Cybersecurity in the Marine Transportation System: What You Need to Know About the Coast Guard’s Final Rule

The U.S. Coast Guard (“USCG”) published a final rule on January 17, 2025, addressing Cybersecurity in the Marine Transportation System (the “Final Rule”), which seeks to minimize cybersecurity related transportation security incidents (“TSIs”) within the maritime transportation system (“MTS”) by establishing requirements to enhance the detection, response, and recovery from cybersecurity risks. Effective July 16, 2025, the Final Rule will apply to U.S.-flagged vessels, as well as Outer Continental Shelf and onshore facilities subject to the Maritime Transportation Security Act of 2002 (“MTSA”). The USCG is also seeking comments on a potential two-to-five-year delay of implementation for U.S.-flagged vessels. Comments are due March 18, 2025.
Background
The need for enhanced cybersecurity protocols within the MTS has long been recognized. MTSA laid the groundwork for addressing various security threats in 2002 and provided the USCG with broad authority to take action and set requirements to prevent TSIs. MTSA was amended in 2018 to make clear that cybersecurity related risks that may cause TSIs fall squarely within MTSA and USCG authority.
Over the years, the USCG, as well as the International Maritime Organization, have dedicated resources and published guidelines related to addressing the growing cybersecurity threats arising as technology is integrated more and more into all aspects of the MTS. The USCG expanded its efforts to address cybersecurity threats throughout the MTS in its latest rulemaking, publishing the original Notice of Proposed Rulemaking (“NPRM”) on February 22, 2024. The NPRM received significant public feedback, leading to the development of the Final Rule.
Final Rule
In its Final Rule, the USCG addresses the many comments received on the NPRM and sets forth minimum cybersecurity requirements for U.S.-flagged vessels and applicable facilities. 
Training. Within six months of the Final Rule’s effective date, training must be conducted on recognition and detection of cybersecurity threats and all types of cyber incidents, techniques used to circumvent cyber security measures, and reporting procedures, among others. Key personnel are required to complete more in-depth training.
Assessment and Plans. The Final Rule requires owners and operators of U.S.-flagged vessels and applicable facilities to conduct a Cybersecurity Assessment, develop a Cybersecurity Plan and Cyber Incident Response Plan, and appoint a Cybersecurity Officer that meets specified requirements within 24 months of the effective date. There are a host of requirements for the Cybersecurity Plan, including, among others: provisions for account security, device protection, data safeguarding, training, drills and exercises, risk management practices, strategies for mitigating supply chain risks, penetration testing, resilience planning, network segmentation, reporting protocols, and physical security measures. Additionally, the Cyber Incident Response Plan must provide instructions for responding to cyber incidents and delineate the key roles, responsibilities, and decision-making authorities among staff.
Plan Approval and Audits. The Final Rule requires Cybersecurity Plans be submitted to the USCG for review and approval within 24 months of the effective date of the Final Rule, unless a waiver or equivalence is granted. The Rule also gives the USCG the power to perform inspections and audits to verify the implementation of the Cybersecurity Plan.
Reporting. The Final Rule requires reporting of “reportable cyber incidents”[1] to the National Response Center without delay. The reporting requirement is effective immediately on July 16, 2025. Further, the Final Rule revises the definition of “hazardous condition” to expressly include cyber incidents. 
Potential Waivers. The Final Rule allows for limited waivers or equivalence determinations. A waiver may be granted if the owner or operator demonstrates that the cybersecurity requirements are unnecessary given the specific nature or operating conditions. An equivalence determination may be granted if the owner or operator demonstrates that the U.S.-flagged vessel or facility complies with international conventions or standards that provide an equivalent level of security. Each waiver or equivalence request will be evaluated on a case-by-case basis.
Potential Delay in Implementation. Due to a number of comments received related to the ability of U.S.-flagged vessels to meet the implementation schedule, the Final Rule seeks comments on whether a delay of an additional two to five years is appropriate.
Conclusion
As automation and digitalization continue to advance within the maritime sector, it is imperative to develop cyber security strategies tailored to specific management and operational needs of each company, facility, and vessel. Owners and operators of U.S.-flagged vessels and MTSA facilities are advised to review the new regulations closely and begin preparations for the new cybersecurity requirements at the earliest opportunity. Stakeholders are also encouraged to provide comments before March 18, 2025, addressing the potential two-to-five-year delay in implementation for U.S.-flagged vessels. 

[1] A reportable cyber incident is defined as an incident that leads to, or, if still under investigation, can reasonably lead to any of the following: (1) substantial loss of confidentiality, integrity, or availability of a covered information system, network, or operational technology system; (2) disruption or significant adverse impact on the reporting entity’s ability to engage in business operations or deliver goods or services, including those that have a potential for significant impact on public health or safety or may cause serious injury or death; (3) disclosure or unauthorized access directly or indirectly of non-public personal information of a significant number of individuals; (4) other potential operational disruption to critical infrastructure systems or assets; or (5) incidents that otherwise may lead to a TSI as defined in 33 C.F.R. 101.105.

Fifth Circuit Strikes Down FTC’s ‘Junk Fee’ Rule for Auto Dealers

On January 24, 2025, the Fifth Circuit Court of Appeals struck down an FTC rule aimed at curbing deceptive advertising and sales practices in the auto industry. The rule, which sought to prohibit certain “junk fees” and misleading pricing tactics, was challenged by industry groups who argued that the FTC had exceeded its authority.
The FTC’s Combating Auto Retail Scams (CARS) rule (previously discussed here) required auto dealers to provide consumers with a clear and conspicuous “Offering Price” that included all required charges, with limited exceptions. It also would have prohibited several practices, including:

Bait-and-switch Advertising. Advertising a vehicle at a certain price and then not having that vehicle available when a consumer attempts to purchase it.
Failing to Disclose Key Terms in Advertisements. Key terms for which the rule required a disclosure included the total price of the vehicle, including the enumeration of all additional fees and charges.
Charging Consumers for Add-on Products without Consent. Such add-on products included items like extended warranties, gap insurance, and paint protection.

