The UAE has introduced new federal legislation directed towards combating increased cyber criminal activity experienced in the region. This article addresses specific issues which arise out of this new law and what impact those issues might have on the insurance cover available.
In November 2012 UAE Federal Law No 2 of 2012 Concerning Combating Information Technology Crimes (the New Law) came, unexpectedly, into effect. Prior to being published in the official gazette, no draft version of the law had been circulated, suggesting to some a response influenced in part by recent events in the Middle East. The New Law contains a number of amendments to the position previously provided under Federal Law No 2 of 2006 on the Prevention of Information Technology Crimes which the New Law has repealed.
Under the New Law, privacy of all information published online has been granted legal protection. This extends to all data, information, credit card numbers and bank account details as well as all online and electronic payment methods. Any attempt to use private information obtained by electronic or online means or to forge or create duplicates of credit cards and civil cards is expressly prohibited.
Additionally, all data, irrespective of whether it is personal or not, is protected from misuse or unauthorised access by means of information technology, which is interpreted to include the use of websites, social networks, computer programs, smart phone applications and tablets. However the New Law does not directly confer rights upon individuals regarding the use of their data. Furthermore, no data protection commissioner is established and reporting obligations for breaches of the New Law to competent authorities have not been imposed. It should be noted, however, that the UAE criminal procedures law requires anyone aware of a crime, which does not require the victim to file a claim in order to be actionable (which may apply to many of the crimes in the New Law), to report that crime to the public prosecutor or to the police.
Whilst the New Law does not, in the first instance, provide individuals with personal rights, it should be noted that the UAE criminal procedures law allows a ‘victim’ of a crime (including by inference, a breach of the New Law), to pursue their civil rights before the criminal courts where that victim has suffered damage as a result of the crime. Notably, the New Law contains a prohibition on disclosing data relating to a medical examination, potentially an area in which a breach of the New Law could result in a civil claim by a private individual. It also prohibits the breach of an individual’s privacy by online means and “publishing statements or information even if they were correct and real”.
With respect to data protection issues, regard should also be had to the specific data protection regimes in free zones in the UAE, for instance Dubai Healthcare City and the DIFC. There is also specific legislation directed towards certain industries in the UAE (for instance the telecommunications sector).
The New Law ensures that use of modern communication tools such as the various forms of social media are now recognised and better regulated. The use of these tools may have a significant impact on the service providers themselves. By way of example, under certain provisions of the New Law, Facebook could be held accountable for content posted to its network by individual subscribers which falls foul of a number of those provisions. Indeed, the New Law provides that an owner or operator of a website that has stored or made available any illegal content must respond to a request from a relevant authority to remove that content, failing which that owner/ operator will be fined and/or imprisoned.
The New Law contains a number of provisions which relate to political dissent, defamation and state security. These provisions may be seen as a response to the recent upheavals in the MENA region, particularly those movements which had their origins in social media. It is often noted that the magnitude of the unrest in the MENA region could not have occurred without the involvement of social media, which spread dissatisfaction and encouraged mass demonstration. This risk has been recognised by the authorities in the UAE and, through the New Law, strict measures have been introduced in an attempt to curb unrest (with origins in social media) from occurring within the UAE.
In the past two years, the Middle East has seen several complex cyber attacks. One of the reported incidents was an attack on Saudi Aramco, the largest oil and gas producer in the world. In August 2012, the company advised that a group of hackers had managed to infect some 30,000 computers associated with the company. Just two weeks after this attack, Qatar’s RasGas, a JV between Qatar Petroleum and ExxonMobil, was targeted by a similar group.
A business which suffers from a cyber attack can be significantly affected by that activity. Whilst a focused cyber attack may not in itself significantly affect the systems of a business or even successfully compromise intellectual property, the repercussions have the potential to be much more significant. A compromised business may be exposed to a considerable period of business interruption or indeed loss of a trusted client base which could seriously affect its ability to perform its business post-attack.
Ramifications for the insurance industry
As the objective of the New Law is to regulate criminal activity committed online, rather than lawful commercial activity, the effect of the New Law on the insurance industry remains to be seen.
It is expected that coverage offered will become more comprehensive, with a focus on increasingly detailed cyber policies being made available to those businesses, offering greater protection than that afforded under traditional general policies.
Of concern to businesses exposed to cyber risks are the penalties which can be imposed by the New Law, with a significant exposure to those who manage and undertake the day to day running of a company. This may present a new challenge for the providers of management liability insurance in the UAE, already billed as a growth line for insurers in the region in the near future.
Whilst the full impact of the New Law is yet to be felt, to keep with the times in an ever changing technological world, insurers and buyers of insurance should carefully evaluate the level of cover afforded for cyber and related exposures and ensure that the cover is specifically tailored to the risks faced by those buyers.