AI for Banks: Key Ethical and Security Risks
The use of AI to drive efficiency and business improvement has increased significantly in the last five years across multiple sectors.
In January 2016, President Barack Obama unveiled an ambitious 10-year, US$4 billion investment to accelerate the development and adoption of fully autonomous vehicles across the country. Shortly thereafter, the National Highway Traffic Safety Administration (“NHTSA”), the agency within the U.S. Department of Transportation (“DOT”) tasked with reducing injuries and fatalities on the nation’s roadways, promised that “within six months NHTSA will propose best-practice guidance to industry on establishing principles of safe operation for fully autonomous vehicles.”
Later in 2016, the NHTSA took three significant steps toward curbing existing regulations that hamper the development of autonomous technology. First, in March 2016, John A. Volpe of the National Transportation Systems Center released a Review of Federal Motor Vehicle Safety Standards for Automated Vehicles (the “Review”) for the DOT. The Review details the existing safety standards that inhibit the sale of autonomous vehicles. Second, on September 20, 2016, the NHTSA released its first “Federal Automated Vehicles Policy” (the “Policy”). “This policy,” Secretary of Transportation Foxx said, “is an unprecedented step by the federal government to harness the benefits of transformative technology by providing a framework for how to do it safely.” Third, on December 13, 2016, the NHTSA released a proposed rule (“Standard 150”) that would make V2V communications mandatory on all new light-duty vehicles. “Advanced vehicle technologies may well prove to be the silver bullet in saving lives on our roadways,” said NHTSA Administrator Mark Rosekind. Thus far in 2017, the NHTSA has continued its momentum towards utilizing new technology to improve safety by announcing new V2I guidance in January 2017.
In last year’s edition of this white paper, we noted that a comprehensive regulatory framework for autonomous vehicles was “conspicuously absent.” This last year, however, saw the advent of new policies and rules that represent significant development in the regulatory environment. Particularly at the federal level, the Policy and Standard 150 may mark the beginning of changes towards enabling the development of commercially-available autonomous vehicles. All parties seeking to participate in the autonomous vehicle industry must understand the new rules and policies put in place and their impact on the market.
The Review identifies a significant number of federal motor safety standards that, as they currently exist, could stand as a barrier to the development of highly autonomous vehicles. The Review identifies all those rules that refer explicitly to a driver, for example.
The Review is particularly helpful for manufacturers in light of the NHTSA’s recent push for the use of interpretations of and exemptions from the Federal Motor Vehicle Safety Standards (“FMVSS”). By providing manufacturers a list of the FMVSS that may slow the development of autonomous vehicles, the DOT has handed manufacturers a laundry list of rules from which to ask for further interpretations of, and exemptions from, while the industry waits for the FMVSS to be changed.
The Review concludes that there are few regulatory barriers for autonomous vehicles to comply with current FMVSS as long as the vehicle does not significantly diverge from a conventional vehicle design. Vehicles that push the boundaries of conventional design, however, “would be constrained by the current FMVSS or may conflict with the policy objectives of the FMVSS,” as many standards are based on assumptions of a human driver, for example.
As many manufacturers are looking to create the next generation of autonomous vehicles – vehicles that by definition push the boundaries of conventional design – it would behoove manufacturers to be aware of this Review and the FMVSS it lists.
The Policy released in September 2016 is intended to foster the development of the autonomous vehicle industry. The Policy contains four sections. First, the Policy outlines best practices for the safe pre-development design, development, and testing of highly autonomous vehicles, or “HAVs.” While couched as “guidance,” this first section describes new reporting mechanisms for manufacturers, and states that such reporting may be a requirement in the future. Second, the Policy contains recommendations for the implementation of policies at a state level. Third, the Policy describes its current regulatory tools that manufacturers can utilize to change existing regulations to enable the development and testing of autonomous technology. Lastly, the Policy lists potential new regulatory tools and authorities that, if implemented, could drastically change the automotive regulatory environment.
The Policy’s Vehicle Performance Guidance for Automated Vehicles broadly applies to all individuals and companies manufacturing, designing, testing, and/or planning to sell automated vehicle systems in the United States. Its reach extends not only to comprehensive car manufacturers, but also to all equipment designers and suppliers as well.
The section’s Guidance is comprehensive. It includes all of the areas shown in Figure 1, below. Its key addition, however, is the introduction of “Safety Assessment Letters.” Starting soon, the NHTSA “will request that manufacturers and other entities voluntarily provide reports [safety assessment letters] regarding how the Guidance has been followed.” The NHTSA advises that “this reporting process may be refined and made mandatory through a future rulemaking.” Accordingly, manufacturers should consider implementing internal processes to appropriately complete the reports described within the Guidance.
Figure 1. “Guidance overview.” Reproduced from the Policy at 14. ODD refers to “Operational Design Domain.”
Although such assessments should be clear and concise, it does not appear that these assessments will be simple – there are 15 areas of guidance to be analyzed, all of which are reflected in Figure 1. “It is expected,” the Policy states, “that this would require entities to submit a safety assessment to NHTSA’s Office of the Chief Counsel for each HAV system[.]” Manufacturers, therefore, may soon have to fill out a safety assessment for each HAV System for each guidance area: data recording and sharing, privacy, vehicle cybersecurity, crashworthiness, ethical considerations, validation methods, and others. Not only will a safety assessment need to be submitted for each HAV System for each guidance area, but the NHTSA will expect manufacturers to update the assessment when any significant update(s) are made to the vehicle or HAV System.
The Policy indicates that in the coming months, the NHTSA will implement several steps aimed at facilitating the safety assessment process. These steps include publishing an objective method that manufacturers and other entities may use to classify their automated vehicle systems and publishing a safety assessment template. Manufacturers should be aware, however, the NHTSA is expressly considering both mandating safety assessments and requiring any entity planning to test or operate HAVs on public roadways to register with the NHTSA and to document and report to the NHTSA items related to the Guidance.
In this second Section, the Policy announces the DOT’s intention to regulate autonomous vehicles: “DOT strongly encourages States to allow DOT alone to regulate the performance of HAV technology and vehicles.” The DOT points out that as much as autonomous vehicle technology is a radical change in technology, it need not herald any change in the regulatory division of responsibility between the NHTSA and the States. “The division of regulatory responsibility for motor vehicle operation between Federal and State authorities is clear[,]” the Policy reminds its readers, “[t]hese general areas of responsibility should remain largely unchanged for HAVs.”
Those areas of responsibility are as follows. Generally, NHTSA’s responsibilities include:
The States’ responsibilities include other aspects of motor vehicle regulations, as follows:
In the Policy, however, the NHTSA makes clear its view that “the Vehicle Safety Act expressly preempts States from issuing any standard that regulates performance if that standard is not identical to an existing [Federal Motor Vehicle Safety Standards (“FMVSS”)] regulating the same aspect of performance.” In a sentence that the NHTSA’s lawyers would have reviewed carefully, the Policy states that not only can state safety regulations not deviate from federal safety regulations, states cannot implement any regulations that would, in any way, stand in the way of the federal safety regulations being followed to the fullest extent: “The Supreme Court has also found that State laws may be preempted if they stand as an obstacle to the accomplishment and execution of a NHTSA safety standard.”
The Policy then purports to provide guidance to the states on best practices when fulfilling their own responsibilities for motor vehicle regulations when it comes to autonomous vehicles, including, for example, that:
In the third section, the NHTSA reviews the current regulatory tools at the disposal of interested parties, and encourages the use of those tools to further autonomous vehicle technology. Specifically, the Policy details three key regulatory devices:
We discussed interpretations, exemptions, and rulemaking proposals in our first edition of this white paper. Since that edition, the basic framework has remained in place, with minor tweaks aimed at streamlining the process. In particular, the NHTSA has stated its goal that it will respond to:
This third section lays out the methods available to manufacturers and parties eager to proceed with the development and testing of autonomous vehicle technology. Interested parties should thoughtfully consider their regulatory approach, and seek guidance regarding the tools at their disposal.
The fourth and final section of the Policy is aspirational. The NHTSA acknowledges that “[t]he speed with which HAVs are evolving warrants a review of NHTSA’s regulatory tools and authorities.” As a result, it lays out a series of potential new tools and authorities that may be utilized to speed regulatory change and regulate autonomous vehicles, specifically:
The second of these authorities, in particular, is worth analyzing. The imposition of pre-market approval authority would represent a drastic deviation from the current federal vehicle regulatory scheme. Currently, manufacturers selfcertify their vehicles as being in compliance with the FMVSS. Under a new, pre-approval framework, “rather than having HAV manufacturers certify that their vehicles meet applicable FMVSS, NHTSA would test vehicle prototypes to determine if the vehicle meets all such standards.” Such a regulatory tool would “prohibit the manufacture, introduction into commerce, offer for sale, and sale of HAVs unless, prior to such actions, NHTSA has assessed the safety of the vehicle’s performance and approved the vehicle.” For vehicle manufacturers placing many models of new vehicles every year, such approval process could be quite burdensome thus potentially slowing the process by which autonomous vehicles make it to market.
