National Academies Press: OpenBook

Legal Issues and Emerging Technologies (2022)

Chapter: V. CYBERSECURITY

Suggested Citation:"V. CYBERSECURITY." National Academies of Sciences, Engineering, and Medicine. 2022. Legal Issues and Emerging Technologies. Washington, DC: The National Academies Press. doi: 10.17226/26786.


TCRP LRD 59

secret that is the subject of the action.”[254] Owners may also obtain damages for actual loss caused by the misappropriation of the trade secret.[255] The DTSA supplements, but does not preempt, state law.[256]

D. UTSA and State Laws

Technology acquired or developed by transit agencies may be protected as a trade secret under a state’s UTSA that applies to a misappropriation of trade secrets.[257] UTSA is a model law drafted by the National Conference of Commissioners on Uniform State Laws. It codifies the basic principles of common law trade secret protection.

Forty-nine states, the District of Columbia, and the U.S. Virgin Islands have adopted the UTSA in modified or unmodified form. New York is the only state that has yet to adopt the UTSA in any form.[258]

The UTSA has three primary functions: (i) defines the types of information eligible for trade secret protection; (ii) provides a private cause of action for trade secret misappropriation; and (iii) provides remedies for misappropriation, including injunctions, damages and, in certain cases, attorneys’ fees. The UTSA defines “trade secret” as follows:

“Trade secret” means information, including a formula, pattern, compilation, program, device, method, technique, or process, that:
(i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and
(ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.[259]

California courts have found that “information” has a broad meaning under the California UTSA:

The definition of trade secret is ... unlimited as to any particular class or kind of matter and may be contrasted with matter eligible for patent or copyright protection, which must fall into statutorily defined categories. A trade secret may consist of any formula, pattern, device or compilation of information which is used in one’s business, and which gives him an opportunity to obtain an advantage over competitors who do not know or use it. It may be a formula for a chemical compound, a process of manufacturing, treating or preserving materials, a pattern for a machine or other device or list of customers.[260]

Under Washington law, key “in determining whether information has ‘independent economic value,’ as required to be considered a trade secret, is the effort and expense required to develop it.”[261]

In Missouri, to determine whether information is actually a trade secret, courts consider factors such as “the extent to which the information is known outside of [plaintiff’s] business; ... the amount of effort or money expended by [plaintiff] in developing the information; [and] ... the ease or difficulty with which the information could be properly acquired or duplicated by others.”[262]

New York, which has not adopted the UTSA, uses a six-factor balancing test to determine whether information qualifies as a “trade secret.” The general common law definition of a trade secret is “any formula, pattern, device or compilation of information which is used in one’s business, and which gives [the business owner] an opportunity to obtain an advantage over competitors who do not know or use it.”[263] Courts consider the following factors as guideposts in determining whether information qualifies as a trade secret, although no one factor is dispositive:

(1) the extent to which the information is known outside of [the] business;
(2) the extent to which it is known by employees and others involved in [the] business;
(3) the extent of measures taken by [the business] to guard the secrecy of the information;
(4) the value of the information to [the business] and [its] competitors;
(5) the amount of effort or money expended by [the business] in developing the information; and
(6) the ease or difficulty with which the information could be properly acquired or duplicated by others.[264]

None of these factors is intended to be dispositive. The New York definition of trade secret could potentially cover more information than the UTSA.

V. CYBERSECURITY

Separate from data privacy is data security. Transit agency information technology (IT) systems collect and maintain vast amounts of PII and other sensitive information about the security, operations, facilities, critical infrastructure, and other assets or capital projects. Disclosure of this information could be detrimental to the security of transit operations, infrastructure, employees, or customers.

As new technologies emerge, the security of data collected and the protection of systems against intrusion will be prominent concerns. The same principles and practices that govern securing existing technology will generally apply to innovative and untested technologies. Transit agencies must protect the confidentiality, integrity, and availability of PII and effectively respond to data breaches and security incidents. Similarly, there is the need to protect computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.[265] Taken as a whole, this is cybersecurity.

