On September 23, 2020, Representatives Bob Latta (R-Ohio) and Greg Walden (R-Ore.) re-introduced the “Safely Ensuring Lives Future Deployment and Research In Vehicle Evolution Act” or the “SELF DRIVE Act” to create a federal framework for autonomous vehicles (“AVs”). The measure lacks bipartisan support and is not expected to reach the floor of the House of Representatives during this session. But the continued effort demonstrates the importance that many lawmakers put on promoting a U.S.-led effort in the development of self-driving vehicles. The matter likely will be among the key transportation themes before the next session of Congress, which convenes in January. On the Senate side, policymakers have not advanced autonomous vehicle bills. In the previous congressional session, an autonomous vehicle policy measure advanced in the House but came up short in the Senate.
The SELF DRIVE Act would contain a number of key provisions, including:
Federal Motor Vehicle Safety Standards (FMVSSs)
The Department of Transportation would be required to update or issue new FMVSSs for highly automated vehicles on an expedited schedule.
The law would allow the Secretary of Transportation to grant exemptions to FMVSSs that require cars to have human operators. Initially, 25,000 vehicles per automaker could be operated if companies can prove they meet existing safety standards for traditional cars. After a 12-month period, the number of exemptions per manufacturer would increase to 50,000, and it would go up to 100,000 in the third and fourth years.
Safety Assessment Letters
Companies manufacturing highly automated vehicles would be required to issue safety assessment letters to the National Highway Traffic Safety Administration (“NHTSA”) as contemplated by the Federal Automated Vehicles Policy issued in September 2016.
Before selling any highly automated vehicle or automated driving system, manufacturers would be required to develop a cybersecurity plan that includes:
- a written cybersecurity policy with respect to the practices of the manufacturer for detecting and responding to cyber-attacks, unauthorized intrusions, and false and spurious messages or vehicle control commands, including:
  - a process for identifying, assessing, and mitigating reasonably foreseeable vulnerabilities from cyber-attacks or unauthorized intrusions, including false and spurious messages and malicious vehicle control commands; and
  - a process for taking preventive and corrective action to mitigate against vulnerabilities in a highly automated vehicle or a vehicle that performs partial driving automation, including incident response plans, intrusion detection and prevention systems that safeguard key controls, systems and procedures through testing or monitoring, and updates to such process based on changed circumstances;
- the identification of an officer or other individual of the manufacturer as the point of contact with responsibility for the management of cybersecurity;
- a process for limiting access to automated driving systems; and
- a process for employee training and supervision for implementation and maintenance of the policies and procedures required by this section, including controls on employee access to automated driving systems.
The NHTSA would be required to establish the Highly Automated Vehicle Advisory Council that would be responsible for, among other things, devising best practices and recommendations for cybersecurity for the testing, deployment, and updating of automated driving systems as well as advancing mobility access for the disabled community and senior citizens.
The law would not allow a manufacturer to sell any highly automated vehicle or automated driving system unless the manufacturer developed a privacy plan that includes:
- a written privacy plan with respect to the collection, use, sharing, and storage of information about vehicle owners or occupants collected by a highly automated vehicle, vehicle that performs partial driving automation, or automated driving system that includes:
  - the way that information about vehicle owners or occupants is collected, used, shared, or stored;
  - the choices offered to vehicle owners or occupants regarding the collection, use, sharing, and storage of information;
  - data minimization, de-identification, and retention of information about vehicle owners or occupants; and
  - the practices of the manufacturer with respect to extending its privacy plan to the entities with which it shares such information;
- a method for providing notice to vehicle owners or occupants about the privacy plan;
- if information about vehicle owners or occupants is altered or combined so that the information can no longer reasonably be linked to the highly automated vehicle, vehicle that performs partial driving automation, or automated driving system from which the information is retrieved or to the vehicle owner or occupants, the manufacturer is not required to include the process or practices regarding that information in the privacy plan; and
- if information about an occupant is anonymized or encrypted, the manufacturer is not required to include the process or practices regarding that information in the privacy plan.
A violation of this provision would be treated as an unfair or deceptive act or practice under the Federal Trade Commission (“FTC”) Act.
The law would require the FTC to conduct a study and submit a report to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate on the highly automated vehicle marketplace, including an examination of the following issues:
- Which entities in the ecosystem have access to vehicle owner or occupant data?
- Which entities in the highly automated vehicle marketplace have privacy plans?
- What are the terms and disclosures made in such privacy plans, including regarding the collection, use, sharing, and storage of vehicle owner or occupant data?
- What disclosures are made to consumers about such privacy plans?
- What methods are available to enable deletion of information about vehicle owners or occupants from any data storage system within the vehicle (other than a system that is critical to the safety or operation of the vehicle) before the vehicle is sold, leased or rented, or otherwise occupied by a new owner or occupant?
Steve Wernikoff is a litigation and transactional partner who co-leads two of the firm's technology-based practice areas–the Data, Privacy, and Cybersecurity group and the Autonomous Vehicle group. As a previous officer and ...