NHTSA/FTC Joint Workshop

Similar documents
December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Connected & Autonomous Vehicles

Network, Policy & Privacy Considerations for Connected Autonomous Vehicle Initiatives

HOT TOPICS IN DATA PRIVACY REGULATION IN RUSSIA

Along for the Ride Reducing Driver Distractions

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C

The Stakes Are Going Up: Hacking and the New Paradigm of Data Breaches

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414

Third-Party Cyber Risk Management Webinar May 23, 2017

Cyber Security Law --- How does it affect the business operations in China? Xun Yang Of Counsel, Commercial IP and Technology

I. PROPOSED DEFINITION OF PRIMARY PURPOSE IS INCONSISTENT WITH THE STATUTORY LANGUAGE OF THE CAN-SPAM ACT

Department of Justice Policing and Victim Services BUSINESS PLAN

Harmonisation of Digital Markets in the EaP. Vassilis Kopanas European Commission, DG CONNECT

Cyber Security and Cyber Fraud

March 20, Re: Removing Regulatory Barriers for Vehicles with Automated Driving Systems, Docket No. NHTSA

WHAT SECTION 215A OF THE FEDERAL POWER ACT MEANS FOR ELECTRIC UTILITIES. Stephen M. Spina J. Daniel Skees Arjun P. Ramadevanahalli December 17, 2015

Legal and Regulatory Developments for Privacy and Security

2. What do you think is the significance, purpose and scope of enhanced cooperation as per the Tunis Agenda? a) Significance b) Purpose c) Scope

USA HEAD OFFICE 1818 N Street, NW Suite 200 Washington, DC 20036

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Views on the Framework for Improving Critical Infrastructure Cybersecurity

Cyber Security Law --- Are you ready?

U.S. Japan Internet Economy Industry Forum Joint Statement October 2013 Keidanren The American Chamber of Commerce in Japan

The J100 RAMCAP Method

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

BISHOP GROSSETESTE UNIVERSITY. Document Administration. This policy applies to staff, students, and relevant data subjects

MEMA Perspectives on Connected Vehicles Policy. Leigh Merino Senior Director, Regulatory Affairs Northern Virginia Technology Council April 27, 2017

Data Privacy & Protection

Public Power Forward Challenges & Opportunities

INTERNET OF THINGS. Presented By Erin Bosman & Julie Park, Morrison & Foerster LLP ACC 14th ANNUAL GC ROUNDTABLE AND ALL DAY MCLE

CRITERIA FOR CERTIFICATION BODY ACCREDITATION IN THE FIELD OF RISK BASED INSPECTION MANAGEMENT SYSTEMS

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018

STATE OF ILLINOIS ILLINOIS COMMERCE COMMISSION ORDER

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Erik Puskar Standards Coordination Office 30 May, 2013 World Trade Center Moscow

DFARS Cyber Rule Considerations For Contractors In 2018

Cybersecurity in Asia-Pacific State of play, key issues for trade and e-commerce

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

Assessment of the progress made in the implementation of and follow-up to the outcomes of the World Summit on the Information Society

AML/CTF Graduate Program

THE CAN-SPAM ACT OF 2003: FREQUENTLY ASKED QUESTIONS EFFECTIVE JANUARY 1, December 29, 2003

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Re: Filing of Windstream's Comments to Notice of Proposed Rulemaking; Case No. NNTRC

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

NAI Mobile Application Code

Implementation of INFCIRC 901: Promoting Certification, Quality Management and Sustainability of Nuclear Security Training

Security Takes Center Stage

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

IDENTITY ASSURANCE PRINCIPLES

NIS Standardisation ENISA view

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

HPH SCC CYBERSECURITY WORKING GROUP

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

GDPR: A QUICK OVERVIEW

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

ICB Industry Consultation Body

UAE National Space Policy Agenda Item 11; LSC April By: Space Policy and Regulations Directory

Regulating Information: Cybersecurity, Internet of Things, & Exploding Rules. David Bodenheimer Evan Wolff Kate Growley

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

The Role of Standards in Ensuring Toy Safety

Cyber Risk and Networked Medical Devices

MNsure Privacy Program Strategic Plan FY

136 FERC 61,039 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. [Docket No. RM ] Smart Grid Interoperability Standards

Information technology - Security techniques - Privacy framework

NOKIA FINANCIAL RESULTS Q3 / 2012

Mapping to the National Broadband Plan

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C COMMENTS

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

Bad Idea: Creating a U.S. Department of Cybersecurity

Internet copy. EasyGo security policy. Annex 1.3 to Joint Venture Agreement Toll Service Provider Agreement

Enterprise resilience and the role of Standards

Data Security and Breach Notification Legislative Update: What You Need to Know (SESSION CODE CRM001)

SEC Issues Updated Guidance on Cybersecurity Disclosure

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

Personal Information You Provide When Visiting Danaher Sites

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Privacy Policy. England Athletics Limited commitment to Privacy. Introduction. The information we collect about you. The information provided to us

SAINT PETERSBURG DECLARATION Building Confidence and Security in the Use of ICT to Promote Economic Growth and Prosperity

