DATA PRIVACY AND PROTECTION NEWSLETTER PART II - JULY 2019

DATA PRIVACY AND PROTECTION NEWSLETTER JULY 2019 – PART II

With a growing online footprint, one is at a higher risk of privacy breach than ever before and therefore, regulatory implementation around the world is ongoing, progressing rapidly with Legislators and Regulators focusing on transforming the legal framework to include policies that support innovation, but which, simultaneously protects individuals and entities from risks associated with data and privacy breaches. Part I of KARM’s newsletter in June 2019[1] focused on the importance of data protection and the classification of data, along with an introduction to specific legislation within the United Arab Emirates (“UAE”) mainland and Free Zone areas.

This month, we elaborate further thereon with keen focus on sector specific governing legislation and further, the efforts by the policymakers to design adequate data-protection practices for the UAE, notwithstanding individual efforts of persons and entities alike to counter modern day threats within this landscape.

SECTOR SPECIFIC LEGISLATION:

HEALTHCARE SECTOR

Released earlier this year, Federal Law No. 2 of 2019 on Using IT and Telecommunications in the Healthcare Sector (the “Law”) sets out the minimum requirements for securing health data of individuals in the UAE and introduces concepts that are on par with international best practices concerning information technology and privacy laws. This law applies in respect of all services relating to healthcare, healthcare information technology, health insurance or health related services (whereby entities offer / provide services directly or indirectly relating to the healthcare sector or engage in activities involving the handling of electronic health data) whereby such entities collect, process and transfer a data subject’s health information (which is personal and sensitive personal data) including a patient name, consultation details, patient diagnosis, patient treatment, specific patient identifiers – i.e. an alpha-numerical code, common procedural technology codes, medical scan images and laboratory results. Any such entity, whether onshore or in a Free Zone area, falls within the operation of this Law.

Violators are cautioned that the Health Data Protection Law imposes cumbersome sanctions for non-compliance with this law (i.e. data breaches) may impose various sanctions upon violators, including then issuance of warnings, the cancellation of the entity’s permit to use the data management system and/or fines of up to 1 000 000 (1M) AED.

The Health Data Protection Law mirrors familiar data protection concepts, such as the requirement of purpose limitation, accuracy, security measures (to protect health data, to prevent its unauthorized processing, damage, alteration, deletion or amendment) and prior patient consent for disclosure of data. The Health Data Protection Law also provides for the establishment of a new centralised data management system (see: Malaffi[2] below, which is one form of such envisioned system, operating in Abu Dhabi only) which will be operated by the UAE Ministry of Health in order to facilitate the access, storage and exchange of a patient’s health data. Healthcare Service Providers (or Healthcare-related service providers) are required to register with the UAE Ministry of Health in order to access the centralised data management system (ensuring proper security, control etc.) and too are required identify all members of their personnel who are authorised to access the data base, subject to the Ministry’s approval.

Malaffi[3] (which translated to Arabic means: “my file”) serves as a unified health data and information exchange platform that facilitates a more patient-centric approach to healthcare provision, through the introductions of the exchange of patient medical information, in a controlled, regulated and secure manner. Malaffi assists healthcare facilities, healthcare professionals and governmental authorities across the Emirate of Abu Dhabi to access and share patient medical information (sensitive personal data) with the aim to “to deliver better healthcare quality and enhance patient safety and overall health outcomes”. Malaffi provides a digitized system with instant access to crucial patient medical information, aimed to enhance the transition of care and care coordination by medical facilities and practitioners alike, also in reducing overutilization and the duplication of (unnecessary) tests, radiology examinations and other diagnostic procedures, thereby enabling the practice of “precision medicine”. The Malaffi centralized database allows access to real-time public health information, “making syndromic surveillance and management of chronic diseases possible by identifying potential spread of disease, helping prevent epidemics and enabling the government to create medical response action plans to ensure public health and safety.” Malaffi, aims to reduce disease progression, promote improved health outcomes and, ultimately, prolong patient life, by implementing the use of AI and machine learning technology. Malaffi has, to date, onboarded entities including MediClinic Middle East, NMC Health Care, the Abu Dhabi Health Services Company SEHA (Public health provider), the Cleveland Clinic - Abu Dhabi, the Imperial College London Diabetes Centre, Healthpoint, the United Eastern Medical Services group and the Oasis Hospital (Al Ain). Malaffi is presently only operational within the Emirate of Abu Dhabi.

TELECOMMUNICATIONS SECTOR

Federal Law No. 3 of 2003 regulates the Telecommunications Sector of the UAE. This law relates to the regulated activities of: the operation of a Public Telecommunications Network or the supply of Telecommunications Services to subscribers, as well as all other types of activities specified by the Tele-communications Regulatory Authority (‘TRA’)[4] Board (the ‘Board’). The TRA is a Govern-mental entity with its primary focus on regulating this sector, with the aim to enable government entities in the field of smart transformation.

