Crunch time for Maritime

The latest round of maritime regulations — the Maritime Security Act rules — apply to far more than just ports and vessels. The new rules encompass a wide spectrum of facilities that are located on or adjacent to the navigable waters of the U.S.

Companies need to become aware of these rules and determine — either on their own or with counsel — to what extent their operations fall under the rules. Because of the speed at which these rules were necessarily developed, many companies that are subject to these provisions are unaware that they must comply by December 31, 2003. You don’t want to wake up on January 1 facing both a New Year’s Eve hangover and the failure to comply.

Following are 10 ways to cope with the new maritime rules.

1. Start to comply now
The new regulations are more complicated than they seem at first glance. The rules are flexible, but that flexibility also means they give companies little in the way of guidance as to what exactly is required. This puts an enormous burden on companies to get it right.

Developing a security plan that is assured of approval is not a short-term endeavor. Companies should begin this process so that they have the time to work through issues, clear up uncertainties and seek guidance before the compliance deadline is looming over their heads.

2. Tailor your plan to your threats, risk and circumstances
There is no “one size fits all” here. What will work at one maritime facility will likely be very different from what will work at another facility — and the rules were designed to give the flexibility required to tailor your plan to your circumstances.

For some facilities the most appropriate way to meet the access control requirement will be chain link fences. However, at facilities where more is at risk, effective access control may necessitate closed- circuit television monitoring systems, pipe barricades and other more extensive protections. Regulated parties need to be aware of the level of threat and risk their operations face, and then match the level of their security planning to those circumstances.

3. Don’t underestimate your risks
Many companies look at their risks and rightly say, “The chances of me being an al Qaeda target are a billion-to-one.” However, the risks here are far greater than just a foreign terrorist hitting a particular entity. The biggest risk for most companies isn’t a terrorist attack; it is the cost of failing to fully comply with the rules.

We expect the U.S. Coast Guard to take a hard look at security plans. If a plan comes up short, the penalties can include having your operations curtailed or your facility shut down. The risk of noncompliance penalties is a very real, across-the-board risk. Moreover, the threats here go beyond terrorists to include disgruntled employees, criminals and others who might take advantage of inadequate security. And, with these new rules in place, if a facility’s security remains sub-standard and something does happen, there is the real potential for end-of-the-company liabilities in lawsuits.

4. Don’t overlook simple solutions
In this post-9/11 world there is a tendency to seek a “silver bullet” — expensive, highly technical solutions that may or may not be cost-effective for a given company. Because of this, simpler, low-cost solutions often get overlooked. Not every visitor’s badge needs to be a smart badge loaded up with the latest biometric technology. Sometimes, the most effective monitoring system is a well-trained workforce that has been made security-aware and is on the look out.

These simple solutions will not be enough for every company, but they should be a part of every company’s overall approach to security.

5. Watch out for interdependencies
As you develop your security and related contingency plans, be on the look out for interdependencies. Interdependencies — places where your company’s operations are dependent on others or where others are dependent on you — are where the real costs add up. The bulk of the costs from the 9/11 attacks came in the form of business interruption losses when downstream companies found their operations hamstrung by the damages inflicted in the attacks.

Interdependencies are also where real risks can come in. If, for example, your company allows employees from suppliers or shippers or clients access to your facility, your security is only as good as the screening programs of these other companies. If your company has an integrated information technology (IT) system that allows your clients or suppliers access, your IT security is only as strong as the weakest link in a cyber-chain that stretches out from you, to these other entities, and to all those who have access to their systems.

6. Treat this like any other regulatory matter
Corporate security has until now been in the hands of the private sector. These new rules are one of the first instances where security has become a regulatory matter. With these rules in place, security planning takes on a new dimension. Having a good plan isn’t enough; now you need a plan that checks all the boxes of the rules and satisfies your regulators.

Companies are advised to ensure that their lawyers — whether in-house or outside counsel — are part of their security compliance team. In addition, by using counsel, companies can seek to use the attorney/client privilege to shield some of the tough choices that security planning may entail from disclosure down the road if something should happen.

7. Take a multi-disciplinary approach
In addition to having your lawyers on your security team, smart companies will take a multi-disciplinary approach to their security. Your team should include your communications professionals who will have to field calls from the media, local residents and others about your security.

In this new era of corporate accountability, your corporate leadership should be on the team, or at minimum, kept apprised of developments and actions. Further, security can’t exist in a vacuum — it needs to be integrated with your operations so that it doesn’t reduce the cost-effectiveness of the company. In other words, your operations people need to be at the table and must consider what each change will entail. For example, installing a