
S. 2182: SPY Car Act of 2019


The text of the bill below is as of Jul 18, 2019 (Introduced).


II

116th CONGRESS

1st Session

S. 2182

IN THE SENATE OF THE UNITED STATES

July 18, 2019

(for himself and Mr. Blumenthal) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

A BILL

To protect consumers from security and privacy threats to their motor vehicles, and for other purposes.

1. Short title

This Act may be cited as the Security and Privacy in Your Car Act of 2019 or the SPY Car Act of 2019.

2. Cybersecurity standards for motor vehicles

(a) In general

Chapter 301 of title 49, United States Code, is amended by inserting after section 30128 the following:

30129. Cybersecurity standards

(a) Definitions

In this section:

(1) Critical software systems

The term critical software systems means software systems that can affect—

(A) the control by the driver of the vehicle movement; or

(B) the safety features of the vehicle.

(2) Driving data

The term driving data includes any electronic information collected about—

(A) the status of a vehicle, including the location and speed of the vehicle; and

(B) any owner, lessee, driver, or passenger of a vehicle.

(3) Entry point

The term entry point includes a means by which—

(A) driving data may be accessed, directly or indirectly; or

(B) a control signal may be sent or received either wirelessly or through wired connections.

(4) Hacking

The term hacking means the unauthorized access to electronic controls, critical software systems, or driving data, either wirelessly or through wired connections.

(b) Cybersecurity standards

(1) Requirement

All motor vehicles manufactured for sale in the United States on or after the date that is 2 years after the date on which regulations are promulgated pursuant to section 2(c)(2) of the SPY Car Act of 2019 shall comply with the cybersecurity standards under paragraphs (2) through (4).

(2) Protection against hacking

(A) In general

All entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks.

(B) Isolation measures

The measures referred to in subparagraph (A) shall incorporate isolation measures to separate critical software systems from noncritical software systems.

(C) Evaluation

The measures referred to in subparagraph (A) shall be evaluated for security vulnerabilities following best security practices, including appropriate applications of techniques such as penetration testing.

(D) Adjustment

The measures referred to in subparagraph (A) shall be adjusted and updated based on the results of the evaluation under subparagraph (C).

(3) Security of collected information

All driving data collected by the electronic systems that are built into motor vehicles shall be reasonably secured to prevent unauthorized access—

(A) while the data is stored onboard the vehicle;

(B) while the data is in transit from the vehicle to another location; and

(C) in any subsequent offboard storage or use of the data.

(4) Detection, reporting, and responding to hacking

Any motor vehicle manufactured for sale in the United States that presents an entry point shall be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.

.

(b) Civil penalties

Section 30165(a)(1) of title 49, United States Code, is amended by inserting "30129," after "30127,".

(c) Rulemaking

(1) In general

Not later than 18 months after the date of enactment of this Act, the Administrator of the National Highway Traffic Safety Administration (referred to in this subsection as the Administrator), after consultation with the Federal Trade Commission, shall issue a notice of proposed rulemaking to carry out section 30129 of title 49, United States Code.

(2) Final regulations

Not later than 3 years after the date of enactment of this Act, the Administrator, after consultation with the Federal Trade Commission, shall promulgate final regulations to carry out section 30129 of title 49, United States Code.

(3) Updates

Not later than 3 years after final regulations are promulgated pursuant to paragraph (2) and not less frequently than once every 3 years thereafter, the Administrator, after consultation with the Federal Trade Commission, shall—

(A) review the final regulations promulgated pursuant to paragraph (2); and

(B) update the final regulations, as necessary.

(d) Clerical amendment

The table of sections for chapter 301 of title 49, United States Code, is amended by inserting after the item relating to section 30128 the following:

30129. Cybersecurity standards.

.

3. Cyber dashboard

(a) In general

Section 32302 of title 49, United States Code, is amended by adding at the end the following:

(e) Cyber dashboard

(1) In general

All motor vehicles manufactured for sale in the United States on or after the date that is 2 years after the date on which final regulations are promulgated pursuant to section 3(b)(2) of the SPY Car Act of 2019 shall display a cyber dashboard as a component of the label required to be affixed to each motor vehicle under section 3 of the Automobile Information Disclosure Act (15 U.S.C. 1232).

(2) Features

The cyber dashboard required under paragraph (1) shall inform consumers, through an easy to understand, standardized graphic, about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers, and passengers beyond the minimum requirements under section 30129 of this title and in section 27 of the Federal Trade Commission Act.

.

(b) Rulemaking

(1) In general

Not later than 18 months after the date of enactment of this Act, the Administrator of the National Highway Traffic Safety Administration (referred to in this subsection as the Administrator), after consultation with the Federal Trade Commission, shall issue a notice of proposed rulemaking for the cybersecurity and privacy information required to be displayed under section 32302(e) of title 49, United States Code.

(2) Final regulations

Not later than 3 years after the date of enactment of this Act, the Administrator, after consultation with the Federal Trade Commission, shall promulgate final regulations to carry out section 32302(e) of title 49, United States Code.

(3) Updates

Not less frequently than once every 3 years, the Administrator, after consultation with the Federal Trade Commission, shall—

(A) review the final regulations promulgated pursuant to paragraph (2); and

(B) update the final regulations, as necessary.

