United States: Legal Developments In Connected Car Arena Provide Glimpse Of Privacy And Data Security Regulation In Internet Of Things

Last Updated: February 5 2016
Article by Paul Pittman

With the holiday season in the rear view, automobiles equipped with the newest technology connecting carmakers with their vehicles, vehicles with the world around them, and drivers with the consumer marketplace – Connected Cars – have moved from the lots to driveways. Automakers are remaking their fleets to offer unprecedented choice and convenience to drivers. However, as recent studies have shown, the connectivity inherent in Connected Cars, and the fast pace at which the industry is developing, raise privacy, data security, and physical safety concerns about the vulnerability of Connected Car computer systems. Lawmakers and regulators have begun to devote increased attention to this issue while plaintiffs' attorneys have been emboldened to haul automakers, manufacturers, and computer system developers into court. As one of the earliest entrants into and faster-growing components of the Internet of Things (IoT), Connected Cars represent a testing ground for the development of consumer privacy rights and security standards for the IoT. The approach by Congress and the courts to the governance of Connected Cars will likely guide the development of standards and practices across the IoT spectrum.

Internet of Things

Connected Cars are part of the growing and evolving Internet of Things. The IoT describes the ecosystem of everyday products and services that are equipped with "smart" technology that allows them to connect to other products or services to communicate and transfer information about users to retailers, manufacturers, and the like, typically via a wireless network. The IoT currently includes devices we use every day such as Fitbits, connected appliances, smartphones and smart TVs. As the industry grows, IoT devices will continue to permeate the objects we use on a daily basis.

Connected Cars in particular will compose the majority of the automotive fleet in the near future. The market for Connected Cars is projected to reach $54 billion in the next two years. It is estimated that by 2020 there will be 250 million Connected Cars on the road, and about 90 percent of new vehicles in Western Europe will be connected to the Internet. Connected Cars provide consumers with convenience and a personalized driving experience. Automakers and retailers gain access to consumers to provide improved services and to market products. Onboard computers allow for navigation technologies and integration with mobile devices that complement and enhance the vehicle technology. They also allow for the collection of driver data and other driver information to enable companies to efficiently deploy customized services and experiences. Automakers are developing Connected Car technology that will allow drivers to shop through the car dashboard, based on their location and preferences determined through data collection.

Connected Car Privacy and Security Vulnerabilities

The connectivity necessary for providing the features offered by Connected Cars may pose privacy and security dangers and vulnerabilities. Connected Cars can contain more than 50 separate electronic control units (ECUs) connected through a controller area network (CAN) or other network. Those ECUs communicate with each other and the CAN through use of digital messages called CAN packets. If CAN packets are not authenticated or encrypted, they may be susceptible to remote hacking through the vehicles' wireless and phone components. This wireless technology may also enable unauthorized access to other systems and data collected by the vehicle, such as location data and potentially payment card data used for dashboard shopping.

There are also concerns about Connected Cars being subject to remote interference and operation. Security researchers' published findings have sparked increased industry, regulatory, and congressional interest in this area. One notable example involved a report that researchers were able to remotely access a car and change the car's air-conditioning settings, switch the volume and station on the radio, turn on the windshield wipers, and display a picture of the researchers on the digital dashboard screen from 10 miles away. The researchers also were able to disable the vehicle's engine and brakes, control the steering wheel, and track the car's GPS coordinates. The researchers claim that they could gain access to the vehicle from as far as 70 miles away.

Evolving Legal Landscape

Proposed Legislation

As manufacturers develop the vehicles and infrastructure that enable the use of Connected Cars, the legal landscape is struggling to keep up. Congress has proposed but has not enacted new legislation. On July 21, 2015, Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) proposed legislation (S. 1806) requiring the Department of Transportation's National Highway Traffic Safety Administration (NHTSA) to team with the Federal Trade Commission (FTC) to establish certain consumer data privacy and car computer network security rules to prevent hacking in all motor vehicles manufactured for sale in the U.S. ("SPY Car Act"). The SPY Car Act was based on a February 2015 report by Senator Markey, who had surveyed automakers about cybersecurity threats to safety and the collection and storage of driving data, including location, driving history, and user data. The report found that nearly all cars on the market have wireless technologies and identified several purported weaknesses in the security of connected features in cars.

