Cybersecurity in the Marine Transportation System: What You Need to Know About the Coast Guard’s Final Rule

Dana S. Merkel, Vanessa C. DiDomenico, and Holli B. Packer


On January 17, 2025, the U.S. Coast Guard (“USCG”) published a final rule addressing Cybersecurity in the Marine Transportation System (the “Final Rule”), which seeks to minimize cybersecurity-related transportation security incidents (“TSIs”) within the maritime transportation system (“MTS”) by establishing requirements to enhance the detection of, response to, and recovery from cybersecurity risks. Effective July 16, 2025, the Final Rule will apply to U.S.-flagged vessels, as well as Outer Continental Shelf and onshore facilities subject to the Maritime Transportation Security Act of 2002 (“MTSA”). The USCG also sought comments on a potential two-to-five-year delay of implementation for U.S.-flagged vessels. Comments were due March 18, 2025.

Background

The need for enhanced cybersecurity protocols within the MTS has long been recognized. MTSA laid the groundwork for addressing various security threats in 2002 and provided the USCG with broad authority to take action and set requirements to prevent TSIs. MTSA was amended in 2018 to make clear that cybersecurity-related risks that may cause TSIs fall squarely within MTSA and USCG authority.

Over the years, the USCG and the International Maritime Organization have dedicated resources and published guidelines to address the growing cybersecurity threats that arise as technology is integrated more and more into all aspects of the MTS. The USCG expanded its efforts to address cybersecurity threats throughout the MTS in its latest rulemaking, publishing the original Notice of Proposed Rulemaking (“NPRM”) on February 22, 2024. The NPRM received significant public feedback, leading to the development of the Final Rule.

Final Rule

In its Final Rule, the USCG addresses the many comments received on the NPRM and sets forth minimum cybersecurity requirements for U.S.-flagged vessels and applicable facilities.

To read or download the full client alert, please visit our website.

Featuring Our Blank Rome Newsletters

The BRoader Impact: Leading with Purpose at Blank Rome

We are proud to share The BRoader Impact, a new annual report highlighting the many ways our firm is making significant strides in support of our colleagues, clients, and communities. Leading with purpose, we combine our knowledge and capabilities with our passions by providing pro bono services, volunteering our time and resources, furthering diversity and inclusion initiatives, prioritizing well-being, and elevating sustainable practices. We are proud of the meaningful work that our colleagues are carrying out in our communities every day. Click here to read it.

The BR Privacy & Security Download

We invite you to read our November 2024 edition of The BR Privacy & Security Download, the monthly digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice, which covers current trends and updates in the areas of state, local, and federal laws and regulations, U.S. litigation and enforcement, and international laws and regulations, as well as the group’s recent events and webinars, media activity, and news. To view the latest edition of The BR Privacy & Security Download, please click here.

The BR State + Local Tax Spotlight

Welcome to the October 2024 edition of The BR State + Local Tax Spotlight, our monthly newsletter from Blank Rome’s State + Local Tax team that highlights important State + Local Tax developments across numerous jurisdictions and provides updates on significant legislative developments and judicial decisions that could impact business operations. Please click here to read The BR State + Local Tax Spotlight.

New Blank Rome Blogs & Newsletters

The BR Derivatives Report

Our new BR Derivatives Report blog, authored by Blank Rome’s seasoned Finance and Investment Management attorneys, sheds light on the ever-shifting regulatory landscape and developments affecting the negotiation of transactions in this dynamic sector of the financial markets. Our goal is to make the derivatives market accessible and understandable, and to provide valuable updates and observations that inform business and regulatory decisions. You can receive new content as it publishes by subscribing.

The BR Privacy & Security Download

We invite you to read our May 2024 edition of The BR Privacy & Security Download, the monthly digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice, which covers current trends and updates in the areas of state, local, and federal laws and regulations, U.S. litigation and enforcement, and international laws and regulations, as well as the group’s recent events and webinars, media activity, and news.

The BR State + Local Tax Spotlight

Welcome to the April 2024 edition of The BR State + Local Tax Spotlight, our monthly newsletter from Blank Rome’s State + Local Tax team that highlights important State + Local Tax developments across numerous jurisdictions and provides updates on significant legislative developments and judicial decisions that could impact business operations.

The BR Privacy & Security Download: October 2023

October 2023

Welcome to this month’s issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.

Read the newsletter here.

Maritime Ransomware

Vanessa C. DiDomenico, Sharon R. Klein, and Karen H. Shin


Cybersecurity concerns are certainly on the radar for shipowners and operators. Cybersecurity breaches can penetrate systems aboard and ashore and can jeopardize safety and adversely impact maritime operations, as well as disrupt the downstream distribution of the goods on board. In that light, it is imperative that shipowners and operators install tough mitigation, detection, and response plans.

As ships undergo digitalization and autonomous system upgrades, cyberattacks and ransomware attempts become more prevalent. Ransomware is defined as a type of malicious software designed to block access to a computer system until the attacked party pays a sum of money. Cybercriminals monetize their operations by extorting their victims and can further sell extracted data. Cyberattackers typically seek the highest payout possible and target companies and industries, including the maritime sector, that rely on time-sensitive data to function. Such attacks can have devastating contemporaneous consequences on multiple players.

