2023/11/07 16:00:43

Protection of personal data in Russia

Regulatory framework

The requirements for the protection of personal data are set by the following laws:

  • Personal Data Law No. 152-FZ;
  • Law No. 149 ("On Information");
  • Law No. 249 ("On the protection of the rights of legal entities and individual entrepreneurs in the implementation of state control (supervision) and municipal control");
  • Art. 26 of the Law "On Banks and Banking Activities": banking secrecy covers information about the transactions, accounts and deposits of clients and correspondents. Under Russian law, a credit institution guarantees the secrecy of bank accounts and bank deposits, account transactions and customer information.

On September 1, 2015, a provision introduced by Law FZ-242 entered into force in Russia, obliging personal data operators to process and store the personal data of Russians using databases located on the territory of the Russian Federation. Because certain terms and formulations used in this provision allow different interpretations, the Ministry of Telecom and Mass Communications prepared explanations for it. The list of explanations is available at the link.

Chronology of events

2023

A tool has been developed to verify the effectiveness of personal data protection

Experts from the Big Data Association (ABD), which brings together the largest Russian IT companies, have developed a concept of a data protection standard designed to assess the effectiveness of the information security service of personal data operators. The document is a set of assessment criteria and metrics from which one can conclude how effective an operator's organizational and management processes for protecting information are. The concept also provides a transparent mechanism for voluntary assessment of an ISDS operator's compliance under a specially developed methodology, which allows the quality of the operator's security service to be assessed as part of public control.

Evaluation methodology

The concept provides for several stages of verification of the PD operator's information security service: an internal audit, external validation of the audit results, and planned self-verification of security processes, which should be carried out at least once a year. An unscheduled audit is also provided for in the event of a significant incident or a major modernization of the personal data system. The significant innovation is the validation of the internal audit results, which must be carried out by an external auditor not affiliated with the company. The concept provides that specialized companies can act as such an auditor and submit the verification results to the ABD or another public organization.

The internal audit is procedurally similar to the categorization provided for by Resolution No. 127 under Law No. 187-FZ "On the Security of the CII of the Russian Federation": a commission is created for the assessment, all components, processes and systems are analyzed, threat modeling is performed, and the results of the self-assessment are passed to the organizer, a role that ABD or other public organizations can play. The subsequent validation procedure is more interesting. The document describes four stages of such validation: an external audit, a security analysis (external or internal, instrumental or documentary), sociotechnical testing to assess awareness, and cyber training. The development of CII security legislation has not yet reached this stage.

The external audit checks the quality of implementation of the following enterprise data protection components:

  1. Management of the information protection system;
  2. Information security unit;
  3. Regulation on the organization of information protection;
  4. Planning of information protection measures;
  5. Identification of negative consequences;
  6. Modeling of information security threats;
  7. Monitoring of external vendor services;
  8. Regulation of access control rules;
  9. Authentication of access to the organization's information systems;
  10. Account management;
  11. Identification and assessment of vulnerabilities;
  12. Management of security updates;
  13. Inventory of information resources;
  14. Management of configuration changes;
  15. Information security monitoring;
  16. Response to security incidents;
  17. Actions in emergency situations;
  18. Informing and training of personnel;
  19. Security of applications and software;
  20. Firewall deployment;
  21. Absence of vulnerabilities on the perimeter;
  22. Absence of vulnerabilities in the software and PAC of the ISDS itself;
  23. Filtering of incoming network traffic for anomalies;
  24. Checking of email attachments;
  25. Deployment of anti-virus protection tools;
  26. Penetration testing plans.

Each of these points, if implemented correctly, earns one point in the audit. Personnel training is additionally checked through sociotechnical testing or cyber training, and the absence of vulnerabilities through an external audit (pentest). For personal data category No. 1 (under Law No. 152-FZ "On Personal Data") the acceptable minimum level is 6 points; for category No. 2 it is 10, for category No. 3 it is 14, and for category No. 4 it is 18.

Criteria for the effective operation of the operator's security service in relation to the categories of his personal data

Expert groups, made up of specialists from both the companies themselves and specialized third-party organizations, can act as audit operators, but specialists of the company being audited cannot audit their own company. In areas where the final audit score is lower than recommended, companies will work to improve the effectiveness of protection. ABD participants intend to finalize the concept and sign the standard in the coming months.

Role of the Concept
"The concept of an industry standard for data protection and its audit is an important initiative of key industry players who are aware of their responsibility and set a benchmark for all data operators," Irina Levova, director of strategic projects at the Big Data Association, explained at the publication of the document. "Companies plan to conduct such an audit at least once a year and thus confirm the high level of their information security systems. This will ensure the highest degree of data protection at the industry level."

