Your Guide to a Secure Transit System: The Public Transit Data Security & Privacy Audit Checklist

Introduction: Why Data Security Matters for Transit

Public transportation isn't just about moving people; it's a critical infrastructure service that collects and handles a wealth of data. This includes passenger travel patterns, payment information, employee details, and operational logistics - data that, if compromised, can have far-reaching consequences. A data breach can cripple a transit agency, disrupting vital services, eroding public trust, and triggering significant financial penalties. Beyond the immediate impact, a compromised data posture can damage an agency's reputation, hinder its ability to innovate, and ultimately undermine its core mission of providing safe and reliable transportation. In today's digital landscape, safeguarding this data isn's a luxury-it's a necessity for maintaining operational integrity, fostering passenger confidence, and upholding the public's trust. This article outlines a practical checklist to help transit agencies proactively address these critical data security and privacy concerns.

Understanding the Scope: What Data Are We Protecting?

The scope of your data security and privacy audit hinges directly on understanding what data you're responsible for protecting. It's not enough to just think about passenger names; the reality is far more complex. Let's break down the categories of data most commonly held by public transit agencies and the potential risks associated with each.

Passenger Data: This is often the most obvious category but extends far beyond just names. It includes:

• Contact Information: Names, addresses, email addresses, phone numbers.
• Travel History: Origin, destination, dates, times, routes taken. This data can reveal patterns of life and routines.
• Payment Information: Credit card details, mobile wallet credentials, fare card data. A significant breach here can lead to financial fraud.
• Demographic Data: Age, gender, income (often inferred from fare types or payment methods). This can be misused for discriminatory practices.
• Biometric Data: Increasingly, transit agencies are using biometric identifiers like facial recognition or fingerprint scanning for fare payment or security. This data is highly sensitive and requires stringent protection.
• Device Data: IP addresses, device IDs, location data collected through mobile apps.

Operational Data: Crucial for running the transit system, but also vulnerable:

• Vehicle Location & Performance Data: GPS data, speed, maintenance records. This could be exploited to disrupt service or compromise security.
• Network Infrastructure Data: Information about servers, routers, and other network devices.
• Security System Data: CCTV footage, access control logs, alarm system records.

Employee Data: Similar to any organization, transit agencies hold sensitive employee information:

• Personal Information: Names, addresses, Social Security numbers, payroll details.
• Performance Data: Attendance records, disciplinary actions.

Third-Party Data: Data shared with or received from vendors and partners. This introduces another layer of complexity, as you are reliant on their security practices.

Understanding the breadth of data you handle is the first, and arguably most important, step in building a robust data security and privacy framework. A thorough data inventory and classification exercise is a critical starting point.

The 10-Point Public Transit Data Security & Privacy Audit Checklist

Here's a breakdown of the key areas to examine. Consider this a foundation for a more comprehensive assessment. This isn't exhaustive, but will help identify significant areas of strength and potential weakness.

1. Data Inventory & Classification: Begin by mapping all data collected, processed, and stored. Categorize it based on sensitivity - for instance, Personally Identifiable Information (PII), financial records, or operational secrets. Knowing where it resides (databases, servers, cloud storage, employee devices) is crucial.

2. Access Controls & Permissions: Implement the principle of least privilege. Grant data access only to those who absolutely need it and only for the required purpose. Regularly audit and update user access rights to ensure ongoing appropriateness.

3. Data Encryption & Storage: Protect data at rest (when stored) and in transit (when moving between systems) using robust encryption methods. Securely manage encryption keys, as their compromise negates the effectiveness of encryption.

4. Third-Party Vendor Management: If utilizing vendors for ticketing, analytics, or other services, rigorously evaluate their data security practices. Clearly define data security and privacy requirements in vendor contracts.

5. Security Awareness Training: Regularly train all employees on data security best practices - covering topics like phishing awareness, secure password management, and proper data handling procedures.

6. Incident Response Plan: Develop a comprehensive plan outlining procedures for responding to data breaches or security incidents. Regularly test and update this plan to ensure its effectiveness.

7. Network Security: Assess the security of your network infrastructure, including firewalls, intrusion detection systems, and wireless access points. Implement appropriate security controls to protect against unauthorized access.

8. Physical Security: Don't overlook the physical security of data centers and other facilities housing sensitive data. Implement access controls, surveillance systems, and other measures to prevent unauthorized access.

