Data Privacy Concerns in the Age of Maritime Cyber Defenses: Balancing cybersecurity measures with the need to protect personal data collected from ships and crew.
1.2. Research Objective
The main objective of this research is to develop an understanding of the ways through which various cyber security measures set out by the IMO and required to be implemented by shipping companies can be said to impact compliance with data protection laws and regulations. The author’s intent is to assist the shipping industry in not only understanding the potential conflicts between a legal requirement to implement a cyber security measure and the corresponding need to protect certain information as a matter of data protection law, but also in providing information that will assist individual companies in weighing the costs and benefits of various cyber security defences in the context of the data protection legal framework. The research will provide an overview of the data protection laws and regulations relevant to shipping companies as well as an orientation on normal cyber defence frameworks and measures. With this foundation, the research will explore the ways in which specific cyber security measures recommended by the IMO can impact the ability of a company to protect data and the legal ramifications that arise if compliance with security measures conflicts with the data protection legal framework. The research will be valuable to any company possessing information that could be considered personal data (and therefore in need of protection under data protection law) but should be of particular interest to companies who are signatories of the ISM code as these companies will be forced to comply with the higher standards set out by the IMO.
1.3. Scope of the Study
The analysis in this dissertation will focus on the requirement to protect individual information gleaned from ships and their crews. Specific emphasis will be given to discussing the framing of necessary regulation to make sure that maritime cybersecurity measures do not unduly jeopardize the rights of these third parties under present and future legislation. The discussion is timely in that the EU General Data Protection Regulation (GDPR) entered into force in May 2018. This regulation has a wide extraterritorial impact and is applicable to any individual organization that processes individual data of EU citizens or residents. GDPR has specific requirements relating to the processing of criminal conviction data and data concerning health. As a substantial portion of crew and passenger data might be considered health data, understanding how this regulation impacts maritime cybersecurity measures is central to understanding the interactions of law, cybersecurity, and individual data protection in this industry. The discussion will give specific recommendations on best practices as to how such data can still be collected and utilized in today’s era of rapidly increasing maritime cyber threats. Finally, the dissertation will allude to future technological changes in data and surveillance systems in this industry and how such changes might influence the balance between security needs and individual data protection.
2. Cybersecurity Measures in the Maritime Industry
Cybersecurity is commonly perceived as prevention against unauthorized access or damage to the data or electronic infrastructure. This can be through the use of various methods to monitor, secure, and assess the electronic data and infrastructure. The result is to make sure that the data and electronic infrastructure maintain their confidentiality and availability. At the same time, there must be a safety measure to ensure that the integrity of the data and infrastructure is not compromised. However, cyber defense means cyber security and all actions that are taken to prevent damage to or unauthorized use of electronic data. This includes methods used to monitor, define, and assess what possible available options are in defending against cyber incidents. The central distinction is that cyber security would therefore consist of methods used to prevent and inform about possible incidents of cyber threats. Those threats that we define in cyber security incidents may cause data or infrastructure corruption, data and infrastructure manipulation, and there will be data or infrastructure extraction. From the above definition, we can simply define an action that would correlate cyber security by implementing various IT. A good method to implement a good cyber defense is a method that would prevent the possibility of disruptions, data and information leakage. So, in a broader sense, we can say that a good cyber defense can be the embodiment of a polite war waged against possibilities of every cyber incident, and it could only stop if we reach the ability to prevent it.
2.1. Overview of Maritime Cyber Defenses
Maintenance of cybersecurity depends on the ability to detect and immediately respond to potential security incidents. Cyber attacks can take many forms, including spreading a virus that disables shipboard computers, hacking into a port system to steal identities or sensitive information, or sabotaging a deep draft vessel to run aground or collide with another ship. The ability of an attacker to exploit a vulnerability is a function of the potential impact and likelihood of a given attack, relative to the cost for the attacker to develop and implement the attack. Consequently, the most effective attacks are those with a high potential impact. Cybersecurity is thus achieved by risk management, or the identification and mitigation of vulnerabilities to reduce the likelihood and impact of an attack.
Maritime cybersecurity is the activity of protecting information, technology, and people in the maritime industry through the adoption of measures to support the ability of the sector to operate in the connected environment. It involves the protection of sensitive data, both personal and proprietary, through the application of information security technologies and processes, the protection of safety and security of technology systems supporting the maritime industry, and ensuring the safety of seafarers and passengers. National or international security, though an important consideration, is beyond the scope of the cybersecurity of the maritime sector, which is focused on the safety and security of commercial and recreational activity on the world’s oceans and within national or international waters.