The SPY Car Act would require collaboration between the NHTSA and the FTC to implement cybersecurity standards for vehicle system and driving data security, including

  • hacking protection and mitigation;
  • a "cyber dashboard" display label affixed to the vehicle that describes the vehicle's compliance with cybersecurity and privacy requirements under the SPY Car Act; and
  • certain privacy standards including providing notice and choice regarding the use and collection of data, and limiting the use of driving data by manufacturers. Violators of the SPY Car Act cybersecurity standards would be penalized up to $5,000 per violation.

Violations of the privacy standards would be treated as unfair and deceptive acts or practices under Section 5 of the FTC Act.

In addition, in October 2015, Representatives Joe Wilson (R-S.C.) and Ted Lieu (D-Calif.) suggested legislation titled Examining Ways to Improve Vehicle and Roadway Safety: Vehicle Data Privacy that would require auto manufacturers to:

  • develop and implement a privacy policy regarding the collection, sharing, and use of driver and vehicle data;
  • file their privacy policies with the Secretary of Transportation;
  • retain data only for legitimate business purposes; and
  • implement reasonable security measures to prevent hacking. The proposed legislation would impose on auto manufacturers penalties of up to $1 million for failing to file a privacy policy or comply with an express privacy policy and fines of up to $100,000 for failing to prevent hacking.

The proposed legislation would also require the NHTSA to create an Automotive Cybersecurity Advisory Council to develop cybersecurity best practices for vehicle manufacturers.

Notably, the proposed legislation contains a safe harbor against FTC enforcement under Section 5 of the FTC Act for companies that file a privacy policy complying with these requirements. Unsurprisingly, the FTC has expressed disapproval of this provision, which could provide immunity to an auto manufacturer that does not follow its privacy policy and prohibit the FTC from enforcement actions against auto manufacturers for privacy-related misrepresentations on their websites, whether accessed through the vehicle or otherwise.

Self-Regulation

The automotive industry and even the FTC have cautioned that IoT-specific legislation may stifle IoT innovation and penalize companies that attempt to implement reasonable privacy and security measures. Many lawmakers have little understanding of the IoT and are not yet equipped to address the issues it presents. Notably, and despite the pending proposed SPY Car Act, the Senate passed a resolution on March 24, 2015, that recognizes the importance of the development of the IoT and resolves that public and private entities should guide the strategy for advancing the technology. The resolution calls for Congress and the industry to collaborate to advance a national Internet of Things strategy that does not result in overregulation that stifles and prevents innovation and growth.

The automotive industry has also taken steps toward self-regulation. In November 2014, the Alliance of Automobile Manufacturers, Inc., and the Association of Global Automakers, Inc., published the Consumer Privacy Protection Principles: Privacy Principles for Vehicle Technologies and Services. These principles relate to the collection, use, and sharing of personal and vehicle information associated with vehicle technologies that collect, generate, record, and store this information. The principles call for automakers and manufacturers to ensure the following by 2017:

  • provide consumers with clear notice and choice in the use and collection of personal information;
  • use personal information in a way that is consistent with the context in which it was collected;
  • collect information only as legitimately needed, and retain it for only as long as necessary;
  • implement reasonable data security measures;
  • maintain the accuracy of the data, and provide access to users; and
  • remain accountable to consumers for adherence to these principles.

The Alliance of Automobile Manufacturers, Inc., and the Association of Global Automakers, Inc., have also formed an Information Sharing and Analysis Center (ISAC) to share intelligence about vehicle cybersecurity threats and designed a framework to further the development of automotive cybersecurity best practices on how to safeguard against and respond to threats.

