Driving in the digital age: addressing electric vehicles’ privacy and security issues

July 2023  |  SPOTLIGHT | DATA PRIVACY

Financier Worldwide Magazine

July 2023 Issue


As electric vehicles (EVs) gain global popularity, they bring not just environmental and economic benefits but also new challenges in data privacy and cyber security. The US recently passed the Bipartisan Infrastructure Law, a $7.5bn plan for creating an interconnected network of charging stations across the country and funding manufacturers looking to enter the space. This injection of government-backed funding is paired with an objective of having 50 percent of all new vehicle sales be electric by 2030.

A functioning EV requires millions of lines of code and uses technologies that obtain a wealth of data, including data about the car and personal data about the drivers. The smart technologies of EVs store considerable personal data, invoking complex legal obligations, while also attracting cyber threats that could disrupt individual vehicles or entire power grids. With countries like the US establishing ambitious EV manufacturing goals, there is an added consideration of whether expedited manufacturing will effectively monitor the cyber security and privacy issues associated with connected EVs.

Privacy lawsuits and regulations

EV manufacturers are challenged to comply with a patchwork of privacy laws in the US. Currently, the country does not have a comprehensive federal privacy law, but states and industries have adopted laws at their respective levels. Examples of state laws include the California Privacy Rights Act, the Colorado Privacy Act, the Tennessee Information Protection Act and the Virginia Consumer Data Protection Act.

The legal considerations of EVs provide circumstances where consumers may have a legal action against EV companies and manufacturers. In 2022, a class action was filed against a leading EV manufacturer for violation of the Illinois Biometric Information Privacy Act (BIPA). Since 2017, some models have included facial recognition features within their autopilot systems. These models utilise in-cabin cameras to gather drivers’ biometric data and track facial and eye movement to determine the driver’s level of attention within the EV, allowing these systems to analyse this data and disengage the self-driving functions of the car if the driver’s attention does not meet a certain threshold. The plaintiff argues that the manufacturer neither obtained consents nor published the required policies on data storage and destruction to comply with the BIPA. The plaintiff asserts that a breach of biometric data is irreversible as it is of a highly sensitive nature and uniquely identifies the individual, and that the manufacturer unlawfully profits from this biometric data, as it is used to enhance the self-driving systems. This ongoing lawsuit, demanding $5000 in statutory damages per infringement of the BIPA, not only carries the potential for substantial financial implications depending on the number of individuals whose privacy rights are violated, but also stands poised to set a significant precedent for breaches of state privacy laws. This case is particularly noteworthy as it mirrors recent, similar lawsuits directed against EV manufacturers concerning their misuse of data, suggesting a growing concern and legal focus on data privacy issues in the industry.

In California, the Rental Passenger Vehicle Transactions Law (RPVTL) forbids a rental car company from gathering, using or accessing any information about a consumer’s use of a rental vehicle if it was obtained through “electronic surveillance technology”. Per the RPVTL, electronic surveillance technology means a technological method or system used to observe, monitor or collect information, including telematics, global positioning system, wireless technology or location-based technologies. Any renter has a private right of action under the RPVTL and may file a lawsuit if they believe their personal data was unlawfully gathered or used. Recently, class action lawsuits have been filed in California alleging misuse of renters’ data. Plaintiffs argue that such misuse of data includes the improper retention of personal data after the rental is returned, thus allowing subsequent users of the vehicle to access the personal data of previous renters. Considering the proactive stance of California courts toward consumer data privacy, rental companies with EV fleets should carefully evaluate their personal data collection practices and proactively develop policies to deter potential class actions.

International privacy and data protection laws also come into play if the company has an eye on the European market, or simply because the vehicle uses cloud-based software that stores data in decentralised locations globally. The General Data Protection Regulation (GDPR), renowned as a highly rigorous global data protection law, applies to both companies based in Europe and international companies offering goods or services to, or monitoring the behaviour of, residents within Europe. Many types of data collected by EVs and their numerous technologies fall under the GDPR’s broad definition of “personal data”, thus making the manufacturer of the vehicle subject to the law. It is also important to keep in mind that the GDPR restricts data transfers from the EU to a country without an adequacy decision from the European Commission (EC). Such “non-adequate” countries include the US. This restriction poses issues for many US-based automotive manufacturers if they have a business need to transfer EU data to the US for purposes including analytics and marketing. Those companies, therefore, need to implement at least one appropriate mechanism to legalise such international data transfers under the GDPR. A single breach of the GDPR may be fined up to the greater of €20m or 4 percent of the company’s annual global turnover.

Security incidents and industry best practices

In recent years, several security incidents have exposed the dangers remote hackers pose to EVs. In 2019, a 19-year-old security researcher remotely accessed the digital car keys of more than 25 of one leading manufacturer’s EVs around the world, then breached third-party software made available for drivers to upload and access data relating to their vehicles. After gaining access to the digital car keys, the researcher then set certain commands into action on the different vehicles. Such commands included controlling the windows, unlocking the doors and disarming the vehicle’s security mode. Although an act of ethical hacking, this exercise illustrates the ability of hackers to remotely access vehicles and put the driver in danger. The third-party vendor addressed this attack by updating the software, and the manufacturer notified the drivers involved.

Another example occurred this year when a group of ethical hackers exposed security vulnerabilities in the application programming interfaces of cars from 16 different manufacturers. In Ferraris, the hackers gained access to the account of employee administrators through which they could access the records of all Ferrari customers. With Mercedes-Benz, the hackers breached a single sign-on authentication and, thus, could act as employees of the company in communications with drivers. Additionally, the hackers gained access to a device-independent telematics company connected to more than 15 million vehicles through services such as Goldstar and OnStar. With this access, the attackers could influence the internal controls, such as unlocking doors and turning on engines, of civilian vehicles and law enforcement vehicles. Overall, this ethical infiltration exposed the ability of remote hackers to obtain privileged access to consumer information and manipulate the internal controls of the vehicles from thousands of miles away.

Several non-binding guidelines offer support for the EV industry in dealing with cyber security vulnerabilities, including the National Highway Traffic Safety Administration (NHTSA) framework, the ISO/SAE 21434 standard, the EU Agency for Cybersecurity’s tool for the internet of things (IoT) and smart infrastructures, and resources from the International Telecommunications Union.

NHTSA updated its Cybersecurity Best Practices for the Safety of Modern Vehicles in 2022, which emphasises the automotive industry’s obligation to tackle cyber security and privacy vulnerabilities. The NHTSA framework focuses on risk-based prioritisation for safety-critical vehicle control systems and sensitive information, alongside promoting swift detection and response to threats.

The International Organisation for Standardisation (ISO) and the Society of Automotive Engineers (SAE) have jointly published the ISO/SAE 21434 standard. This guide aids automotive product developers and manufacturers in incorporating cyber security protocols for connected vehicles throughout each stage of an EV’s lifecycle, from initial design to decommissioning, underlining the importance of regular cyber security testing.

The EU Agency for Cybersecurity’s ‘Good Practices for IoT and Smart Infrastructures Tool’ offers an interactive guide, detailing security measures on a range of smart infrastructures, including smart cars. The tool provides resources on key aspects of an EV, such as its data security, its communication via networks, interactions with other devices, and internal operations like software and vehicle functions.

In sum, the automotive industry is shifting gears to an electric future, a transition that presents data privacy and cyber security risks throughout the entire grid. Specifically, EVs and the related infrastructure collect and handle a significant amount of data, including personal data. Any vulnerability within an EV or charging station can provide a hacker with a platform to harm individuals or the grid. EV manufacturers and all associated parties must ensure that safeguards and guidelines are in place to protect the data of EV drivers. Participants within the EV industry can look to existing guidelines and continue to strengthen their current cyber security and privacy protocols through rigorous testing.

 

Hannah Ji-Otto is of counsel and Stefan R. Kostas is an associate at Baker Donelson. Ms Ji-Otto can be contacted on +1 (615) 726 5758 or by email: hjiotto@bakerdonelson.com. Mr Kostas can be contacted on +1 (615) 726 5697 or by email: skostas@bakerdonelson.com.

© Financier Worldwide



