When Autonomous Vehicles Are Hacked, Who Is Liable?
Jul 12, 2019
An Initial Investigation into How Civil Liability Systems Can Prepare
Autonomous vehicles (AVs) are intended to deliver a future of safer, easier transportation. Hackers, however, may interfere with that promise by attacking these heavy, fast, artificial intelligences on wheels and steering them toward mischief.
RAND researchers examined the liability implications should hackers gain access to AVs and sow mayhem. While the probability could be low, the stakes could be high, given that hacks on AVs could lead to deaths, property destruction, ransomware attacks, or theft of information.
The researchers found that existing civil liability law initially will likely be flexible enough to adapt to most legal claims arising from hacked AVs. Still, all parties involved in putting AVs on the roadways — manufacturers, owners, insurers, policymakers, and others — would be well advised to start thinking now about the risks, their liability implications, and both regulatory and statutory policy responses.
Adoption of the technology and its ability to pay social dividends depend not only on the actual risks but also on the perception of those risks and the legal structures that might compensate for them. Even if the risks are small, policymakers will need to anticipate and react to them to secure the potential benefits of AVs.
AVs' promises — greater mobility for those who cannot drive, safer roadways, driving time dedicated to more-productive tasks — are spurring massive investment in the technology. Policymakers, in turn, are beginning to grapple with how to integrate AVs into society.
Along with such concerns as economic displacement of professional drivers, the specter of tens of thousands of cars running amok at the bidding of malicious hackers should give policymakers and AV advocates pause — even if its likelihood is small.
AVs are subject to multiple avenues of hacking attack. Software vulnerabilities, physical hacks via devices loaded with malicious code, and hacking of key hardware components all must be contemplated. These hacks can disable an AV, steer it toward destructive ends, and manipulate or steal user data, to name a few threats.
To assist policymakers in envisioning the civil legal implications of hacked AVs, RAND researchers investigated multiple plausible scenarios in which the hacking of AVs resulted in some sort of loss that might be compensated through civil action.
A number of scenarios that RAND researchers developed around hacked AVs help illustrate the diversity of policy challenges facing the civil legal system, insurers, and others. These vignettes were generated by starting with real-world hacking events or damages involving conventional vehicles and playing out scenarios to assist in liability analysis. They included
The civil liability of various parties was analyzed for these scenarios. That discussion identified the parties likely to be named as defendants in lawsuits arising from cyberattacks on AVs, focusing on
Because there are very few federal and state statutes on autonomous and connected vehicles, product liability laws — along with warranty law and state and federal privacy laws — are likely to be the most relevant bodies of law in suits arising from cyberattacks on AVs.
Negligence and strict liability are two legal theories that will play key roles in civil lawsuits arising from cyberattacks on AVs. Both of these theories involve balancing the foreseeability of specific cyberattacks and the costs associated with adopting alternative technologies that are less vulnerable to hacks.
Other areas of law that may shape liability in the context of hacked AVs include
The RAND researchers' application of the existing civil law framework to the scenarios they developed led them to multiple findings that will interest those shaping the future of AVs, including users, owners, manufacturers, insurers, and policymakers:
The finding that existing civil legal frameworks are likely to adapt to widespread introduction of AVs does not prevent policymakers from considering whether statutory approaches that define roles and responsibilities would facilitate adoption of the technology.
Such a statutory framework might offer the benefit of clarifying duties but may be inflexible when compared with the common law system in the face of both hard-to-anticipate technological developments and novel fact patterns.
Similarly, it would be helpful to better understand and perhaps clarify insurance coverage for cyberattacks on AVs for both consumer and commercial policies so that consumers, automakers, and policymakers can better understand which parties will bear the costs of such attacks.
Policymakers may also want to carefully consider how the legal system might cope with a large-scale attack. Such an attack could lead to bankruptcies and uncompensated losses and could exceed the capacity of insurers and reinsurers to cover the risk. Similar concerns in the wake of the September 11, 2001, attacks led to the passage of the Terrorism Risk Insurance Act.
Unfortunately, consumers have grown accustomed to hacks that compromise their personal information. Cybersecurity breaches have not led to a strong consumer demand for increased cybersecurity. Thus far, consumers have shrugged, changed their passwords, and moved on. Hacked AVs, however, threaten a range of consequences that vastly exceed those of most consumer hacks in terms of potential for death and property destruction. This may lead to increased consumer incentives for cybersecurity of AVs.
This report is part of the RAND Corporation Research brief series. RAND research briefs present policy-oriented summaries of individual published, peer-reviewed documents or of a body of published work.
This research in the public interest was supported by RAND, using discretionary funds made possible by the generosity of RAND's donors, the fees earned on client-funded research, and independent research and development (IR&D) funds provided by the Department of Defense.
This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.
The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.