
S. 680 (115th): SPY Car Act of 2017

The text of the bill below is as of Mar 21, 2017 (Introduced).


II

115th CONGRESS

1st Session

S. 680

IN THE SENATE OF THE UNITED STATES

March 21, 2017

(for himself and Mr. Blumenthal) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

A BILL

To protect consumers from security and privacy threats to their motor vehicles, and for other purposes.

1.

Short title

This Act may be cited as the "Security and Privacy in Your Car Act of 2017" or the "SPY Car Act of 2017".

2.

Cybersecurity standards for motor vehicles

(a)

In general

Chapter 301 of title 49, United States Code, is amended—

(1)

in section 30102(a)—

(A)

by redesignating paragraphs (5) through (13) as paragraphs (11) through (19), respectively;

(B)

by redesignating paragraphs (2) through (4) as paragraphs (5) through (7), respectively;

(C)

by redesignating paragraph (1) as paragraph (3);

(D)

by inserting before paragraph (3), as redesignated, the following:

(1)

Administrator means the Administrator of the National Highway Traffic Safety Administration;

(2)

Commission means the Federal Trade Commission;

;

(E)

by inserting after paragraph (3), as redesignated, the following:

(4)

critical software systems means software systems that can affect the driver’s control of the vehicle movement;

; and

(F)

by inserting after paragraph (7), as redesignated, the following:

(8)

driving data includes any electronic information collected about—

(A)

a vehicle’s status, including, but not limited to, its location or speed; and

(B)

any owner, lessee, driver, or passenger of a vehicle;

(9)

entry points includes means by which—

(A)

driving data may be accessed, directly or indirectly; or

(B)

control signals may be sent or received either wirelessly or through wired connections;

(10)

hacking means the unauthorized access to electronic controls or driving data, either wirelessly or through wired connections;

; and

(2)

by inserting after section 30128 the following:

30129.

Cybersecurity standards

(a)

Cybersecurity standards

(1)

Requirement

All motor vehicles manufactured for sale in the United States on or after the date that is two years after the date on which final regulations are prescribed pursuant to section 2(b)(2) of the SPY Car Act of 2017 shall comply with the cybersecurity standards set forth in paragraphs (2) through (4).

(2)

Protection against hacking

(A)

In general

All entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks.

(B)

Isolation measures

The measures referred to in subparagraph (A) shall incorporate isolation measures to separate critical software systems from noncritical software systems.

(C)

Evaluation

The measures referred to in subparagraphs (A) and (B) shall be evaluated for security vulnerabilities following best security practices, including appropriate applications of techniques such as penetration testing.

(D)

Adjustment

The measures referred to in subparagraphs (A) and (B) shall be adjusted and updated based on the results of the evaluation described in subparagraph (C).

(3)

Security of collected information

All driving data collected by the electronic systems that are built into motor vehicles shall be reasonably secured to prevent unauthorized access—

(A)

while such data are stored onboard the vehicle;

(B)

while such data are in transit from the vehicle to another location; and

(C)

in any subsequent offboard storage or use.

(4)

Detection, reporting, and responding to hacking

Any motor vehicle that presents an entry point shall be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.

(b)

Penalties

A person that violates this section is liable to the United States Government for a civil penalty of not more than $5,000 for each violation in accordance with section 30165.

.

(b)

Rulemaking

(1)

In general

Not later than 18 months after the date of the enactment of this Act, the Administrator of the National Highway Traffic Safety Administration, after consultation with the Federal Trade Commission, shall issue a Notice of Proposed Rulemaking to carry out section 30129 of title 49, United States Code, as added by subsection (a).

(2)

Final regulations

Not later than three years after the date of the enactment of this Act, the Administrator, after consultation with the Commission, shall issue final regulations to carry out section 30129 of title 49, United States Code, as added by subsection (a).

(3)

Updates

Not later than three years after final regulations are issued pursuant to paragraph (2) and not less frequently than once every three years thereafter, the Administrator, after consultation with the Commission, shall—

(A)

review the regulations issued pursuant to paragraph (2); and

(B)

update such regulations, as necessary.

(c)

Clerical amendment

The table of sections for chapter 301 of title 49, United States Code, is amended by striking the item relating to section 30128 and inserting the following:

30128. Vehicle rollover prevention and crash mitigation.

30129. Cybersecurity standards.

.

