Translated by
2020/01/29 10:33:35

Personal data protection in Russia



Normative regulation

Security requirements of personal data are regulated by laws:

  • Law on personal data No. 152-FZ,
  • 149 ("About information"),
  • 249 ("About protection of the rights of legal entities and individual entrepreneurs at implementation of the state control (supervision) and municipal control").
  • Article 26 of the law "About Banks and Banking Activity" - According to Article 26 of the law "About Banks and Banking Activity" information on transactions, accounts and deposits of clients and correspondents belongs to a bank secrecy. By the Russian legislation the credit institution guarantees the secrecy of the bank account and a bank deposit, account transactions and the information about the client.

Since September 1, 2015 in Russia became effective the provision designated by law FZ-242 which obliges to process and store personal data operators personal data of Russians using the databases placed in the territory of the Russian Federation. Because the separate terms and formulations used in this provision allow different interpretation, the Ministry of Telecom and Mass Communications prepared explanations for it. The list of explanations is available according to the link.

Chronology of events

2020: In Russia the new protocol of safe exchange of personal data is drafted

NPK "Kriptonit" reported on June 29, 2020 to TAdviser that her scientists and specialists drafted the protocol of security "X". This protocol of security will allow to transfer personal data from the user to service only in the form of the ciphered data packet — "blob" (from engl. Binary Large Object, BLOB is an array of binary data). Each blob can be checked and certified by the inspector of personal data who confirmed information on the user. The state body (for example, tax administration or the pension fund) or commercial structure can act as the inspector, for example, (for example, bank or insurance company). Read more here.


2019: Personal data protection causes concern in business

On January 17, 2020 it became known that most often the Russian business faces spam. It was noted in survey conducted by Eset, 65% of respondents. On the second place – the malware, 47%. 22% of respondents reported that their companies became the victims of phishing attacks, 21% suffered from DDoS attacks and 35% - from coders. 54% of respondents are concerned by security of bases of contacts, the information about clients and partners, 55% consider that financial information needs special protection. Read more here.


the Maximum amount of damage on the case of information leak made 14 million rubles

On January 28, 2020 it became known that the expert analytical center InfoWatch Group published the first report on judicial practice on the affairs connected with information leaks of limited access. The research was conducted for the purpose of identification of the main and most obvious problems of law enforcement in the field of data protection. According to results of a research, every fourth case comes to an end with removal real or probation, and the maximum amount of damage on the case of information leak confirmed with the decision of Russian court in 2018 makes 14 million rubles.

As it was reported, a considerable part of cases on leaks of confidential information, was considered by rules of criminal proceedings (69.1%). However, only as a result of consideration less than 5% of all affairs the court appointed to the violator the real term of the conclusion. About another 21% of affairs were completed with probations, and in more than 30% of cases different types of penalties are taken out. Every fourth case leads only to dismissal of the violator. Only 8.6% of affairs were stopped behind reconciliation of the parties.

Abuse of access to confidential information represents more than a half of sudoproizvodstvo (59.5%). The second and third place is taken by disclosure and illegal access (24.5% and 16% respectively). The main motives of implementation of criminal acts are the self-interest (83.6%) and revenge (16.4%). More than 70% of leaks which formed the basis of judicial proceedings happened because of wrongful acts of staff of commercial and non-profit organizations and only 20% of leaks happened as a result of actions of external malefactors.

Distribution of information leaks
The striking example of unauthorized use of confidential information can be considered different fraudulent activity of staff of cellular shops. Managers of cellular retail do not hesitate to sell client information, to render illegal services in rerelease of SIM cards, sale of "beautiful" numbers, etc. It is connected with the fact that rather free access to client information along with softness of the imposed sentence actually gives carte blanche on wrongful acts. The same can be told about employees of the financial and credit sphere, divisions of mail operators, other organizations connected with service of cash flow and personal data processing.

Andrey Arsentyev, the head of the analytical department and special projects of InfoWatch Group told

According to analysts, basic reasons for "primitive" abuses in cellular retail and client offices of banks are the low wage of ordinary personnel, information illiteracy and shortcomings of work of Information Security Services.

About 1/3 all cases of the leaks of confidential information considered by courts are the share of the hi-tech companies (IT, cybersecurity, a telecom, integration, etc.). The considerable share in legal cases about leaks is occupied by violations in the industrial and transport organizations – 14.1%. It was mentioned that in the hi-tech companies the share of the cases considered by rules of criminal proceedings makes 96%.

Universal types of the compromised information for all industries can be considered the personal data and data which are a trade secret (64.6%). They it is expected prevail in distribution of leaks by data type.

