U.K. Unveils Connected Vehicle Cybersecurity Guidance

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ali Qassim

Companies that manufacture smart-cars in the U.K. should ensure the safety of any personal data stored and used in their web-connected vehicles, according to new government guidance.

The guidance from the Department for Transport and the Centre for the Protection of National Infrastructure encourages senior executives, suppliers, designers, and engineers to protect connected and autonomous vehicles (CAVs) by following basic principles, including securing transmissions to and from the vehicle.

“Whether we’re turning vehicles into Wi-Fi-connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks,” Transport Minister Lord Martin Callanan said in an Aug. 6 statement.

Auto industry and technology groups welcomed the guidance as a first step in establishing cybersecurity standards for the growing number of connected and autonomous vehicles on U.K. roads. But the guidance is tied to broad cybersecurity principles and doesn’t clearly address emerging uses of information, such as big data analytics

Christopher Escobedo Hart, privacy and cybersecurity counsel for Foley Hoag LLP in Boston, told Bloomberg BNA that the guidelines just tweak cybersecurity best practices and apply them to the smart car sector, suggesting that there is “more thinking to be done.”

More than half of all new cars sold in the U.K.'s 77.4 billion pound ($100.5 billion) auto market feature autonomous safety features, according to the Society of Motor Manufacturers and Traders (SMMT) auto industry group, which predicts that CAVs will add more than 50 billion pounds ($65 billion) to the U.K. economy by 2030.

“As connected and autonomous vehicles become more prevalent on our roads, it is crucial that manufacturers consider security requirements in the vehicle’s design and help to protect our national infrastructure,“ Gerry Keaney, chief executive of the British Vehicle Rental and Leasing Association (BVRA), which represents businesses that buy approximately 80 percent of U.K. manufactured vehicles sold in the U.K., told Bloomberg BNA Aug. 8.

Handling Big Data

John Pryor, chairman of the industry group the Association of Car Fleet Operators, told Bloomberg BNA that more time is needed to see if the guidance goes far enough, particularly to deal with the arrival of big data.

Managers of fleet operators need clarity, he said. “They want to understand how suppliers, such as vehicle manufacturers and contract hire and leasing companies, will access and use ‘big data’; and, critically, they want to know what the law is in respect of managing and using ‘big data’ sourced directly from ‘intelligent’ vehicles.”

Keaney said the government report comes after the auto industry in the U.K. called for cybersecurity support. “We will work closely with decision-makers to explore how the proposed principles are governed and enforced within our sector,” he said.

A spokeswoman for techUK, a tech industry association representing 950 tech companies, told Bloomberg BNA that the principles will keep all parties in the manufacturing and supply chain on the same page, providing them “with a consistent set of guidelines on security for connected cars.”

To contact the reporter on this story: Ali Qassim in Washington at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The guidance is available at http://src.bna.com/rtw.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security