Enforcement

Whether the regulatory framework surrounding Connected Cars emanates from legislation or self-regulation, several agencies are poised to take the lead in enforcement activities in the area. In fact, the SPY Car Act requires collaboration between the FTC and the NHTSA in developing privacy and security standards for Connected Cars. The FTC has traditionally been the lead regulator of consumer privacy and data security standards by using its authority under Section 5 of the FTC Act to contend that a lack of reasonable security measures or other missteps amount to unfair or deceptive acts or practices. The FTC has indicated an intent to play a similar role with regard to Connected Cars as evidenced by the guidance IoT document it issued titled Internet of Things – Security and Privacy in a Connected World. This guidance document encourages companies operating in the IoT to implement "security by design" into their products, along with providing consumers notice and choice with regard to collection and use of the personal information, and ensuring that companies' data collection and use practices are transparent and minimize data collection, among other suggested best practices.

NHTSA is a relatively new entrant into the data privacy and security enforcement arena, but it will be tasked with ensuring that automakers and manufacturers implement security standards sufficient to protect Connected Car computer systems from being accessed and physically controlled. NHTSA has published guidance on automotive cybersecurity, including application of the National Institute of Standards and Technology (NIST) Risk Management framework in the automotive cybersecurity context. And NHTSA recently completed an investigation of an auto manufacturer and its computer system vendor related to vehicle cybersecurity, which is particularly important since some technology company vendors supply these same systems to other car manufacturers. Automakers appear to be receptive to NHTSA's approach as they recently announced a data sharing safety agreement that reaffirms the commitment of NHTSA and automakers to collaborate on the development of cybersecurity best practice, and the continued sharing of information on cybersecurity threats and countermeasures to repel potential hackers.  As Connected Car technology grows to encompass more products and services, the Federal Communications Commission (FCC) may also emerge as an enforcement player under its expanded enforcement authority over "telecommunications service" providers. Internet service providers that offer the wireless Internet services that fuel Connected Car connectivity could face increased scrutiny by the FCC, and potential fines, over the adequacy of their privacy practices and security standards for the collection of consumer personal information crossing their wireless networks.

Litigation

Class actions alleging claims based on privacy and security issues related to Connected Cars have already been filed. In an action filed in California federal court, the plaintiffs sought to certify a class of car owners who allege that the defendant car manufacturers created and concealed data privacy and vehicle security vulnerabilities through the continued use of the CAN system. The plaintiffs alleged that the CAN system is susceptible to being hacked, which could allow for the collection of data stored on the CAN system and for the control of certain vehicle functions such as steering, braking, and acceleration. The plaintiffs asserted claims for express and implied breach of warranty, fraud, false advertising, and violations of consumer protection laws. The plaintiffs sought injunctive relief, updates to the CAN system to secure and protect vehicles and data, and recovery of economic losses associated with the loss of their vehicles' value.

The defendant car manufacturers moved to dismiss the action, arguing that the plaintiffs did not suffer any "injury in fact" because their cars have not been hacked or taken control of, nor had their data been breached. The defendants relied primarily on Clapper v. Amnesty Int'l, where the Supreme Court held that to establish standing, a plaintiff must allege more than a speculative injury, but rather the injury alleged must be "concrete and particularized" and "actual or imminent." The defendants also asserted that the plaintiffs lacked standing to bring an invasion of privacy claim because the plaintiffs did not have a reasonable expectation in the privacy of the personal data collected by the Connected Car and that the type of data collected did not cause a "serious invasion of privacy." The plaintiffs claimed that they had been injured by the defendant car manufacturers' alleged misrepresentations about the alleged privacy and security defects, and asserted that they would not have purchased the vehicles or that they paid an inflated price for their vehicles.

Consistent with the Clapper decision, the court recently dismissed the plaintiffs' complaint (with leave to amend) for a lack of standing, finding that the plaintiffs did not allege that their or any other class members' cars have been hacked and therefore their alleged injuries are not certainly impending, but rather speculative and unproven at this point. Notably, the court emphasized the lack of any actual incidents of car hacking suffered by the class plaintiffs, or any other plaintiffs, outside of a controlled environment. The court suggested that it might arrive at a different conclusion on the issue of standing should a Connected Car actually be hacked, noting that "all of this is not to say that a future risk of harm can never satisfy injury in fact analysis" and that "a credible threat of harm is sufficient to constitute actual injury for standing purposes."

