This summer, U.S. automakers pledged to ramp up motor vehicle cyber protection measures by launching a new centre for cybersecurity intelligence and analysis. This initiative, dubbed the Auto Information Sharing and Analysis Centre (Auto ISAC, one of a number of industry ISACs that have formed in recent months), is intended to function as a clearinghouse for intelligence regarding cyber threats to cars and their data networks.
The goal of Auto ISAC is to create an efficient means for the timely identification and amelioration of cyber threats and other tech-based vulnerabilities impacting the auto sector. The announcement recognizes that today’s cars are connected – able to navigate, run engine diagnostics, monitor driver behaviour, and provide customized on-board infotainment services.
This increased level of connectivity also engages privacy and safety concerns. Automakers say that their concern for the cybersecurity of their cars is just an extension of their shared commitment to auto safety. Accordingly, Auto ISAC has the backing of both the Alliance of Automobile Manufacturers and the Association of Global Automakers. The associations have also suggested that they would like to see auto suppliers, telecommunications providers, and technology companies join their security carpool. The involvement of these partners is important given the modern realities of technology integration across platforms and devices into various in-vehicle networks and motor vehicle electronics.
Balancing Connection and Protection
The announcement may also be driven by some political tailgating – on both sides of the border. In February, U.S. Senator Ed Markey (D.-Mass.) released a report on the cyber-preparedness of major automakers, finding that security measures were inconsistent and only 2 of the 16 companies studied had the capabilities to diagnose or respond to a threat in real time. Senator Markey introduced legislation in July that would set minimum standards and rules to protect data, security, and privacy of drivers.
Policy for the information highway has also been a subject of debate in Canada. Ontario, through Ontario Centres of Excellence, has pledged $1 million to support innovative and commercially viable projects through the Connected Vehicle/Autonomous Vehicle Program, including projects aimed at addressing the significant regulatory and infrastructure hurdles such connected cars create.
In March, the public interest group B.C. Freedom of Information and Privacy Association (FIPA) released its study on privacy, consumer choice, and onboard vehicle technology. The report, entitled The Connected Car: Who is in the Driver’s Seat?, focuses on the privacy concerns created by connected cars and recommends that the federal government enact data protection regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA) aimed specifically at regulating the auto sector.
Implications for the Rules of the Road
There are a number of concerns with any approach to motor vehicle cybersecurity that relies on sector-specific regulation. This is particularly true given the rapidly evolving interplay of networked services, consumer practices, and technological developments. A single vehicle may have an infotainment system operated by a digital music company, a navigation system supplied by an electronics company, telephone contacts populated over Bluetooth, and a telematic system installed on behalf of an insurance company. Indeed, it is difficult to define parameters for such a narrowly-targeted policy in such a dynamic space. Regulating a sector is problematic when the concept of ‘sectors’ itself is fluctuating, both in the business landscape and people’s personal environments. A preferred approach would maintain a uniformly applicable standard across industries, products, and provinces.
Canadian automakers should not be lulled into a false sense of security by the (current) absence of sector-targeted cybersecurity regulations, nor should they be comforted by the thought that they can hitch a ride on voluntary U.S. protocols like Auto ISAC. Canadian automakers are subject to their own legal requirements under Canada’s privacy legislation, and complying with US regulations or voluntary codes will likely not be sufficient in Canada. For instance, there are notable differences between PIPEDA and the Privacy Principles of the U.S. Alliance of Automobile Manufacturers. In addition, Canada’s anti-spam laws (CASL) may require a different approach to software updates, and the detailed management of appropriate consents.
OEMs and others in the auto industry may want to consider establishing a privacy management program to stay abreast of legal developments that impact their products and to address privacy compliance in a meaningful and systematic way.
© McCarthy Tétrault LLP
Douglas Judson is an articling student in McCarthy Tétrault’s Toronto office.