There are state laws, regulations, and guidelines that require data collectors and processors to limit access to—and protect the security of—customers’ personal data. It is important for transit agency lawyers to understand these laws to help their organizations manage risks by implementing and maintaining appropriate privacy and data security policies and procedures. Similar to the private sector, state and local government agencies are subject to a patchwork of data security laws and other restrictions when collecting, storing, using, and disclosing PII. Many states have enacted general data security and breach notification statutes that typically apply equally to government and private entities.

A. Cyber Threats

A cyberattack can take many forms. A cyber attacker may breach systems and steal consumer credit card data, social security numbers, and other valuable personal information. They may launch a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack. This type of attack floods network servers or systems, rendering them unusable for hours or days. Another form of cyberattack is modification, which is when information is changed. Alternatively, systems can be changed, resulting in damage to vehicles or cargo.

Rapid developments in new transportation technologies can introduce additional security concerns of which transit agencies must be aware. Emerging technology provides more entry points for hackers. Many fleet operators use telematics to streamline operations and to track the location, status, and condition of the vehicles. The rail industry uses electronic sensors, network technology, and automation. PTC, track signals, communications systems, and power delivery all rely on these technologies.[266] Electric fare payment and automatic fare collection systems collect and store credit card data and other valuable personal information. New mobility service providers can receive, collect, retain, and use massive amounts of data about users and the service, including names, contact information, payment information, geolocation data and other valuable personal information as well as confidential and proprietary information.

A cyberattack on these systems not only exposes sensitive customer data and PII, but it can also put vehicles and passengers in jeopardy, damage assets or commercial advantage, and incur legal troubles.[267]

B. Cybersecurity Generally

Cybersecurity is the protection of computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. Cybersecurity generally protects confidentiality, integrity, and availability, known as the CIA Triad.[268] Confidentiality refers to theft of information. Integrity refers to preventing modification or asset damage. Availability refers to making information or an asset unavailable. Several states have incorporated these terms into their cybersecurity statutes.[269]

Government agencies are increasingly targeted by cyber attackers.[270] A report by the U.S. Government Accountability Office found that federal agencies reported 35,277 cyber security incidents in the fiscal year 2017, which was a 14 percent increase over the previous year.[271]

The threat of a cybersecurity breach is one of the biggest challenges facing the transportation industry. The U.S. Department of Homeland Security has designated the Transportation System Sector as one of 16 critical infrastructure sectors whose disruption would have a debilitating effect on our nation’s security.[272] The transportation system is part of the nation’s critical infrastructure according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).[273]

Despite the critical role that transit agencies play, research from the Mineta Transportation Institute (MTI) found “far too many agencies have not implemented adequate cyber security measures” and are ill prepared to identify, protect from, detect, respond to, and recover from cybersecurity vulnerabilities and threats.[274] MTI assessed the readiness of transit agencies to understand, mitigate, and respond to the growing threat of cyber security and found that “many transit agencies do not fully appreciate the risks posed by cybersecurity vulnerabilities nor the necessity to prepare for the inevitable attempts.”[275] MTI’s research found that more than 81 percent of agencies reported feeling prepared for a cybersecurity threat, yet only 60 percent have a cybersecurity program in place.[276] Other key findings include that most agencies do not have many of the basic policies and procedures in place to respond in the event of an incident.[277]

Other key findings:
• 47 percent audit their cybersecurity program at least once per year
• 42 percent do not have an incident response plan; of those that have one, more than one-half have not had a drill in over a year
• 36 percent do not have a disaster recovery plan
• 53 percent do not have a continuity in operations plan
• 58 percent do not have a business continuity plan
• 67 percent do not have a crisis communications plan

Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,[278] makes federal agencies accountable for managing cybersecurity risks to their ecosystem, and it further encourages them to work with all entities to adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework.[279]

C. Federal Laws Applicable to Cybersecurity Generally

In the United States, no single federal law regulates information security, cybersecurity, and privacy throughout the country. Several states have their own cybersecurity and data breach notification laws. Similar to the private sector, state and local government agencies are subject to a patchwork of industry-specific data security laws and other restrictions when they receive, maintain, use, or transmit data containing PII and other sensitive or confidential information. Many states have enacted general data security and breach notification statutes that typically apply equally to government and private entities.

