General Publications October 29, 2014

“Automakers Should Not Be Held Strictly Liable for V2V Hacks,” Law360, October 29, 2014.

Extracted from Law360

In an effort to increase safety, the National Highway Traffic Safety Administration is proposing a rule that will require new cars to have vehicle-to-vehicle (“V2V”) communication systems that warn about collisions.[1] Because the V2V system will wirelessly link all cars, it presents unique security and liability concerns. Hackers may be able to use V2V to remotely control vehicles. This is different from the attacks that have been litigated to date, such as hackers stealing credit card information from large retail stores. Hacking into networked cars can injure people and destroy property. Thus, auto manufacturers could be the first defendants to be held strictly liable for such criminal attacks, under a theory that “defects” in the car allowed the hacker to gain access. This would not be an appropriate application of strict liability, because it would require manufacturers to do the impossible: create a complex system of wirelessly networked computers that cannot be hacked. As NHTSA correctly suggests, federal preemption of strict liability would be appropriate in such instances.

V2V Presents Unique Security Concerns

V2V technology uses a short-range wireless network to allow cars to “talk” to each other in order to avoid collisions. Each car would broadcast information regarding its speed, heading and brake status to other cars in the area, and would constantly receive similar safety data from nearby vehicles. This would allow cars to “see around corners” and determine whether they are on a collision course. For example, consider two cars approaching an intersection where a parked truck obstructs their view — each car would provide a warning of the other’s position and direction, even though the drivers cannot see each other. V2V would also help to provide other types of warnings, such as a driver four cars in front of you suddenly hitting the brakes. Instead of a chain reaction collision, each car in the chain would be warned about the danger in front of it. According to NHTSA’s analysis, V2V technology could prevent hundreds of thousands of accidents each year.[2]

Unfortunately, V2V communication systems create unique concerns regarding hacking. Even without being networked together, cars are already vulnerable to hacking. The computer systems and software in most cars were not designed to be connected to a network — they were developed in the 1990s when cars only communicated with themselves.[3] But now cars are starting to connect to networks that provide GPS information, phone service and satellite entertainment. These wireless connections provide potential points of entry for hackers, a problem that security experts predict will become even worse once every car on the road is networked together using V2V.[4] For example, researchers have been able to hack into the cellphones that are built into modern vehicles, and take control of the brakes.[5]

Networking all cars together opens additional points of entry for malware and remote control. As such, NHTSA is studying how the V2V communications system, its infrastructure, and the cars themselves could become possible targets for hackers.[6] Even if the V2V network is not the point of attack, it could still possibly serve as a way for hackers to transmit bad code and instructions. One infected car sitting in rush hour traffic could instantly go viral — using V2V to infect the cars around it, which in turn pass the virus on to the cars around them. This creates a prime target for intentional disruption and terrorism. Hacked cars could be used as weapons — accelerating to 90 miles per hour while the brakes and air bags are disabled, and the steering is remotely controlled. In the ensuing litigation, the auto manufacturers who were required to install V2V in their cars will be targeted for designing vehicles that were not secure enough.

V2V’s Unique Security Concerns Present Unique Liability Issues

To date, litigation regarding hacking has mainly involved data breaches in information systems, rather than remote control over products that cause physical injury. When a store or videogame system was hacked, the economic loss rule was often used to preclude liability.[7] Hacking into a car through its V2V system presents different considerations. Cars are products, and when they cause injury manufacturers face strict liability and negligence; the economic loss rule does not apply.[8]

NHTSA is aware of the unique liability considerations that attach to networked cars, which it identified as an “unprecedented challenge to risk management.”[9] In its recent technical report, NHTSA concluded that manufacturers’ liability would be limited by difficulties in proving causation. Because V2V technology only provides warnings (rather than control of the vehicle), NHTSA reasoned that plaintiffs would have a difficult time showing that the accident would have been avoided if the V2V system had provided a warning.[10]

There is a tension between this analysis and the very reason for NHTSA’s V2V program. NHTSA estimates that V2V technology will prevent hundreds of thousands of accidents each year. The statistical analysis that supports NHTSA’s estimate could be used by plaintiffs to argue that V2V’s absence causes accidents.

Further, NHTSA’s conclusions regarding causation presume that an attack on V2V would only affect a car’s warning systems, rather than control functions such as the steering and brakes. However, it might be possible for hackers to move from a car’s warning system to its controls — the computer systems in some cars are linked together, as well as to the car’s communications hub.[11] For example, consider the recently discovered “Bash Bug.” A weakness in a program that translates commands between interconnected devices allowed hackers to use any device in an Internet-connected “smart” home as a point of entry for malware that quickly spread to all other devices.[12] Thus, hacking into a “smart” lightbulb could provide access to everything behind that network’s firewall. The affected operating system (Linux) is used in some cars.

Finally, NHTSA’s predictions regarding causation would only apply for a limited period. As we move toward autonomous vehicles, more and more safety critical functions will be controlled by a car’s computers. V2V warnings will be more directly integrated into those functions, so that a warning about a car cutting into your lane would be accompanied by the autonomous vehicle steering or braking to avoid a collision. Put another way, in an autonomous vehicle an attack on V2V could have a direct impact on vehicle control, because those systems would be linked together.

In these scenarios, strict liability is not an appropriate fit.

