Data Privacy, Cyber Security, and GCC Countries

President Obama’s recent Executive Order No. 13636, issued February 12, 2013, places data privacy and cyber security as lead initiatives for critical infrastructure sectors, such as financial services, health services, and energy. Data privacy and cyber security are hot topics globally. In the U.S., data privacy and cyber security regulations are challenging and vast. The EU has stringent privacy laws as well. Today, nearly every industry sector is touched by data privacy regulations, threats, and demands, and is therefore also liable for breaches or other non-compliance when things go awry.

Many companies fail to routinely audit their compliance situation or Information Technology operations. Many do not have a breach or notification plan in place. Further, high-level executives and boards often fail to review cyber security, privacy, and risk management as part of corporate good governance operations or policies. Because financial services and energy are two prime critical infrastructure sectors that attackers target, Gulf Cooperation Council (GCC) countries and those companies operating in the region are particularly vulnerable. A Gulf Business Machine (GBM) survey of regional IT professionals revealed that 35 percent of all cyber crime and breaches were from the result of an organization’s own internal employees. Social media was noted as a primary source for attack. Other attacks come from external hackers. In 2012, hackers linked to the government of Iran attacked data and disabled 30,000 computers, thereby causing millions in damages at Aramco

In the U.S., civil and criminal liability is on the rise as class actions have mounted for breaches involving Personally Identifiable Information (PII). State and federal investigations and prosecutions are on the rise for noncompliance in nearly every industry, including financial services, health services, manufacturing, and energy. Energy companies and financial institutions are particularly vulnerable for cyber attacks, and the targets may vary from customer information to company secrets. Energy companies are routinely targeted by insiders, foreign governments, organized crime, or competitors seeking corporate secrets and intelligence, control over critical industrial control systems, or other data or intellectual property. The most widely known attack against U.S. oil and gas companies was by China through use of its Night Dragon. Night Dragon was launched to steal confidential information from major U.S. energy companies, of whom at least one company said it was not aware of any successful attacks.

Because the energy and financial sectors are prime targets for data and cyber attacks, a strong compliance program and breach plan is crucial to prevention, mitigation of losses, and protection of a company’s reputation. Billions of dollar a year are routinely lost by companies simply in stolen intellectual property. Mitigating exposure to liability as a result of data security breaches can save millions per year in lost assets or reputation, intellectual property, customer information, fines, or other damages. The risks are even direr for energy companies where an attack could result in an oil spill or other environmental damage, prolonged power outages, and loss of life.

Threats and attacks from outside hackers are usually what comes to mind when one thinks of data and cyber protection, however, what most are not aware of is that the bulk of threats actually come from inside a company by either disgruntled employees, poorly trained employees, poor compliance controls, poor oversight of employees with access to sensitive information, and employees who are interested in selling competitive corporate intelligence for whatever reason. The actual amount of breaches and other cyber crime by insiders is actually much higher than the GBM survey, and most incidents are unreported, confidential, or undiscovered.

Information technology personnel cannot front the risks alone and are not equipped to conduct assessments and analysis as are regulatory attorneys. Even the best IT personnel and management need legal guidance and assistance with investigating breaches and attacks. Legal representation at every level of compliance activities and investigation is the best insurance to successful mitigation and management of risks. It is imperative that outside counsel be involved in routine audits and assessments of compliance review and development, training, and in development of a solid breach plan. Cyber and privacy insurance rarely covers liability or damages for breaches in all scenarios. Compliance will always remain cheaper than the losses a company may suffer in stolen property or loss of reputation.

Teresa N. Taylor is Of Counsel at Akrivis Law Group, PLLC in Washington and is an Adjunct Faculty member at Georgetown University Law Center.  Her professional biography is available here.

Farhad Alavi Quoted in Abu Dhabi’s The National

I was quoted in Abu Dhabi-based The National, the leading English-language daily, with quotes in the United Arab Emirates on Wednesday, July 3. More specifically, the quotes are in two articles addressing the latest round of U.S. sanctions that went into effect against Iran on July 1 and their impact on trade between the UAE and Iran.