Authors of a research note that judicial practice on cases of information leaks develops rather for benefit of owners of information, than on the contrary. For January, 2020 the main problems are caused by inconsistency between the regulatory and guarding legislation. It is result of quickly developing information environment behind which the guarding legislation is not in time.

The reason for most of which often cases of date leaks are considered by rules of criminal proceedings is in features of two most liquid information types which are exposed to a compromise is a financial information and personal data which leakage affects not only owners of information, but also on its carriers, i.e. citizens. Within civil production cases where information leak affects only the owner of information are considered.

Sergey Hayruk, the top analyst of InfoWatch Group told

According to specialists of Expert analytical center InfoWatch Group, the most part of illegal acts of employees concerning confidential data could be prevented using a combination of the organizational and technical measures including, for example, prohibition of mobile devices with a photo (video) the camera in workplaces will lock applications personal (or not entrusted) cloud services and personal e-mail and also control of observance of these rules by application of the automated means.

24% of leaks of confidential information from the state and business companies are integrated to fraudulent activity

On June 25, 2019 the InfoWatch company reported that in Russia about 24% of leaks of confidential information from the state and business companies are integrated to fraudulent activity. Fraud level on the basis of the data stolen from the Russian companies is almost three times higher, than in the world. About 80% of similar incidents in Russia are connected with actions of heads and employees. In half of incidents it is swindled on the basis of data from paper sources. Most often cases of a fraud are noted in the banking sector and the companies of the sphere of communication. Read more here.

2017: Customer bases of insurance companies are available in the shadow market

According to results of a research of analytical center "MFI Soft" for September, 2017, already 5.6 million data writings of clients of insurance companies are detected in the black market, they can be purchased at open piracy forums. Relevance of data the freshest — 2016-2017. At the same time two thirds of all offers concern car insurance — possibly, clients of the COMPREHENSIVE INSURANCE/CMTPL are appreciated first of all by the competing insurance companies. Together with it, offers of bases of an autoinsurance are updated most quicker — some sellers offer updating on a monthly basis.

Cost of databases

Bases of insurance companies — some of the most expensive and demanded in the market of information. Databases of different volumes — from several hundred clients to tens and hundreds of thousands at "the black market" are presented. The cost of one contact in small, but relevant base can reach 10 rubles while in large bases it falls up to 0.001 rubles. Can purchase such base everyone at the price from 250 up to 40 thousand rubles. Cost is influenced by such parameters as the number of contacts, relevance and completeness of data. The most often found price label — 3500 rub, with a size of bases up to 60 thousand records, specified in MFI Soft.

Geographical coverage

Slightly less than a half of offers on sale make bases of insurance companies of the Moscow region (41% of the studied offers). Bases of the Leningrad Region — on the second place (21%). About 26% of bases cover all Russia. Offers of the databases covering only one not capital city or the region meet in isolated cases (12%). In 59% of cases of base contain complete data about clients, including not only the personal informations, but also data on the car, history of insurance transactions, copies of documents.

Risks for clients and the companies

By estimates of MFI Soft, the risk for the user of services of insurance company in case of leak varies from receiving spam before large fraud with property as data can be of interest to criminal structures. For insurance companies except real loss of clients large leaks are fraught with loss of reputation and sanctions from regulators upon violation of the law 152-FZ "About personal data". Such precedents in the industry were already recorded in 2012.

Sources of leaks

As researchers found out, customer information of insurance companies flows away not at a collecting stage, and from information systems. The structure of the database often points to a leak source, in certain cases can point even to department in the company (when understanding on what business process record is enriched with these or those to data), however to set the owner of the most information system rather difficult. As data can arrive as directly from insurance companies, and from other information systems — traffic police, the RSA uniform base, etc.

The basic suppliers of data in the companies are insurance agents, the leaks provoked by system administrators also meet. Quite often the offer on lease of remote access in the IC of insurance companies meets on marketplaces (for example, partner portals) via which it is possible to do unloadings on clients.

The high demand on insurance databases in the black market creates all new and more and more relevant offers from insiders who quite often work to order.


For safety of data and prevention of leakages of analytics MFI Softs recommend to insurance companies to control more carefully legitimacy of access to the databases in the organization, to pay attention to mass unloadings from storage systems of information and to abnormal actions of privileged users and also to control vulnerabilities of the used DBMS.

2016: Personal data of millions of Russians already in the "black" market

Based on the research "Black Market of Databases" of analytical center "MFI Soft" for November, 2016, the size of the market of illegal databases in Russia — is more than 30 million rubles if to transfer to a record count of individuals – more than 1.2 billion turn out. In only several hours of search it is possible to find databases of clients of large banks, insurance companies and online casino in the Internet.