The document establishes clear and, most importantly, measurable criteria for assessing the work of a personal data operator's information security service, which show how seriously the company works to protect the personal data it holds and indicate directions for further improving the protection process. The document may be useful not only for protecting personal data; it could become a model for organizing audits of other significant digital systems: CII, industrial control systems (APCS) and state information systems.

Tougher requirements for data protection developers

The Federal Service for Technical and Export Control (FSTEC) has developed a draft presidential decree that establishes the rules for protecting information in Russian organizations, and also enshrines the creation of a state organizational system for protecting information. The corresponding document, according to Kommersant, was published on January 23, 2023.

The draft regulation on the state information protection system defines the composition, directions of the system, as well as the requirements for organizing the protection of limited access information and publicly available information, the owners of which are Russia, the Russian region or a municipality. As noted in the explanatory note, the purpose of this is to form an organizational system that works on the basis of general rules at all levels.

The order also enshrines six categories of system participants, including security agencies - FSTEC and the FSB, organizations with the authority to certify protective equipment, and companies that provide services in the field of protecting state information.

"We are not talking about all market participants, but about those who work with state information, which the document calls 'information owned by the Russian Federation and its subjects,'" Vladimir Ulyanov, head of the Zecurion analytical center, explained to the newspaper. The requirements would apply to GIS security contractors, he said.

At the same time, the publication's source noted that as of January 2023 almost all information security companies in Russia work either directly with the public sector or with organizations that handle information ultimately owned by the state. The decree expands the list of objects for which certification and attestation become mandatory, the source said.[1]

2022

Courts have collected more than 50 million rubles in fines for violations with personal data

In 2022, Russian courts imposed fines totalling more than 50 million rubles for violations in handling personal data in cases brought by Roskomnadzor. This was announced by the agency's deputy head, Milos Wagner, in early March 2023.

"Instead of scheduled inspections, the agency carried out scheduled measures without interaction, that is, monitoring of operators' information resources. Unfortunately, in almost half of the cases violations were identified. Despite the restrictions, in the past [2022] year more than 180 protocols were drawn up on detected violations in the field of personal data," he said at a Roskomnadzor webinar (quoted by Interfax).

According to Wagner, in 2022 over 110 sites operating in complete non-compliance with Russian legislation were blocked. The register of violators included Internet "breaking" (data lookup) services, mobile applications that collect data from phone books, residents' directories with addresses and phone numbers, and sites with information about people's private lives, he said.

In general, in 2022, Roskomnadzor conducted 91 unscheduled inspections of companies for compliance with personal data legislation. Of these, 78 were carried out on the grounds of personal data leaks, and in 87% these leaks were confirmed.

"The operators were handed orders to eliminate the violations, and protocols on administrative offenses were drawn up. Now the courts are completing consideration of the protocols; in all cases the courts have decided to impose administrative liability," the deputy head of Roskomnadzor added in early March 2023.

He also noted that in 2022 the courts upheld 95% of the claims prepared by the Center for Legal Assistance to Citizens in the Digital Environment, which Roskomnadzor created in 2021. Since its inception, more than 2,500 citizens from different regions of the country have approached its lawyers. The main topic of appeals is unlawful processing of the applicants' personal data without their knowledge or consent; such appeals account for more than 52% of requests to the center, said Milos Wagner.[2]

Mishustin approved new rules in the field of cross-border transfer of personal data

In January 2023, Prime Minister Mikhail Mishustin signed a decree approving "the rules for making a decision to prohibit or restrict the cross-border transfer of personal data by the authorized body for the protection of the rights of personal data subjects and informing operators about the decision." The document, which comes into force on March 1, 2023, provides for the following content of a submission:

  • The name of the foreign state in respect of which it is proposed to prohibit or restrict the cross-border transfer of personal data (PD);
  • A description of the circumstances indicating the need for such a decision, with reference to the norms of Russian legislation that served as the basis for the submission;
  • A conclusion on the content of the decision proposed for adoption following review of the submission;
  • Information about the operator whose cross-border transfer of PD is proposed to be prohibited or restricted: the name of the legal entity, the full name of the individual, the taxpayer identification number, phone numbers, postal addresses and e-mail. In addition, the submission must contain the date on which the cross-border transfer is to be prohibited or restricted.

Earlier, the Ministry of Digital Development of the Russian Federation prepared two more projects regulating the procedure for transferring personal data abroad. According to the first, conditions and cases are established for prohibiting or restricting the transfer of data of Russian citizens abroad in order to protect their morality, health, rights and interests.

