeated disclosure of the claimant’s Social Security number). 282 Charles A. Valente & William D. Nagel, “Privacy Impact Assessment for the Regional Camera Project,” at 15 & n.31 (citing 49 U.S.C. § 5307(c)(1)(j)(i)) (2015), http:// www.arjis.org/RegionalPolicies/Privacy%20Impact%20 Assessment.pdf (last accessed Aug. 22, 2017). See Dow Chemical Co. v. United States, 476 U.S. 227, 233–34, 106 S. Ct. 1819, 1824, 90 L. Ed. 2d 226, 234–35 (1986) (holding that the Environmental Protection Agency did not need explicit statutory authorization to employ methods of observation available to the public). 283 49 U.S.C. § 5307(c)(1)(J)(ii) (2017). 284 See Pub. L. No. 93-579, 88 Stat. 1896, (codified at 5 U.S.C. § 552a (2017). 285 5 U.S.C. § 552a(b) (2017). See also, 5 U.S.C. § 552(d)(1) (2017); Douma & Deckenbach, supra note 122, at 306. 286 5 U.S.C. §§ 552(a) and (b) (2017). 287 McCarthy, supra note 124, at § 5.85 p. 613. 288 5 U.S.C. § 522(a)(2)(E) (2017). 289 U.S. DeP’t of tranSP., Privacy Impact Assessment (Update) National Registry of Certified Medical Examin- ers (National Registry), at 1 (Aug. 20, 2012), https://www. transportation.gov/sites/dot.dev/files/docs/FMCSA_PIA_ National_Registry_082012.pdf (last accessed Aug. 22, 2017).

22 It is not sufficient for a plaintiff to show that the govern- ment intentionally or willfully violated the Act.299 Other than the Electronic Communications Privacy Act of 1986 (ECPA)300 discussed below, no federal statutes have been identified that are implicated by government-owned or privately-owned transit agen- cies’ use of video surveillance.301 No cases were located for this digest involving a claim under the Privacy Act or other federal statute arising out of a federal agency’s use of video surveillance or the disclosure of data captured by video surveillance. C. State Statutes Applicable to Video Surveillance Although there are statutes in some states that may regulate public agencies’ use of video surveillance,302 in general, state statutes on the use of public cameras are “sparse.”303 Some statutes apply to government-owned and privately-owned transit agencies. Some transit agencies responding to the survey identified statutes or ordinances that apply to their agency’s use of video surveillance of members of the public, employees, tran- sit operators, facilities and/or equipment.304 In Arizona, it is a misdemeanor for a person to use video surveil- lance in a public place without posting a notice.305 The San Francisco Bay Area Rapid Transit District stated that California provides for a consti- tutional right to privacy but that public areas are generally exempt.306 On one hand, California has enacted legislation providing that a transit agency operated by a city or a city and county, unless three statutory exceptions apply, must “only purchase and install equipment capable of storing recorded images for at least one year….”307 On the other hand, the state’s Local Assistance for Rural and Small County Law Enforcement title provides that funds allocated under the statute may not be used for any video surveillance or monitoring of the public.308 In Vo v. City of Garden Grove,309 a California appellate court held that a municipal ordinance requiring cyber- cafes to install video surveillance cameras was not an invasion of privacy interests. The District of Columbia Code provides that the Metropolitan Police Department will “maintain a right of access to all surveillance cameras and tech- nology” in the Video Interoperability for Public Safety (VIPS) program, which is part of its Homeland Secu- rity