The two articles are and can be accessed by clicking the below links.

(1) UAE businesses to feel effect of fresh US sanctions on Iran
(2) Is trade with Iran worth the risk for UAE companies?

Anti-Corruption in the GCC – Where is Compliance Headed?

Dubai-based Gulf Business published an short interview with Imelda Dunlop of the Pearl Initiative and Michael Adlem of Ernst & Young in the UAE regarding the spread of Anti-Corruption measures in the Persian Gulf region.  For me, the fact that such a topic was getting press and the content of the interview itself presented a significant milestone of sorts.  Working on sanctions compliance and fielding calls and clients alike in that part of the world, it’s very necessary to keep a finger on the region’s pulse when it comes to matters regarding trade and anti-corruption.  As such, I see that the arguments made forth by the two interviewees made sense.  Surely, the importance of compliance is rising.

It is unclear if strict local laws will be adopted.  Until then the de facto standards for trade compliance may likely be guided by US and UK benchmarks. With respect to US practices, the need for robust compliance programs on sanctions, export controls, anti-money laundering, and foreign corrupt practices is increasingly recognized.  Gulf operations of US companies often do not work in a vacuum, and with the imposition of secondary sanctions and wide-ranging grounds for jurisdiction of US law, the issue is becoming more tangible.

For American companies, the significance is quite clear – even many companies that have little business in the Gulf may use that region as a transit point for Africa, other points in MENA and South Asia. For local companies, as the Gulf Business interview hints, going global is increasingly on the minds of some. As such, compliance programs featuring preemptive measures (such as screening and reporting procedures) will be increasingly commonplace.

In the realm of sanctions, the impact is very much evident. On my most recent visit to the UAE earlier this year, my general impression was that the topic was much more salient than it was when I first started going to the region years ago.

New Legal Frontiers as GCC Health Care Infrastructure Expands

As I have alluded on this blog before, the GCC states are pouring more and more money into health care infrastructure. It was only a matter of time before medical tourism became high on these countries’ agenda, and now plans are increasingly starting to take shape. There has been much in the news for the past years over the Cleveland Clinic Abu Dhabi which will soon be opened.  But this center will have an increasing number of competitors in the market, with a slate of new facilities being introduced such as the new AED 3 billion Rashid Hospital development in Dubai which was announced in recent days..  What are the legal and business challenges to this new landscape for those seeking to take their wares into the region?

Here are two critical factors that come into mind for those who manufacture medical technologies seeking to sell in the region.

1. Exclusivity of Technologies and Brand Penetration. In a relatively small region flush with cash, it is to be expected that there is a high probability that there will be an overlap or redundancy of technologies and services.  Companies bringing in foreign technologies (such as advanced medical devices) into the GCC may feel compelled to demand exclusivity rights for whatever they import, particularly pricey technologies that require high margins to be viable. For the foreign manufacturer or seller, the question becomes – if you have one bite at the apple (meaning the market) you should surely make sure your contract enables you to get out of a contract if the local partner is not up to par.  Establishing benchmarks for sales, etc. can be one way to do this.

2. Service and Parts.  Manufacturers and distributors should be very cautious to ensure that their equipment is serviced adequately. Otherwise, the probability of legal issues regarding warranties, etc. can be come problematic.  Having trained local technicians can be a good first step – if you simply have a service arrangement with a local company, the chances of poor repair may increase, and this can increase liability, not to mention diminish the appeal of the product.

These are only a sampling of concerns that one may have. As with entering any market, healthcare is dicey and the MENA / GCC regions bring their own unique concerns.

 

Exchanges and Banking: Will Istanbul Become a Global Finance Center?

Turkey’s goal of positioning Istanbul as a major global financial center is no secret. The government has long planned to move the Turkish Central Bank there. Now there is talk of the soon to be consolidated exchanges of Istanbul (Bourse Istanbul) to work in some type of partnership Levent, Istanbulwith the NASD or the London Stock Exchange. Turkey’s economy has been largely robust in recent years and the country is becoming much more noticed. The question, is, dovetailing on the previous post of Abu Dhabi’s new planned zone, how many new financial nerve centers can the MENA region (and more broadly Asia) handle?