9. Data Retention & Disposal: Establish clear policies for data retention and disposal. Ensure that data is securely deleted when it is no longer needed, in compliance with legal and regulatory requirements.

10. Regular Audits & Monitoring: Implement ongoing monitoring and auditing of data access and security controls. Regularly review audit logs and security reports to identify potential vulnerabilities and security incidents.

1. Data Inventory & Classification: Knowing What You Have

Before you can secure your data, you need to understand exactly what data you have, where it resides, and how sensitive it is. A comprehensive data inventory and classification is the foundational step in any robust data security and privacy program. Think of it as cataloging everything in your digital warehouse - you can't protect what you don't know exists.

This isn't just about identifying passenger names and addresses. It includes:

• Passenger Data: Names, contact information, travel history, payment details (credit card numbers, transit cards), demographic information, loyalty program data.
• Employee Data: Personal information, payroll details, performance reviews, access credentials.
• Operational Data: Schedules, routes, vehicle maintenance records, security camera footage, fare collection data, real-time location data of vehicles and buses.
• Third-Party Data: Data received from vendors, partners, or shared through APIs.

Classification is Key: Once you've inventoried your data, categorize it based on sensitivity. Common classifications include:

• Public: Information freely available and intended for public consumption (e.g., route maps, general schedules).
• Internal: Data for internal use only, not intended for public release (e.g., employee directories).
• Confidential: Sensitive data requiring stricter protection (e.g., passenger financial information, employee performance reviews).
• Restricted: Highly sensitive data requiring the highest level of protection (e.g., security camera footage with identifiable individuals, detailed incident reports).

Practical Steps:

• Automated Discovery Tools: Consider using tools that can automatically scan your systems and identify data assets.
• Data Mapping: Create a visual map of data flows - tracing how data is collected, stored, processed, and shared.
• Data Owners: Assign data owners responsible for the accuracy and security of specific data sets.
• Regular Review: Data inventories aren't static. They need to be reviewed and updated regularly as your operations and data landscape evolve.

2. Access Controls & Permissions: Who Can See What?

Think of your transit agency's data like a valuable treasure. You wouldn't just leave the vault door wide open to anyone, would you? Access controls and permissions are the equivalent of securing that vault, ensuring only authorized personnel can view, modify, or delete sensitive information.

The principle of least privilege is the guiding star here. It means granting users access only to the data and systems they absolutely need to perform their jobs. A customer service representative shouldn't have access to payroll records, and a maintenance technician shouldn't need to view passenger demographics.

Beyond Usernames and Passwords:

While strong passwords and multi-factor authentication (MFA) are essential first steps, effective access controls go much deeper. Consider:

• Role-Based Access Control (RBAC): Group users into roles (e.g., Ticket Agent, System Administrator, Data Analyst) and assign permissions based on those roles. This simplifies management and ensures consistency.
• Attribute-Based Access Control (ABAC): A more granular approach that evaluates access based on user attributes (e.g., department, security clearance), resource attributes (e.g., data classification), and environmental factors (e.g., time of day, location).
• Regular Reviews: Access rights aren't a "set it and forget it" situation. Conduct periodic reviews - at least annually, and ideally more frequently - to ensure permissions are still appropriate and necessary. When employees change roles or leave the agency, immediately revoke their access.
• Data Segmentation: Break down your data into segments based on sensitivity and access requirements. This limits the impact of a potential breach - if one segment is compromised, it doesn's expose everything.
• Logging and Monitoring: Implement robust logging and monitoring to track data access activity. This provides an audit trail and helps identify suspicious behavior.
• Privileged Access Management (PAM): Special controls and monitoring for users with elevated privileges (e.g., system administrators) are crucial as they have the power to make significant changes.

Failing to properly manage access controls isn't just a security risk; it's a legal and reputational one. Strong access controls build trust, protect your data, and contribute to the overall resilience of your transit agency.

3. Data Encryption & Storage: Securing Data at Rest and in Transit

Encryption is your frontline defense against unauthorized access to sensitive data, whether it's sitting on a server or moving across a network. It's not enough to just have passwords; encryption transforms data into an unreadable format, protecting its confidentiality even if a system is breached. Let's break down how to secure data both "at rest" (stored) and "in transit."