The Fifth Circuit sided with the industry groups, vacating the FTC’s rule. The court found that the CARS rule exceeded the FTC’s authority to address “unfair or deceptive acts or practices” by regulating pricing practices that were not inherently deceptive. Additionally, the court determined that the FTC failed to provide adequate notice of the proposed rulemaking, violating procedural rules.
Putting It Into Practice: The decision to strike down the rule marks the latest development in the state and federal war on “junk fees” in the financial sector. While the Fifth Circuit Court determined the FTC overstepped its regulatory authority in this instance, federal and state agencies have clearly prioritized combatting “junk fees” (a trend we previously discussed here, here, and here). Companies should closely monitor this development to see if other federal circuit courts follow suit.

2024 In Review: California Climate Change Legislation, Policy and Regulation

As we enter 2025 amid the devastating Los Angeles fires[1] and with a new presidential administration, we continue our series of yearly reviews of the most significant governmental actions taken by the state of California relevant to climate change in the previous year.[2]
Unless otherwise specified, the legislation discussed herein is effective as of January 1, 2025.
Climate Corporate Data Accountability Act
Senate Bill (SB) 219 amends the Climate Corporate Data Accountability Act (SB 253) and the Climate-Related Financial Risk Act (SB 261)[3] and consolidates both under the unified title of the Climate Corporate Data Accountability Act (CCDAA).
Specifically, SB 219 delays the deadline for the California Air Resources Board (CARB) to establish regulations implementing the CCDAA from January 1, 2025, to July 1, 2025. It further amends the previous legislation to authorize, instead of require, CARB to partner with third-party emissions or climate reporting organizations to collect and make relevant data publicly available. SB 219 also provides additional flexibility concerning the reporting of Scope 3 emissions – previously required to be reported within 180 days of Scope 1 and Scope 2 emissions – by allowing CARB to set a separate timeline for the reporting of Scope 3 emissions as part of its rulemaking process. Finally, SB 219 permits reporting entities to consolidate their emissions reports at the parent company level and allows payment of the statutory annual fee at any time, as opposed to at the time of filing.
Geothermal and Gas
Streamlining Geothermal Projects
Assembly Bill (AB) 1359 amends Section 3715.5 of the Public Resources Code to streamline the environmental review process for geothermal exploratory projects under the California Environmental Quality Act (CEQA). AB 1359 is classified as an urgency statute and, as such, took effect upon signature by Governor Gavin Newsom on September 27, 2024, to help accelerate the deployment of geothermal energy projects as part of California’s renewable energy generation goals.
This bill simplifies the process for applicants of “geothermal exploratory projects”[4] by allowing counties to take on lead agency roles, potentially expediting project approvals. The Geologic Energy Management Division (CalGEM) is designated as the lead agency for geothermal exploratory projects. However, upon request, the county where the project is located must assume lead agency responsibilities (as defined by CEQA), regardless of whether it has a geothermal element in its “General Plan.” If a county takes on the lead agency role, it must work with CalGEM to ensure all necessary information for environmental review is included, supporting CalGEM’s role as a responsible agency (as defined by CEQA). The previous requirement for counties to complete lead agency duties within 135 days has been removed, allowing more flexibility in managing project timelines.
Reforming Approach to Idle Oil and Gas Wells
AB 1866 amends sections of the Public Resources Code to address issues related to idle oil and gas wells in California. The bill increases fees for operators of idle wells, including those idle for less than 3 years, with fees escalating based on the duration a well has been inactive. Operators must file a management plan for all idle wells (not just long-term idle wells) by May 1st each year, focusing on prioritizing wells for plugging and abandonment based on specific criteria, such as proximity to sensitive receptors and potential threats. Wells that cannot be accessed or are subject to more stringent court-approved settlement agreements are exempt from these requirements.
Local Control Over Oil and Gas Operations
AB 3233 empowers local governments, such as cities and counties, to impose their own restrictions, including on method or location, or prohibitions on oil and gas operations within their jurisdictions through local ordinances. These local regulations can be more stringent than state laws, particularly in areas related to public health, climate, and environmental protection. If a local entity chooses to limit or prohibit these operations, responsible operators must adhere to existing regulations concerning the plugging and abandoning of wells and the decommissioning of production facilities.
Overall, AB 3233 represents a significant shift in California’s regulatory framework by decentralizing authority and enhancing local control over oil and gas operations.
Transportation
Ban of Gasoline Car Sales by 2035
On December 18, 2024, the United States Environmental Protection Agency (EPA) granted California the authority to move ahead with the state’s “Advanced Clean Cars II” program, which includes the much-publicized ban on the sale of new gasoline-powered cars after 2035.[5] As discussed in our 2023 in Review article, the EPA waiver allowing California to set its own vehicle emission standards at a more stringent level than federal standards had been granted as a matter of course until 2019, when the EPA (under the first Trump administration) revoked the waiver. Such revocation was subject to legal challenges before being reinstated by the Biden administration. The waiver was officially granted in April 2024, after the DC Court of Appeals affirmed the DC Circuit Court’s decision that the waiver did not present any constitutional issues.[6] The United States Supreme Court then denied certiorari on December 16, 2024.
It must be noted that the waiver was only approved for the Advanced Clean Cars II program, not the state’s sister programs for medium and heavy-duty vehicles and locomotives. Anticipating rejection of the waivers by the incoming Trump administration, CARB withdrew its requests for these additional waivers on January 13, 2025.[7] It is also anticipated that the Trump administration will again attempt to revoke the waiver granted for the Advanced Clean Cars II program, which will likely lead to additional litigation and a period of limbo for California and the 11 states (representing nearly 40% of the nation’s population) that choose to follow California’s emissions standards.[8]
Potential Mandate for Bidirectional Electric Vehicles
SB 59 grants the California Energy Commission (CEC) authority to require that battery electric vehicles of any weight class be bidirectional-capable (capable of both receiving and discharging electricity). This decision is contingent upon the CEC, in collaboration with CARB and the California Public Utilities Commission, identifying a vehicle weight class in which both the vehicle operator and the electrical grid would benefit from the mandate. In making this determination, the relevant agencies are required to assess vehicle readiness and the operational demands of vehicles used by essential service providers.
Interested parties should follow the agencies’ ongoing research and look for opportunities to contribute to any potential rulemaking on this topic.
CARB Updates Low Carbon Fuel Standard
In November 2024, after several rounds of public hearings and comments, CARB approved significant updates to the Low Carbon Fuel Standard (LCFS), aiming to drive private investment in clean transportation fuels and zero-emission infrastructure. The amendments set targets of 30% reduction in the carbon intensity of transportation fuels by 2030 and 90% by 2045, while supporting the growth of electric vehicle (EV) charging stations, hydrogen refueling infrastructure, and clean fuels for medium- and heavy-duty vehicles.
These proposed updates were submitted to the California Office of Administrative Law (OAL) on January 3, 2025. OAL has until February 18, 2025, to make a final determination on the proposals.
Proposition 4 – Climate Preparedness Bond
Proposition 4 was passed in the State’s November 5, 2024 general election and authorizes California to sell a $10 billion bond to fund natural resources and climate-related initiatives. The bond will support projects in 8 key areas: water supply and flood management ($3.8 billion, about half of which ($1.9 billion) would be dedicated to improving the availability and quality of water for public use), forest health and wildfire prevention ($1.5 billion), coastal restoration and sea-level rise mitigation ($1.2 billion), land conservation ($1.2 billion), energy infrastructure development ($850 million), park expansion and maintenance ($700 million), extreme heat mitigation ($450 million), and sustainable farming practices ($300 million). At least 40% of the funds must benefit low-income or climate-vulnerable communities, and there will be regular public reporting on the spending.
Statewide Mobile Monitoring Initiative
In November 2024, CARB announced the launch of the Statewide Mobile Monitoring Initiative (SMMI) in connection with the Community Air Protection Program (CAPP) originally established in 2017 by AB 617. The CAPP’s purpose is to identify communities most at risk of air pollution within California and develop strategies to mitigate and reduce such pollution. The SMMI is designed to address the challenges of detecting elusive pollutants that pose serious health risks, particularly to disadvantaged and frontline communities. The SMMI is funded by a $27 million appropriation from the California Climate Investment program.
The SMMI focuses on detecting greenhouse gases, toxic air contaminants, and criteria pollutants, with a strong emphasis on community involvement. The initiative aims to empower local entities by providing data that validates community-reported pollution concerns. Initially, the SMMI will target 64 communities identified under the CAPP.
Looking Forward
Following his inauguration as the 47th President of the United States, Donald Trump again withdrew the United States from the Paris Climate Accord and signaled his intent to follow through on his campaign promises to slash the Biden administration’s climate change policies and combat California’s state-level climate change policies. Governor Newsom, meanwhile, issued a brief statement following the inauguration indicating that California again plans to pursue its ambitious climate targets regardless of the level of support or opposition from the federal government.
The potential for uncertainty, instability, and conflict between federal law and the laws of the state representing the nation’s largest economy bears watching closely for all those who may be impacted.
FOOTNOTES
[1] See articles related to the State’s fire response here and here.
[2] See our previous articles covering 2022 and 2023, respectively.
[3] See prior articles on these bills here and here.
[4] Projects designed to evaluate the “presence and characteristics of geothermal resources” prior to development of a geothermal energy project.
[5] See EPA Grants Waiver for California’s Advanced Clean Cars II Regulations | US EPA.
[6] Ohio et al. v. U.S. Environmental Protection Agency et al., case number 22-1081, in the U.S. Court of Appeals for the District of Columbia Circuit.
[7] See withdrawal letters at this link: Vehicle Emissions California Waivers and Authorizations | US EPA.
[8] See California Vehicle Waivers ‘Legally Solid’ as Trump Eyes Repeal; Trump takes aim at clean energy, climate change and the environment on day one – Los Angeles Times.

