Cybersecurity concerns are certainly on the radar for shipowners and operators. Cybersecurity breaches can penetrate systems aboard and ashore and can jeopardize safety and adversely impact maritime operations, as well as disrupt the downstream distribution of the goods on board. In that light, it is imperative that shipowners and operators install tough mitigation, detection, and response plans.
As ships undergo digitalization and autonomous system upgrades, cyberattacks and ransomware attempts become more prevalent. Ransomware is defined as a type of malicious software designed to block access to a computer system until the attacked party pays a sum of money. Cybercriminals monetize their operations by extorting their victims and can further sell extracted data. Cyberattackers typically seek the highest payout possible and target companies and industries, including the maritime sector, that rely on time-sensitive data to function. Such attacks can have devastating contemporaneous consequences on multiple players.
In the 2017 NotPetya malware incident, attackers encrypted Maersk systems and demanded payment. “Without access to data held on its destroyed computer system, Maersk literally didn’t know what was in its containers. On-the-ground-staff had to check manually, with time sensitive medicines a particular supply chain concern.” The attackers shut down systems in seven minutes, but the response and industry’s realization that protections were needed lasted much longer. “The key lesson Maersk learned from battling the NotPetya attack: protection is important—but it’s equally as important to ensure your recovery process is strong.”
Welcome to this month’s issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
Businesses in the maritime industry may not think of themselves as engaged in significant processing of personal data. However, global shipping and logistics companies regularly transport personal data around the globe. This may include passenger data, sensitive employee data, and customer business contact information used for fulfillment and marketing purposes, all of which are vital to the operations of the business.
As a result, businesses in the maritime industry need to address compliance with a myriad of quickly evolving privacy laws around the globe, including evolving requirements for employees and business contacts in major ports in California and a newly active agency to enforce Brazil’s recently passed omnibus privacy law.
The requirements relating to cross-border transfer of personal data from the European Economic Area (“EEA”) to other jurisdictions, in particular the United States, are an acute challenge for the maritime industry. Legal requirements for such transfers have undergone substantial changes in the past 15 months that require global businesses to assess and make changes to data transfer compliance strategies.
The European Union’s General Data Protection Regulation (“GDPR”) empowers regulators to impose fines of as much as four percent of global annual revenue for cross-border data transfer missteps or step in and halt non-compliant transfers, which could result in significant operational disruption. Accordingly, companies in the maritime industry cannot overlook compliance with regulatory requirements relating to cross-border data transfer.
At a time when the world has become more aware than ever before about the vital importance of the world’s ocean shipping fleet, which carried supplies, merchandise, and much-needed personal protective equipment during the COVID-19 pandemic, an increased risk from a different threat, cyberattacks, presents a set of new challenges.
Increase in Maritime- and Energy-Related Cyber Attacks
According to Israeli cybersecurity specialist Naval Dome, since February 2020, there has been a 400-percent increase in attempted hacks on the maritime realm, coinciding with a period when the maritime industry turned to greater use of technology and working from home due to the coronavirus pandemic. Increased phishing attempts, malware, and ransomware attacks can be attributed to the changes in operations and procedures during the travel restrictions and operational hurdles encountered during the pandemic. These global challenges resulted in a move by the United States to bolster the federal government’s cybersecurity practices and contractually obligate the private sector to align with such enhanced security practices. For instance, the ransomware attack on Colonial Pipeline, which controls nearly half the gasoline, jet fuel, and diesel flowing along the East Coast, prompted President Biden to sign an Executive Order (“EO”) on “Improving the Nation’s Cybersecurity (14028)” on May 12, 2021. A comprehensive overview of President Biden’s EO can be found here. On August 25, 2021, the president also held a cybersecurity summit with leading tech company and Wall Street banking executives to discuss cybersecurity concerns.
“We are thrilled to launch this important and timely initiative,” said Jeffrey N. Rosenthal, who leads the Firm’s Biometric Privacy Team. “Our team includes both highly experienced compliance counsel and seasoned privacy class action defense litigators. Collectively, we are well positioned to help clients navigate today’s myriad biometric privacy laws. Whether proactively developing comprehensive compliance/risk management programs or aggressively defending clients in state and federal courts across the country, our Biometric Privacy Team possesses the technological savvy, industry knowledge, and battle-forged litigation skills needed to counsel and defend our clients as consumer privacy laws continue to expand and evolve.”
