This article provides an overview of data privacy in the UAE, explores the risks that companies face in relation to data loss by reference to case studies from the region and provides practical suggestions as to how businesses might seek to mitigate their exposure to risks of cyber crime.
In an era in which ever more of our lives and businesses are conducted online, individuals and businesses face new challenges in protecting their information and reputations from cyber crime. For individuals there is the threat of viruses, identity theft and cyber stalking. For businesses, there is the fear that their systems will come under attack, whether externally or through the negligent or malicious acts of their own employees or third parties, putting vital data and reputations at risk.
PricewaterhouseCoopers' (PwC) Global Economic Crime Survey of 2011 highlighted cyber crime as a serious emerging risk and threat to businesses the world over. The Middle East is no exception. Indeed, one need only refer to the cyber attack suffered by Saudi Aramco in August 2012 to note this worrying trend.
As awareness of the implications of cyber crime increases around the globe, many jurisdictions have put into place specific legislative regimes, compliance with which is crucial in the effort to limit the financial and reputational harm that consumers and businesses may suffer as a result of such breaches.
Data Privacy and Data Loss
Data privacy laws govern the protection and storage of personal data. They typically address, and sanction, the illegal use, disclosure and processing of personal data. In most legal systems, "personal data" refers to information relating to an identified or identifiable individual.
The term "data loss" refers not only to the accidental loss of information but also to any data breach. It may therefore take the form of infiltration of a company's IT systems by external parties or by a virus. More commonly, however, it results from an employee's deliberate or negligent actions, such as leaking confidential information to external parties, misdirected or incorrectly forwarded email, or the loss or theft of equipment such as laptops or USB flash drives.
UAE Legal Framework
There is no specific data protection law in the UAE at federal level; however, data protection laws do exist in certain free zones (explained in more detail below). For the rest of the UAE, restrictions and/or penalties relating to data privacy can be found in a number of legislative sources, including:
The UAE Constitution of 1971, which enshrines the right to privacy of personal information and guarantees "Freedom of communication by post, telegraph or other means of communication and the secrecy thereof."
The UAE Penal Code of 1987 (as amended), which in particular prohibits:
(a) the publication, through any means, of news, pictures or comments pertaining to the secrets of people's private or familial lives;
(b) any person who by reason of profession, craft, circumstance or art, is entrusted with a secret from disclosing or using (to his or another’s advantage) that secret without the consent of the individual concerned or where not otherwise permitted by law; and
(c) the interception and/or disclosure of correspondence or a telephone conversation without the consent of the relevant individuals. For those who fail to adhere to the law, the Penal Code sets severe penalties, which include fines and imprisonment.
The UAE Civil Transactions Law, Federal Law No. 5 of 1985 (as amended), provides that a person is liable for all acts causing harm. This could include harm caused by the unauthorised use or publication of another person's personal or private information.
Other UAE laws that contain privacy protections and/or requirements relating to the collection, storage and use of data (in addition to the Penal Code, the Civil Transactions Law and the Constitution) include:
Labour Law (Law No. 8 of 1980 as amended).
Electronic Transactions and E-Commerce Law (Dubai Law No. 2 of 2002)
Combating Cyber Crimes Law (Federal Law No. 2 of 2006)
E-transactions and E-commerce (Federal Law No. 1 of 2006)
Certain free zones, namely the Dubai International Financial Centre (DIFC) and Dubai Healthcare City (DHCC), have enacted comprehensive data protection frameworks based on the European model, which place a number of obligations on businesses established in those zones. These include restrictions on transferring personal data or patient health information to recipients located in jurisdictions outside the DIFC or DHCC respectively without the individual's consent.
Transferring Data Overseas
In addition, UAE companies that receive cross-border data transfers may also be subject to the data protection rules of the jurisdiction from which the data is exported. This is a particularly important consideration for intra-group transfers where, for example, under the EU Data Protection Directive, such transfers may take place only if there is an adequate level of protection for the data in the importing jurisdiction, and the exporting company retains primary liability for any data breach.