In the 2017 NotPetya malware incident, attackers encrypted Maersk systems and demanded payment. “Without access to data held on its destroyed computer system, Maersk literally didn’t know what was in its containers. On-the-ground-staff had to check manually, with time sensitive medicines a particular supply chain concern.”[1] The attackers shut down systems in seven minutes, but the response and industry’s realization that protections were needed lasted much longer. “The key lesson Maersk learned from battling the NotPetya attack: protection is important—but it’s equally as important to ensure your recovery process is strong.”[2]


The BR Privacy & Security Download: March 2023

March 2023

Welcome to this month’s issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.

Read the newsletter here.

Changing EU Data Transfer Requirements Create New Challenges

Karen H. Shin and Alex C. Nisenbaum


Businesses in the maritime industry may not think of themselves as engaged in significant processing of personal data. However, global shipping and logistics companies regularly transport personal data around the globe. This may include passenger data, sensitive employee data, and customer business contact information used for fulfillment and marketing purposes, all of which are vital to the operations of the business.

As a result, businesses in the maritime industry need to address compliance with a myriad of quickly evolving privacy laws around the globe, including evolving requirements for employees and business contacts in major ports in California and a newly active agency to enforce Brazil’s recently passed omnibus privacy law.

The requirements relating to cross-border transfer of personal data from the European Economic Area (“EEA”) to other jurisdictions, in particular the United States, are an acute challenge for the maritime industry. Legal requirements for such transfers have undergone substantial changes in the past 15 months that require global businesses to assess and make changes to data transfer compliance strategies.

The European Union’s General Data Protection Regulation (“GDPR”) empowers regulators to impose fines of as much as four percent of global annual revenue for cross-border data transfer missteps or step in and halt non-compliant transfers, which could result in significant operational disruption. Accordingly, companies in the maritime industry cannot overlook compliance with regulatory requirements relating to cross-border data transfer.


Maritime Cybersecurity: Prepare, Detect, and Respond

Vanessa C. DiDomenico

At a time when the world has become more aware than ever before about the vital importance of the world’s ocean shipping fleet, which carried supplies, merchandise, and much-needed personal protective equipment during the COVID-19 pandemic, an increased risk from a different threat, cyberattacks, presents a set of new challenges.

Increase in Maritime- and Energy-Related Cyber Attacks

According to Israeli cybersecurity specialist Naval Dome, since February 2020, there has been a 400-percent increase in attempted hacks on the maritime realm, coinciding with a period when the maritime industry turned to greater use of technology and working from home due to the coronavirus pandemic. Increased phishing attempts, malware, and ransomware attacks can be attributed to the changes in operations and procedures during the travel restrictions and operational hurdles encountered during the pandemic. These global challenges resulted in a move by the United States to bolster the federal government’s cybersecurity practices and contractually obligate the private sector to align with such enhanced security practices. For instance, the ransomware attack on Colonial Pipeline, which controls nearly half the gasoline, jet fuel, and diesel flowing along the East Coast, prompted President Biden to sign an Executive Order (“EO”) on “Improving the Nation’s Cybersecurity (14028)” on May 12, 2021. A comprehensive overview of President Biden’s EO can be found here. On August 25, 2021, the president also held a cybersecurity summit with leading tech company and Wall Street banking executives to discuss cybersecurity concerns.


Blank Rome Launches Biometric Privacy Team

Blank Rome LLP is pleased to announce the formal launch of our Biometric Privacy Team. Composed of multidisciplinary attorneys from across our Firm’s offices, this dedicated team draws talent from our Cybersecurity & Data Privacy, Privacy Class Action Defense, Artificial Intelligence Technology, and Labor & Employment groups to help clients address and minimize the risks associated with biometric privacy regulatory compliance, enforcement, and litigation.

“We are thrilled to launch this important and timely initiative,” said Jeffrey N. Rosenthal, who leads the Firm’s Biometric Privacy Team. “Our team includes both highly experienced compliance counsel and seasoned privacy class action defense litigators. Collectively, we are well positioned to help clients navigate today’s myriad biometric privacy laws. Whether proactively developing comprehensive compliance/risk management programs or aggressively defending clients in state and federal courts across the country, our Biometric Privacy Team possesses the technological savvy, industry knowledge, and battle-forged litigation skills needed to counsel and defend our clients as consumer privacy laws continue to expand and evolve.”

Recent advancements in technology and artificial intelligence have led companies to utilize biometric data—such as fingerprint scans, facial recognition, voice prints, and DNA scans—in an ever-increasingly broad number of ways to improve the efficiency and effectiveness of their operations. This, in turn, has brought about significant legal risk as legislatures across the country implement laws to tightly regulate the use of this technology, such as the now well-known Illinois Biometric Information Privacy Act and California Consumer Privacy Act of 2018. The commercial use of biometric data has also led to a wave of bet-the-company class action litigation for alleged technical statutory violations, often involving hundreds of millions of dollars in potential exposure.

“Our biometric privacy trial attorneys are frequently retained to litigate high-exposure, high-profile disputes. Due to this demand, we have developed reputations for achieving superior results against challenging odds using novel and creative strategies,” stated Ana Tagvoryan, Vice Chair of the Firm’s Corporate Litigation group and Co-Chair of Blank Rome’s Class Action Defense Team. “Our multidisciplinary team develops winning litigation strategies and formidable defenses against all manner of claims involving allegedly improper biometric data practices.”

Blank Rome’s biometric privacy attorneys are also thought leaders in this space, having extensively published and presented on compliance best practices, emerging legal trends involving biometric laws and technology around the country and the world, risk mitigation, and litigation strategy.
