Connected Cars and Automated Driving: Privacy Challenges on Wheels

By: Peter J. Pizzi

Peter J. Pizzi is a business litigator with over 30 years of experience in commercial litigation, class action defense, internal investigations, internet and IP litigation, and labor and employment law. A founding member of Walsh Pizzi O’Reilly Falanga LLP, Mr. Pizzi has handled matters on behalf of corporate clients in a broad array of industries, including pharmaceuticals, insurance and financial services, advertising, social media, cosmetics, chemicals, industrial equipment, food service and others.

UCH has been written in cyber-criminal’s new frontier and the technology press pose privacy challenges. M regarding issues of privacy, Why should any of these the connected car, and the promise developments concern privacy? of automated driving and other After all, device manufacturers innovative mobility solutions. equip today’s smartphones with “Connected cars,” which are on the built-in geo-locating capabilities road today in one form or another, that enable numerous applications merge the driver’s digital world and to track the user’s every move, means of transport. Automated producing a rich stream of data driving, with the promise of true which implicates the user’s autonomous, self-driving vehicles, innermost thoughts. Apps added or holds the potential in the near future activated by the smartphone owner to revolutionize the way people and enable the platform – either Google goods move around. These or Apple for most devices – to developments, which challenge identify the movement of individual traditional ideas of tort and product stocks in the owner’s portfolio after liability and the insurance coverage the market closes each day or to that should apply, also loom as the inquire, “Are you at Le Pain Quotidien on 58th Street?” as lunch 2 DEFENSE COUNSEL JOURNAL | JULY 2017

is being served. Other apps collect I. Defining Terms the user’s heart rate, level of stress, steps taken each day, and a myriad Car connectivity generally of other data. A connected car may comprises the sets of functions and get the user to a shopping mall, but capabilities that digitally and smartphones know what individual wirelessly link automobiles to stores a patron visits inside the mall, drivers, services, and other the aisles in the store that are automobiles. 3 Thus, a “connected browsed, and the articles of clothing car” generally refers to a vehicle considered for purchase, so that equipped with technologies and tailored ads, discounts, or coupons services that transmit and receive may dispatched the user’s way. 1 data via wireless internet. The How, then, could autonomous concept of a connected car is related vehicles connected to networks and to concepts of automated driving, data centers via the cloud pose which includes efforts to create privacy challenges that haven’t yet autonomous driving and other been addressed, if not resolved, in innovative mobility solutions. the operation of smartphones? SAE International, the society of This article explores the subject automotive engineers, anticipates of privacy, connected cars, and connectivity and automated driving automated driving. Additionally, emerging and being deployed along this article will introduce the reader a continuum of functionality. SAE to current approaches to privacy therefore has developed a scale to advanced by constituencies having a describe that continuum, with the stake in the continued advancement fifth level representing a completely of connected vehicles and autonomous vehicle. In late 2016, automated driving.2 the National Highway Traffic Safety Administration (“NHTSA”) adopted the SAE definition, which NHTSA then presented as follows:

1 See generally David Brancaccio and Paulina invaluable suggestions in the preparation of Velasco, How some retailers are tracking you this article. as you walk down their aisles, MARKETPLACE 3 McKinsey & Company, Connected Car, January 31, 2017, http://www.market Automotive Value Chain Unbound, place.org/2017/01/31/business/stores- September 2014 (“McKinsey”), at 1.2, are-tracking-you-and-consequences-arent- available at http://www.mckinsey.com/ all-good. industries/automotive-and-assembly/our- 2 The author thanks Alma Murray, CIPP/US, insights/connected-car-automotive-value- Senior Counsel, Privacy, Hyundai Motor chain-unbound. America, Timothy H. Goodman, Esq., Squire Patton Boggs (US) LLP, and Kurt B. Gerstner, Lee International IP & Law Group, for their Connected Cars and Automated Driving 3

