- What are the potential vulnerabilities of AVs to hackers, and what types of damage could result from exploitation of those vulnerabilities?
- How might models of information assurance and legal responsibilities shift among participants in the AV economy?
- How do existing theories of civil liability (relevant to the fields of computer hacking and conventional vehicles) map to relevant scenarios to illustrate where policy responses may be needed?
Who might face civil liability if autonomous vehicles (AVs) are hacked to steal data or inflict mayhem, injuries, and damage? How will the civil justice and insurance systems adjust to handle such claims? RAND researchers addressed these questions to help those in the automotive, technology, legal, and insurance industries prepare for the shifting roles and responsibilities that the era of AVs may bring. Using four scenarios (a ransomware attack, a hacked vehicle damaging government property, hacks on a connected roadway that cause damage, and theft of information through hacking of AVs), the authors explored the civil legal theories that may come into play when real-world damages result from AVs being hacked. They also examined how those theories may affect various parties, including car manufacturers, component makers, dealers, and both corporate and individual owners. Existing civil legal structures appear flexible enough to adapt to cases involving hacked AVs except in the case of large-scale cyberattacks, but it may be useful to clarify both liability and insurance coverages.
Existing civil liability law will likely be sufficiently flexible to adapt to most hacked AV liability claims
- There is no immediate necessity for Congress or state legislatures to pass statutes to address this set of risks.
- Research on the ability of the insurance system to compensate for a large-scale cyberattack is needed.
- Exclusions for acts of war in many insurance policies, the difficulties in determining the attackers, and the potential magnitude of the damages may create challenges to the existing liability system.
- AV manufacturers, manufacturers and designers of component parts and software, and distributors of AVs may face civil liability for criminal hacks on AVs under well-established legal precedent.
Product liability laws, warranty laws, and state and federal privacy laws are the most relevant bodies of law
- Cost-benefit and foreseeability analyses will influence legal analysis of responsibility for damages from cyberattacks.
- Manufacturers of vehicles and component parts will need to stay abreast of attacks on AVs and take precautions to avoid similar attacks if they wish to avoid liability.
- Users of AVs may face liability for cyberattacks if, for example, they reject an important security update, allowing a hacker to take control of the AV.
Government agencies may be potential defendants in civil lawsuits that arise out of incidents involving unsafe infrastructure
- Although sovereign immunity may protect government agencies in some situations, immunity may not apply as they undertake ministerial tasks, such as road maintenance.
- Significant municipal and state engagement in infrastructure development will be necessary if the connected vehicle environment relies on communications between AVs and roadside infrastructure.
- Policymakers should consider the following questions: Should statutes be used to clarify legal responsibility for various harms that can be anticipated to arise from hacked AVs, instead of relying on the more-flexible common-law process? How should governmental and judicial expertise in technologies that will prevent cyberattacks be developed and maintained? What regulations might be appropriate to prevent or mitigate harms that would arise from hacked AVs causing damage?
- The realization of the societal benefits of AVs would benefit from the following actions: developing a framework for measuring the cybersecurity and safety of AVs; better understanding insurance coverages for cyberattacks on AVs, both for commercial and consumer policies, to determine who will bear the costs of such attacks; and better understanding who would bear the costs of a large-scale cyberattack on AVs and whether a reinsurance backstop would be useful.
Table of Contents
- Introduction — Understanding the Context
- Autonomous Vehicles and Future Roadways
- How Can Hackers Exploit Autonomous Vehicles?
- Hacked Autonomous Vehicles and the Harms They Can Cause
- Shifting Roles and Responsibilities for Information Assurance for Autonomous Vehicle Cybersecurity
- Civil Liability and Cyberattacks: General Legal Framework
- Legal Analysis of Hypothetical Risk Scenarios
- Cyber Exploits Against Autonomous Vehicles
- The Phases of the National Institute of Standards and Technology Cyber-Physical System Draft Framework
This project is a RAND Venture. Funding was provided by gifts from RAND supporters and income from operations. The research was conducted by the RAND Institute for Civil Justice within RAND Social and Economic Well-Being.
This report is part of the RAND Corporation Research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.