The court also rejected the plaintiffs' claims for economic loss, finding a lack of any demonstrable impact on the value of the vehicles such as declining values, recalls, or out-of-pocket expenses for replacing or discontinuing use of their vehicles. Finally, the court distinguished driver, performance, and location data from Social Security numbers or payment card numbers, finding that this type of data is not protected under California state privacy laws.

Plaintiffs assert similar claims in another class action pending in Illinois federal court, which also includes a claim against the vehicle "infotainment" manufacturer. Plaintiffs allege that the vehicle infotainment system is part of a design defect in the vehicle because it is not properly separated from the vehicle CAN system that connects to the vehicle engine control units and is susceptible to being hacked (via the 3G cellular network and radio connection). The vehicle computer system defendants argue that the plaintiffs' claims against them should be dismissed due to a lack of privity or any other actionable relationship between the plaintiffs and the vehicle infotainment manufacturer. The lack of any actual instances of cars being hacked could determine the outcome here, just as it did in the California litigation. Nonetheless, this case warrants following as it involves the potential liability of the component part manufacturers for data privacy and security vulnerabilities in Connected Cars.

Impact on Regulatory Framework

The evolving nature of the regulatory framework creates uncertainty for automakers, manufacturers, and technology companies that are attempting to innovate in this field. As the regulatory framework around Connected Cars evolves, it will be important for companies to keep apprised of new litigation and agency, industry, and legislative developments while maintaining flexibility in their products should new or stricter privacy and security standards be implemented or other regulators step into the fray.

As it stands, class action plaintiffs still face an uphill battle in bringing claims related to the data privacy and security of Connected Cars. Courts do not appear inclined to allow class plaintiffs to proceed on claims where no actual injury (hacking) has been manifested. Of course, if reports of actual incidents of car hacking begin to occur and there are actual instances of harm, the potential impact to businesses from the litigation and legislation that such instances might inspire could be significant.

Indeed, even the current legislation proposed by the Senate and House bills could create rigid compliance standards that could be costly, inefficient, and ineffective for protecting consumer privacy and securing vehicle safety as they are bypassed by hackers. The legislation could also subject companies that have made reasonable efforts to implement privacy and security standards to fines, and deter vehicle computer system security research. Importantly, onerous legislation could stifle innovation in the Connected Car arena by placing unnecessary limitations on the design and development of Connected Car computer systems.

For now, companies involved as stakeholders in developing privacy and data security standards for Connected Cars need to continue to remain aware of efforts by non-stakeholders to regulate this fast-moving technology. The privacy framework set forth in the Consumer Privacy Protection Principles: Privacy Principles for Vehicle Technologies and Services will likely be considered by regulators investigating these practices by automakers, manufacturers, and tech companies following a breach. The principles are largely consistent with the legislation proposed by Congress, but notably lack the guidance on security standards for Connected Cars to prevent hacking into Connected Car computer systems contained in the proposed legislation.

Companies also should continue to monitor guidance, enforcement activities, and investigations by the FTC and NHTSA. NHTSA is actively developing cybersecurity guidelines and best practices for securing automotive computer systems and reducing vulnerabilities. In addition, the FTC has expressly encouraged companies to build security into their products along with policies ensuring data minimization, notice, and choice. The use of guidelines and best practices by enforcement agencies, rather than calls for congressional action, suggests that agencies are content to allow the Connected Car industry to self-regulate at this time. Consequently, the more companies conform with this existing regulatory framework and show effectiveness in protecting consumer data from hackers, the less likely legislators are to push for specific privacy or cybersecurity legislation relating to Connected Cars. Further, companies that comply with the industry self-regulatory and agency guidance should be better positioned to defend against any claims in purported class actions that the company failed to follow reasonable privacy and security standards.

The Long View

The impact of the development of the regulatory framework governing Connected Cars on the development of IoT regulation as a whole cannot be underestimated. Many of the same privacy, data security, and physical safety concerns that arise with Connected Cars also arise with health devices, home automation systems, and smart energy grids. As a result, the industry response to the existing Connected Car regulatory framework, and the government's assessment of the efficacy of self-regulation on consumer protection, will likely determine whether this framework is applied in other IoT settings or replaced with more government regulation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions