With the holiday season in the rear view, automobiles equipped with the newest technology connecting carmakers with their vehicles, vehicles with the world around them, and drivers with the consumer marketplace – Connected Cars – have moved from the lots to driveways. Automakers are remaking their fleets to offer unprecedented choice and convenience to drivers. However, as recent studies have shown, the connectivity inherent in Connected Cars, and the fast pace at which the industry is developing, raise privacy, data security, and physical safety concerns about the vulnerability of Connected Car computer systems. Lawmakers and regulators have begun to devote increased attention to this issue while plaintiffs’ attorneys have been emboldened to haul automakers, manufacturers, and computer system developers into court. As one of the earliest entrants into and faster-growing components of the Internet of Things (IoT), Connected Cars represent a testing ground for the development of consumer privacy rights and security standards for the IoT. The approach by Congress and the courts to the governance of Connected Cars will likely guide the development of standards and practices across the IoT spectrum.
Internet of Things
Connected Cars are part of the growing and evolving Internet of Things. The IoT describes the ecosystem of everyday products and services that are equipped with “smart” technology that allows them to connect to other products or services to communicate and transfer information about users to retailers, manufacturers, and the like, typically via a wireless network. The IoT currently includes devices we use every day such as Fitbits, connected appliances, smartphones and smart TVs. As the industry grows, IoT devices will continue to permeate the objects we use on a daily basis.
Connected Cars in particular will compose the majority of the automotive fleet in the near future. The market for Connected Cars is projected to reach $54 billion in the next two years. It is estimated that by 2020 there will be 250 million Connected Cars on the road, and about 90 percent of new vehicles in Western Europe will be connected to the Internet. Connected Cars provide consumers with convenience and a personalized driving experience. Automakers and retailers gain access to consumers to provide improved services and to market products. Onboard computers allow for navigation technologies and integration with mobile devices that complement and enhance the vehicle technology. They also allow for the collection of driver data and other driver information to enable companies to efficiently deploy customized services and experiences. Automakers are developing Connected Car technology that will allow drivers to shop through the car dashboard, based on their location and preferences determined through data collection.
Connected Car Privacy and Security Vulnerabilities
The connectivity necessary for providing the features offered by Connected Cars may pose privacy and security dangers and vulnerabilities. Connected Cars can contain more than 50 separate electronic control units (ECUs) connected through a controller area network (CAN) or other network. Those ECUs communicate with each other and the CAN through use of digital messages called CAN packets. If CAN packets are not authenticated or encrypted, they may be susceptible to remote hacking through the vehicles’ wireless and phone components. This wireless technology may also enable unauthorized access to other systems and data collected by the vehicle, such as location data and potentially payment card data used for dashboard shopping.
There are also concerns about Connected Cars being subject to remote interference and operation. Security researchers’ published findings have sparked increased industry, regulatory, and congressional interest in this area. One notable example involved a report that researchers were able to remotely access a car and change the car’s air-conditioning settings, switch the volume and station on the radio, turn on the windshield wipers, and display a picture of the researchers on the digital dashboard screen from 10 miles away. The researchers also were able to disable the vehicle’s engine and brakes, control the steering wheel, and track the car’s GPS coordinates. The researchers claim that they could gain access to the vehicle from as far as 70 miles away.
Evolving Legal Landscape
Proposed Legislation
As manufacturers develop the vehicles and infrastructure that enable the use of Connected Cars, the legal landscape is struggling to keep up. Congress has proposed but has not enacted new legislation. On July 21, 2015, Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) proposed legislation (S. 1806) requiring the Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) to team with the Federal Trade Commission (FTC) to establish certain consumer data privacy and car computer network security rules to prevent hacking in all motor vehicles manufactured for sale in the U.S. (“SPY Car Act”). The SPY Car Act was based on a February 2015 report by Senator Markey, who had surveyed automakers about cybersecurity threats to safety and the collection and storage of driving data, including location, driving history, and user data. The report found that nearly all cars on the market have wireless technologies and identified several purported weaknesses in the security of connected features in cars.
