When Autonomous Vehicles Are Hacked, Who Is Liable?

Zev Winkelman, Maya Buenaventura, James M. Anderson, Nahom M. Beyene, Pavan Katkar, Greg Baumann

Research, published Jul 12, 2019

Who might face civil liability if autonomous vehicles (AVs) are hacked to steal data or inflict mayhem, injuries, and damage? How will the civil justice and insurance systems adjust to handle such claims? RAND researchers addressed these questions to help those in the automotive, technology, legal, and insurance industries prepare for the shifting roles and responsibilities that the era of AVs may bring. Using four scenarios (a ransomware attack, a hacked vehicle damaging government property, hacks on a connected roadway that cause damage, and theft of information through hacking of AVs), the authors explored the civil legal theories that may come into play when real-world damages result from AVs being hacked. They also examined how those theories may affect various parties, including car manufacturers, component makers, dealers, and both corporate and individual owners. Existing civil legal structures appear flexible enough to adapt to cases involving hacked AVs except in the case of large-scale cyberattacks, but it may be useful to clarify both liability and insurance coverages.

Key Findings

Existing civil liability law will likely be sufficiently flexible to adapt to most hacked AV liability claims

  • There is no immediate necessity for Congress or state legislatures to pass statutes to address this set of risks.
  • Research on the ability of the insurance system to compensate for a large-scale cyberattack is needed.
  • Exclusions for acts of war in many insurance policies, the difficulties in determining the attackers, and the potential magnitude of the damages may create challenges to the existing liability system.
  • AV manufacturers, manufacturers and designers of component parts and software, and distributors of AVs may face civil liability for criminal hacks on AVs under well-established legal precedent.

Product liability laws, warranty laws, and state and federal privacy laws are the most relevant bodies of law

  • Cost-benefit and foreseeability analyses will influence legal analysis of responsibility for damages from cyberattacks.
  • Manufacturers of vehicles and component parts will need to stay abreast of attacks on AVs and take precautions to avoid similar attacks if they wish to avoid liability.
  • Users of AVs may face liability for cyberattacks if, for example, they reject an important security update, allowing a hacker to take control of the AV.

Government agencies may be potential defendants in civil lawsuits that arise out of incidents involving unsafe infrastructure

  • Although sovereign immunity may protect government agencies in some situations, immunity may not apply as they undertake ministerial tasks, such as road maintenance.
  • Significant municipal and state engagement in infrastructure development will be necessary if the connected vehicle environment relies on communications between AVs and roadside infrastructure.

Recommendations

  • Policymakers should consider the following questions: Should statutes be used to clarify legal responsibility for various harms that can be anticipated to arise from hacked AVs, instead of relying on the more-flexible common-law process? How should governmental and judicial expertise in technologies that will prevent cyberattacks be developed and maintained? What regulations might be appropriate to prevent or mitigate harms that would arise from hacked AVs causing damage?
  • The realization of the societal benefits of AVs would benefit from the following actions: developing a framework for measuring the cybersecurity and safety of AVs; better understanding insurance coverages for cyberattacks on AVs, both for commercial and consumer policies, to determine who will bear the costs of such attacks; and better understanding who would bear the costs of a large-scale cyberattack on AVs and whether a reinsurance backstop would be useful.

Document Details

  • Availability: Available
  • Year: 2019
  • Print Format: Paperback
  • Paperback Pages: 168
  • Paperback Price: $25.00
  • Paperback ISBN/EAN: 978-1-9774-0323-0
  • DOI: https://doi.org/10.7249/RR2654
  • Document Number: RR-2654-RC

Citation

RAND Style Manual

Winkelman, Zev, Maya Buenaventura, James M. Anderson, Nahom M. Beyene, Pavan Katkar, and Greg Baumann, When Autonomous Vehicles Are Hacked, Who Is Liable? RAND Corporation, RR-2654-RC, 2019. As of May 1, 2025: https://www.rand.org/pubs/research_reports/RR2654.html

Chicago Manual of Style

Winkelman, Zev, Maya Buenaventura, James M. Anderson, Nahom M. Beyene, Pavan Katkar, and Greg Baumann, When Autonomous Vehicles Are Hacked, Who Is Liable? Santa Monica, CA: RAND Corporation, 2019. https://www.rand.org/pubs/research_reports/RR2654.html. Also available in print form.

Research conducted by

This project is a RAND Venture. Funding was provided by gifts from RAND supporters and income from operations. The research was conducted by the RAND Institute for Civil Justice within RAND Social and Economic Well-Being.

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.