
AV START Act Addresses Privacy and Cybersecurity Issues Associated With the Development of Highly Automated Vehicles

In proposed amendments earlier this week to the current draft of the "AV START Act," the Senate addressed important cybersecurity, data access, and privacy concerns associated with the development of highly automated vehicles (HAV) and automated driving systems. Overall, the bill aims to combat these emerging risks through supply-side regulations, government oversight, and consumer education.

Section 14 of the act amends 49 U.S.C. chapter 301, concerning motor vehicle safety, by adding §30108, which provides measures to combat cybersecurity risks. First, automated driving system or HAV manufacturers "shall develop, maintain, and execute a written plan for identifying and reducing cybersecurity risks to the motor vehicle safety of such vehicles and systems." This cybersecurity plan needs to include processes to:

  • conduct a "risk-based prioritized identification and protection of safety-critical" systems;

  • facilitate recovery from incidents;

  • detect and respond to incidents in the field; and

  • adopt lessons learned through the "voluntary exchange of information" concerning cybersecurity.

The act vests authority in the Secretary of Transportation to monitor compliance. Manufacturers will need to summarize the plan and produce it for public disclosure, which requires a delicate balance between demonstrating compliance and avoiding unnecessary details that may compromise cybersecurity.

Second, the Transportation Secretary may cooperate with HAV and automated driving system manufacturers to incentivize the voluntary adoption of a "coordinated vulnerability disclosure policy and practice." The policy will govern how a security researcher can privately disclose a discovered vulnerability to a manufacturer and allow the manufacturer to patch the vulnerability.

Section 15 prompts the Transportation Secretary to create a committee to "discuss and make policy recommendations to Congress" concerning the "ownership of, control of, or access to" data or information collected, stored, generated, or recorded from HAVs or automated driving systems. The committee will include numerous voting members representing a variety of interests including the HAV supply chain and government.

Simultaneously, the Comptroller General of the United States will begin a study, and publish a report, recommending a uniform approach to removing personally identifiable or individually attributable information from a vehicle following the sale, or termination of a lease, by an individual owner.

Section 16 focuses on consumer education of motor vehicle cybersecurity risks. The Transportation Secretary must develop resources to assist consumers in becoming aware of and minimizing this new risk. The Transportation Secretary must also ensure that the resources are publicly available on the National Highway Traffic Safety Administration’s (NHTSA) website, and periodically update the resources.

Section 17 requires the manufacturers of motor vehicles to provide information on their publicly accessible websites, or in the owners' manuals for the motor vehicles, to direct consumers to the Section 16 resources.

Section 20 of the act authorizes NHTSA to augment privacy protections for consumers using HAVs. Specifically, Section 20 enables the creation of a publicly accessible and searchable online database—accessible through the NHTSA website—describing the type of information collected about individuals during the operation of a motor vehicle, how that information and the conclusions derived from that information will be handled, measures taken to protect against unauthorized disclosure of personally identifiable information, and manufacturers' privacy policies. Section 20 is still being debated and may be amended before the final vote on the legislation.

The AV START Act represents the most comprehensive national legislation proposed to address emerging cybersecurity and privacy issues associated with the development of autonomous driving systems. The requirement that HAV manufacturers develop written cybersecurity plans that will become public is an important new development that may raise compliance and litigation risks, particularly in the event of a data breach or HAV crash.

But the act does not yet address some of the thorniest privacy and cybersecurity issues arising from the use of HAVs, including ownership of data collected by HAVs and processes for the scrubbing of personal data from HAVs after a sale. HAV manufacturers, suppliers and leasing companies should pay careful attention to this proposed act as it advances through Congress.

Copyright © by Ballard Spahr LLP

National Law Review, Volume VII, Number 349

About this Author

Neal Walters is the Practice Leader of Ballard Spahr's Product Liability and Mass Tort Group, and a member of the firm's Manufacturing and Retail Industry Groups. Mr. Walters has a diverse trial and litigation practice focused on protecting product companies, as well as clients involved in technical matters, against a broad range of risks. As counsel for several consumer product manufacturers, he has defended and coordinated product liability and consumer claims, including class actions, through trial in jurisdictions across the country. He also counsels companies on contractual,...

As Co-Practice Leader of Ballard’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Mr. Yannella regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of...

Fred G. DeRitis is a member of the firm’s Litigation Department. While interning at the Federal Trade Commission’s Bureau of Competition, Mr. DeRitis authored a number of reports for merger and antitrust investigations in the oil, gas, software, and retail industries.

Mr. DeRitis also held internships at the Mayor’s Office of Philadelphia in the Commerce Department and the Managing Director’s Office. His duties included conducting market analysis to enhance economic development in strategic commercial regions.