United States: Legal Developments In Connected Car Arena Provide Glimpse Of Privacy And Data Security Regulation In Internet Of Things

Last Updated: February 5 2016
Article by Paul Pittman

With the holiday season in the rear view, automobiles equipped with the newest technology connecting carmakers with their vehicles, vehicles with the world around them, and drivers with the consumer marketplace – Connected Cars – have moved from the lots to driveways. Automakers are remaking their fleets to offer unprecedented choice and convenience to drivers. However, as recent studies have shown, the connectivity inherent in Connected Cars, and the fast pace at which the industry is developing, raise privacy, data security, and physical safety concerns about the vulnerability of Connected Car computer systems. Lawmakers and regulators have begun to devote increased attention to this issue while plaintiffs' attorneys have been emboldened to haul automakers, manufacturers, and computer system developers into court. As one of the earliest entrants into and faster-growing components of the Internet of Things (IoT), Connected Cars represent a testing ground for the development of consumer privacy rights and security standards for the IoT. The approach by Congress and the courts to the governance of Connected Cars will likely guide the development of standards and practices across the IoT spectrum.

Internet of Things

Connected Cars are part of the growing and evolving Internet of Things. The IoT describes the ecosystem of everyday products and services that are equipped with "smart" technology that allows them to connect to other products or services to communicate and transfer information about users to retailers, manufacturers, and the like, typically via a wireless network. The IoT currently includes devices we use every day such as Fitbits, connected appliances, smartphones and smart TVs. As the industry grows, IoT devices will continue to permeate the objects we use on a daily basis.

Connected Cars in particular will compose the majority of the automotive fleet in the near future. The market for Connected Cars is projected to reach $54 billion in the next two years. It is estimated that by 2020 there will be 250 million Connected Cars on the road, and about 90 percent of new vehicles in Western Europe will be connected to the Internet. Connected Cars provide consumers with convenience and a personalized driving experience. Automakers and retailers gain access to consumers to provide improved services and to market products. Onboard computers allow for navigation technologies and integration with mobile devices that complement and enhance the vehicle technology. They also allow for the collection of driver data and other driver information to enable companies to efficiently deploy customized services and experiences. Automakers are developing Connected Car technology that will allow drivers to shop through the car dashboard, based on their location and preferences determined through data collection.

Connected Car Privacy and Security Vulnerabilities

The connectivity necessary for providing the features offered by Connected Cars may pose privacy and security dangers and vulnerabilities. Connected Cars can contain more than 50 separate electronic control units (ECUs) connected through a controller area network (CAN) or other network. Those ECUs communicate with each other and the CAN through use of digital messages called CAN packets. If CAN packets are not authenticated or encrypted, they may be susceptible to remote hacking through the vehicles' wireless and phone components. This wireless technology may also enable unauthorized access to other systems and data collected by the vehicle, such as location data and potentially payment card data used for dashboard shopping.

There are also concerns about Connected Cars being subject to remote interference and operation. Security researchers' published findings have sparked increased industry, regulatory, and congressional interest in this area. One notable example involved a report that researchers were able to remotely access a car and change the car's air-conditioning settings, switch the volume and station on the radio, turn on the windshield wipers, and display a picture of the researchers on the digital dashboard screen from 10 miles away. The researchers also were able to disable the vehicle's engine and brakes, control the steering wheel, and track the car's GPS coordinates. The researchers claim that they could gain access to the vehicle from as far as 70 miles away.

Evolving Legal Landscape

Proposed Legislation

As manufacturers develop the vehicles and infrastructure that enable the use of Connected Cars, the legal landscape is struggling to keep up. Congress has proposed but has not enacted new legislation. On July 21, 2015, Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) proposed legislation (S. 1806) requiring the Department of Transportation's National Highway Traffic Safety Administration (NHTSA) to team with the Federal Trade Commission (FTC) to establish certain consumer data privacy and car computer network security rules to prevent hacking in all motor vehicles manufactured for sale in the U.S. ("SPY Car Act"). The SPY Car Act was based on a February 2015 report by Senator Markey, who had surveyed automakers about cybersecurity threats to safety and the collection and storage of driving data, including location, driving history, and user data. The report found that nearly all cars on the market have wireless technologies and identified several purported weaknesses in the security of connected features in cars.