On December 13, 2016, the NHTSA released a FMVSS Standard 150 for public comment – a new safety standard that, if adopted, would mandate the inclusion of V2V Communications on all new light-duty vehicles. Light-duty vehicles in the context of this rulemaking, refers to passenger cars, multipurpose passenger vehicles, trucks, and buses with a gross vehicle weight rating of 10,000 pounds (4,536 kilograms) or less.
Standard 150 would require vehicles to transmit messages about their speed, heading, brake status, and other vehicle information to surrounding vehicles, and to be able to receive the same information from them. V2V range and “field-ofview” capabilities exceed current and near-term radar- and camera-based systems, in some cases, providing nearly twice the range. That longer range and 360-degree field of “view,” currently supported by DSRC, provides a platform enabling vehicles to perceive some threats that sensors, cameras, or radar cannot.
The NHTSA believes the market will not achieve sufficient coverage absent a mandate V2V capability for all new lightduty vehicles. A V2V system as currently envisioned would be a combination of many elements: a radio technology for the transmission and reception of messages, the structure and contents of “basic safety messages” (“BSMs”) through a DSRC unit, the authentication of incoming messages by receivers, and, depending on a vehicle’s behavior, the triggering of one or more safety warnings to drivers.
The NHTSA proposal would require that vehicles be capable of receiving over-the-air (“OTA”) security and software updates (and to seek consumer consent for such updates where appropriate). In addition, the NHTSA proposal also requires that vehicles contain “firewalls” between V2V modules and other vehicle modules connected to the data bus to help isolate V2V modules being used as a potential conduit into other vehicle systems.
The NHTSA is proposing that the effective date for manufacturers to begin implementing these new requirements would be two model years after the final rule is adopted, starting on September 1 following issuance of a final rule, with a three-year phase-in period to accommodate vehicle manufacturers’ product cycles at rates of 50, 75, and 100 percent, respectively. This proposed schedule allows for a total of five years until all new vehicles would be required to comply with the final rule. Assuming a final rule is issued in 2019, this would mean that the phase-in period would begin in 2021, and all vehicles subject to that final rule would be required to comply by 2023.
The NHTSA estimates that the total annual cost to comply with this proposed mandate in the 30th year after it takes effect would range from US$2.2 billion to US$5.0 billion, corresponding to a cost-per-new-vehicle of roughly US$135-$300.
In January 2017, U.S. Transportation Secretary Anthony Foxx announced new Federal Highway Administration (“FHWA”) V2I guidance. The guidance consists of several resources aimed at both transportation planners and licensees, including:
NHTSA estimates that safety applications enabled by V2V and V2I technology could eliminate or mitigate the severity of up to 80 percent of non-impaired crashes, including crashes at intersections or while changing lanes.
The past year has brought many changes at the federal level that impact the possibility of fully autonomous vehicles being commercially available in the United States. The NHTSA’s new policy suggests a willingness to work with manufacturers to utilize regulatory tools to lessen the requirements of the FMVSS when such standards unnecessarily hamper the development of autonomous technology. Similarly, the proposed Standard 150 and new V2I guidance suggests that the DOT is considering areas beyond the physical autonomous vehicle itself that would allow autonomous technology to even more dramatically improve safety and efficiencies. In this time of rapid change, anyone interested in the advancement of the technology is advised to keep abreast of new information coming from the DOT, and take the opportunity to provide comment and guidance to the DOT’s proposed regulatory changes.
As technology swiftly advances, the once imaginary concept of self-driving vehicles will soon become a reality. Autonomous vehicles are expected to be deployed on U.S. highways as early as this decade. These cars of the future will be equipped to react and respond to their immediate environment with little or no human intervention. Whether it be simply a traffic light changing from yellow to red or a vehicle ahead coming to an abrupt stop, the autonomous vehicle will be fully prepared to handle the situation. It is expected that the high aptitude of these autonomous vehicles will not only make travelling on roadways more efficient but also safer with far fewer collisions. The foundation of the vehicle’s ability to seamlessly navigate the highways rests on its communication capabilities. Autonomous vehicles will be able to communicate with other vehicles on the road and transportation infrastructure. A key piece of technology that allows for this continuous communication is DSRC.
DSRC is a two-way short- to medium-range wireless communication channel that allows autonomous vehicles to communicate with one another as well as with transportation infrastructure, such as traffic signals. Its open source nature and use of a wireless spectrum to send and receive signals makes DSRC very similar to Wi-Fi. DSRC has very low latency, which allows messages to be transmitted within milliseconds with little to no delay. Because of its short to medium range, DSRC is highly secure with limited interference by unrelated signals. As opposed to the limitations of vehicular cameras and sensors, DSRC can offer 360 degree coverage that will increase safety.
Semi-autonomous and autonomous vehicles will use applications as platforms for the DSRC technology. V2V and V2I applications will utilize DSRC to alert the drivers and, in fully autonomous vehicles, to respond to signals received by other vehicles and infrastructure. Certain V2V applications include: adaptive cruise control; emergency electronic brake lights; intersection movement assistance; blind spot and lane change warnings; forward collision warnings; left turn assistance; do not pass warnings; and vehicle turning right in front of bus warnings. Certain V2I applications include: red light violation warnings; stop sign assistance; reduced speed and work zone warnings; curve speed warnings; spot weather impact warnings; and pedestrian in signalized crosswalk warnings.
As with any new piece of advanced technology that enters the stream of commerce, questions regarding liability for accidents and injuries begin to arise. As of now, there have been no bright-line rules regarding liability for potential defects in the DSRC technology. While the DSRC technology is expected to make travel on the highways much safer and theoretically free from incident, many automotive manufacturers and insurance companies are eagerly waiting to see how the states and federal government will govern liability issues.
On September 20, 2016, the U.S. Department of Transportation’s NHTSA released the new Federal Automated Vehicles Policy. This Policy offers guidance for how the federal government plans to regulate autonomous vehicles. In the Policy, the NHTSA makes clear that it intends to focus on regulating the vehicle performance technology equipment while letting the states retain the power to regulate product liability issues. For example, the Federal Communications Commission (“FCC”) dedicated 75 MHz of spectrum at 5.9 GHz to be used by DSRC. The states will have to decide who will be liable in a variety of scenarios. States will also have to decide who will be required to carry motor vehicle insurance.
All product liability claims have something in common – a product. However, akin to Wi-Fi, DSRC channels are not physically manufactured and are not tangible products. Thus, plaintiffs are unlikely to raise a product liability challenge based on a defect in the channels themselves. Nevertheless, DSRC requires physical devices affixed to vehicles in order to function. Defects in the hardware and software utilizing the DSRC technology could offer plaintiffs an avenue with which to anchor a product liability claim under state law.
A rising concern for an Original Equipment Manufacturer (“OEM”) is the types of product liability defects that could potentially arise with DSRC technology. As a tangible product, hardware and software in the vehicle and the transportation infrastructure will utilize DSRC. Should that hardware or software malfunction, and an accident occurs as a result, plaintiffs may look to product liability law for a remedy. In the absence of federal or state legislation, the traditional theories of product liability will govern such incidents. In order for a plaintiff to allege a product liability claim against an OEM, the claim must be founded on one of the following defects: 1) manufacturing defect, 2) design defect or 3) inadequate instructions or warnings.
A product “contains a manufacturing defect when the product departs from its intended design even though all possible care was exercised in the preparation and marketing of the product.” Thus, in regards to the hardware within the autonomous vehicle, a plaintiff may assert a manufacturing defect by proving that the hardware utilizing DSRC did not function as specified by the OEMs.
A plaintiff may allege a design defect if the plaintiff can show that the design of the hardware posed foreseeable risks that could have been avoided or at least reduced by a “reasonable alternative design.” The plaintiff would have the high burden of proving that the faulty design of the hardware utilizing DSRC caused the accident and the accident could have been prevented with a safer design. With the novelty of DSRC and its components, design defect may be difficult to prove.
Finally, a plaintiff may allege a defect in the hardware utilizing DSRC by arguing that the OEM failed to adequately and reasonably warn consumers of the foreseeable harm posed by the technology.