The cyberization of ship systems and systems for control of port facilities has enhanced the efficiency and safety of maritime transportation. However, it has also increased the vulnerability of the maritime sector to a wide array of cyber attacks. Threats to information systems that support the operation of ports, terminal facilities, and ships can disrupt and disable supply chains and transportation networks with dire consequences for trade and the economy. Bearing in mind that the world economy is dependent on the efficient flow of goods, services, and people through a safe and secure maritime transportation system, the cybersecurity of maritime systems is of paramount importance.
2.2. Cyber Threats and Vulnerabilities in the Maritime Sector
A study by the Security Association for the Maritime Industry (SAMI) identified that the transnational nature of the shipping industry and the use of multicultural crews has led to an increase in the number of insider threats as well as the threat from cyber-espionage [2]. Insider threats occur when current or former employees damage, steal, or misuse an organization’s data or resources [3]. Insider threats can range from employees with low morale looking to gain monetary compensation in any way possible to employees who consciously act against an employer to further the interests of another party. Insider threats are considered a severe risk to the data and security of organizations, and it is suggested that 88% of IT professionals believe that insider threats are as significant or more significant than threats from outside attackers [4]. The fact that the shipping industry employs people from developing countries with high levels of poverty means that these people are more susceptible to bribery and corruption tactics used by rival companies or organizations looking to exploit certain types of data from a company. Insider threats can be difficult to detect as an employee will often have good knowledge of security systems and will be able to make use of their legitimate access to data. Insider threats from crews can also occur through crew members being forced into espionage or sabotage activities for other parties while the ship is in port in certain countries.
Vulnerabilities to cyber threats can be understood as weaknesses in security that can be exploited by a cyber threat, whereas a cyber threat can be defined as “a person or thing that has the potential to cause damage to an asset or an organization” [1]. There is evidence to suggest that specific features of the shipping industry as well as the reliance on certain technologies make the industry susceptible to certain cyber threats.
2.3. Importance of Cybersecurity Measures
Processing of personal data has become an integral part of ships’ operations and plays a critical role in successful crew management and ensuring that seafarers are healthy and perform their duties effectively. However, it is noted that seafarers can be more vulnerable to the impacts of data protection infringements or personal data breaches due to the transient and international nature of their occupation and their consequential difficulties in obtaining legal redress and effective remedies.
This is due to the nature of personal data, such as the records maintained on seafarers, which could be used to identify an individual seafarer and consists of two types of information: (i) routine personal information necessary for the administration of the employment relationship; and (ii) other personal information concerning health and healthcare. The former type of information is likely to be that processed in routine crew documentation, whereas the latter is typically obtained in pre-employment medical examinations and may subsequently involve data processing of a sensitive nature, such as fitness for work assessments, monitoring and treatment of medical conditions, and fitness to return to work following an illness or injury.
The importance of cybersecurity measures in the maritime sector cannot be overemphasized due to the significant adverse impact of cyber threats and attacks on safety and security, environmental protection, the availability and reliability of critical information and operational systems, economic activities, and national security. However, the importance of cybersecurity measures has to be balanced with the need to protect personal data collected from ships and seafarers.
2.4. Case Studies: Cyber Attacks on Maritime Infrastructure
The infrastructure of the maritime sector is renowned for its diversity, spanning both legacy systems and new technology, and for its global nature. Cyber attacks could, in the most extreme cases, disrupt or destroy operations and have a significant impact on the safety of life and the environment. In order to illustrate the vulnerabilities and implications of a cyber attack, as well as identify effective cyber security measures, this paper analyses a selection of case studies on the maritime sector. This builds understanding for the range of potential consequences of a cyber attack, from the benign to the severe, and shows that as yet there is no widespread appreciation of the nature of the risk. This section identifies and examines several key case studies concerning cyber attacks on maritime infrastructure. WannaCry is a malicious software (malware) that was released in May 2017. It was seemingly intended to ransom individuals’ data to financial ends, leveraging a Windows exploit because on many systems Microsoft Server Message Block (SMB) was accessible from the internet and not behind a firewall. Though it has affected entities in many different sectors, the attack on the French shipper was particularly damaging. Any attack occurring during sea time essentially lowers ship situational awareness; in this case, the company was forced to stop shipping for several days and although the servers with the infection were not directly related to ships in transit, it was decided that the risk was too great and voyage operations would resume when patches were completed for all systems.
