Plotting the Course: Shaping the Connected Car Landscape and Cybersecurity in 2019
The first step to protecting your company is learning more about what data your smart automobile collects and uses so you can properly evaluate current data security issues and the best practices that are used to address them.
February 21, 2019 at 07:00 AM
7 minute read
2019 is just beginning and the boom for automobile technology and connectivity continues to accelerate for connected cars. Manufacturers are increasingly equipping their cars with technologies designed to meet the heightened integration and functionality demands of consumers. Increasingly, artificial intelligence is incorporated into cars to assist the drivers with directions, phone calls, entertainment, scheduling, personal tasks, and even the driving itself. Cars often contain software to provide on-board diagnostics and alert operators to potential maintenance and safety issues. With all these new features, consumers crave constant connectivity and expect a seamless integration of the smart technology in their carts with their other smart devices.
Despite the benefits smart cars can offer, increased connectivity and functionality also increases the risk of cyberattack and other cyber threats. For connected cars to maximize their functionality, the car's operating system and software must be enabled to communicate with other systems and software. However, the communication between systems and software leaves the car's network vulnerable to cyberattacks. It's no secret that other industries have been haunted by high-profile attacks and security breaches, in turn damaging those company's' brand and value. The repercussions of cyberattacks can be extensive, affecting a company's revenue and insurance, and can even result in personnel changes. Furthermore, companies that do not proactively prepare for cyberattacks may open themselves up for regulatory investigations, civil claims from business partners, shareholders, and employees, which may even take the form of class action lawsuits.
As a car's connected network gets more complex, so does maneuvering of its cybersecurity practices. This article sets forth emerging guidelines for automakers to take into consideration when planning for consumer privacy and data security.
|Cybersecurity Issues and Best Practices
Cyber threats are constantly evolving, and as companies prepare and implement new security measures, hackers and other cyber criminals are finding new ways to breakthrough those same defenses. The first step to protecting your company is learning more about what data your smart automobile collects and uses so you can properly evaluate current data security issues and the best practices that are used to address them.
1. Consumer Apprehension and Creating a Culture of Security
As new cyber threats change and emerge, customer service teams, in-house counsel, marketers, public relations professionals, and senior and operational management all play a crucial role in protecting a company's and its consumers' data. And recently, it's not just consumers demanding accountability from their automakers as regulators have begun demanding that companies have their senior management become more involved in how consumer data is collected and safeguarded.
Companies should educate and train each relevant employee on cybersecurity measures and how they relate to their particular role. Adequate resources should also be given to engineering, information technology, research and development, and production teams so they have the proper knowledge to take a proactive stance in their involvement of the company's overall data security efforts. To enhance the data security of connected cars, companies should have effective buy-in, training, and messaging in place, both internally and externally. This messaging will in turn bolster the company's reputation and goodwill in the marketplace, an assuage consumer apprehension about the company's use of their data.
2. Eliminating Vulnerabilities by Design
Over the past couple of years, government agencies, industry groups, and consumer organizations have pressured automakers into making security by design a priority. Companies should keep the nature and sensitivity of personal information at the forefront of security design, and such considerations should no longer be considered an afterthought.
In particular, R&D teams must assess security for computing, connectivity, infiltration points, software integration, and networking practices at all stages of the development process. To better account for security during the design phases, companies should make sure to periodically review and test products at multiple stages throughout the design process to maximize the reduction of vulnerabilities.
3. Car Safety and Threat Protection
Companies should be continuously monitor and detect new and developing vulnerabilities and threats. To aid in this monitoring, automakers should implement an extensive risk assessment methodology that detects and responds to cyber threats in real time. Strong cyber threat detection and response involves cataloguing and prioritizing cybersecurity risk based on the sensitivity of the data and the potential for misuse. The cyber-protection implemented should also involve risk mitigation controls and monitoring the evolution of risks as they change over time.
Automakers also likely need strong support from third party risk monitoring suppliers to fully protect network connected automobiles. Having an understanding of the potential harm a cyber-threat can cause, in turn, enhances and feeds information to security incident response teams—allowing for heightened and more efficient control of the problem due to an earlier understanding of the issue at play.
4. Preparing for the Inevitable and Incident Response
Like in other industries with increasingly smart technology, several high-profile security breaches effected automakers. In the U.K., thieves were able to hack into wireless automobile key fobs to enter into cars in parking lots. Hackers were also able to gain access to car owner's Amazon accounts through the connected dashboard embedded in the smart cars
Despite the fact that cyberattacks such as these are becoming more common, having an incident response program will allow companies to respond quickly, and in return mitigate (or hopefully avoid all together!) any harm to the company, business partners, and consumers resulting there from. Having an incident response policy that establishes the members of a response team in advance, including IT security and forensics, engineering, legal, management, stakeholders, and public relations/communications, is integral to providing clear guidance and details relating to the roles and obligations of each team member.
5. Security Collaboration and Engagement
Hacktivists, engineers, and executives have come together recently to discuss and develop best practices for minimizing threats to security data. To develop a well-rounded cybersecurity program, organizations should partner closely with suppliers, industry associations, governmental agencies, academic institutions, researchers, and other business partners. When creating a smart vehicle, most companies rely on suppliers to play a major role in protecting data security, whether it be for the finished vehicle or one particular component. Multiple suppliers may provide different components such as hardware, software, development tools, assembly, integration, and testing. Relationships between the manufacturers and their suppliers should be analyzed both at the beginning of the relationship and periodically throughout the engagement to ensure security due diligence and proper risk assessments are conducted. Manufacturers should ensure that proper contractual requirements are in place with suppliers to ensure these security considerations are present in the development, installation, and maintenance phases.
|Conclusion
Planning for cyberattacks requires an extensive and integrated approach. Increasingly, manufacturers and regulators seem to agree that security is not based on a single software application or technical component, but rather a truly secure vehicle requires a holistic approach.
Now more than ever, to properly plan for and implement adequate protections, all levels of the organization, and in some instances third parties, need to be involved throughout the process. Legal developments in cybersecurity seem to change each day as the regulations and laws governing cybersecurity are constantly fluctuating. By taking action now, your company will be one step ahead of the attackers as you continue to push forward into the new year.
Chanley T. Howell is a partner and intellectual property lawyer with Foley & Lardner LLP, where his practice focuses on a broad range of technology law matters. He is a member of the firm's Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices and the Sports, Health Care and Automotive Industry Teams. Thomas (Tom) Chisena is an associate with Foley & Lardner LLP, where he is a member of the Technology Transactions & Outsourcing Practice. He advises on all matters involving intellectual property and technology transactions, including licensing, procurement, outsourcing, and other technology law issues affecting companies of all sizes.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250