Addressing Privacy and Security Issues in the Connected Car
The modern-day car is not just a computer on wheels—it’s several computers on wheels. New cars can have 50 or more electrical control units (ECUs) networked together, and each network is analogous to a separate computer.
By 2020, an estimated 250 million connected cars will be on roads worldwide. Each car will have 200 or more sensors collecting information about road conditions, the car itself and driver behaviors and preferences.
With significant advances in smart phone car-connectivity and onboard infotainment system allowing cars to collect more and more information about our daily lives and personal interactions, privacy and security have become top-priority for OEMs and suppliers.
Here are our top four tips for addressing these privacy and security issues and concerns:
1. Practice “security by design.” This is a concept recently espoused by federal regulators, namely, the National Highway Traffic Safety Administration and the Federal Trade Commission, as well as industry self-regulatory organizations. With security by design, a company addresses data security controls when products, components and devices are still on the drawing board. The days of building it first and then layering security on top are now over.
Deal with risk assessments—addressing potential threats and attack targets—during the design process. Conduct security design reviews and product testing during the development process. Make sure secure computing, software development and networking practices address the security of connections into, from and inside the vehicle.
2. Practice “privacy by design.” While security deals with the safeguards and measures implemented to protect the data from unauthorized access or use, privacy focuses on theright and desire of individuals to keep information about themselves confidential. During the design process, companies should understand and identify what personal information a device will collect and how it will be used; what type of consumer consent they will need and how to best obtain it; and whether the intended sharing of personal information is appropriate and legal. After identifying this information, the company can reconcile privacy requirements with security safeguards during the design and development process.
3. Establish an appropriate data security governance model. Executives and senior management can no longer blindly delegate data security to the security engineering team. Regulators, courts and juries are demanding that senior management become involved in and accountable for data security. With the precise governance model depending on the nature and size of the organization, each company should actively consider what level of executive oversight is appropriate, and then document those conclusions in a data security governance policy. This will serve the dual purposes of enhancing data security of vehicles and component parts, while also bolstering the company’s defenses in the event of a security incident or investigation.
4. Address the entire supply chain. Both OEMs and suppliers should conduct appropriate due diligence and risk assessments of their respective suppliers of hardware, software, development tools assembly, integration and testing—both at the beginning of the relationship and periodically throughout.. Suppliers’ contracts should also address data security requirements.
Pavan K. Agarwal and Chanley T. Howell
Agarwal and Howell are partners and intellectual property lawyers with Foley and Lardner LLP.