There are multiple conduct some parts definitions for various levels of the driving task of automation and for some and monitor the time there has been need for driving environment standardization to aid clarity in some instances, and consistency. Therefore, but the human driver this Policy adopts the [SAE] must be ready to definitions for levels of take back control automation. The SAE when the automated definitions divide vehicles system requests; into levels based on “who  At SAE Level 4, an does what, when.” Generally: automated system can conduct the  At SAE Level 0, the driving task and human driver does monitor the driving everything; environment, and the  At SAE Level 1, an human need not take automated system on back control, but the the vehicle can automated system sometimes assist the can operate only in human driver to certain environments conduct some parts and under certain of the driving task; conditions; and  At SAE Level 2, an  At SAE Level 5, the automated system on automated system the vehicle can can perform all actually conduct driving tasks, under some parts of the all conditions that a driving task, while human driver could the human continues perform them.4 to monitor the driving environment Many vehicles on the road today and performs the contain SAE Level 1 and Level 2 rest of the driving capabilities. Senator Markey’s task; report titled “Tracking & Hacking:  At SAE Level 3, an Security & Privacy Gaps Put automated system American Drivers at Risk” and the can both actually recent National Auto Dealers

4 At 8-9, available at https://one.nhtsa. gov/nhtsa/av/pdf/Federal_Automated_Veh icles_Policy.pdf. 4 DEFENSE COUNSEL JOURNAL | JULY 2017

Association and Future of Privacy accidents in 2015. The trend is not Form’s guide titled, “Personal Data positive. It is getting worse. NHTSA in Your Car,” 5 both conclude that also estimates that 27,875 vehicles on the road today have Americans died in accidents in just aspects of connectedness that place the first nine months of 2016 alone. them well along the SAE continuum. Globally, the World Health For example, cars at the present Organization estimates that 1.2 time have on-board diagnostic million lives are lost in crashes information, apps (e.g., Apple every year. These are numbers that CarPlay, Android Auto), location could be reduced significantly with information available through fully self-driving cars, especially navigation systems, and telematics since NHTSA estimates that 94% of services such as OnStar. With the crashes in the United States are SAE definitions in mind, an analysis attributed to human factors. 6 of the impact of motor vehicle Consider the impact of autonomous connectedness on the privacy of vehicles on the blind, the elderly, the owners and occupants may be disabled, or those living with other undertaken. conditions that make driving impossible. Infrastructure spending II. The Promise of Autonomous also could be diminished by Vehicles connected vehicles, which make more efficient use of existing Vehicle connectivity and highways through closer operating automated driving promise distance between vehicles, significant benefits as technology improved ride-sharing, and other advances along the SAE continuum benefits.7 from today’s Internet and app- While there are some differences equipped vehicles to SAE Level 5 in the precise timeline, at present autonomous vehicles. industry and technology leaders NHTSA estimates that 35,092 generally expect SAE Level 5 Americans lost their lives in traffic vehicles to arrive by 2025. 8 There

5 Future of Privacy Forum, Personal Data in 6 Testimony of Dr. Chris Urmson, Director, Your Car, available at https://fpf.org/wp- SelfDriving Cars, Google [x] Before the content/uploads/2017/01/consumerguide. Senate Committee on Commerce, Science pdf. and Technology Hearing: “Hands Off: The Future of SelfDriving Cars,” March 15, 2016 https://www.gpo.gov/fdsys/pkg/CHRG- 114shrg22428/html/CHRG- 114shrg22428.htm. 7 Id. 8 Global Automotive Industry Expects Self- Driving Cars on Sale by 2025, Says just Auto.com Survey, DIGITAL JOURNAL quoting Connected Cars and Automated Driving 5

