On Nov. 3, Massachusetts voters overwhelmingly voted “yes” on question No. 1 of the state election ballot, thereby approving the initiative law to enhance, update and protect the 2013 Motor Vehicle Right to Repair Law as an amendment to the Massachusetts Motor Vehicle Right to Repair Act.

The initiative requires that vehicle manufacturers provide vehicle owners and independent car repair facilities with expanded access to telematic (wireless) mechanical data related to vehicle diagnostics, maintenance and repair.  While the act has been in place in Massachusetts since 2013, the act only regulated diagnostic information obtained from a “non-proprietary vehicle interface device” (e.g. a port) and did not contemplate telematic data.

Automobile manufacturers, dealers, vehicle owners and independent repair shops need to consider key provisions from the Initiative in light of the new requirements.

Key provisions

Beginning with 2022 models, the Initiative requires that all vehicle manufacturers selling new telematics-equipped vehicles into Massachusetts (including passenger and heavy duty vehicles) design their systems in such a way that vehicle owners and independent third-party repair shops have access to the vehicles’ systems through an interoperable, standardized and open access telematics system.

System specifications

The initiative requires that:

• The telematics system must be accessible through a mobile-based application.

• The system must be “secure.”

• The vehicle owner must have direct access to the telematics system through the mobile-based connection.

• Access to the telematic system must include read/write capabilities, including the ability to read mechanical data and to send commands to in-vehicle components (e.g. braking, acceleration, steering controls) for the “purposes of maintenance, diagnostics and repair.”

• Upon authorization by the vehicle owner, all mechanical data must be accessible to an independent automobile repair facility for such time as is necessary to complete a repair or for such time as agreed to with the vehicle owner for the purposes of vehicle maintenance, diagnostics and repair.

• The manufacturer may not require, whether directly or indirectly, that access to the telematic system require any type of authorization, unless the system for accessing vehicle networks and their on-board diagnostic systems is made standard across all makes and models sold into Massachusetts and is administered by an entity that is independent of the manufacturer.

When selling a vehicle that contains a telematic system, a dealership must provide a notice (to be developed by the Massachusetts attorney general) to the prospective buyer, obtain his/her signature and provide him/her with a copy of the signed notice. Failure to provide this notice can be grounds for sanctions by the dealership’s licensing authority, up to and including revocation of the dealership’s relevant licenses.

If an owner of a vehicle or independent repair facility covered by the act is denied access to the mechanical data, the owner or the facility may bring a civil action against the manufacturer for any remedies available under the law, and each denial of access is subject to treble damages or $10,000, whichever is greater.

Potential cybersecurity concerns

In a July 20 letter to Massachusetts State Representative Tackey Chan and Massachusetts State Senator Paul Feeney, the National Highway Traffic Safety Administration raised various cybersecurity concerns regarding the Initiative, including the following:

• Due to the accelerated timeline, manufacturers may have to remove existing cybersecurity protections to meet the new access requirements, thereby leaving systems at an increased risk of cyber-attacks, which would increase the risk to public safety.

• The implementation of universal and standardized access requirements may increase the risk of a cyber-attack being successful.  The requirement that systems be “secure” is vague and undefined and does not reflect best practices.

• The Initiative may prohibit manufacturers from complying with federal motor vehicle safety protocols.

Whether these concerns are well founded remains to be seen.

Key takeaways

With the 2022 deadline for implementation of the Initiative rapidly approaching, vehicle manufacturers must begin working towards compliance now. Failing to do so can lead to substantial consequences.

Gabriel Kotch is an attorney in the Orlando, Fla. office of Baker Donelson. He assists companies with building and managing industry-leading global data privacy and security compliance programs. He can be reached at gkotch@bakerdonelson.com.