Encryption at Rest: Protecting Stored Data

This refers to encrypting data while it's physically stored - on hard drives, databases, cloud storage, and even on employee devices. Common methods include:

• Full Disk Encryption (FDE): Encrypts the entire hard drive, protecting all data on the device. Essential for laptops and mobile devices.
• Database Encryption: Protects data within databases, often using Transparent Data Encryption (TDE) which encrypts data without requiring changes to applications.
• File-Level Encryption: Individual files or folders can be encrypted, providing granular control over data protection.
• Cloud Storage Encryption: Ensure your cloud provider offers robust encryption options, and consider utilizing client-side encryption to control the encryption keys yourself.

Encryption in Transit: Safeguarding Data in Motion

Data is vulnerable while it's being transferred - whether it's an email, a file upload, or communication between servers. Securing data in transit involves:

• HTTPS/TLS: Mandatory for all websites and applications. Ensures data is encrypted during transmission using the Transport Layer Security (TLS) protocol (formerly Secure Sockets Layer or SSL).
• VPNs (Virtual Private Networks): Create a secure, encrypted tunnel for data transmission, particularly useful for remote access to networks.
• Secure Email Protocols: Utilize encryption protocols like S/MIME or PGP to protect email content and attachments.
• Secure File Transfer Protocols: Use protocols like SFTP (Secure FTP) or FTPS (FTP over SSL/TLS) for secure file transfers.

Key Management is Critical: Encryption is only as strong as the security of your encryption keys. Implement robust key management practices, including secure storage, regular rotation, and strict access control. Consider a Hardware Security Module (HSM) for added protection. Regularly audit your encryption implementation and key management processes to ensure ongoing effectiveness.

4. Third-Party Vendor Management: Holding Partners Accountable

Your transit agency likely relies on a network of third-party vendors - for ticketing systems, data analytics, payment processing, and more. While these partnerships are essential for efficient operations, they also introduce significant data security and privacy risks. You're only as secure as your weakest link, and a vendor with lax practices can compromise the entire system.

Effective third-party vendor management isn't about being adversarial; it's about fostering a culture of shared responsibility. Here's how to hold your partners accountable:

• Due Diligence is Key: Before engaging a vendor, conduct thorough background checks and security assessments. Review their security policies, certifications (like SOC 2 or ISO 27001), and incident response plans. Don't just take their word for it - verify their claims.
• Contractual Safeguards: Data security and privacy requirements must be explicitly stated in vendor contracts. Include clauses addressing data encryption, access controls, breach notification timelines, audit rights, and compliance with applicable regulations. Ensure right to audit their security controls.
• Ongoing Monitoring and Assessment: Due diligence shouldn't end at contract signing. Implement ongoing monitoring and periodic security assessments to ensure vendors continue to meet contractual obligations. Request regular security reports and participate in vendor audits, if possible.
• Tiered Risk Assessment: Not all vendors pose equal risk. Categorize vendors based on the sensitivity of the data they access and the potential impact of a breach. Focus your oversight efforts on high-risk partners.
• Breach Response Collaboration: Establish clear procedures for collaborating with vendors in the event of a data breach. Define roles, responsibilities, and communication channels.

Failing to adequately manage third-party risk can expose your agency to significant legal, financial, and reputational damage. Proactive vendor management is an investment in your agency's long-term security and resilience.

5. Incident Response Planning: Preparing for the Inevitable

Let's face it: despite your best efforts, a data breach can happen. The difference between a manageable incident and a catastrophic event often boils down to how prepared you are. An Incident Response Plan (IRP) is your roadmap for navigating a breach, minimizing damage, and restoring operations.

What's in a Good Incident Response Plan?

A well-crafted IRP isn't just a document; it's a living process that should be regularly tested and updated. Key components include:

• Defined Roles & Responsibilities: Clearly outline who is responsible for what during an incident (e.g., incident commander, communications lead, technical recovery team).
• Communication Protocols: Establish clear lines of communication - both internal (amongst your team) and external (to affected passengers, law enforcement, regulators). Who speaks for the agency? How will you notify stakeholders?
• Containment Strategies: How will you quickly isolate the affected systems or data to prevent further compromise? This might involve disconnecting networks, shutting down servers, or deploying specialized security tools.
• Eradication Procedures: What steps will you take to remove the malware or vulnerability that caused the breach? This may involve data wiping, system reimaging, or patching vulnerabilities.
• Recovery & Restoration: How will you restore affected systems and data to a functional state? This includes data recovery from backups, rebuilding infrastructure, and verifying system integrity.
• Post-Incident Activity: This crucial phase involves a thorough analysis of the incident, identifying root causes, documenting lessons learned, and updating security controls to prevent recurrence.
• Regular Testing & Simulations: Tabletop exercises, simulated attacks, and full-scale drills are essential for validating your plan and ensuring that your team knows their roles.