are numerous competing platforms automotive and digital lives, while engaged in a pitched battle to at the same time appearing anxious commercialize self-navigation about that very prospect. In 2014, technology. In Singapore, a self- McKinsey surveyed consumers driving taxi service launched in about connected cars, finding that August 2016. 9 The competition 37% were “highly concerned” among Alphabet’s Waymo, Uber, about the digital safety and data Tesla, and other firms is frenzied privacy issues of connected cars and has been widely covered in the such that they would consider not business and mainstream media. 10 using a connected car because of For example, in February 2017, those concerns. 13 The survey Waymo sued Uber for theft of results appear to reflect consumers’ automated vehicle technology, and instinctive recognition that if cars in March moved for a preliminary are connected in order to operate, injunction against Uber and a literally everything that takes place former employee working for that with or in a vehicle will be captured company. 11 Waymo’s motion electronically. In the case of fully papers described what is at stake in self-driving vehicles, the data exciting terms: “Self-driving stream from the connected car will technology will revolutionize the be constant in order for the vehicle way people and goods move around, to operate. But even today, the generating untold revenues for connectedness of new vehicles is those companies that successfully considerable. Technologies that master it early.”12 allow for safer, more convenient and entertaining vehicles amass III. Consumers Today Are vast databases of information Concerned About about drivers, offering the Connectedness potential to monetize that data by generating saleable insights. These Leaving the future for a moment, insights can be used not only to there is no doubt that today, improve vehicle systems and consumers demand greater levels features, but also, if permitted, to of connection between their track and profile customers for just-auto.com, http://www.digitaljournal. 12/google-car-project-loses-leaders-and- com/pr/1975125. advantage-as-rivals-gain. 9 See https://futurism.com/the-worlds- 11 See Complaint and other pleadings, first-autonomous-taxis-just-started- Waymo LLC v. Uber Technologies, Inc., Civil driving-in-singapore/. Action No. 3:17-cv-00939 (February 23, 10 Alistair Barr, Google's Self-Driving Car 2017). Project Is Losing Out to Rivals, BLOOMBERG, 12 Id. Waymo LLC Motion for a Preliminary September 12, 2016, https://www.bloom Injunction, ECF No. 24 at 5 of 30. berg.com/news/articles/2016-09- 13 McKinsey, supra note 3, at 1.1. 6 DEFENSE COUNSEL JOURNAL | JULY 2017

targeted marketing and other as perhaps the driver is a consultant purposes. working on a technology project for So, what are some scenarios in the medical provider. Who gets which connected cars implicate access to such records? Is such personal privacy? Today, some late information subject to subpoena? model cars have the capability of The same driver has chosen to reading text messages. Cars reading purchase new insurance for his email correspondence cannot be far vehicle and to allow the insurer to behind. If the data is merely monitor his driving habits. If he passively read by the vehicle, and decides to change motor vehicle not stored, the privacy intrusions insurers to obtain a better rate, can are mitigated. If the vehicle stores the new insurer gain access to his the data for some period, the impact prior driving history as a condition could be more serious. Consider the of insuring him? driver who receives a work message With each degree of while driving to the local Starbucks. connectivity, cars will become Upon arrival, she orders a latte from highly efficient data harvesting the app on her phone. Her work- machines and a major element of related communications and credit the evolving Internet of Things. card information instantly enter and Each of these scenarios implicates exit the car’s computer. Depending a variety of legal regimes, ranging upon the technology employed, from expectations of privacy ownership rights to that data, and emanating from common law, its protection, as it passes through HIPAA, the protection of trade or is stored in the vehicle, implicate secrets under state and federal law, issues of personal privacy, state insurance laws, and corporate proprietary information, numerous other regulations. and data security.14 Other observers have conjured IV. What Law Applies? more prosaic, but equally important scenarios. A car company tracks a Unlike in Canada or in European driver regularly visiting a cancer Union countries, the United States clinic.15 The fact of those repeated has no overarching law that covers trips could be of interest to various all aspects of personal privacy. No constituencies (e.g., a prospective or single federal law or regulation incumbent health insurer), but the governs the handling and securing data may be completely misleading, of all types of sensitive personal

