The Mineta Transportation Institute at San Jose State University is an organized research and training unit with a network of faculty, research and administrative staff, and students committed to increasing mobility for all.

The Mineta Transportation Institute (MTI) released the issues explored in its latest perspective, Personal Data Protection as a Driver for Improved Cybersecurity Practices in U.S. Public Transit.

The perspective explores how the increase in cyberattacks against public transit agencies underscores the growing responsibility those agencies have to prioritize the protection of any personal data they collect, retain, or distribute.

A few of the issues further explored in the perspective include:

  • The use of and debates surrounding facial recognition software—including previous interest expressed by Bay Area Rapid Transit (BART) leadership.
  • The issues arising from the shift in fare payment systems from tokens and tickets to digital wallets and contactless credit cards, which potentially exposes Personally Identifiable Information (PII) to breaches.
  • The convenience and security challenges of increasingly common open-loop systems vs. closed-loop systems. Open-loop systems are mobile payment systems that allow users to pay for goods and services at multiple vendors using a single digital wallet or credit/debit card, which gets processed by the regular card payment system and shows up on the customer’s monthly statement (e.g., Visa, Apple Pay, etc.). Closed-loop systems only allow for payment at a specific vendor (e.g., Starbucks app, reloadable transit cards, etc.).
  • And other closely related topics, such as the Health Insurance Portability and Accountability Act (HIPAA) and paratransit, steps to protect PII, etc.

“There are 17 countries with comprehensive national data protection laws in place—the United States is not among them,” said Scott Belcher, principal investigator. “As more countries enact laws governing the data of their residents, U.S. entities are going to face an increasingly complex process of navigating extra-territorial and data export requirements.” 

MTI said addressing these issues means taking steps toward protecting personal data and building more robust cybersecurity practices.