Under Federal Law by Decree Number 3 of 2003, telecommunication services include: transmitting, broadcasting, switching or receiving by means of a Telecommunications Network of any of the following: wired/wireless telecommunications; voice, music and other sounds; visual images; signals used in radio and TV broadcasting; signals used to operate or control any machinery or apparatus; the installation, maintenance, adjustment, repair, replacement, moving or removal of apparatus which is, or will be connected to a Public Telecommunications Network; the construction maintenance and operation of networks for telegraph, telephone, telex, leased circuits, domestic and international data networks, Internet and Wireless Transmission; and any other Telecommunications Services approved by the Board.[5]

Specifically related to data: The law provides that the data collected through telecommunication service shall be protected. The Consumer Protection Regulations of 2017 further provide certain rules to adhere to prohibit Licensees from using Subscriber Information for any purpose, other than interconnection. In particular, it states that data may not be used for any marketing purposes or anticompetitive practices; and that Licensees shall not require Subscribers to provide any personal information related to any other person that is not essential in relation to their service offering / subscription.

Penalties for infringements of this law could result in imprisonment and/or fines of up to AED 1,000,000.

INTERNET OF THINGS - IOT

In addition to the Federal Law No. 3 of 2003, the TRA added another framework within the telecommunications sector that embodies the crucial principles of data protection. The IoT Regulatory Policy (the “Policy”) dated 22 March 2018 and IoT Regulatory Procedures (the “Procedures”) dated 6 March 2019 establish a mandatory registration process for "IoT Service Providers" within the UAE. The Policy defines an IoT Service Provider as "any Person that provides loT Service to users”. For the purposes of the Policy and the Procedures, “Users” include individuals, businesses and the Government of the UAE. Through this framework, the TRA seeks to achieve the following objectives throughout the UAE: ensuring protection of consumer data; meeting all reasonable demands for IoT Service; supporting ongoing innovation; managing scarce resources efficiently; protecting the rights and interests of user of IoT, and providing clarity for IoT market development.

Being perceived as a step closer to the data protection regime, the framework introduces several concepts that have been considered as the ‘spine’ for several overseas data protection regulations, i.e.: the definition of “Consent”, “Personal Data”, “Data Subject” “Data Processor”, “Data Controller” derive their essence from EU’s General Data Protection Regulation, including: 1. Purpose limitation, which provides that data shall be collected for specified, explicit and legitimate purposes only and shall not further be processed in a manner that is incompatible with those purposes; 2. Data minimization: which provides that data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it was processed; 3. Storage limitation: which provides that data shall be kept in a form that permits identification of data Subjects for no longer than is necessary for the purposes for which the data is processed.

The Regulation classifies the categories of data as ‘Open’, ‘Secret’, ‘Sensitive’ and ‘Confidential’ for individuals, businesses and the Government. While the rules relating to the storage of such data for the individuals and businesses allows for some flexibility, higher standards for protection are applicable when dealing with the secret, sensitive and confidential data for the Government, and which is mandatorily to be stored within the UAE.

The Procedures supporting the Policy set forth the formal process for registration for an IoT Service. The TRA has retained a wide discretion to accept or reject any request application and has made it obligatory for the applicant/licensee and IoT Service Providers to ensure sufficiency of compliance with the entire regulatory framework. Strong emphasis on the classification of consumer data, the methods of storing and processing such data and the territory for data storage indicates TRA’s commitment to value and protect consumer data and the intention impose enhanced accountability upon the licensees and IoT Service Providers in relation to handling of the consumer data. A violation of the Policy & Procedures may result in the temporary or permanent suspension of the offending services, and any such breach would contravene the Federal Law by Decree No 3 of 2003, imposing penalties for infringements of imprisonment and/or fines of up to AED 1,000,000.

DIGITAL PAYMENTS

Stored Value Digital Payments are regulated by the Central Bank of the UAE, with the said Regulations having been published in January 2017, aimed at a robust approach to digital payments across the UAE, and to facilitate such payments in a manner so as to ensure the safety, security thereof, in addition to maintaining the public’s trust in the UAE payment ecosystem.. Licenses for Digital payment services can be issued to four (4) categories of entities digital payments services, namely: retail; micropayment; government; and non-issuing entities.

The Regulations impose data protection and privacy obligations on Payment Service Providers (PSPs) which specifically requires, inter alia that, all transactional records and user data must be stored in the UAE only (and not in a financial free zone) and for a minimum retention period. The Regulations further provide that PSPs shall not disclose any personal consumer data to third parties [barring the UAE Central Bank or by means of an Order by a Court with Competent Jurisdiction, or to another regulatory Authority (so permissioned)].

