Cyber Security On Board: The Legal Implications

With the rapid rise in cyber attacks across the board, ranging from large corporations to powerful individuals, private yachts are an attractive target. It doesn't matter who you are or where you are, the risks are real and it's big business. In part two of this series we looked at the precautions you can take to protect your on board systems but, if your yacht is hacked, what are the legal implications for all concerned?

Hackers, whether individuals or organisations, with differing motives, well-resourced and deploying persistent expertise, can cause significant loss, reputational harm and third party liability, if proper protective steps are not taken. 

Therefore, just as a yacht-owner must consider carefully how best physically to protect its yacht and crew it should also develop a cyber security strategy.  A yacht would not undertake a voyage without appropriate planning and first ensuring its systems were fully functioning.

With most modern yachts highly dependent on computer assisted equipment, these precautions should include network security measures that protect such equipment from damage caused by malicious attack. 

Failure to address the potential cyber risks may nowadays be regarded as unwise, imprudent and possibly culpable, like embarking upon a voyage without lifesaving apparatus.

A holistic and rigorous approach

Doing nothing is no longer an option. A yacht‑owner, like all ship owners should adopt a holistic and rigorous approach to all cyber risks.  To respond effectively to a breach, it is essential to create a scenario-tested incident response plan and put in place a trained crisis management team. It is also prudent to consider:

(1) Undertaking a penetration test of the yacht's onboard computer-systems

(2) Establishing who has access to the yacht's systems (including third party suppliers)

(3) Scanning for existing security breaches to the yacht's systems

In 2013 a GPS expert and his security team demonstrated how relatively easy it is to take over the navigation system of a 210 foot yacht in the Mediterranean by spoofing its GPS guidance signal. 

The captain and his crew had no idea what was happening. Further, the Automatic Identification System (AIS) and GPS systems onboard many vessels are often left unencrypted or unauthenticated, leaving them and their high net worth passengers, an easy target. 

Yacht owners, managers and crew should assume that the risks mentioned in this and the previous articles in this series are present and very real.

At a recent seminar held by the authors on cyber security, a risk manager warned that high net worth individuals are particularly attractive targets and may be more vulnerable than large companies to successful cyber attacks. 

This applies equally whether they are on land or sea.  Their cyber security systems and portable devices may be easier to penetrate than the systems of many companies; they frequently have more liquid assets; they may be more prepared to pay a ransom to take back control; they are unlikely to have any reporting restrictions; and may well choose not to share their experience with others for fear of embarrassment or reputational damage. 

Consequently, attackers may repeat the process unchallenged using the same methods to hack others.

While relatively uncommon at the time of writing this article, it is conceivable that those using yachts as guests may increasingly seek independent technical verification of a yacht's cyber security systems and/or ask for risk‑shifting clauses to be inserted into charters and other contracts in relation to cyber liabilities. In such circumstances, an owner and his managers should know how to respond.

It is essential that an appropriate cyber breach response protocol be developed to mitigate any damage that might be caused.  Such a protocol should be designed to alleviate internal and external concerns, including the protection of confidential third party information. 

Appropriate resources should be allocated to risk identification, management, mitigation and network breach response. Instilling a top-down culture of risk awareness, education and cooperation at all levels (including owners, guests, managers, captain, crew, managers and contractors) is essential. 

It may also be wise to operate a formal network security protocol, requiring all those on board to understand and sign up to it. This will help foster a risk awareness culture and raise understanding of the need for good cyber hygiene.

Some legal considerations in the cyberseas

In the UK, the collection and use of personal data is governed by the Data Protection Act 1998 (the DPA). Personal data is defined as being information that can identify a living individual, such as names, addresses, telephone numbers, job titles and dates of birth.  

The information does not have to be confidential in nature and, since the definition is narrow, a simple list of clients or employees on a computer will amount to personal data for the purposes of the DPA. 

In contrast, confidential data is given in confidence or agreed to be kept confidential, such as information on business, health or financial details. Sensitive personal information includes data relating to race, political opinions, criminal records, political opinions, health, religious and other beliefs and, for a yacht owner or guest, simple personal data may carry a higher level of confidence.

In the UK, the 'data controller' is obliged to take 'appropriate technical and organisational security measures' to prevent unauthorised or unlawful processing, accidental loss of or damage to personal data. Further, personal data should not be transferred outside of the European Economic Area unless there is adequate protection for the rights of the data subject. 

