In 2016, the National Highway Traffic Safety Administration (NHTSA) published a document outlining the agency’s recommended best practices for cybersecurity for the automobile industry, entitled “Cybersecurity Best Practices for the Safety of Modern Vehicles.” This document, which is described by NHTSA as “non-binding and voluntary guidance,” was intended to cover cybersecurity issues for all motor vehicles and motor vehicle equipment (including software) and provide a solid foundation for developing a risk-based approach to cybersecurity practices.
The original 2016 Cybersecurity best practices document was developed with stakeholder input from motor vehicle manufacturers and their first-tier suppliers. However, other stakeholder voices, such as vehicle owners, automobile repairers, or advocates for consumer protection or competition were not included.
Similarly, from 2017 to 2020, the Trump administration released a series of guidance documents related to autonomous vehicles (AVs) and cybersecurity. The most recent document, titled “Ensuring American Leadership in Automated Vehicle Technologies: Autonomous Vehicles 4.0,” outlines nonbinding guidance from the U.S. Department of Transportation (USDOT) for AV manufacturers and other stakeholders for safe and cybersecure development of AVs. AV 4.0 defines three principles that the federal government recognizes in developing AV technologies: protect users and communities, promote efficient markets, and facilitate coordinated efforts.
In 2020, NHTSA released an updated version of Cybersecurity Best Practices for the Safety of Modern Vehicles for public comment. This document was designed to reflect innovations and industry changes since the original document was published in 2016. The document cites substantive steps and changes that have occurred since the previous document was published, including the creation of the Automotive Information Sharing and Analysis Center (Auto-ISAC), and the International Standards Organization publication of “Road vehicles — Cybersecurity engineering” guidelines.
In response to the updated cybersecurity best practices document, the American Alliance for Vehicle Owner’s Rights (AAVOR) — which is made up of a broad coalition of stakeholder groups including the Automotive Service Association (ASA), the American Car Rental Association (ACRA), the American Property Casualty Insurance Association, and other industry and consumer groups — submitted comments urging NHTSA to amend the document in consideration of vehicle owners. Below is an excerpt from AAVOR’s submitted comments:
AAVOR supports federal and state policies that safeguard individual and commercial fleet owners’ rights:
· to access and control their vehicles’ data (including authorizing access by third parties such as independent automotive repairers, insurance companies and vehicle manufacturers).
· in a manner that is direct, in-vehicle, intelligible, and in real-time.
· utilizing technology-neutral, standards-based, secure interfaces; and
· that enables interoperable and bidirectional communication with the vehicle.
The rights of vehicle owners to access directly and control the data generated by their vehicles is too important to be left unaddressed by NHTSA in its updated cybersecurity best practices document and by other federal agencies, such as the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS). In the context of NHTSA’s cybersecurity best practice guidance, AAVOR supports NHTSA establishing a framework for securing the continued rights of vehicle owners – and entities that secure the express permission of vehicle owners — to control vehicle-generated data on a secure and competitive basis.
For independent repair shops, having access to vehicle telematics data is becoming increasingly important as vehicles become more technologically advanced. It is essential for third-party repair shops to have access to the vehicle data they need to effectively and safely repair the automobiles that are brought to them.
Issues of data ownership, access, and even privacy are at the forefront of upcoming legislative agendas — in every industry, not just automobiles. The Automotive Service Association and the other partners of AAVOR are optimistic that NHTSA observes these comments, and the updated Cybersecurity Best Practices for the Safety of Modern Vehicles will reflect the interest and views of important stakeholders such as vehicle owners and independent automotive repairers, and that the conversation about vehicle data ownership, safety, and cybersecurity will continue in a productive way.