(d)

Conforming amendment

Section 30165(a)(1) of title 49, United States Code, is amended by inserting "30129," after "30127,".

3.

Cyber dashboard

(a)

In general

Section 32302 of title 49, United States Code, is amended by adding at the end the following:

(e)

Cyber dashboard

(1)

In general

All motor vehicles manufactured for sale in the United States on or after the date that is 2 years after the date on which final regulations are prescribed pursuant to section 3(b)(2) of the SPY Car Act of 2017 shall display a cyber dashboard, as a component of the label required to be affixed to each motor vehicle under section 32908(b).

(2)

Features

The cyber dashboard required under paragraph (1) shall inform consumers, through an easy-to-understand, standardized graphic, about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers, and passengers beyond the minimum requirements set forth in section 30129 of this title and in section 27 of the Federal Trade Commission Act.

.

(b)

Rulemaking

(1)

In general

Not later than 18 months after the date of the enactment of this Act, the Administrator, after consultation with the Commission, shall prescribe regulations for the cybersecurity and privacy information required to be displayed under section 32302(c) of title 49, United States Code, as added by subsection (a).

(2)

Final regulations

Not later than 3 years after the date of the enactment of this Act, the Administrator, after consultation with the Commission, shall issue final regulations to carry out section 32302 of title 49, United States Code, as added by subsection (a).

(3)

Updates

Not less frequently than once every 3 years, the Administrator, after consultation with the Commission, shall—

(A)

review the regulations issued pursuant to paragraph (2); and

(B)

update such regulations, as necessary.

4.

Privacy standards for motor vehicles

(a)

In general

The Federal Trade Commission Act (15 U.S.C. 41 et seq.) is amended by inserting after section 26 (15 U.S.C. 57c–2) the following:

27.

Privacy standards for motor vehicles

(a)

In general

All motor vehicles manufactured for sale in the United States on or after the date that is two years after the date on which final regulations are prescribed pursuant to subsection (e) shall comply with the requirements under subsections (b) through (d).

(b)

Transparency

Each motor vehicle shall provide clear and conspicuous notice, in clear and plain language, to the owners or lessees of such vehicle of the collection, transmission, retention, and use of driving data collected from such motor vehicle.

(c)

Consumer control

(1)

In general

Subject to paragraphs (2) and (3), owners or lessees of motor vehicles shall be given the option of terminating the collection and retention of driving data.

(2)

Access to navigation tools

If a motor vehicle owner or lessee decides to terminate the collection and retention of driving data under paragraph (1), the owner or lessee shall not lose access to navigation tools or other features or capabilities, to the extent technically possible.

(3)

Exception

Paragraph (1) shall not apply to driving data stored as part of the electronic data recorder system or other safety systems on-board the motor vehicle that are required for post-incident investigations, emissions history checks, crash avoidance or mitigation, or other regulatory compliance programs.

(d)

Limitation on use of personal driving information

(1)

In general

A manufacturer (including an original equipment manufacturer) may not use any information collected by a motor vehicle for advertising or marketing purposes without affirmative express consent by the owner or lessee.

(2)

Requests

Consent requests under paragraph (1)—

(A)

shall be clear and conspicuous;

(B)

shall be made in clear and plain language; and

(C)

may not be a condition for the use of any nonmarketing feature, capability, or functionality of the motor vehicle.

(e)

Enforcement

A violation of this section shall be treated as an unfair or deceptive act or practice in violation of a rule prescribed under section 18(a)(1)(B).

.

(b)

Rulemaking

(1)

In general

Not later than 18 months after the date of the enactment of this Act, the Federal Trade Commission, after consultation with the Administrator of the National Highway Traffic Safety Administration, shall prescribe regulations, in accordance with section 553 of title 5, United States Code, to carry out section 27 of the Federal Trade Commission Act, as added by subsection (a).

(2)

Final regulations

Not later than three years after the date of the enactment of this Act, the Commission, after consultation with the Administrator, shall issue final regulations, in accordance with section 553 of title 5, United States Code, to carry out section 27 of the Federal Trade Commission Act, as added by subsection (a).

(3)

Updates

Not less frequently than once every three years, the Commission, after consultation with the Administrator, shall—

(A)

review the regulations prescribed pursuant to paragraph (2); and

(B)

update such regulations, as necessary.