The failure to provide these warnings must be what makes the product unsafe and therefore the cause of the accident.
It may be more difficult for a plaintiff to prove a defect in the software component of DSRC. Software is created from codes and modules. It is written rather than manufactured; thus, it may be challenging for plaintiffs to invoke a manufacturing defect against DSRC software.
A plaintiff may be able to prove design defect in the DSRC software against OEMs if the algorithms were designed with a foreseeable risk of danger. However, the software written to hold the DSRC for autonomous vehicles is so complex and innovative that it may be a challenge for a plaintiff to find a qualified expert to prove that there was a safer alternative design.
Possibly the least complicated of the defects that a plaintiff could prove to substantiate a software product liability claim against an OEM is the failure to warn. The OEM should provide some type of warning regarding the foreseeable harm that could result from use of the DSRC software technology. The adequacy of the warning may be dependent on a variety of factors such as: the product or technology description, marketing and sales materials, the reasons people are buying and using the DSRC technology, and the nature and extent of the instructions and warnings provided. OEMs may encounter a challenge with making the warning conspicuous enough as to alert consumers of the potential risks with using DSRC software. Because the DSRC software would be so integrated into the autonomous vehicle, it would not be readily apparent to the user. Additionally, OEMs may have a responsibility to provide post-sale warnings of newly discovered risks with the DSRC software. If OEMs become aware of potentially harmful software issues, they would likely also bear the burden of supplying software upgrades as quickly as possible.
Although the use of DSRC channels with autonomous vehicles is said to provide enhanced safety on the highways, there are impending issues involving the technology that have yet to be resolved. For example, former Assistant Secretary of the U.S. Department of Transportation Office of Research and Technology, Gregory Winfree, stated that his office was concerned about DSRC channel sharing the 5.9 GHz spectrum with other wireless communications. Making sure other use of the spectrum does not inundate the radio-frequency or inhibit DSRC performance will be a high priority for the DSRC technology engineers and OEMs.
A challenge for manufacturers of autonomous vehicles to overcome is ensuring state and local agency resources to maintain the transportation infrastructure. In order for autonomous vehicles to fully utilize DSRC technology and reach their ultimate potential, there must be transportation infrastructure in place to communicate with the vehicles on the road. State and local governments would have to commit to maintaining infrastructure that could communicate with the V2I applications of the autonomous vehicles.
OEMs and software engineers of semi-autonomous vehicles will have to make sure the DSRC communications elicit an appropriate response from the human driver. As the V2V and V2I applications send and receive signals, the triggers and event flags must be conspicuous enough that a human driver is appropriately alerted. The triggers and flags must also properly instruct the human driver on exactly how to respond to the environment around it. The human interaction necessary in semi-autonomous vehicles also poses some unanswered questions such as who would be liable in the event of a collision.
Another major concern for OEMs is what parties may be liable if an incident occurs regarding the DSRC technology. Regarding driverless vehicles, there are four main categories of parties that could potentially be liable in a car accident: the manufacturers, the vehicle owners, the operators, or the passengers. However, it is possible that the manufacturer of the DSRC component part may not also be the manufacturer of the autonomous vehicle.
There have been several analogous product liability cases where a component part of the vehicle that was not manufactured by the vehicle manufacturer was defective and caused injury to the plaintiff. In a few cases involving defective air bags that injured the plaintiff, the plaintiff sued the manufacturer of the vehicle as well as the manufacturer of the air bags. Similarly, if there was a defect in the DSRC technology and the manufacturer was not also the autonomous vehicle manufacturer, a plaintiff would likely attempt to drag both into court. Whether or not the plaintiff would succeed in the lawsuit would be fact specific and dependent on the law of the jurisdiction.
In semi-autonomous vehicles, plaintiffs and manufacturers may encounter a problem with determining whether the operator or manufacturer was at fault. If the DSRC technology sends a signal for the operator to respond to but the operator fails to do so resulting in an accident or injury, a question of whether the manufacturer should truly be liable could be a potential defense. Manufacturers only have a duty to shield against misuse of the product to the extent that could have been reasonably foreseen. If the DSRC properly sent the signal, it would be difficult for a plaintiff to prove that there was truly a defect and the operator may actually be liable for the injury that resulted. However, the manufacturer may also have the burden to prove that the plaintiff’s misuse and failure to follow the instructions given by the autonomous technology was not foreseeable. The manufacturer may also have to prove that the instructions and warnings given were conspicuous enough as to actually alert the operator of the vehicle. The level of proof to substantiate these claims and defenses may be so complex that the parties to the litigation may need a highly skilled expert.
DSRC will be the cornerstone for making an autonomous vehicle fully interoperable with the entire transportation system. This cutting-edge technology presents an array of new legal issues and questions that soon must be answered. With the speed at which the technology is developing, regulatory agencies, legislative bodies, and courts will have to decide how they wish to marry product liability law with the DSRC equipment in autonomous vehicles. In the past, product liability law has proven to adjust to innovative technology effortlessly and will likely do the same with DSRC technology in the future.
A key component of achieving the goal of autonomous vehicles is allowing the cars to communicate with each other and the infrastructure while they operate to better navigate the world around them. Achieving this goal of Vehicle-to-Vehicle (V2V) and its related Vehicle-to-Infrastructure (V2I) communications, however, requires a serious consideration of the risks related to potential or actual breaches of data privacy and cybersecurity.
In the United States alone, four different but related federal regulators are working on various aspects of DSRC privacy and security: the U.S. Department of Transportation, the Federal Communications Commission, the Federal Trade Commission, and the National Highway Transportation Safety Administration. The industry, however, is not standing still and has begun implementing DSRC technology as well as other communications technologies for their respective vehicles.
The current lack of standards requires a thorough review of the privacy and cybersecurity risks and how the company may best work to minimize them.
Privacy risks relate to personally identifiable information collected and transmitted by and through the V2V or V2I communications, such as vehicle identification numbers and information about the owner of, or passengers in, a vehicle. Generally, the privacy risks associated with these communications can be separated into five categories:
Although DSRC primarily enables the transmission of safety information, it allows for other types of information to be collected and transmitted. The Federal Trade Commission has long taken the position that companies have an obligation to provide reasonable security for the personal information that they collect. Several state laws require companies to provide reasonable security for personal information. The FTC has also taken the position that the types of personal information collected must be disclosed to individuals. Companies may wish to monitor the development of regulations in this area to ensure that the collection of information is conducted legally, as it is possible that future regulations could provide liability even for the wrongful collection of information. For instance, in the context of websites and online services, the Children’s Online Privacy Protection Act restricts the ability of companies to collect information from children under 13, subject to penalties of up to $16,000 per violation. Accordingly, companies may wish to avoid collecting unnecessary information.
If personally identifiable information is collected, the company must disclose its use of the data. Companies must also comply with other laws that may apply to the data. For example, Facebook was accused of analyzing private communications between its users, and the class action claimed this analysis was in violation of wiretapping laws. A $3.3 million proposed settlement is pending. Liability for privacy issues tends to correspond with the control exercised over that information and the extent to which a company uses personally identifiable information for its own purposes. For example, even one of the strictest U.S. privacy laws, the Health Insurance Portability and Accountability Act (HIPAA), includes an exception for conduits, which is defined as “a conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law.” On one extreme, a company generally can lower its risk profile by acting as a mere conduit for data; yet companies typically can lawfully analyze data passing through their system when they make adequate disclosures of their practice, or have contractual or legal authority to analyze the data.
If personally identifiable information is retained, the risk associated with that storage effectively increases as the period of retention increases. This is because the risk of unauthorized access to that data increases with both the volume and time of the data stored. Cybersecurity incidents resulting in unauthorized access to personally identifiable information may require that the company to notify affected individuals, regulators, and law enforcement. If a consumer learns that a company has retained information without a “need to know” it, and some event results in unauthorized access of that information, tort actions can follow, based on breach of privacy or breach of right of publicity.
A company can decrease its risk of privacy-related actions by retaining data only for as long as there is a business need for the information, and then destroying the data or anonymizing it in a manner that it is unlikely to be reconstituted.
The FTC expects companies to explain how they share personally identifiable information with third parties for those parties’ own purposes, such as direct marketing or user profiling or analytics. Recently, two U.S. Senators expressed concerns to the Federal Communications Commission that “business could collect and analyze sensitive driving information, such as where the vehicle travels and how long it stays there, without the knowledge or consent of the consumer and then send targeted advertisements via dashboard consoles, in-car entertainment systems, or digital billboards.”