3. Data Collection and Privacy Regulations in the Maritime Sector
The type of personal data can vary obtained by a ship management company, a service company, and the government related to the operation of the ship and logistics. For example, a company engaged in the management of ships has crewing activities, then the company will require information on individuals who are looking for a job as a ship crew. Then this can be done for coordination between job-seekers with the company in the search for a job. Any information obtained should be related facilitated the employment of the better candidate again in a position expected by each company’s potential crew. So, the company the crewing wants the most complete information about the potential employee. Any personal data obtained is stored in the employee’s job application letter to so the company must prepare a storage media that is safe for this information. Decisions to the recruitment also still require the information until the time the crew is still working in the company the ship management.
Data can be considered as a building block for future business. Data can be considered as bits and bytes of information for the company. So, data has to be processed and generated accurately, especially for the company engaged in shipping and logistics. Various information will be generated in the process of ship operations and logistics to get the most return. Information about the type of goods carried, the information about the source and destination of the goods, the information about the shipping routes, and other information must be recorded and stored in a certain period. At this point, information about the operation of the ship has indirectly included personal data about the identity of the ship and the crew, which is personally identifiable. The identity of the ship and the crew that is personally identifiable includes the name, address, kind/type, registration code, the IMO number, the phone number, email, and others. Here on out, the information will be referred to as personal data.
3.1. Types of Personal Data Collected from Ships and Crew
Personal data that is collected from shipping companies and seafarers can be put into various categories. These relate to information concerning the seafarer’s identity, their abilities, work performance, and career development. The types of personal data collected vary according to the specific company and the seafarer’s skill, experience, and seniority. An example identity data to be collected could be the seafarer’s name, national identity number, photograph, and fingerprint. It has become quite common for seafarers to provide this data in order to obtain a biometric identity card, as a means of increasing security in ports.
Crew members will usually have to provide information regarding their education, qualifications, skills, and previous work experience as this is a recruitment requirement. This information is maintained and used for assessing the seafarer’s capabilities and performance, to allocate jobs, to identify training needs, plan career development, and for appraisal and statistical purposes. Data collected in these areas may end up being substantial and most definitely relevant to the seafarer concerned. An officer with valuable and specialized skills and experience could be identified as a key employee whose data will be something the company cannot afford to lose. This could ultimately determine the extent to which his career and work within the company is managed.
3.2. Privacy Concerns and Risks Associated with Data Collection
The automatic collection of data can cause identity mismatches if proper measures are not taken to ensure that the data actually belongs to the individual in question. This can occur if two or more people share common official credentials (e.g., a seaman’s qualification).
Data profiling is used to evaluate an individual’s behavior, location, movements, and decisions over a period of time. This can be linked with predictive modeling, which aims to forecast behavior. This form of data analysis can have detrimental effects on privacy, especially in the case of employment (whether past, current, or potential future employers are the ones doing the profiling) and insurance.
Data tracking is a serious concern as the technology to monitor an individual or object’s location is becoming more prevalent and is increasingly being used within the shipping industry. This data may be used to build profiles of individuals and their habits, which can be a risk to their privacy. Information regarding the location, or the date and time of an event, is all examples of data that could be used to track an individual or behavior.
Privacy concerns may be related to the utilization of submitted data, the technology used to submit data, or identity authentication. Data submitted can be categorized as data about an identifiable individual. An individual could be identified by the data or through linking it with other data, whether this data is an opinion or in any form. This kind of data is considered to be sensitive as its misuse can have significant adverse effects upon an individual.
3.3. International and Regional Privacy Regulations in the Maritime Industry
The GDPR represents the leading edge of a global movement toward strict data privacy laws. Other countries and regions have their own data privacy laws that similarly control the flow of personal data across national borders and these laws affect shipping companies located in those countries and ships from those jurisdictions. Japan requires the consent of individuals to transfer their personal data to other countries and imposes restrictions on the same. Canada (a large ship owning and flag state nation) has long had comprehensive data privacy laws, which are currently subject to an overhaul to ensure “adequacy” with the GDPR. For US-based shipping industry stakeholders, arguably the most pressing data privacy law is the California Consumer Privacy Act (CCPA), which goes into effect on January 2020. This law requires large companies (including many shipping companies) to disclose the personal data that they collect, use, store or share, and gives California residents the rights to access, delete, and prevent the sale of their personal information. While the CCPA is not specifically a data access regulation, it will likely have a substantial impact on shipping companies with a presence in California.
The need to balance the benefits of data collection with the privacy rights of individuals has prompted a worldwide response, exemplified by the European Union’s GDPR, the most widely known and comprehensive data privacy law. The GDPR applies to all businesses worldwide that process personal data connected to individuals in the EU, including shipping companies and ship management companies located in EU countries or those that do business in EU nations. It requires such businesses to satisfy very strict conditions for obtaining valid consent to process and store personal data and to provide clear evidence of the same. The GDPR also requires the appointment of a Data Protection Officer, imposes strict data protection impact assessment testing for new services and procedures, imposes substantial administrative fines for non-compliance, and notably prohibits the transfer of personal data to countries outside the EU that do not have adequate data protection laws.