PUBLICATIONS AND PUBLISHING SECTOR:

Section 79 of Federal Law Number 15 of 1980 provides that news, photographs, comments relating to the secrets of the private or family life of individuals may not be published.^[6]

CYBER SECTOR:

Cybercrimes are offences that are committed against individuals or groups of individuals with the motive to intentionally harm the reputation of the victim, or to cause physical or mental harm, or loss, to the victim (directly or indirectly so), using modern telecommunication networks such as the Internet or mobile devices, i.e. social media, chat rooms, emails, notice boards and groups, mobile phones[7], being a non-exhaustive list. Cybercrime may threaten a person or a nation's security and financial health[8].

Article 2 of Federal Law Number 5 of 2012[9] was promulgated with the aim of combating cybercrimes within the UAE, including the criminalization of acts, such as the unauthorised access to a website, electronic information system, computer network or any information technology-related system. The law criminalises all kinds of misuse of social media, including the making of threats, impersonations, solicitations, insulting religions and/or religious rituals, slandering public officials, forging electronic official documents, sending or re-publishing pornographic materials, reproducing credit or debit card data, obtaining secret pin codes or passwords etc. – this again being a non-exhaustive list of offences. Further hereto, should any acts of cybercrimes result in the deletion, omission, destruction, disclosure, deterioration, alteration, copying, publication or re-publishing of any data or information, this shall be considered as an aggravating factor for imposition of a greater penalty, in relation to the offense.

The most severe penalties under this law concern the act(s) of running malicious software that may cause / intend to cause a network or Information Technology (IT) system to stop functioning, or which results in the crashing, deletion, omission, destruction and alteration of an IT programme, system, website, data or information. It is notable that penalties under this legislation include imprisonment (including that of a life sentence) and/or fines varying between 50,000 AED and 3 million AED, depending the severity and seriousness of the cybercrime(s).

DATA BREACHES AND CYBERCRIMES IN THE UAE

Newspaper headline reads: “Confidential data theft becoming a major threat - In one of the biggest exposures of data breaches, over 700 million email addresses and nearly 22 million passwords were reportedly compromised last month”[10] written by Alkesh Sharma of The National Newspaper[11] dated February 21, 2019.

In reiteration of an insert contained in Part one of the KARM Newsletter of June 2019, the TRA has launched the 2020 – 2025 UAE National Cyber Security Strategy[12] in the hope to enable the prompt and strategically coordinated response to cyber incidents within the UAE.[13]

Eng. Mohammad Al Zarooni, Director of the Policies and Programs Department at the TRA is quoted in saying: “Part of the strategy is that data privacy is crucial to the cyber (sic) and the UAE is regulating and drafting a data protection law. We will look at the best performing practices performed worldwide; GDPR will be one of the inputs to it. We want to make sure that whatever regulations are put, are easy to be implemented across different sectors”.[14] Mr Al Zarooni, in cautioning against the threat of impacts of deficits in cyber security, data protection and data privacy strategies is quoted in saying that: “Large organisations are impacted by the GDPR but we observed, unlike in Europe where privacy has been a topic for a very long time, in the Middle East there is a lower understanding of how privacy impacts organisations”.[15]

We, at KARM, have had the privilege of having consulted with Mr Marc Green, Senior Cyber Threat Intelligence Analyst (EMEA) on behalf of Anomali[16] whom operate globally, and locally within the UAE (Anomali Solutions with offices in Dubai). He advises that: “Working day-to-day within the cyber threat intelligence (CTI) realm, CTI classically being defined here as the process and product of collecting, processing, analyzing, and the interpretation of acquired threat information (data), provides insight of the constant risk to organizations and individuals from the ever-evolving cyber threat actor. There is a vast array of attack types and vectors which can cause operational and financial damage and the high profile incidents often make the front pages in the media. Ask any Chief Information Security Officer (CISO), or Security Operations Center (SOC) or Incident Response (IR) folks what is currently causing the most concern and you will likely hear a spectrum of answers. However, one recurring answer is likely to be ransomware. Ransomware outbreaks are repeatedly observed, both targeted and opportunistic, across all verticals and regions by financially motivated cyber threat actors, and pose a significant threat to enterprise.”

Mr Green adds that: “This concern is no different in the Middle East, with cyber security peers and those within trusted communities also relaying their efforts to continually optimize security control detection and protection strategies to mitigate newly observed techniques. As a simplistic measure, the scale of the ransomware threat is evident as we look at active observable data (domains, IPs, hashes, URLs, etc.) from the last 90 days in the Anomali ThreatStream platform[17] that shows ~460k indicators that have been marked with a “ransomware” tag from Anomali Threat Research and the wider Anomali Preferred Partner (APP) network.”

