A US House of Representatives proposal would fine car hackers up to $100,000

A subcommittee of the U.S. House of Representatives has proposed requiring vehicle manufacturers to state their privacy policies, besides providing for civil penalties of up to US$100,000 for the hacking of vehicles.

The lawmakers have also proposed that the National Highway Traffic Safety Administration set up an Automotive Cybersecurity Advisory Council to develop cybersecurity best practices for manufacturers of cars sold in the U.S.

The move comes in the wake of the increasing automation of cars, which has raised privacy concerns, and the high-profile hack of a Jeep Cherokee.

The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade has released the staff draft ahead of a hearing next week on “Examining Ways to Improve Vehicle and Roadway Safety.”

A chapter on vehicle data privacy in the draft requires that, one year after the enactment of the legislation, vehicle manufacturers should “develop and implement” a privacy policy outlining their practices regarding the collection, use, and sharing of information collected through technologies and services offered by the manufacturer directly or through a third party.

The vehicle maker will also have to specify under what circumstances the information is collected and offer a commitment to retain it no longer than is determined necessary by the manufacturer for legitimate business purposes.

The maker will also need to have in place “reasonable measures” to protect the information against loss and unauthorized access or use.

Vehicle makers could face a civil penalty for violation of these rules of not more than $5,000 per day, with the maximum penalty for a series of violations by a single manufacturer being up to $1 million.

A proposed section on motor-vehicle data hacking would make it illegal and impose a civil penalty of up to $100,000 for each violation if a person accesses “without authorization, an electronic control unit or critical system of a motor vehicle, or other system containing driving data for such motor vehicle, either wirelessly or through a wired connection.”

Two security experts gained access to a Jeep Cherokee and took control remotely of some vital functions of the vehicle, according to a report in July, raising concerns about the safety of vehicles with a high degree of automation.

Legislators have previously tried to bring some regulation over vehicles with regard to security and privacy. Senators Edward Markey, a Democrat from Massachusetts, and Richard Blumenthal, a Democrat from Connecticut, introduced in July the Security and Privacy in Your Car Act, also known as the SPY Car Act, that would direct the NHTSA and the Federal Trade Commission to establish federal standards to secure cars and protect the privacy of drivers.

The draft rules also aim to streamline the process of vehicle recall by manufacturers and provide incentives for crash avoidance, road safety and fuel efficiency technologies.