Ethical Hacker Uncovers Vulnerability in Subaru Starlink Service

Ethical hackers identified an arbitrary account takeover flaw in the administrator portal for Subaru’s Starlink service, which could allow a threat actor to hijack a vehicle through a Subaru employee account. This vulnerability could allow a threat actor to remotely track, unlock, and start connected vehicles. The ethical hacker reported to Subaru that they could bypass multi-factor authentication (MFA) by removing the client-side overlay from the user interface. Through various endpoints, the ethical hacker could use a vehicle search to query a consumer’s last name, zip code, telephone number, email address, or VIN number and gain access to the vehicle.
This “access” allowed the ethical hacker to:

Remotely start, turn off, lock, unlock, and retrieve the current location of any Subaru vehicle.
Retrieve a Subaru vehicle’s location history from the past 12 months, accurate to within about 15 feet.
Query and retrieve the personal information of any consumer, including emergency contacts, authorized users, physical address, billing information, and vehicle PIN.
Access other user data (e.g., support call history, previous owners, odometer reading, sales history, etc.).

The ethical hacker informed Subaru that this vulnerability could allow any threat actor to track and hijack any Subaru vehicle in the United States, Canada, or Japan. Fortunately, Subaru responded to the ethical hacker’s outreach immediately and patched the offending vulnerability within 24 hours, but this issue raises wider concerns about the motor vehicle industry. With broad access built into vehicle systems as a default, they are very difficult to secure and protect from outside threats. Manufacturers may consider security by design when building these systems and find a balance between ease of service and consumer information security.