In the second draft, the ministry proposed to establish cases in which operators engaged in the cross-border transfer of personal data do not need to notify Roskomnadzor about this, as well as cases in which decisions on the prohibition or restriction of cross-border transfer of personal data are not applied.

Resolution of the Government of the Russian Federation of 10.01.2023 No. 6 "On Approval of the Rules for Making a Decision on the Prohibition or Restriction of Cross-Border Transfer of Personal Data by the Authorized Body for the Protection of the Rights of Personal Data Subjects and Informing Operators about the Decision"

The Ministry of Digital Development supported the introduction of prison sentences for the theft and sale of personal data

The Ministry of Digital Development supported the introduction of prison sentences for the theft and sale of personal data. This became known in mid-December 2022.

"A bill on amending the Criminal Code of the Russian Federation already exists; it was developed by a group of senators with the participation of the Ministry of Digital Development. This bill has been submitted to the government for consideration and has already been agreed," the Ministry of Digital Development told TASS.

The document provides for the introduction of fines from 300 thousand to 2 million rubles and imprisonment for up to six years.

The Ministry of Digital Development explained that in some cases violators face up to 10 years in prison, for example, if illegal handling of personal data led to serious consequences, was committed using their official position or was organized by a group of persons.

The department added that if an attacker's targeted actions led to the leakage of significant amounts of data, or if publication of sensitive data could harm specific people, liability will arise regardless of the offender's position.

In May 2022, the head of Roskomnadzor, Andrei Lipov, said that a bill was being prepared to introduce criminal liability for the sale of stolen personal data.

The head of the State Duma Committee on Information Policy, Information Technology and Communications, Alexander Khinshtein, said in July 202 that responsibility should be borne not only by those who leaked personal data, but also by those who carry out illegal trafficking in personal data, and, possibly, those who use this data, knowingly realizing their illegal nature.

Khinshtein clarified that criminal liability for leaks should be introduced for civil servants. According to him, this concerns cases where the leak led to grievous bodily harm or death.[3]

Roskomnadzor will ban the transfer of data to Meta and other prohibited foreign organizations

Roskomnadzor will prohibit Russian companies from transferring personal data abroad to organizations that are banned or declared undesirable in Russia. Among them is Meta (declared an extremist organization in the Russian Federation; its activities are prohibited). Kommersant reported this on September 15, 2022, citing documents developed by the Ministry of Digital Development.

From March 1, 2023, personal data operators will have to inform Roskomnadzor of their intention to carry out cross-border transfer. But after the adoption of the new amendments, Roskomnadzor will be able to restrict cross-border data transmission, including after statements from the FSB, the Ministry of Defense and the Ministry of Foreign Affairs. Such measures are taken to protect the economic and financial interests of the Russian Federation.

The newspaper's source in the online services market, whose representatives criticized the original version of the amendments, says that it does not expect difficulties due to the new norms.

According to the managing partner of Enterprise Legal Solutions Yuri Fedyukin, users of social networks act as subjects of personal data, and not operators of their transfer. When a person transfers his own personal data to Meta, amendments and by-laws do not create risks of liability, he explained.

Interaction with Meta carries risks primarily for professional users of its social networks (bloggers, advertising agencies and store owners), as well as for "users expressing their political position," says Vladimir Ozhereliev, head of intellectual property practice at the DRC law firm. According to Karen Ghazaryan, general director of the Institute for Internet Research, no risks will arise for individuals and legal entities that are simply privately registered on Facebook and Instagram. At the same time, the expert believes the Ministry of Digital Development drafts may still be revised, since "it is not yet clear how to apply them in practice."[4]

The Ministry of Digital Development, the FSB and FSTEC will be engaged in an audit of data security in Russian companies

At the end of August 2022, it became known that the Ministry of Digital Development, the FSB and FSTEC will audit data security in Russian companies that are personal data (PD) operators.

According to Vedomosti, as of the end of August 2022 the data protection requirements set by FSB and FSTEC orders are often not updated in time to keep pace with new cyber threats. It is expected that an annual voluntary data security audit will encourage companies to invest more actively in information security systems.

According to the newspaper, Ministry of Digital Development is in favor of companies investing more actively in information security systems, in this context the proposal for an annual voluntary audit of data security is being discussed. As noted, the discussed voluntary audit can be considered as a mitigating circumstance and be a confirmation of data protection measures.

According to the source of the publication, such an audit could be carried out by state-accredited information security companies, for example, Positive Technologies, Kaspersky Lab or Group-IB.

