In 1984 Motown released “Somebody’s Watching Me,” a single and album recorded by a singer whose stage name was “Rockwell.” The song became a minor hit and is known for having Michael and Jermaine Jackson doing guest vocals — and for the fact that Rockwell was a son of producer and Motown CEO Berry Gordy. For the purposes of this article, I would like to draw attention to a portion of the chorus:
“I always feel like somebody’s watching me. And I have no privacy.”
So, how does this relate to compliance? The focus here is not on “somebody” watching you, but rather on cars “watching” you. Today’s cars have a treasure trove of data from sensors, onboard Wi-Fi modems, cameras, and even the OBD-II port. Who owns all this data?
Server Rooms on Wheels
Consider the types of data harvested by your car. A small sample would include trip duration, acceleration, where you drive, who is on your contact list, and even camera data. Some in the auto industry see all this customer car data as a revenue stream, which has been estimated to be worth millions of dollars. If your car has a Wi-Fi modem on board, your data can be recorded and streamed to automakers. Likewise, certain apps like Waze or even GM’s Marketplace app monitor where you go, what you buy and even where you eat.
While most of the available data may not fit into the traditional definition of nonpublic personal information under the Gramm-Leach-Bliley Act (which focuses on “personally identifiable financial information”), the information we have described above is still worthy of protection. Most of the type of data your car harvests about you raises privacy concerns. But from a compliance perspective, your home address, your home phone number, your email address, your speeding, and all of your personal contacts raise additional issues.
There is a type of software that authenticates electronic signatures provided by a company called DocuSign. DocuSign suffered a data breach in which, according to DocuSign, only a non-core system which was used to provide service related emails to clients was hacked. No Social Security numbers nor names or addresses were accessed. What the hackers did obtain, however, was possibly 100 million email addresses. The hackers then embarked on a malicious phishing email attack directed against those harvested email addresses. If you clicked on the link in the email from “DocuSign,” then you can only imagine what would happen.
So let’s get back to your car. In your car’s computer memory, I am betting that there is a contact list containing hundreds of contacts. Those same contacts, while not traditional NPI, could subject you and all your contacts to a spearfishing attack like what happened to DocuSign customers!
You car’s address book in its computer memory is open to techs in every service department you visit. The driving records it creates are open to the techs plugging into the diagnostic port, and all of your data collected by your car is possibly open to any hacker through your onboard Wi-Fi modem.
Car data logging and car data harvesting is fertile ground for compliance and privacy issues to arise. Who owns your data stored in various “computers” in your car? Who has the duty to safeguard all this data? What happens if this data is harvested and innocent victims are subject to a malicious phishing attack?
Some companies present a “click-through” consent screen on your car to enable access to your car’s data through the built-in Wi-Fi modem. Is this sufficient?
Car data — and more importantly, securing car data — is currently one frontier in which the outlines of permissible conduct have not been firmly established. So we know the answer posed by the song and title of this article, it is your car that is watching you. ... But that begs the question. Who is harvesting your data from your car, and how are they using your data?
Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without retaining counsel to provide specific legal advice based upon your particular situation, jurisdiction and circumstances. No duties are assumed, intended or created by this communication. No attorney-client relationship is being created by your review or use of this material.