What is a cyber security policy?
A cyber security policy is a document that specifies the vulnerable cyber assets (technology and information) that have to be protected from certain risks. Furthermore, it specifies those risks and the way of dealing with them, as well as people responsible for such protection. In other words, a cyber security policy is a statement that describes all activities towards ensuring cyber security within your organization.
Why is it important to establish a cyber security policy?
- In the current business environment, the value of information cannot be underestimated. Thus, any breach of confidential information exposes the company in violation to large penalties;
- Due to the high value of information, crimes aimed at the unlawful storage, use or transfer of that information have increased dramatically;
These two main factors combine to cause the spread of cyberattack activities.
A recent addition is the launch of the Dubai Cyber Security Strategy. It consists of four key terms, which when analyzed begin to build a picture of the future requirements of Cyber Security in Dubai and possibly the UAE as a whole:
- Cyber Smart Society: the nation is aware of the importance of cyber security and the dangers of cybercrime, and is able to manage cyber security risks across the public and private sectors;
- Innovation: inspiring developments in cyber security and the establishment of a secure and safe cyberspace;
- Cyber Resilience: arranging to ensure continuity of IT systems and availability in the cyberspace;
- National and International collaboration: the domestic and international efforts to manage cyber risks.
Therefore, at both the legislative and practical levels, companies must prepare their staff for the possible threats and how to deal with them. This means that companies will need to be steps ahead, ensuring that their security hardware and software, internal training, skill growth, internal policies, legal contracts and insurance policies are constantly advancing.
What questions have to be considered when drafting cyber security policy?
- What types of cyber-threats could your company face?
- Are effective cybersecurity procedures in place?
- Who is responsible for maintaining the security management and updating it?
- What are the risks and benefits involved in the existing/upcoming system?
- What is your responsibility to clients whose data you handle?
- What type of information can be shared, and where? GDPR is very important to consider in this respect.
- Has a response plan covering internal procedures in the event of a cyber-attack been created?
What items should be included in cyber security policy?
- Rules of working with company devices
- Standards of e-mail use
- Rules of Internet access and use of social media
- Use of sensitive data
- Possible cyberattacks, people and their responsibilities towards cyberattacks and cyber security as a whole
In the context of cyber-attacks, damage caused by the “invasion of privacy” is an increasingly important subject within the legislation. Privacy involves matters such as the sharing of information, access to information, personal data about an individual, misuse of information and much more. Therefore, organizations must have in place policies concerning employment and client care, information on how to tackle cyber-risk threats, fines, and the governing provisions detailing the actions to be taken by the organization.
Current legislation determines that cyber security laws apply to:
- UAE companies, even if they are outside of the UAE;
- Any person who has committed cybercrime against the UAE, even if they are “outside of the country”.
In addition to the above requirements, companies depending on their jurisdiction will need to take into account the following regulations and practices when drafting their policies with clients and employees.
The Federal Decree-Law No. (5) of 2012 is the main regulation dealing with the prohibition of unlawfully obtaining, disclosing or publishing information through websites or electronic means. In general, this law:
- Defines what the term ‘electronic information’ means. In this respect, it is important to remember that Cybercrime Laws apply even if the electronic information is stored on a local desktop computer or device.
- Prohibits the disclosure, publication and re-publishing of any information that was obtained by unauthorised access.
- Prohibits the use of any information technology for the invasion of privacy.
- Prohibits the use of information technology without permission to expose confidential information.
Therefore, if any information about an employee or client is needed, their consent should be obtained beforehand.
Directors and employees are subject to a duty to act in the company’s best interests and with reasonable skill and care in the performance of their duties, as provided by Federal Law No. (2) of 2015 on Commercial Companies (the UAE Commercial Companies Law). This means that the company must do its best to ensure cyber security by all legal and available means.
UAE mainland does not have any principal data protection legislation of its own, as data privacy has been addressed across separate regulations. Examples include:
- Federal Law by Decree No. 3 of 2003 regarding the Organization of the Telecommunication Sector, which deals with providing protection to all data obtained through electronic communication.
- Dubai Law No. 28 of 2015 concerning the Dubai Statistics Centre (Dubai Statistics Centre Law), which prevents the disclosure of any statistical data.
- Federal Law No. (1) of 2006 on Electronic Commerce and Transactions, which applies to electronic transactions and commerce, but not to personal matters such as marriage, divorce and wills.
- Law No. (4) of 2016 on the Dubai Economic Security Center, which concerns the disclosure of information involving state security, and the penalties for violating the confidentiality of such information.
Therefore, companies will need to analyse and apply the relevant laws on cyber security when drafting their internal policies, and make sure that the appropriate measures are undertaken. All applicable laws and regulations should be complied with so that companies can achieve an adequate level of cyber security protection.
The DIFC has its own data protection laws (the DIFC Law), while Mainland is governed by the Federal Decree-Law on Combating Cybercrimes issued in 2012. This law aims to protect companies and individuals against various existing and upcoming cybercrime attacks. Thus, the Decree lists a number of cybercrime activities together with the punishments for committing them.
As per the DIFC Companies Law, DIFC Law No. 5 of 2018, directors and employees of the company are subject to a duty to act in their organization’s best interests and to exercise reasonable care in the performance of their duties.
As per the DIFC Data Protection Law, DIFC Law No. 1/2007, data controllers must ensure that the personal data they process is handled “fairly, lawfully and securely”, or, put simply, with prior consent, in accordance with the law and with no intention of unlawfully disclosing or publishing it. The Commissioner of Data Protection must ensure employees’ professionalism and confidentiality in handling sensitive information regarding privacy and security. Furthermore, personal data can only be transferred to another person located in a jurisdiction outside the DIFC if that other jurisdiction has an adequate level of protection. The Commissioner also extends this protection to third countries as set out by the European Commission.
The Data Commissioner will investigate any breaches of data protection regarding a person subject to the DIFC’s jurisdiction.
If a data subject believes that they have been unfavourably affected by a data controller’s breach of the law, they may lodge a complaint with the commissioner.
EU GDPR Overview
Companies operating in the EU or dealing with an EU person must additionally consider GDPR (General Data Protection Regulation) requirements in their practices and policies.
Companies, regardless of where within the UAE they operate, are subject to GDPR compliance in addition to their own governing regulations. Employers and data controllers in Mainland, offshore, DIFC and all other free zones are required to act in the best interests of their clients and employees, and will be liable to pay compensation if a breach of duty is established.
Here are some GDPR checkpoints:
- Companies must take into account the data subject (the natural person about whom the data is being processed) and their personal/sensitive personal data (information that identifies such a natural person, for example name, surname, etc.). When drafting client/employment policies or contracts, it is important that consent by the parties is given in a clear manner.
- Data breaches must be disclosed within 72 hours after discovery.
- Individuals have the “right to be forgotten”: an individual can request that all personal data held on them be deleted, and that data about an employee that is inaccurate or incomplete be corrected.
- Under the GDPR, companies have one month to respond to data subject requests.
Taking into consideration the aforesaid legal regulations, it is important to include such information in employment or client policies, because it provides the parties with clear information about their ‘data rights’ and obligations. For additional information on GDPR, check out our Executive Summary here.
Therefore, an organization should aim to establish reporting protocols to follow in the event of a cyber threat or breach. By doing so, the potential risks can be managed and mitigated.
The burden on law firms is to show they have properly evaluated these risks and taken appropriate precautions. Adopting such policies will enable organizations to have a clear perspective as to who holds the data, the use of such data and what security measures are employed.