[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 680 Introduced in Senate (IS)]

115th CONGRESS
  1st Session
                                 S. 680

 To protect consumers from security and privacy threats to their motor 
                   vehicles, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 21, 2017

 Mr. Markey (for himself and Mr. Blumenthal) introduced the following 
 bill; which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
 To protect consumers from security and privacy threats to their motor 
                   vehicles, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Security and Privacy in Your Car Act 
of 2017'' or the ``SPY Car Act of 2017''.

SEC. 2. CYBERSECURITY STANDARDS FOR MOTOR VEHICLES.

    (a) In General.--Chapter 301 of title 49, United States Code, is 
amended--
            (1) in section 30102(a)--
                    (A) by redesignating paragraphs (5) through (13) as 
                paragraphs (11) through (19), respectively;
                    (B) by redesignating paragraphs (2) through (4) as 
                paragraphs (5) through (7), respectively;
                    (C) by redesignating paragraph (1) as paragraph 
                (3);
                    (D) by inserting before paragraph (3), as 
                redesignated, the following:
            ``(1) `Administrator' means the Administrator of the 
        National Highway Traffic Safety Administration;
            ``(2) `Commission' means the Federal Trade Commission;'';
                    (E) by inserting after paragraph (3), as 
                redesignated, the following:
            ``(4) `critical software systems' means software systems 
        that can affect the driver's control of the vehicle 
        movement;''; and
                    (F) by inserting after paragraph (7), as 
                redesignated, the following:
            ``(8) `driving data' includes any electronic information 
        collected about--
                    ``(A) a vehicle's status, including, but not 
                limited to, its location or speed; and
                    ``(B) any owner, lessee, driver, or passenger of a 
                vehicle;
            ``(9) `entry points' includes means by which--
                    ``(A) driving data may be accessed, directly or 
                indirectly; or
                    ``(B) control signals may be sent or received 
                either wirelessly or through wired connections;
            ``(10) `hacking' means the unauthorized access to 
        electronic controls or driving data, either wirelessly or 
        through wired connections;''; and
            (2) by inserting after section 30128 the following:
``Sec. 30129. Cybersecurity standards
    ``(a) Cybersecurity Standards.--
            ``(1) Requirement.--All motor vehicles manufactured for 
        sale in the United States on or after the date that is two 
        years after the date on which final regulations are prescribed 
        pursuant to section 2(b)(2) of the SPY Car Act of 2017 shall 
        comply with the cybersecurity standards set forth in paragraphs 
        (2) through (4).
            ``(2) Protection against hacking.--
                    ``(A) In general.--All entry points to the 
                electronic systems of each motor vehicle manufactured 
                for sale in the United States shall be equipped with 
                reasonable measures to protect against hacking attacks.
                    ``(B) Isolation measures.--The measures referred to 
                in subparagraph (A) shall incorporate isolation 
                measures to separate critical software systems from 
                noncritical software systems.
                    ``(C) Evaluation.--The measures referred to in 
                subparagraphs (A) and (B) shall be evaluated for 
                security vulnerabilities following best security 
                practices, including appropriate applications of 
                techniques such as penetration testing.
                    ``(D) Adjustment.--The measures referred to in 
                subparagraphs (A) and (B) shall be adjusted and updated 
                based on the results of the evaluation described in 
                subparagraph (C).
            ``(3) Security of collected information.--All driving data 
        collected by the electronic systems that are built into motor 
        vehicles shall be reasonably secured to prevent unauthorized 
        access--
                    ``(A) while such data are stored onboard the 
                vehicle;
                    ``(B) while such data are in transit from the 
                vehicle to another location; and
                    ``(C) in any subsequent offboard storage or use.
            ``(4) Detection, reporting, and responding to hacking.--Any 
        motor vehicle that presents an entry point shall be equipped 
        with capabilities to immediately detect, report, and stop 
        attempts to intercept driving data or control the vehicle.
    ``(b) Penalties.--A person that violates this section is liable to 
the United States Government for a civil penalty of not more than 
$5,000 for each violation in accordance with section 30165.''.
    (b) Rulemaking.--
            (1) In general.--Not later than 18 months after the date of 
        the enactment of this Act, the Administrator of the National 
        Highway Traffic Safety Administration, after consultation with 
        the Federal Trade Commission, shall issue a Notice of Proposed 
        Rulemaking to carry out section 30129 of title 49, United 
        States Code, as added by subsection (a).
            (2) Final regulations.--Not later than three years after 
        the date of the enactment of this Act, the Administrator, after 
        consultation with the Commission, shall issue final regulations 
        to carry out section 30129 of title 49, United States Code, as 
        added by subsection (a).
            (3) Updates.--Not later than three years after final 
        regulations are issued pursuant to paragraph (2) and not less 
        frequently than once every three years thereafter, the 
        Administrator, after consultation with the Commission, shall--
                    (A) review the regulations issued pursuant to 
                paragraph (2); and
                    (B) update such regulations, as necessary.
    (c) Clerical Amendment.--The table of sections for chapter 301 of 
title 49, United States Code, is amended by striking the item relating 
to section 30128 and inserting the following:

``30128. Vehicle rollover prevention and crash mitigation.
``30129. Cybersecurity standards.''.
    (d) Conforming Amendment.--Section 30165(a)(1) of title 49, United 
States Code, is amended by inserting ``30129,'' after ``30127,''.