Recent advancements in technology and artificial intelligence have led companies to utilize biometric data—such as fingerprint scans, facial recognition, voice prints, and DNA scans—in an ever-increasingly broad number of ways to improve the efficiency and effectiveness of their operations. This, in turn, has brought about significant legal risk as legislatures across the country implement laws to tightly regulate the use of this technology, such as the now well-known Illinois Biometric Information Privacy Act and California Consumer Privacy Act of 2018. The commercial use of biometric data has also led to a wave of bet-the-company class action litigation for alleged technical statutory violations, often involving hundreds of millions of dollars in potential exposure.
“Our biometric privacy trial attorneys are frequently retained to litigate high-exposure, high-profile disputes. Due to this demand, we have developed reputations for achieving superior results against challenging odds using novel and creative strategies,” stated Ana Tagvoryan, Vice Chair of the Firm’s Corporate Litigation group and Co-Chair of Blank Rome’s Class Action Defense Team. “Our multidisciplinary team develops winning litigation strategies and formidable defenses against all manner of claims involving allegedly improper biometric data practices.”
Blank Rome’s biometric privacy attorneys are also thought leaders in this space, having extensively published and presented on compliance best practices, emerging legal trends involving biometric laws and technology around the country and the world, risk mitigation, and litigation strategy.
Once upon a time, a shipping company in a land far, far away fell victim to a sophisticated, yet common, e-mail scam that resulted in the loss of more than a million dollars. Due to a slight manipulation to a legitimate e-mail address, in the stroke of a key this company transferred millions of dollars into the account of a cyber-criminal. The story you are about to read is true, and should serve as a cautionary tale to all players in the maritime industry who rely on e-mail communications to conduct business and transfer funds on a regular basis.
The summer of 2017 has been noteworthy for developments in maritime cybersecurity and cyber risk management. Major global cyber attacks from the WannaCry attack to the NotPetya attack, including mass GPS spoofing attacks in the Black Sea, have significantly affected the maritime industry, leaving no doubt of the importance of cybersecurity and cyber risk management.
Blank Rome Associate Kate B. Belmont authored the chapter, “Maritime Cyber Security: The Unavoidable Wave of Change,” in Issues in Maritime Cyber Security, edited by Joseph DiRenzo III, Nicole K. Drumhiller, and Fred S. Roberts (2017, Westphalia Press, an imprint of the Policy Studies Organization).
ABOUT THE BOOK:
The world relies on maritime commerce to move exceptionally large portions of goods, services, and people. Collectively, this effort comprises the Maritime Transportation System (“MTS”). Cyber networks, and the infrastructure they control, are a major component of this daunting multifaceted enterprise.
The impact of the cyber element on the international MTS is significant. The need for all stakeholders in both government (at all levels) and private industry to be involved in cyber security is more significant than ever as the use of the MTS continues to grow.
This pioneering book is beneficial to a variety of audiences, as a textbook in courses looking at risk analysis, national security, cyber threats, or maritime policy; as a source of research problems ranging from the technical area to policy; and for practitioners in government and the private sector interested in a clear explanation of the array of cyber risks and potential cyber defense issues impacting the maritime community.
Cyber risk management continues to be one of the most significant challenges currently facing the maritime industry. With an overreliance on information technology (“IT”) and operational technology (“OT”), the shipping industry is vulnerable to cyber risks, cyber threats, and cyber attacks that could result in significant damages and loss, including loss of business and damage to reputation and property. While the maritime industry has yet to be regulated, various stakeholders have recognized the need for the industry to address cyber risk. As the United States Coast Guard continues to assess and evaluate cyber risk throughout the marine transportation system, the International Maritime Organization (“IMO”) and various industry organizations have issued guidelines on cyber risk management this past year. Most notably, on May 20, 2016, the IMO approved Interim Guidelines on Maritime Cyber Risk Management (“IMO Interim Guidelines”).