Although guidance on privacy requirements regarding information sharing for V2V and V2I is not a top priority for regulators, legislators and regulators have addressed information sharing in other contexts. By way of example, health information governed by HIPAA or children’s information governed by COPPA, requires prior consumer consent to be shared.
The purpose of DSRC is to share information, rapidly, and primarily for safety reasons. Although it may be possible to easily disclose information regarding data sharing practices to the owner of a vehicle, it may be more difficult to disclose this information to other individuals whose personal information could be at issue, such as non-owner drivers or passengers.
The type of data collected and how it is shared can lead to liability. For example, the FCC settled with Verizon Wireless for $1.35 million for using a “supercookie” that was installed on consumers’ computers without their consent, and shared information about the consumers’ online activities with third parties. In April of 2017, the Massachusetts Attorney General reached a settlement with an advertising company that was using geofencing technology to benefit its customers by sending digital ads to consumers who were at or near reproductive health centers and methadone clinics in several cities. The Attorney General claimed that these actions violated Massachusetts consumer protection laws and enjoined the practices. Courts can impose preliminary and permanent injunctions as well as other monetary penalties, including substantial regulatory fines.
Limiting the risk in this area can be accomplished by minimizing the data that is collected and shared to only that information that is necessary for the vehicle to perform the required function. For example, V2V and V2I communications require that vehicles be able to communicate hazards or other obstacles to other drivers in order to minimize any impact on the flow of traffic. That functionality does not require any specific identification of vehicles or individuals. Of course, with appropriate disclosures and contractual provisions, companies may be able to share personally identifiable information with third parties for their own purposes.
Unnecessary collecting and sharing any such identification information could lead to liability under the Federal Communications Act, the Federal Trade Commission Act, HIPAA, COPPA, state consumer protection laws, and/or state tort laws. Companies should therefore consider whether they should avoid collecting or sharing this type of information.
Now more than ever, manufacturers are purchasing components that have their own independent ability to obtain, store, and share information about those who interact with it. As a result, there can be privacy and security risks in a company’s own supply chain for which they may be held responsible.
Both the Federal Communications Commission and Federal Trade Commission have brought regulatory proceedings against companies for the actions of their suppliers or advertisers (such as the Verizon Wireless “supercookie” example, where an advertiser reportedly was misusing the data from the supercookie), as have private plaintiffs (as was the case where supplier Actiontec provided an open source component in routers, which Verizon distributed to customers—both Actiontec and Verizon were sued). A company can help lower its risk by reviewing and auditing its suppliers to make sure that the company understands what each supplier is providing, whether the supplier is independently collecting any data from the company’s use of its product or services, and, if so, how the supplier is using, sharing, or further disclosing the data.
As with the data privacy issues concerning V2V and V2I technology, as the communications capabilities in automobiles continue to grow, so do the cybersecurity risks. DSRC technology, however, makes these risks particularly acute. By its very design, DSRC is meant to communicate with others very rapidly. There may be no time or practical ability to screen the messages for spoofed or malicious content. As a result, these communications pose a unique opportunity for bad actors to use them as attack vectors or listening posts for personal information.
Any such breaches can result in a variety of reactions, none of which are mutually exclusive which individually can result in significant costs and expenses, and collectively can be devastating. For example, the Federal Trade Commission or state Attorneys General as well as any other regulators are increasingly pursuing companies for such breaches. Furthermore, private actors, including class action plaintiffs and financial institutions (banks and credit card companies) now seek reimbursement for any breach and pursue their own private actions in order to address their grievances. In addition to these legal actions, upon learning of a particular breach, companies frequently take their own independent steps in an effort to address the PR issues raised by those intrusions, including setting up call centers, providing credit monitoring, auditing and investigating their operations as well as increasing information security and training. These already significant costs do not include the other harder-to-quantify costs, such as lost employee productivity, lost customers, and increased customer acquisition costs.
One particular example of how the costs surrounding these incidents can arise is the 2013 security breach suffered by retailer Target Corporation. Target had agreed to share contract management data with a small HVAC vendor, but that connection was sufficient for a hacker to get into Target’s systems and steal credit card information. As a result, according to Target’s publicly filed SEC documents:
More than three years after the breach occurred, in its 10-K filed on January 28, 2017, Target reported that, since the data breach, Target incurred cumulative expenses of $202 million.
Of potentially even greater concern are risks to life and limb that may arise from the exploitation of potential vulnerabilities in V2V and V2I communications. It is conceivable that hackers could tamper with such communications to cause vehicle crashes or other property damage. This risk is not theoretical: in 2015, hackers were able to remotely take control of a Jeep vehicle, leading to a recall of 1.4 million vehicles.
As with data privacy, the issues surrounding these communications can be grouped into four categories:
Currently, the lack of common standards means that automotive communications currently are brand specific – Brand A vehicles communicate only with other Brand A vehicles. This allows specific manufacturers to develop and implement their own communication protocols, including the type of encryption used to protect the communications streams and the data within them. In order to achieve the National Highway Transportation Safety Administration (NHTSA) goals of avoiding the nearly 80 percent of vehicle accidents by implementing V2V communications, the interoperability of these systems must continue to rise.
Until such time as industry standards or regulations exist, companies can minimize the risk of unauthorized access to the data sent from vehicles by encrypting the data.
To the extent that personal data must be retained at all (see above), companies may wish to consider encrypting data “at rest” (i.e., when the data is not in use) to help minimize the risk of unauthorized access to the data. Encrypting can also help reduce the need to provide notices under many state breach notification laws.
NHTSA’s proposal includes the use of digital certificates that carry a vehicle’s pseudonym as a means of authentication, plus a form of cross-check with other received messages or onboard vehicle sensors. Not only does the NHTSA method use a “minimum necessary” amount of information, it also provides for multiple security certificates, so that each message would have a randomly selected certificate to provide further protection of the vehicle’s and driver’s identifying information. At this point, companies may not be willing to incur the costs of this form of security. Instead, until industry standards or regulations exist, companies can try to minimize the risk of unauthorized messages by “whitelisting” trusted data sources and only accepting messages from those sources. However, such an approach may be penny-wise and pound-foolish –one of those trusted sources could be hacked or receive a spoof message, putting the entire trusted network at risk.
Companies also should ensure that the integrity of the communications protocol is maintained. Recent headlines have shown how hackers can compromise Internet of Things (IoT) devices and re-purpose them to conduct denial of service (DoS) attacks. Such a risk is of equal concern with respect to V2V and V2I communications. For example, hackers conceivably could conduct DoS attacks on the V2V and V2I communication network, preventing or delaying vehicles from transmitting safety information. Companies may wish to implement strong safeguards for the communications protocols to help guard against DoS attacks and to help recognize or disregard safety messages that may have been delayed by an overburdened communications protocol. Using robust hardware security modules to safeguard and manage the device’s digital keys would also help increase security, and they typically provide evidence of tampering.
Autonomous vehicle manufacturers and their component suppliers should continue to monitor the legal and regulatory landscape relating to their use of consumer data and cybersecurity protocols. Because even “minor” cyber-incidents can result in the significant loss in time, money, and resources, efforts should be made to manage and minimize the risks related to this technology.
Driver assistance technologies such as adaptive cruise control (“ACC”), automatic emergency braking (“AEB”), and lane keeping assist (“LKAS”) are becoming common “technology packages” in many cars sold today and, eventually, will become standard features in all vehicles. These available technologies allow a car to “see” what is happening in the environment around it. However, these technologies are limited by the capabilities of the sensors upon which they rely for input. The radar sensor on the front of a vehicle with ACC and AEB may be obscured by road grime, glare, or other obstacles. Further, the laser emission from a LIDAR sensor may be obscured by environmental conditions such as rain or snow.
To not only combat the shortfalls of vehicle sensors but also allow these technological wonders to fulfill their full potential, the next advancement towards the full automation of vehicles will be the connected vehicle (“CV”), a car capable of “listening” and “speaking” to the vehicles around it. A method being developed for V2V communication is via DSRC. This technology will soon be hitting the auto market. The NHTSA has initiated the rulemaking process for issuing a new FMVSS, No. 150, which would require that all new light vehicles be capable of V2V communications. At least one manufacturer, Cadillac, stated that it would begin selling a V2V-enabled car in the U.S., the Cadillac CTS.
The DSRC network is, broadly, a wireless ad hoc network (WANET). A WANET is a decentralized network that lacks existing infrastructure or fixed nodes such as fixed routers or access points. With DSRC, each vehicle is a network node, and as such, each vehicle may receive and transmit messages to other vehicles. Because the vehicle nodes may also retransmit messages, DSRC is a mesh network, in which each vehicle passes information throughout the network. A key attribute of the ad hoc network is the ability of each vehicle member to automatically develop a communication link for the temporary communication with other vehicle members, all of whom are continually and dynamically entering and departing the network.