Manufacturers Should Not Be Held Strictly Liable If V2V Systems Are Hacked

Strict liability was never meant to be absolute liability — manufacturers are not insurers of the safety of their products.[13] However, the boundaries between strict and absolute liability can become blurred when criminal activity is involved. In certain circumstances, courts have held auto manufacturers strictly liable for the criminal acts of third parties.[14] For example, when a rock thrown from a freeway overpass penetrated a truck’s windshield and injured the driver, strict liability applied because that kind of hazard was foreseeable. Windshields must be designed to stop rocks whether they are intentionally thrown by a criminal, or accidentally kicked up by another vehicle’s tires.[15]

By analogy, one could argue that strict liability should attach for the criminal hacking of a car’s V2V system. That type of hazard (hacking) is foreseeable, because NHTSA was studying it before V2V was ever implemented. However, the analogy does not hold. There is a difference between a rock being thrown through a windshield and a hacker using a V2V system to remotely control a vehicle. Rocks are a type of naturally occurring road debris; that type of hazard can occur without criminal action. There is no “naturally occurring” form of hacking. By definition, it is an intentional act by a person.

Further, the cases that impose strict liability on manufacturers for the criminal acts of third parties do not require those manufacturers to do the impossible. For example, trucks do not have to be designed like tanks — using armored plates to make it impossible for any rock to penetrate the windshield.[16] However, holding auto manufacturers liable for hacking would require the impossible, because hacking cannot be avoided.[17] The connectivity required for V2V to work creates vulnerability. Therefore, strict liability would become the sort of absolute liability that it was never intended to be.

That said, one can easily see how different courts could come to different conclusions on this topic. These inconsistent results could create target states for class or mass actions, as lawyers choose the jurisdictions that are willing to apply strict liability. Thus, NHTSA correctly recognizes that Congress may need to preempt some aspects of liability for V2V systems.[18] In so doing, Congress should not only preempt strict liability for hacking of V2V systems, but it should also authorize NHTSA to set a single, definitive standard of care for negligence actions. Absent such guidance, even negligence could become a form of absolute liability where hacking is involved. It will always be possible for an expert to come in after an attack has occurred and point out that a specific vulnerability should not have existed (i.e., that it would cost “practically nothing” to have written the code differently). This means it will always be possible to hold an automaker liable for an attack; they would still be the “insurers of product safety” that the law never meant them to be.

On the other hand, NHTSA is uniquely qualified to set the bar for security in the V2V systems that it is mandating. NHTSA has already been studying the issue for a decade, and will continue to do so. NHTSA’s analysis will be informed by the manufacturers’ research, but the agency will come to its own conclusions about the standard of care it will demand from that industry. In this way, there is balance — the manufacturers have a clear technical standard to follow, and the public has legal recourse if V2V systems do not meet that standard.

Conclusion

Strict liability was initially used to spur the auto industry to develop safer vehicles. And it worked. But that incentive is not necessary in the case of hacking V2V systems. Even though there have not been any reported incidents of hackers causing accidents to date, manufacturers are proactively working on security issues. For example, the Association of Global Automakers and the Alliance of Automobile Manufacturers are developing programs to collect and share information regarding cybersecurity vulnerabilities in cars and their communications networks. However, complying with industry standards is not a defense to an action sounding in strict liability. Thus, lawmakers should follow NHTSA’s lead and proactively address the unique liability issues presented by hacking V2V systems.


[1] Federal Motor Vehicle Safety Standards: Vehicle-to-Vehicle Communications, 79 Fed. Reg. 49270 (to be codified at 49 CFR pt. 571) (proposed August 20, 2014) (“ANPRM”); see also Nat’l Highway Traffic Safety Admin., Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application (2014) (Report No. DOT HS 812 014) (“V2V Report”).

[2] V2V Report, at 259.

[3] Your Car Is A Giant Computer – And It Can Be Hacked, CNN.COM, June 1, 2014, http://money.cnn.com/2014/06/01/technology/security/car-hack/index.html?iid=EL

[4] Talking Cars: The Next Hacking Target, CNN.COM, June 10, 2014, http://money.cnn.com/2014/06/10/technology/security/talking-cars-hacking/

[5] Fed. Trade Comm’n Workshop, Internet of Things: Privacy & Security in a Connected World (Nov. 19, 2013), remarks of Professor Tadayoshi Kohno, Transcript at 245-247.

[6] See ANPRM, supra, at 49273 (asking for comment regarding the new threat vectors created by V2V that would allow hackers to control or manipulate a vehicle’s response).

[7] See, e.g., In re Sony Gaming Networks and Customer Data Security Breach Litigation, 903 F.Supp.2d 942, 960-62 (S.D. Cal. 2012) (using the economic loss rule to preclude tort liability for the hacking of a videogame system, because no injuries to person or property resulted); In re Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, 834 F.Supp.2d 566, 584-91 (S.D. Tex. 2011) (same regarding the hacking of payment card systems).

[8] See Greenman v. Yuba Power Products, Inc. (1963) 59 Cal.2d 57, 62-63; see also In re Sony, supra, at 903 F.Supp.2d 961 (instructing that the economic loss rule does not apply where personal injury or property damage occurs).

[9] V2V Report, supra, at 209.

[10] Id., at 212-213.

[11] Your Car Is A Giant Computer – And It Can Be Hacked, supra; see also Miller and Valasek, A Survey of Remote Automotive Attack Surfaces (August 2014).

[12] “Bash” Bug Could Let Hackers Attack Through A Light Bulb, CNN.COM, September 24, 2014, http://money.cnn.com/2014/09/24/technology/security/bash-bug/

[13] Anderson v. Owens-Corning Fiberglas Corp. (1991) 53 Cal.3d 987, 994.

[14] Collins v. Navistar, Inc. (2013) 214 Cal.App.4th 1486.

[15] Id., at 1504.

[16] Id., at 1504.

[17] In re Heartland, supra, at 834 F.Supp.2d 593 (observing that in today’s known world of sophisticated hackers, data theft, software glitches, and computer viruses, there is no such thing as absolute data security).

[18] V2V Report, supra, at 211.