The SPY Car Act would require collaboration between the NHTSA and the FTC to implement cybersecurity standards for vehicle system and driving data security, including
hacking protection and mitigation;
a “cyber dashboard” display label affixed to the vehicle that describes the vehicle’s compliance with cybersecurity and privacy requirements under the SPY Car Act; and
certain privacy standards including providing notice and choice regarding the use and collection of data, and limiting the use of driving data by manufacturers. Violators of the SPY Car Act cybersecurity standards would be penalized up to $5,000 per violation.
Violations of the privacy standards would be treated as unfair and deceptive acts or practices under Section 5 of the FTC Act.
In addition, in October 2015, Representatives Joe Wilson (R-S.C.) and Ted Lieu (D-Calif.) suggested legislation titled Examining Ways to Improve Vehicle and Roadway Safety: Vehicle Data Privacy that would require auto manufacturers to:
develop and implement a privacy policy regarding the collection, sharing, and use of driver and vehicle data;
file their privacy policies with the Secretary of Transportation;
retain data only for legitimate business purposes; and
implement reasonable security measures to prevent hacking. The proposed legislation would impose on auto manufacturers penalties of up to $1 million for failing to file a privacy policy or comply with an express privacy policy and fines of up to $100,000 for failing to prevent hacking.
The proposed legislation would also require the NHTSA to create an Automotive Cybersecurity Advisory Council to develop cybersecurity best practices for vehicle manufacturers.
Notably, the proposed legislation contains a safe harbor against FTC enforcement under Section 5 of the FTC Act for companies that file a privacy policy complying with these requirements. Unsurprisingly, the FTC has expressed disapproval of this provision, which could provide immunity to an auto manufacturer that does not follow its privacy policy and prohibit the FTC from enforcement actions against auto manufacturers for privacy-related misrepresentations on their websites, whether accessed through the vehicle or otherwise.
Self-Regulation
The automotive industry and even the FTC have cautioned that IoT-specific legislation may stifle IoT innovation and penalize companies that attempt to implement reasonable privacy and security measures. Many lawmakers have little understanding of the IoT and are not yet equipped to address the issues it presents. Notably, and despite the pending proposed SPY Car Act, the Senate passed a resolution on March 24, 2015, that recognizes the importance of the development of the IoT and resolves that public and private entities should guide the strategy for advancing the technology. The resolution calls for Congress and the industry to collaborate to advance a national Internet of Things strategy that does not result in overregulation that stifles and prevents innovation and growth.
The automotive industry has also taken steps toward self-regulation. In November 2014, the Alliance of Automobile Manufacturers, Inc., and the Association of Global Automakers, Inc., published the Consumer Privacy Protection Principles: Privacy Principles for Vehicle Technologies and Services. These principles relate to the collection, use, and sharing of personal and vehicle information associated with vehicle technologies that collect, generate, record, and store this information. The principles call for automakers and manufacturers to ensure the following by 2017:
provide consumers with clear notice and choice in the use and collection of personal information;
use personal information in a way that is consistent with the context in which it was collected;
collect information only as legitimately needed, and retain it for only as long as necessary;
implement reasonable data security measures;
maintain the accuracy of the data, and provide access to users; and
remain accountable to consumers for adherence to these principles.
The Alliance of Automobile Manufacturers, Inc., and the Association of Global Automakers, Inc., have also formed an Information Sharing and Analysis Center (ISAC) to share intelligence about vehicle cybersecurity threats and designed a framework to further the development of automotive cybersecurity best practices on how to safeguard against and respond to threats.
Enforcement
Whether the regulatory framework surrounding Connected Cars emanates from legislation or self-regulation, several agencies are poised to take the lead in enforcement activities in the area. In fact, the SPY Car Act requires collaboration between the FTC and the NHTSA in developing privacy and security standards for Connected Cars. The FTC has traditionally been the lead regulator of consumer privacy and data security standards by using its authority under Section 5 of the FTC Act to contend that a lack of reasonable security measures or other missteps amount to unfair or deceptive acts or practices. The FTC has indicated an intent to play a similar role with regard to Connected Cars as evidenced by the guidance IoT document it issued titled Internet of Things – Security and Privacy in a Connected World. This guidance document encourages companies operating in the IoT to implement “security by design” into their products, along with providing consumers notice and choice with regard to collection and use of the personal information, and ensuring that companies’ data collection and use practices are transparent and minimize data collection, among other suggested best practices.