14 KPMG, Your Connected Car is Talking: Who com/uk/en/home/insights/2016/12/your- is Listening?, December 2016 (“KPMG”), connected-car-is-talking-whos- available at https://home.kpmg. listening.html. 15 See id. Connected Cars and Automated Driving 7

information. Rather, on the federal conflicting and duplicative level, U.S. privacy law has evolved notification laws of dozens if not all in a sectoral approach, covering forty-seven states. “Hodge-podge,” consumer credit, financial services, “patchwork”, and “mess” are terms health care, government, securities, that come to mind when considering and Internet sectors. An example of the current state of affairs in regard this sectoral approach is the HIPAA to data privacy and breach Privacy Rule16adopted pursuant to notifications. The Health Insurance Portability Federal regulatory enactments and Accountability Act of 199617 to specific to personal privacy in the cover “protected health automotive realm include the information.” Financial privacy is Driver’s Privacy Protection Act of regulated by The Gramm-Leach- 1994, which is not to be confused Bliley Act18 (“GLB”), which requires with the Driver Privacy Act of 2015. financial institutions – companies The former regulates the disclosure that offer consumers financial of personal information contained in products or services like loans, the records of state motor vehicle financial or investment advice, or departments, prohibiting such insurance – to explain their disclosure unless for a purpose information-sharing practices to permitted by an exception listed in their customers and to safeguard one of 14 statutory subsections. The sensitive data. 19 In the Internet latter covers ownership of data sector, the Children’s Online recorded by monitoring devices, Privacy Protection Act (“COPPA”) such as a vehicle’s event data governs online marketing aimed at recorder (“EDR”), providing that children.20 ownership of that data vests in the In the absence of a owner of the vehicle or the lessor of comprehensive federal statute the car, in the case of a rented vehicle. governing personal privacy, forty- Privacy in regard to connected seven states stepped into the void, vehicles appears ill-suited to state- each with its own breach by-state regulation, given that notification laws, 21 requiring motor vehicles are by definition organizations that suffer a data mobile, and manufacturers cannot breach potentially to comply with be expected to design different

16 45 CFR Part 160 and Subparts A and E of Data Security Breach Notification Laws April Part 164. 10, 2012, available at https://fas.org/ 17 104 P.L. 191, 110 Stat. 1936, enacted sgp/crs/misc/R42475.pdf (“CRS”). August 21, 1996. 20 15 U.S.C. §§ 6501–6506 . 18 106 P.L. 102. 21 See Congressional Research Service, 19 For a further explanation of the sectoral supra note 19 (surveying the forty-seven approach to personal privacy in the United state enactments). States, see Congressional Research Service, 8 DEFENSE COUNSEL JOURNAL | JULY 2017

vehicles for different states. At the observed: “An individual operating present time, an overarching federal or traveling in an automobile does privacy regime covering connected not lose all reasonable expectation of vehicles has not emerged, while the privacy simply because the technologies are still in automobile and its use are subject to development. government regulation. … [P]eople are not shorn of all Fourth V. SCOTUS on Vehicular Privacy Amendment protection when they step from their homes onto the Consideration of how courts will public sidewalks. Nor are they shorn deal with the phenomenon of of those interests when they step connected, digitally monitored cars, from the sidewalks into their generally begins with a discussion of automobiles.” the “reasonable expectation of In U.S. v. Jones, 24 the Court privacy,” which is the traditional affirmed the suppression of evidence standard used to resolve issues of obtained by police through the personal privacy since the era of the placement of a GPS tracking device Warren Court. The 1967 United on the suspect’s car. Though nine States Supreme Court decision, Katz justices joined in the result, the v. United States, 22 is credited with reasoning was fractured. Five having originated the concept of justices led by Justice Scalia relied reasonable expectations of privacy. upon a trespass-to-property In Katz, conversations recorded by rationale for the holding rather than police listening from outside a public the Katz expectation of privacy phone booth were excluded from approach; the balance of the justices evidence, with the Court holding that applied the Katz “reasonable the public location of the defendant expectation” analysis. Thus, the did not vitiate his expectations of opinion may reflect a weakening in privacy because the Fourth the adherence to Katz and its Amendment "protects people, not progeny. Post Jones, U.S. v. Katzin 25 places."23 represents the first relevant appeals Later decisions answered in the court ruling to address the topic. The affirmative whether a “reasonable Third Circuit held that a warrant was expectation of privacy” applies to indeed required to deploy GPS individuals operating motor vehicles tracking devices and, further, that on public thoroughfares. In Delaware none of the narrow exceptions to the v. Prouse, the Supreme Court Fourth Amendment's warrant

