全球智库信息集成服务系统

Existing civil liability law will likely be sufficiently flexible to adapt to most hacked AV liability claims

• There is no immediate necessity for Congress or state legislatures to pass statutes to address this set of risks.
• Research on the ability of the insurance system to compensate for a large-scale cyberattack is needed.
• Exclusions for acts of war in many insurance policies, the difficulties in determining the attackers, and the potential magnitude of the damages may create challenges to the existing liability system.
• AV manufacturers, manufacturers and designers of component parts and software, and distributors of AVs may face civil liability for criminal hacks on AVs under well-established legal precedent.

Product liability laws, warranty laws, and state and federal privacy laws are the most relevant bodies of law

• Cost-benefit and foreseeability analyses will influence legal analysis of responsibility for damages from cyberattacks.
• Manufacturers of vehicles and component parts will need to stay abreast of attacks on AVs and take precautions to avoid similar attacks if they wish to avoid liability.
• Users of AVs may face liability for cyberattacks if, for example, they reject an important security update, allowing a hacker to take control of the AV.

Government agencies may be potential defendants in civil lawsuits that arise out of incidents involving unsafe infrastructure

• Although sovereign immunity may protect government agencies in some situations, immunity may not apply as they undertake ministerial tasks, such as road maintenance.
• Significant municipal and state engagement in infrastructure development will be necessary if the connected vehicle environment relies on communications between AVs and roadside infrastructure.

Who might face civil liability if autonomous vehicles (AVs) are hacked to steal data or inflict mayhem, injuries, and damage? How will the civil justice and insurance systems adjust to handle such claims? RAND researchers addressed these questions to help those in the automotive, technology, legal, and insurance industries prepare for the shifting roles and responsibilities that the era of AVs may bring. Using four scenarios (a ransomware attack, a hacked vehicle damaging government property, hacks on a connected roadway that cause damage, and theft of information through hacking of AVs), the authors explored the civil legal theories that may come into play when real-world damages result from AVs being hacked. They also examined how those theories may affect various parties, including car manufacturers, component makers, dealers, and both corporate and individual owners. Existing civil legal structures appear flexible enough to adapt to cases involving hacked AVs except in the case of large-scale cyberattacks, but it may be useful to clarify both liability and insurance coverages.

• Chapter One

  Introduction — Understanding the Context

• Chapter Two

  Autonomous Vehicles and Future Roadways

• Chapter Three

  How Can Hackers Exploit Autonomous Vehicles?

• Chapter Four

  Hacked Autonomous Vehicles and the Harms They Can Cause

• Chapter Five

  Shifting Roles and Responsibilities for Information Assurance for Autonomous Vehicle Cybersecurity

• Chapter Six

  Civil Liability and Cyberattacks: General Legal Framework

• Chapter Seven

  Legal Analysis of Hypothetical Risk Scenarios

• Chapter Eight

  Conclusions

• Appendix A

  Cyber Exploits Against Autonomous Vehicles

• Appendix B

  The Phases of the National Institute of Standards and Technology Cyber-Physical System Draft Framework