First published by Solicitors Journal

While cars equipped with internet access make life more convenient, journeys greener, and roads safer, car manufacturers face challenges in keeping personal data safe, avoiding driver distraction, and preventing cyber-attacks.

Cyber security experts have shown considerable interest in connected car vulnerabilities and, in three recently reported cases, carmakers do not appear to be adequately prepared:

  • Fiat Chrysler Automobiles (FCA) recalled 1.4 million vehicles in the US over a vulnerability in dashboard computers that allowed hackers to disable the vehicle;
  • White hat hackers broke into General Motors' OnStar system; and
  • White hat hackers also plugged into a Tesla Model S to implant malware into the car's central computer.

Ernst & Young estimate that 104 million cars will have some form of connectivity by 2025, so the above instances of cybercrime must be considered the thin end of the wedge, as hacking becomes more prevalent with the predicted growth of the connected car market.

FCA's recall may have been an understandable reaction to criticism from the US National Highway Traffic Safety Administration (NHTSA) over the 'timeliness and effectiveness' of the company's handling of previous vehicle recalls. That said, reports suggest FCA initially considered the flaw not to be a safety defect and waited 18 months to notify the vulnerability to the NHTSA.

Either way, FCA's action did not deter class-action plaintiffs in Illinois and Missouri from seeking damages for diminished vehicle values caused by the hacking threat. While it is hard to envisage the losses actually suffered where software patches have been applied, one should not gainsay the ingenuity of US plaintiff lawyers.

Code of practice

What, though, would happen if a carmaker was faced with a similar problem in the UK? The General Product Safety Regulations 2005 require manufacturers to ensure their products are safe. The motor industry codes of practice (aligned with the regulations) provide a recognised and approved process to follow when a safety defect is identified.

It is therefore vital that carmakers implement effective systems to identify defects and, upon discovery, immediately to notify the Vehicle & Operator Services Agency, customers, dealers and, if appropriate, to effect a product recall. While a full-blown recall may be costly and give rise to reputational damage, those concerns must be balanced against the potential civil and criminal liabilities and heightened reputational damage where appropriate action is not taken.

FCA and Tesla vehicles suffered from security flaws which enabled hackers to gain remote control of safety-critical vehicle systems (and therefore cause risk of personal injury/death). It is debatable whether the flaws caused a significant risk since no personal injuries or fatalities resulted but, even in those circumstances, the tendency to recall among UK carmakers would, and should, be strong.

Manufacturers are well-advised to collaborate with cyber security experts as software vulnerability can lead to serious safety issues and, potentially, loss of market confidence. While the FCA recall was the first automotive recall prompted by cyber security threats, those threats will undoubtedly increase and demand ever faster and more sophisticated responses.