22 389 U.S. 374 (1967). 24 565 U.S. 400 (2012). 23 See Dorothy J. Glancy, Symposium Article: 25 732 F.3d 187 (3rd Cir. 2013). Privacy in Autonomous Vehicles, 52 SANTA CLARA L. REV. 1171, 1217 (2012). Connected Cars and Automated Driving 9

requirement (e.g. exigent Transportation issued its Federal circumstances, the “automobile Automated Vehicles Policy,27 which exception”) was applicable. used the Federal Trade Despite the fractured rationale Commission’s (“FTC”) Fair on display in Jones, cases like Katzin Information Privacy Principles have led one academic (“FIPP”) as its guidepost. Such commentator to opine that courts principles rely upon concepts of are expanding rather than notice to the consumer, choice contracting Fourth Amendment exercised by the consumer, access to protection for people in vehicles on data by the consumer, and public roadways and to forecast that cybersecurity protection of such recognition of reasonable data. 28 As part of the December expectations of privacy related to 2016 NHTSA V2V (Vehicle to Vehicle) persons in vehicles on public Notice of Proposed Rulemaking, roadways may well be NHTSA provided a Privacy Impact unquestioned.26 Assessment29 which shows NHTSA’s recognition of the privacy issues VI. The Regulatory Perspective associated with V2V technologies and the tension between the Although the industry would benefits of new technology and prefer self-regulation (i.e., the personal privacy. Consumer Privacy Protection Further, any disconnect between Principles discussed below), some manufacturer privacy policy form of federal pre-emption will be representations and a firm’s actual necessary in order to avoid the practices may draw the attention of patchwork of laws that emerged in the FTC, which has undertaken regard to breach notification. In the numerous court and administrative prior administration, regulators actions aimed at enforcing privacy focused considerable attention on commitments on the part of vehicle privacy issues. In September organizations. In so doing, the FTC 2016, the U.S. Department of has relied upon statutes such as the

26 Glancy, supra note 23, at 1218-1219. 27 The Federal Automated Vehicle Policy is available at https://www.transportation. gov/AV. 28 The Fair Information Privacy Principles are available at https://web.archive. org/web/20100309105100/http://www.ft c.gov/reports/privacy3/fairinfo.shtm#Noti ce/Awareness. 29 See https://www.transportation.gov/ individuals/privacy/vehicle-vehicle- v2vnprm-%E2%80%93-december-20- 2016. 10 DEFENSE COUNSEL JOURNAL | JULY 2017

Fair Credit Reporting Act, COPPA, The Principles obligate GLB, and other regimes, or upon the manufacturers to disclose to broad authority conferred by § 5 of consumers the types of data collected the Federal Trade Commission Act,30 and how that data is to be used or which proscribes “unfair” and shared. Disclosure will be made in “deceptive” acts or practices owner’s manuals, on displays inside affecting commerce. Such authority vehicles or on internet-based was recently given an expansive registration portals managed by the reading in the FTC’s action against companies. Consumers will be able to Wyndham Worldwide Corp. for its review the policies before buying a failure to implement reasonable data car. The Principles cover the range of protection practices.31 data that may be collected, including geolocation information, driver VII. The Industry Response biometric data and driving behavior. To use any personal information for In November 2014, participating marketing purposes, car companies members of the Alliance of agree to first obtain permission from Automobile Manufacturers and the customers. Thus, before suggesting a Association of Global Automakers, a restaurant along the route which the group of nineteen automobile driver has entered in the vehicle, the manufacturers, published a set of driver would have to have given Consumer Privacy Protection consent to receive such prompts. Principles, subtitled “Privacy Automakers also commit to refrain Principles for Vehicle Technologies from, for example, sharing driver and Services.” The Principles “apply behavior data with insurance to the collection, use, and sharing of companies without that customer’s Covered Information in association consent. The last commitment serves with Vehicle Technologies and as some comfort to those with a Services available on cars and light heavy foot on the accelerator. trucks sold or leased to individual While the Principles provide a consumers for personal use in the step toward the goal of having user United States.” As might be expected, privacy “baked-in” to connected covered information means data vehicles, the document has received “linked or reasonably linkable to i) some criticism. In early 2015, the the vehicle from which the British Columbia Freedom of information was retrieved, ii) the Information and Privacy Association Owner of that vehicle, or iii) the published a 123-page document Registered User.” titled “The Connected Car: Who is in the Driver’s Seat?” That document

