Cyber security and data protection breaches: a brief comparative review

Date published: 13/02/2017

A United States intelligence report has recently confirmed that cyber hacking took place during the 2016 US presidential election in an attempt to influence the outcome. To what extent this cyber attack achieved its aim may never be known.

This incident conclusively sends an uncomfortable message to the world that no company, organisation or government is immune from cyber security and data breaches. This article reviews some of the cyber security and data breaches that have occurred in recent years and examines how certain governments, organisations and regulators are grappling with this increasing problem.

In 2016, Yahoo publicly disclosed that it had suffered a cyber attack in 2014. It was reported that the hackers were able to steal data on approximately 500 million users. This attack is believed to have affected the subsequent deal Yahoo made with Verizon, which had agreed to purchase Yahoo for USD 4.8 billion prior to the disclosure. Questions still surround why it took Yahoo so long to detect the cyber attack. Customers have reported losing sensitive data.[1]

In 2015[2] an administrator at Anthem (one of the largest health insurers in the US) noticed an unusually complex query running on the company's computer network. This prompted a check, which detected that the query was coming from outside the company. It is believed that the hackers had been operating undetected in the company's network for months. They gained access by tricking an employee into clicking on a phishing email that was disguised to look like an internal message. This exposed the personal details of over 78 million individuals who had been enrolled on insurance plans since 2004, including names, social security numbers, dates of birth and other sensitive personal data. The breach cost Anthem approximately USD 230 million in legal and consultants' fees, most of which was covered by Anthem's cyber insurance policy. Other US insurers, including Premera, BlueCross and CareFirst, announced cyber breaches affecting at least 22 million individuals in 2015.

The Saudi Aramco attack of 2012 has been described[3] as the first 'hacktivist-style' assault to use malware. The attack destroyed 30,000 computers within the Aramco network, which security researchers believe had been infected with the Shamoon malware.

The consequences faced by organisations that experience a cyber attack or a data breach can be significant. They include financial loss, regulatory investigations, reputational damage and loss of customers, to name a few. It is estimated that the cost of cyber crime in the United Arab Emirates (UAE) alone reached AED 5 billion in 2016.[4]

Some countries in the Middle East have taken steps to counter cyber risks and attacks by implementing laws that, in the first instance, criminalise the acts. For example, UAE Federal Decree-Law No. 5 of 2012 on combating cyber crimes introduces a wide range of offences and penalties. These include unauthorised access to websites, electronic systems, computer networks or information technology with the intent of altering their design or deleting and destroying information. Article 21 prohibits the publishing of news, the transfer or storage of pictures to third parties, or the transfer or disclosure of communications in violation of an individual's privacy. Conviction may result in a penalty of imprisonment for a minimum of one year and a fine of between AED 250,000 (USD 68,000) and AED 500,000 (USD 136,000).

The Electronic Commerce and Transaction Law No. 2 of 2002 in Dubai states that anyone who has obtained access to information in electronic files, documents or communications and has intentionally disclosed that information shall be liable to imprisonment and/or a fine not exceeding AED 100,000 (USD 27,000).

In Saudi Arabia, the Anti-Cyber Law of 2007 states that its aim is to 'combat cybercrimes by identifying such crimes and determining their punishment to ensure enhancement of information security, protection of rights pertaining to the legitimate use of computers and information networks, protection of public interest, morals and common values and the protection of the national economy'.[5] Several acts are prohibited and, if committed, are punishable by a term of imprisonment of between one and ten years and/or a fine of up to SAR 3 million. The Anti-Cyber Law has recently been amended to permit the naming and shaming of offenders: a court may now publish a summary of a ruling in a cyber case in one or more local newspapers.

In Oman, Royal Decree No 12/211 issuing the Cyber Crime Law provides a list of cyber crimes that carry, in extreme circumstances, a death penalty[6] 'for anyone who establishes an electronic site or transmits information on the informational network or the information technology facilities with the intent of trafficking or promotion of drugs or the psychotropic substances...'. The law also provides for punishment by imprisonment and fines for other offences.

There are no specific data protection laws in place in the UAE and many other countries in the Middle East. However, there are a number of protective provisions set out in various UAE laws that apply to the collection, processing, storage and use of personal data. For example, the UAE Penal Code[7] stipulates that an individual may be liable to a fine if, through any means of publicity, he publishes news, pictures or comments pertaining to the secrets of a person's private or family life, even if such publications are true. The Penal Code[8] also provides that an individual may be liable to a fine if, 'by reason of his profession, trade, position or art', he is entrusted with a secret and discloses that secret in cases other than those permitted by law, or uses it for his own or another person's advantage, unless the individual to whom the secret relates has consented to its disclosure or use.

In contrast to Middle Eastern countries, the European Union (EU) has taken a more comprehensive approach to data protection law with the recent introduction of the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. This will mark the introduction of new accountability obligations on organisations, stronger rights for individuals and restrictions on international data flows. There are strict obligations for any organisation that handles data about EU citizens, whether or not that organisation is located in the EU.

For the first time, the GDPR will introduce a data breach notification requirement into European law (albeit one that is only triggered if there is likely to be a high risk to the data subjects' rights and freedoms), and it imposes stricter responsibilities on organisations to demonstrate that they are adequately managing and protecting the personal data of EU citizens. Companies that work with information relating to EU citizens will have to comply with the requirements of the regulation, making the GDPR the first global data protection law.

This may in fact contribute towards companies around the world taking data protection more seriously than before. The GDPR broadens the definition of personal data to include any data that can be used to identify an individual, including genetic, mental, cultural, economic or social information. It also requires all organisations collecting data to be able to prove that they have clear, affirmative consent to process it and the ability to erase it. Service providers that touch personal data will also come under the GDPR and will need to comply with its rules. EU citizens will have the right to lodge a complaint with any data protection authority of their choice. The potential fines for breach or non-compliance with the regulation are substantial: up to EUR 20 million or 4 per cent of a corporate group's total annual turnover.

Companies are aware of the growing threat that cyber and data protection breaches pose to their businesses. In some cases companies are taking a proactive approach to these risks, including buying cyber insurance as a way of mitigating them. The cover provided by cyber insurance varies, but it can include cover for loss of information, IT systems and networks, theft of money, assistance with management of the incident, regulatory enforcement action, customer notification requirements and business interruption.

Other mitigation approaches include increased investment in cyber security technology; the introduction of employee training and awareness programmes and of distinct governance functions within an organisation; and better processes for cyber detection, including detailed scenario planning, board-level reporting and the management of cyber risks as part of business continuity and compliance requirements. Companies that have understood these risks and adapted their mitigation processes to be more holistic are more successful in protecting against, and dealing with, cyber security and data breaches.

Footnotes

1. BBC, September 2016
2. Financial Times, 2016
3. Reuters Regulatory News, 26 August 2012
4. Gulf News, 22 November 2016
5. Article 2, Anti-Cyber Law of 2007
6. Article 25, Oman Royal Decree No 12/211 (Cyber Crime Law)
7. Article 378, UAE Penal Code
8. Article 379, UAE Penal Code