At the same time, Vedomosti's interlocutors did not specify whether such an audit would replace the mandatory requirements for analyzing the state of information security in the company or whether it would be carried out on the basis of the mandatory requirements of the FSB and FSTEC.

Earlier it was reported that by July 1, 2022, 58 key state corporations had to assess the level of protection of their information systems from cyber threats. To evaluate the company, any specialized organizations certified by the FSTEC and the FSB could be involved.[5]

Russia bans the forced collection of biometrics

On July 6, 2022, the State Duma adopted in the third (final) reading amendments to the law "On Personal Data," developed by a group of deputies headed by Alexander Khinshtein, head of the State Duma Committee on Information Policy. One of the initiatives introduces a ban on the forced collection and processing of biometric data.

Ministry of Digital Development agreed on a bill on fines for business for data leaks

At the end of May 2022, the Ministry of Digital Development of the Russian Federation agreed on a bill on business fines for leaks of customers' personal data. The penalty is a fine of 1% of the company's annual turnover, rising to 3% if the business attempts to conceal the incident.

According to Kommersant, the development of the initiative could be accelerated due to high-profile data leaks, which became known in the first months of 2022.

The Ministry of Digital Development believes that only multimillion-ruble turnover-based fines for leaks of Russian users' personal data will force companies to strengthen their security and information storage mechanisms.

As a source in the cybersecurity market told Kommersant, personal data is processed not only by large IT companies and banks but also by small businesses (for example, in the service sector), which rarely spend money on information security. If an organization does not invest in information protection, a rapid investigation becomes much more difficult; often in such cases the company learns about a leak from the media or social networks, said Alexei Kubarev, an expert at the Dozor product center of RTK-Solar.

The State Duma Committee on Information Policy supports the introduction of turnover-based fines for personal data leaks.

"Business should be motivated to keep user data safe, because a fine of 60,000 rubles for the Yandex.Eda leak is a mockery of common sense," said the head of the committee, Alexander Khinshtein.

In his opinion, the adoption of such a bill will force businesses to invest more in the development of their information security systems.

To quickly establish the fact of a leak and carry out the subsequent investigation, a company will need appropriate software, added Alexey Parfentiev, head of analytics at SearchInform.[6]

Russia adopted a law on fines for illegal collection of personal data when buying goods and services

On May 19, 2022, the State Duma of the Russian Federation adopted a law on fines for the illegal collection of personal data when buying goods and services. The amendments are made to Article 14.8 of the Code of Administrative Offenses; the initiative was authored by the Government of the Russian Federation.

Fines are imposed for refusing to conclude an agreement with a consumer who does not want to provide additional personal data. Exceptions are cases where provision of personal data is mandatory under the law or directly related to performance of the contract.

For officials, the amount of the fine will be from 5 thousand to 10 thousand rubles, and for legal entities - from 30 thousand to 50 thousand rubles.

As State Duma Chairman Vyacheslav Volodin explained, a ban was established on forcing consumers to provide personal data when current legislation does not require it. In addition, the law "On the Protection of Consumer Rights" now enshrines a list of unacceptable contract terms that infringe on consumer rights. Such terms include, for example, the provision of additional paid services without the consumer's consent and restriction of the right to choose the method and form of payment.

Earlier, Prime Minister Mikhail Mishustin noted that "often people are forced to indicate excessive personal data for any purchase," even "in cases where, according to the law, this is not at all necessary." In this regard, the law on fines for unjustified collection of personal data from buyers was adopted.

As Dmitry Vyatkin, a member of the State Duma Committee on State Building and Legislation, said during the discussion of the bill, two amendments of a legal and technical nature were submitted for the second reading of the document. Parliamentarians decided to support them.

The law will come into force on September 1, 2022.[7]

Russia has adopted a law prohibiting sellers from refusing service to customers without providing personal data

On April 20, 2022, the State Duma in the third (final) reading adopted a law prohibiting sellers from refusing service to customers without providing personal data. The document was initiated by the Government of the Russian Federation and amends the law "On Protection of Consumer Rights."

The law, which should enter into force on September 1, 2022, prohibits sellers, service providers and aggregator owners from refusing to conclude or perform an agreement with a consumer who has declined to provide personal data. Exceptions are cases provided for by law or necessary for performance of the agreement. The consumer will also have the right to request an explanation of the reason for the refusal and its legal grounds.

According to their authors, the amendments were developed to suppress unfair behavior in the consumer market, including forced or unjustified collection of consumers' personal data for purposes unrelated to the conclusion or performance of the contract.