How to Successfully Transfer Your Manufacturing Plant From Mexico to the United States

President Trump’s promise to impose a new 25% tariff on goods produced in Mexico has prompted many companies to consider alternatives to their current or planned operations in Mexico. The decades following the 1994 North American Free Trade Agreement (NAFTA) saw enormous industrial investment in Mexico, especially in northern cities like Monterrey, Tijuana, Chihuahua, and Baja California.1 The benefits of producing goods in Mexico were clear – low labor costs, modest transportation costs to the United States, and reduced tariffs under NAFTA. These benefits, however, could be eclipsed by a new 25% tariff on Mexican origin goods. Companies with industrial plants that have tight profit margins are in a precarious position, so it is not surprising that many are now “looking to shift operations to the US to avoid these additional costs and reroute cargo from Mexican ports to US ports.”2
The automotive sector is a prime example of an industry that will be significantly impacted by the proposed tariffs, if implemented. The United States imported more than US$86 billion worth of motor vehicles from Mexico and more than US$63 billion of auto parts from Mexico last year, according to US Department of Commerce data, excluding December.3 This reflects the major investments automotive manufacturers and their suppliers made in Mexico in the years since NAFTA. It also reflects the extent to which production in Mexico and the US became highly integrated, with producers in both countries (and Canada) relying on a free flow of parts and finished goods across borders. New tariffs, therefore, pose a major challenge to the status quo.
The question of whether to shift operations from Mexico to the United States requires a careful cost-benefit analysis to determine if there is an opportunity to increase profits by relocating to the United States. But, once this analysis is complete, how does one evaluate the opportunity? Proactive planning is essential. For example, when evaluating potential moves, it is important to: (1) select an ideal site that meets the utility and labor needs of the plant; (2) negotiate and maximize economic incentives; (3) conduct real estate due diligence and analyze real estate documents for the facility and its operations; (4) review the tax and corporate considerations with respect to the transaction; and (5) analyze supply chains to ensure products produced or processed in the United States will meet US country of origin standards.
For companies facing these challenges, the firm can assist in finding a successful solution. The firm has an internationally recognized Global Location Strategies practice and an experienced Policy and Regulatory practice with special capabilities in international trade regulation. We have strong relationships with federal, state, and local economic development and government officials all over the United States. This enables our clients to gain government assistance with evaluating when and where to move their operations in the United States. The firm has obtained incentives up to a billion US dollars for our clients and has assisted with finding the perfect site for our clients through our strong relationships with federal, state, and local governments and agencies. 
Now is the perfect time to explore relocating to the United States, as doing so will better position your company to navigate future disruptions and obtain the best incentives possible when making use of the firm’s years of experience and success in obtaining those incentives.
Footnotes

1 The Los Angeles Times, p. 6.
2 State of the American Supply Chain, Averitt p. 2 January 9, 2025.
3 WDSU, p. 3, January 21, 2025. 

Beach Buggy Battle: Stipulation Insufficient to Establish Trademark Distinctiveness

The US Court of Appeals for the Fourth Circuit found that a district court does not need to accept both parties’ stipulation that a mark is distinctive but instead is permitted to make an evidentiary inquiry in determining whether the mark is distinctive or generic. Moke America LLC v. Moke Int’l Ltd., Case No. 23-1634 (4th Cir. Jan. 15, 2025) (King, Groh, JJ.) (Richardson, J., dissenting).
Starting in the 1960s, British Motor Corporation (BMC) sold vehicles colloquially referred to as “Mokes” in the United Kingdom, Australia, and Portugal. By the time BMC ceased production in 1993, Mokes had garnered a small but devoted following for use as beach buggies in the United States, the Caribbean, and Australia.
In August 2015, Moke International and Moke USA sold their first vehicle using the MOKE mark and subsequently sought trademark registration. One year later, Moke America began US sales of vehicles using the MOKE mark. Both parties described their vehicles as being reengineered and redesigned versions of the BMC Moke.
The present dispute began when Moke America opposed Moke International and Moke USA’s registration based on priority use of the MOKE mark. The Trademark Trial & Appeal Board dismissed the opposition. Moke America then filed a district court complaint seeking a declaration of trademark ownership and asserting trademark infringement. Moke International and Moke USA counterclaimed for a declaration of trademark ownership and trademark infringement, as well as affirmance of the Board’s dismissal.
A party claiming ownership of a mark bears the burden of proving distinctiveness. A generic term is not distinctive. Generic terms in trademark law are those that describe a genus or class of which a particular product is a member, such as “CONVENIENT STORE retail stores, DRY ICE solid carbon dioxide, and LIGHT BEER ale-type beverages.” Generic terms can never be protected. The purpose of denying protection for these terms is to safeguard the public from having commonly used words and phrases removed from the “linguistic commons.” Certain marks that are originally distinctive may become generic through the public’s pervasive use of the term through a process known as “genericide.” Genericide occurs when the trademark ceases to identify the particular source of a product or service to the public and instead identifies a class of product or service. Common examples include ASPIRIN and ESCALATOR.
Since both parties sought ownership of the MOKE mark, the parties stipulated that the mark was distinctive and not generic. The district court found that a stipulation was insufficient and noted that the parties must set forth evidence that the mark was distinctive and not generic. The district court concluded that MOKE was once inherently distinctive but had become generic before either party sold a vehicle bearing the MOKE mark. Both parties appealed.
Seeking to overturn the district court’s finding of genericness, the parties argued that the district court was required to accept their stipulation of the MOKE mark’s distinctiveness. The Fourth Circuit disagreed, finding that blindly accepting a stipulation was incompatible with the court’s role of protecting the public interest by not allowing trademark protection for generic terms.
Turning to the merits, the Fourth Circuit concluded that an inherently distinctive mark does not necessarily convert to a generic term upon abandonment, and abandonment of an inherently distinctive mark does not foreclose the possibility that the mark at some point became generic due to genericide. The Court explained that because neither party took the position that MOKE was a generic term, and because there was no serious endeavor to prove distinctiveness at the district court, there was insufficient record evidence (particularly consumer surveys and conventional purchaser testimony) to affirm or reverse the district court’s decision.
Accordingly, the Fourth Circuit vacated the judgment and remanded to the district court to conduct further proceedings, including consideration of additional evidence, to resolve whether MOKE was generic.

Texas Railroad Commission’s New Environmental Rules: A Step Toward Sustainability or Business as Usual?