Five Ways that Privacy Shield is Different from Safe Harbor and Five Simple Steps Companies Can Take to Prepare for Certification

GUIDING PRINCIPLES I. BACKGROUND. 1 P a g e

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION

OUTCOME DOCUMENT OF THE INTERNATIONAL CONFERENCE ON CYBERLAW, CYBERCRIME & CYBERSECURITY

Policing our Roads Together

An ordinance adding Section to CHAPTER 28, MOTOR VEHICLES AND

Samsung Galaxy S9/S9+ Qantas Points Pre-Sale Promotion 2018 TERMS & CONDITIONS

UNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

National Policy and Guiding Principles

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

gridconnext provides an unprecedented

Vehicle & Transportation Infrastructure Cyber Security Discussions. IQMRI

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

Cisco Smart+Connected Communities

Global Cybersecurity Agenda

Transcription:

NHTSA/FTC Joint Workshop July 2017 Connected cars were a topic of active discussion in Washington DC at the end of June 2017. Congress held hearings on a range of proposed legislation designed to address the development and regulation of connected cars. Two regulatory agencies with oversight on connected and autonomous vehicles, the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC), held a workshop on the topic of connected cars. This ML Automotive Update analyzes key themes garnered from the workshop. The joint workshop included presentations from the NHTSA, the FTC and a representative from the Automotive Information Sharing and Analysis Center ( Auto-ISAC ), as well as panel discussions in which industry representatives, consumer organization officials, academics, and other researchers participated. The NTHSA and the FTC expressed a commitment to implement a flexible approach so as to support innovation, and to promote industry efforts on privacy and cybersecurity. Both agencies will provide guidance aiming to establish a framework addressing privacy and cybersecurity while not impeding innovation. Other key developments included: The NHTSA expressed a clear commitment to fulfilling the potential of connected cars as a means to improve safety and reduce motor vehicle deaths and injuries; The contents of Morgan Lewis AUTOMOTIVE are provided for your convenience and do not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes. Attorney Advertising. Morgan, Lewis & Bockius UK LLP is a limited liability partnership registered in England and Wales under number OC378797 and is a law firm authorised and regulated by the Solicitors Regulation Authority (SRA). The SRA authorisation number is 615176. For further information, or if you would like to discuss the implications of these legal developments, please do not hesitate to get in touch with your usual contact at Morgan Lewis. The NHTSA is working on a new guidance document designed to: (i) support industry innovation and encourage open communications between and among the NHTSA, industry participants and interested parties; (ii) make the NHTSA processes nimbler and responsive; and (iii) encourage new entrants and the exchange of ideas to aid the development of safer vehicles; The FTC will adopt an approach of regulatory humility, recognizing that connected cars promise to reduce fatalities and injuries, and to improve both safety and accessibility. Given these potential benefits, the FTC acknowledged the need to not allow its efforts to hinder innovation; The FTC recognizes that there is a tension between its role in protecting personal and sensitive information, and preventing unreasonable data security practices in a framework that allows for continued innovation and growth in the development of connected and autonomous vehicles;

The FTC has an important role in educating consumers and providing guidance. This will enable development of connected cars and improve the collective understanding concerning the scope of data that is being utilized and the manner in which that data may be used. Another important element of the workshop was that the NHTSA and the FTC recognized that industry participants have undertaken important measures to address privacy and cybersecurity. Both agencies acknowledged that those efforts were effective self-regulation measures entitled to a significant measure of respect and, to some degree, deference given that government actors will not be in a position to respond as immediately or effectively to innovation and security threats. Key points included: Self-regulatory efforts that were acknowledged as significant included Consumer Privacy Protection Principles 1, the Auto-ISAC, and Automotive Cybersecurity Best Practices; 2 The FTC and other participants emphasized that the FTC has enforcement capabilities with respect to the Privacy Principles a point that may require further consumer education; It was also emphasized that cybersecurity requires constant attention and is the subject of considerable efforts by the Auto-ISAC and standards setting organizations, which are often better positioned than government agencies to anticipate, to respond to, and to address cybersecurity threats to connected cars; Government agencies and industry members have an important role in improving consumer education on connected cars and the self-regulatory efforts to addressing privacy, cybersecurity and safety. Such efforts are integral to consumer acceptance of connected and autonomous vehicles. The discussion also offered insight into approaches and considerations in the development of connected-car technology and related consumer education efforts. Some key takeaways from the discussion include: Compartmentalizing data and systems is a best practice from both a privacy and cybersecurity standpoint. Systems that are integral to safety should be separate from other systems, like infotainment, that do not have a safety role. Separation mitigates the risk that non-critical systems create a cybersecurity vulnerability and gateway to critical vehicle control and safety systems; 1 The Principles can be found at https://autoalliance.org/wpcontent/uploads/2017/01/consumer_privacy_principlesfor_vehicletechnologies_services.pdf. 2 The Best Practices can be found at https://www.automotiveisac.com/best-practices/.

