Cybercrime regulations over ‘smart’ connected vehicles and its impact on civil liability
Futuristic technology is increasingly permeating into vehicle dashboards, and this allows OEM companies and 3PLs to wire into these systems and gather millions of data points over the course of the vehicle’s lifetime. Though it can be argued that a part of the data can be used for analytics which in turn would help to improve the vehicle’s overall efficiency, some of the data sets could also tiptoe into the privacy of the person behind the wheel - which is a serious concern.
As we witness the free flow of IT information from vehicles, it is critical to introspect on the relevance of IT security regulation in the transportation industry. A ‘connected’ vehicle can face different lapses in connectivity, including software, network, and system failures. There also is the potential for data being stolen via hacking or cybercrime.
“The key objectives of IT security are confidentiality, integrity, and availability. We want to ensure that the data in your vehicle is confidential - personal data in particular - but also everything else,” said Dr. Simon Assion, specialized lawyer in Bird & Bird LLP at the Future of Transportation World Conference in Germany last week.
Ensuring the integrity of the vehicle is vital, which would allow only the organizations with the license to be privy to the vehicle’s information to control it. The vehicle also needs to be available to the driver at all times, and should not lose out on key functionalities while it is on the highway.
All these tenets combined give a structure to IT security regulations, which translate into laws governing data procurement. Then again, though the law generally talks about safety and the need to prevent health hazards to people in the vehicle, it does not adequately cover confidentiality, said Assion.
“The current product safety rules do not really cover IT security. They cover parts of it, but only parts. The lawmakers have been noticing that, and there are some new regulations coming up. There will be arguments in the German legislature related to autonomous driving, which we expect in the next month,” he said.
The EU is also looking to create its standalone EU Cybersecurity Act, which would likely implement a certification regulation similar to the CE certification that indicates conformity with health, safety, and environmental protection standards for products sold in the European Union.
Then there is the issue of understanding civil liability and the threat to vehicle owners on incidents involving autonomous driving cars. Cyber attacks on autonomous vehicles are nearly unheard of at the moment, but could be a real thing moving into the future.
Though the obvious explanation to hacking into vehicles would be to harm people, it could also be done with an economic point of view, said Dr. Philipp Egler, counsel at Bird & Bird LLC. He alluded to a similar situation where a team bus of a German soccer team was bombed a year back by a person who admitted to carrying out the attack since he believed he could make a fortune on the stock market. Another possible scenario would be demanding ransom over hacked cars of an OEM company, which could potentially put businesses in a quagmire.
Hacking connected cars would mean that private information of vehicle owners like addresses and credit card details could be stolen. The problem here is that hackers might leave no traces on the internet, making it hard for cybercrime officials to convict them. And even if they could be traced, implicating hackers from foreign lands would be troublesome.
In case of accidents, one of the angles to distribute liability would naturally fall on the vehicle owner, and the onus is on the local jurisdiction to decide on the extent of liability to be taken up by the owner. And in such situations, taking up insurance over autonomous vehicles specifically for hacking and cybercrime could be a way forward. OEM companies and software providers would have to understand their liabilities in the future as legislations would be set in place to suit the times. But as it stands now, the IT security act does not cover this situation, essentially letting them off the hook from any cybercrime issue that crops up from connected vehicles.