
Data risks of outsourcing

Source: Middle East Insurance Review | Sep 2014

Ms Susan Dingwall and Mr Dino Wilkinson of Norton Rose Fulbright discuss the potential implications of data breaches under cyber crime and data privacy laws in the Middle East, and solutions for mitigating the risks through contract and insurance.

The US Justice Department’s indictment of eight defendants in New York and the arrest of two Dutch nationals in Germany in connection with a sophisticated cyber fraud last year highlighted the far-reaching implications of data breaches for Middle East organisations and the need for careful management of risk in outsourcing projects. 
 
Two Middle East banks – National Bank of Ras Al-Khaimah (RAKBANK) and Bank Muscat of Oman – were both victims of an incident that reportedly stemmed from a data security breach at an Indian outsourced service provider. Elsewhere, the UK financial regulator is carrying out an enforcement investigation relating to IT failures at a leading UK bank in June and July 2012, while the same bank suffered a further IT failure on “Cyber Monday” in December 2013. Another leading UK bank is also investigating similar problems that left its customers unable to use cash machines and debit cards in January this year.
 
This article considers the potential implications of this type of breach under cyber crime and data privacy laws, and solutions for mitigating the risks through contract and insurance.
 
Cyber crime laws
Cyber crime laws exist to a varying degree in several Middle East jurisdictions. In late 2012, the UAE updated its cyber crime law with a number of enhancements aimed at addressing loopholes and confirming that many “real world” offences would be criminal acts if carried out electronically. As a result, the cyber crime legislation in the UAE is one of the most comprehensive in the region. 
 
Of particular relevance to UAE-based companies is the new protection afforded to some personal information online. UAE law criminalises the disclosure of certain electronically-stored information, including credit card and bank account details and electronic payment methods, but it remains to be seen how this law will be enforced in practice. Further, the criminalisation of such activities means that offenders may face prosecution by the relevant authorities, but an affected business would still have to bring a civil action to recover any losses it had suffered.
 
Elsewhere in the GCC, Bahrain and Qatar have draft laws on computer crimes under consideration, while Saudi Arabia and Oman have cyber crimes legislation in place.
 
In the case of breach by an offshore service provider, the application of the bank’s local law may be limited and consideration would need to be given to pursuing the service provider in its own jurisdiction.
 
Data privacy laws
In common with most Middle East countries, the UAE and Oman do not currently have specific data privacy legislation in place at a national or federal level. For those financial institutions operating in the Dubai International Financial Centre (DIFC) economic free zone, the position is different as the organisation would be subject to the European-style DIFC Data Protection Law. Other obligations on a DIFC-regulated entity include specific risk management obligations in relation to outsourcing arrangements contained within the Dubai Financial Services Authority (DFSA) Rulebook.
 
Notwithstanding the formal regulatory position, it is good practice from a legal and reputational risk management perspective to treat data security as a key risk area for any corporate entity. Companies often process a significant amount of highly confidential information on a daily basis and that data is collected, used and stored on behalf of employees, clients and customers. Where a third party service provider is involved in any aspect of the data handling process, appropriate measures must be taken to ensure the security and integrity of that data. Failure to do so exposes the organisation to reputational and financial risks in addition to any potential regulatory implications.
 
Mitigation by contract
It is vital for organisations seeking to outsource any business functions that the contract with the service provider specifies appropriate standards, safeguards and, where necessary, the precise data handling procedures to be implemented by the service provider. It is important that compliance with these contractual obligations is monitored and enforced to ensure that they remain effective throughout the life of the arrangement. Applicable laws may change, businesses will develop and business practices may evolve over time: in each case, the contract must be considered in light of any new data processing practices or requirements.
 
Compliance and monitoring may take the form of contractual reporting obligations or rights to carry out audits and/or gain access to a vendor’s premises, staff or systems. A robust governance model and regular performance reviews can also be useful for helping to ensure that standards are consistently maintained in line with current best practice.
 
The contract should include appropriate remedies for failure to comply with data privacy and security obligations. These remedies might include service credits or other financial recompense. While monetary remedies may not necessarily mitigate the damage to reputation that an institution could ultimately suffer from a data loss incident, they can be a helpful tool for encouraging a service provider’s compliance with contractual procedures and obligations.
 
Mitigation by insurance
In essence, cyber insurance provides cover for losses and/or liabilities arising out of unauthorised access to, or use of, an organisation’s electronic information or the destruction or loss of that information. As an insurance product, cyber cover has been available for a number of years in various forms. It is a complex and evolving cover offering a number of different protections. For example, it can include cover for data liability (including personal or corporate data and outsourcing security), business or network interruption (covering losses arising out of a material interruption to an organisation’s network following a denial of service attack or network security breach), multimedia liability (covering damages and defence costs incurred in connection with a breach of third party intellectual property or negligence in connection with electronic content) and cyber extortion (covering ransom payments to third parties incurred in resolving a security threat).
 
Some elements of cyber cover may overlap with an organisation’s existing insurance coverage, for example, its crime and professional indemnity cover. However, any such overlap may be restricted and, in particular, it should be noted that business interruption resulting from unauthorised access to, or loss of, data is likely to be excluded. Nevertheless, it is important, before considering what specialist cyber cover is required, for an organisation to understand the nature of its existing cover to combat cyber threats and to then conduct a review of its business requirements to ensure that the cyber cover obtained is the most appropriate for its business.
 
Where outsourcing is undertaken by an organisation, it will be important to carry out due diligence on the extent of the cyber insurance cover held by the outsourcing company, the number of previous notifications or claims made under the cover and to monitor the extent of the cover (and the notifications and claims made under it) during regular audits. It may also be the case that an organisation’s existing cover provides an element of cover for third party contractors, for example, in relation to data breaches, and so the coverage position should be clarified at the outset before engaging the outsourcing company to ensure that there is no duplication of cover.
 
Ms Susan Dingwall is a Partner with Norton Rose Fulbright LLP and Mr Dino Wilkinson is a Partner with Norton Rose Fulbright (Middle East) LLP.