On June 14, 2021, the federal court bench trial commences in Alliance for Automotive Innovation v. Healey, where a motor vehicle manufacturer trade association seeks to invalidate a 2020 ballot initiative amending that state’s Right to Repair Law. Beginning with model year 2022 (which for some OEMs, has already begun) the amendment requires, among other things, that OEMs equip vehicles sold in Massachusetts with a standardized, non-proprietary, open access telematics platform “across all of the manufacturer’s makes and models” and make telematics data available to independent repair shops and vehicle owners.
The Alliance contends that the new law is preempted by the federal National Traffic and Motor Vehicle Safety Act (the “Safety Act”) and the Clean Air Act. The Massachusetts Attorney General argues that federal regulations do not preempt a validly adopted ballot initiative and that Massachusetts voters have spoken on this issue. Although heavily redacted, the pre-trial briefing and proposed findings of fact reveal the arguments each side is making. Here are five key questions that Judge Douglas Woodlock will need to decide:
Does NHTSA Cybersecurity Guidance Preempt State Law?
The Alliance argues that the new law—referred to by the parties as the “Data Law”—would require OEMs to remove or otherwise degrade key cybersecurity controls that protect safety-critical vehicle functions, which conflicts with the purposes and objectives of the Safety Act. Congress has delegated authority to the National Highway Traffic Safety Administration (“NHTSA”) to issue and enforce Federal Motor Vehicle Safety Standards (“FMVSS”). Although NHTSA has not issued any specific cybersecurity regulations, it has released detailed guidance in which it has encouraged OEMs to proactively adopt and use available guidance and best practices to ensure adequate cybersecurity protection.
The Alliance concedes that the NHTSA has declined to codify particular cybersecurity controls in a regulation, but contends that it has made mandatory the integration of adequate cybersecurity controls, particularly because NHTSA has used its recall authority to address flaws in vehicle software security in the past. The Attorney General says that the Alliance overstates the preemptive effect of NHTSA’s guidance because federal rights can only conflict with state law when they stem from the Constitution or valid statutes enacted by Congress. Moreover, the Attorney General contends that simply because NHTSA may, in the future, order a recall over cybersecurity issues does not create a conflict between the Data Law and federal law.
Does the Data Law Compel OEMs to “Make Inoperative” Vehicle Design Elements?
The Alliance also argues that the Data Law conflicts with the Safety Act’s provision prohibiting OEMs from “making inoperative” design elements, like cybersecurity controls, that protect safety-critical functions. The Alliance suggests that the provision applies not only to features specifically identified by FMVSS, but to any element of design that OEMs install in a motor vehicle to comply with FMVSS. And because OEMs have installed a variety of cybersecurity protections as elements of design to protect core vehicle functions, these protections are key parts of the element of design of vehicles to allow them to comply with FMVSS. Making them inoperative, as the Alliance contends the Data Law would require, would accordingly conflict with the Safety Act.
The Attorney General points out that none of the FMVSS cited by the Alliance preempt the Data Law because they do not address the secure data access issues the Data Law deals with. Moreover, the Attorney General argues that the Data Law does not make it impossible for an OEM to comply with both the state law and any FMVSS because the Data Law does not require removing or disabling safety equipment or features, such as disabling a vehicle’s airbag or breaking system. And in any event, the Attorney General argues that the “make inoperative” provision of the Safety Act is enforceable only by the Secretary of Transportation, not by private individuals through an individual right of action, therefore the Alliance lacks a cause of action in equity to even raise its preemption claims.
Are There any Circumstances Under Which the Data Law Does Not Conflict With Federal Law?
The Attorney General argues that where, as here, a statute is challenged pre-enforcement, the Alliance has the burden of proving that there is no possible set of conditions under which the Data Law would not conflict with federal law. In other words, the Alliance must show that compliance with both the Data Law and federal law is a physical impossibility, not that it would merely be difficult or costly to comply with. The Attorney General suggests that OEMs have highly capable cybersecurity teams that can use existing methods and technology to comply with the Data Law. As for the Data Law’s requirement that owners and independent repair shops be given access to telematics systems through an “inter-operable, standardized and open access platform” through a mobile-based application, OEMs have several potential ways to comply, including by choosing not to equip vehicles with a telematics system or disabling the telematics systems on vehicles that already have them.
The Alliance claims that the Attorney General and her experts have admitted that the systems required to comply with the Data Law do not currently exist. The Alliance further argues that there is no currently existing system architecture that allows standardized access to all aspects of vehicle onboard diagnostic systems, nor is there any existing system architecture that would allow access to vehicle networks that are administered by a third-party unaffiliated with a manufacturer. And finally, there is no currently existing “platform” that would allow for the “inter-operable, standardized and open access” to all vehicle data related to vehicle diagnosis, repair, or maintenance. All of these systems and platforms would need to be created from scratch, and with some OEMs already in model year 2022, that simply is not going to happen in time.
Must OEMs Begin Redesigning Vehicles in Anticipation of A Change in Law?
The Attorney General suggests that OEMs have made no meaningful attempt to find a feasible way to comply with the Data Law, despite knowing as early as 2015 that aftermarket associations were advocating to give independent repair shops greater access to telematics systems. By September 2019, when the Attorney General certified the ballot question, OEMs knew the precise language that would appear on the ballot, but did not take reasonable steps to prepare to comply with the ballot question if it passed, as was likely given the overwhelming passage of the previous right to repair ballot question. The Attorney General suggests that OEMs’ refusal to use that time to prepare is not grounds for impossibility preemption.
What Role Will Recent High Profile Cybersecurity Incidents Play in the Trial?
The Alliance in its pre-trial brief highlighted several recent cybersecurity attacks in the United States, suggesting that a cyberattack on even a single motor vehicle carries enormous public safety risk. And that risk is magnified dramatically if all vehicles sold in Massachusetts suddenly become potential points of attack. The Alliance warns that if the Data Law is allowed to take effect, serious cyberattacks would become much more likely and deadly than recent attacks on oil pipelines and meat processing plants.