On February 11, Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced legislation aimed at establishing federal data security and privacy standards for Internet-connected automobiles (“smart cars”). This announcement follows a January Federal Trade Commission (“FTC”) Staff Report recommending generally applicable, technology-neutral data security and privacy regulation for the “Internet of Things” (the increasing number of everyday objects connected to the Internet). The smart car legislation, in contrast, embodies an approach favoring industry-by-industry data regulation.
Prior to announcing the smart car legislation, Senator Markey released a report titled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk.” The report outlines the data security and privacy practices of 16 car manufacturers and makes several findings related to the collection, transmission, and use of driver and passenger data and the security of wireless access points and other vehicle systems. The report calls for new regulatory standards from the National Highway Traffic Safety Administration (“NHTSA”) in consultation with the FTC to correct the “alarmingly incomplete and inconsistent” data security and privacy practices.
The announced legislation would follow the recommendations of Senator Markey’s report and require security-related standards, including penetration testing for vehicle wireless access points; “appropriate” security and encryption of collected information; and the ability of third-party providers to detect, report, and respond to security breaches. Privacy-related requirements include making drivers explicitly aware of data collection, transmission, and use; giving consumers a choice as to whether data is collected; and prohibiting the use of personal driving information for advertising or marketing purposes. The legislation also would require a security rating system to be displayed on vehicles in a manner similar to the display of fuel economy information. NHTSA and the FTC would promulgate the standards.
While last month’s FTC report recommended against legislation targeting the Internet of Things as such, the new bill represents a somewhat different, industry-by-industry approach. As more industries and devices join the Internet of Things, the importance of the regulatory framework for data security and privacy will only increase.