When the threat comes from within: UAE courts take insider leaks seriously

Cybersecurity risks are not just limited to external hackers or organised cyberattacks. Some of the most damaging incidents originate from within an organisation. Insider threats, whether deliberate or accidental, can cause serious harm. Employees with authorised access to systems and data may misuse that access, often without triggering traditional security alerts.

This reality underscores the need to treat cybersecurity not only as a technical matter, but also a legal, operational and governance concern. A recent case in Abu Dhabi illustrates the severe consequences that can result when internal threats go unchecked.

According to court records, an employee signed a non-disclosure agreement when joining the company and was issued a corporate email account. After she resigned, her employer carried out an internal investigation, which revealed that sensitive and confidential information had been leaked, and a subsequent forensic report confirmed that the information had been sent from her email account.

The company filed a criminal complaint in the Abu Dhabi Criminal Court. The court found the employee guilty of leaking confidential information and imposed a fine of AED 30,000.

The company also filed a civil claim in the Abu Dhabi Family, Civil and Administrative Claims Court, seeking AED 50,000 in damages from the leak. The court ruled in the company’s favour and ordered the former employee to pay the amount.

Although the precise details and sequence of events remain unclear, the case highlights the serious risks posed by insider breaches, the importance of robust data protection and that UAE courts take such matters seriously. The disclosure of this information already constituted a data breach, and if it had been shared further, it could have placed the company at even greater risk from breaches of obligations it may have had to other parties in respect of confidentiality.

Insurers are increasingly requiring policyholders to demonstrate strong access controls, continuous monitoring, staff training and prompt incident response for cyber coverage.

Internal threats are often underestimated, yet they can lead to losses just as severe as those caused by external factors. Effective governance is now even more essential, not only to ensure sound risk management but also to support underwriting decisions and minimise insurers’ exposure on policies.

For directors’ and officers’ liability insurers, the case also raises concerns around potential exposure from failures in cybersecurity oversight. If boards or senior management do not implement adequate data protection measures or respond appropriately to known risks, they may face claims for breach of duty or negligence.

If you have any questions about cyber insurance or directors’ and officers’ liability insurance, please feel free to contact us.