In 1984, while Ronald Reagan was securing a landslide reelection and Apple introduced the Macintosh, the Railroad Commission of Texas (RRC) last updated the state’s primary oil and gas waste regulations. Now, four decades later, the RRC is revisiting these rules to better align them with modern industry practices and rising demands for stronger environmental protections.
Oil and gas extraction methods have evolved dramatically since the 1980s. Hydraulic fracturing (fracking) and horizontal drilling have sparked a production boom, significantly increasing both the volume and complexity of waste generated. This waste includes drilling fluids, fracking chemicals, and produced water—all of which, if mishandled, pose serious risks to soil, water, and public health.
While most oil and gas wastes are exempt from federal hazardous waste laws under the Resource Conservation and Recovery Act, states maintain broad authority to regulate their disposal and management. In Texas, the RRC oversees this responsibility. However, increasing environmental concerns and evolving industry practices have driven calls for regulatory updates, resulting in the recent revisions in the RRC’s rules.
Key Changes in the New Rules
The new rules, published in the Texas Administrative Code (“TAC”) on January 3, 2025, reflect a multiyear effort by the RRC to modernize waste management, encourage and expand recycling, and strengthen groundwater protections. These changes aim to balance industry needs with environmental stewardship, though their impact will depend on implementation and enforcement when they take effect on July 1, 2025.

Oil and Gas Waste Pits and Produced Water Recycling Pits (16 TAC §§ 4.113-114). A major change consolidates provisions from Statewide Rule 8 (“Disposal of Oil and Gas Waste”) and Rule 57 (“Produced Water Recycling”) into a new subchapter. Key updates include:

Authorization for certain pits (e.g., reserve and mud circulation pits) to operate without a specific RRC permit, with new registration requirements.
Updated standards for pit liners, groundwater monitoring, and closure procedures.
Stricter location restrictions, construction standards, and closure requirements for produced water recycling pits.

Produced Water Recycling (16 TAC § 4.112). One of the most significant shifts is facilitating produced water recycling. Operators can recycle produced water for reuse in drilling, fracking, and completion operations without requiring an RRC permit. However, they must still meet specific design, groundwater monitoring, and siting requirements. This change reflects growing interest in recycling as a solution to mitigate environmental risks, especially in areas like the Permian Basin, where seismicity concerns are increasing.
Transportation of Oil and Gas Waste (16 Tex. Admin. §§ 4.190-195). The new rules introduce enhanced accountability for waste transportation. Notable provisions include:

Detailed manifests for waste characterization.
Special waste authorizations.
Enhanced recordkeeping for waste haulers, improving tracking and compliance.

Public Participation (16 Tex. Admin. § 4.125). To boost transparency and public involvement, the new rules require that affected individuals and entities be notified about permit applications for waste facility construction. The notice must include details about the application, the protest process, and the location of the proposed facility. Notices must be sent via registered or certified mail, and recipients have 30 days to protest. If a protest is filed, the applicant must respond within 30 days. If no protests are received, the permit may be issued. Protests may lead to a hearing, with notice given to all affected parties.
Recycling Drill Cuttings (16 Tex. Admin. §§ 4.301-302). The rules aim to promote recycling of drill cuttings for beneficial use. Operators must comply with specific treatment and recycling requirements. The Commission may approve permits for using treated drill cuttings in commercial products like lease pads or roads, provided the products meet engineering standards, ensure public safety, and avoid water pollution.

Reactions to the New Rules
The revisions have sparked mixed reactions. For the oil and gas industry, the rules provide much-needed clarity, particularly on produced water recycling and waste transportation. However, many changes merely codify existing practices—like new registration requirements for certain pits—so their day-to-day impact may be minimal. That said, the ability to recycle produced water presents an opportunity for operators to reduce disposal costs and environmental impacts, especially in areas with limited disposal well capacity.
Environmental groups and landowners, however, view the revisions as insufficient. While the new rules offer clearer guidance on waste management and promote recycling, critics argue they fall short in addressing critical environmental issues. Concerns include a lack of more stringent regulations on pit liners, groundwater monitoring, and disposal in sensitive areas. Environmental advocates are also frustrated by the RRC’s decision not to require operators to notify landowners about waste disposal activities on their property. Despite these concerns, the RRC maintains it lacks the statutory authority to require such notifications or consent.
Practical Considerations for Landowners
Landowners whose properties are affected by oil and gas operations may need to take proactive steps to protect their interests. Since mandatory landowner notification is not required, surface owners should negotiate specific lease provisions, such as:

Restrictions on the types of waste disposed of on their land.
Designated disposal locations and management methods.
Operator notification before disposal activities—or even consent for certain types of waste disposal.

Landowners may also seek additional safeguards, such as stricter pit liner requirements, enhanced groundwater monitoring, or more comprehensive closure plans for waste pits.
Looking Ahead
The RRC’s overhaul of its oil and gas waste management regulations marks a significant step toward modernizing Texas’s regulatory framework in response to changing industry practices and environmental concerns. However, the real impact of these revisions will depend on how they are implemented and enforced when they take effect on July 1, 2025. Stakeholders—from industry operators to environmental advocates—should carefully consider the potential implications. For landowners, consulting legal counsel may be wise to ensure their interests are protected under the new rules. These final regulations could shape Texas’s oil and gas industry and environmental stewardship for years to come. 

Advance Parole Process Unaffected by Trump EO, But Confusion + Delay Expected Anyway

Humanitarian parole programs for individuals from Cuba, Haiti, Nicaragua and Venezuela have been cancelled by President Trump’s Executive Order (EO) on Securing Our Borders. USCIS’s Uniting for Ukraine application process has also been paused. To date, although it has been reported that Afghan refugees have been removed from flight manifests, the Afghan parole program remains active on the USCIS website.
Despite the suspensions, individuals with valid advance parole documents (Forms I-512) may still board flights returning to the United States based upon guidance from the CBP’s Carrier Liaison Program (CLP). The CLP provides guidance to airlines, including guidance on requirements for allowing foreign nationals to board. Airlines are fined if individuals that they allow to board do not have the documentation required to enter the United States. The CLP has stated that the EO does not affect individuals holding valid I-512 Advance Parole documents and they can board airlines returning to the United States. This would also include DACA, TPS and general adjustment of status advance paroles.
Keep in mind that it takes time for guidance to be distributed and implemented. That means there may be confusion at airline counters and at the border. At best, entrance on advance parole is discretionary so individuals should be prepared for long waits, travel with all their relevant documentation and consider avoiding travel that is not necessary until the rules have been “tested.”