1. Electronic Communications Privacy Act and Stored Communications Act

The Stored Communications Act (SCA) is part of the Electronic Communications Privacy Act (ECPA), also known as the Wiretap Act, and generally prohibits an individual from accessing stored electronic communications without proper authorization.[280] These acts are privacy statutes that forbid the intentional use, disclosure, or access to any wire, oral, or electronic communication without authorization. In addition to criminal penalties for malicious hackers, these acts provide a private right of action in case of a breach.

2. Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA), 18 USC §§ 1030 et seq., prohibits individuals from knowingly or intentionally accessing a computer without authorization or exceeding the authorization provided. It is intended to punish hackers of computer systems and others who damage computer systems and misappropriate confidential and sensitive information.

3. FTC Act

The FTC authority under the Federal Trade Commission Act, 15 U.S.C.A. § 45, extends to its recommended guidelines regarding cybersecurity. The FTC protects consumers’ privacy by enforcing Section 5(a) of the FTCA and penalizing companies for failing to have adequate cybersecurity.[281] Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce” and states an act may be considered “unfair” if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”[282] The FTC has the ability to enforce cybersecurity failures as “unfair” under 15 U.S.C.A. § 45(a).[283] The FTC has authority to bring actions against companies or individuals that engage in unfair or deceptive acts or practices, including those involving vehicle data privacy and security.

D. Federal Cybersecurity Laws Applicable to Federal Agencies, Federal Contractors, and Recipients of Federal Funds

1. The Federal Information Security Modernization Act of 2014

The Federal Information Security Management Act of 2002, and its replacement the Federal Information Security Modernization Act of 2014 (FISMA),[284] is the framework for cybersecurity in the federal government.[285] FISMA requires agencies to develop, implement, and maintain a security program that assesses information security risks and provides adequate security for the operations and assets of programs and software systems under agency and contractor control.[286]

Under FISMA, federal agencies and their contractors are required to develop agency-wide information security programs.[287] The law directs agency heads to ensure that: (1) information security management processes are integrated with budgetary planning; (2) senior agency officials, including chief information officers, carry out their information security responsibilities; and (3) all personnel are held accountable for complying with the agency-wide information security program.[288] FISMA requires agencies to notify Congress of major security incidents within seven days after there is a reasonable basis to conclude that a major incident has occurred.[289] FISMA defines “incident” as “an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.”[290] FISMA requires the Office of Management and Budget (OMB) to define a major incident and directs agencies to report major incidents to Congress within seven days of identification.[291] Federal agencies should comply with the criteria set out in the most recent OMB guidance when determining whether an incident should be designated as major.[292] OMB must ensure that data breach notification policies require agencies, after discovering an unauthorized acquisition or access, to notify: (1) Congress within 30 days, and (2) affected individuals as expeditiously as practicable.

2. Sensitive Security Information

The U.S. Department of Transportation (DOT) and the Department of Homeland Security (DHS), through the Transportation Security Administration (TSA), have promulgated regulations that provide requirements for handling sensitive security information (SSI).[293]

SSI is information that, if publicly released, would be detrimental to transportation security, as defined by Federal Regulation 49 C.F.R. Part 15. SSI is information obtained or developed in the conduct of security activities, including research and development, the disclosure of which the Secretary of DOT has determined would (1) constitute an unwarranted invasion of privacy (including, but not limited to, information contained in any personnel, medical, or similar file); (2) reveal trade secrets or privileged or confidential information obtained from any person; or (3) be detrimental to transportation safety.[294]

While modes of ground transportation, such as buses and rail, are not expressly referenced, the regulations generally apply in any transportation setting.[295] The SSI regulations apply to transit agencies as “covered persons” because they are either a grantee of DOT, DHS, or both; or a transit agency for which a vulnerability assessment has been directed, created, held, funded, provided to or approved by the DOT.[296]

The U.S. DOT’s Federal Highway Administration provides the following guidance for handling SSI for external parties:

