S.1806 — 114th Congress (2015-2016)

There is one version of the bill.

Introduced in Senate (07/21/2015)


114th CONGRESS
1st Session
S. 1806


To protect consumers from security and privacy threats to their motor vehicles, and for other purposes.


IN THE SENATE OF THE UNITED STATES

July 21, 2015

Mr. Markey (for himself and Mr. Blumenthal) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation


A BILL

To protect consumers from security and privacy threats to their motor vehicles, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Security and Privacy in Your Car Act of 2015” or the “SPY Car Act of 2015”.

SEC. 2. Cybersecurity standards for motor vehicles.

(a) In general.—Chapter 301 of title 49, United States Code, is amended—

(1) in section 30102(a)—

(A) by redesignating paragraphs (4) through (11) as paragraphs (10) through (17), respectively;

(B) by redesignating paragraphs (1) through (3) as paragraphs (4) through (6), respectively;

(C) by inserting before paragraph (3), as redesignated, the following:

“(1) ‘Administrator’ means the Administrator of the National Highway Traffic Safety Administration;

“(2) ‘Commission’ means the Federal Trade Commission;

“(3) ‘critical software systems’ means software systems that can affect the driver’s control of the vehicle movement;”; and

(D) by inserting after paragraph (6), as redesignated, the following:

“(7) ‘driving data’ include, but are not limited to, any electronic information collected about—

“(A) a vehicle’s status, including, but not limited to, its location or speed; and

“(B) any owner, lessee, driver, or passenger of a vehicle;

“(8) ‘entry points’ include, but are not limited to, means by which—

“(A) driving data may be accessed, directly or indirectly; or

“(B) control signals may be sent or received either wirelessly or through wired connections;

“(9) ‘hacking’ means the unauthorized access to electronic controls or driving data, either wirelessly or through wired connections;”; and

(2) by adding at the end the following:

“§ 30129. Cybersecurity standards

“(a) Cybersecurity standards.—

“(1) REQUIREMENT.—All motor vehicles manufactured for sale in the United States on or after the date that is 2 years after the date on which final regulations are prescribed pursuant to section 2(b)(2) of the SPY Car Act of 2015 shall comply with the cybersecurity standards set forth in paragraphs (2) through (4).

“(2) PROTECTION AGAINST HACKING.—

“(A) IN GENERAL.—All entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks.

“(B) ISOLATION MEASURES.—The measures referred to in subparagraph (A) shall incorporate isolation measures to separate critical software systems from noncritical software systems.

“(C) EVALUATION.—The measures referred to in subparagraphs (A) and (B) shall be evaluated for security vulnerabilities following best security practices, including appropriate applications of techniques such as penetration testing.

“(D) ADJUSTMENT.—The measures referred to in subparagraphs (A) and (B) shall be adjusted and updated based on the results of the evaluation described in subparagraph (C).

“(3) SECURITY OF COLLECTED INFORMATION.—All driving data collected by the electronic systems that are built into motor vehicles shall be reasonably secured to prevent unauthorized access—

“(A) while such data are stored onboard the vehicle;

“(B) while such data are in transit from the vehicle to another location; and

“(C) in any subsequent offboard storage or use.

“(4) DETECTION, REPORTING, AND RESPONDING TO HACKING.—Any motor vehicle that presents an entry point shall be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.

“(b) Penalties.—A person that violates this section is liable to the United States Government for a civil penalty of not more than $5,000 for each violation in accordance with section 30165.”.

(b) Rulemaking.—

(1) IN GENERAL.—Not later than 18 months after the date of the enactment of this Act, the Administrator, after consultation with the Commission, shall issue a Notice of Proposed Rulemaking to carry out section 30129 of title 49, United States Code, as added by subsection (a).

(2) FINAL REGULATIONS.—Not later than 3 years after the date of the enactment of this Act, the Administrator, after consultation with the Commission, shall issue final regulations to carry out section 30129 of title 49, United States Code, as added by subsection (a).

(3) UPDATES.—Not later than 3 years after final regulations are issued pursuant to paragraph (2) and not less frequently than once every 3 years thereafter, the Administrator, after consultation with the Commission, shall—

(A) review the regulations issued pursuant to paragraph (2); and

(B) update such regulations, as necessary.

(c) Clerical amendment.—The table of sections for chapter 301 of title 49, United States Code, is amended by striking the item relating to section 30128 and inserting the following:


“30128. Vehicle rollover prevention and crash mitigation.

“30129. Cybersecurity standards.”.