Don't Wait for an Incident - Test Your Plan Now!

An IRP is useless if it's never been tested. Schedule regular drills and exercises to identify gaps and weaknesses. The cost of preparedness is far less than the cost of recovering from a major data breach. Consider involving external cybersecurity experts to conduct penetration testing and red team exercises to simulate real-world attacks.

6. Data Retention and Disposal: Managing Data Lifecycle

Data isn't useful forever - and keeping it around longer than necessary creates unnecessary risk and consumes valuable resources. Establishing a robust data retention and disposal policy is critical for both legal compliance and operational efficiency.

Why is Data Retention Important?

Legal and regulatory frameworks often dictate how long specific types of data must be retained. Examples include financial records, incident reports, and passenger data subject to privacy regulations. Failure to meet these requirements can result in significant penalties. Furthermore, retaining data for too long increases the potential impact of a data breach. The longer data resides within your systems, the greater the risk it falls into the wrong hands.

Defining Your Retention Periods:

Your data retention periods should be based on:

• Legal and Regulatory Requirements: Prioritize compliance with applicable laws (e.g., tax laws, privacy regulations).
• Business Needs: Determine how long data is needed for operational purposes, such as reporting, analysis, or historical record-keeping.
• Data Sensitivity: More sensitive data may require shorter retention periods.

Secure Data Disposal: Beyond Deletion

Simply deleting a file isn't enough. Data can often be recovered from deleted files, especially on hard drives and solid-state drives. Secure disposal methods are essential:

• Data Wiping: Utilize specialized software to overwrite data multiple times, rendering it unrecoverable.
• Physical Destruction: For hard drives and other storage media, consider physical destruction through shredding or degaussing (using a powerful magnetic field).
• Secure Cloud Deletion: If using cloud services, ensure that your provider offers secure deletion options that meet your organization's requirements.
• Documentation: Maintain a detailed record of all data disposal activities, including the type of data, the disposal method, and the date of disposal.

Regular Review is Key:

Data retention policies are not "set and forget." Regularly review your policies to ensure they remain compliant with evolving regulations and aligned with your organization's needs.

7. Privacy Policy & Transparency: Building Passenger Trust

Passengers aren't just riders; they're individuals entrusting you with their data. A robust privacy policy isn't a legal formality; it's a cornerstone of building and maintaining that trust. Transparency isn't just nice to have - it's essential for fostering a relationship built on respect and accountability.

Beyond the Legalese: Making Your Policy Accessible & Understandable

Many privacy policies are dense, filled with legal jargon, and buried deep within a website. That's a missed opportunity. Your policy should:

• Be Written in Plain Language: Avoid complex legal terms whenever possible. Explain data practices in a way that the average passenger can understand.
• Be Easily Findable: Make it prominent on your website, app, and other communication channels. A clear link in the footer of every page is a must.
• Highlight Key Information: Use summaries, FAQs, and visuals to draw attention to the most important aspects of your data practices - what data you collect, why you collect it, and how it's used.
• Be Dynamic: Privacy practices evolve. Regularly review and update your policy to reflect changes in technology, regulations, and your internal procedures. Clearly indicate the date of the last update.

Transparency in Practice: Going Above and Beyond

Transparency extends beyond a static privacy policy. Consider:

• Data Collection Notices: Provide clear notices at the point of data collection (e.g., when using Wi-Fi on a bus or train).
• Data Usage Explanations: Explain how data is used to improve services, enhance safety, or personalize the passenger experience.
• Passenger Rights: Clearly outline passenger rights regarding their data, including access, correction, and deletion requests.
• Contact Information: Provide clear and accessible contact information for questions or concerns about privacy. A dedicated privacy officer or team is a great addition.
• Regular Communication: Keep passengers informed about any significant changes to data practices through email newsletters, social media posts, or website announcements.