Coast Guard Issues Final Maritime Cybersecurity Rule: Key Requirements and Implementation Timeline

On January 17, the US Coast Guard released its much-anticipated final rule on cybersecurity in the US Marine Transportation System, which establishes mandatory minimum cybersecurity requirements for the maritime sector. The new regulations are effective July 16, 2025 and represent the most significant maritime cybersecurity regulations to date. Affected entities should review their existing policies, identify any gaps or deficiencies, and implement compliance procedures.
Jones Walker’s 2022 Ports and Terminals Cybersecurity Survey data was cited in the final rule, helping to shape some of the new regulations.
I. Scope and Applicability
The primary goal of the final rule is to enhance the cybersecurity of the US Marine Transportation System. The new regulations establish minimum mandatory requirements for US flag vessels, Outer Continental Shelf (OCS) facilities, and facilities subject to the Maritime Transportation Security Act of 2002. The rule aims to address the increasing risks posed by cyber threats due to the growing reliance on interconnected digital systems within the maritime industry. It emphasizes both preventing cyber incidents and preparing to respond to them effectively.
The rule applies to:
a. US flag vessels subject to 33 CFR part 104
33 CFR part 104 applies to: 

Cargo vessels greater than 100 gross tons
Commercial passenger vessels certified to carry more than 150 passengers
Offshore Supply Vessels (OSVs)
Mobile Offshore Drilling Units (MODUs)
Towing vessels more than 26 feet long engaged in towing certain dangerous cargo barges
Cruise ships and passenger vessels carrying more than 12 passengers on international voyages

b. Facilities subject to 33 CFR part 105
These facilities are covered by the regulation:

Container terminals
Chemical facilities with waterfront access
Petroleum terminals
Cruise ship terminals
Bulk liquid transfer facilities
LNG/LPG terminals
Barge fleeting facilities handling dangerous cargo
Facilities that receive vessels carrying more than 150 passengers
Marine cargo terminals otherwise subject to the Maritime Transportation Security Act of 2002

c. OCS facilities subject to 33 CFR part 106
These OCS facilities are affected:

Offshore oil and gas production platforms
Offshore drilling rigs
Floating production storage and offloading units (FPSOs)
Deepwater ports
Offshore wind energy facilities
Offshore loading/unloading terminals

II. Core Requirements
The cybersecurity plan must include measures for account security (e.g., automatic account lockout, strong passwords, multifactor authentication), device security (e.g., approved hardware/software lists, disabling executable code), and data security (e.g., secured logging, data encryption). Entities must also create or implement the following:
a. Cybersecurity Officer — Each covered entity must designate a Cybersecurity Officer (CySO) responsible for implementing and maintaining cybersecurity requirements. The rule allows for designation of alternate CySOs and permits one individual to serve multiple vessels or facilities, providing welcome flexibility for operators.
b. Cybersecurity Plans and Assessments — Organizations must develop and maintain the following:

A comprehensive Cybersecurity Plan
A separate Cyber Incident Response Plan
Regular cybersecurity assessments

Plans must be submitted to the Coast Guard for review within 24 months of the rule’s effective date.
c. Training and Exercises — The rule mandates the following:

Cybersecurity training for all personnel using IT/OT systems beginning July 17, 2025
Two cybersecurity drills annually
Regular penetration testing aligned with plan renewal cycles

d. Technical Controls — Required security measures include the following:

Account security controls including multifactor authentication
Device security measures and approved hardware/software lists
Data encryption and secure log management
Network segmentation and monitoring
Supply chain security requirements

III. Implementation Timeline
Key phase-in compliance dates include:

Rule effective date: July 16, 2025
Training requirements begin: July 17, 2025
Initial cybersecurity assessment: Due by July 16, 2027
Cybersecurity Plan submission: Due by July 16, 2027

The Coast Guard is seeking comments on extending implementation periods for the new requirements by two to five years for US flag vessels. Comments are due no later than March 18, 2025. After review of these comments, the Coast Guard may issue a future rule to allow additional time for US flag vessels to implement the new regulations.
IV. Harmonization with Other Requirements
The Coast Guard has worked to align these requirements with other cybersecurity regulations, including the Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Incident Reporting for Critical Infrastructure Act of 2022 reporting requirements. The rule establishes the National Response Center (NRC) as the primary reporting channel for maritime cyber incidents, simplifying compliance for regulated entities.
V. Some Basic Questions and Answers

What are the mandatory cybersecurity measures outlined in the rule? Owners and operators must implement a range of cybersecurity measures that are based on “cybersecurity performance goals” developed by CISA. This includes vulnerability identification of critical IT and OT systems, addressing known exploited vulnerabilities in those critical systems, and conducting penetration testing in conjunction with renewing the Cybersecurity Plan.
What constitutes a reportable cyber incident, and to whom do I report it? A reportable cyber incident is defined as any incident leading to substantial loss of confidentiality, integrity, or availability of a covered system; to disruption to business operations; to unauthorized access to nonpublic personal information of a large number of individuals; or to operational disruption of critical infrastructure. Such an incident also includes any event that may lead to a “transportation security incident.” Such incidents must be reported to the NRC.
What is the Coast Guard’s approach to compliance and enforcement of this new rule? The rule takes a performance-based approach, meaning that it focuses on outcomes rather than prescribing specific technical solutions, thus providing some flexibility to the entities in meeting the requirements. However, the rule does not specify the methods of enforcement, and the Coast Guard is currently working with policymakers to define the compliance criteria. The Coast Guard will address those questions at upcoming symposiums. Noncompliance with the rule could lead to penalties, legal action, and financial losses.
Is there any flexibility or possibility of waivers in complying with this rule? Yes. After completing a cybersecurity assessment, owners and operators can seek a waiver or an equivalence determination for the requirements, based on the waiver and equivalency provisions of 33 CFR parts 104, 105, and 106. Owners and operators must also notify the Coast Guard of temporary deviations from the requirements.

VI. Key Takeaways

Begin preparation now — the 24-month implementation period will pass quickly given the scope of required changes.
Evaluate current cybersecurity staffing and capabilities against new CySO requirements.
Review existing security measures against the detailed technical requirements.
Plan for increased training and exercise obligations.
Consider whether to comment on the proposed implementation extension for vessels.