UAE Data Breach Examples
Companies in the UAE have not been immune to data breaches. Indeed, there have been a number of widely reported incidents of hacking, phishing, identity theft and cyber attacks, a full account of which is beyond the scope of this article. Two recent examples illustrate the legal issues involved:
Accidental Email leading to Disclosure of Personal Data
In this case, a UAE-based company had outsourced its payroll function, as is common practice. An employee of the payroll company (also based in the UAE) accidentally sent an email to all employees of the client company containing those employees' personal and private financial information. The payroll company took a number of steps to limit the further dissemination of the personal data, but the damage had already been done.
Under the UAE's data protection regime the legal implications are not immediately obvious, but they included consideration of:
(i) any obligation on the company to notify the breach to the authorities, including the Ministry of Labour who, given certain rules relating to data handling in the Labour Law, may wish to investigate the breach;
(ii) any breach of the Penal and/or Civil Code including the technical requirement to report a criminal offence;
(iii) any possible civil action by an employee for harm caused by the disclosure of his/her personal data; and
(iv) any other data protection legislative regimes that might have been triggered as a result of the breach.
Employee Using Email to disclose Confidential Company Information
In this case, an in-house legal counsel at a company (the "Employer") was charged with revealing company secrets to another company via email. The secrets in question included the Employer's financial information, the names of the Employer's clients, and allegations that the Employer had failed to execute certain projects and was facing financial ruin.
The legal counsel denied the charges, saying he had simply emailed a friend from work a couple of times about what was going on in his life. He did not believe that the Employer had suffered any loss, or that the other company had gained any competitive advantage, as a result of the emails. The Employer, however, alleged that he had provided the information in an attempt to secure a position elsewhere.
The legal counsel was convicted in absentia and sentenced to three years' imprisonment. A civil suit was also filed, and interim compensation of AED 200,000 was ordered. The case highlights the interplay between the civil and criminal laws in combating cyber crime.
The PwC Global Economic Crime Survey 2011 reported that 34% of respondents had experienced economic crime in the preceding 12 months, an increase of 21% on the 2009 survey, with almost 1 in 10 respondents reporting losses of more than USD 5 million. These figures illustrate the scale of the financial losses that companies can face.
There is no reason to think that companies in the UAE, as an emerging market, will be spared the growth in cyber crime experienced globally. The variety of applicable legal regimes, together with the risks posed by cyber crime, should encourage UAE businesses to take reasonable measures to prevent data breaches.
It would be prudent for a company to draw up policies and procedures based on international best practice that include:
assigning responsibility at senior level for dealing with data security;
establishing a specific committee to assess, monitor and control data security risk;
putting in place written policies which are accessible to and easily understood by all staff, and which reflect employees' use of social media tools;
introducing appropriate software to assist with data management and control;
establishing an incident (emergency) response plan; and
providing training, regular updates and notifications to employees on their obligations and permitted use of confidential and commercially sensitive information.
To help bear the costs associated with data breaches, businesses may also wish to consider cyber liability insurance as part of their overall risk management strategy. Such specialised insurance products are now available from international insurers based in the region. The insurance is designed to address first and third party losses or liabilities associated with data breach.
Cover for first party losses (i.e. a business's own losses) arising from cyber risks includes the costs of data recovery and rectification, whether the cause is a network security breach or another cause such as human error, together with cyber extortion, business interruption and crisis management costs. Cover for third party liabilities (i.e. liability to pay others) includes claims arising from breach of privacy or confidentiality, defamation or copyright infringement through email or website content, and damage to another party's network systems through the transmission of viruses. With assistance from insurance brokers with specialist knowledge of cyber risks, businesses may benefit from purchasing such cover.
To conclude, in a world of increasing reliance on the electronic storage and transfer of information, the risk of data loss, by whatever means, is only growing. Businesses can, however, limit their exposure by ensuring that the right mitigation measures are in place.