NAFA recommends that corporate and municipal vehicle fleet managers develop transparent policies governing the collection and analysis of driver behavior data.
NAFA recommends that corporate and municipal vehicle fleet managers develop transparent policies governing the collection and analysis of driver behavior data.

Security and privacy concerns surrounding connected car technologies impact not only consumer automobiles but entire fleets of corporate and municipal vehicles used for transportation, logistics, law enforcement and other business and government needs. Bearing this in mind, the National Association of Fleet Administrators (NAFA) on Monday published a new white paper containing a series of recommended policies that organizations can implement to reduce risks associated with automotive cyberthreats.

“For many [fleet managers], the issues of cybersecurity will become a front-line issue similar to safety, distracted driving, environment, etc.,” said Patrick O'Connor, president of government affairs firm Kent & O'Connor and NAFA's U.S. legislative counsel, in a webinar reviewing the paper's key tenets. To that end, NAFA will use its own recommendations as a jumping-off point for future collaboration with key players including the Automotive Information Sharing and Analysis Center (Auto-ISAC), the Department of Transportation, the National Highway Traffic Safety Administration (NHTSA), the Department of Homeland Security (DHS), lawmakers and auto manufacturers.

Among the most significant data threats currently found in vehicle fleets are telematics systems that track and wirelessly communicate the location, movement, behavior and health of a vehicle in real time, according to the report, entitled “Fleets and the Connected Vehicle.” Fleet managers fear that cyberattacks could steal such data for their own personal benefit or even hack into a vehicle's control systems via the On-Board Diagnostic (OBD II) port to which such devices are connected.

So great is the fear of hacking in Chesterfield County, Virginia, that the municipality forbids Bluetooth communications in its government vehicles, said Jeff Jeter, county fleet manager and NAFA vice president. “We've got major concerns that folks will be hacking into the county mainframe” in order to steal financials, or even “taking over control of the vehicles,” said Jeter during the webinar.

Robert Martinez, a deputy commissioner with the NYPD and former director of its Fleet Services Division, expressed his own concerns about connected car technology: “In undercover work, obviously, we could be following people and doing different surveillance… so people having access to the location of these vehicles and where they've been causes a major concern for law enforcement,” said Martinez during the webinar. “Just like criminals in the past would use a police scanner, if they have access to geolocation of [police] vehicles, they could be doing a crime somewhere and they can actually see if the vehicles are approaching their area and know whether to get out of there or not.”

From both a privacy and legal perspective, NAFA has recommended that fleet administrators and their employers develop transparent and specific policies governing the collection and analysis of driver behavior data, and to ensure that drivers are aware of these guidelines. Policies should include what kind of information is collected and how it will be used. NAFA also noted that corporate policies must account for differing privacy expectations depending on whether a corporate vehicle is driven exclusively for business purposes or for personal use as well.

Additionally, NAFA stated its intention to collaborate with car manufacturers to make sure that OEMs are responsibly tracking vehicular data. According to NAFA, the vehicle owner (whether an individual or company) is the “rightful owner of data generated and transmitted by the vehicle,” and owners should have to opt in “before data can be transmitted and collected by the OEM.”

NAFA did acknowledge, however, that OEMs should have unrestricted access to vehicle operating system data required for warranty and safety purposes, but added that such practices still should be disclosed to owners.

As for security, NAFA said it would work with the Auto-ISAC – which in July issued a list of automotive cybersecurity best practices – to establish communication protocols enabling the exchange of information related to cyber incidents. This way, if you're a fleet manager, “As incidents come through your maintenance facilities or from your third-party repair shops that you might think are cyber related… there will be a protocol in place for you to push that information up to the manufacturers,” explained O'Connor. “And in turn, as manufacturers learn that a specific [vehicle] function may be vulnerable, they can push that out to you.”

The paper also broadly recommends that fleet managers make security a high priority within their organizations.

Moreover, NAFA addressed concerns that hackers can compromise a vehicle's Electronic Control Unit via the ODB II port that many fleet managers use for telematics and vehicle diagnostics purposes. While the paper attests that proper fleet management “requires continued access to the OBD II port,” NAFA also states that it is eager to “collaborate with vehicle manufacturers and other stakeholders on alternatives to the OBD II port, provided that such alternatives guarantee the same level of access to data for fleet management.”

In the meantime, NAFA has advised fleet administrators to ensure that “only secure devices” are connected to the OBD II port.

“For fleet professionals, the rapid growth of vehicle connectivity presents challenges, as well as opportunities,” said NAFA CEO Phillip E. Russo, in an organizational press release. “For all drivers, the way North American roadways – and indeed, global roadways – function will be drastically different sooner than anyone imagines. This is a conversation that NAFA has a duty to be part of.”