On April 1, the National Highway Traffic Safety Administration issued an Enforcement Guidance Bulletin that outlines the agency's views on emerging automotive technologies. Critically, the bulletin suggests guiding principles and best practices for vehicle and equipment manufacturers as they develop and implement new technologies and report safety-related defects.
A copy of the Enforcement Guidance Bulletin is available here. Any comments must be submitted on or before Monday, May 2, 2016. NHTSA plans to develop and issue final guidance after receiving and considering comments from the public.
In essence, NHTSA has taken the position that under the National Traffic and Motor Vehicle Safety Act, it has broad enforcement authority to regulate new and advanced automotive technologies, including automation and crash avoidance technologies, software and “after-market software updates.” NHTSA asserts that all manufacturers, whether original equipment manufacturers or aftermarket suppliers, of new and advanced automotive technologies have a responsibility to ensure that their products are free of safety-related defects.
Regulated technologies include not just automation and crash avoidance technologies, but software and “after-market software updates.” This includes software “installed in or on a motor vehicle,” and could apply to software located outside of the vehicle that permits portable devices to connect to and control vehicle functionality and safety systems, i.e., mobile applications that connect to your car. We expect that the focus on aftermarket suppliers of new and emerging automotive software and technology, among others, signals an agency intent regarding increased regulatory scrutiny in that market segment.
In the Enforcement Guidance Bulletin, NHTSA proposes a set of broad guidelines and best practices for manufacturers to follow to “proactively identify and resolve” safety concerns before selling advanced technologies to the public. The proposed guidance also indicates that NHTSA will look to whether cybersecurity vulnerabilities of advanced technologies pose an unreasonable safety risk.
To make this determination, the Agency will consider a number of factors, such as the “amount of time elapsed since the vulnerability was discovered” and the expertise and equipment needed to “exploit” the vulnerability. NHTSA cautioned that “even before evidence of a [malicious cybersecurity] attack, it is foreseeable that hackers will try to exploit cybersecurity vulnerabilities. For instance, if a cybersecurity vulnerability in any of a motor vehicle’s entry points (e.g., Wi-Fi, infotainment systems, the OBD–II port) allows remote access to a motor vehicle’s critical safety systems . . . NHTSA may consider such a vulnerability to be a safety-related defect compelling a recall.”
Manufacturers that fail to identify safety defects, notify NHTSA of them, and rectify them are subject to regulatory enforcement, including but not limited to civil fines.
Although the Enforcement Guidance Bulletin does not have the full force and effect of law, we anticipate that NHTSA’s proposed guidance will have far-reaching implications for OEMs and aftermarket suppliers alike, both of whom should take care to ensure that they have established processes in place to identify and weed out safety-related defects before selling these technologies to the public.
Comments are due on May 2, 2016.