The Dubai International Financial Centre (DIFC), established almost a decade ago, has become a critical piece in the city’s aspiration to become a major banking, tourism, and knowledge hub, parallel to a track Singapore is on (albeit at perhaps a more advanced stage) in East Asia. Abu Dhabi is now seeking to establish its own zone in Al Maryah island. This is not to mention the Qatar Financial Centre (QFC) in Doha. 

To be fair, Istanbul can occupy a very different niche than many of the Gulf countries. Being centrally located between Europe and Asia, it is a gateway not only to the Middle East, but also Central Asia and Eastern Europe. Istanbul is becoming a transport hub in its own right.  It is much closer to western Europe than the GCC hubs (and certainly Singapore) and has an arguably solid industry. Further, Istanbul is one of the world’s largest cities, so it’s more than a financial free zone.

The question is whether Istanbul has the other critical factors necessary to attract international finance the way London, Singapore and even the DIFC have been able to. This requires a few critical traits, such as: 

1. Well-developed laws regulating financial services.  Turkey has done much along the line of legal reform, but it is hard to develop robust financial regulations that allow transactions to take place but at the same time ensure regulation is not overlooked and protections endure. 

2. Well-developed dispute resolution systems and quality judges and arbitrators. Arbitrators do travel, judges generally do not. Does the judicial system of Istanbul and more broadly Turkey have the sophistication to handle major international banking and business disputes?

3. English. While English is generally spoken by many of Istanbul’s smart set, it needs to become more pervasive for it to become a hospitable center for expatriates and foreign investors. Otherwise it will remain in some part regional. 

Many out there will attest to Turkey being a junior “BRIC” (Brazil, Russia, India, China) state, and its economy holds much promise. It will be interesting to see how the development goes forward.

A New Financial Free Zone in Abu Dhabi?

I spotted an article today that stated that Abu Dhabi plans on creating a new financial free zone. The Abu Dhabi World Financial Market, created based on UAE Federal Decree No. 15 of 2013 will be located at Al Maryah (also known as Sowwah Island, the new Wall Street of Abu Dhabi). Among the benefits are reportedly 100% foreign ownership. The whole notion begs the question – how will another financial free zone fare in the GCC?

The Dubai International Financial Centre (DIFC) was opened in 2004 with much fanfare. It was soon thereafter followed by the Qatar Financial Centre (QFC). Part of what has made the DIFC a success has been the adoption of comparatively sophisticated laws based on English law. In fact the zone, which houses everything from banks to law firms to consultancies (as well as some great restaurants) is a city or even country within Dubai. 

As one person quoted in the Reuters article aptly points out, a niche will be critical for Abu Dhabi’s financial zone. Abu Dhabi is rich and the presence of sovereign wealth funds (SWFs) like the Abu Dhabi Investment Authority (ADIA) and other quasi-governmental giants like Mubadala will certain help foster some modicum of growth. But what will the Abu Dhabi zone specialize in?

For now, it appears unclear. There is little out there on this new free zone and accordingly details are scant. It will, however, be critical to keep on the lookout to the particulars of this very noteworthy project. 

 

Expanding Horizons for US-Turkey Trade?

It was announced this week that Turkey’s Economy Minister has proposed the upcoming creation of a working group for a US-Turkey Free Trade Agreement (FTA). This overlapped a visit to Washington by a Turkish delegation which included a US Chamber of Commerce hosted event in honor of Turkish Deputy Prime Minister Ali Babacan on Wednesday. The recurring theme in that event by seemingly all the speakers was the need to expand US-Turkish bilateral trade. Certain indicators albeit perhaps anecdotal can lead one to think that this relationship will only grow over time.

Most measures indicate that Turkey’s economy has been booming in the past decade.  Indeed, it is now the world’s 17th largest. According to the US Trade Representative’s Office, US exports to Turkey increased 38% in 2012 alone, and the general figure is 292% from 2000. However, anybody who visits Turkey will likely notice that US commercial penetration is probably not where it should be and Turkey’s business footprint in the US is still somewhat faint. More can clearly be done.

As Turkey works to expand its economic influence throughout the globe, it is only natural that trade with the United States will increase.  Furthermore, it is to be expected that US interest in Turkish trade will also expand as Turkey will become a more critical regional and global player.  Given Turkey’s goal of becoming a top 10 economic power by 2023, Turkey and the US may find their economic ties increasingly indispensable and needing of expansion.

Sanctions Prosecutions Abound in US

A review of federal court dockets throughout the United States highlights a general trend – the U.S. Department of Justice is bringing forth numerous criminal cases against individuals and entities which have traded with Iran in vioation of the US embargo against that country. Here are a few pending cases:

US v. Tehrani. This is an indictment from the Eastern District of Wisconsin. Mostafa Saberi Tehrani was indicted for violations of 18 USC §371 (Conspiracy to Commit Offense or to Defraud United States), 50 USC §§ 1702 and 1705 (part of the International Emergency Economic Powers Act, known more commonly as IEEPA) and 31 CFR §§ 560.203 and 560.204 (part of the Iranian Transactions and Sanctions Act or ITSR, which is implemented under IEEPA authority). The facts behind this case are not clear, but it is clear that the charges are violation of US sanctions laws.

US v. Sarvestani. This case is out of the Southern District of New York. Seyed Amin Ghorashi Sarvestani and his companies have been charged with exporting sensitive satellite-related equipment to Iran over the span of 7 years.

US v. Saboonchi. Ali Saboonchi and Arash Rashti Mohammad were indicted in the Southern District of Maryland last month for, again, conspiracy to violate the IEEPA. This case, like others, involves the use of exportation of goods to the United Arab Emirates (UAE) as a transit point for reexport to Iran. Examples of the goods in this case are as cyclone separators (used in oil refining processes) and thermocouples (used to measure oil and gas temperatures). Rashti Mohammad was based in the UAE and the two conspired to create Saboonchi’s company, Ace Electric Company to sell the prohibited goods through the UAE to buyers in Iran.

The list really goes on. What is interesting is that these cases dovetail a story last summer involving an Iranian-American lady who, along with her tourist uncle was denied the sale of an Apple iPad allegedly due to their speaking Persian (see this article on the BBC website fom last June, where I was quoted) . The theory posited for the Apple employee’s decision was that it would be a violation of export control laws if Apple knowingly sold the device to somebody who the company had reason to know would take the product to Iran. Export controls apply to many products that have so-called “dual use,” in other words both civilian and military use. These can include computers, certain industrial parts, etc.

The above cases highlight two key themes – first, obviously that the Department of Justice is pursuing trade violation cases, particularly with sensitive goods. Also, it highlights something those in the compliance industry have known for a long time – the illegality of the use of third countries as reexport points. Dubai in particular has been a focus of US authorities as it is considered a reexport point to many sensitive jurisdictions, Iran among them. Sending goods to a third country does not legitimize an illegal export. It is sufficient that one merely have reason to know that the goods will be exported to the prohibited destination.

Coming to America: What to Know When Investing in the US

With all the news of south-south trade and the increasing shift in the Middle East business scene’s focus towards Asia, some would say the United States is becoming a less appealing investment market for MENA family businesses and individual investors. For sure, taxes, complicated laws and regulations, and even distance can discourage some from investing.  However, there is strength in stability and stability is a major part of the United States’ value proposition. So, if you have decided to take the plunge and invest your money in a business or property in the United States, here are some basics to consider:

1. Make sure you create the right legal entity.  Companies are created at the state leval, but they are generally taxed at the federal level as well.  The US’ federal tax administrator, the Internal Revenue Service (IRS), maintains strict definitions on different types of entities (even those abroad) so it is essential that you set up an entity that gives you the tax treatment you need and qualify for. Broadly, there are corporations, which have shareholders, and then “pass-through” entities that are generally taxed only at the personal member  level. Examples include limited liability companies (LLCs), an increasingly popular option since their inception decades ago. Tax treatment is critical and a tax specialist can be an invaluable asset.

2. Know the Immigration Laws. It is not uncommon for foreign workers, particularly executives to come into the GCC region as tourists to work on short assignments, meaning they do not procure work visas. This is frowned upon in the United States. There are multiple types of business-related visas, from the B-visa to the H-visa to the L-visa. Make sure you have the right type – consult with an immigration law expert. If you are a private investor, make sure you pick the right vehicle for yourself – there are business visas such as the E-2 and EB5, the latter which can result in US Permanent Residency (or Green Card). Speaking of which, you may know that having a Green Card can make you subject to US taxation even on foreign income, right?

3. Document Everything. There are many reasons (including the strict tax laws) that effectively require you to keep very organized records as well as solid contracts. Litigation here is common, and it is critical that contracts be used and that they be drafted clearly, regardless of the size. If you are franchising or licensing your brand to a US company make sure the contract is tight and inclusive. 

4. Don’t forget your Intellectual Property Rights. This is critical if you have not considered it already, but you may find that registering your logo, trademarks, and other intellectual property will be critical to maintaining your branding.  This is especially important if you are granting a license or a franchise (even if you own the brand back home!). 

5. Various Other Regulations. Depending on your business, you may need to consider other issues beyond corporate, tax, and immigration law. Whether it’s environmental regulations or US trade compliance (such as Customs laws for bringing goods into the country or sanctions laws) it is critical to be in compliance as fines can be hefty.

Investing the United States offers unique opportunities still not seen in many places in the world. However, as with other more mature economies, it is generally very heavy on laws and regulations.  Being able to navigate the waters is challenging, but some help it will not be so hard and may be rewarding.

Legal Takeaways from Gulfood 2013

Last week I attended Gulfood, an annual event in Dubai where food (and food service equipment) processors and exporters gather to show their wares to businesses from around the world.  This year’s was supposedly the largest and it was truly gargantuan by any measure.  The global nature of the exhibit was impressive, highlighting among many things the increasing trend of south-south trade. Stands in pavilions from the United States, France, South Africa, Iran, Tunisia, and China among others competed for visitors.  What was particularly striking was the truly global nature of the world food industry, especially to those of us from the United States, where imported foods largely remain a luxury. It almost seems as if every country produces soft drinks, potato chips, and biscuits.

From a legal angle, Gulfood highlighted several key concerns – elements that were more highlighted when speaking to some of the people at the trade stands.

1. Everybody wants to trade but not everyone knows what that really means.  My continual observation was affirmed – businesses are often unsophisticated.  Even business people who have traveled across the world to attend a food show often do not really know the ins and outs of international business in their industry.  Simply wanting to “sell” your products is very unclear. Do you even know all the legal structures? Here are some to think about:

  • Exporting to a direct buyer/end-user
  • Appointing an agent overseas who will find buyers
  • Exporting to a local distributor who will sell locally
  • Licensing production and marketing of the product overseas by a foreign party

2. Too much emphasis on getting a deal but little thought to negotiating a solid deal that protects and envisions contingencies. It’s amazing how many of these business people brush aside (or fail to consider) the probability that problems can arise. You can face difficulty when doing business with your next door neighbor, much moreso with a company overseas that is likely operating under a different legal regime and business culture.

Some things to keep in mind:

  • Do you have a contract in place? 
  • How are you going to get paid?
  • What happens if you don’t get paid?
  • Can the foreign counterparty use your logo in its brochures and ads? If so, when and where? What if it uses your brochure on something unrelated or abuses your trademarks and content?
  • What if your foreign distributor underperforms?
  • Can you sue your foreign counterparty? If so, where do you want to sue? A local court where the proceedings are not in English?
  • Do you have a way to secure yourself from a default? 

Doing business overseas is truly an exciting proposition. However, as the above short summary illustrates, it’s best to go in informed and to be familiar with the legal concerns. You may not necessarily want to address every contingency but you should make sure the critical issues are foreseen and papered. Better to plan a way out ahead of time than to try to navigate through a nightmare scenario after the fact. A little bit of planning can help tremendously. 

 

 

 

A review of MENA Region Legal and Business Affairs.