Our cross-disciplinary team has extensive experience helping clients navigate complex regulatory requirements. We can assist with:

Gap analysis against new requirements
CySO program development
Cybersecurity Plan creation and review
Training program development
Technical compliance assessment

LNG by Rail: The D.C. Circuit Vacates a DOT Rulemaking and Outlines a Path for Challenges Yet to Come

In Sierra Club v. United States Dep’t of Transportation[1], a panel of the United States Court of Appeals for the District of Columbia Circuit (“D.C. Circuit”) vacated and remanded a final rule[2] issued by the Department of Transportation (“DOT”) permitting the transportation of liquefied natural gas (“LNG”) in approved rail cars. The final rule was subsequently stayed and never took effect.
DOT Rulemaking & the Sierra Club Decision
The rulemaking proceeding began with an executive order published on April 10, 2019. Then-President Trump directed the Secretary of Transportation to propose a rule to permit LNG to be transported in approved rail cars within 100 days from the date of the executive order and to finalize the rule within thirteen months.[3] DOT subsequently issued a proposed rule that would permit the transportation of LNG by rail in DOT-113 rail cars. The proposed rule set no limit on the number of cars to be used to transport LNG on a single train and imposed no mandatory speed limit. The proposed rule also included a preliminary environmental assessment finding that the proposed rule would have no significant environmental impact.[4]
The proposed rule was challenged by environmental organizations, states, and the National Transportation Safety Board, all citing potentially grave risks of explosions or fires from the transportation of LNG by rail and separately arguing that the proposed rule failed to mitigate those risks.[5]
In July 2020, the DOT modified the final rule in several respects. The Court summarizes the changes as follows:
The final Rule authorizes transportation of LNG by rail, but it differs from the Proposed Rule in several respects. First, the final LNG Rule imposes new requirements for the outer tank of approved railcars: The outer tank must be both thicker and made of stronger steel than that used in existing 120W cars. Specifically, the tanks must be 9/16″ thick, rather than the current minimum of 7/16″. The outer tank also must be made of TC-128 Grade B normalized steel, which is less likely to crack or puncture than the steel typically used in DOT-113 cars. Second, the Pipeline and Hazardous Materials Safety Administration (“PHMSA”) boosted the maximum filling density from 32.5% to 37.3%. Finally, the LNG Rule includes additional operating controls to promote safety: (1) Tank cars carrying LNG must be equipped with remote monitoring devices for detecting and reporting each car’s internal pressure and location; (2) Any train with at least 20 LNG tank cars in a continuous block or with 35 such cars throughout the train must be equipped with advanced braking capabilities; and (3) PHMSA adopted the routing requirements of 49 C.F.R. § 172.820, which require railroads to consider safety risk factors, such as population density, when analyzing potential routes for transporting LNG.[6] 
The final rule reiterated the finding that the rule would have no significant environmental impact. As a result, no environmental impact statement was prepared. The petitions for review that are the subject of the Sierra Club case followed. 
The Court determined that the case was ripe for review even though the rule had never been finalized and was at the time of the decision stayed.[7] 
The Court affirmed that each class of petitioners had requisite standing to pursue its appeal.[8]
On the merits, the Court found that the final rule authorizing transportation of LNG by rail was arbitrary and capricious:
[Petitioners] claim that PHMSA failed to take a hard look at how the LNG Rule would affect public safety and therefore violated [National Environmental Policy Act (“NEPA”)]. In support of their argument, they note that PHMSA disregarded the checkered safety record of the 120W tank car and ignored the risks of including numerous cars of LNG within a single train without any required speed limit. We agree and vacate the LNG Rule.[9]
The Court’s decision in this respect was very narrow. The error was the failure to prepare an Environmental Impact Study (“EIS”). The Court explained:
In this case, PHMSA determined that an EIS was not required because authorizing LNG transport by rail under the LNG Rule would have no significant impact on the environment. But the record reflects that transporting LNG by rail poses a low-probability but high-consequence risk of a derailment that could seriously harm the environment: A breach of one or more rail cars containing LNG could cause an explosion, an inferno, or the spread of a freezing, flammable, suffocating vapor cloud. The real possibility of such catastrophes significantly affects the quality of the human environment. For that reason, NEPA required PHMSA to prepare an EIS.[10] 
The Court reminded observers that the scope of NEPA review is itself narrow:
NEPA is “primarily information-forcing,” so it “directs agencies only to look hard at the environmental effects of their decisions, and not to take one type of action or another.” Sierra Club v. FERC, 867 F.3d 1357, 1367 (D.C. Cir. 2017) (cleaned up). After preparing an EIS, the agency will be best positioned to determine whether the environmental risk is worth taking. Any future legal challenges to the substance of that decision would then be brought under some other statute, not NEPA. Because we vacate the instant LNG Rule due to PHMSA’s failure to prepare an EIS, such questions are left for another day.[11] 
Takeaways for Future Regulatory Reforms
The challenges the Court elected not to address are also significant. These include variations on the argument that the DOT’s modification to the standards applied to the cars to be used to transport LNG by rail after the notice of proposed rulemaking was issued violated the notice and comment provisions of the Administrative Procedure Act and the public participation requirement of NEPA, as well as arguments related to the failure to take into account environmental justice concerns and the impact of LNG transport by rail on greenhouse gas emissions. At least some of these challenges (perhaps variations of all) could be deployed against future regulatory reform efforts. For example, in Liquid Energy Pipeline Ass’n v. FERC[12], a panel of the D.C. Circuit vacated a Federal Energy Regulatory Commission (“FERC”) oil pipeline index rule that was modified on rehearing by FERC without being subjected to another round of notice and comment rulemaking. 
For those industry stakeholders who support, wholly or in part, regulatory reform initiatives, this decision highlights the need to anticipate and to address alleged administrative process flaws at an early stage in policy development to ensure that any such concerns are fully addressed and resolved on the administrative record. The failure to do so can delay or undermine entirely proposed changes, regardless of their public policy bona fides. It will likely not be enough to wait and hope that affected departments and agencies who are managing multiple initiatives and challenges will have the time and resources to develop a full and adequate administrative record that can withstand judicial review. All affected stakeholders need to take affirmative steps to ensure that procedural missteps do not take on outsized consequences. 

