Skip to content

Implementing Effective Security Measures for Data Privacy for Autonomous Vehicles

May 16, 2022

This is the fourth part in a series of advisories on data privacy best practices for autonomous and connected vehicles. To read previous advisories in this series, please visit: Best Practices, Documenting Collected Data and Defining Data Privacy Principles. 

Autonomous vehicles can be vulnerable to cyber attacks, including those with malicious intent. Identifying an appropriate framework with policies and procedures will help mitigate the risk of a potential attack.

The National Highway Traffic Safety Administration (NHTSA) recommends a layered approach to reduce the likelihood of an attack’s success and mitigate ramifications if one does occur. NHTSA’s Cybersecurity Framework is structured around the five principles of identify, protect, detect, respond and recover, and can be used as a basis for developing comprehensive data security policies.

NHTSA goes on to describe how this approach “at the vehicle level” includes:

  • Protective/Preventive Measures and Techniques: These measures, such as isolation of safety-critical control systems networks or encryption, implement hardware and software solutions that lower the likelihood of a successful hack and diminish the potential impact of a successful hack.
  • Real-time Intrusion (Hacking) Detection Measures: These measures continually monitor signatures of potential intrusions in the electronic system architecture.
  • Real-time Response Methods: These measures mitigate the potential adverse effects of a successful hack, preserving the driver’s ability to control the vehicle.
  • Assessment of Solutions: This [analysis] involves methods such as information sharing and analysis of a hack by affected parties, development of a fix, and dissemination of the fix to all relevant stakeholders (such as through an ISAC). This layer ensures that once a potential vulnerability or a hacking technique is identified, information about the issue and potential solutions are quickly shared with other stakeholders.

Other industry associations are also weighing in on best practices, including the Automotive Information Sharing and Analysis Center’s (Auto-ISAC) seven Key Cybersecurity Functions and, from a technology development perspective, SAE International’s J3061, a Cybersecurity Guidebook for Cyber-Physical Vehicle Systems to help AV companies “[minimize] the exploitation of vulnerabilities that can lead to losses, such as financial, operational, privacy, and safety.”

To build an effective data security protection posture, Varnum’s Data Privacy Team recommends in-house counsel be flexible. Prescriptive requirements aren’t always well-suited to cybersecurity protection. It’s important to learn to adapt and understand evolving best practices and key cybersecurity principles, with a focus on prevention, monitoring and response.

Varnum’s Mobility Practice has helped leading autonomous vehicle companies craft their data privacy policies. How robust is your plan? Schedule a meeting with our mobility data privacy and security attorneys.

Sign up to be the first to access our leading legal insights.

Request a Meeting

Name

Please be aware that contacting us via e-mail does not create an attorney-client relationship between you and the firm. Do not send confidential information to the firm until you have spoken with one of our attorneys and receive authorization to send such materials.

Sign up to be the first to access our leading legal insights.

Please be aware that contacting us via e-mail does not create an attorney-client relationship between you and the firm. Do not send confidential information to the firm until you have spoken with one of our attorneys and receive authorization to send such materials.

The link you have selected will redirect you to a third-party website located on another server. We are offering the link for your convenience. Varnum has no responsibility for any external websites and makes no express or implied warranties about any external websites.

Please be aware that contacting us via e-mail does not create an attorney-client relationship between you and the firm. Do not send confidential information to the firm until you have spoken with one of our attorneys and receive authorization to send such materials.