DSRC can be further categorized as a mobile ad hoc network (MANET) because the network members are mobile, and in particular, it can be categorized in a subclass of MANET – vehicular ad hoc network (VANET).
The DSRC network is based upon wireless communication in the super high frequency (“SHF”) radio spectrum, and in particular, includes seven channels reserved by the FCC amongst 75 MHz of the 5.9 GHz band (5.850-5.925 GHz). Based upon typical signal strength, the range of DSRC is approximately 1,000 meters (slightly more than a half mile).
The 5.850-5.925 GHz radio spectrum is divided between Federal operations and non-Federal operations. For Federal operations, the 5.850-5.925 GHz radio spectrum is reserved for Radiolocation Service, which is predominately used by the Department of Defense for radar applications. For non- Federal operations, the 5.850-5.925 GHz radio spectrum is primarily reserved for Mobile and Fixed Satellite Services, and on a secondary basis, Amateur Radio Service. Other devices operating within the 5 GHz spectrum include Wi-Fi-enabled radio networks, cordless telephones, and fixed outdoor broadband transceivers used by wireless internet providers. Recently, internet services providers have requested that the 5.850-5.925 spectrum also be made available for wireless broadband, a request that may impact the availability of the spectrum for DSRC.
The Mobile Service segment is reserved for DSRC and the Intelligent Transportation System (“ITS”) radio service. The FCC established the 5.850-5.925 GHz band for ITS services in 1999, and subsequently began developing standards for DSRC operations. The FCC established service rules and licensing for DSRC in 2004.
DSRC is divided into seven 10 MHz channels (172, 174, 176, 178, 180, 182 and 184) along with one 5 MHz channel (170). The single 5 MHz segment is reserved for future growth and development. The FCC has designated channels 172 and 184 for Public Safety and channel 178 as a control channel. There is the potential for some 10 MHz channels to be combined to create up to two 20 MHz channels (175 and/or 181). The current bandplan is illustrated below:
In order for vehicles to communicate with one another on a VANET, they must first speak the same language. One such standard bearer for a common vehicle language is the pair of SAE International publications J2735 and J2945, which define a standardized system of message sets for carrying information between vehicles. The message sets standardize the message exchanges, messages, data frames (complex elements) and data elements (atomic elements) for use on the 5.9 GHz Dedicated Short Range Communications spectrum. One exemplary message format, the Basic Safety Message, is discussed below.
The rules for the wireless connection of vehicles on the DSRC network are standardized by IEEE 1609 and IEEE 802.11p. IEEE 802.11p is an amendment that adds Wireless Access in Vehicular Environments (“WAVE”) to the existing 802.11 standard. 802.11 may sound familiar because it is the standard by which wireless routers operate (e.g., 802.11a, b, g, n, etc.). IEEE 802.11p is important because it updates the media access control (“MAC”) requirements of the 802.11 standard to allow a fast moving vehicle to quickly pass information without the requirements of association and authentication. 802.11p is designed for vehicles moving at speeds of up to 250km/h and at a range of up to 1,000 meters.
IEEE 1609 is a family of WAVE standards (P1609.0, P1609.1, P1609.2, etc.) which supplement 802.11p with high layer messaging. The IEEE 1609 standards allow V2V and V2I wireless communications by providing higher layer messaging beyond that provided by 802.11p.
For example, IEEE 1609 provides multichannel operation, networking services, resource manager and security services, and allows WAVE to offer services such as vehicle safety, automated tolling, enhanced navigation, and traffic management.
The Basic Safety Message (“BSM”) is the primary message for V2V communication. The BSM is transmitted approximately ten times per second by a vehicle and includes high priority data elements such as a timestamp along with the vehicle’s position, direction, speed, acceleration, brake status and vehicle size. The BSM may also include other optional information based upon events such as the activation of anti-lock brakes, exterior lights, wipers/rain sensor, roadway friction, air temperature, air pressure and the vehicle’s yaw rate. The optional information may not be transmitted as frequently as the high priority data elements, depending upon the priority of the information. DSRC equipped vehicles do not have storage for the long-term archiving of the BSM data. In addition to BSMs, other messages defined by J2735 include:
The first Tier 1 supplier to supply Vehicle-to-everywhere (“V2X”) communications to a U.S. production vehicle is Delphi Automotive, who will provide the V2X module for the upcoming Cadillac V2V-enabled models. The V2X communication platform being supplied by Delphi is based upon a RoadLink™ chipset from NXP Semiconductors as well as the remaining hardware and application software from Cohda Wireless.
As seen by the illustration above, a V2X module requires little space. A V2X module – such as the Cohda Wireless module above – may include multiple IEEE 802.11p radios, a processor for operating the V2X software and related applications, a GNSS positioning system with lane accuracy, along with security key storage and hardware acceleration. V2X modules may be either Roadside Units (“RSU”) or On Board Units (“OBD”), such as the one pictured above. OBD V2X modules receive their vehicle information from the vehicle’s control module, which is the hub for the various driver assistance sensors.
Mobile providers have recently begun advocating in earnest for an alternative to DSRC using cellular capabilities, such as 4G LTE. They argue that current cellular device technology is well established and always improving, and as such, would take minimal development to apply the technology to V2X communication. Cellular component providers are quickly developing technology for the V2X market. For example, Qualcomm recently introduced a new Snapdragon LTE modem to support V2X communications.
DSRC and LTE are not necessarily mutually exclusive. Delphi recently announced that it has partnered with AT&T and Ford to enhance the range of DSRC by incorporating LTE, which the partnership displayed at the 2017 CES . trade show in Las Vegas.
DSRC does not have its own patent classification in either the U.S. Patent Classification system (“USPC”), Cooperative Patent Classification system (“CPC”), or International Patent Classification system (“IPC”). The patent class G08G 1/01 is reasonably apprised to include most patent applications with DSRC-related claims. G08G0001160000
|IPC/CPC patent classification for DSRC|
|G08G: Traffic control systems|
|G08G 1/00 Traffic control systems for road vehicles|
|G08G 1/16 Anti-collision systems (road vehicle drive control)|
|[CPC Only] G08G 1/161 Two-way communication between vehicles|
|[CPC Only] G08G 1/162 Two-way communication between vehicles determined or triggered by an event like turning, braking, …|
|[CPC Only] G08G 1/163 Involving continuous checking|
IPC results, G08G 1/16. We began our patent procurement analysis with the filters shown in the table below.
|Country code: U.S.|
|Filing date: January 1, 2010-October 1, 2015 (18 months prior)|
|Patent classification: IPC G08G 1/16|
Using these three filters, we found 1,400 patent applications divided across 1,245 families. The top five assignees are shown below.
CPC results, G08G 1/16. We next used the same filters as above, but exchanged the IPC classification with the CPC classification, as shown in the table below.
|Country code: U.S.|
|Filing date: January 1, 2010-October 1, 2015 (18 months prior)|
|Patent classification: CPC G08G 1/16|
For CPC G08G 1/16, we found 2,105 patent applications divided across 1,770 families. The top five assignees remain the same, although their ranks do change compared with the IPC results. Also notice that the CPC results provided slightly greater results than the IPC results.
CPC results, G08G 1/161. CPC class G08G 1/161 is a subset of G08G 1/16. Only the CPC classification has sub-classifications of G08G 1/16, not the IPC. We used the same filters as CPC G08G 1/16 filters, but further refined the CPC classification to G08G 1/161.
|Country code: U.S.|
|Filing date: January 1, 2010-October 1, 2015 (18 months prior)|
|Patent classification: CPC G08G 1/161|
For G08G 1/161, we found 538 patent applications divided across 461 families. The top five assignees do change, although four of the five assignees remain the same.
CPC results, G08G 1/162. CPC class G08G 1/162 is a subset of G08G 1/161, in which the two-way communication between the vehicles is prompted by an event, such as braking or turning.
|Country code: U.S.|
|Filing date: January 1, 2010-October 1, 2015 (18 months prior)|
|Patent classification: CPC G08G 1/162|
CPC results, G08G 1/163. CPC class G08G 1/163 is also a subset of G08G 1/161, in which the two-way communication is continuous.
|Country code: U.S.|
|Fling date: January 1, 2010-October 1, 2015 (18 months prior)|
|Patent classification: CPC G08G 1/163|
For G08G 1/163, we found 288 patent applications divided across 247 families. The top five assignees again change. Toyota reappears and Bosch does not make the top five.