Ultimately, demonstrating a commitment to privacy and transparency isn't just about complying with the law; it's about showing passengers that you value their trust and respect their right to privacy.

8. Regulatory Compliance: Staying on the Right Side of the Law

Navigating the legal landscape of data privacy can feel overwhelming, but it's absolutely essential for transit agencies. Several key regulations directly impact how you handle passenger and employee data. Let's break down some of the most relevant.

Key Regulations to Know:

• GDPR (General Data Protection Regulation): While primarily a European law, GDPR applies to any organization that processes the data of EU residents, regardless of location. This means if your transit system serves even a small number of EU citizens, you must comply. Key principles include data minimization, purpose limitation, and data subject rights (access, rectification, erasure).
• CCPA/CPRA (California Consumer Privacy Act/California Privacy Rights Act): These laws grant California residents significant control over their personal information, including the right to know, the right to delete, and the right to opt-out of the sale of their data. CPRA strengthened CCPA by expanding consumer rights and creating the California Privacy Protection Agency.
• State-Specific Privacy Laws: Numerous states are enacting their own privacy laws, often building on the CCPA model. Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) are among the leaders. Stay informed about the laws applicable in the states where you operate.
• HIPAA (Health Insurance Portability and Accountability Act): If your transit system collects or handles protected health information (PHI), HIPAA compliance is mandatory. This includes patient data collected through on-site clinics or related services.
• FTC Act (Federal Trade Commission Act): The FTC has broad authority to regulate unfair or deceptive trade practices, including those related to data security and privacy. Failing to adequately protect sensitive data can lead to FTC enforcement actions.

Staying Compliant: Proactive Steps:

• Data Mapping: Understand what personal data you collect, where it's stored, and who has access to it.
• Privacy Policy: Maintain a clear, accessible privacy policy that outlines your data practices.
• Data Subject Rights Requests: Establish a process for responding to data subject requests (access, deletion, etc.) in a timely manner.
• Security Measures: Implement appropriate technical and organizational security measures to protect personal data.
• Regular Audits: Conduct regular audits to assess your compliance posture and identify areas for improvement.
• Stay Updated: Regulations are constantly evolving. Subscribe to industry news sources and legal updates to remain informed.

Disclaimer: This is for informational purposes only and does not constitute legal advice. Consult with legal counsel to ensure compliance with all applicable laws and regulations.

9. Security Awareness Training: Empowering Your Team

Your strongest defense against data breaches isn't just technology; it's your people. Security awareness training is no longer a nice-to-have-it's a critical component of a robust data security posture. Phishing emails, weak passwords, and unintentional data sharing are common entry points for attackers, and often stem from human error.

Effective training goes beyond just identifying phishing scams. It should cover:

• Password Best Practices: Creating strong, unique passwords and using password managers.
• Phishing and Social Engineering: Recognizing and avoiding deceptive tactics.
• Data Handling Procedures: Proper handling of sensitive data, both digital and physical.
• Mobile Device Security: Securing personal and work devices used for accessing transit data.
• Reporting Suspicious Activity: Clear instructions on how and to whom to report potential security incidents.

Training shouldn't be a one-time event. Regular refreshers, simulated phishing exercises, and updates on emerging threats are essential to maintain vigilance. Make it engaging, interactive, and relevant to your team's daily tasks. Ultimately, empowering your team to be the first line of defense is paramount to protecting your transit agency's data.

10. Auditing & Monitoring: Continuous Improvement & Detection

Auditing and monitoring aren't one-time tasks; they's the backbone of a continuously improving security posture. Think of it as a constant pulse check on your data protection efforts. Simply having security controls in place isn's enough-you need to actively verify that they's working as intended and detect any anomalies that might indicate a breach.

This involves implementing a layered approach to monitoring:

• Log Management: Centralize and analyze logs from all critical systems (servers, databases, network devices, applications). Automated analysis can flag suspicious activity.
• Security Information and Event Management (SIEM) Systems: These powerful tools correlate data from various sources to provide a comprehensive view of your security landscape.
• Vulnerability Scanning: Regularly scan your systems for known vulnerabilities and misconfigurations.
• Intrusion Detection/Prevention Systems (IDS/IPS): Monitor network traffic for malicious activity and automatically block threats.
• User Behavior Analytics (UBA): Establish baseline user behavior and detect deviations that could indicate compromised accounts or insider threats.
• Regular Security Audits: Conduct periodic, independent audits to assess the effectiveness of your security controls and identify areas for improvement. These should go beyond just technical assessments and include review of policies, procedures, and employee training.