While not necessarily caught by UK law, yachts (particularly those involved in large scale chartering operations - which by their nature may carry a lot of personal data on passengers and crew), should in any event pay particular attention to this requirement for reputational and operational reasons.

The legal implications and liabilities of a data breach on board a yacht (and the applicable governing law) are likely to depend on a number of factors, including, for example: who is in control of the data and responsible for its security; whether the data breach involved a loss of personal, confidential and/or sensitive data; the location of the yacht at the time of the attack (i.e. the law of the applicable port or coastal state); the law of the yacht's flag state; where the attack emanated from and, if the yacht is under charter, the governing law of the charter. 

In the event of a data breach, the yacht owner, manager, charterer, captain or crew may owe statutory, contractual or tortious duties of care to third parties in relation to their personal data. 

This brings greater uncertainty as to the penalties which could be faced as a result of such a breach. In the UK, the penalties vary considerably but it is important to highlight that many breaches of the DPA are criminal offences. Furthermore, as cyber security and data protection are hot topics, at a political level, the statutory and regulatory framework is constantly evolving in this area. 

In Europe, a new data protection regulation is in the pipeline which will usher in significant changes and additions to the current regime by harmonising data protection procedures and enforcement across the EU. 

Insurance - financial protection and expert advice

Unauthorised security breaches are damaging on many levels and having in place appropriate insurance may help manage the risk. At present, many hull and machinery policies have adopted the Institute Cyber Attack Exclusion Clause (CL380).  

The effect of this clause is that, in the event of a cyber attack, the cover will only respond if it can be established that the actions of the cyber attacker were maliciously motivated.  

This leaves an insured with the practically difficult task of trying to identify the attacker. Damage which has been caused by an accident or mistake is unlikely to be covered.  

The introduction of a cyber 'buy-back', allows the insured to cancel the exclusion. However, this is not widely available to all. The risk assessments are understandably stringent. Without demonstrable cyber security by yacht owners, many will find that there are some risks that underwriters are simply not prepared to write.

The authors are unaware of any established yacht-specific cyber insurance policies being available in the insurance market, although such products are being investigated by a number of insurance brokers and underwriters.  It is to be hoped that tailored network security and cyber liability cover will be commercially available soon.

If a cyber security insurance policy is obtained, policyholders should check and understand how it responds to the risks which it is intended to protect.  In addition, a specific cyber policy will need to be integrated with the existing insurances for the yacht and her owners/users. 

As always, the devil is in the detail. A range of possible scenarios must be considered, from a minor containable data breach to direct hacking of the computer and/or navigational systems, theft of commercial assets, possible ransom demands and exposure on social media.

This should be done in conjunction with a scenario-tested incident response plan to establish what is intended to be covered and what is actually covered, and whether there is any acceptable residual risk.

With appropriate planning and due diligence, when (not if) the cyber attack occurs, yacht owners and managers will be in a reasonable position to respond. Otherwise, they may have to attribute a new meaning to a 'partial or total loss'.

Related Articles in the Series:

Part I: Cyber Attacks: Are You on the Radar?
Part II: Cyber Security; Are You Protected?

About the authors:

Lizzie Gray, Associate, Holman Fenwick Willan LLP
Lizzie specialises in all aspects of insurance and reinsurance including professional negligence claims, brokers' E&O claims, property damage, business interruption, cyber, marine, mining and onshore and offshore energy. Lizzie is regularly involved in large complex disputes and has contentious experience across a range of industries at arbitration and in the Commercial and Chancery divisions of the High Court.

William MacLachlan, Senior Associate, Holman Fenwick Willan LLP
William advises a wide variety of companies and financial institutions on a range of transactional shipping matters in both the commercial shipping and yachting industries. He has particular expertise in ship sale and purchase, shipbuilding and ship repair contracts. William also has considerable experience of advising those operating in complex security environments including contractual and licensing issues. William acts for a number of private security companies and logistic providers, both onshore and offshore and is actively involved in the UK's Security in Complex Environments Group (SCEG). William lectures frequently, most recently on issues arising out of the cyber security threat at sea at an event hosted by the Security Association for the Maritime Industry (SAMI). 

 

*Image credits: Flickr