Risk: liability and security to the fore

Who’s liable if a driverless vehicle crashes? And how vulnerable are they to cyber attack?

Tomorrow’s cars raise some challenging questions for those who are going to make them.dada

Who’s to blame – software, hardware or humanware?

A principal driver of connected autonomous vehicle (CAV) technology is safety.

One day, we may reach a point when every vehicle on the road is a CAV. With fail-safe technology, road accidents – and the more than 1.2 million annual death toll from traffic-related incidents – will become a thing of the past. But until we reach that point, there are still going to be accidents involving humans behind the wheel.

Currently of course, a driver is usually to blame for an accident. Third-party liability (TPL) insurance policies are mandatory in most jurisdictions and the insurance industry is experienced in dealing with a large volume of motor insurance claims.

As more autonomous vehicles take to the road, the liability for accidents will shift from drivers to manufacturers. Individual product liability claims – currently rare – will become much more common, particularly subrogation ones.

But is product liability law ready to deal with autonomous vehicles? Under EU legislation, a product has to be defective in some identifiable way to be caught. A defect could be introduced during the design or manufacturing process, or found within the user instructions or the monitoring systems. But while a faulty accelerator is easy to spot, it’s not so easy to identify a defect in a piece of software. Litigation could become very expensive as the parties try to determine at what point the defect was introduced – and whether testing should have identified it.

Karin Geissl, counsel in Freshfields automotive group, says: ‘At this stage it’s about preventative product liability. We’re looking at what issues could arise in the future, and how we can help limit the manufacturer’s or supplier’s liability. We’re also working with engineers to get extra safeguards and warnings put in place to guard against “foreseeable misuse”, but the divergence of highway regulations is a big challenge. The Vienna convention, for example, prohibits the use of smartphones behind the wheel but the regulations in Nevada allow occupants of self-driving cars to use their handsets. This raises issues for automakers, even if motorists are aware of the restrictions.’

What needs to change to bring greater certainty around liability? A solution might be to change insurance law to bring manufacturers and their suppliers into the TPL insurance regime. They would have either a joint policy with the vehicle owner or their own. In the latter case, their liability would be limited to damages caused by defective autonomous systems – similar to product liability.

But as cars become more autonomous, manufacturers could be seen as a – and with full autonomy the – responsible driver of the vehicle. This could make them liable even if no defect is found.

Motor insurance – what Germany is doing

Like many other countries, Germany wants to become a leading market for autonomous driving. To support this aim, it amended its driving laws in 2017 to define and allow automated driving, helping remove legal uncertainty for drivers, owners and manufacturers.

Under the revised Road Traffic Act, a driver could be held liable if they fail to resume manual control when alerted by the automated driving system. If the accident is caused by a failure of the system when the driver was properly relying on it, the driver will not be liable.

The vehicle’s owner remains liable in relation to any victim of the accident under Germany’s car owner liability regime. But their insurer could claim compensation from the manufacturer. 

The law was criticised for not including a specific product liability claim against the vehicle’s manufacturer. But the German government has said that the general product liability rules should be sufficient.

An alternative might to amend the product liability regime so that manufacturers and suppliers could be held liable for the way their products performed, ie identifying a defect would not be required.

‘This would obviously raise considerable objections so would need to be limited in scope and only apply in very limited contexts,’ says Karin Geissl. ‘Defining the rules would needs an unprecedented level of co-operation and engagement between the automotive sector, the insurance industry, governments and regulators. But it’s been accomplished in the aviation industry, and that could provide the model for the auto sector.’

Motor insurance – what the UK is doing

The UK introduced a law in 2018 that confirmed, in the first instance, motor insurers are generally liable for accidents caused by an automated vehicle when in self-driving mode. Following an accident, the injured party would claim compensation from the insurer, which would then make a claim against the carmaker or – depending on who was ultimately at fault – one its suppliers, such as a software developer or part manufacturer.

The legislation does allow for contributory negligence, ie where the injured party was partly to blame for the accident or it was inappropriate for the driver to put the vehicle in autonomous mode.

The insurer would not be liable if the accident was caused by a prohibited software update or a failure to install safety-critical software updates.

Back to top.

Are cars safe from cyber attack?

Cyber attacks are common and can be costly. But while a strike on a business can disrupt operations and cause financial and reputational damage, a cyber attack on a car can lead to the loss of personal data and – in worst-case scenarios – loss of life. That in turn could reduce public confidence in autonomous driving.

Any system with multiple nodes connected over a network is vulnerable to attack. The number of nodes in cars in the form of electronic control units (ECUs) is increasing, so manufacturers are working hard to ensure their ECUs are secure. This includes working with suppliers to ensure components cannot be compromised and, if a vulnerability is exposed, to allow software patches to be applied remotely – just like updating a ‘traditional’ computer operating system.

‘Cyber vulnerability is a major legal issue as well as a practical business risk for corporations,’ says Theresa Ehlen, a Freshfields senior associate and member of the firm’s cyber security team. ‘Under the EU’s general date protection regulation, for example, companies must – within 72 hours of becoming aware – report certain types of personal data breach. Failure to do so can result in fines of between 2 and 5 per cent of global revenues.’

It’s a little more complex in the US, which has more of a patchwork of sector-specific and state rules and regulations. But for cyber breaches involving consumer data, it’s the Federal Trade Commission that would step in. In 2018 for example, the Commission reached a settlement with Uber regarding a 2016 cyber security incident that occurred while it was investigating Uber for a similar incident from two years earlier.’

Jane Jenkins, Freshfields partner and cyber security specialist, said: ‘Preventing a cyber attack involves more than expensive technology. Companies must educate their customers and have robust compliance procedures in place to govern staff behaviour. They need to plan their PR response and understand their disclosure obligations in the event of a crisis. And once the attack is over, they also need to deal with the regulatory fallout, the possibility of product recalls and potential litigation. There is a growing trend for mass claims following data breaches, with claimants seeking compensation not just for any financial loss but also the inconvenience and distress the breach causes them.’

Again, like autonomous safety standards, a global approach could be the answer. Carmakers and technology companies already sit side by side in industry bodies to develop autonomous technologies. There’s no reason why these could not be expanded to include all carmakers and technology suppliers, who can them work towards standardising the way products are designed, tested and deployed.

Back to top.