(1) Do not leave SSI unattended on your desk, in your office or any other place you carry it. Remember to check for SSI, when you leave for meetings, lunch, brief trips to the restroom, filing room, a colleague’s office or before you leave at night. In these cases be sure to place it in a locked desk drawer, or locked file cabinet.
(2) Turn off or lock your computer when working with SSI before you leave your desk to ensure that no SSI is compromised.
(3) Only share SSI documents or information with a covered party who has a need to know. When in doubt, contact the DOT Office of Intelligence, Security, and Emergency Response at (202) 366-6525 or SSI@dot.gov. Do not discuss SSI at all with friends or family (unless they are covered parties with a need to know), and do not discuss SSI with colleagues in public places. If you need to discuss SSI over the telephone, make every effort to use a land line and be aware of your surroundings. If forced to discuss SSI in a public place, use common sense and discuss as privately as possible–not within the ear-shot of other people. If it is necessary to mention SSI over a cellular phone, take all precautions to discuss sparingly and privately.
(4) Do not deliver any SSI to anyone by leaving it unattended on [that person’s] desk; personally hand deliver any SSI to the intended recipient. You have a duty to make sure that the SSI recipient knows that the document(s) contain SSI so [the recipient] can take appropriate steps concerning SSI handling protection.
(5) When carrying or delivering SSI, place [the SSI] in an unmarked folder or envelope.
(6) Do not take SSI home, either hard or soft-copy, without written permission from your supervisor. If you do take SSI home, always keep the SSI on your person (ideally in a locked briefcase) during transit and protect as you would in your office.
(7) Password-protect all SSI documents sent via e-mail. Do not include the password in the body and/or e-mail introduction forward. Passwords shall conform to the following guidelines: eight character minimum length; at least one letter capitalized, contain at least one number; and not be a word in the dictionary. Take the correct password precaution and disclose the password to the recipient in person or by phone.
(8) SSI should always be marked as such with a protective marking in the header and a distribution limitation statement in the footer (see below). For paper records, the protective marking must be at the top and the distribution limitation statement at the bottom of (1) the outside of any front and back cover, including a binder cover or folder, if the document has a front and back cover; (2) any title page; and (3) each page of the document. When in doubt whether a document should be marked SSI, contact the DOT Office of Intelligence, Security, and Emergency Response at (202) 366-6525 or SSI@dot.gov.
(9) No SSI should be posted or appear on your Internet or Intranet web sites without prior approval. It is your duty to be diligent in observing any SSI that erroneously appears and contact the appropriate parties to have it removed. You may contact the DOT Office of Intelligence, Security, and Emergency Response at (202) 366-6525 or SSI@dot.gov for assistance.
(10) Properly dispose of all SSI in your possession that you no longer need (e.g., extra copies, obsolete versions, etc.) by using a shredder or cutting manually to less than ½ inch. SSI on electronic media should be destroyed so as to render the media unusable and preclude its reconstruction.[297]

SSI is limited in its disclosure and is protected from disclosure under FOIA.

With respect to emerging technologies, SSI concerns may arise from the infrastructure necessary for connected and AVs. Smart pavement, bridges, and—more broadly—smart highways, can become the backbone of transportation systems and will likely be critical infrastructure.

3. Federal Acquisition Regulations

The Federal Acquisition Regulations (FAR) Part 39 (Acquisition of Information Technology) briefly addresses cyber issues.[298] Under 48 C.F.R. § 39.106:

The contracting officer shall insert a clause substantially the same as the clause at 52.239–1, Privacy or Security Safeguards, in solicitations and contracts for information technology which require security of information technology, and/or are for the design, development, or operation of a system of records using commercial information technology services or support services.

For such a contract, FAR 52.239-1, Privacy or Security Safeguards requires that the contractor report breaches to the government if new or unanticipated threats or hazards are discovered or if existing safeguards have ceased to function. The reporting requirement is limited to contracts “which require security of IT, and/or are for the design, development, or operation of a system of records using commercial IT services or support services.”[299]

Under the FAR, contractors must protect information systems that process, store or transmit “federal contract information” (FCI).[300] FCI means “not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as [information] necessary to process payments.”[301] This definition “includes any information used in the performance of a contract that originated from or will be provided to the Government, apart from information that is public or is ‘simple transactional information.’”[302]

FAR specifies fifteen basic security measures or controls that contractors must implement to protect information systems:

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

This clause is required in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in—or transiting through—its information system.[303]

E. State Laws Applicable to Cybersecurity

State and local public transit agencies have legal obligations for data security and must verify whether the state imposes any additional or separate notification requirements on them.

