Navigating Connected Cars in 2017: Data Protection

19 December 2016 Manufacturing Industry Advisor Blog
Authors: Chanley T. Howell, Pavan K. Agarwal

It’s a fact: today’s marketplace has given connected cars the green light. As an OEM or supplier accelerating to create products to meet industry demand, what challenges can you anticipate in 2017? Here is the second installment (following up our post on IP Protection) describing where we believe your attention should be focused during the upcoming year…

Data Protection

As previously reported, the manufacturing industry is now one of the most hacked industries. It has been said that the modern-day car is a computer on wheels. That is not quite right. The modern-day car is a network of several computers on wheels. Cars today can have 50 or more electrical control units (ECUs) – each of which is analogous to a separate computer – networked together. There will be an estimated 250 million connected cars on roads around the world by 2020. These cars will have 200 or more sensors collecting information about us, our cars and our driving habits.

With significant advances in smartphone car connectivity and onboard infotainment systems, our cars are collecting more and more information about our daily lives and personal interactions. As a result, the privacy and security of connected cars have evolved and quickly risen over the last year to become a top priority for carmakers and suppliers. Here are our top 4 tips for addressing these privacy and security issues and concerns in 2017:

  1. Practice “security by design.” This is a concept recently espoused by federal regulators, namely, the National Highway Traffic Safety Administration and the Federal Trade Commission, as well as industry self-regulatory organizations. With security by design, a company addresses data security controls “day 1” while products, components and devices are still on the drawing board. Data security practices evolve over time, and the days of building it first and then layering security on top are now over. Risk assessments addressing potential threats and attack targets should be dealt with during the design process. Security design reviews and product testing should be conducted throughout the development process. Secure computing, software development and networking practices should address the security of connections into, from and inside the vehicle.
  2. Practice “privacy by design.” While security deals with the safeguards and measures implemented to protect the data from unauthorized access or use, privacy focuses on the right and desire of individuals to keep information about themselves confidential. During the design process, companies should understand and identify what personal information will be collected by a component or device, what notice should be provided to or consent obtained from consumers before collecting that personal information, how the personal information should be used, whether those intended uses are legal, with whom the personal information will be shared, and whether that sharing is appropriate and legal. With this information identified, the company can reconcile privacy requirements with security safeguards during the design and development process.
  3. Establish an appropriate data security governance model. Executives and senior management can no longer blindly delegate data security to the security engineering team. Regulators, courts and juries are demanding that senior management become involved in and accountable for data security. While the precise governance model will depend on the nature and size of the organization, the company should actively consider what level of executive oversight is appropriate, and then document those conclusions in a data security governance policy. This will serve the dual purposes of enhancing data security of vehicles and component parts, while also bolstering the company’s defenses in the event of a security incident or investigation.
  4. Address the entire supply chain. Whether it is the finished vehicle or a component part, most companies relevant to the data security ecosystem will rely on suppliers that play a role in data security. Hardware, software, development tools, assembly, integration and testing may all be provided by one or more suppliers. Companies impacted by this scenario should conduct appropriate due diligence and risk assessments with respect to their suppliers, both at the commencement of the relationship and periodically throughout it. Contractual provisions should also be utilized to address data security requirements for the relevant suppliers.

For More Information

Of course we believe these tips will help you navigate the IP landscape/data protection in 2017; however, this isn’t a comprehensive list – keeping your IP safe is much more complicated. So we invite you to join us and other industry experts as we further address these topics at Foley’s program titled “Connected Cars: Navigating Top Trends in 2017,” held in Detroit on January 11, 2017.

For additional information on the program and to register, visit

This post originally appeared on Foley’s Dashboard Insights blog.
