Maine legislators voice cybersecurity and enforcement concerns to R2R Working Group
Maine’s Right to Repair Working Group listened Wednesday to concerns from two state legislators who said data cybersecurity isn’t up to par under the legislation that created the working group and that aims to create an independent entity to enforce the state’s new “right to repair (R2R)” law.
The working group is the result of a referendum and subsequent law, LD 1677, passed in November 2023, as is the requirement for the creation of a standardized telematics platform among automakers. The process began with a petition circulated by the Maine Right to Repair Coalition.
Among Rep. Tiffany Roberts’ (D-District 149) concerns during a public hearing on Wednesday was that the entity itself should be regulated by legislation as a licensing board. Rep. Amanda Collamore (R-District 68) agreed, and both said, as the legislation stands now, personal data generated and collected in vehicles isn’t secure.
Roberts serves as co-chair of Maine’s Joint Standing Committee on Innovation, Development, Economic Advancement and Business (IDEA Committee), which worked to amend an alternative bill to the one that passed. The Alliance for Automotive Innovation (Auto Innovators) drafted LD 1911 shortly after LD 1677 as a competing bill. The alternative bill passed the House and then died between houses.
“The entity’s structure, function, and ultimate success are inextricably tied to the law’s core promises of consumer protection and fair access to repair information,” Roberts said. “The right to repair law and the valid initiative that preceded it were presented as consumer protection measures, a cause I am deeply committed to… This group’s work was meant to guarantee consumers access to vehicle repair information, empowering them to seek repairs at independent repair shops and leaving private data access control where it is.
“Yet, much of the discussion in this room has shifted toward business concerns, particularly between independent repair shops and manufacturers. While fairness in the marketplace is important, it is certainly not the role of one state’s government to mediate a marketing feud between industries, especially when the voters were promised consumer-focused protections.”
Regarding the data access platform, Roberts said it raises significant cybersecurity concerns, and with that comes a cost for which a funding plan hasn’t been determined.
“The platform must have robust protections to ensure consumer privacy and safeguard sensitive data from breaches,” she said. “The law provides that information must be made necessary for repairs, maintenance, and diagnostics. Does diagnostics include active monitoring of the vehicle for low oil, tire pressure, or other ongoing routine maintenance needs? If so, that would require continuous access. Personal data protection, and cybersecurity — this all falls under the entity. The independent entity must have clear protocols to manage these challenges effectively, ensuring accountability and technical functionality. Concerns about transparency are significant. The public and the federal government, through the National Highway Transportation and Safety Administration, expect this entity to be accountable and operate in a way that protects their rights.”
Collamore voiced similar concerns, many of which come from her constituents.
“The entity, in whatever shape it may take in the future, is fully in charge of the access and use of our vehicle-generated data as it’s stated in statute currently. I have many concerns about cybersecurity when having an unregulated independent entity access or control my data, any data repair or otherwise, when looking at the makeup of the entity currently written into law. There are actually no cybersecurity experts on that committee. How will we, the Maine consumers, be protected from the entity’s access to our data?
“The current law gives access to all telematic data that can relate to repair and diagnosis… We need to ensure that we have guardrails built into the law so that we can protect our data and not make it easier for groups to access it… I would ask this working group to seriously consider statutory language changes when discussing the potential entity that may oversee and enforce this law. We can’t do this only by rulemaking. This will set clear limitations on access by the entity and repair shops to protect the people of Maine.”
Collamore said the statute defines the standardized platform as a mobile app.
“Is that what we should be confining it to? What does it have access to? Should it be fully remote access so that you can diagnose and repair anything? That’s the same as when it’s tethered, which is currently what the law says… Should it have reasonable safety and security written restrictions defined in statute?”
Like Roberts, she added that the entity may not be an independent entity as described under statute but a licensing board. Collamore suggested all technicians using telematics and diagnostics to complete repairs have the same training and background checks. Perhaps, she added, the state would only require a license for people looking to make repairs using telematics data or maybe it should include those who would access OBD II ports.
In February, Maine’s IDEA Committee — which Collamore is also a ranking member of — voted 7-1 to recommend that the legislature eliminate the requirement in the new R2R law for a standardized bidirectional data access platform.
Collamore brought the amendment that the committee approved. If it had been approved by the full legislature, it would’ve revised the current law to do away with the creation of the non-governmental independent entity.
On Wednesday, the working group asked several questions but didn’t make any decisions regarding the entity or platform. The group plans to meet every two weeks, with the next meeting scheduled for Oct. 30.