4. Privacy standards for motor vehicles

(a) In general

The Federal Trade Commission Act (15 U.S.C. 41 et seq.) is amended by inserting after section 26 (15 U.S.C. 57c–2) the following:

27. Privacy standards for motor vehicles

(a) Definitions

In this section:

(1) Covered motor vehicle

The term covered motor vehicle means a motor vehicle that—

(A) is manufactured for sale in the United States on or after the date that is 2 years after the date on which final regulations are promulgated under section 4(b) of the SPY Car Act of 2019; and

(B) collects driving data.

(2) Driving data

The term driving data has the meaning given the term in section 30129(a) of title 49, United States Code.

(b) Requirement

Each covered motor vehicle shall comply with the requirements described in subsections (c) through (e).

(c) Transparency

Each manufacturer of a covered motor vehicle shall provide to each owner and lessee of the covered motor vehicle a clear and conspicuous notice, in clear and plain language, of any collection, transmission, retention, or use of driving data collected from the covered motor vehicle.

(d) Consumer control

(1) In general

Subject to paragraphs (2) and (3), an owner or lessee of a covered motor vehicle may opt out of the collection and retention of driving data by the covered motor vehicle.

(2) Access to navigation tools

If an owner or lessee of a covered motor vehicle opts out of the collection and retention of driving data under paragraph (1), the owner or lessee shall not, to the extent technically possible, lose access to any navigation tool or other feature or capability.

(3) Exception

Paragraph (1) shall not apply to driving data stored as part of the electronic data recorder system or other safety systems on board the motor vehicle that are required for post-incident investigations, emissions history checks, crash avoidance or mitigation, or other regulatory compliance programs.

(e) Limitation on use of personal driving information

(1) In general

No manufacturer, including an original equipment manufacturer, may use any information collected by a covered motor vehicle for the purpose of advertising or marketing without the affirmative, express consent of the owner or lessee of the covered motor vehicle.

(2) Requests

Any request for the consent under paragraph (1) by a manufacturer—

(A) shall be clear and conspicuous;

(B) shall be made in clear and plain language; and

(C) may not be a condition for the use of any nonmarketing feature, capability, or functionality of the covered motor vehicle.

(f) Enforcement

A violation of this section shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B).

.

(b) Rulemaking

(1) In general

Not later than 18 months after the date of enactment of this Act, the Federal Trade Commission, after consultation with the Administrator of the National Highway Traffic Safety Administration (referred to in this subsection as the Administrator), shall issue a notice of proposed rulemaking, in accordance with section 553 of title 5, United States Code, to carry out section 27 of the Federal Trade Commission Act.

(2) Final regulations

Not later than 3 years after the date of enactment of this Act, the Federal Trade Commission, after consultation with the Administrator, shall promulgate final regulations, in accordance with section 553 of title 5, United States Code, to carry out section 27 of the Federal Trade Commission Act.

(3) Updates

Not less frequently than once every 3 years, the Federal Trade Commission, after consultation with the Administrator, shall—

(A) review the final regulations promulgated under paragraph (2); and

(B) update the final regulations as necessary.

5. Cybersecurity tools and cyber coordinator

(a) Definitions

In this section:

(1) Administrator

The term Administrator means the Administrator of the Federal Highway Administration.

(2) Cyber incident

The term cyber incident has the meaning given the term significant cyber incident in Presidential Policy Directive–41 (July 26, 2016, relating to cyber incident coordination).

(3) Transportation authority

The term transportation authority means—

(A) a public authority (as defined in section 101(a) of title 23, United States Code);

(B) an owner or operator of a highway (as defined in section 101(a) of title 23, United States Code);

(C) a manufacturer that manufactures a product related to transportation; and

(D) a division office of the Federal Highway Administration.

(b) Cybersecurity tool

(1) In general

Not later than 2 years after the date of enactment of this Act, the Administrator shall develop a tool to assist transportation authorities in identifying, detecting, protecting against, responding to, and recovering from cyber incidents.

(2) Requirements

In developing the tool under paragraph (1), the Administrator shall—

(A) use the cybersecurity framework established by the National Institute of Standards and Technology and required by Executive Order 13636 of February 12, 2013 (78 Fed. Reg. 11739; relating to improving critical infrastructure cybersecurity);

(B) establish a structured cybersecurity assessment and development program;

(C) consult with appropriate transportation authorities, operating agencies, industry stakeholders, and cybersecurity experts; and

(D) provide for a period of public comment and review on the tool.

(c) Designation of cyber coordinator

(1) In general

Not later than 2 years after the date of enactment of this Act, the Administrator shall designate an office as a cyber coordinator, which shall be responsible for monitoring, alerting, and advising transportation authorities of cyber incidents.

(2) Requirements

The office designated under paragraph (1) shall—

(A) provide to transportation authorities a secure method of notifying a single Federal entity of cyber incidents;

(B) monitor cyber incidents that affect transportation authorities;

(C) alert transportation authorities to cyber incidents that affect those transportation authorities;

(D) investigate unaddressed cyber incidents that affect transportation authorities; and

(E) provide to transportation authorities educational resources, outreach, and awareness on fundamental principles and best practices in cybersecurity for transportation systems.