Kate B. Belmont
Cybersecurity has become a critical focus for all industries reliant on information technology (“IT”). Massive data breaches, cyber espionage, and hacking events sponsored by nation states around the globe occur with growing frequency.
Trailblazing Cybersecurity Regulations in the Financial Services Industry
In response to the obvious and undeniable necessity of cybersecurity, certain industries, such as financial services, have aggressively tackled the challenges of cybersecurity head on.
For example, in late 2016, the New York Department of Financial Services issued first-of-its-kind cybersecurity regulations for banks and insurers that focus on protecting and ensuring the security and privacy of sensitive personal information. These regulations require banks, insurers, money service businesses, and virtual currency operators to put in place cybersecurity programs, increase the monitoring of third party vendors, and appoint chief information security officers. Additionally, risk assessments are to be performed periodically, and it is further required that a company’s cybersecurity plan is to be reviewed and approved by either a senior officer or the board of directors.
These regulations are trailblazing, as no other state or federal regulatory agency has yet adopted formal cybersecurity regulations. These rules and regulations could become the model for cybersecurity regulation across various industries nationwide.
Where the Maritime Industry Stands on Cybersecurity
Unlike the financial services industry, the maritime industry does not yet have any cybersecurity regulations, but it is moving forward to address the challenges of incorporating comprehensive cybersecurity into business operations. There were significant developments in 2016, with the introduction of the Industry Guidelines on Cyber Security Onboard Ships, produced in January by the Baltic and International Maritime Council (“BIMCO”), Cruise Lines International Association (“CLIA”), International Chamber of Shipping (“ICS”), INTERCARGO, and INTERTANKO (“the BIMCO working group”), followed by the release of the International Maritime Organization’s Interim Guidelines on Maritime Cyber Risk Management, approved in June. However, the maritime industry has yet to adopt formal regulations. As such, the New York Department of Financial Services’ cybersecurity regulations could serve as a model for the maritime industry.
Passenger shipping, in particular, is a sector of the maritime industry that is routinely responsible for personal, private, and/or highly sensitive information, including addresses, credit card numbers, health and medical information, and passport details. This industry must be vigilant and proactive in protecting such data from intentional and unintentional dissemination, and has taken significant steps to address the challenges of cybersecurity in order to mitigate the risk of massive losses arising out of data breaches.
Industry-Focused Cyber Attacks: A Cautionary Tale
In today’s world, the risk of a hack and subsequent data breach is great for all industries, and the cost of such a breach is even greater. Over the past several years, many companies have suffered data breaches that resulted in losses of hundreds of millions of dollars. For example, after Target suffered a massive data breach that compromised the credit and debit card information for 40 million of its customers, Target accrued well over $252 million in expenses, including settlements paid to banks and credit card companies as well as a settlement of a federal class action lawsuit brought by customers.
The recent Ashley Madison data breach settlement is yet another example of the risks companies face when failing to protect customers’ personal information in the cyber realm. In July 2015, Ashley Madison was the victim of criminal hackers and suffered a data breach that exposed millions of customers’ addresses, credit card numbers, and sexual preferences. As a result, Ashley Madison was subject to claims that lax cybersecurity was responsible for the breach. In December 2016, it was announced that the U.S. Federal Trade Commission, as well as several state attorneys general, had reached a settlement with Ashley Madison that included sanctions against the company of $17.5 million (which was reduced to $1.6 million because of the company’s inability to pay). The settlement agreement also requires Ashley Madison to bolster its cybersecurity practices and its protection of customer data.
The Ashley Madison case was one of the largest data breaches that the Federal Trade Commission has investigated, and its cooperation with overseas regulators was unprecedented. As such, this is a clear warning that state and federal authorities will continue to prioritize cybersecurity and hold companies accountable for failing to protect the privacy and personal information of consumers.
The maritime industry must be vigilant, and continue to develop comprehensive cybersecurity and cyber risk management programs. We recommend including cybersecurity training for crew members, upgrading IT products, maintaining system performance and integrity, and developing breach response plans. The fall-out from the Ashley Madison data breach serves as a cautionary tale, and the recent cybersecurity regulations issued by the New York Department of Financial Services are instructive in developing an effective cybersecurity regime for the maritime industry.