[254] 18 U.S.C § 1836(b)(2).
[255] Id.
[256] 18 U.S.C. § 1838.
[257] Uniform Trade Secrets Act (1985).
[258] S.B. 2468, 242 Leg. Sess. (N.Y. 2019).
[259] UTSA § 1(4).
[260] Altavion, Inc. v. Konica Minolta Sys. Lab., Inc., 226 Cal. App. 4th 26, 53, 171 Cal.Rptr.3d 714 (Ct. App. 2014).
[261] See A Place for Mom v. Perkins, No. C20-1028-JCC, 2020 WL 4430997, at *3 (W.D. Wash. July 31, 2020); Wash. Rev. Code Ann. § 19.108.010(4)(a)-(b).
[262] Brown v. Rollet Bros. Trucking Co., 291 S.W.3d 766, 776 (Mo. Ct. App. 2009) (internal quotations omitted); Trone Health Servs., Inc. v. Express Scripts Holding Co., 974 F.3d 845, 855 (8th Cir. 2020).
[263] Ashland Mgmt. Inc. v. Janien, 624 N.E.2d 1007, 1013 (N.Y. 1993).
[264] Ashland, 624 N.E.2d at 1013 (quoting Restatement of Torts § 757 cmt. b).
[265] More thorough guidance for transit agencies on managing sensitive information than is appropriate in this report was addressed in a 2005 National Cooperative Highway Research Program (NCHRP) Report. National Cooperative Highway Research Program, NCHRP Report 525: Surface Transportation Security, Volume 5: Guidance for Transportation Agencies on Managing Sensitive Information, National Academies of Sciences, Engineering, and Medicine, Washington, D.C., 2005, https://doi.org/10.17226/23417.
[266] See, e.g., Victoria J. Hodge, et al., Wireless Sensor Networks for Condition Monitoring in the Railway Industry: A Survey, 16 IEEE Transactions on Intelligent Transportation Systems, Issue 3, (Jun. 2015), https://ieeexplore.ieee.org/document/6963375.
[267] See, e.g., KPMG, Protecting the Fleet … and the Car Business (2017), https://advisory.kpmg.us/content/dam/advisory/en/pdfs/protecting-the-fleet-web1.pdf.
[268] See, e.g., In the Matter of Use of Spectrum Bands Above 24 Ghz for Mobile Radio Servs., 30 FCC Rcd. 11878 (2015).
[269] See, e.g., Mich. Comp. Laws Ann. § 18.222 (“‘Cybersecurity incident’ means an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on any of these.”).
[270] See U.S. Gov’t Accountability Office, Cybersecurity Challenges Facing the Nation – High Risk Issue https://www.gao.gov/key_issues/ensuring_security_federal_information_systems/issue_summary. The Center for Strategic and International Studies (CSIS) tracks significant cyber incidents. The United States has been victim to over one hundred major incidents since 2006. See Center for Strategic and International Studies, https://www.csis.org/programs/technology-policy-program/significant-cyber-incidents.
[271] U.S. Gov’t Accountability Office, Agencies Need to Improve Implementation of Federal Approach to Securing Systems and Protecting against Intrusions, GAO-19-105 (Dec. 18, 2018), https://www.gao.gov/products/GAO-19-105.
[272] The Critical Infrastructures Protection Act of 2001, 42 U.S.C. § 5195c, defines “critical infrastructure” as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
[273] U.S. Cybersecurity and Infrastructure Security Agency, Identifying Critical Infrastructure During Covid-19 (revised Aug. 18, 2020), www.cisa.gov/identifying-critical-infrastructure-during-covid-19.
[274] Scott Belcher, et al., Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendations to Enhance Surface Transit Cyber Preparedness, Mineta Transp. Inst. (Sept. 2020), https://transweb.sjsu.edu/sites/default/files/1939-Belcher-Transit-Industry-Cyber-Preparedness.pdf.
[275] Id. at 31.
[276] Id.
[277] Id. at 38.
[278] Donald J. Trump, Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, 82 FR 22391, May 16, 2017.
[279] Nat’l Institute of Standards and Technology (NIST), Cybersecurity Framework (updated May 21, 2020), http://www.nist.gov/cyberframework/.
[280] 18 U.S.C 119, 18 U.S.C. 121.
[281] 15 U.S.C. § 45.
[282] 15 U.S.C. § 45(n).
[283] See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
[284] At the end of its term, the 113th Congress passed the Federal Information Security Modernization Act, S. 2521; the National Cybersecurity Protection Act, S. 2519; the Cybersecurity Enhancement Act, S. 1353; section 1632 of the National Defense Authorization Act of 2015; and the Cybersecurity Workforce Assessment Act, H.R. 2952.
[285] 44 U.S.C. §§ 3551, et seq. (added Pub.L. 113-283, § 2(a), Dec. 18, 2014, 128 Stat. 3073); see Brian E. Finch & Justin A. Chiarodo, 10 Things Government Contractors Should Know About Cybersecurity Compliance, 55 Gov’t Contractor ¶ 364, Nov. 20, 2013, at 2-3; Deborah Norris Rodin, The Cybersecurity Partnership: A Proposal for Cyberthreat Information Sharing Between Contractors and the Federal Government, 44 Pub. Cont. L.J. 505, 514 (2015).
[286] In re U.S. Office of Personnel Management Data Security Breach Litigation, C.A.D.C.2019, 928 F.3d 42, 442 U.S.App.D.C. 42, rehearing en banc denied.
[287] 44 U.S.C. § 3554.
[288] Id.
[289] Id.
[290] See 44 U.S.C. § 3552(b)(2). FISMA also uses the terms “security incident” and “information security incident” in place of incident.
[291] U.S. Computer Emergency Readiness Team (US-CERT) Federal Incident Notification Guidelines, https://us-cert.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf.
[292] FY 2020 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics, Version 4.0, April 17, 2020, https://www.cisa.gov/sites/default/files/publications/FY_2020_IG_FISMA_Metrics.pdf.
[293] A more thorough analysis of SSI and PCII than is appropriate in this report will be addressed in a forthcoming TCRP Research Digest. Transit Cooperative Research Program, Navigating the Complexities of Sensitive Security Information (SSI) and Protected Critical Infrastructure Information (PCII), TCRP J-05/Topic 19-03 (Active).
[294] 49 C.F.R. § 15.5.
[295] James W. Conrad, Protecting Private Security-Related Information from Disclosure by Government Agencies, 57 Admin. L. Rev. 715, 750 (2005).
[296] 49 C.F.R. §§ 15.7(g), 15.7(l).
[297] Fed. Highway Admin., Short Guide to Handling Sensitive Security Information (SSI) for External Parties, https://www.fhwa.dot.gov/legsregs/directives/orders/ssi/ssishortguide.htm. See also Restrictions on the Disclosure of SSI, 49 C.F.R. §§ 15.9(a)(1)-(2), 15.9 (a)(4)(c) (laying out the responsibilities for protecting secure information).
[298] 48 C.F.R. § 39.106 (requiring the Contracting Officer to include a clause for security of information technology).
[299] Id.
[300] 48 C.F.R. § 52.204-21(b)(1) (Basic Safeguarding of Covered Contractor Information Systems).
[301] Id.
[302] John Chierichella, Townsend Bourne, and Melinda Biancuzzo, Achieving Cyber Fitness in 2017, 59 NO. 4 Gov’t Contractor ¶ 25.
According to the National Conference of State Legislatures, in 2019, “at least 43 states and Puerto Rico introduced or considered close to 300 bills or resolutions that deal significantly with cyber security,” and 31 states enacted cybersecurity-related legislation.[304] These measures included the following:

• Requiring government agencies or businesses to implement training or specific types of security policies and practices;
• Restructuring government for improved security;
• Providing for the security of utilities and critical infrastructure;
• Exempting cybersecurity operations information from public records laws; and
• Addressing the security of connected devices.

1. State Unfair and Deceptive Acts and Practices Statutes

State Unfair and Deceptive Acts and Practices (UDAP) statutes, which are enforced by state attorneys general, work alongside the FTC Act to protect consumers’ privacy. These requirements range from simply requiring adoption of “reasonable” security plans to requiring specific steps. These laws are largely punitive, carrying the threat of large fines, consent decrees, or lawsuits. New York, for example, uses several sections of its General Business Law (GBL) to bring enforcement actions for cybersecurity lapses.[305] The New York statute specifically looks to Section 5 of the FTC Act to interpret what constitutes a deceptive act and practice.[306] Records contained in an indexed computer database may be protected by the New York state Personal Privacy Protection Law (PPPL), which was enacted to protect against the danger to personal privacy posed by modern computerized data collection and retrieval systems.[307]

2. State Breach Notification Laws

All 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving PII.[308] Security breach laws typically have provisions regarding who must comply with the law, definitions of what constitutes “personal information,” what constitutes a breach, requirements for notice (e.g., timing or method of notice, who must be notified), and exemptions, such as exemptions for encrypted information.