3.4. Compliance Challenges and Best Practices
The complexities of data protection laws extend across international borders and are not uniform. Organizations collecting data are responsible for knowing the legalities of how this data is client anywhere in the world. The main data protection act in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). In the European Union, the Directive on Privacy and Electronic Communications has stringent laws mandating opt-in permission from the subject before the data can be collected. In 2018 this will be superseded by the General Data Protection Regulations. In the United States, data protection laws vary from state to state. This can present an exceptional challenge for multinational organizations that collect and transmit personal data across many borders. To cover all of these jurisdictions would require a deep understanding of the specific legislation of each country and a complex matrix of policies and procedures to ensure data privacy to the required standard in each one. Of course, this approach is not feasible and would waste an inefficacious amount of resources.
It can be noted that many regulations have different stipulations about how data should be protected but are thinner on the specifics of what measures should be in place. This means that there is no one size fits all solution to compliance and a firm may find itself with a huge investment in data security but still not compliant with the law. In the worst case scenario, a company may find that they are complying with data protection laws, but at a cost to the ability and efficiency with which they can operate.
4. Balancing Cybersecurity and Data Privacy in the Maritime Sector
An effective approach to achieving this is to carry out a single risk assessment that covers both data privacy and cyber security requirements, combining the results into one coherent set of security measures that can be used to protect all information assets. This specific approach to protecting personal data is stated as one of the GDPR’s key requirements known as ‘privacy by design and by default’. This means that data protection should be an integral part of system design rather than an afterthought. For the most part, applying privacy by design and by default means implementing similar controls to those already in place for cyber security, it’s just that these are directly focused on protecting personal data. An example of this would be that when encrypting data it should be specifically encrypted storage for personal data rather than applying it to all data storage areas. This process can also involve anonymising or pseudonymising personal data so that it can’t be directly linked to an individual without the use of additional information. This adds an extra layer of protection because the now ‘less sensitive’ data can still be subject to standard cyber security measures as a means of protecting the additional information used to link it back to an individual.
Organisations need to plan and implement effective cyber security measures to protect their valuable data resources, and not too long ago security was the only major concern. Now, with the onset of the GDPR, personal data privacy has become a major issue in its own right due to the potential penalties for getting it wrong. So what does this mean for the maritime sector? A recent study ‘The State of Data Protection, Privacy & Cyber Resilience in the Maritime Industry’ produced by Epsco-Ra found that varying levels of understanding between cyber security and data protection often resulted in cyber security taking precedence and personal data being left at risk. This can be attributed to the fact that until now most cyber security measures have been focused on protecting IT systems rather than personal data. The process of linking data protection with cyber security is one of the first, vital steps in the maritime industry.
4.1. The Need for a Comprehensive Approach
Recent high-profile cyber-attacks such as the 2008 breach of the BMA Medical Register which led to the theft of personal data of around 5 million individuals and subsequent attempts to purchase personal data back from the hackers to cover up the breach have highlighted the need for a more comprehensive approach and have brought the issues of cyber security and data protection more into the public eye. In the maritime industry, the consequences are often more severe due to the fact that maritime infrastructure is a vital resource and any breach can lead to serious repercussions, particularly with increasing automation of ships. As of yet however, there is little incentive for many shipping companies to do more to protect personal data as there is often no legal requirement to disclose data breaches and the consequences of a breach are not always immediately apparent. This will likely change as more law and regulation about data protection will appear in the maritime industry and there will be more awareness and understanding about the value of personal data and the consequences of a breach.
At the same time, there is currently a widespread lack of understanding about what data protection is and what form it should take. This can be attributed to the fact that for many years, the main concerns concerning the storage and processing of personal data have been about data loss and the potential for organisations of various sizes to access data and exploit it for commercial gain. This is reflected in the outdated status of the international legal framework for data protection within the maritime industry. The current framework still largely revolves around resolution 2 of the 19th International Conference of Data Protection and Privacy Commissioners in 1987, and it is essentially unchanged since the pre-internet days with the exception of the introduction of the GDPR in 2016. Many shipping companies and software vendors today are unaware of just how much more they should be doing to protect personal data and are often more concerned with the cybersecurity measures aimed at protecting the data mediums themselves. In many cases, data mediums are well protected whilst the data itself is not.
