Businesses should adopt international best practice and the strictest legal position in relation to its use of social media, whilst ensuring it is not against local laws.
The benefits of social media to a business are far reaching in their scope. Social media presents businesses with an effective marketing tool and potential to promote brand awareness in a way that is likely to be cheaper and more accessible than traditional marketing methods. It can be an important communication channel that allows businesses to share information, both internally with employees and externally with consumers and for recruitment purposes. For insurers in particular, social media provides a valuable opportunity to engage with consumers and gain market intelligence.
However, all these attractions, such as the ease of sharing information and the real-time nature of the medium, also pose significant risks. Businesses are faced with managing two strands of social media-related risks – the online persona of the business itself and the use of social media by the employees of the business. The potential for reputational damage is limitless, and privacy, data protection and data breach are all significant issues that businesses need to monitor and manage. In the highly regulated insurance sector, the risk of making improper statements or disclosing financial information is even more paramount.
The rise of social media has forced businesses to reassess their risk approach, highlighted by the fact that social media is now "ranked among the top five sources of business risk – on the same level as financial risk", according to Mr Fadi Sidani, the Partner in charge of Enterprise Risk Services, Deloitte Middle East. Social media is particularly pertinent in the Middle East, where the population is full of highly active web users. According to the Arab Social Media Report, issued by the Dubai School of Governance in November 2011, over 86% of active web users use social media to get news, information and advice on various issues. It therefore makes sense for businesses in the Middle East to tap into social media and exploit its potential; however, they need to be sophisticated and strategic in how they do so.
Legal framework
No country in the Middle East has introduced a comprehensive data protection law, although there are "pockets" of such laws, for example in the Dubai International Financial Centre and the Qatar Financial Centre. Qatar has also issued a draft Data Privacy Law for public consultation, but its introduction as law has been pending for some time. Therefore, it is the Constitution, the civil and criminal laws in each of the countries, or Shariah Law to which we turn for the general position on privacy and confidentiality, freedom of communication and penalties for any violation against it.
The UAE is probably the pioneer in the Middle East in relation to developing its "cyber laws". Further to a 2006 cyber law, the UAE recently issued Federal Law No 5 of 2012 (UAE Cyber Crime Law), which is detailed in its coverage and criminalises the disclosure of confidential information through the use of information technology obtained in the course of a person's job, without consent (Article 22).
The UAE Cyber Crime Law effectively takes what could be considered an "offline" offence and turns it into an "online" offence by prohibiting the use of information technology to defame or insult another which may subject the individual to punishment or contempt by a third party.
Furthermore, defamation or insulting a person is a criminal offence under existing UAE law (Articles 372 and 373 of UAE Federal Law No. 3 of 1987 (as amended)) or the UAE Penal Code containing provisions that deal with publicity which exposes the victim to public hatred or contempt and a false accusation that dishonours or discredits the victim in the public eye.
It is important to note that operators, publishers and owners of websites are liable and can be held accountable for offensive or illegal content posted on their websites. The UAE Cyber Crime Law prohibits any owner or operator of a website or information network from saving or providing illegal content, and the offending website or network can be shut down consequently. In some jurisdictions, such as the US and the UK, website operators can rely on the defence that they do not have "actual knowledge" of the offending user-generated content. However, it is not prudent to rely on this defence being available in the UAE, particularly in light of the cultural sensitivities and the lack of tolerance of the publication of obscene or offensive content. Websites, blogs or social media pages should therefore be effectively monitored so that any illegal content is removed immediately after it is discovered.
Social media risks
Social media can be effective in encouraging innovation whereby employees communicate with consumers via social media platforms, although this can expose businesses to significant risk if not closely controlled. A major risk of social media is the disclosure of confidential information and data protection breaches, ranging from an inadvertent posting of confidential information to an employee making disparaging comments about his employer on its own social media page. Such occurrences can have both immediate repercussions and a long-term impact on a company's success, and should not be underestimated.
Social media has made brands more vulnerable than ever; a marketing mistake or tweet from a disgruntled ex-employee can become a global hash tag phenomenon within minutes. A notable example from 2012 is McDonald's, who paid to promote their brand and engage with consumers, through the promoted trend "#mcdstories". Many Twitter users reacted to the trend by posting negative experiences about the fast food chain such that, in contrast to McDonalds' intention, the campaign inadvertently propagated a wave of negative publicity.
Furthermore, the current set of laws in most jurisdictions is aimed at governing traditional "brick and mortar" businesses, where physical presence and activities, as opposed to virtual presence, is assumed. For example, online advertising or campaigns may not have been contemplated when the advertising or marketing laws in the region were drafted. Therefore, it is always a challenge to look at the existing laws and consider legally whether they would be in breach, even though the current business activities may not be addressed or even contemplated by the laws themselves.
There is an extra challenge that comes with the no-border nature of the internet. Social media websites and hosting servers are not necessarily located in the countries where the consumer views them, which can make it difficult for authorities from an enforcement perspective. However, the local authority may take a view that it should comply with the local laws on, for example, marketing and advertising. Therefore, if a business is to use social media as a means of promoting or conducting business, multi-jurisidictional legal compliance is required. Businesses should be commercially strategic and targeted in their approach, so that they can exploit the benefits of social media while ensuring legal compliance in relation to their key markets.
Adopt international best practice
With regard to the corporate use of social media, businesses should have a social media policy in place to minimize reputational risk and vulnerability to legal issues. Such a policy should set out the business' best practice, by specifying what is and is not permitted and should be periodically reviewed and updated where necessary. In addition, any online campaign or advertising should take account of the local laws, even though such laws may not address "virtual" business presence and activities.
Businesses should also monitor employee use of social media both inside and outside of the workplace, and should ensure that social media policies are effectively communicated, so that employees are aware of the restrictions. It may also be necessary to update employment contracts and workplace policies and procedures in light of the advent and growth of social media, such as inserting appropriate confidentiality and post-termination provisions in employment contracts and updating internet and data protection policies. However, any policies and procedures should take account of the fact that employees have a reasonable expectation of privacy. A business can never be wholly immune from the risks pertaining to social media, but effective management of the risks is fundamental.
Businesses should, therefore, adopt the "international best practice" approach and the strictest legal position in relation to its use of social media for business or in relation to its employees, whilst ensuring it is not against local laws. More recently, insurers have introduced cyber liability insurance in the UAE, which has been around in the US or Europe for some time. However, businesses are still finding out about these insurance products and it remains to be seen how tailored to the regional market the product offering is.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