Some state statutes specifically apply to state and local entities. For example, Alabama has a general data breach statute that applies to covered entities, including state and local government entities, that acquire or use any Alabama resident’s sensitive PII.[309] Other states, such as California, have a separate statute that applies to state and local agencies that is substantially similar to the general statute.[310] Texas, by contrast, requires state agencies that own, license, or maintain computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law to comply, in the event of a breach or suspected breach of system security or an unauthorized exposure of that information, with the general data breach notification requirements, and those agencies are subject to additional requirements.[311] Connecticut has a statute that applies to state contractors and contains specific data security and breach notification requirements that must be included in contracts.[312]

State and local transit agencies should consult their state’s laws when implementing emerging technologies to ensure compliance with applicable data security and breach notification requirements.

[303] 48 C.F.R. § 4.1903.
[304] Nat’l Conference of State Legislatures, Cybersecurity Legislation: 2019, Jan. 1, 2020, https://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2019.aspx.
[305] N.Y. Gen. Bus. Law §§ 349, 350, and 899-aa.
[306] In re Marriott International, Inc., Customer Data Sec. Breach Litig., 2020 WL 869241, at *36 (D. Md. Feb. 21, 2020) (“Moreover, New York courts specifically interpret § 349 ‘by looking to the definition of deceptive acts and practices under [S]ection 5 of the Federal Trade Commission Act.’”).
[307] See N.Y. Pub. Off. Law, Art. 6-A (McKinney); Spargo v. New York State Commission on Government Integrity, 140 A.D.2d 26, 531 N.Y.S.2d 417 (3d Dep’t 1988).
[308] Nat’l Conference of State Legislatures, Security Breach Notification Laws, Mar. 8, 2020, www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
[309] See, e.g., Ala. Code §§ 8-38-1 to 8-38-12 (The statute defines “covered entity” to include: A person, partnership, or sole proprietorship; business entities including corporations, nonprofits, trusts, estates, cooperative associations; the State of Alabama, a county, a municipality, or an instrumentality of the state, a county, or a municipality). See also Alaska Stat. Ann. §§ 45.48.010-45.48.090 (“covered entities” include any state agency, other than judicial branch agencies); Fla. Stat. Ann. § 501.171 (“covered entity” defined as any commercial entity, including a government entity, that acquires, maintains, stores, or uses personal information).
[310] Cal. Civ. Code § 1798.29.

F. Cybersecurity Risks Associated with Autonomous and CVs

Conventional vehicles offer dozens of portals that hackers could use to breach a vehicle’s electronic systems, “including seemingly innocuous entry points such as the airbag, the lighting system, and the tire pressure monitoring system (TPMS).”[313] Advanced driver assistance technologies, including those used in AVs and CVs, depend on an array of electronics, sensors, and computer systems and are entirely dependent on the vehicles sharing and coordinating data with each other and an external network, both locally and through centralized infrastructure. The data can include information about the exact location of vehicles as well as how and where drivers operate their cars, and on-board computers and systems are capable of controlling the vehicles remotely, including disabling the vehicle entirely.[314] For these reasons, “[p]rotecting autonomous vehicles from hackers is of paramount concern to federal and state governments, manufacturers, and service providers.”[315]

In March 2018, security professional association ISACA published its global survey on smart cities, which identified vulnerability to malware, ransomware, and DoS attacks as a major security threat to smart infrastructure.[316] “Smart infrastructure” refers to pavement systems that transform roads into large sensor, data, and connectivity networks for next generation and autonomous vehicles.
Sensors in the roadways allow vehicles to communicate with the road, and the road with the vehicles. They also detect moisture levels, temperature, strain, vibration and weight-in-motion, and collect data. Similarly, smart bridges incorporate sensors to monitor a variety of situations, including speeding and overhead truck weight, structural health, temperature, and data transmission. Smart pavement, bridges, and—more broadly—smart highways, can become the backbone of transportation systems and will likely be critical infrastructure.