The automotive industry’s autonomous vehicle revolution has spurred the most active several years of automotive supplier and automotive manufacturer acquisitions, partnerships and investments in a decade, with more coming as parts makers struggle to keep up with the pace of technological transformation.
Vehicle connectivity, safety and efficiency are emerging as major drivers of growth and change in the automotive industry and are helping fuel growing M&A, investment and collaboration activity in the industry. Connecting vehicles to each other, to other road users, and to the surrounding infrastructure will be increasingly important as other transportation technologies pervade the market, particularly, vehicle automation. Vehicle-to-vehicle (V2V) and vehicleto- infrastructure (V2I) technology, two aspects of what are collectively referred to as vehicle-to-everything (V2X) communication technology, allow vehicles to communicate with each other and with roadside infrastructure. These technologies provide the capability of alerting or warning drivers of surrounding conditions or hazards and have the potential to prevent accidents, save lives, reduce energy consumption and improve traffic flow.
The leading standard in V2V and V2I technology is Dedicated Short Range Communication (DSRC), one method of communication for autonomous vehicles. However, in the time it has taken for DSRC to develop and gain a foothold in the field, other communication channels, like cellular, have emerged as late newcomers but potential alternatives to DSRC. Though DSRC continues to be the frontrunner for standardized automotive communication moving forward, transactions in this space are proceeding on the basis that regardless of the specific communications technology utilized, V2V and V2I will be needed. As such, gaining access to relevant technologies such as sensors, semiconductors, GPS mapping systems, telematics, data science and other connectivity solutions will be critical for original equipment manufacturers (“OEMs”) and traditional suppliers.
While partnerships between or among automakers, suppliers, telecom providers, ride-sharing companies and large technology firms outside of the automotive space have grown recently in the self-driving car sector, a large number of startups developing V2X components, software and connectedcar products and technologies, some of which utilize DSRC, have emerged as targets for acquisition, partnership or investment opportunities for industry players. These startups are increasingly dealing with the issue of whether to sell their technologies, partner with automakers, OEMs, larger technology companies or others, and/or accept funding from corporate strategic investors.
DSRC is a two-way short to medium range wireless communications capability. Using DSRC-based technology, vehicles can exchange information between one another such as location, direction, speed, acceleration and braking, with data that is updated and broadcast up to 10 times per second, helping to identify risks and provide warnings to drivers. As opposed to the limitations of vehicle sensors and cameras, DSRC can offer 360 degree coverage that will increase safety. The U.S. Department of Transportation paved the way for vehicle communication standards by developing the Federal Motor Vehicle Safety Standard, No. 150, on V2V communications. Published in the Federal Register in January 2017, the proposed standard would require manufacturers to begin installing DSRC radios in new light vehicles two years after the final rule is adopted, with a three yearphase in period. If the proposed rule becomes standard, it would be a big win for DSRC module manufacturers, among others. According to Navigant Research, global revenue from DSRC-based V2X systems is expected to surpass $25.5 billion by 2025. Under the new administration in Washington, it is not clear if and when the proposed standard will get the final approval. Additionally, while DSRC is now well-defined and being tested for deployment, a number of mobile providers and other companies are pushing for the use of next-generation cellular technology instead. However, cellular standards have not yet been developed and widespread network deployment is still several years away. Whether the future standard of vehicular communication will be DSRC, cellular, both, or one or more alternative technologies remains to be seen.
What is clear, however, is that the regulatory landscape is in flux and that in the absence of clear regulation standards, the industry is likely to move forward with deployment of more than one V2X technology. Accordingly, it is understandable why many companies in the automobile, telecommunications and technology industries are investing in research and development or technology startups, or engaging in acquisitions or collaborations to benefit from their respective capabilities and forming strong alliances in the connected vehicle space.
To date, there have been only a few corporate transactions specifically in the DSRC space. One reason is that many of the component manufacturers have DSRC activities which they develop in-house. Additionally, corporate transactions in the DSRC space are difficult to detect, because there are very few DSRC-specific entities. Most businesses offering automotive communications products describe their business as V2V/V2X or, simply, as wireless communications. Conversely, because of that generalization, it is not unreasonable to speculate that some businesses that describe their products as V2V/V2X are in some form or fashion utilizing or otherwise involved with DSRC. Based on that assumption, we prepared and attached hereto as Exhibit A, a table of select recent corporate transactions in the V2X space that relate to or are reasonably likely to be connected to DSRC technologies. As is evident from the table, these corporate transactions have varied across numerous factors. Transactions have varied in size, ranging from a few million dollars to those valued at many billions; they have spanned various industries, with transactions linking software providers, satellite communication specialists, semi-conductor producers, and automakers; and they have differed in transaction form. It is clear that there is no one-sizefits-all approach to this developing area.
in the car connectivity solution Technology startups are increasingly being looked to as part of the car connectivity solution by the major automakers and participants in the automotive supply chain, as well as by telecom providers, larger technology companies and others, and we expect this trend to continue. Gaining access to relevant technologies and products such as sensors, semiconductors, GPS mapping systems, telematics, data science and other connectivity solutions, whether using DSRC or another communications technology, will be important, particularly for traditional suppliers and OEMs. Many companies do not have the talent, skills, or fast-moving culture to build all these new technologies in-house on their own. Often technology startups are at a too-early stage for an acquisition or partnership and will need substantial capital to grow. If fortunate, these companies are faced with a range of financing options, including traditional financial investors such as venture capital and other institutional funds, and corporate strategic investors who look to take an equity stake for strategic reasons, typically to supplement or support their activities and gain some sort of competitive advantage. GM, BMW, Volvo, SAIC, Honda and Audi, among others, all have distinct venture arms.
Corporate strategic investors, whether investing directly or through a dedicated investment or venture capital arm (Strategic Investors), represent a double-edged sword to startups. Strategic Investors can be valuable partners. Advantages of equity financing from Strategic Investors include implied credibility and validation of a company’s technology and/or business, a large network of customers who may be relevant to the business, expanded distribution opportunities, and access to industry knowledge, experience and money. Strategic Investors often will pay a higher share price than financial investors because they are generally less sensitive to valuation and financial results and more concerned with access to new technology and products, key personnel/talent, customers and markets. Strategic Investors may also be a potential option for an exit. Strategic Investors are also generally more patient and have longer time horizons than traditional venture capital and other institutional funds. That said, it is important for startups to understand that Strategic Investors have different motivations, priorities and decision–making processes than traditional financial investors and taking investments from them pose certain risks that a startup should consider.
Some of these risks include:
The autonomous vehicle industry is transforming at a rapid pace. Industry players and new entrants, including technology startups, are striving to play a leading role in the business of building the different elements that make up connected vehicles, including vehicle communication technologies. How companies fare in the race to provide products in this space will largely be a function of whether they can build, acquire or partner today for the distinct technologies and capabilities of the autonomous vehicle industry of the future.