As it appeared, at piracy forums and portals data of clients of financial institutions – 34% and also customers of large online stores – 19%, brokers of-18% and telecom operators – 6% are especially distributed.

Within the research bases of clients of 18 large Russian banks were detected — among them there are representatives TOP-10 the largest Russian banks and also base of popular microfinance institutions. To such bases the high level of interest at different swindlers if the base is enriched with information on accounts. Almost every tenth record (8% of the detected data) in the stolen base can cause with high probability serious negative consequences — for example, to be used for counterfeit of loan agreements, frauds with the real estate, bank fraud or to more serious consequences. One more option of succession of events — a design of the credits for passport data of users of banking services and resale of base to collectors. It is possible to find a complete contact information of the person in the sold base, with its passport data, the current place of residence, the statement on bank accounts and transfer of property, information on taxes and penalties.

How much are personal data in the black market?

In recent years the cost of personal data strongly depreciated. According to research 134 of the databases which are in free sale in the black market the average cost of one contact for bases of mailings is 2 kopeks. Bases of insurance companies have the greatest value – the price of record reaches 10 rubles at the average price in 2.73 rubles, data of clients of banks are estimated on average in 0.28 rubles for record. In fact, each Internet user can purchase such base, some of idle curiosity, others — for a profit.

What contains in gray databases and what it threatens with?

Databases may contain not only names and contacts of users of services, but also all documents, from passport data and the car driver license to numbers of bank cards and accounts with indication of deposit amounts. There are even bases on activities, for example, bases of heads of security services, bases of directors of regions and other not less interesting options.

At best such bases buy for spam mailings and call-down with service offerings. Slightly less often databases in the black market are bought up by swindlers for the purpose of commission of financial frauds. On passport data using social engineering it is possible to get access to card accounts of the user and to display from them means and also to blackmail owners of these data or to issue on them the credit in microfinance institution.

Sources of leak of databases

Be responsible for date leak of users – owners of bases as this direct violation of FZ-152 "About personal data". But it is frequent they do not even suspect that their bases were stolen, and learned about it only after the notorious incidents. According to selection of MFI Soft, the database get on the black market in four ways: the malicious insider – 78%, cracking – 2%, bad faith (purposeful distribution of these clients on a commercial basis) – 13%, parsing (collecting and structuring data from open sources) – 7%. What follows from – that the main problem of the Russian companies is a leak of databases through employees. 137,090,136 compromised accounts in base

How to ensure safety?

To the organizations performing personal data processing to avoid violations, it is necessary to hold a number of events which include the following works:

  • the direction of the notification on personal data processing in regulatory authority, Roskomnadzor;
  • development of a form and receiving consent of each subject to processing of its personal data (consent should contain the sign manual of the subject (or his digital signature));
  • documentary the description of information systems of personal data processing (appointment, structure of data, a legal basis for their processing) and also designation of the group of people, working with personal data and having to them access;
  • development of a number of the regulating documents describing models of threats and means of protecting from them personal data;
  • ensuring personal data protection technical (program, hardware) and organizational methods;
  • passing of necessary checks for confirmation of conformity of the systems of personal data protection to requirements of the legislation.

For successful carrying out these works it is necessary to appoint, first, the employee responsible for questions of personal data protection, secondly, for all resources and subsystems containing personal data, to define their status, and, at last, to define methods and terms of data processing and also storage lives".

First of all, the most efficient and not cost approach to a personal data storage is their storage in the depersonalized form. It is necessary to generalize, depersonalize as much as possible information, to refuse excessive — thus it is possible just not to be afraid of deliberate or accidental information leak — it will not be of almost any value for malefactors. By the way, the legislation of the United States, recommends such approach for security of personal data. Of course, it is a two-edged sword. Such approach, undoubtedly, reduces the need for data protection, however considerably complicates a possibility of their processing.

Personal data operators now in the majority refused works on information security support. The law will change, in it there is a need and about it there are certificates so it is quite wasteful to make investments in implementation of formal requirements irrespectively of their importance.

In an ambiguous situation there are also companies which are engaged in production of products for personal data protection. In search of solutions which will allow to satisfy, on the one hand, regulators, with another — customers, and, at last, not to remain in loss, they come that reorganization of the settled model of a system of personal data protection is inevitable.

At the same time the difference between the leading companies in the area and firms supporting voices is accurately traced. The last, in the majority, were quickly reoriented on compliance to requirements of the law. The range of the services offered by them extended such offers as the help in obtaining the license, carrying out inspection and classification of an information system, consulting support. There were handymen and on methods of manner of the law — article under the name "Five Rather Legal Methods of Resistance FZ-152" widely dispersed.

