Skip to main content
Home » Empowering Our Truckers » NAFA’S Cybersecurity Recommendations for New Vehicles
Empowering Our Truckers

NAFA’S Cybersecurity Recommendations for New Vehicles

NAFA Fleet Management Association is undertaking guidelines and actions for the trucking industry in response to the new technologies in vehicles. Taking on spheres such as security and privacy, NAFA seeks to catch up with technology.


With vehicles becoming more and more dependent on technology, performance and convenience features, automakers are growing increasingly concerned with cyber hackers and vulnerabilities in their line-ups. These vulnerabilities present challenges for fleet management in being able to continue utilizing new technology, while also ensuring that the fleet is protected from malicious or criminal activity.

  • Action: NAFA will collaborate with the Automotive Information Sharing and Analysis Center (Auto-ISAC) to establish communication protocols for the exchange of information related to cyber incidents.
  • Recommendation: As vehicles become increasingly connected and autonomous, the security and integrity of automotive systems must become a high priority for fleet managers.


Today’s vehicles collect personal information through in-car technologies. The collection of sensitive information, such as geolocation and driver behavior information, merits heightened protections. Privacy advocates are asking Congress and the federal government to develop privacy standards to protect consumers. The Alliance of Automobile Manufacturers and the Association of Global Automakers have published Consumer Privacy Protection Principles.

  • Action: The driver of a vehicle has an expectation of privacy. Yet, there is an important distinction between the expectation for a driver of a consumer vehicle and the driver of a fleet vehicle. The driver of a fleet vehicle is responsible for the operation of an asset owned or leased by the employer, while the consumer is responsible for his or her own vehicle. NAFA will educate legislators and regulators on the distinction between privacy expectations for the consumer and the privacy expectations for the driver of a fleet’s asset.
  • Recommendation: Fleet managers should recommend that employers develop a policy governing the collection and use of driver behavior data, such as geolocation and vehicle operation information, speed and braking, and other aspects. The policy should be fully transparent and shared with the driver of the employer-provided vehicle.
  • Recommendation: The privacy policy should specify the types of information that will be collected, how such information will be used and stored, and under what circumstances the information can be retrieved.
  • Recommendation: If personal use of the vehicle is permitted, the privacy policy should distinguish between privacy expectations for business and personal use.
  • Recommendation: Because driver behavior data may be discoverable in a court of law or subject to freedom of information requests in public fleet cases, the fleet manager should make the employer aware of the information collected and stored and advise the employer of the need to assess its tolerance for risk.
  • Recommendation: Because disclosure of vehicle specific information, such as geolocation, could impede the ability of certain government agencies to conduct necessary business, Federal and state laws and regulations should provide limitations on the access to and disclosure of such information for purposes of law enforcement, national security, and public health and safety.

Access to the on-board diagnostic (OBD II) port

The OBD port was designed to collect emissions data, but is now used by fleets for telematics and vehicle diagnostics. For a fleet maintenance facility, access to the electronic control module of the vehicle is needed for both diagnostics and repair. Aftermarket telematics devices that depend on access to the OBD port offer fleet managers a range of advantages, including safety, reduced cost of ownership, and environmental protection.

  • Action: NAFA is eager to collaborate with vehicle manufacturers and other stakeholders on alternatives to the OBD II port, provided that such alternatives guarantee the same level of access to data for fleet management.
  • Recommendation: Fleet management requires continued access to the OBD II port.
  • Fleet maintenance facilities require unrestricted access to vehicles’ ECUs.
  • Recommendation: Fleet managers should have policies in place to ensure that only secure devices are connected to the port.

Ownership and collection of data 

The connected vehicle generates and transmits large amounts of data. Some of this data is collected by original equipment manufacturers (OEMs) to monitor driving history and vehicle performance.

  • Action: NAFA will collaborate with the OEMs to determine what information is transmitted by the vehicles to the manufacturer and how that information is analyzed and stored.
  • Recommendation: The owner of the vehicle is the rightful owner of data generated and transmitted by the vehicle.
  • Recommendation: The OEM should have unrestricted access to information from the vehicle’s operating system for warranty and safety purposes provided this is disclosed to the owner.
  • Recommendation: In the case of a leased vehicle, collection, storage and use of data from the vehicle should be reflected in the lease agreement.
  • Recommendation: The owner of the vehicle should opt-in before data can be transmitted and collected by the OEM. Exceptions regarding an opt-in requirement need to be allowed for safety and identified vehicle operation needs. NAFA will collaborate with the OEMs to develop a transparent list of exceptions.


The technology of telematics will improve exponentially over the next several years. Public policy adopted today must be forward looking.

  • Recommendation: Clearly define that the information extracted from a vehicle’s telematics system is the property of the vehicle owner and cannot be accessed, transmitted, collected or stored by others, including the vehicle manufacturer, without prior approval from the vehicle owner.
  • Recommendation: The vehicle manufacturer should clearly disclose to the owner and lessee the exact types of information capable of being transmitted and collected by the manufacturer from the vehicle’s telematics system. Such information should be available as read only.
  • Recommendation: Vehicle manufacturers should build telematics systems with the capability to communicate data for fleet purposes using a standardized interface, such that the information can be directly transmitted, read, and used for fleet management.
Next article