The House of Representatives passed H.R. 3388, the “Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act” or the “SELF DRIVE Act” last month. The bill would remove regulatory barriers to develop self-driving or autonomous cars by giving the National Highway Traffic Safety Administration (NHSTA) authority to establish federal safety, design, and performance standards for automated cars, excluding commercial vehicles, such as trucks and buses. States would still be responsible for the vehicle registration, driver’s licensing, insurance, and safety and emissions inspections. The bill would also allow states to impose stricter performance requirements than those set by NHTSA.
We have outlined the privacy and cybersecurity provisions of this bill, as well as the NHTSA’s voluntary security standards for self-driving cars.
The plan must specify (i) how the manufacturer intends to collect, use, share, and store the vehicle owners’ information; (ii) how the manufacturer plans to offer choices to the owners and occupants of the car as to how the collected information will be used, shared, and stored; and (iii) the practices that the manufacturer intends to use related to data minimization, de-identification, and retention.
A manufacturer that did not have a written privacy plan in place would be prohibited from selling and/or importing any automated vehicles into the U.S. The written privacy plan would not cover information about the owners and/or occupants that is altered or combined, encrypted or anonymized so that the data is no longer identifiable to a specific person.
Within one year of enactment of this legislation, the Transportation Secretary would be required to make available to the public and to Congress their safety priority plan related to automated vehicles. The written cybersecurity policy would be required to outline how the manufacturer intends to detect and respond to cyberattacks, unauthorized intrusions, and false and spurious messages or vehicle control commands.
In addition, the manufacturer’s policy must also include the process for detecting, assessing, and mitigating foreseeable vulnerabilities from cyberattacks; outline the processes for taking preventive and corrective action to mitigate against such vulnerabilities; identify an individual within the company who is responsible for the cybersecurity; outline the process for restricting access to the automated driving data; and the employee training and supervision for those with access to automated driving systems.
Notably, there has been no discussion of possible mandates for manufacturers to purchase cybersecurity insurance or to provide coverage to their buyers. Other specific cybersecurity controls would be set by NHTSA.
Shortly after the SELF DRIVE Act passed, NHTSA unveiled its Automated Driving Systems 2.0: A Vision For Safety in September 2017 which provides voluntary guidelines for self-driving cars security standards. NHTSA recommends that auto manufacturers follow a robust development process to manage cybersecurity threats. The guidance calls for self-driving cars to comply with the best practices for vehicle cybersecurity, i.e. incorporate other “guidance, best practices, and design principles” published by NIST, NHTSA, and other industry groups, including SAE International, the Alliance of Automobile Manufacturers, and the Automotive Information Sharing and Analysis Center (Auto-ISAC).
The NHTSA recommended measures include:
- Preparing for cyber threats with an incident response plan;
- Cybersecurity-by-design approach to systems engineering;
- Maintaining an audit trail and documentation around vehicle cybersecurity, including all actions, changes, design choices, analyses, and associated testing;
- Adopting a coordinated cyber vulnerability reporting and disclosure policy; and
- Reporting cyber incidents, exploits, threats, and vulnerabilities as soon as possible to the Auto-ISAC.
Next steps for the bill
This bill has bipartisan support in the House with 20 Republican and 11 Democratic co-sponsors. There is opposition to this legislation from consumer and motor vehicle safety based groups, particularly concerning state preemption and proposed safety standards. Despite some opposition, auto manufacturers and trade groups, and technology companies are in support of this bill.
On September 28, 2017, the Senate introduced a similar bipartisan bill, the “American Vision for Safer Transportation,” or the “AV START Act.” The Senate bill largely builds onto the SELF DRIVE Act, but provides a more comprehensive set of cybersecurity requirements, while addressing the concerns of state regulators and motor safety groups.
Regardless of what legislation is ultimately passed by Congress and becomes law, the legislation will provide a framework for these important issues. The details will likely be developed through regulation and rule-making and will need to be monitored closely.
Stay Tuned: DBR on Data will cover the AV Start Act in Part 2 of our Legislative Spotlight on Self-Driving Cars.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.