Exhibit A: Select Recent M&A and Equity investments related to automotive communication
|Expected to close by 2017 year-end||NXP Semiconductors||Qualcomm||$47 billion||Acquisition||NXP Semiconductors is a large maker of semiconductors for automobiles, and is active in DSRC-based V2X. Qualcomm has stated it will generally support either DSRC or cellular-based V2X technologies.|
|04/12/2017||Peloton Technology||Omnitracs, Intel Capital, DENSO International America, BP Ventures, Lockheed Martin, Nokia Growth Partners, UPS Strategic Enterprise Fund, Volvo Group, Sand Hill Angels, Band of Angels and Birchmere Ventures, B37 Ventures, Mitsui USA, Okaya, Schlumberger, US Venture and Breakthrough Fuel||$60 million - Series B funding||Equity Investment||Peloton Technology is focused on connected and automated vehicle technology, specifically for freight transportation. Their technology includes DSRC.|
|03/29/2017||Kymeta Corp||Intelsat, and others||$73.5 million round of funding||Equity Investment||Kymeta develops satellite antenna technology services used in automotive connectivity.|
|03/22/2017||Autotalks||Magma Venture Capital, Gemini Israel Fund, Amiti Fund, Mitsui & Co. Global Investment, Liberty Media’s Israeli Venture Fund, Delek Motors, Fraser McCombs Ventures, Vintage Investment Partners, Samsung Catalyst Fund, and other Israeli institutions||$30 million - Series D funding||Equity Investment||Autotalks specializes in V2X communications in autonomous driving, and has supported DSRC-based V2X technologies.|
|03/21/2017||Cohda Wireless||Government of South Australia||Grants of $2 million||Equity Investment||Cohda Wireless supplies V2X solutions and is developing connective autonomous vehicle solutions for cars, smart cities, and mining.|
|03/11/2017||Harman International Industries, Inc.||Samsung Electronics||$8 billion||Acquisition||Harman International Industries Inc. is a leading provider of connected car systems, audio and visual products, enterprise automotive solutions and connected services.|
|02/07/2017||NXP Semiconductor’s Standard Products business||Beijing Jianguang Asset Management Co., Ltd, and Wise Road Capital LTD||$2.75 billion||Asset Acquisition||NXP Standard Products business is a supplier of semiconductors, with a focus on the automotive markets.|
|01/03/2017||Movimento||Delphi Automotive PLC||Undisclosed||Acquisition||Movimento is a provider of Over-the-Air software lifecycle and data management for the automotive sector.|
|08/08/2016||Hivron Inc.||iA, Inc.||$11.9 million, bringing iA’s stake in Hivron Inc. to 83.06%||Equity Investment||iA is a provider of automotive semiconductors and modules, including a DSRC processor. Hivron provides electronic semiconductors.|
|07/29/2016||ams’s assets related to NFC and RFID reader business||STMicroelectronics||$77.8 million and deferred earn-out contingent on future results estimated at about $13 million, but not to exceed $37 million||Asset Acquisition||STMicroelectronics is actively engaged in both the automotive and connectivity industries. It is acquiring ams’s assets related to its Near-Field Communication and Radio-Frequency Identification reader business.|
|07/08/2016||AllGo Systems, Inc., USA||Visteon Corporation||$15 million, another $7 million of contingent consideration||Acquisition||Visteon is active in developing technologies in the automotive communications field, including DSRC. It acquired AllGo Embedded Systems, an India-based supplier of embedded multimedia and smartphone connectivity software solutions for the global automotive industry.|
|05/13/2016||Cruise Automation Inc.||General Motors Co.||$581 million at closing ($291 million in cash)||Acquisition||Cruise Automation is an autonomous vehicle company.|
|02/11/2016||Veniam||Verizon Ventures, Cisco Investments, Orange Digital Ventures, Yamaha Motor Ventures, True Ventures, Union Square Ventures, Cane Investments||$22 million - Series B funding||Equity Investment||Veniam produces products that combine DSRC, 4G, Wi-Fi and mesh networking that are aimed at fleets, cities and logistics operations.|
|01/28/2016||Savari Inc.||Delta Electronics Capital Company, SAIC Capital and an undisclosed strategic investor||$8 million in Series A funding||Equity Investment||Savari Inc. is a leader in V2X communication technology. While its products support both DSRC and cellular-based V2X technologies, it recently joined the 5G Automotive Association, which is aimed at developing standards regarding cellular-based V2X technologies.|
|01/06/2016||MMB Networks||Roadmap Capital, Arctern Ventures, VentureLink Funds, NXP Semiconductor||$7 million - Series B funding||Equity Investment||MMB Networks provides a line of hardware and software products built around Rapid Connect, an embedded software platform that reduces time-to-market for connected device vendors.|
Industry experts are in agreement; the rise of autonomous vehicles will change the nature of the automobile insurance industry. As Allstate’s chief executive officer, Tom Wilson, stated, change “isn’t going to happen tomorrow, but it is going to happen soon.”15 Autonomous vehicles are expected to make driving safer, reduce personal vehicle ownership, and shift responsibility for accidents from drivers to manufacturers and service providers. These factors may reduce the need for personal automobile insurance. But as the market for personal automobile insurance decreases, opportunities arise for insurers focusing on other customers and types of policies. To remain competitive, insurers should consider getting involved in research, development, and policymaking related to autonomous vehicles, and also consider diversifying their products to cover ancillary liabilities.
The increased use of partially-autonomous vehicles and the eventual use of fully-autonomous vehicles will greatly impact the insurance industry. The most significant changes are likely to be that autonomous vehicles will be safer, will be increasingly owned by companies rather than individuals, and will cause liability for the accidents that do happen to shift away from the “driver.”
Autonomous vehicles are expected to be safer than traditional vehicles. Former President Barack Obama has written that autonomous vehicles “have the potential to save tens of thousands of lives each year.” KPMG predicts that accidents per vehicle will decline from about .043 accidents per vehicle in 2013 to .009 accidents per vehicle in 2040, but that costs per accident will increase from about US$14,000 per accident in 2013 to US$35,000 per accident in 2040. Still, KPMG expects that these changes could result in a 40 percent decline in total losses from automobile accidents, from about US$145 billion in 2013 to about US$86 billion in 2040. KPMG projects that losses covered by personal automobile insurance will shrink from 87 percent of automobile accident losses in 2013 to 58 percent of losses in 2040. Thus, with a projected 80 percent decline in accident frequency, our roads will be safer, and losses covered by personal automobile insurance will decline significantly. As Warren Buffett commented, making cars safer is “very pro-social,” but “it’s bad for the auto insurance industry.”
Widespread use of autonomous vehicles may further the ongoing shift from individual car-ownership to reliance on caror ride-sharing services. Services like Zipcar, which allow users to rent a car by the hour, provide an economic alternative to owning a car in urban areas. Services like Uber and Lyft, which allow users to easily hail a driver from their smartphones, have also encouraged individuals to depend more on transportation services and less on their own driving. These companies are embracing autonomous vehicles. Zipcar has partnered with the University of Michigan Mobility Transformation Center, “a collaborative organization working on smart cities and autonomous cars,” and claims that autonomous vehicles will be what turns its vision of “a world where car sharers outnumber car owners” into a reality. Similarly, one of Uber’s goals is to reduce the number of cars on the road to clear up congestion and free up land currently used for parking. It should come as no surprise then, that Uber is already working on establishing its own fleet of self-driving cars. In Pittsburgh, users can hail a self-driving Uber that – at least for now – has a human driver who can take control of the car in the event of emergency. Uber also recently began tests of self-driving vehicles in San Francisco.
Lyft may not be far behind Uber in embracing autonomous vehicles; it has begun testing autonomous cars in San Francisco and Phoenix. The novelty of being picked up by a self-driving car may encourage more commuters to use these services. In any event, these car-sharing and ride-sharing services are making autonomous vehicles part of their business plan, and hope to reduce private vehicle ownership in doing so.
Private vehicle ownership may also decrease because self-driving cars make sharing cars within households more convenient. The extent to which a car may be shared depends on working out the logistics of the passengers’ schedules and destinations. A University of Michigan study examined transportation habits of over 150,000 households and determined that autonomous vehicles could allow the average number of automobiles per household to decrease from 2.1 to 1.2 – a 43 percent decline. This study did not take into account whether and to what extent reliance on vehicle-sharing services might further reduce household vehicle ownership. Regardless, it is clear that autonomous vehicles have the potential to drastically reduce the number of privately-owned vehicles.
These changes in vehicle ownership may also change the nature of who obtains automobile insurance. If personal vehicle ownership declines and corporate vehicle ownership increases, we should naturally expect the market for personal automobile insurance to shrink and the market for commercial automobile insurance to grow. The changes to vehicle ownership are also likely to prompt changes to automobile insurance laws. If future accident investigations reveal that manufacturers tend to be at fault, lawmakers may require vehicle manufacturers, rather than drivers, to carry liability insurance. Or, lawmakers could make no-fault liability systems more widespread and comprehensive, making no-fault liability insurance the nationwide standard. Another option would be to establish a national fund for the payment of losses related to autonomous vehicle accidents. In any case, a decline in personal vehicle ownership should be expected to reduce the market for personal automobile insurance.
Autonomous vehicles shift the responsibility for a car’s handling of the road from the driver to the car itself. This shift also alters who bears responsibility when a vehicle is in an accident. Today, when a car is in an accident, the assumption is typically that a driver made an error that caused the accident. But when drivers no longer make most of the decisions behind the wheel, it will be more difficult to find them at fault. Consider how liability would be determined under negligence, strict liability, or no-fault liability principles.
Currently, most jurisdictions determine liability based on traditional negligence principles, whereby the driver may be held liable for harm caused by his or her failure to use reasonable care. In the context of fully-autonomous vehicles, a “driver” would be unlikely to face any liability in the event of a car accident because he or she does not truly do any driving and therefore would not be found to have acted without reasonable care.