The SPY Car Act would require collaboration between the NHTSA and the FTC to implement cybersecurity standards for vehicle system and driving data security, including

  • hacking protection and mitigation;
  • a "cyber dashboard" display label affixed to the vehicle that describes the vehicle's compliance with cybersecurity and privacy requirements under the SPY Car Act; and
  • certain privacy standards including providing notice and choice regarding the use and collection of data, and limiting the use of driving data by manufacturers. Violators of the SPY Car Act cybersecurity standards would be penalized up to $5,000 per violation.

Violations of the privacy standards would be treated as unfair and deceptive acts or practices under Section 5 of the FTC Act.

In addition, in October 2015, Representatives Joe Wilson (R-S.C.) and Ted Lieu (D-Calif.) suggested legislation titled Examining Ways to Improve Vehicle and Roadway Safety: Vehicle Data Privacy that would require auto manufacturers to:

  • develop and implement a privacy policy regarding the collection, sharing, and use of driver and vehicle data;
  • file their privacy policies with the Secretary of Transportation;
  • retain data only for legitimate business purposes; and
  • implement reasonable security measures to prevent hacking. The proposed legislation would impose on auto manufacturers penalties of up to $1 million for failing to file a privacy policy or comply with an express privacy policy and fines of up to $100,000 for failing to prevent hacking.

The proposed legislation would also require the NHTSA to create an Automotive Cybersecurity Advisory Council to develop cybersecurity best practices for vehicle manufacturers.

Notably, the proposed legislation contains a safe harbor against FTC enforcement under Section 5 of the FTC Act for companies that file a privacy policy complying with these requirements. Unsurprisingly, the FTC has expressed disapproval of this provision, which could provide immunity to an auto manufacturer that does not follow its privacy policy and prohibit the FTC from enforcement actions against auto manufacturers for privacy-related misrepresentations on their websites, whether accessed through the vehicle or otherwise.

Self-Regulation

The automotive industry and even the FTC have cautioned that IoT-specific legislation may stifle IoT innovation and penalize companies that attempt to implement reasonable privacy and security measures. Many lawmakers have little understanding of the IoT and are not yet equipped to address the issues it presents. Notably, and despite the pending proposed SPY Car Act, the Senate passed a resolution on March 24, 2015, that recognizes the importance of the development of the IoT and resolves that public and private entities should guide the strategy for advancing the technology. The resolution calls for Congress and the industry to collaborate to advance a national Internet of Things strategy that does not result in overregulation that stifles and prevents innovation and growth.

The automotive industry has also taken steps toward self-regulation. In November 2014, the Alliance of Automobile Manufacturers, Inc., and the Association of Global Automakers, Inc., published the Consumer Privacy Protection Principles: Privacy Principles for Vehicle Technologies and Services. These principles relate to the collection, use, and sharing of personal and vehicle information associated with vehicle technologies that collect, generate, record, and store this information. The principles call for automakers and manufacturers to ensure the following by 2017:

  • provide consumers with clear notice and choice in the use and collection of personal information;
  • use personal information in a way that is consistent with the context in which it was collected;
  • collect information only as legitimately needed, and retain it for only as long as necessary;
  • implement reasonable data security measures;
  • maintain the accuracy of the data, and provide access to users; and
  • remain accountable to consumers for adherence to these principles.

The Alliance of Automobile Manufacturers, Inc., and the Association of Global Automakers, Inc., have also formed an Information Sharing and Analysis Center (ISAC) to share intelligence about vehicle cybersecurity threats and designed a framework to further the development of automotive cybersecurity best practices on how to safeguard against and respond to threats.

