General Motors and Stellantis told a federal judge they’re unable to comply with Massachusetts’ updated right-to-repair law because of cybersecurity and other practical concerns that prevent implementation.
In separate briefs filed last week, cybersecurity executives from GM and Stellantis said the automakers cannot implement the law’s requirements safely and, therefore, have taken no steps toward compliance.
The briefs were filed as part of an ongoing lawsuit between Massachusetts Attorney General Maura Healey and the Alliance for Automotive Innovation, which represents GM, Stellantis and other major automakers.
The alliance filed the lawsuit against Healey in November 2020 after voters overwhelmingly approved a ballot measure revising and expanding the state’s existing right-to-repair law.
The revised law — referred to as the Data Access Law in the lawsuit — requires makers of vehicles sold in Massachusetts to use a standardized, open-access data platform for telematics-equipped vehicles beginning with the 2022 model year. It gives vehicle owners and independent repair shops access to real-time information from the telematics, such as crash notifications, remote diagnostics and navigation.
U.S. District Judge Douglas Woodlock in September asked the parties to provide any steps taken to implement the law’s obligations.
“As Stellantis understands and interprets it, would require removing critical cybersecurity controls from its vehicles,” Stephen McKnight, Stellantis’ head of global product cybersecurity for North American engineering, wrote in a brief filed Oct. 21. “Stellantis cannot do this consistent with its federal safety obligations.”
McKnight also pointed to ongoing disagreements between the two parties on what the law means and actually requires.
“For instance, the law assumes the existence of ‘standardized’ authorization systems and an ‘unaffiliated’ third-party entity that manages those authorization systems. But Stellantis cannot create either a ‘standardized’ authorization system or an ‘unaffiliated’ third-party entity,” McKnight wrote.
“Rather, by definition, any authorization system that Stellantis creates would not be ‘standardized,’ and any third-party entity it creates to administer those authorization systems would be ‘affiliated’ with Stellantis,” he argued.
Kevin Tierney, GM’s vice president of global cybersecurity, argued the law’s requirement for a third-party entity that controls the security for accessing vehicles “creates an untenable and unacceptable cybersecurity risk by creating a single attack surface across all OEMs, and it is inconsistent with the diversity protocols that good cybersecurity practices require.”
Tierney said the effect of the updated law is “to impose a number of requirements that do not meaningfully expand Massachusetts voters’ ‘right to repair,’ but creates untenable safety risks to GM and other vehicles that GM is simply unwilling to accept.”
Massachusetts Assistant Attorney General Jared Rinehimer said Healey’s office would not enforce provisions of the updated law until after the court issues a ruling.
Since January, the judge has postponed a decision on the nearly 2-year-old court case multiple times.
Two automakers — Subaru and Kia — disabled the telematics systems in their 2022 model year and newer vehicles registered in Massachusetts to avoid compliance hiccups amid the ongoing legal battle.
The alliance maintains its argument that the state’s amended law conflicts with several federal laws, poses cybersecurity and vehicle safety risks, and sets an impossible timeline for compliance.
