This summer, U.S. automakers pledged to ramp up motor vehicle
cyber protection measures by launching a new centre for cybersecurity
intelligence and analysis. This initiative, dubbed the Auto
Information Sharing and Analysis Centre (Auto ISAC, one of a number
of industry ISACs that have formed in recent months), is intended
to function as a clearinghouse for intelligence regarding cyber
threats to cars and their data networks.
The goal of Auto ISAC is to create an efficient means for the
timely identification and amelioration of cyber threats and other
tech-based vulnerabilities impacting the auto sector. The
announcement recognizes that today's cars are connected –
able to navigate, run engine diagnostics, monitor driver behaviour,
and provide customized on-board infotainment services.
This increased level of connectivity also engages privacy and
safety concerns. Automakers say that their concern for the
cybersecurity of their cars is just an extension of their shared
commitment to auto safety. Accordingly, Auto ISAC has the backing
of both the Alliance of Automobile Manufacturers and the
Association of Global Automakers. The associations have also
suggested that they would like to see auto suppliers,
telecommunications providers, and technology companies join their
security carpool. The involvement of these partners is important
given the modern realities of technology integration across
platforms and devices into various in-vehicle networks and motor
Balancing Connection and Protection
The announcement may also be driven by some political tailgating
– on both sides of the border. In February, U.S. Senator Ed
Markey (D.-Mass.) released a report on the cyber-preparedness of major
automakers, finding that security measures were inconsistent and
only 2 of the 16 companies studied had the capabilities to diagnose
or respond to a threat in real time. Senator Markey introduced legislation in July that would set
minimum standards and rules to protect data, security, and privacy
Policy for the information highway has also been a subject of
debate in Canada. Ontario, through Ontario Centres
of Excellence, has pledged $1 million to support innovative and
commercially viable projects through the Connected Vehicle/Autonomous Vehicle Program,
including projects aimed at addressing the significant regulatory
and infrastructure hurdles such connected cars create.
In March, the public interest group B.C. Freedom of Information
and Privacy Association (FIPA) released its study on privacy,
consumer choice, and onboard vehicle technology. The report,
entitled The Connected Car: Who is in the Driver's
Seat?, focuses on the privacy concerns created by
connected cars and recommends that the federal government enact
data protection regulations under the Personal Information
Protection and Electronic Documents Act (PIPEDA)
aimed specifically at regulating the auto sector.
Implications for the Rules of the Road
There are a number of concerns with any approach to motor
vehicle cybersecurity that relies on sector-specific regulation.
This is particularly true given the rapidly evolving interplay of
networked services, consumer practices, and technological
developments. A single vehicle may have an infotainment system
operated by a digital music company, a navigation system supplied
by an electronics company, telephone contacts populated over
Bluetooth, and a telematic system installed on behalf of an
insurance company. Indeed, it is difficult to define parameters for
such a narrowly-targeted policy in such a dynamic space. Regulating
a sector is problematic when the concept of 'sectors'
itself is fluctuating, both in the business landscape and
people's personal environments. A preferred approach would
maintain a uniformly applicable standard across industries,
products, and provinces.
Canadian automakers should not be lulled into a false sense of
security by the (current) absence of sector-targeted cybersecurity
regulations, nor should they be comforted by the thought that they
can hitch a ride on voluntary U.S. protocols like Auto ISAC.
Canadian automakers are subject to their own legal requirements
under Canada's privacy legislation, and complying with U.S.
regulations or voluntary codes will likely not be sufficient in
Canada. For instance, there are notable differences between
PIPEDA and the Privacy Principles of the U.S. Alliance of
Automobile Manufacturers. In addition, Canada's anti-spam
laws (CASL) may require a different approach to software updates,
and the detailed management of appropriate consents.
OEMs and others in the auto industry may want to consider
establishing a privacy management program to stay abreast of legal
developments that impact their products and to address privacy
compliance in a meaningful and systematic way.