Enforcement

Whether the regulatory framework surrounding Connected Cars emanates from legislation or self-regulation, several agencies are poised to take the lead in enforcement activities in the area. In fact, the SPY Car Act requires collaboration between the FTC and the NHTSA in developing privacy and security standards for Connected Cars. The FTC has traditionally been the lead regulator of consumer privacy and data security standards by using its authority under Section 5 of the FTC Act to contend that a lack of reasonable security measures or other missteps amount to unfair or deceptive acts or practices. The FTC has indicated an intent to play a similar role with regard to Connected Cars as evidenced by the guidance IoT document it issued titled Internet of Things – Security and Privacy in a Connected World. This guidance document encourages companies operating in the IoT to implement "security by design" into their products, along with providing consumers notice and choice with regard to collection and use of the personal information, and ensuring that companies' data collection and use practices are transparent and minimize data collection, among other suggested best practices.

NHTSA is a relatively new entrant into the data privacy and security enforcement arena, but it will be tasked with ensuring that automakers and manufacturers implement security standards sufficient to protect Connected Car computer systems from being accessed and physically controlled. NHTSA has published guidance on automotive cybersecurity, including application of the National Institute of Standards and Technology (NIST) Risk Management framework in the automotive cybersecurity context. And NHTSA recently completed an investigation of an auto manufacturer and its computer system vendor related to vehicle cybersecurity, which is particularly important since some technology company vendors supply these same systems to other car manufacturers. Automakers appear to be receptive to NHTSA's approach as they recently announced a data sharing safety agreement that reaffirms the commitment of NHTSA and automakers to collaborate on the development of cybersecurity best practice, and the continued sharing of information on cybersecurity threats and countermeasures to repel potential hackers.  As Connected Car technology grows to encompass more products and services, the Federal Communications Commission (FCC) may also emerge as an enforcement player under its expanded enforcement authority over "telecommunications service" providers. Internet service providers that offer the wireless Internet services that fuel Connected Car connectivity could face increased scrutiny by the FCC, and potential fines, over the adequacy of their privacy practices and security standards for the collection of consumer personal information crossing their wireless networks.

Litigation

Class actions alleging claims based on privacy and security issues related to Connected Cars have already been filed. In an action filed in California federal court, the plaintiffs sought to certify a class of car owners who allege that the defendant car manufacturers created and concealed data privacy and vehicle security vulnerabilities through the continued use of the CAN system. The plaintiffs alleged that the CAN system is susceptible to being hacked, which could allow for the collection of data stored on the CAN system and for the control of certain vehicle functions such as steering, braking, and acceleration. The plaintiffs asserted claims for express and implied breach of warranty, fraud, false advertising, and violations of consumer protection laws. The plaintiffs sought injunctive relief, updates to the CAN system to secure and protect vehicles and data, and recovery of economic losses associated with the loss of their vehicles' value.

The defendant car manufacturers moved to dismiss the action, arguing that the plaintiffs did not suffer any "injury in fact" because their cars have not been hacked or taken control of, nor had their data been breached. The defendants relied primarily on Clapper v. Amnesty Int'l, where the Supreme Court held that to establish standing, a plaintiff must allege more than a speculative injury, but rather the injury alleged must be "concrete and particularized" and "actual or imminent." The defendants also asserted that the plaintiffs lacked standing to bring an invasion of privacy claim because the plaintiffs did not have a reasonable expectation in the privacy of the personal data collected by the Connected Car and that the type of data collected did not cause a "serious invasion of privacy." The plaintiffs claimed that they had been injured by the defendant car manufacturers' alleged misrepresentations about the alleged privacy and security defects, and asserted that they would not have purchased the vehicles or that they paid an inflated price for their vehicles.

Consistent with the Clapper decision, the court recently dismissed the plaintiffs' complaint (with leave to amend) for a lack of standing, finding that the plaintiffs did not allege that their or any other class members' cars have been hacked and therefore their alleged injuries are not certainly impending, but rather speculative and unproven at this point. Notably, the court emphasized the lack of any actual incidents of car hacking suffered by the class plaintiffs, or any other plaintiffs, outside of a controlled environment. The court suggested that it might arrive at a different conclusion on the issue of standing should a Connected Car actually be hacked, noting that "all of this is not to say that a future risk of harm can never satisfy injury in fact analysis" and that "a credible threat of harm is sufficient to constitute actual injury for standing purposes."

