Law on Corporate Espionage in the UAE

10 May 2022

Overview:

The term “espionage” often brings images of double agents and covert undercover missions to mind. This is how espionage is depicted in the movies, but in real life, it can take on many other forms. Businesses should be concerned about corporate espionage as it can affect companies of every size.

 

Corporate espionage, often referred to as industrial espionage, is the practice of gathering intelligence for financial or commercial gain. This type of espionage typically involves one organization spying on another in order to obtain information that could benefit their business or harm their competitor’s business.

Corporate espionage poses a serious threat to businesses of all sizes and in all industries, which is why it’s important to know how this activity can occur and what you can do to stop it.

We spend a lot of time talking about cyber security risks and how to best mitigate them, so it’s worth looking at what makes corporate espionage different from a typical cyber security breach. At their core, the two are the same. Gathering intelligence and cyber-attacks often both aim to steal valuable information, but espionage is arguably more nefarious and can be even more difficult to notice because it’s typically conducted by an insider. It also involves the theft of physical components or documents by transferring proprietary files to a personal storage device, taking photographs of sensitive materials, or any number of tech-savvy and not-so-tech-savvy means suppliers, employees, or business partners find necessary to get their hands on valuable information.

In 1996, the U.S. Congress officially recognized the threat posed by gathering evidence, and the economic importance of trade secrets and intellectual property, with the enactment of the Economic Espionage Act of 1996. The act is divided into two provisions, with the first directed at foreign espionage performed to benefit a government and the second directed and the most common threat: commercial theft regardless of beneficiary.

Espionage is one of the types of Cyber-attacks that have overlapping objectives of its own. In today’s world of communication, the most valuable intellectual property is electronic communication and data which also includes development and research property. This type of attack does not even come into knowledge until it appears in the market or some other company introduce declaring itself as actual developers of the product. Cyber espionage is a type of cyberattack in which an unauthorized user attempts to access sensitive or classified data or intellectual property (IP) for economic gain, competitive advantage or political reasons. Information ripe for stealing includes trade secrets (current or future products), financial data that can help competitors undercut prices or target potential acquisitions, and customer information or vendor details.

Elements of Espionage are - The knowing and willful disclosure of classified information to an unauthorized person, or its use in any manner prejudicial to the country or beneficial to any foreign government to the detriment of the prejudicial country.

 

What does it mean by Corporate Espionage?

Corporate Espionage is the unlawful theft/acquisition of intellectual property, such as key trade secret and patent information as well as industrial manufacturing techniques and processes, ideas and formulas. It is also known as Industrial Espionage, Economic Espionage or corporate spying. It is the practice conducted using techniques for commercial or financial purposes. Economic espionage is orchestrated by governments and is international in scope, while industrial or corporate espionage generally occurs between organizations.

A simple form of corporate espionage is an insider transferring trade secrets from one company to another — a disgruntled employee, for instance, or an employee who has been hired away by a competitor and takes information with them that they shouldn't. The analysis is comprised of two parts, the first of which defines the two types of espionage: covert operations and covert intelligence, distinguishing between the human and cyber variants of both.

Corporate espionage can occur in a number of different ways. Some of the most common types include:

  • Hacking into a company’s network to access sensitive information
  • Attacking a company’s website with malware or viruses
  • Using phishing or email spoofing scams to get confidential information from a company’s employees
  • A disgruntled employee stealing their employer’s sensitive information or sending it to a competitor
  • A disgruntled employee working with a competitor in order to steal or access sensitive information from their employer on the competitor’s behalf
  • An employee taking their employer’s information with them after being hired by a competitor

 

Forms of Economic and industrial espionage:

  • Acquisition of intellectual property, such as manufacturing processes or techniques, locations of production, proprietary or operational information, policies, prospective bids, planning or marketing strategies.
  • Theft of trade secrets, bribery, blackmail or technological surveillance with different types of malware

 

A number of techniques that fall under the umbrella of industrial espionage are:

  • Trespassing onto a competitor's property or accessing their files without permission;
  • Posing as a competitor's employee in order to learn company trade secrets or other confidential information;
  • Wiretapping a competitor;
  • Hacking into a competitor's computers;
  • Attacking a competitor's website with malware.

 

Industrial and economic espionage is commonly associated with high-tech industries such as:

  • Computer software
  • Hardware
  • Biotechnology
  • Aerospace
  • Telecommunications
  • Transportation and engine technology
  • Automobiles
    • Machine tools
    • Energy
    • Materials
    • Coatings.

 

Then there's competitive intelligence— which is, to put it in infosec terms, the white hat hacking of corporate espionage. Competitive Intelligence is the continuous process of monitoring a firm's industry or market to identify current and future competitors, their current and announced activities, how their actions will affect the firm, and how to respond.  Competitive intelligence companies say they are legal and above board, and gather and analyze information that's largely public that will affect their clients' fortunes: mergers and acquisitions, new government regulations, chatter on blogs and social media, and so forth. They might research the background of a rival executive — not to dig up dirt, they say, but to try to understand their motivations and predict their behaviour. That's the theory, anyway, though sometimes, as we'll see, the line separating these operators from criminality can be thin. It's also worth noting here that not all corporate espionage involves private businesses gathering intelligence on other private businesses.

It's not illegal to obtain information about competitors via legal means, even if those means are secretive or deceptive. For instance, you can send "secret shoppers" into a rival's store to see how they do business or hire a private investigator to lurk around a trade show and see what they can overhear. In general, acquiring trade secrets (commercial secrets that have monetary value to the businesses that own them) without the consent of their owners is against the law.

However, it's important to note that not every case of corporate espionage merits criminal prosecution, the factors include:

  • The scope of the criminal activity, including evidence of involvement by a foreign government, foreign agent, or foreign instrumentality;
  • The degree of economic injury to the trade secret owner;
  • The type of trade secret misappropriated;
  • The effectiveness of available civil remedies;
  • The potential deterrent value of the prosecution.

 

Instances of Corporate Espionage has been seen in the early 1700s when a French Jesuit missionary in China sent detailed porcelain manufacturing information back to France. In the 1800s, the British East India Co. hired Robert Fortune, a Scottish botanist, to travel to China and smuggle tea to help India gain a competitive edge in the tea market. And in 2018 and 2019, two Apple Ic. engineers were accused of stealing valuable trade secrets (photos and electronic files) related to Apple’s autonomous car program, Project Titan. In the Apple example mentioned above, both of the accused were Apple employees, both had access to one of the company’s most guarded projects, and both used this access to take information for use outside the company covertly

Just as business has changed along with the technology, we use daily, so too have the methods of spying. But the essence of corporate espionage–known also as industrial or economic espionage–remains unchanged. The entire process still involves someone taking a major risk and getting their hands dirty, and the goal remains the same: find a company’s valuable trade secrets and share them with a rival in the interest of making money, seeking revenge, and decreasing a company’s competitive advantage.

The Telecommunications Regulatory Authority (TRA) affirmed that the legal and regulatory framework in the UAE strictly prohibits espionage in any of its forms, stressing that any of these acts is regarded as a crime that is punishable under the applicable laws and that it imposes strict standards to protect the privacy of users.

The UAE is committed to encouraging the appropriate investment environment to support entrepreneurship and innovation in various fields. The country is also seeking to adopt and support the latest technologies such as the 5G, blockchain and Internet of Things and artificial intelligence applications.

The perception of cybercrime is changing earlier it was perceived as an external threat. Organizations are now understanding the risk as internal implicating the IT department because IT personnel are quite adept at using the system and the skills required to ‘misuse’ it. IT personnel might have 'super 29 user' access, which gives them extra administrative rights to access systems and the ability to delete audit trails, making it harder to detect their wrongdoing. Along with financial costs, it also includes other commercial costs and consequences such as business disruption, insiders’ wrong practices, and the reputation of the company.

Just because an act doesn't merit prosecution doesn't make it legal, and violations can serve as the basis for lawsuits in civil court. Many states in different countries have their own laws about corporate espionage that are stricter than federal law {the Hewlett-Packard "pretexting" case (more on which in a moment) involved conduct that wasn't illegal under U.S. federal law but was in California, and resulted in a $14 million fine}.

       One of the truths about corporate espionage is that most cases go unreported, even if the victims learn about it. That's because the harm to the victim's reputation if it's revealed that they haven't done their security due diligence, may outweigh the benefit of taking legal action against their attacker. Nevertheless, there have been many high-profile cases of corporate espionage, particularly in the tech industry, where ideas and code are all-important and easily pasted into an email.

       It is not illegal to spy on a private company as long as the information is obtained by legal means. However, acquiring trade secrets without the consent of the intellectual property holder is generally against the law.

It is difficult to convict an offender due to the divergence of laws among other countries because the nature of the internet creates a question of jurisdiction about from where the offence is committed and initiated every part of the world is connected over the internet and someone sitting in one part of the world can assault target the globe. The laws differ from country to country and it is difficult to arrest the attacker if he initiated the offence from a different country and its difficult to punish the offender if that country’s law is different in a given situation. 

Standard law should provide protection against cybercrime acts and safeguard the information, national infrastructure and the rights of individual property. A convention on cyber law was commissioned by UAE as a signatory which agreed to inaugurate the convention. Later jurisdiction decided to implement new law after seeing the growth in cybercrime across the world where offenders were easily escaping after committing the offence. Hence eventually the jurisdiction was formed to implement a law to monitor such acts. Thereby US and UK have implemented a common-law and others are following suit. 

After UAE introduced the cyber-law for other vulnerabilities caused to the national infrastructure, damage to the premises or theft, this criminality was focused on the law. Apart from this, they have no right to access unauthorized systems or data. If access is achieved to the intruder, they can destruct the data or can create a denial of service.

 

Legalities with which UAE is handling Corporate Espionage:

The ways in which the UAE is currently tackling instances of cybercrimes have been laid down below:-

  • The telecom regulatory authority (TRA) actively monitors the information and content available online and takes prohibitory measures for content that is malicious in nature.
  • TRA also initiates curbing measures against unlicensed VoIP service providers, including illegal websites.
  • The licensing telecom service providers in the UAE such as ‘Du’ and ‘Etisalat’, also take prohibitory measures to block online content based on complaints received for abusive or defamatory aspects.
  • UAE authorities often take stringent legal action against unauthorized websites after verifying the validity and seriousness of each cyber complaint. Stringent penalties are imposed depending on the veracity of the act;
  • For example, An act of IP address forgery can be punished with imprisonment of up to three years and a fine of up to AED 500,000.
  • Privacy violations, whether it is illegal hacking and obtaining private pictures or other reformation, are very strictly punished.
  • Acts of forgery can be punished with fines ranging from AED 100,000 to up to 300,00, and if such an act is committed against the government, then the penalties can be up to AED 1 million in fines and imprisonment sentence.
  • Acts of cyber hacking against banks in order to obtain illegal data concerning banking accounts and card information can be punished with huge fines of up to AED 1 million and also with imprisonment.

UAE is one of the emerging economies of the world, and there is an urgent need to have cyber-security measures implemented in the country. Even though the western world is contributing to developing cyber security in the UAE, still UAE is fairly a young and fast-growing economy that is presently on its way to upgrading its cybercrime laws to protect the interests of the people and also of the companies.

The UAE is committed to encouraging an appropriate investment environment to support entrepreneurship and innovation, the TRA said. The country is also seeking to adopt and support technologies such as 5G, blockchain, Internet of Things and artificial intelligence for the safety and security of the country.