It is far more interesting that representatives of the serious companies which are engaged in data protection think of an innovation. Many vendors began active completion of the solutions, having asked a question of whether they conform to requirements of regulators. Others do not hurry with so cardinal measures yet, expecting further changes in the legislation. However the key moment according to many companies is formation of culture of personal data protection. So, for example, Alexey Sabanov, the deputy CEO of Aladdin company considers that No. 152-FZ imparts the culture of information security in society and at all levels of the Russian business. Alexander Sharamok, the representative of Orticon company holds the opinion that the situation with personal data protection will improve if the transparent legal and normative and technical base is created and in society the culture of personal data protection will be created, to what he also sees the first steps in law No. 152-FZ "About personal data".

Nevertheless, except improvement of technical security measures, the companies without fail need to pay attention to a methodological component. Already now many companies offer the clients creation of model of security risks of personal data. Besides, the help in determination like an information system, information support concerning licensing and passing of checks, finding of methods of decrease in a class of the processed data — all this already slowly begins to occupy the niche in the market of services in data protection and, further,[1] will only develop[1].

How to organize data protection in a cloud and to undergo testing of Roskomnadzor, FSB and FSTEC. TADetails (2016)

Depersonalization of personal data

Requirement of the legislation for depersonalization of data

Depersonalization of personal data should provide not only protection against unauthorized use, but also a possibility of their processing. For this purpose the depersonalized data should have the properties saving the main characteristics depersonalized personal [2].

Properties of the depersonalized data

  • completeness (preserving of all information on specific subjects or groups of subjects which was available before depersonalization);
  • structuredness (preserving of structural communications between the depersonalized data of a specific subject or group of the subjects corresponding to the communications which are available before depersonalization);
  • relevance (a possibility of request processing on personal data processing and obtaining answers in an identical semantic form);
  • semantic integrity (preserving of semantics of personal data at their depersonalization);
  • applicability (a possibility of solving of tasks of personal data processing, facing the operator performing depersonalization of the personal data processed in the personal data information systems including created and functioning within implementation of federal target programs (further - the operator, operators), without preliminary deobezlichivaniye of all volume of records about subjects);
  • anonymity (impossibility of unambiguous identification of subjects of the data obtained as a result of depersonalization without application of the additional information).

Typical approaches to depersonalization of data

  • Data are not depersonalized (use of NDA with contractors)

  • After depersonalization features of data (excessive masking of data) are lost
  • After depersonalization the coherence of data is lost
  • There is no uniform tool for depersonalization of data
  • Only the applications given according to documentation are depersonalized
  • Identical politicians on depersonalization of data for different tasks
  • On depersonalization of data considerable time is required
  • After change of sources (for example, after installation of patches) considerable time for change of processes of depersonalization is required

Depersonalization of the most critical data in real time

What data need to be masked in real time?

  • Data of VIP clients
  • Contact information
  • Financial information
  • Trade secret
  • Any other sensitive information
  • Information to which different user groups have accesses

Rules of personal data protection of the company executive

Apply reliable multifactor authentication

Theft of personal data – one of the most dangerous and often found threats in the field of data protection. It is the reason of cracking in four of five cases of Verizon. Report on date leak of 2013. Thus, for access to a personal system it is not enough to enter a user name and the password. It is necessary to apply reliable authentication to personal data protection. For example, two-factor authentication within which it is necessary to confirm the personality twice will be one of optimal solutions: by means of the certificate – a token, a smart card, mobile application and also by means of input of the confidential password. In the future, perhaps, the additional biometric factor at which for confirmation of the identity of the employee prints of his fingers can be required will be entered.

Cipher the confidential e-mail addresses and files

E-mail is the most important instrument of communication in any organization, use it both heads, and other staff of the companies. To protect e-mail, it is necessary to use the special certified program which allows to cipher separate files or messages in such a way that only the specific receiver having a key will be able to get access to the ciphered information. It is also necessary to conduct accurately base of contacts that information in a random way did not get to the incorrect addressee.

Set rules of respect for information security for heads

Certainly, all above-mentioned recommendations will work on condition of additional investments from company management. In this situation intermediaries who will be able to provide a necessary training for the head are necessary and will tell all basic rules of information security support. This practice will help to change behavior of the head and motivates employees to follow an example of the management.

Activity of cybercriminals is stirred up, and any organization should think of protection of corporate data. In many companies information security support is an obligatory measure which needs to be observed upon the demand of regulators, but the data security issue of heads of the companies still remains dug out and requires special approach which will provide data protection and, at the same time, will not mention a mobile way of life of the head.

You See Also


  1. 1,0 1,1 [ the Law on personal data
  2. dannykh*prikaz Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) of September 5, 2013 N 996 Moscow "About the approval of requirements and methods on depersonalization of personal data"