Program, “without limitation, except as stated in applicable rules or regulations governing the VIPS program.”310 Although a Florida statute applies to surveillance used to commit an offense of video voyeurism,311 the statute does not apply when law enforcement is conducting surveillance for a law enforcement purpose, to a security system when a written notice is posted conspicuously on the premises advising of the pres- ence of a video surveillance system, or when a video surveillance device is installed so that it is “clearly and immediately obvious.”312 The Hillsborough Transit Authority reported that its video surveillance data are confidential and exempt from Florida’s Public Records Act pursuant to Fla. Stat. §§ 119.071(3)(a) and 281.313 305 Guidelines for Public Video Surveillance, supra note 6, at 12, 40 n.544 (citing ariz. reV. Stat. § 13-1309 (2001)). 306 See Appendix C, San Francisco Bay Area Rapid Transit District’s response to question 22. 307 cal. GoV’t coDe §§ 34090.8(a)(1)–(3) (2017). 308 cal. GoV’t coDe § 30070(c) (2017). 309 115 Cal. App. 4th 425, 9 Cal. Rptr. 3d 257 (Cal. App. 2004). 310 D.C. coDe § 7-2231.10(c) (2017). 311 fla. Stat. § 810.145(2) (2017). 312 fla. Stat. §§ 810.145(5)(a)–(c) (2017). Subsection (d) states that the Act does not apply to the “[d]issemination, distribution, or transfer of images subject to this section by a provider of an electronic communication service … or a provider of a remote computing service….” (internal statutory citations omitted). 313 See Appendix C, Hillsborough Transit Authority’s response to question 22. 299 Id. at 627, 124 S. Ct. at 1212, 157 L. Ed. 2d at 1134. 300 Pub. L. No. 99-508, 100 Stat. 1848. 301 Garry, Douma, & Simon, supra note 123, at 97, 103. 302 D.C. coDe § 5-133.19 (2017) (concerning regulations for use of video surveillance by Metropolitan Police Department); Mich. coMP. laWS § 330.1724(9) (2017) (video surveillance permitted in a psychiatric hospital for purposes of safety, security, and quality improvement); tex. eDuc. coDe § 29.022 (2017) (video surveillance of spe- cial education settings); and tex. health & Safety coDe ann. § 555.025 (2017) (use of surveillance in state sup- ported living centers). 303 Slobogin, supra note 23, at 272. 304 See Appendix C, transit agencies’ responses to ques- tion 22(a)–(d), including: Casco Bay Island Transit District (identifying 33 C.F.R. parts 104 and 105); Centre Area Transportation Authority (stating that wiretapping stat- utes at the state level require notification of the public); CT Transit (identifying conn. Stat. § 53a-187); Department of Transportation and Public Works identifying Florida Statute, Chapter 119 (Public Officers, Employees, and Records)); Greater Cleveland Regional Transit Authority (identifying ohio reV. coDe §§ 2933.51 and 2933.52); Metropolitan Tulsa Transit Authority (identifying Okla- homa Security of Communications Act, 13 okla. Stat. § 176.1, et seq.); Pace (Regional Transportation Authority Suburban Bus Division) (identifying 720 ILCS 5/14-1, et seq.); Rhode Island Public Transit Authority (identifying R.I. Gen. laWS §§ 12-5.1-13 and 28-6.12-10); Sacramento Regional Transit District (identifying cal. GoV’t coDe § 6250, et seq. and cal. Pub. util. coDe § 99164); Salem Area Mass Transit District (identifying or. reV. Stat. § 165.540); Santa Clara Valley Transportation Authority (identifying cal. Penal coDe § 630–38 and cal. GoV’t coDe §§ 53160 to 53162); TriMet (identifying or. reV. Stat. §§ 163.700 and 163.702); and VIA Metropolitan Transit (identifying tex. Penal coDe § 16.02 and 18 U.S.C. § 119).