NHTSA is a relatively new entrant into the data privacy and security enforcement arena, but it will be tasked with ensuring that automakers and manufacturers implement security standards sufficient to protect Connected Car computer systems from being accessed and physically controlled. NHTSA has published guidance on automotive cybersecurity, including application of the National Institute of Standards and Technology (NIST) Risk Management framework in the automotive cybersecurity context. And NHTSA recently completed an investigation of an auto manufacturer and its computer system vendor related to vehicle cybersecurity, which is particularly important since some technology company vendors supply these same systems to other car manufacturers. Automakers appear to be receptive to NHTSA’s approach as they recently announced a data sharing safety agreement that reaffirms the commitment of NHTSA and automakers to collaborate on the development of cybersecurity best practice, and the continued sharing of information on cybersecurity threats and countermeasures to repel potential hackers. As Connected Car technology grows to encompass more products and services, the Federal Communications Commission (FCC) may also emerge as an enforcement player under its expanded enforcement authority over “telecommunications service” providers. Internet service providers that offer the wireless Internet services that fuel Connected Car connectivity could face increased scrutiny by the FCC, and potential fines, over the adequacy of their privacy practices and security standards for the collection of consumer personal information crossing their wireless networks.
Litigation
Class actions alleging claims based on privacy and security issues related to Connected Cars have already been filed. In an action filed in California federal court, the plaintiffs sought to certify a class of car owners who allege that the defendant car manufacturers created and concealed data privacy and vehicle security vulnerabilities through the continued use of the CAN system. The plaintiffs alleged that the CAN system is susceptible to being hacked, which could allow for the collection of data stored on the CAN system and for the control of certain vehicle functions such as steering, braking, and acceleration. The plaintiffs asserted claims for express and implied breach of warranty, fraud, false advertising, and violations of consumer protection laws. The plaintiffs sought injunctive relief, updates to the CAN system to secure and protect vehicles and data, and recovery of economic losses associated with the loss of their vehicles’ value.
The defendant car manufacturers moved to dismiss the action, arguing that the plaintiffs did not suffer any “injury in fact” because their cars have not been hacked or taken control of, nor had their data been breached. The defendants relied primarily on Clapper v. Amnesty Int’l, where the Supreme Court held that to establish standing, a plaintiff must allege more than a speculative injury, but rather the injury alleged must be “concrete and particularized” and “actual or imminent.” The defendants also asserted that the plaintiffs lacked standing to bring an invasion of privacy claim because the plaintiffs did not have a reasonable expectation in the privacy of the personal data collected by the Connected Car and that the type of data collected did not cause a “serious invasion of privacy.” The plaintiffs claimed that they had been injured by the defendant car manufacturers’ alleged misrepresentations about the alleged privacy and security defects, and asserted that they would not have purchased the vehicles or that they paid an inflated price for their vehicles.
Consistent with the Clapper decision, the court recently dismissed the plaintiffs’ complaint (with leave to amend) for a lack of standing, finding that the plaintiffs did not allege that their or any other class members’ cars have been hacked and therefore their alleged injuries are not certainly impending, but rather speculative and unproven at this point. Notably, the court emphasized the lack of any actual incidents of car hacking suffered by the class plaintiffs, or any other plaintiffs, outside of a controlled environment. The court suggested that it might arrive at a different conclusion on the issue of standing should a Connected Car actually be hacked, noting that “all of this is not to say that a future risk of harm can never satisfy injury in fact analysis” and that “a credible threat of harm is sufficient to constitute actual injury for standing purposes.”
