Hisham Almansoor – Associate ([email protected])
Recent years have witnessed several cyber attacks targeted against the largest and most prolific global corporations and banks and have left many vulnerable to attacks threatening one’s personal data. Against this background, there has been a significant increase in states’ efforts to combat cybercrime and online fraud. The Middle East is no exception to this phenomenon. The Kingdom of Bahrain has witnessed a sharp climb in the frequency of cyber attacks, online fraud and scams targeting individuals as opposed to corporations. The most notable of these are the BenefitPay and Aramex scams in which citizens receive fraudulent SMS messages containing links directing the customer to enter payment information, following which people have reported losing large amounts of money. In this article, we consider how Bahrain has regulated cybercrime more generally as well as IT crimes and online fraud, what criminal penalties are prescribed under the law, and how individuals may report incidents to the competent authorities.
Legal Instruments on Cybercrime & Online Fraud
On a regional level, legal systems of various MENA jurisdictions have recognized the threat of cybercrimes and online fraud as they pose wide ramifications on an individual level as well as a broader economic level if corporations have been targeted by cyberattackers and online fraudsters. The Arab Treaty on the Combatting of Information Technology Crimes (ratified in Bahrain under Law No. 2/2017) typifies the region’s commitment to imposing state-level responsibility in maintaining a secure online environment. However, to the average individual, corporations and banks operating in the country, we address the more specific laws that have been implemented to date.
Bahrain’s efforts at enacting a specific piece of legislation on IT crimes may be traced back to 2014 following the enactment of the Information Technology Crime Law (Law No. 60/2014) (the “Law”).
What cybercrimes are envisaged?
The Law recognizes three categories of IT crimes: (i) crimes against IT systems, (ii) crimes related to the ‘means of IT’, and (iii) ‘content’ crimes.
The first category of cybercrime relates to breaching an IT system, which is broadly constructed under the Law. The Law criminalizes the unlawful access of the whole or part of an IT system and prohibits the act of damaging an IT system and/or the data contained therein. It is an aggravating factor which doubles the penalty where the perpetrator causes an impediment to any public facility or public interest works, or a threat to people’s lives, security or health, or causes the alteration, corruption or deletion of an individual’s medical records. Accordingly, where the perpetrator targets a hospital, for instance, this is likely to be deemed an aggravating factor to the offence.
The second category largely mirrors the Penal Code’s (Decree Law No. 15/1976) conception of one of the fraud offences, which punishes “any person who seizes, for himself, a movable property, or obtains a document or signature thereon, cancellation or destruction thereof or amendment thereto by fraudulent means, or by assuming a false name or capacity, or who disposes of real estate or movable property knowing that such a property is not owned by him or that he has no right to dispose thereof […] ”. The Law merely grounds this offence in an IT context by criminalizing the introduction, adaptation, suspension, cancellation, deletion, destruction, alteration, or modification of the data on an IT device, or the breach of an IT system. This is deemed an aggravating factor under the Penal Code.
The third category is premised on the type of content that is being produced, obtained or shared by the perpetrator, namely pornography including child pornography.
Penalties & Criminal Sanctions
A sentence of imprisonment and/or a maximum fine of BHD Thirty Thousand may be imposed on the perpetrator who has unlawfully accessed (breached) an IT system, meanwhile as per Article 3 of the Law, an imprisonment sentence and/or a maximum fine of BHD Fifty Thousand may be imposed on the perpetrator who interrupts any public facility or public interest works, or a threat to people’s lives, security or health, or causes the alteration, corruption or deletion of an individual’s medical records. The Article 3 penalty may become life imprisonment where the breach has deliberately led to the death of a person.
This pertains to fraudulent conduct by the perpetrator and may be linked to online scams in which fraudsters assume the identity of corporations or financial institutions or breach the IT systems of the same. An imprisonment sentence and/or maximum fine of BHD One Hundred Thousand may be imposed on the perpetrator who uses encryption in order to commit or conceal any of the crimes provided for in the Law or any other law.
The content-related offences carry different penalties which become more stringent when it relates to child pornography. Where this is the case, a minimum imprisonment term of one year and/or a maximum fine of BHD Ten Thousand may be imposed on the perpetrator.
Reporting Online Fraud & Cybercrime
Bahraini law currently does not prescribe a mandatory obligation to report incidents of cybercrimes by individuals and corporations. Individuals and corporations may instead voluntarily report said incidents to the General Directorate of Anti-Corruption and Economic and Electronic Security under the Ministry of Interior Affairs. This may be done by calling the Directorate on the hotline (992), contacting the same via WhatsApp (+973 17108108) or completing a prescribed form available at https://www.acees.gov.bh/acees-form/.
CBB licensees are, however, under an obligation in accordance with Rule BR 1-1.8 of the CBB Rulebook Volume 5 to report an incident or attempt of fraud to the appropriate authorities including the CBB.
The importance of public awareness of the danger and scale of cybercrime, phishing and other online fraudulent practices cannot be understated. The CBB has been vocal about the rise of phishing and cyber attacks particularly in the wake of the COVID-19 pandemic by urging retail banks to enhance their awareness campaigns on the risks and indicators of phishing to their customers. We consolidate the key red flags to bear in mind to help spot phishing:
- Telephone and WhatsApp calls from unknown numbers;
- SMS, WhatsApp messages and emails with or without attachments from unknown senders;
- Unsecured website links (i.e. ‘http’ rather than ‘https’ URLs);
- Incorrect English usage;
- Requests to disclose personal information (financial or otherwise), or requests to update or confirm the same;
- Not respond to any calls received through smartphone apps claiming to be the bank service provider and requesting personal and banking information.
Anyone may fall victim to a scam. It is necessary to not only police cybercrimes and online fraud effectively but to instill enough public awareness to prevent acts of fraud against individuals or cyber attacks against corporations and financial institutions.
For more information, please contact us on [email protected].