23 New Hampshire prohibits the state and its politi- cal subdivisions from using video surveillance on state highways314 but permits surveillance when “[i]t is undertaken for security and to facilitate law enforce- ment in the investigation of criminal activity at the state-owned park and ride facilities that provide regu- larly scheduled public transit service….”315 As for the state of Washington, Intercity Transit advised that the use of video by the agency creates a public record as defined by RCW 42.56. These records must be preserved pursuant to RCW 40.14.070.… Our system is configured so that DVRs hold approximately 200 hours of video, which equates to 10–14 days depending on how much the vehicles are in service. If video is not viewed/downloaded pursuant to an incident, investigation or public records request it is written over.316 D. Whether State Data-Collection Statutes Apply to Video Surveillance Data Although some states ban or limit the use of certain types of technology or devices,317 there seem to be no state laws “that specifically address privacy rights and transportation technologies.”318 Statutes in some states applicable to data collection on indi- viduals by state and/or local agencies may be a source of privacy law applicable to data captured by video surveillance.319 Transit agencies will want to consider whether any state statutes that apply to government- collection of data on individuals apply to video surveillance data. However, even when state infor- mation and data privacy laws are applicable, only some of the statutes authorize a private right of action for a violation of an individual’s privacy.320 California’s Information Practices Act of 1977 governs the collection, use, and disclosure of personal information held by state agencies; however, the statute does not apply to city or county agencies.321 The Minnesota Government Data Privacy Act “regulates the collection, creation, storage, mainte- nance, dissemination, and access to government data in government entities.”322 The Minnesota Govern- ment Data Privacy Act applies to all “data in which any individual is or can be identified as the subject of that data”323 and to all data collected by the government “regardless of its physical form, storage media, or conditions of use.”324 State law in Minnesota also applies to law enforce- ment agencies that use a portable recording system in investigations or to respond to emergencies, inci- dents, and requests for service.325 A portable record- ing system refers to a device worn by a peace officer that is capable of recording both audio and video.326 Minnesota’s statute requires that a law enforcement agency notify the Bureau of Criminal Apprehension within ten days of the agency’s acquisition of new surveillance technology that enlarges the surveil- lance capability of a portable recording device.327 In Ohio, the privacy statutes that govern personal information systems require every state or local agency that maintains a personal information system to take steps and implement procedures to monitor the accuracy of data and protect personal information in the system.328 The term personal information is defined as any information that describes anything about a person, or that indicates actions done by or to a person, or that indi- cates that a person possesses certain personal characteris- tics, and that contains, and can be retrieved from a system by[] a name, identifying number, symbol, or other identifier assigned to a person.329 314 N.H. reV. Stat. ann. § 236:130(II) (2017). 315 N.H. reV. Stat. ann. § 236:130(III)(g) (2017). 316 See Appendix C, Intercity Transit’s response to question 22. 317 For a complete analysis of state personal information and data breach statutes, see larry W. thoMaS, liability of tranSPortation entity for the unintentional releaSe of Secure Data or the intentional releaSe of MonitorinG Data on MoVeMentS or actiVitieS of the Public, National Cooperative Highway Research Program Legal Research Digest No. 71, Transportation Research Board 2016), p. 33. [hereinafter LRD 71] https://www.nap.edu/read/23586/ chapter/1 (last accessed Aug. 22, 2017). 318 Douma and Deckenbach, supra note 122, at 309. 