Don't forget to document your audit findings and remediation efforts. A clear audit trail provides valuable insights for future improvements and demonstrates accountability. Finally, regularly review and update your monitoring capabilities to stay ahead of evolving threats-the attacker's innovation requires equal vigilance on your part.

Beyond the Checklist: Ongoing Security Best Practices

Completing a data security and privacy audit checklist is a vital first step, but it's not a "set it and forget it" solution. Maintaining a strong security posture requires a continuous cycle of assessment, adaptation, and improvement. Here's how to build that ongoing commitment:

1. Embrace a Risk-Based Approach: Security isn't about eliminating all risk - it's about prioritizing and mitigating the most significant risks. Regularly reassess your threat landscape, considering emerging threats and changes in your systems and data.

2. Automate Where Possible: Manual processes are prone to error. Automate tasks like vulnerability scanning, patching, and log analysis to improve efficiency and reduce the risk of human oversight.

3. Implement Continuous Monitoring: Real-time monitoring of your systems and data is crucial for detecting and responding to threats quickly. Utilize Security Information and Event Management (SIEM) tools to aggregate and analyze logs from various sources.

4. Foster a Security-First Culture: Data security is everyone's responsibility. Promote a culture of security awareness and encourage employees to report suspicious activity. Regularly communicate security updates and best practices.

5. Stay Informed About Emerging Technologies & Threats: The cybersecurity landscape is constantly evolving. Subscribe to industry newsletters, attend webinars, and follow reputable security blogs to stay informed about the latest threats and technologies.

6. Regularly Review and Update Your Policies & Procedures: Don't let your security policies gather dust. Review and update them at least annually, or more frequently as needed, to reflect changes in your environment and the threat landscape.

7. Simulate Attacks (Red Teaming/Penetration Testing): Periodically engage external security experts to simulate real-world attacks. These exercises can identify vulnerabilities that might be missed by internal assessments.

8. Vendor Risk Management: Ensure that your third-party vendors also adhere to robust security practices. Assess their security controls and implement contractual requirements to protect your data.

Conclusion: Building a Resilient Transit System

Protecting passenger data and ensuring operational resilience isn't a one-time project; it's an ongoing commitment. By proactively implementing the steps outlined in this checklist and fostering a culture of data security and privacy awareness across your agency, you're not just mitigating risks - you're building a foundation of trust with your riders, strengthening your operations, and safeguarding the future of your transit system. Remember that adaptability is key. Regularly review and update your security practices to stay ahead of evolving threats and regulatory changes, ensuring your agency remains a secure and reliable cornerstone of the community.

Resources & Links

• National Institute of Standards and Technology (NIST) - Cybersecurity Framework - Provides a foundational framework for understanding and improving cybersecurity posture.
• Cybersecurity and Infrastructure Security Agency (CISA) - Offers resources, alerts, and best practices for critical infrastructure protection, including transportation.
• Federal Transit Administration (FTA) - Provides guidance and regulations related to transit system safety and security.
• Privacy Rights Clearinghouse - Provides information and resources on data privacy issues.
• Center for Democracy & Technology - Focuses on digital rights and privacy, offering relevant insights.
• Electronic Frontier Foundation (EFF) - Advocates for digital rights and privacy, including data protection.
• International Organization for Standardization (ISO) - Provides standards for various management systems, including information security (ISO 27001).
• SANS Institute - Offers cybersecurity training and certifications, useful for understanding technical aspects of security.
• Information Systems Audit and Control Association (ISACA) - Provides resources and certifications related to IT governance, risk management, and security.
• U.S. Government Accountability Office (GAO) - Reports and studies on government programs, including transportation and security. Search for reports related to transit security.
• FTA Transit Security - Specific resources from the FTA on transit security practices.
• Principles of Security & Privacy - Offers consultancy and resources on security and privacy implementation.
• Ponemon Institute - Conducts research on data privacy and security, including cost of data breaches.