[1] No. 20-1317, 2025 WL 223869 (D.C. Cir. Jan. 17, 2025).
[2] Hazardous Materials: Liquefied Natural Gas by Rail, 85 Fed. Reg. 44,994 (July 24, 2020).
[3] Sierra Club at *2 (citing Executive Order 13,868, 84 Fed. Reg. 15,495, 1497 (April 10, 2019)).
[4] Id. at **2-3.
[5] Id.
[6] Id. at *3.
[7] The Court also found that the stay did not moot the case. “Voluntary cessation does not moot a case unless it is absolutely clear that the allegedly wrongful behavior could not reasonably be expected to recur.” Id. at 5 (citing West Virginia v. EPA, 142 S.Ct. 2587, 2602 (2022)).
[8] Id. at **6-7.
[9] Id. at *7.
[10] Id. at *8.
[11] Id. at *10, n. 6.
[12] 109 F.4th 543 (D.C. Cir. 2024).

Essentials Every Teen Should Have in Their Car

As Teen Driving Awareness Month rolls around this January, it’s another reminder for young drivers to equip their vehicles with essential items for their safety and comfort. Whether they’re going to school, hanging out with friends, or setting out on a road trip, being prepared can make a stressful situation more manageable and prevent issues on the road. 
Below is a list of necessities every teen should keep in their car:
1. Must-Haves

License, registration, and insurance: Keeping important documents organized and easily accessible is key, especially if your teen gets pulled over. Vehicle registration and proof of insurance should be kept in the glove compartment, and they should always keep their driver’s license in their wallet.
Phone charger: A charged phone is necessary for navigation and for them to always have a way to reach you and authorities. 
Blanket: If a breakdown happens and it is freezing outside, it’s important to keep a blanket in the vehicle if the driver must wait for roadside assistance, which can sometimes be up to an hour or longer.

2. Safety Gear

First-aid supplies: Create a first-aid kit that includes band-aids, hand sanitizer, alcohol and antiseptic wipes, antibiotic ointment, and medications (for allergies, motion sickness, or pain relief).
Flashlight: A reliable flashlight with working batteries can be helpful in low-light situations.
Seatbelt cutter and window breaker: These should be kept in the door next to the driver’s seat or in the glove compartment.

3. Car Maintenance Supplies

Jumper cables and emergency battery booster: Dead batteries are common, and jumper cables can help get a vehicle back on the road. If there aren’t any other motorists to assist with jumping their battery, emergency battery boosters are ideal.
Tire pressure gauge, inflator, and tire sealant: If your teen notices their tire pressure is low or gets a flat tire, these small, inexpensive tools can temporarily help until arriving at an auto shop.
Spare tire and jack: Show your teen how to change a tire, or have them watch a YouTube video, so they are prepared in case of emergency.
Emergency contact list: A physical contact list or saved phone numbers, including roadside assistance numbers, your insurance company, and a local car repair shop, can be vital in emergencies.
Ice scraper: If you live in a cold climate, an ice scraper is a lifesaver to clean off your car and make it safer for the road.

4. Personal Comfort and Convenience Items

Umbrella: When it’s raining outside, the last thing anyone wants to forget is an umbrella.
Sunglasses: Protecting their eyes from the sun is essential and prevents them from squinting, which could affect their driving.
Water bottle: Having a sealed water bottle in case of a vehicle breakdown or vehicle maintenance is key.

Conclusion
Stocking their car with these essential items can help your teen driver feel safer, more confident, and better prepared for the road ahead. Teen Driving Awareness Month is a reminder for young drivers to prioritize safety and responsibility through good driving habits and preparedness. 

Top 10 Safe Driving Tips for Teens

Driving is an exciting milestone for many teenagers, but it also comes with significant responsibilities and preparation. According to the Governors Highway Safety Association (GHSA), young drivers are almost four times more likely to be involved in a fatal car crash. January is Teen Driver Awareness Month and to ensure your child stays safe on the road, here are some essential driving tips to teach them:
1. Always Buckle Up
Make it a habit to wear your seatbelt, regardless of how short the trip is. Seatbelts are one of the simplest and most effective ways to protect yourself in an accident.
2. Stay Focused
Distractions can come from your cell phone, passengers, or even the radio. Avoiding distractions can be challenging, so it’s crucial to keep your attention on the road. If you need to make a call or send a text, pull over safely first.
3. Follow the Speed Limit
Speed limits are designed for your safety as well as everyone else on the road. Following them not only keeps you safe, but also gives you more time to react to unexpected situations.
4. Avoid Driving Under the Influence
Never get behind the wheel if you’ve been drinking alcohol or using drugs. Plan for a designated driver or use a rideshare service if you do not plan on staying sober. Your safety—and the safety of others—depends on it.
5. Get Enough Sleep
Driving while sleep-deprived can be just as dangerous as driving under the influence of alcohol or drugs. Poor sleeping habits can lead to fatigue, which can cause a driver to fall asleep or lose focus behind the wheel. It’s important to pull over to a safe place and take a break if you feel drowsy.
6. Keep a Safe Distance
Maintain a safe following distance from the vehicle in front of you. Tailgating is never a good idea. This gives you enough time to react in case the car suddenly stops or brakes.
7. Use Turn Signals
Always signal your intentions when changing lanes, merging, or turning. This communicates your plans to other drivers and helps prevent accidents.
8. Be Cautious in Poor Conditions
Rain, snow, and fog can substantially impact visibility and traction. Slow down and drive with extra caution in these conditions, especially when there may be ice on the roads.
9. Know Your Vehicle
Familiarize yourself with your car’s features, including hazard lights, brakes, headlights, and windshield wipers. Understanding how your vehicle works can help you react better in emergencies and feel more comfortable while driving.
10. Be a Defensive Driver
Always be aware of your surroundings. Anticipate the actions of other drivers and be prepared to react appropriately. Stay alert and keep your eyes moving to scan the road.
Conclusion
By following these safe driving tips and teaching them to your teen, you can help ensure a safer driving experience for everyone on the road. Remember, responsible driving not only protects you but also those around you. Drive safe!