Vehicle-related cyber incidents could have devastating and deadly effects, particularly as cars and trucks become more highly automated and rely more heavily on wireless technologies. To combat this threat, the U.S. Department of Transportation (DOT) has issued proposed cybersecurity guidance to ensure that vehicles are protected from hacking and other cyber threats.

The proposed guidance comes several weeks after DOT and the National Highway Traffic Safety Administration (NHTSA) issued guidance to automotive manufacturers aimed at encouraging the development of automated vehicles. That guidance touched on data recording and sharing, privacy, and cybersecurity issues, among others.

The DOT's proposed cybersecurity guidance recommends that manufacturers prioritize the protection of consumers' personal data as well as critical vehicle controls. It recommends that businesses account for the full anticipated life cycles of the products and vehicles they supply, and that they implement procedures to rapidly respond to and recover from cybersecurity incidents, whether those incidents occur when a vehicle is in use or otherwise.

The proposed guidance encourages the automotive industry to make cybersecurity a top priority, allocating resources appropriately, sharing threat information, and establishing protocols to ensure that any incidents are quickly elevated to a company's highest levels. Specifically, the proposed guidance suggests that industry participants should have an established protocol for responding to incidents, setting forth clear responsibilities for each incident response team member. NHTSA recommends that more employees than ever before be trained on new cybersecurity practices, and that companies self-audit throughout the entire process of product development, testing, implementation, and in-the-field use. Cooperation among industry leaders and their development partners is also encouraged, with DOT stressing that companies should share threat intelligence and the lessons they have learned.

Industry participants and interested members of the public are invited to provide NHTSA with public comments on the proposed guidance. The deadline for submitting comments is November 23, 2016. With the stakes of automotive-related cyber incidents so high, however, companies in this industry should not wait to establish robust cybersecurity programs with rapid response protocols or to train employees on how to address issues that arise.

Ballard Spahr's Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors, including the automotive industry. Our cross-disciplinary team of attorneys helps clients around the world mitigate cyber risk, investigate and respond to cyber incidents, and navigate post-incident enforcement, compliance, and litigation risk. The firm's Product Liability and Mass Tort Group has substantial experience representing automotive companies in a wide range of litigation and counseling matters, including class actions and regulatory compliance.

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.