Driverless-Car

 

2019 is just beginning and the boom for automobile technology and connectivity continues to accelerate for connected cars. Manufacturers are increasingly equipping their cars with technologies designed to meet the heightened integration and functionality demands of consumers. Increasingly, artificial intelligence is incorporated into cars to assist the drivers with directions, phone calls, entertainment, scheduling, personal tasks, and even the driving itself. Cars often contain software to provide on-board diagnostics and alert operators to potential maintenance and safety issues. With all these new features, consumers crave constant connectivity and expect a seamless integration of the smart technology in their carts with their other smart devices.

Despite the benefits smart cars can offer, increased connectivity and functionality also increases the risk of cyberattack and other cyber threats. For connected cars to maximize their functionality, the car's operating system and software must be enabled to communicate with other systems and software. However, the communication between systems and software leaves the car's network vulnerable to cyberattacks. It's no secret that other industries have been haunted by high-profile attacks and security breaches, in turn damaging those company's' brand and value. The repercussions of cyberattacks can be extensive, affecting a company's revenue and insurance, and can even result in personnel changes. Furthermore, companies that do not proactively prepare for cyberattacks may open themselves up for regulatory investigations, civil claims from business partners, shareholders, and employees, which may even take the form of class action lawsuits.

As a car's connected network gets more complex, so does maneuvering of its cybersecurity practices. This article sets forth emerging guidelines for automakers to take into consideration when planning for consumer privacy and data security.

Cybersecurity Issues and Best Practices

Cyber threats are constantly evolving, and as companies prepare and implement new security measures, hackers and other cyber criminals are finding new ways to breakthrough those same defenses. The first step to protecting your company is learning more about what data your smart automobile collects and uses so you can properly evaluate current data security issues and the best practices that are used to address them.

1. Consumer Apprehension and Creating a Culture of Security

As new cyber threats change and emerge, customer service teams, in-house counsel, marketers, public relations professionals, and senior and operational management all play a crucial role in protecting a company's and its consumers' data. And recently, it's not just consumers demanding accountability from their automakers as regulators have begun demanding that companies have their senior management become more involved in how consumer data is collected and safeguarded.

Companies should educate and train each relevant employee on cybersecurity measures and how they relate to their particular role. Adequate resources should also be given to engineering, information technology, research and development, and production teams so they have the proper knowledge to take a proactive stance in their involvement of the company's overall data security efforts. To enhance the data security of connected cars, companies should have effective buy-in, training, and messaging in place, both internally and externally. This messaging will in turn bolster the company's reputation and goodwill in the marketplace, an assuage consumer apprehension about the company's use of their data.

2. Eliminating Vulnerabilities by Design 

Over the past couple of years, government agencies, industry groups, and consumer organizations have pressured automakers into making security by design a priority. Companies should keep the nature and sensitivity of personal information at the forefront of security design, and such considerations should no longer be considered an afterthought.

In particular, R&D teams must assess security for computing, connectivity, infiltration points, software integration, and networking practices at all stages of the development process. To better account for security during the design phases, companies should make sure to periodically review and test products at multiple stages throughout the design process to maximize the reduction of vulnerabilities.

3. Car Safety and Threat Protection 

Companies should be continuously monitor and detect new and developing vulnerabilities and threats. To aid in this monitoring, automakers should implement an extensive risk assessment methodology that detects and responds to cyber threats in real time. Strong cyber threat detection and response involves cataloguing and prioritizing cybersecurity risk based on the sensitivity of the data and the potential for misuse. The cyber-protection implemented should also involve risk mitigation controls and monitoring the evolution of risks as they change over time.

Automakers also likely need strong support from third party risk monitoring suppliers to fully protect network connected automobiles. Having an understanding of the potential harm a cyber-threat can cause, in turn, enhances and feeds information to security incident response teams—allowing for heightened and more efficient control of the problem due to an earlier understanding of the issue at play.

4. Preparing for the Inevitable and Incident Response 

Like in other industries with increasingly smart technology, several high-profile security breaches effected automakers. In the U.K., thieves were able to hack into wireless automobile key fobs to enter into cars in parking lots. Hackers were also able to gain access to car owner's Amazon accounts through the connected dashboard embedded in the smart cars

Despite the fact that cyberattacks such as these are becoming more common, having an incident response program will allow companies to respond quickly, and in return mitigate (or hopefully avoid all together!) any harm to the company, business partners, and consumers resulting there from. Having an incident response policy that establishes the members of a response team in advance, including IT security and forensics, engineering, legal, management, stakeholders, and public relations/communications, is integral to providing clear guidance and details relating to the roles and obligations of each team member.

5. Security Collaboration and Engagement 

Hacktivists, engineers, and executives have come together recently to discuss and develop best practices for minimizing threats to security data. To develop a well-rounded cybersecurity program, organizations should partner closely with suppliers, industry associations, governmental agencies, academic institutions, researchers, and other business partners. When creating a smart vehicle, most companies rely on suppliers to play a major role in protecting data security, whether it be for the finished vehicle or one particular component. Multiple suppliers may provide different components such as hardware, software, development tools, assembly, integration, and testing. Relationships between the manufacturers and their suppliers should be analyzed both at the beginning of the relationship and periodically throughout the engagement to ensure security due diligence and proper risk assessments are conducted. Manufacturers should ensure that proper contractual requirements are in place with suppliers to ensure these security considerations are present in the development, installation, and maintenance phases.

Conclusion

Planning for cyberattacks requires an extensive and integrated approach. Increasingly, manufacturers and regulators seem to agree that security is not based on a single software application or technical component, but rather a truly secure vehicle requires a holistic approach.

Now more than ever, to properly plan for and implement adequate protections, all levels of the organization, and in some instances third parties, need to be involved throughout the process. Legal developments in cybersecurity seem to change each day as the regulations and laws governing cybersecurity are constantly fluctuating. By taking action now, your company will be one step ahead of the attackers as you continue to push forward into the new year.

 

Chanley T. Howell is a partner and intellectual property lawyer with Foley & Lardner LLP, where his practice focuses on a broad range of technology law matters. He is a member of the firm's Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices and the Sports, Health Care and Automotive Industry Teams. Thomas (Tom) Chisena is an associate with Foley & Lardner LLP, where he is a member of the Technology Transactions & Outsourcing Practice. He advises on all matters involving intellectual property and technology transactions, including licensing, procurement, outsourcing, and other technology law issues affecting companies of all sizes.