Size of personal data leak determined in the law on turnover-based fines

The introduction of such a penalty is currently being considered by a working group at the Digital Ministry. Experts, however, consider the type of data leaked more important than the amount of data.

Companies that leak information on more than 10,000 personal data subjects, that is, citizens, will be penalized with turnover-based fines. This is the option currently being considered by the Digital Ministry’s working group that is preparing a draft law on turnover-based fines for data leaks, according to an RBC source close to the ministry and engaged in the IT industry. If the amount of data leaked is below that threshold, companies will still be penalized, but the fine will be fixed rather than turnover-based.

In April, the head of the Digital Ministry, Maksut Shadayev, proposed imposing turnover-based fines on companies that leak personal data, adding that businesses are currently more wary of reputational damage than of fines. The draft is being prepared jointly with Roskomnadzor and will not apply to state bodies, Mr. Shadayev said. It was stated that fines will not exceed 1 % of turnover. However, major IT companies argued that data breach risks remain regardless of how much a company has invested in cybersecurity and asked for the document to be softened. They proposed a three-stage system of penalties for leaks: if the data of a company’s clients or employees leak for the first time, the company should receive a simple warning; if the leak is repeated, the company should pay a large fine; after a third leak, it should pay a turnover-based fine.

In mid-July, the Digital Ministry reported that the following details of the draft were being discussed:

· Penalties will be applied in two stages: the fine for the first leak will be fixed and depend on the amount of data; if the leak is repeated, a turnover-based fine will be imposed. The limits of turnover-based penalties, that is, the maximum and minimum percentages of revenue, will be defined.

· When determining a fine, mitigating and aggravating circumstances will be taken into account. The fact that a company has made every effort to protect data will be considered a mitigating circumstance; the fact that it has concealed a data leak, an aggravating one.

· Methods will be defined for determining whether a given company is responsible for a leak, that is, whether a new leak has actually occurred or scammers are trying to pass off various previously leaked databases as a new one.

· Consideration was given to creating a special fund along the lines of the Deposit Insurance Agency. The collected fines could be allocated to this fund, from which compensation could be paid to citizens affected by leaks.

Another RBC source from the IT market says discussions around the draft’s wording continue, and the text may still change. For example, the introduction of individual criminal liability for personal data leaks was proposed on several occasions during the discussions, but “for now, it seems, the idea was abandoned.”

A representative of the Digital Ministry said that the draft law on turnover-based fines for data leaks is a work in progress and will be submitted in mid-September. “We’re seeking a compromise with business and industry. The Digital Ministry stands for toughening and increasing the responsibility for personal data leaks. However, imposing fines is not the goal. Additional responsibility, that is, turnover-based fines, will encourage businesses to invest in information security infrastructure development and personal data protection,” the representative said.

Is there really a problem?

Since late February, Russian companies have experienced several major personal data breaches. On March 1, Yandex.Eda reported that, due to the dishonest actions of one of its employees, clients’ phone numbers and information about their orders had been exposed on the Internet. On April 21, after Roskomnadzor had drawn up a protocol against Yandex.Eda, the company was fined 60,000 rubles by a magistrate at a court in the Zamoskvorechye district. Some of the clients affected by the incident also filed a class-action lawsuit against the company. The Zamoskvoretsky District Court of Moscow, however, refused to recognize the lawsuit as a class action and to allow the involvement of over 700 affected clients. This decision is now being challenged.

In late May, the Delivery Club service discovered that information on some of its clients’ orders had leaked. According to DLBI (Data Leakage & Breach Intelligence), the data of a total of 8 million clients of food delivery services have likely been exposed on the Internet since February. The Gemotest medical laboratory also experienced a major data breach: the data of 30 million clients were exposed.

Under current law, the maximum penalty for legal entities for data leaks is a fine of 500,000 rubles. In mid-July, the Digital Ministry pointed out in a statement that personal data leaks have become a serious problem. “The data that fall into the hands of attackers can become a tool of spam calls, unwanted emails, blackmail, and fraud schemes. The leaked data often provide a basis for creating fraudulent online services that attract citizens due to their simplicity and usability but eventually expose them to serious harm,” the ministry stated. It is expected that additional responsibility will “encourage businesses to invest in information security infrastructure development and personal data protection.”

According to Ashot Oganesyan, founder of DLBI, a leak that exposes the data of 10,000 subjects is a major one; it is more than enough to start talking about the operator’s systemic weaknesses in data protection, which makes a turnover-based fine justified. “However, we’ll face problems, as usual, while proving the size of the leak, since, firstly, databases are often divided into smaller parts before being sold on the black market, and secondly, the operator will claim that the data leaked as a result of several incidents, each of which exposed less information than was reported,” Mr. Oganesyan elaborated.

Alexey Lukatsky, Business Consultant on Information Security at Positive Technologies, believes that what matters is not so much the number of personal data subjects whose data leaked as the nature of the data. “It’s one thing when 10,000 names and their respective phone numbers leak; it’s a completely different thing when passport information and financial data leak. Things get even worse when information concerning minors or medical data are exposed. In other words, we should take into account not only the amount of data but also the type of data,” Mr. Lukatsky thinks.