Corporate Liability in Cyber Space UAE Perspective By D. Prem Kamath, (LL.M.

.) Cyber Law Consultant & Managing Partner RAD & Partners, Legal Consultants, Dubai Email: premkamath@radnpartners.ae
www.radnpartners.ae Tel: +971 4 453 4317 Fax: +971 4 453 4316 - Jumeirah Lake Towers - HDS Towers Unit: 2032 P O. Box: 120858 - Dubai-U.A.E

What could be the scenario if a hacker has created an army of zombies by hijacking the networks of a corporate business house and uses it as a platform to launch a DDoS attack against networks of another business house/s? In such a scenario one is hit by something astonishingly new a liability suit by a company that has been devastated by a cyber-attack. Probably and most likely, companies have already been victim to such attacks exist and have probably resisted from suing the other, for being unwilling to face the embarrassment of publicly accepting the fact that their systems had been compromised, but it is only a matter of time when hacker victims commence legal action against the owners of the systems that were used as Launchpad for mounting the attack. There could be a situation of i. ii. The systems in your organization gets hacked and Your organization gets sued for damages caused by using your networks to launch the attack.

Imagine all this happening where there are no specified or codified policies, rules or regulations for a minimum level of security, which poses an important query as to Should there be a requirement that all systems connecting to the internet have a certain minimum level of security ? As far as I am concerned, the answer is a resounding YES as companies as well as individuals have a duty to be responsible Netizens. I now embark to lay out some cognate reasons as to why there must be a law, guidelines, policy and procedure for having in place a minimum amount of things a corporate will have to do while operating a computer on the internet. i. The bottom line for cyberspace is Everyone is vulnerable. There has to be a farsighted effort to draft and implement appropriate laws, rules, regulations & policies to support security in cyberspace. In a liability lawsuit, which would put on the dock, the compromised companys security, wherein the plaintiff company would have the onus to prove that the defendant company had a legal mandate to keep its network secure. The defendant company will have to convince the court that its measures on security were reasonable. But who decides what is reasonable and subjecting it to which standard or accepted practice by law?

ii.

iii.

www.radnpartners.ae Tel: +971 4 453 4317 Fax: +971 4 453 4316 - Jumeirah Lake Towers - HDS Towers Unit: 2032 P O. Box: 120858 - Dubai-U.A.E

iv.

With the ever growing bodies of security regulations, it is time that the law makers foresee a general duty to implement a certain level of security imposed by a legislation which would extend protection beyond the industry specific controls.

More so, is corroborated by the factual situation highlighted by the recent report published in the Gulf News i. ii. iii. http://gulfnews.com/news/gulf/uae/crime/police-fight-rising-swell-of-cybercrime1.1150099 http://gulfnews.com/business/technology/cybercrime-targets-banks-most-in-the-uae1.1131638 Previous article in The National http://www.thenational.ae/thenationalconversation/editorial/a-cooperative-plan-tofight-cyber-crime

Time To Become Proactive The UAE governments reinforced commitment towards combating cybercrime is clearly visible by the newly enacted law Decree (5) of 2012- catering to prevention of Information Technology Crimes. All the same we need to understand that in cyberspace, the speed of change is phenomenal; new tips of icebergs appear every day; and the trans-border nature, buries the last nail to the coffin. Hence, the need is always to be more proactive than reactive understanding the volatile nature of cyber space and evidence in cyber space. In todays times the amount of value a business can create is mostly proportionate to the amount of information that it can put into play that its competitors cant and theft of business information can eliminate most of this information differential. This means that information thefts could cause entire businesses and even entire national industries to lose the ability to survive in the global economy. If a major attack could be a spark igniting the spate of liability law suits, then appropriate law/s, rules, regulations & policies are the kindling. When standards are imposed by legislation/s implemented by the State, it would help determine whether a corporate met the standards or were negligent!
Warm Regards,

Prem Kamath

www.radnpartners.ae Tel: +971 4 453 4317 Fax: +971 4 453 4316 - Jumeirah Lake Towers - HDS Towers Unit: 2032 P O. Box: 120858 - Dubai-U.A.E