30 15 U.S.C. § 45(a). 31 FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. 2016). Connected Cars and Automated Driving 11

measured the automaker’s privacy inform consumers about the type of pledge together with privacy data collected by vehicles. Global policies of individual automakers Automakers and the Auto Alliance available online, against the dictates supported the publication. Press of Canadian data protection reception has been favorable.33 strictures.32 Following that exercise, Manufacturers of connected cars the BC group concluded: “The are finding issues of choice privacy pledge issued by a large challenging. For example, some group of major automakers in privacy advocates urge that notice November 2014 is promising but should be provided physically in the falls far short of Canadian legal vehicle through interior displays as standards. In particular, it does not opposed to in the owner’s manual or meet Canadian legal standards with other methods. Providing a respect to openness, accountability, sequence of notices must be individual access, consent, or balanced against the NHTSA limiting collection, retention, use Distracted Driver Guidelines, 34 and disclosure of personal data. Nor, which call upon manufacturers to in our view, does it meet the prevent utilization of certain requirement for purposes to be secondary, non-driving devices limited to those that a reasonable which are believed by the agency to person would consider appropriate interfere inherently with a driver’s in the circumstances.” ability to safely control the vehicle. A In February 2017, the Future of stream of notices, moreover, may Privacy Forum and the National have adverse consequences for the Automobile Dealers Association user experience. Displays for each released a consumer guide entitled, potential occupant of a vehicle may “Personal Data in Your Car” to

32 As noted, the United States has no 33 See FPF, NADA release consumer privacy nationwide data protection regime similar guide Biometric Update, February 6, 2017, to the Canadian or European models. Even available at https://www.biometric so, such comprehensive privacy laws which update.com/201702/fpf-nada-release- are the norm outside the United States serve consumer-privacy-guide and IAPP Daily as a useful benchmark for the Principles. Dashboard: FPF, National Automobile Dealers Association announce car data Guidance, available at https://iapp.org/ news/a/fpf-national-automobile-dealers- association-announce-car-data-guidance/. 34 National Highway Transportation Safety Administration, Visual-Manual NHTSA Driver Distraction Guidelines for In-Vehicle Electronic Devices, February 15, 2012, https://www.nhtsa.gov/staticfiles/rulema king/pdf/Distraction_NPFG-02162012.pdf. 12 DEFENSE COUNSEL JOURNAL | JULY 2017

also compromise the passenger information a connected, self-driving compartment in unacceptable ways. car can be expected to generate. Car companies also are wrestling with how to provide notice to VIII. Securing That Data subsequent owners or purchasers of used connected vehicles. To achieve In-depth consideration of the notice and consent, the manufacturer challenges of maintaining the may have to track changes in security of connected car data is ownership, which is not always beyond the scope of this article. It possible for a distributor, even when must be recognized, however, that this information is necessary for the flipside of connectedness is the recall notices. NHTSA has challenged challenge of securing the data − in automakers to achieve greater other words, cybersecurity. As much accuracy in the delivery of recall as connected cars make sense to notices, but changes of ownership consumers who spend so much of remain difficult to track. The their lives digitally connected, a alternative appears to be in-vehicle hacked car 35 could prove a danger, display screen notices, which pose potentially a weapon, and a means of the challenges referenced above. destruction in the hands of highly Similar problems will be sophisticated actors. Part of the encountered in giving notice to process of building-in privacy drivers of connected rental cars. protections involves ensuring the A further privacy question cybersecurity of connected vehicles. involves ownership of the data Fiat/Chrysler learned a costly stream itself. Is ownership vested in lesson when it introduced a 2014 the vehicle manufacturer or the Jeep Cherokee with built-in Wi-Fi owner of the car? While the Driver for passengers. In 2015, two ethical Privacy Act provides that the data hackers hired by Wired magazine available in the EDR is the property spent four months fashioning a of the owner or lessee of the car, such “zero day” 36 attack against the data may only be obtained by vehicle. First, they infiltrated its physical access to the car and cellular connectivity. Then they represents only a snapshot in time moved laterally to compromise the (i.e. before airbag deployment). As backbone of the car’s electronics, such, EDR information pales in called the controller area network comparison to the other stream of bus (CANBus). Then they tapped the systems connected to the CANBus