The court also rejected the plaintiffs' claims for economic loss, finding a lack of any demonstrable impact on the value of the vehicles such as declining values, recalls, or out-of-pocket expenses for replacing or discontinuing use of their vehicles. Finally, the court distinguished driver, performance, and location data from Social Security numbers or payment card numbers, finding that this type of data is not protected under California state privacy laws.

Plaintiffs assert similar claims in another class action pending in Illinois federal court, which also includes a claim against the vehicle "infotainment" manufacturer. Plaintiffs allege that the vehicle infotainment system is part of a design defect in the vehicle because it is not properly separated from the vehicle CAN system that connects to the vehicle engine control units and is susceptible to being hacked (via the 3G cellular network and radio connection). The vehicle computer system defendants argue that the plaintiffs' claims against them should be dismissed due to a lack of privity or any other actionable relationship between the plaintiffs and the vehicle infotainment manufacturer. The lack of any actual instances of cars being hacked could determine the outcome here, just as it did in the California litigation. Nonetheless, this case warrants following as it involves the potential liability of the component part manufacturers for data privacy and security vulnerabilities in Connected Cars.

Impact on Regulatory Framework

The evolving nature of the regulatory framework creates uncertainty for automakers, manufacturers, and technology companies that are attempting to innovate in this field. As the regulatory framework around Connected Cars evolves, it will be important for companies to keep apprised of new litigation and agency, industry, and legislative developments while maintaining flexibility in their products should new or stricter privacy and security standards be implemented or other regulators step into the fray.

As it stands, class action plaintiffs still face an uphill battle in bringing claims related to the data privacy and security of Connected Cars. Courts do not appear inclined to allow class plaintiffs to proceed on claims where no actual injury (hacking) has been manifested. Of course, if reports of actual incidents of car hacking begin to occur and there are actual instances of harm, the potential impact to businesses from the litigation and legislation that such instances might inspire could be significant.

Indeed, even the current legislation proposed by the Senate and House bills could create rigid compliance standards that could be costly, inefficient, and ineffective for protecting consumer privacy and securing vehicle safety as they are bypassed by hackers. The legislation could also subject companies that have made reasonable efforts to implement privacy and security standards to fines, and deter vehicle computer system security research. Importantly, onerous legislation could stifle innovation in the Connected Car arena by placing unnecessary limitations on the design and development of Connected Car computer systems.

For now, companies involved as stakeholders in developing privacy and data security standards for Connected Cars need to continue to remain aware of efforts by non-stakeholders to regulate this fast-moving technology. The privacy framework set forth in the Consumer Privacy Protection Principles: Privacy Principles for Vehicle Technologies and Services will likely be considered by regulators investigating these practices by automakers, manufacturers, and tech companies following a breach. The principles are largely consistent with the legislation proposed by Congress, but notably lack the guidance on security standards for Connected Cars to prevent hacking into Connected Car computer systems contained in the proposed legislation.

Companies also should continue to monitor guidance, enforcement activities, and investigations by the FTC and NHTSA. NHTSA is actively developing cybersecurity guidelines and best practices for securing automotive computer systems and reducing vulnerabilities. In addition, the FTC has expressly encouraged companies to build security into their products along with policies ensuring data minimization, notice, and choice. The use of guidelines and best practices by enforcement agencies, rather than calls for congressional action, suggests that agencies are content to allow the Connected Car industry to self-regulate at this time. Consequently, the more companies conform with this existing regulatory framework and show effectiveness in protecting consumer data from hackers, the less likely legislators are to push for specific privacy or cybersecurity legislation relating to Connected Cars. Further, companies that comply with the industry self-regulatory and agency guidance should be better positioned to defend against any claims in purported class actions that the company failed to follow reasonable privacy and security standards.

The Long View

The impact of the development of the regulatory framework governing Connected Cars on the development of IoT regulation as a whole cannot be underestimated. Many of the same privacy, data security, and physical safety concerns that arise with Connected Cars also arise with health devices, home automation systems, and smart energy grids. As a result, the industry response to the existing Connected Car regulatory framework, and the government's assessment of the efficacy of self-regulation on consumer protection, will likely determine whether this framework is applied in other IoT settings or replaced with more government regulation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.