The California DMV is Putting Its Foot Down on Regulation for Top Notch Cybersecurity Laws in Autonomous Cars

By: Thomas Gaffney*| Staff Writer

By Dllu (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons

By Dllu (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons

Imagine yourself on your morning commute to work, but instead of sitting behind the wheel you are comfortably reclined in your bucket seat reading the newspaper and eating waffles for breakfast.  Does this sound too far-fetched?  Maybe not. No one is surprised that autonomous vehicles are currently a super-hot topic in the tech and auto industries.  Every big name in the tech industry (UBER, Google, Apple, Microsoft, Telsa, etc.) is working on its own version of autonomous driving software; and why would they not?  The first company to develop an autonomous car with driving capabilities better than that of a human will get an enormous upper hand in a market that is projected to be worth at least 42 billion dollars by 2025. No one is going to purchase an autonomous car if it is not safe, however, and some of the threats facing these vehicles are not coming from the road but from the internet.

Anything that is connected to the internet is subject to cyber-attacks on their operating systems, and autonomous cars will not be an exception to that rule.  That is why the California Department of Motor Vehicles is requiring automakers to obtain specific certifications for the cybersecurity requirements of self-driving vehicles before deploying them on the road.  These regulations require that the automakers have “[a] certification that the autonomous vehicles have self-diagnostic capabilities that meet current industry best practices for detecting and responding to cyber-attacks, unauthorized intrusions, and false or spurious messages or vehicle control commands.” The reasoning the California DMV gave for adopting the regulations is to “require a certification that the vehicles have self-diagnostic capabilities that meet current industry best practices to detecting and responding to cyber-attacks.”  Although the rules are designed for the highest protection of driver safety on California roads, the regulations have been met with heavy resistance and criticism from the auto and tech industries.

After lobbying to the DMV, the automakers did obtain some victories in having the regulations softened.  The new version of the proposed rule released on March 10 removed the controversial “instant breach notification” requirement in the original rules proposed.  The automotive and tech industries fought this rule vigorously because it required them to “provide written disclosures to vehicle operators of any data collected by the vehicle that is not essential to safe operation.”  Furthermore, the automakers believe these state regulations will impede the future development of the cars and cause significant setbacks.  These regulations have driven companies to conduct testing in other states that are more receptive and lenient to the development of self-driving cars.  One such company, Uber, has moved to jurisdictions like Michigan, Nevada, Arizona, Washington D.C., and Pittsburg, all of which have laws that are significantly less restrictive than the proposed California regulations.

Although companies are moving their testing to other states, California still plays a pivotal role in the development of these cars, and automakers cannot avoid the state forever.  For instance, the state of California is the world’s sixth largest economy, in terms of GDP, and Silicon Valley is the beating heart of the tech industry in terms of engineering and software development capabilities and talent. “Artificial intelligence, vision systems, lidar sensors, memory chips, app creation, communications expertise, investment capital: The development of everything that goes into a driverless car, other than the car itself, is centered in California.”

The California DMV will hold a public hearing on the proposed rules to give the public an opportunity to make comments on the proposed regulation on April 25 in Sacramento, CA.  The National Highway Traffic Safety Administration has encouraged the California DMV to collaborate with other states on regulations for autonomous vehicles, and the Administration has also offered its services to help create regulations to “support the development of vehicle automation in ways that maximize the safety benefits of these emerging technologies and the exciting opportunity they represent to the American public.”  Hopefully these strategies will provide sufficient opportunities for automakers and regulators to find an appropriate middle ground.  For the time being, it seems that automakers will avoid California for the testing of their driver-less cars. However, they cannot avoid the state for long, if they want to sell their cars in California’s enormous market.

Thomas Gaffney is a third year law student at Wake Forest University School of Law. He holds a degree in Political Science and a minor in History from The Pennsylvania State University.  Thomas is also a published freelance equity research author on SeekingAlpha.  Upon graduation, he plans to practice in the areas of banking and finance law, with a specialization in Financial Technology and Banking Regulation.