The world now spends more than 110 billion minutes on social networks per month. It is estimated that 60% of all internet users access some form of social networking site on a daily basis. In this update we provide an overview of the new information security laws that were issued in August in the UAE; the risks posed by employee use of information technology in the workplace; and the practical steps organisation can take to mitigate these risks.
With increased use, social media provides unique opportunities. Its content can be republished and can rapidly be seen by a huge audience: globally, Twitter has 200 million active users and Facebook more than 1 billion. Organisations can therefore reach the world’s population in a matter of seconds. However, the same speed of communication and dissemination also applies to insignificant, careless or damaging e-mails or posts. What may look like a small-scale incident can quickly escalate into an issue incurring significant costs and damage to an organisation’s reputation.
UAE IT Security Law
New information security laws were issued in August in the UAE (Cabinet Resolution No. 21 of 2013 regarding the regulation of information security) (IT Security Law), which prohibit fovernment employees from sending, forwarding or responding to email containing confidential information or that may infringe on intellectual property rights. They are due to come into force in November 2013.
The IT Security Law also prohibits sending, copying or forwarding email messages that contain attachments with viruses, spyware, malware or illegal content. Illegal content will include ‘disgraceful’, slandering or offensive statements, comments on race, sex, colour, disability, age, sexual issues, pornographic images or any material related to religious and political beliefs or practices.
The use of personal email such as Hotmail, Gmail and Yahoo has also been banned under the new IT Security Law and official email cannot be used for personal purposes. The Law imposes an obligation on employees, whose email is connected to their smartphones, to password protect their phone and requires all users to include a disclaimer at the bottom of each communication.
The IT Security Law also takes steps to directly address concerns regarding confidentiality. It prescribes three classes of confidentiality with respect to government information and clarifies the purposes for which such categories of information may be disclosed, accessed, modified, deleted or copied.
In order to enforce these regulations, the IT Security Law permits government authorities to periodically check all computers, mobile devices, laptops and PDAs used by employees. Where an employee is found to have violated the IT Security Law, they will be subject to disciplinary action in addition to potential criminal liability under the UAE Penal Code.
The new laws have been created to provide a legal framework for ensuring the security of information in federal agencies and to encourage users to be more aware of security.
Whilst the new laws are initially only applicable to government employees, it is likely that, in future, their coverage will extend to semi-governmental organisations. In addition, the issues that they are seeking to address are equally applicable to the private sector and the decision to block access to social media sites and restrict personal e-mail is in line with practices which have been adopted by employers globally over the last five years.
Other legal risks
The IT Security Law is the latest addition to the relatively extensive legal framework in the UAE that covers the use of social media which employers (and employees) should be aware of. The enforcement of the relevant laws primarily sits with the criminal court, and therefore employees (and their employers) may face criminal sanctions, including custodial sentences (which in some case can be quite severe) and fines. For example, these include (but are not limited to):
- Confidential Information: Law No. 3 of 1987, as amended, (UAE Penal Code) criminalises the disclosure of a ‘secret’ which is entrusted to an individual by reason of his profession, craft, situation or art and who discloses it or who uses it for his own advantage or another persons advantage, without the consent of the person to whom the secret pertains.
- Intellectual property: an employee’s use of social media could also potentially infringe copyright under Law No. 7 of 2002, as amended, (UAE Copyright Law), for example, if they were to post information online without the permission of the author or inventor. Defamation: an employee’s postings can lead to damage to the employer’s reputation, but can also result in liability to third parties for defamation.
- Defamation is a criminal offence under the UAE Penal Code. In the UAE a statement is defamatory, if, for example, it is an accusation which dishonours or discredits the person in the mind of the public generally and it has been made publicly.
Addressing the risks
Many organisations adopt a similar approach to the UAE Government, by banning employees from using social media at work and blocking social media sites. However, Smartphones and high-speed mobile networks make this increasingly impractical or ineffective.
Therefore, once social media risks have been identified, it is also crucial to develop a social media policy and provide employees and managers with guidance and training on appropriate use.
Employment contracts, policies and guidance should make clear, ideally with examples:
- where and how employees’ use of social media can affect the business;
- what information is confidential and the permitted use of such information during an employee’s employment and following termination;
- the potential criminal and civil liabilities that may be incurred by employees should they disclose confidential information; and
- what actions will be regarded as misconduct and what sanctions will be imposed. Termination of employment without notice is permitted under UAE Federal Law No. 8 of 1980, as amended (Labour Law), if an employee reveals an employer’s confidential information.
An employer’s openness to social networking sites will of course depend on the sector in which it operates. The key consideration is to set clear standards of behaviour so that an employee knows what is expected of him at the outset and the consequences of getting it wrong. Employees should also be made aware of a common misconception that social networking sites are private and be reminded that their postings will be in the public domain.