“. . . some of these losses occur because of the actions of third parties who handle the data, over whom there is little or no control. The good news is that some of these risks can be mitigated by forethought and planning in these contracting arrangements.”
– Ally Fuqua, Attorney and Partner in the Fuqua-Abbott law firm
Many mobility management entities manage parking and transportation services on behalf of another party, such as a municipality, university or medical center. In the course of normal business operations, these entities collect vast amounts of data.
Some of this data is so-called Personally Identifiable Information (“PII”), which has been the subject of legislation – and litigation – in the U.S. and abroad. PII has been targeted for special protection as its misuse or careless handling can result in fraud, identity theft and other damages to an innocent person.
Determining Who is Responsible for Data Breaches
While some of the responsibility for protecting this data can be passed on to others, such as payment processors, not all can be so easily disposed of. The dangers are significant, industry experts say.
“Data break-ins at big box retailers like Target and Home Depot point out that no one, not even the largest and most sophisticated enterprises, is immune from theft of information,” says attorney Ally Fuqua. Fuqua, a parking industry veteran for over 14 years, is a lawyer whose private practice, Fuqua-Abbott, focuses primarily on representing parking companies.
“These incidents cost organizations millions of dollars each year in direct losses from revenues, the losses of customers affected by theft of their PII and the added expense of investigating and remediating the incident,” says Fuqua. “There are also indirect losses such as business reputation and customer goodwill that can greatly impact future profits.”
Fuqua adds, “Unfortunately, at least some of these losses occur because of the actions of third parties who handle the data, over whom there is little or no control. The good news is that some of these risks can be mitigated by forethought and planning in these contracting arrangements.”
New Privacy Protection Rules Coming
With data break-ins becoming more commonplace and individuals facing difficult and expensive litigation to recover damages, legislatures around the world have begun shifting much of the onus for data protection onto the data collectors. Far-ranging protection rights for the PII of individuals have been enacted into law in the European Union and Canada.
Because these statutes presume that data collectors are directly responsible for data loss, many legal defenses are automatically stripped away. Arguments such as the improper handling of the data by, or negligence of, third parties are limited or negated by these laws.
Data collectors are now incentivized to maximize their PII protections while mitigating their risks with insurance and a proper contracting foundation.
Consultant Michael Drow has been deeply involved in helping management entities meet evolving data protection standards. Drow formerly led a major commercial parking operator’s strategic and technology initiatives. He now helps parking facility and solutions providers evaluate and implement new technologies, with a focus on mobility, to enhance their operations and customer engagement.
“In Europe,” says Drow, “if an individual says to an entity, you can’t use my data anymore, it’s that company’s responsibility to make sure that data is removed not only from its own systems, but from all those partners to whom the firm provided that data. I fully expect privacy rules will happen in North America as they have happened in Europe.”
This becomes problematic for third-party managers. For example, if the owner of a parking facility requests a list of monthly parkers from a parking company managing that facility, what information should or should not be provided? How is that information protected by the owner? Can the manager retrieve that information from that owner?
Defining Rights and Responsibilities
“The first step is having the contractual relationships that communicate and articulate those rights and responsibilities around data and personal information,” says Drow. “A parking operator working for a property owner or manager should have specific data terms in its contract – as the operator collects data, they will pass it to the property management firm upon request.”
Drow recognizes the reality that the operator may need to share certain data with a third party upon request. “However,” says Drow, “the parking operator needs to have access to retrieve the data. It’s the receiving party’s responsibility to follow the data rules, as defined in the contract, as data is received. The sending party, in this case the parking operator, must also be able to confirm the receiving party is following these rules.”
This raises practical questions that require technological answers. “How do you implement the technology and the day-to-day control?” Drow asks. “Who passes it around? How do you provide other systems the ability to access data and are you aware of where those elements are, so you can track what data has been passed and where it is being sent?”
“Unless these issues are addressed in the agreement between the owner and the manager,” says Fuqua, “the managing entity might be presumed to be responsible for the handling of this information, even if the owner’s negligence caused or significantly contributed to the incident. Careful wording of management agreements in this new age of data privacy is the first step.”
(Original image courtesy of Eli Christman, via Flickr at http://tinyurl.com/mxxyeqg.)