319 LRD 71, supra note 317, at 28. See California’s Infor- mation Practices Act of 1977 (IPA), cal. ciV. coDe §§ 1798, - 1798.78 (2017); Illinois’s Personal Information Protection Act, 815 ILCS §§ 530/1 – 530/50 (2017); Louisiana’s Data- base Security Breach Notification Law, la. reV. Stat. §§ 51:3071 – 51:3075 (2017); Maine’s Notice of Risk to Per- sonal Data Act, Me. reV. Stat. tit. 10, §§ 1346 – 1350-B (2017); Michigan’s Identity Theft Protection Act, Mich. coMP. laWS §§ 445.63 – 445.7d (2017); Minnesota’s Government Data Practices Act, Minn. Stat. §§ 13.01 – 13.99 (2017); Nevada’s Security of Personal Information, neV. reV. Stat. §§ 603A.030 – 603A.92 (2017); Oklahoma’s Security Breach Notification Act, okla. Stat. §§ 24-161 – 24-166 (2017); Penn- sylvania’s Breach of Personal Information Notification Act, 73 Pa. conS. Stat. §§ 2301 - 2329 (2017); Rhode Island’s Iden- tity Theft Protection Act of 2005, R.I. Gen. laWS §§ 11-49.2-1 – 11-49.2-7 (2017); Tennessee’s Identity Theft Deterrence Act of 1999, tenn. coDe §§ 47-18-2101 – 47-18-2110 (2017); and Virginia’s Government Data Collection and Dissemination Practices Act, Va. coDe ann. §§ 2.2-3800 – 2.2-3809 (2017). 320 Douma & Deckenbach, supra note 122, at 308–09. 321 cal. ciV. coDe § 1798.14 (2017). 322 Minn. Stat. § 13.01, subdiv. 3 (2017). 323 Minn. Stat. § 13.01, subdiv. 5 (2017). 324 Minn. Stat. § 13.01, subdiv. 7 (2017). 325 Minn. Stat. § 13.824(a) (2017). 326 Minn. Stat. § 13.825(b)(1) and (2) (2017). 327 Minn. Stat. § 13.825, subdiv. 10 (2017). 328 ohio reV. coDe §§ 1347.0 and 1347.05(F) and (G) (2017). The terms state agency and local agency are defined in ohio reV. coDe § 1347.01 (2017). 329 ohio reV. coDe § 1347.01(E) (2017).

24 Some of the state privacy laws authorize a private right of action for a violation of the statute.330 Although the state statutes generally do not distin- guish between intentional and non-intentional violations, a few statutes limit a cause of action to an intentional, willful, or knowing violation of privacy. In addition, as of June 2017, all states except Alabama and South Dakota, have laws requiring that notice be given to the public if there is a security breach involving data having personal information.331 Although the breach notification statutes apply to businesses and commercial entities as defined in each statute, in at least twenty-three states, the statutes also apply to government agencies.332 The statutes typically provide that encryption is a defense to a claim for a data-breach for any missing, lost, or stolen data.333 A person injured by a data-breach has a private right of action in at least thirteen states and the 330 But see, colo. reV. Stat. § 24-72-501-02(3) (2017); fla. Stat. § 627.4091(3) (2017); and S.C. coDe ann. § 30-2- 300(3) (2017) (stating that “an affected individual may petition the court for an order directing compliance with this section, but liability may not accrue”). 331 See National Conference of State Legislatures, Secu- rity Breach Notification Laws (2017), http://www.ncsl.org/ research/telecommunications-and-information-technology/ security-breach-notification-laws.aspx (last accessed Aug. 22, 2017). See also, Mintz Levin, State Data Security Breach Notification Laws (Sept. 1, 2016), hereinafter referred to as “State Breach Notification Laws,” http://www.mintz.com/ newsletter/2007/PrivSec-DataBreachLaws-02-07/state_ data_breach_matrix.pdf (last accessed Aug. 22, 2017) (analyzing state laws by data and consumers protected; the statutes’ definition of a breach; covered entities; notice pro- cedures, timing, and exemptions; whether encryption is a safe harbor; preemption; penalties; and whether the stat- utes create a private right of action). 