TPEP Security

Adopted Rules: Closed to Comments

Effective Date: 
Thursday, March 7, 2013
Download Copy of Adopted Rule (.pdf): 



Statement of Basis and Purpose of Rule



On December 13, 2012, the TLC promulgated rules for the Authorization of TPEP Providers, which contained requirements that TPEP Providers must meet in order to be authorized to sell, lease, make available for use, install, service, and repair TPEP Systems in Taxicabs. These rules establish the information security standards that said TPEP Systems must meet in order to be approved by the Commission for sale, lease, or use in Taxicabs.


The rules require that the TPEP Data collected, transmitted, processed, maintained and stored by all TPEP Providers and their employees, agents and subcontractors must be safeguarded to provide:


1)    a secure medium for the TPEP Data and TPEP system components,

2)    protection of personal information of the TPEP Provider and subcontractor employees, and

3)    protection of personal information of members of the riding public who pay by credit, debit or prepaid card.


The rules require that the TPEP Provider:


  • Establishes policies for information security, authentication, remote access, anti-virus security, application development security, digital media re-use and disposal, encryption, passwords, user responsibilities, and vulnerability management;
  • Complies with copyrights and develops appropriate controls and procedures to protect the Database Management Systems;
  • Limits access to TPEP Data, by providing safeguards such as firewalls and fraud prevention;
  • Maintains the confidentiality of personal information; and
  • Develops controls for network management and procedures for security incident management.


The Commission’s authority for this rules change is found in section 2303 of the New York City Charter and section 19-503 of the New York City Administrative Code.



Proposed Rule: