This week’s question comes from Dan.
If you want an answer to your insurance questions, just respond to this email and watch for an answer in a future email.
Has there been any credible data regarding electric vehicles being hacked by a cyber-attack? If so, how often is this occurring and with the increase of EV’s in business and personal use, how big of a concern should this be for both consumers and insurance carriers? If one of these is attacked and compromised and the attackers do something horrific with the vehicle, who should be held responsible? The owner for not installing a more robust security system to prevent such an attack or the manufacturer for not providing that from the outset?
Let’s see if we can take this apart piece by piece and come up with some good answers.
Has there been any credible data regarding electric vehicles being hacked by a cyber-attack? If so, how often is this occurring and with the increase of EV’s in business and personal use, how big of a concern should this be for both consumers and insurance carriers?
So far, we aren’t seeing any credible data that shows that EVs are being hacked. There are stories all over the internet whose headlines indicate that they are, but a quick read of the first few paragraphs shows that these articles are about researchers or security specialists hacking EVs to test their vulnerabilities.
So, no. There doesn’t appear to be any real hacking going on right now, but that doesn’t mean that it isn’t possible. Of course, anything that could go wrong should be at least a little interesting to insurance companies.
If one of these is attacked and compromised and the attackers do something horrific with the vehicle, who should be held responsible? The owner for not installing a more robust security system to prevent such an attack or the manufacturer for not providing that from the outset?
Here’s the heart of the question. If something happens, who should be held responsible? Let’s look at two theories of liability that might generally apply.
This all hinges on the concept of negligence, which requires four elements to show that someone was negligent.
· A duty owed to others.
· A breach of that duty.
· The breach was the proximate cause of injury.
· The injury resulted in damages.
Some unknown entity hacked into the vehicle, took control of it, and drove it into a building, causing bodily injury and property damage. In one sentence, we have established injuries, which would most certainly result in damages. The injuries are the bodily injury and property damage. The damages are the financial impacts of the injuries, including medical bills, pain and suffering, repairing property, and loss of use of the property.
But was there a duty owed to others and if there was, was there also a breach of that duty that caused the injuries? These are the questions that must be answered before we can assess any liability against the vehicle owner.
Would the vehicle owner have a duty to secure their vehicles against hacking? That depends. If the EV manufacturer notifies the owner in some way that there is a security update that must be installed, and the owner fails to allow the update to be installed, and the hackers exploit that vulnerability, that would seem to be a breach of the duty to take reasonable steps to protect the EV from hacking. That breach of duty would almost certainly then be the proximate cause of the injuries.
If, however, the hack resulted from an unknown vulnerability, we have to look away from the vehicle owner to the manufacturer. It seems very unlikely that a court would hold a vehicle owner responsible for a problem that she didn’t know about or wouldn’t be reasonably expected to know about. That potentially moves liability to the vehicle manufacturer, or the company that developed the vehicle’s operating system.
In this case, we might consider the theory of strict liability, where the manufacturer is found to be liable simply because there is a failure in the product that causes injury. In this case, even if the manufacturer wasn’t aware of the vulnerability that was used to hack into the vehicle, the existence of the vulnerability is enough to hold them liable.
Of course, this is all in theory because we don’t have an actual case in front of us, but you knew that already, just like you knew that I’m neither a lawyer nor a claims professional so these are my opinions based on the parameters of the question put forth. Any actual claims would be handled based on the facts of the claim.
Topics Cyber
Was this article valuable?
Here are more articles you may enjoy.
South Florida Insurance Broker Pleads Guilty to Fraud in $133M ACA Enrollment Scheme 
Potential Tariff Auto Severity Impact on Travelers: Single-Digits or Less 
Wildfire Losses Drop Chubb Q1 Net Income 38%, While Tariffs Create ‘Confusion’ 
NC Committee Approves Bill to End Education Requirements for Insurance Agents 
