Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Legislative Spotlight: Self-Driving Cars Part 1

The House of Representatives passed H.R. 3388, the “Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act” or the “SELF DRIVE Act,” last month. The bill would remove regulatory barriers to developing self-driving or autonomous cars by giving the National Highway Traffic Safety Administration (NHTSA) authority to establish federal safety, design, and performance standards for automated cars, excluding commercial vehicles such as trucks and buses. States would still be responsible for vehicle registration, driver’s licensing, insurance, and safety and emissions inspections. The bill would also allow states to impose stricter performance requirements than those set by NHTSA.

We have outlined the privacy and cybersecurity provisions of this bill, as well as the NHTSA’s voluntary security standards for self-driving cars.

Privacy

The SELF DRIVE Act would set data privacy policy standards for automated cars and would require manufacturers to have a written data privacy plan.

The plan must specify (i) how the manufacturer intends to collect, use, share, and store the vehicle owners’ information; (ii) how the manufacturer plans to offer choices to the owners and occupants of the car as to how the collected information will be used, shared, and stored; and (iii) the practices that the manufacturer intends to use related to data minimization, de-identification, and retention.

A manufacturer that did not have a written privacy plan in place would be prohibited from selling and/or importing any automated vehicles into the U.S. The written privacy plan would not cover information about the owners and/or occupants that is altered or combined, encrypted or anonymized so that the data is no longer identifiable to a specific person.

Cybersecurity

Within one year of enactment of this legislation, the Transportation Secretary would be required to make available to the public and to Congress their safety priority plan related to automated vehicles. The written cybersecurity policy would be required to outline how the manufacturer intends to detect and respond to cyberattacks, unauthorized intrusions, and false and spurious messages or vehicle control commands.

In addition, the manufacturer’s policy must include the process for detecting, assessing, and mitigating foreseeable vulnerabilities from cyberattacks; outline the processes for taking preventive and corrective action to mitigate such vulnerabilities; identify an individual within the company who is responsible for cybersecurity; outline the process for restricting access to automated driving data; and cover employee training and supervision for those with access to automated driving systems.

Notably, there has been no discussion of possible mandates for manufacturers to purchase cybersecurity insurance or to provide coverage to their buyers. Other specific cybersecurity controls would be set by NHTSA.

NHTSA Recommendations

Shortly after the SELF DRIVE Act passed, NHTSA unveiled its Automated Driving Systems 2.0: A Vision For Safety in September 2017, which provides voluntary guidelines on security standards for self-driving cars. NHTSA recommends that auto manufacturers follow a robust development process to manage cybersecurity threats. The guidance calls for self-driving cars to comply with the best practices for vehicle cybersecurity, i.e., to incorporate other “guidance, best practices, and design principles” published by NIST, NHTSA, and other industry groups, including SAE International, the Alliance of Automobile Manufacturers, and the Automotive Information Sharing and Analysis Center (Auto-ISAC).

The NHTSA recommended measures include:

  • Preparing for cyber threats with an incident response plan;
  • Taking a cybersecurity-by-design approach to systems engineering;
  • Maintaining an audit trail and documentation around vehicle cybersecurity, including all actions, changes, design choices, analyses, and associated testing;
  • Adopting a coordinated cyber vulnerability reporting and disclosure policy; and
  • Reporting cyber incidents, exploits, threats, and vulnerabilities as soon as possible to the Auto-ISAC.

Next steps for the bill

This bill has bipartisan support in the House with 20 Republican and 11 Democratic co-sponsors. There is opposition to this legislation from consumer and motor vehicle safety groups, particularly concerning state preemption and proposed safety standards. Despite some opposition, auto manufacturers, trade groups, and technology companies support this bill.

On September 28, 2017, the Senate introduced a similar bipartisan bill, the “American Vision for Safer Transportation,” or the “AV START Act.” The Senate bill largely builds on the SELF DRIVE Act but provides a more comprehensive set of cybersecurity requirements, while addressing the concerns of state regulators and motor safety groups.

Regardless of what legislation is ultimately passed by Congress and becomes law, the legislation will provide a framework for these important issues. The details will likely be developed through regulation and rule-making and will need to be monitored closely.

Stay Tuned: DBR on Data will cover the AV START Act in Part 2 of our Legislative Spotlight on Self-Driving Cars.

October 12, 2017
Written by: Discerning Data Editorial Board
Category: Cybersecurity, Privacy
Tags: Connected Cars, cybersecurity, Department of Education, NHTSA, NIST, policy