(d) Conforming amendment.—Section 30165(a)(1) of title 49, United States Code, is amended by inserting “30129,” after “30127,”.

SEC. 3. Cyber dashboard.

(a) In general.—Section 32302 of title 49, United States Code, is amended by inserting after subsection (b) the following:

“(c) Cyber dashboard.—

“(1) IN GENERAL.—All motor vehicles manufactured for sale in the United States on or after the date that is 2 years after the date on which final regulations are prescribed pursuant to section 3(b)(2) of the SPY Car Act of 2015 shall display a ‘cyber dashboard’, as a component of the label required to be affixed to each motor vehicle under section 32908(b).

“(2) FEATURES.—The cyber dashboard required under paragraph (1) shall inform consumers, through an easy-to-understand, standardized graphic, about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers, and passengers beyond the minimum requirements set forth in section 30129 of this title and in section 27 of the Federal Trade Commission Act.”.

(b) Rulemaking.—

(1) IN GENERAL.—Not later than 18 months after the date of the enactment of this Act, the Administrator, after consultation with the Commission, shall prescribe regulations for the cybersecurity and privacy information required to be displayed under section 32302(c) of title 49, United States Code, as added by subsection (a).

(2) FINAL REGULATIONS.—Not later than 3 years after the date of the enactment of this Act, the Administrator, after consultation with the Commission, shall issue final regulations to carry out section 32302 of title 49, United States Code, as added by subsection (a).

(3) UPDATES.—Not less frequently than once every 3 years, the Administrator, after consultation with the Commission, shall—

(A) review the regulations issued pursuant to paragraph (2); and

(B) update such regulations, as necessary.

SEC. 4. Privacy standards for motor vehicles.

(a) In general.—The Federal Trade Commission Act (15 U.S.C. 41 et seq.) is amended by inserting after section 26 (15 U.S.C. 57c–2) the following:

“SEC. 27. Privacy standards for motor vehicles.

“(a) In general.—All motor vehicles manufactured for sale in the United States on or after the date that is 2 years after the date on which final regulations are prescribed pursuant to subsection (e) shall comply with the features required under subsections (b) through (d).

“(b) Transparency.—Each motor vehicle shall provide clear and conspicuous notice, in clear and plain language, to the owners or lessees of such vehicle of the collection, transmission, retention, and use of driving data collected from such motor vehicle.

“(c) Consumer control.—

“(1) IN GENERAL.—Subject to paragraphs (2) and (3), owners or lessees of motor vehicles shall be given the option of terminating the collection and retention of driving data.

“(2) ACCESS TO NAVIGATION TOOLS.—If a motor vehicle owner or lessee decides to terminate the collection and retention of driving data under paragraph (1), the owner or lessee shall not lose access to navigation tools or other features or capabilities, to the extent technically possible.

“(3) EXCEPTION.—Paragraph (1) shall not apply to driving data stored as part of the electronic data recorder system or other safety systems on-board the motor vehicle that are required for post-incident investigations, emissions history checks, crash avoidance or mitigation, or other regulatory compliance programs.

“(d) Limitation on use of personal driving information.—

“(1) IN GENERAL.—A manufacturer (including an original equipment manufacturer) may not use any information collected by a motor vehicle for advertising or marketing purposes without affirmative express consent by the owner or lessee.

“(2) REQUESTS.—Consent requests under paragraph (1)—

“(A) shall be clear and conspicuous;

“(B) shall be made in clear and plain language; and

“(C) may not be a condition for the use of any nonmarketing feature, capability, or functionality of the motor vehicle.

“(e) Enforcement.—A violation of this section shall be treated as an unfair and deceptive act or practice in violation of a rule prescribed under section 18(a)(1)(B).”.

(b) Rulemaking.—

(1) IN GENERAL.—Not later than 18 months after the date of the enactment of this Act, the Commission, after consultation with the Administrator of the National Highway Traffic Safety Administration (referred to in this subsection as the “Administrator”), shall prescribe regulations, in accordance with section 553 of title 5, United States Code, to carry out section 27 of the Federal Trade Commission Act, as added by subsection (a).

(2) FINAL REGULATIONS.—Not later than 3 years after the date of the enactment of this Act, the Commission, after consultation with the Administrator, shall issue final regulations, in accordance with section 553 of title 5, United States Code, to carry out section 27 of the Federal Trade Commission Act, as added by subsection (a).

(3) UPDATES.—Not less frequently than once every 3 years, the Commission, after consultation with the Administrator, shall—

(A) review the regulations prescribed pursuant to paragraph (2); and

(B) update such regulations, as necessary.