Advices offered by Mr Green: “There is established ransomware impact prevention guidance which should be considered by all:

1. Ensure you have a back-up plan for data and files which you consider important or sensitive, create and store back-up copies securely.
2. Enterprise should maintain an effective defense-in-depth posture that is aligned to satisfactory risk management principles. This will encompass, but is not limited to, the usage of asset and software inventories, robust endpoint protection, patch management, network segmentation and perimeter controls, operationalize cyber threat intelligence, finally, manage accounts and authentication mechanisms appropriately.
3. Everyone should be wary of links and attachments in emails, particularly those arriving from unknown senders or with unusual requests.
4. Stay abreast of the latest cyber threat information. One can do so by subscribing to available resources, such as the Anomali Weekly Threat Briefing[18], and actively participate in trusted industry and regional threat intel sharing communities.

REPORTED STATISTICS

In 2018, IBM & Michigan-based Ponemon Institute published study on data breach wherein they interviewed more than 2,200 IT, data protection and compliance professionals from 477 companies that have experienced a data breach in the said year. The study revealed that the average cost of data breaches in 2018 for the two biggest economies of Gulf – the UAE and Saudi Arabia – was $5.31m. The report further highlighted that the UAE and Saudi Arabia collectively spent $1.47m on post data breach response - the second-highest after the US that spent $1.76m.[19]

It is reported that the average cost globally of identifying and stopping a data breach is $2.1 million (Dh7.7m), compared to $3.5m in the Gulf Cooperation Council (GCC) region, according to US researcher Gartner.[20] It is notable that more than 300 cyber attacks were reported in 2017 in the GCC region with a minimum of half a dozen resulting in data breaches.[21]

“Compared to the global trend where personal data and payment details are the common targets of cyber attackers (66.5 percent and 18.2 percent, respectively), the majority of data breaches in the wider Middle East and North Africa (MENA) region involve trade secrets and ‘know-hows’ (38.6 percent), personal data (29.6 percent) and state secrets (25 percent), according to another study by information security group InfoWatch.”[22]

PUBLICISED DATA BREACHES IN GLOBAL JURISDICTIONS

Herewith brief examples of recent data breaches during 2018[23] and 2019, affecting global jurisdictions:

1. Capital One Financial Corporation[24]:
   On July 29, 2019 it was reported that Agents of the Federal Bureau of Investigation (FBI) arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server, allegedly that of Amazon. Capital One has said the incident affected approximately 100 million people in the United States and six million in Canada.It is further alleged that the data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers.

2. Aadhaar:
   Losses affecting 1,1 billion data subjects whereby the Indian Government, which manages the ID database “Aadhaar,” ignored repeated attempts by security researchers to secure a database leak caused by an unsecured Application Programme Interface (API) endpoint connected to a state-owned utility company. It was only after the vulnerability was publicly disclosed that the government secured the database.[25]

3. Marriott International Hotel Group:
   Losses affecting 500 million data subjects (guests). Marriott received an alert from an internal security tool about an attempt to access the Starwood guest reservation database. During the investigation, Marriott learned that there had been unauthorized access to the Starwood network since 2014, and that an unauthorized party had copied and encrypted information and had taken steps to remove it.[26]

4. Facebook:
   The Federal Trade Commission formally announced its $5 billion settlement with Facebook on Wednesday 24 July 2019, following lengthy investigations into the Cambridge Analytica scandal and other privacy breaches. The FTC alleged that Facebook had violated the law by failing to protect data from third parties, serving ads through the use of phone numbers provided for security, and lying to users that its facial recognition software was turned off by default. In order to settle those charges, Facebook has now agreed with the FTC to pay $5 billion fine.[27]

5. Fortnite[28]:
   January 16, 2019: A flaw within the online video game Fortnite has exposed players to being hacked. According to the security firm Check Point[29], who discovered the vulnerabilities, a threat actor could take over the account of any game player, view their personal account information, purchase V-bucks (in-game currency), and eavesdrop on game chatter. Fortnite has 200 million users worldwide, 80 million of whom are active each month.[30]

CONCLUSION

Education, collaboration, communication and implementation of necessary protective measures are essential for effective protection to ensure effective cyber resilience against any threat against data security and privacy.

KARM Legal Consultants are advocates for the education of persons and entities in all areas of our Practice specialization and in so doing, are proud of the development of our dedicated Data Protection Department, with broad application across the spectrum of the service offerings of our Practice. We strive to continue our efforts in the education of persons and entities in so far as Data Protection and Privacy is concerned, in addition to our professional advisory services for mandated output, both from a Technical and a Regulatory perspective, together with necessary collaboration and outsourced resources , as per the requirements of our clientele, with various associated entities.