35 David Schneider, Jeep Hacking 101, IEEE 36 A zero-day attack is one that has never SPECTRUM, August 6, 2015, available at been seen before. http://spectrum.ieee.org/cars-that-think/ transportation/systems/jeep-hacking-101. Connected Cars and Automated Driving 13

that control starting, stopping, guidance” offering “voluntary best accelerating, and steering, giving practices” to improve motor vehicle them complete control over the car cybersecurity. NHTSA calls for a while a Wired editor drove (or “layered approach,” adopting the attempted to drive) the vehicle. 37 National Institute of Standards and When the exploit was published, Technology (“NIST”) Cybersecurity Fiat/Chrysler’s stock price tumbled Framework40 and its five principles: and it was hit with a class action.38 identify, protect, detect, respond and Dangers from the deployment of recover. NHTSA also calls for vehicles vulnerable to being hacked implementation of ISO 27000 series can hardly be understated. standards and like strictures, such as Connected vehicles will generate the Center for Internet Security’s huge amounts of data, creating the Critical Security Controls for potential for unwanted third-party Effective Cyber Defense. Although access to that data, increasing the NHTSA concedes that these risk of a cyberthreat. A hack exposes standards were developed to personal data of a driver, such as mitigate threats against networks location and potentially the identity and not necessarily automotive of others in the car, enabling the devices, it forecasts application of perpetrator to know whose home such protocols for use in the may be unoccupied. Additionally, a automotive industry. As with hacked vehicle could have fatal NHTSA’s cyber-guidance for auto- consequences, not just for the driver nomous vehicles,41 NHTSA also calls and passengers inside the vehicle, for information sharing among but for anyone or anything automobile manufacturers and the physically surrounding the self- development of a process for driving car.39 vulnerability reporting. In October 2016, NHTSA published a paper entitled “Cybersecurity Best Practices for Modern Vehicles.” The Best Practices document represents “non-binding

37 Schneider, supra note 35. 39 Chris Achatz, Self-Driving Cars at a Glance, 38 https://www.bloomberg.com/news/arti (2015) http://www.bryancavedatamat cles/2015-08-04/hackers-force-car ters.com/self-driving-cars-at-a-glance/. makers-to-boost-security-for-driverless-era. 40 Available at https://www.nist.gov/cyber The class action was filed as Flynn v. FCA US framework. LLC, Civil Action No. 3: 15-cv-00855-MJR- 41 See https://www.huntonprivacyblog. DGW, U.S.D.C., S.D.Ill. The case is still com/2016/09/22/department-transporta- pending as of this writing. tion-issues-cyber-guidance-autonomous- cars/.

14 DEFENSE COUNSEL JOURNAL | JULY 2017

IV. Conclusion

While it is difficult to find anyone happy with the patchwork that is the law of privacy in the United States, it appears premature to expect an overarching regulatory regime on the federal level to address privacy and data protection in the realm of connected cars. The industry is moving down the SEA continuum toward fully self-driving vehicles. But how the various 5th level self-driving modalities will look is conjecture at this juncture. Until we reach that point, courts will likely be called upon to address privacy concerns involving connected vehicles applying traditional privacy principles and existing regulatory structures.