15 Jul 2019

Avoiding Autonomous Vehicle Cybersecurity Liability

Michael Greco of Fisher Phillips shares his tips for avoiding liability for cyber breaches involving autonomous vehicles.

By Tom Dent-Spargo



By Michael Greco, Fisher Phillips.



We live in a unique time where the technology being created right now will completely change life as we know it. This is especially true of autonomous vehicles (AVs). Auto manufacturers are already focused on electrification and connectivity, while the development of artificial intelligence has created new pathways. In addition, as society has become increasingly urbanised, people have become dependent on on-demand, sharable products. With all of this – plus the environmental, safety and economic benefits – it’s simply a question of when, not if, AVs will regularly populate our streets.

Despite the abundant benefits, AVs are not without risk. If AVs are to reach their full potential, interconnectivity is key. The AVs need to communicate with each other, with the surrounding infrastructure, and with a host of platforms. Because this interconnectivity is not possible without software, AVs could include millions of lines of code. This means cybersecurity needs to be a top concern for companies selling and utilising AVs. While many articles address the plentiful risks and how to thwart them, this is not one of them. 

Instead, this article outlines how companies in the AV industry can best position themselves to avoid liability when a cyberbreach does occur. Because the reality is that no matter how many precautions you take to prevent a breach, the threat cannot be completely eliminated. Even if every reasonable step is taken, malicious hacking or user negligence remains a threat. And even if you have all possible safeguards in place, a breach will inescapably happen, and lawyers will be willing to represent potential victims of that cyberbreach. It’s also a safe bet that the same lawyer will be willing to sue anyone and everyone slightly connected to the security breach. And for AVs, the liability stretches to AV owners, original equipment manufacturers (OEMs) and software manufacturers. 

With this in mind, here are eight tips to avoid AV cyberbreach liability: 

1. Identify susceptible information 

What information is vulnerable if something goes wrong with respect to your product? Is it information shared with AVs through a user’s smartphone? Is it metropolitan traffic pattern information? Is it information through which a hacker can take control of a vehicle? Identifying the information at risk is a necessary precursor to the steps outlined below.

2. Prepare your response plan

The worst time to be figuring out your response to a breach is after one has already occurred. Think through all of the possibilities in advance. Create and identify members of a breach response team. Outline who is going to do what, when and how. Retaining outside attorneys to help design and implement these plans can help preserve attorney-client privilege. Don’t forget requirements imposed by breach notification statutes. These laws, which exist in almost every state, frequently impose stringent consumer notification requirements. 

3. Identify applicable statutes and regulations

Compared to most other industries, the AV industry is still relatively unregulated. The regulatory focus to date has largely been on testing AVs and providing broad guidelines for their development. Because AVs embrace emerging technologies, the related legal landscape undoubtedly will shift. Yet, when it comes to data privacy and cybersecurity, there are existing domestic and international statutes, regulations and legal principles that industry players should take into consideration. For example, companies should consider the “privacy by design” approach endorsed by the Federal Trade Commission. Under that approach, companies are encouraged to build security into their devices early in the development stage, rather than as an afterthought. To this end, manufacturers and designers should consider conducting a privacy or security risk assessment, minimising the data they collect and retain, and testing their security measures before launching their products. 

4. Communicate across supply chain

Extremely few companies, if any, are situated to design and manufacture AVs from start to finish. Development of AVs will require contributions from software manufacturers, OEMs and vehicle manufacturers. Communication between suppliers, contractors and others is essential to understand and agree upon intended usage, integration and requirements. Specifying rights and obligations in writing is key. 

5. Utilise outside counsel

The aftermath of a data breach is no time to go it alone. AVs will accumulate extensive consumer data. The number of contributors across the supply chain continuum makes it all the more likely that it will be difficult to determine who is required to do what in the event of a breach. Does the obligation to notify consumers fall on the vehicle manufacturer, the OEMs, the software manufacturer, municipalities that provided malfunctioning infrastructure, or all of them? Given the rollout of such vehicles in interstate commerce and the diverse geographic consumer footprint, which state laws apply? What must be done in the event of a breach, and when? Waiting for litigation to retain outside counsel is a poor decision. Outside counsel can help you identify steps that are not only suitable under the circumstances but that will aid in avoiding or minimising liability should litigation ensue.

6. Don’t waste time

When a breach occurs, it is hard to figure out what happened and how it happened. It can be tempting to try to “get all the answers” before taking action, but delays can sometimes run afoul of time requirements under breach notification statutes. 

7. Train your employees

Preparing policies, drafting appropriate contracts and understanding your obligations are only helpful if your employees understand why you are taking these steps and for what purpose. Thoroughly explain your policies to your employees and periodically train them. Assess your employees’ understanding and work to improve their performance. 

8. Consider cyber liability insurance

These policies can cover damage to tangible property, but they likely will not provide protection for the significant legal costs that can arise in the event of a cyberbreach. Checking with your insurance broker to understand the extent of protection in place is a wise move.


With the advancement of technology, the world is changing in valuable and unexpected ways. But these developments also bring risks, including cybersecurity concerns. Mistakes will be made, and you will have to learn how to improve as you go. Courtroom decisions and yet-to-be-enacted laws and regulations will be responsible for identifying who is legally at risk during these incidents. 

As with any legal dispute, those who have responsibly and prudently prepared will fare better. Taking a little bit of time now to organise a plan could greatly help your chances of not being legally liable when – not if – a breach occurs.