The court also rejected the plaintiffs’ claims for economic loss, finding a lack of any demonstrable impact on the value of the vehicles such as declining values, recalls, or out-of-pocket expenses for replacing or discontinuing use of their vehicles. Finally, the court distinguished driver, performance, and location data from Social Security numbers or payment card numbers, finding that this type of data is not protected under California state privacy laws.
Plaintiffs assert similar claims in another class action pending in Illinois federal court, which also includes a claim against the vehicle “infotainment” manufacturer. Plaintiffs allege that the vehicle infotainment system is part of a design defect in the vehicle because it is not properly separated from the vehicle CAN system that connects to the vehicle engine control units and is susceptible to being hacked (via the 3G cellular network and radio connection). The vehicle computer system defendants argue that the plaintiffs’ claims against them should be dismissed due to a lack of privity or any other actionable relationship between the plaintiffs and the vehicle infotainment manufacturer. The lack of any actual instances of cars being hacked could determine the outcome here, just as it did in the California litigation. Nonetheless, this case warrants following as it involves the potential liability of the component part manufacturers for data privacy and security vulnerabilities in Connected Cars.
Impact on Regulatory Framework
The evolving nature of the regulatory framework creates uncertainty for automakers, manufacturers, and technology companies that are attempting to innovate in this field. As the regulatory framework around Connected Cars evolves, it will be important for companies to keep apprised of new litigation and agency, industry, and legislative developments while maintaining flexibility in their products should new or stricter privacy and security standards be implemented or other regulators step into the fray.
As it stands, class action plaintiffs still face an uphill battle in bringing claims related to the data privacy and security of Connected Cars. Courts do not appear inclined to allow class plaintiffs to proceed on claims where no actual injury (hacking) has been manifested. Of course, if reports of actual incidents of car hacking begin to occur and there are actual instances of harm, the potential impact to businesses from the litigation and legislation that such instances might inspire could be significant.
Indeed, even the current legislation proposed by the Senate and House bills could create rigid compliance standards that could be costly, inefficient, and ineffective for protecting consumer privacy and securing vehicle safety as they are bypassed by hackers. The legislation could also subject companies that have made reasonable efforts to implement privacy and security standards to fines, and deter vehicle computer system security research. Importantly, onerous legislation could stifle innovation in the Connected Car arena by placing unnecessary limitations on the design and development of Connected Car computer systems.
For now, companies involved as stakeholders in developing privacy and data security standards for Connected Cars need to continue to remain aware of efforts by non-stakeholders to regulate this fast-moving technology. The privacy framework set forth in the Consumer Privacy Protection Principles: Privacy Principles for Vehicle Technologies and Services will likely be considered by regulators investigating these practices by automakers, manufacturers, and tech companies following a breach. The principles are largely consistent with the legislation proposed by Congress, but notably lack the guidance on security standards for Connected Cars to prevent hacking into Connected Car computer systems contained in the proposed legislation.
Companies also should continue to monitor guidance, enforcement activities, and investigations by the FTC and NHTSA. NHTSA is actively developing cybersecurity guidelines and best practices for securing automotive computer systems and reducing vulnerabilities. In addition, the FTC has expressly encouraged companies to build security into their products along with policies ensuring data minimization, notice, and choice. The use of guidelines and best practices by enforcement agencies, rather than calls for congressional action, suggests that agencies are content to allow the Connected Car industry to self-regulate at this time. Consequently, the more companies conform with this existing regulatory framework and show effectiveness in protecting consumer data from hackers, the less likely legislators are to push for specific privacy or cybersecurity legislation relating to Connected Cars. Further, companies that comply with the industry self-regulatory and agency guidance should be better positioned to defend against any claims in purported class actions that the company failed to follow reasonable privacy and security standards.
The Long View
The impact of the development of the regulatory framework governing Connected Cars on the development of IoT regulation as a whole cannot be underestimated. Many of the same privacy, data security, and physical safety concerns that arise with Connected Cars also arise with health devices, home automation systems, and smart energy grids. As a result, the industry response to the existing Connected Car regulatory framework, and the government’s assessment of the efficacy of self-regulation on consumer protection, will likely determine whether this framework is applied in other IoT settings or replaced with more government regulation.