332 alaSka. Stat. §§ 45.48.090(2)(B) and (3) (2017) (stat- ing that the term covered person includes a government agency, meaning “a state or local governmental agency, except for an agency of the judicial branch”); see also, alaSka. Stat. § 45.48.090(4) (2017) (defining the term infor- mation collector to mean a “covered person who owns or licenses personal information in any form” on a state resi- dent); cal. ciV. coDe § 1798.14 (2017) (directing an agency to maintain only relevant and necessary personal informa- tion in its records); Ga. coDe. § 10-1-911(2) (2017) (defining the term “data collector” to include “any state or local agency or subdivision thereof ... or other government entity” but excepting agency records maintained primarily for traf- fic safety, law enforcement, or licensing purposes); haW. reV. Stat. § 487 N-1 (2017) (“Government agency” means any department, division, board, commission, public corpo- ration, or other agency or instrumentality of the state or any county); iDaho coDe. § 28-51-104(1) (2017) (defining the term agency to mean any public agency as defined in iDaho coDe § 74-101); 815 ILCS § 530/5 (2017) (stating that the term data collector includes government agencies); inD. coDe § 4-1-11-4 (2017) (defining the term state agency as set forth in Indiana Code § 4-1-10-2); see also, inD. coDe § 4-1-11-5(a) (2017) (requiring state agencies to disclose security breaches); kanSaS Stat. § 50-7a01(f) (2017) (defining term person to include a government or governmental subdi- vision or agency or other entity); Maine reV. Stat. tit. 10 § 1347(5) (2017) (defining the term person to include agen- cies of state government); see also, Maine reV. Stat. 10 § 1347(3) (2017) (defining the term information broker as being inapplicable to a governmental agency whose records are maintained primarily for traffic safety, law enforcement or licensing purposes); MaSS. Gen. laWS, ch. 93H, § 1(a) (2017) (defining the term agency to include “any agency, … authority of the commonwealth, or any of its branches, or of any political subdivision thereof”); Mich. coMP. laWS § 445.63 Sec. 3(a) (2017) (defining the term agency to include “a department, board, commission, office, agency, authority, or other unit of state government of this state”); Mont. coDe. § 2-6-1501(6)(a) (2017) (defining a state agency to include “an agency, authority, … or other instrumentality of the legislative or executive branch of state government,” as well as “an employee of a state agency acting within the course and scope of employment”); neV. reV. Stat. § 603A.030 (2017) (defining the term data collector to include “any governmental agency … that … handles, col- lects, disseminates or otherwise deals with nonpublic per- sonal information”); N.J. Stat. ann. § 56:8-161 (2017) (defin- ing a public entity to include the state, county, public agency, political subdivision, or other state public body); ohio reV. coDe §§ 1347.01(A) and (B) (2017) (defining state agency and local agency, respectively); see also, ohio reV. coDe. § 1347.01(D) (2017) (defining the term maintain to mean state or local ownership of, control over, responsibility for, or accountability for data systems and §§ 1347.12(A)(1) and (B)(1) (2017) (defining agency of a political subdivision); 24 okla. Stat. § 162(2) (2017) (stating that the term entity includes “governments, governmental subdivisions, agen- cies, or instrumentalities, or any other legal entity….”); 73 Pa. conSt. Stat. § 2302 (2017) (defining the term entity to include a state agency or a political subdivision of the Commonwealth); S.C. coDe §§ 37-1-301(18) and (20) 39-1-90 (2017) (statute applying also to a “governmental subdivi- sion”); tenn. coDe § 47-18-2102(9) (2017) (defining the term person to include a “governmental agency … and any other legal or commercial entity however organized….”); Vt. Stat. tit. 9, ch. 62 § 2430(3) (2017) (defining the term data collec- tor to include the state, state agencies, and political subdivi- sions of the state); Va. coDe § 18.2-186.6 (2017) (defining the term entity to include governments, governmental sub- divisions, agencies, or instrumentalities; WaSh. reV. coDe § 42.56.590(b) (2017) (stating that the term agency has the same meaning as in § 42.56.010); W. Va. coDe § 46A-2A-101 (2017) (defining the term entity to include governments, governmental subdivisions, agencies, or instrumentalities); WiS. Stat. § 134.98(1)(a)(2) (2017) (defining the term entity to include the state and any office, department, indepen- dent agency, or state government body, as well as a city, village, town, or county); V.I. coDe, 14 V.I. coDe. ann. § 2208(b) (2017) (applicable to any agency maintaining computerized data with personal information). 333 Jill Joerling, Note: Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data, 32 WaSh. u. J.l. & Pol’y 467, 471 (2010), hereinafter referred to as “Joerling.”