However, the autonomous vehicles currently available or in testing are only partially autonomous, and for that reason, liability for any accidents may still fall on the driver. Some vehicles currently on the road have parking systems that automate steering but require the driver to control acceleration and braking. More autonomous prototype vehicles may drive autonomously for some portions of a trip, but require the driver to assume control for other parts of a trip or to override the automated systems in case of emergency. To the extent the driver could have avoided an accident by overriding the car’s autonomous features, the driver may maintain some responsibility for an accident. On the other hand, driver intervention with autonomous systems can also invite human error when a well-meaning but errant driver makes a mistake that the autonomous vehicle may not have made. In either case, the driver maintains some degree of control and, therefore, some risk of liability.
Consider the highly-publicized fatal accident of a Tesla driver using Tesla’s Autopilot program in May 2016. The Tesla Model S was driving on a highway when a white tractor trailer crossed the highway perpendicular to the Tesla. According to Tesla, the Autopilot program did not notice the white side of the tractor trailer against the brightly lit sky.
Neither the Autopilot program nor the driver applied the brake. Importantly, the Autopilot program reminds drivers to keep their hands on the wheel and to be ready to take control of the vehicle at any time. Seemingly, then, the driver did not take control of the vehicle when the Autopilot program failed to recognize the white tractor trailer. Although fault for the accident has not been adjudicated, the driver arguably may bear some responsibility for failing to override Autopilot by applying the brakes. So long as drivers retain some control over their vehicles, drivers will continue to bear some risk of liability when accidents occur.
The more autonomous vehicles become, the more risk manufacturers and service providers will face in tort actions. Manufacturers will not only have potential liability for the mechanical aspects of driving, but also for sensing the vehicle’s surroundings and determining the vehicle’s responses to those surroundings. Various service providers may have potential liability for failing to maintain and repair autonomous vehicle systems, or failing to manage the networks that allow those systems to communicate. When the failure of these systems and services cause accidents, manufacturers and service providers may be held liable.
Instead of relying solely on traditional negligence principles, plaintiffs who have been injured in autonomous vehicle accidents are likely to also assert theories of strict liability. Generally, under strict liability theories, plaintiffs attempt to hold defendants responsible for manufacturing unreasonably dangerous products or for engaging in conduct that is unreasonably dangerous. Because autonomous vehicle systems are new technologies, and since traditional negligent driving claims may not be viable, plaintiffs in autonomous vehicle accident lawsuits are likely to test strict liability theories. Therefore, the assertion of strict liability in vehicular accident litigation is likely to increase as autonomous vehicles become more common.
Under strict products liability theories, a product manufacturer may be liable for physical harm caused by an unreasonably dangerous defect in its product, whether the defect was created by design, by a manufacturing error, or by improper marketing, instructions or warnings. When a fully-autonomous vehicle is involved in an accident which could have been avoided, a plaintiff may claim that the accident was foreseeable, that the vehicle should have been designed to avoid the accident, and that the accident itself is evidence that the vehicle was defectively designed or manufactured.
Thus, accidents involving autonomous vehicles are likely to be followed by strict products liability claims.
Plaintiffs in autonomous vehicle accident litigation may also argue that strict liability applies to “drivers” of autonomous vehicles. An activity may be considered abnormally dangerous if it “creates a foreseeable and highly significant risk of physical harm even when reasonable care is exercised by all actors” and if “the activity is not one of common usage.” Driving a traditional car is not considered an abnormally dangerous activity, but plaintiffs may assert that driving an autonomous car is an abnormally dangerous activity, in an effort to impose strict liability on the “driver.” When early adopters of autonomous vehicle technologies are involved in an accident before that technology’s safety has been proven, strict liability arguments against a driver may provide a colorable theory of liability.
Ultimately, however, autonomous vehicles are expected to make roadways safer. Vehicle and software manufacturers will need to conduct extensive testing of their automated systems before releasing them for public use, and should publicize the results to demonstrate the safety of their products to the public. They must also comply with regulatory safeguards. Assuming that autonomous vehicles systems demonstrate acceptable safety before their release onto public roads, it seems unlikely that “drivers” would often be held strictly liable for failures of the autonomous driving systems. On the other hand, for accidents which could have been avoided by a human driver, manufacturers will now face the risk of liability.
At the opposite end of the spectrum from strict liability is no-fault liability. Twelve states and Puerto Rico have a no-fault liability insurance system. Under these systems, insureds are compensated by their own insurance up to a legislatively determined threshold based on the seriousness of the incident or dollar amount of the damages. Injured parties may not sue unless their damages cross that threshold. Absent legislative changes, no-fault liability would only apply to autonomous cars in the 13 jurisdictions with no-fault liability systems.
Expanding no-fault liability to other jurisdictions and making those systems more robust may be an appropriate way for legislatures to address the ways in which autonomous vehicles will shift liability away from drivers. When autonomous vehicles dominate the roadways, the plaintiffs in vehicular accident litigation are likely to be individuals, and the defendants are likely to include the companies that manufactured or serviced the autonomous vehicles involved. The claims will likely include, if not focus on, product liability. Thus, the litigation would be more complex and more expensive, since determining liability would require more expert testimony than would a traditional negligence case. For these reasons, policymakers may support heavier reliance on no-fault systems – whether they be systems that require all owners or users of autonomous vehicles to carry no-fault insurance, or a system that creates a government-managed fund that compensates automated vehicle accident victims.
Given that autonomous vehicles have the potential to drastically change the insurance market, automobile insurers need to consider the possible ramifications of this new technology and get ahead of these changes in order to stay viable. Insurers should keep up with developments in this area, consider getting involved in testing and policymaking, and consider diversifying their insurance products to take advantage of the changes that autonomous vehicles will bring.
Insurance companies have a history of assisting in the implementation of technologies that make vehicles safer, and their involvement with autonomous vehicle systems should be no different. Already, insurance companies have partnered with car manufacturers and other companies on research, development, and policymaking related to autonomous vehicles. Aon, an insurance broker and risk adviser, has partnered with other companies to test self-driving cars on a test track in the Netherlands. State Farm Mutual Automobile Insurance Company has partnered with the University of Michigan and Ford to research whether driver-assist technologies may lower the rate of rear collisions as part of the “Blueprint for Mobility” project.
State Farm has also partnered with the University of Michigan and other companies to lead the university’s Mobility Transformation Center, which focuses not only on the research and development of automated vehicles, but also on addressing the “legal, political, social, regulatory, economic, urban planning, and business issues” implicated by autonomous vehicles.
Insurers may gain a competitive advantage by getting involved in autonomous vehicle research, development, and policymaking. Such involvement would give insurers access to information that they can use to build their autonomous vehicle knowledge base, to create autonomous vehicle insurance products, and to better handle risk assessment. Their involvement would also provide the ability to influence priority setting for safety goals. Insurers’ participation in policymaking would give them a voice in shaping how lawmakers will handle the changes to the insurance market—perhaps by amending minimum insurance standards, altering who is required to obtain insurance, or expanding no-fault liability systems. By taking an active role in research, development and policymaking, insurers can drive the change, rather than allowing the change to drive them.
Although autonomous vehicles are expected to reduce the demand for personal automobile insurance, they give rise to other types of liabilities that will need to be insured. In that way, autonomous vehicles create new opportunities for the insurance industry. Insurers interested in leading the industry in autonomous vehicle insurance should consider products targeted at manufacturers and at insuring new technologies. As an example, Tokio Marine & Nichido Fire Insurance won second place in the Efma-Accenture Innovation in Insurance Awards 2016 in the Best Disruptive Product or Service category for providing insurance for autonomous vehicle testing on public roads.
Another nontraditional insurance product likely to grow as a result of autonomous vehicles is cybersecurity insurance. According to Munich Re, 55 percent of corporate managers surveyed believe cybersecurity is the biggest insurance concern related to autonomous vehicles.
There is reasonable cause for concern. For example, in July 2015, two hackers were able to wirelessly control a Jeep – manipulating the air conditioner, radio, windshield wipers, transmission, and even the brakes. Soon after, Chrysler recalled 1.4 million vehicles that may have been affected by the vulnerability revealed in the Jeep hack. The demonstrated ability of hackers to control vehicles raises obvious concerns. Hackers could, for instance, cause autonomous vehicles to get into accidents or redirect vehicles transporting goods to perpetrate theft. Thus, although the personal automobile insurance market may shrink, the market for cybersecurity insurance related to autonomous vehicles should grow.
Technological change is inevitable, and the automobile insurance industry is no exception. While the rise of autonomous vehicles creates risks to existing business models, it also creates opportunities for existing players to provide new products, create new expertise, and serve their customers in new ways.
The use of AI to drive efficiency and business improvement has increased significantly in the last five years across multiple sectors.
© Norton Rose Fulbright LLP 2021