From a privacy standpoint, separation also allows for variation with respect to the collection and use of data generated by different in-vehicle data collection systems. Since notice and choice may prove to be impractical options for safety systems where data will need to be used and shared to enable connected cars safety enhancements, separation would allow for different approaches to notice and choice with respect to other systems data; There is a need to plan for improved communications concerning the nature of the data that will be collected, how it may be used for safety and vehicle operations purposes and when it may be used for commercial purposes. Education of consumers, regulators and legislators concerning the different categories of data will enable a better understanding and appreciation of the need to use and share certain data, and the circumstances when it may be appropriate (or inappropriate) to attempt to limit the use and sharing of certain data. The process will need to distinguish between safety critical data, personal information, and IP sensitive data, for example, and also set out what third parties have (and do not have) access to what categories of data; Over-the-air updates for vehicle safety and cybersecurity enhancement will be a necessary component for the development of connected cars. There will need to be development of processes (regulation or legislation) that will make those updates mandatory. These processes will eliminate commercial and technical barriers to enabling vehicle manufacturers and distributors to automatically provide such updates, as those parties will be in the best position to control vehicle data systems and provide for technical and operational enhancements; Automotive manufacturers and allied technology companies will need to continue to focus on safety by design, and vehicle and system fail-safe designs, in order to enhance vehicle safety and protect against cybersecurity risks. The NHTSA s flexible and nimble approach is designed to support and enable those efforts. Congressional Hearings Recent congressional hearings on connected cars reflect that, while numerous and often distinct bills have been introduced, the US Senate and House of Representatives have some significant areas of consensus with respect to enabling the development of connected and autonomous vehicles. To the extent that there were areas of disagreement, the primary focus concerned whether there was a need for the imposition of legislation mandating certain safety and cybersecurity elements while connected and autonomous vehicles are largely in the development stage, or whether such efforts would hinder development and innovation.

There appears to be a division among legislators who believe that it is premature to impose a statutory safety regime given that connected and autonomous vehicles are in a development stage and that the technology that will ultimately be utilized is an unknown factor and other legislators who believed that it was imperative to impose a statutory safety regime at this nascent stage. There was also significant discussion on whether there were benefits from cybersecurity and safety purposes to have multi-layered regulation of connected cars at the state and federal (and in some cases, local) levels, or whether the development of connected and autonomous cars and associated safety and security standards was better addressed in a coordinated fashion by federal agencies in conjunction with industry participants and other interested parties. The hearings preceded the joint FTC/NHTSA workshop which reflected a high level of collaboration with respect to these matters. There were certain areas of general consensus and efforts were made to set out principles to guide the legislative process going forward. Key areas of consensus included: Recognition of the importance of federal oversight of safety and establishing new federal safety standards once connected and autonomous vehicle development is at a more advanced stage; While some disagreement remains concerning the role of state and local governments, there was an appreciation that the traditional role was for the federal government to regulate the vehicle itself, while states regulated driver behavior. Legislation will need to clarify the responsibilities of federal and state regulators and avoid (or preempt) conflicting laws and regulations; Promotion of innovation and reduction of regulatory roadblocks are key federal roles. Legislation must create exemptions that enable testing and development so that existing regulatory standards, which will need to be revised over time, do not impair innovation in the United States; As the future of vehicle technology and automotive business models are in a state of evolution, legislation must be technology neutral and avoid favoring any technologies or business models; Cybersecurity is a top priority, and must be an integral feature of connected and autonomous vehicles, and legislation needs to address vehicle connectivity in a manner that enhances cybersecurity protection; Public education on connected and autonomous cars is important to their development and acceptance, and government and industry should work together to address public education needs. While the hearings preceded the joint FTC/NHTSA workshop, the Senate and House are likely to explore whether legislation is needed to further promote such efforts or whether the efforts that were discussed at the workshop will continue without the need for legislative mandate.

MORGAN LEWIS S AUTOMOTIVE TEAM Morgan Lewis s automotive team partners with global automotive industry companies in complex transactions and matters, building and protecting their IP portfolios, as well as crafting and implementing customized business, finance, and tax strategies that are effective for many years. Taking a holistic view of the auto industry the advent of unprecedented government involvement, a shifting competitive landscape, the race for new technology and talent, and greater consumer and regulatory demands involving safety and the environment we assist in developing precise legal strategies aimed at advancing our clients specific business objectives. CONTACTS Timothy Bransford Mark L. Krotoski 1111 Pennsylvania Avenue, NW 1400 Page Mill Road Washington, DC 20004 USA Palo Alto, CA 94304 USA +1.202.373.6140 +1.650.843.7212 timothy.bransford@morganlewis.com mark.krotoski@morganlewis.com Ronald W. Del Sesto, Jr. Daniel S. Savrin 1111 Pennsylvania Avenue, NW One Federal Street Washington, DC 20004 USA Boston, Massachusetts 02110-1726 USA +1.202.373.6023 +1.617.951.8674 ronald.delsesto@morganlewis.com daniel.savrin@morganlewis.com Ethel J. Johnson David L. Schrader 1000 Louisiana Street, Suite 4000 300 South Grand Avenue, 22nd Floor Houston, TX 77002-5006 USA Los Angeles, CA 90071-3132 USA +1.713.890.5191 +1.213.612.7370 ethel.johnson@morganlewis.com david.schrader@morganlewis.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback