Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) reintroduced a pair of bills today relating to the cybersecurity of cars and aircraft, which would impose affirmative security, disclosure, and consent requirements on manufacturers and air carriers. The Security and Privacy in Your Car (“SPY Car”) Act and Cybersecurity Standards for Aircraft to Improve Resilience (“Cyber AIR”) Act were each introduced but not enacted in a previous session of Congress. In a joint press release, the Senators noted that the legislation was designed to “implement and improve cybersecurity standards for cars and aircraft.”
The SPY Car Act
The SPY Car Act would require cars manufactured for sale in the U.S. to comply with “reasonable measures to protect against hacking attacks,” including measures to isolate critical software systems from non-critical systems, evaluate security vulnerabilities, and “immediately detect, report, and stop attempts to intercept driving data or control the vehicle.” It would also require “driving data” collected by cars to be “reasonably secured to prevent unauthorized access,” including while such data is in transit to other locations or subsequently stored elsewhere. Violations of these cybersecurity requirements are subject to civil penalties of up to $5,000 per violation.
In addition to these cybersecurity requirements, the SPY Car Act would require car manufacturers to display a “cyber dashboard” as part of the label affixed to each car which would “inform consumers, through an easy-to-understand, standardized graphic, about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers, and passengers” beyond the minimum legal requirements. The National Highway Traffic Safety Administration is directed to issue regulations in conjunction with the FTC to implement the cyber dashboard requirement.
Finally, the SPY Car Act would amend the FTC Act to require “clear and conspicuous notice” of the collection, transmission, retention, and use of driving data. Consumers must be able to opt out of the collection and retention of driving data (with the exception of data stored in safety systems), and opting out must not interfere with “access to navigation tools or other features or capabilities, to the extent technically possible.” And manufacturers must obtain “affirmative express consent” before using “any information collected by a motor vehicle” for advertising or marketing purposes. Violation of this section would be treated as an unfair or deceptive act or practice in violation of the FTC Act.
If enacted, the SPY Car Act requirements would become effective on various timetables within two to three years of promulgation of final regulations, which must be issued within one to three years of enactment.
The Cyber AIR Act
The Cyber AIR Act would require covered air carriers and manufacturers to disclose to the Federal Aviation Administration (“FAA”) any “attempted or successful cyberattack on any system on board an aircraft,” regardless of whether the system is “critical to the safe and secure operation of the aircraft.” The FAA would then use this information to improve its regulations and notify stakeholders of cybersecurity vulnerabilities in aircraft systems.
It would also require the Secretary of Transportation, in consultation with various government agencies, to issue cybersecurity-related requirements for obtaining air carrier or aircraft production licenses. The regulations must include “reasonable measures to protect against cyberattacks,” including isolating critical systems from non-critical ones, periodic evaluation for security vulnerabilities, and periodic updating of the cybersecurity measures based on those evaluations.
Finally, the Cyber AIR Act requires the Commercial Aviation Communications Safety and Security Leadership Group established last year by the Department of Transportation and the FCC to evaluate and report to Congress on “the cybersecurity vulnerabilities of broadband wireless communications equipment designed for consumer use on board aircraft.” The Group’s responsibilities include ensuring the development of effective methods for preventing “foreseeable cyberattacks” to wireless communications equipment on aircraft and requiring air carriers, manufacturers, and communications service providers to implement “technical and operational security measures” to prevent such attacks.
The Cyber AIR Act’s requirements would become effective within one year of enactment.