The U.S. DOT NHTSA has numerous resources dedicated to vehicle cybersecurity, including Cybersecurity Best Practices for Modern Vehicles.[317] The NHTSA encouraged the formation of the Automotive Information Sharing and Analysis Center (Auto-ISAC), an industry environment emphasizing cybersecurity awareness and collaboration across the automotive industry.[318] In July 2016, Auto-ISAC released a set of cybersecurity best practice guides to assist automotive industry stakeholders with identifying, prioritizing, treating, and monitoring vehicle cybersecurity risks.[319]

G. Physical Security to Systems

The technical means of data and privacy protection are only as secure as the physical means preventing access to stored or live data. For example, requiring an extremely sophisticated password schema has little effect if user passwords are widely known to be written and stored in an unlocked desk drawer. Many cybersecurity incidents are caused by lost or stolen devices, such as laptops, mobile phones, USB drives, and even servers being stolen from locations such as office buildings. Unless such devices are properly encrypted, those thefts are data breaches for the organization from which they were stolen. Unprotected laptops that are stolen, for example, can be the foundation for negligence lawsuits.[320] Further, access to the data is sometimes gained through physical entry, such as people posing as staff or simply breaking into an office. Physical security incorporates security guards, alarm systems, locks, background checks, and similar measures.

There are controls to implement to identify where sensitive information is accessed and add physical security as needed:

• With open-office floor plans, remove physical barriers that shield computer screens. A secure room should have full height walls and fireproof ceilings.

[311] Tex. Gov’t Code § 2054.1125.
[312] Conn. Gen. Stat. §§ 4e-70, 4e-71.
[313] Bill Canis, Issues in Autonomous Vehicle Testing and Deployment (Cong. Research Serv., R45985, v. 11, Feb. 11, 2020), https://fas.org/sgp/crs/misc/R45985.pdf.
[314] Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway—With Me in It, Wired, Jul. 21, 2015, https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.
[315] Id.
[316] ISACA, Smart Cities New Threats and Opportunities, www.isaca.org/-/media/info/smart-cities-survey/index.html.
[317] Nat’l Highway Traffic Safety Admin., Cybersecurity Best Practices for Modern Vehicles Cybersecurity, (Report No. DOT HS 812 333, Oct. 2016), https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/812333_cybersecurityformodernvehicles.pdf. See also Nat’l Highway Traffic Safety Admin., Vehicle Cybersecurity, https://www.nhtsa.gov/technology-innovation/vehicle-cybersecurity.
[318] Auto-ISAC, https://automotiveisac.com/. More thorough guidance and information regarding automated vehicles than is appropriate in this report is the subject of a forthcoming National Cooperative Highway Research Program (NCHRP) Report.
[319] Automotive Information Sharing and Analysis Center, Best Practice Guides, https://automotiveisac.com/best-practices/. Auto-ISAC has developed supplemental Best Practice Guides to provide Members and appropriate industry stakeholders additional information and implementation guidance for each of the seven key cybersecurity functions, which are the highest level of Best Practice categorization and guide management of vehicle cyber risk. See also SAE J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems; NIST 800-64: Security Considerations in the Systems Development Lifecycle; NIST SP 800-121 Guide to Bluetooth Security; NIST SP-127: Guide to Securing WiMAX Wireless Communications; ISO 17799: Mobile Phone Security.
[320] Brush v. Miami Beach Healthcare Grp. Ltd., 238 F. Supp. 3d 1359, 1366 (S.D. Fla. 2017).


The nation’s 6,800 plus public transportation agencies need to have access to a program that can provide authoritatively researched, specific studies of legal issues and problems having national significance and application to the public transportation industry. Some legal issues and problems are unique to transit agencies.

The TRB Transit Cooperative Research Program's TCRP Legal Research Digest 59: Legal Issues and Emerging Technologies provides transportation attorneys with guidance and resources to assist with these legal changes resulting from the implementation of technology, including regulatory challenges, risk management, cybersecurity, privacy, handling confidential and proprietary information, intellectual property rights, civil rights and environmental justice compliance, labor and employment law, and procurement issues.
