AV START Act Addresses Privacy and Cybersecurity Issues Associated With the Development of Highly Automated Vehicles
In proposed amendments earlier this week to the current draft of the "AV START Act," the Senate addressed important cybersecurity, data access, and privacy concerns associated with the development of highly automated vehicles (HAV) and automated driving systems. Overall, the bill aims to combat these emerging risks presented through supply-side regulations, government oversight, and consumer education.
Section 14 of the act amends 49 U.S.C. chapter 301, concerning motor vehicle safety, by adding §30108, which provides measures to combat cybersecurity risks. First, automated driving system or HAV manufacturers "shall develop, maintain, and execute a written plan for identifying and reducing cybersecurity risks to the motor vehicle safety of such vehicles and systems." This cybersecurity plan needs to include processes to:
conduct a "risk-based prioritized identification and protection of safety-critical" systems;
facilitate recovery from incidents;
detect and respond to incidents in the field; and
adopt lessons learned through the "voluntary exchange of information" concerning cybersecurity.
The act vests authority in the Secretary of Transportation to monitor compliance. Manufacturers will need to summarize the plan and produce it for public disclosure, requiring a delicate balancing act between demonstrating compliance while avoiding unnecessary details that may compromise cybersecurity.
Second, the Transportation Secretary may cooperate with HAV and automated driving system manufacturers to incentivize the voluntary adoption of a "coordinated vulnerability disclosure policy and practice." The policy will govern how a security researcher can privately disclose a discovered vulnerability to a manufacturer and allow the manufacturer to patch the vulnerability.
Section 15 prompts the Transportation Secretary to create a committee to "discuss and make policy recommendations to Congress" concerning the "ownership of, control of, or access to" data or information collected, stored, generated, or recorded from HAVs or automated driving systems. The committee will include numerous voting members representing a variety of interests including the HAV supply chain and government.
Simultaneously, the Comptroller General of the United States will begin a study, and publish a report, recommending a uniform approach to removing personally identifiable or individually attributable information from a vehicle following the sale, or termination of a lease, by an individual owner.
Section 16 focuses on consumer education of motor vehicle cybersecurity risks. The Transportation Secretary must develop resources to assist consumers in becoming aware of and minimizing this new risk. The Transportation Secretary must also ensure that the resources are publicly available on the National Highway Traffic Safety Administration’s (NHTSA) website, and periodically update the resources.
Section 17 requires the manufacturers of motor vehicles to provide information on their publicly accessible websites, or in the owners' manuals for the motor vehicles, to direct consumers to the Section 16 resources.
Section 20 of the act authorizes NHTSA to augment privacy protections for consumers using HAVs. Specifically, Section 20 enables the creation of a publicly accessible and searchable online database—accessible through the NHTSA website—describing the type of information collected about individuals during the operation of a motor vehicle, how that information and the conclusions derived from that information will be handled, measures taken to protect against unauthorized disclosure of personally identifiable information, and manufacturers' privacy policies. Section 20 is still being debated and may be amended before the final vote on the legislation.
The AV START Act represents the most comprehensive national legislation proposed to address emerging cybersecurity and privacy issues associated with the development of autonomous driving systems. The requirement that HAV manufacturers develop written cybersecurity plans that will become public is an important new development that may raise compliance and litigation risks, particular in the event of a data breach or HAV crash.
But the act does not yet address some of thorniest privacy and cybersecurity issues arising from the use of HAVs, including ownership of data collected by HAVs and processes for the scrubbing of personal data from HAVs after a sale. HAV manufacturers, suppliers and leasing companies should pay careful attention to this proposed act as it advances through Congress.