The need for a comprehensive approach to the issue lies in the fact that more and more personal data will be collected and processed as technology becomes increasingly prevalent in the maritime industry. The GDPR stipulates that such data must be protected, and while it can be easy to argue that personal data such as crew members’ medical histories does not necessarily need to be stored on a ship’s computer, there are many cases where easy access to such data could be crucial to the well-being of the crew member in question. In the age of telemedicine, it is not inconceivable that a crew member could consult with a medical professional located on shore who needs access to the patient’s medical history. Furthermore, there are already systems in development that aim to use data collection and analysis to improve safety at sea through greater understanding of the causes of accidents i.e. “The development of EU guidance on maritime safety and risk analysis methodology with the goal to provide practical and unified guidance for conducting safety and risk analyses within maritime organisations and in the development of their framework”. In any case, personal data is often crucial to the proper functioning of technology and it is likely that the more valuable personal data becomes, the more of a target it will be for cyber-attacks.
4.2. Strategies for Protecting Personal Data without Compromising Cybersecurity
In order to address the potential of cyber threats to their ships, crews, and cargoes, the maritime industry has begun taking steps to fashion cyber security measures that are effective and appropriate, yet also mindful of the industry’s unique complexities and constraints. Primarily to comply with ISPS requirements, shipping companies and vessel operators seek to prevent unauthorized access to their ships while in port or at sea. Cyber policies and practices employed vary, however, according to the type of company or vessel involved. Larger companies may have an IT manager or security professional on staff, or a designated security department. Smaller companies, where “the IT manager” may be the owner or a family member, may have relatively little in the way of dedicated IT, let alone IT security. In all cases, enterprise-level factors and business models will influence the extent to which cyber security is prioritized vis-à-vis other safety or financial concerns. For the foreseeable future, security measures implemented should be cost-effective, and build upon, or be integrated into, existing safety, security, and risk management regimes. This should be done in a way that does not add to the already considerable administrative responsibilities of ship personnel, and allows the industry to adapt to future changes in regulatory regimes.
4.3. Role of Stakeholders in Ensuring Data Privacy and Cybersecurity
This does not leave the data processors without resource. Suppliers of data storage and software solutions can strive to offer innovative solutions such as privacy-preserving data storage as means to mitigate the impact of increased security on the privacy of personal data. In any event, it will be necessary for the industry to remain in constant dialogue with the data protection authorities.
As this essay has identified, it will be necessary to balance these cybersecurity measures with data protection principles and best practices. The data controllers will need to think through the privacy and data protection implications at the outset of any new initiative or project and engage in a proper and mandatory Data Protection Impact Assessment. This is imperative in ensuring that the data protection by design and default principles are respected. Undertaking consultation with the Data Protection Authorities is advisable but not mandatory in assessing the legality of the intended data processing (especially where it is unclear) as the DPAs have expressed a repeated desire to engage with the maritime industry. The data controllers will have to carefully consider how long data should be retained and may need to revisit retention policies as increased security measures may reduce the need for long retention periods. Data minimization should be implemented where possible and a cost-benefit analysis should be undertaken in determining whether certain data processing activities are worthwhile incurring the increased security and potential liability.
The general question of privacy protection under the 1995 Directive and the Charter of Fundamental Rights will remain a theme to which the data protection authorities, data protection community and maritime industry will have to return to repeatedly. How well the stakeholders in the maritime sector address data protection will be of concern to the educated consumer of goods and services that is seeking assurances about the privacy of personal data in the wake of well-publicized security breaches in a variety of industries.
4.4. Future Trends and Recommendations for the Maritime Industry
The maritime industry is increasingly embracing digitalisation and interconnectivity in its operations, functioning, and processes. In light of the fast-paced technological advancement, the European Union’s General Data Protection Regulation (GDPR) and the recent IMO’s push for maritime cyber risk management adds onto the complexity of managing data privacy and cyber defense in the shipping industry. A research study was hence conducted to gain a good understanding of the implications cyber risks have on the management of sensitive personal data through the collection and processing of AIS (Automatic Identification System) transmissions on ships. This paper discusses the data privacy concerns and cyber defense strategies in the maritime sector and the difficulties encountered in finding the right balance between the two. This includes protecting personal data without jeopardizing cybersecurity and getting all stakeholders to play their part in achieving a comprehensive approach. The paper also advocates the proactive anticipation of cyber threats and data privacy issues in the future and outlines key recommendations for an industry where the awareness of the importance of personal data protection is lacking. This final part of the paper draws together material from the preceding sections to critically discuss and evaluate future trends in the maritime industry and to provide well-defined recommendations.