SEC. 3. CYBER DASHBOARD.

    (a) In General.--Section 32302 of title 49, United States Code, is 
amended by adding at the end the following:
    ``(e) Cyber Dashboard.--
            ``(1) In general.--All motor vehicles manufactured for sale 
        in the United States on or after the date that is 2 years after 
        the date on which final regulations are prescribed pursuant to 
        section 3(b)(2) of the SPY Car Act of 2017 shall display a 
        `cyber dashboard', as a component of the label required to be 
        affixed to each motor vehicle under section 32908(b).
            ``(2) Features.--The cyber dashboard required under 
        paragraph (1) shall inform consumers, through an easy-to-
        understand, standardized graphic, about the extent to which the 
        motor vehicle protects the cybersecurity and privacy of motor 
        vehicle owners, lessees, drivers, and passengers beyond the 
        minimum requirements set forth in section 30129 of this title 
        and in section 27 of the Federal Trade Commission Act.''.
    (b) Rulemaking.--
            (1) In general.--Not later than 18 months after the date of 
        the enactment of this Act, the Administrator, after 
        consultation with the Commission, shall prescribe regulations 
        for the cybersecurity and privacy information required to be 
        displayed under section 32302(c) of title 49, United States 
        Code, as added by subsection (a).
            (2) Final regulations.--Not later than 3 years after the 
        date of the enactment of this Act, the Administrator, after 
        consultation with the Commission, shall issue final regulations 
        to carry out section 32302 of title 49, United States Code, as 
        added by subsection (a).
            (3) Updates.--Not less frequently than once every 3 years, 
        the Administrator, after consultation with the Commission, 
        shall--
                    (A) review the regulations issued pursuant to 
                paragraph (2); and
                    (B) update such regulations, as necessary.

SEC. 4. PRIVACY STANDARDS FOR MOTOR VEHICLES.

    (a) In General.--The Federal Trade Commission Act (15 U.S.C. 41 et 
seq.) is amended by inserting after section 26 (15 U.S.C. 57c-2) the 
following:

``SEC. 27. PRIVACY STANDARDS FOR MOTOR VEHICLES.

    ``(a) In General.--All motor vehicles manufactured for sale in the 
United States on or after the date that is two years after the date on 
which final regulations are prescribed pursuant to subsection (e) shall 
comply with the requirements under subsections (b) through (d).
    ``(b) Transparency.--Each motor vehicle shall provide clear and 
conspicuous notice, in clear and plain language, to the owners or 
lessees of such vehicle of the collection, transmission, retention, and 
use of driving data collected from such motor vehicle.
    ``(c) Consumer Control.--
            ``(1) In general.--Subject to paragraphs (2) and (3), 
        owners or lessees of motor vehicles shall be given the option 
        of terminating the collection and retention of driving data.
            ``(2) Access to navigation tools.--If a motor vehicle owner 
        or lessee decides to terminate the collection and retention of 
        driving data under paragraph (1), the owner or lessee shall not 
        lose access to navigation tools or other features or 
        capabilities, to the extent technically possible.
            ``(3) Exception.--Paragraph (1) shall not apply to driving 
        data stored as part of the electronic data recorder system or 
        other safety systems on-board the motor vehicle that are 
        required for post-incident investigations, emissions history 
        checks, crash avoidance or mitigation, or other regulatory 
        compliance programs.
    ``(d) Limitation on Use of Personal Driving Information.--
            ``(1) In general.--A manufacturer (including an original 
        equipment manufacturer) may not use any information collected 
        by a motor vehicle for advertising or marketing purposes 
        without affirmative express consent by the owner or lessee.
            ``(2) Requests.--Consent requests under paragraph (1)--
                    ``(A) shall be clear and conspicuous;
                    ``(B) shall be made in clear and plain language; 
                and
                    ``(C) may not be a condition for the use of any 
                nonmarketing feature, capability, or functionality of 
                the motor vehicle.
    ``(e) Enforcement.--A violation of this section shall be treated as 
an unfair or deceptive act or practice in violation of a rule 
prescribed under section 18(a)(1)(B).''.
    (b) Rulemaking.--
            (1) In general.--Not later than 18 months after the date of 
        the enactment of this Act, the Federal Trade Commission, after 
        consultation with the Administrator of the National Highway 
        Traffic Safety Administration, shall prescribe regulations, in 
        accordance with section 553 of title 5, United States Code, to 
        carry out section 27 of the Federal Trade Commission Act, as 
        added by subsection (a).
            (2) Final regulations.--Not later than three years after 
        the date of the enactment of this Act, the Commission, after 
        consultation with the Administrator, shall issue final 
        regulations, in accordance with section 553 of title 5, United 
        States Code, to carry out section 27 of the Federal Trade 
        Commission Act, as added by subsection (a).
            (3) Updates.--Not less frequently than once every three 
        years, the Commission, after consultation with the 
        Administrator, shall--
                    (A) review the regulations prescribed pursuant to 
                paragraph (2); and
                    (B) update such regulations, as necessary.