"Now, when shopping or paying for services, phone numbers, email addresses and other personal information are collected from people under various pretexts, even in cases where providing such information is not mandatory. First of all, this applies to online stores. The adoption of the relevant amendments will further protect consumer rights," explained State Duma Chairman Vyacheslav Volodin.

The changes introduced by the law comply with the UN Guidelines for Consumer Protection, which name among the principles of good business practice the protection of personal information and the use of mechanisms for obtaining consent to the collection and use of consumers' personal data, as well as the OECD Council Recommendation on Consumer Protection in E-commerce of 24 March 2016, which requires companies to protect consumer privacy by ensuring that their practices for collecting and using consumer data are legal, transparent and fair.[8]

Roskomnadzor named the best way to protect yourself from personal data leaks

To reduce the risk of illegal access to personal data, you should leave as little personal data as possible anywhere, said Deputy Head of Roskomnadzor Milos Wagner at a press conference dedicated to International Data Protection Day on January 28.

"Only data that no one has saved or provided will not leak," the official said.

Roskomnadzor advises weighing the risks and benefits of services to which personal data is provided (photo: Izvestia/Pavel Bednyakov)

You need to think about whether you really need a new service that everyone around you uses, and whether you need this or that service that requires a lot of data. Each time, ask how much what you get in return outweighs the ever-present risk of compromise, said Milos Wagner.

"Nothing is free. Whether you want it or not, any service on the Internet will collect data. Sometimes it honestly and openly informs you about it, and sometimes all this is buried in user agreements whose essence is difficult for an ordinary person to understand," says the deputy head of Roskomnadzor.

Vladimir Bengin, director of the Ministry of Digital Development cybersecurity department, who was present at the press conference, advised to start a separate phone that would be used for advertising, discount cards, etc. He also noted that the larger the site, the more sensitive it will be to personal data, "with rare exceptions."

"Very often I hear from security experts about using a legend. People use different names, different surnames, because why should the same marketplace know exactly what your name is or when your birthday is? As long as you get the discount. In this case, I will advise everyone [a date of birth at] the end of December; it is very convenient, you get a discount for New Year gifts," Bengin said.

Roskomnadzor's recommendation for personal data operators is, first of all, to consider whether their business processes can run without collecting data at all. If that is impossible, for example because legislation requires customers to be identified, they should consider whether trusted services such as the public services portal could be used for this: it does not involve copying or transferring data to external operators, yet provides sufficient identification, explained Milos Wagner.

Every year, about 40 thousand complaints related to personal data are received by Roskomnadzor, said the deputy head of the department. Basically, they complain about three categories of personal data operators: Internet sites, organizations that manage the housing stock, as well as banks and other financial organizations.

2021

Where are the jail sentences? Presidential adviser and Natalya Kasperskaya propose prosecution under the Criminal Code and fines in the billions for personal data leaks

Valery Fadeev, Adviser to the President of the Russian Federation and Chairman of the Presidential Council for the Development of Civil Society and Human Rights, advocates tougher punishment for personal data leaks. Offenders should be prosecuted under articles of the Criminal Code, and fines amounting to billions of rubles should be introduced, he said on December 16, 2021.[9][10]

Personal data leaks are theft under Art. 158 of the Criminal Code of the Russian Federation, Fadeev believes. Sometimes they are the work of hackers, but in most cases, it seems, rank-and-file employees of the organizations that store the personal data are involved, stealing it and selling it to attackers.

"But I have not heard anything about the direct perpetrators of this theft being punished under Art. 158 of the Criminal Code of the Russian Federation," said the chairman of the Presidential Council for the Development of Civil Society and Human Rights.

There is also Art. 293 of the Criminal Code of the Russian Federation (Negligence), which could be applied to the manager of the employee who committed the theft, Valery Fadeev believes: "It means that this manager allowed the theft; it is called 'negligence'." Both articles should be applied in cases of personal data leaks.

The amount of fines for such incidents should also be revised.

"We must now understand that citizens' personal data is of great value, and fines should not be hundreds of thousands of rubles or even millions, but billions, if we are talking about large companies and banks," says Fadeev.

He drew an analogy with environmental protection, where fines for damage were initially minor and were later raised; there have since been cases where fines for environmental damage ran into billions.

Natalya Kasperskaya believes the Criminal Code needs to be amended so that mass data leaks carry real prison terms

Natalya Kasperskaya, head of the DLP vendor InfoWatch, citing a study of Russian law enforcement practice in 2020 related to data leaks, put the maximum fine for a legal entity at 1 million rubles and for an individual at 50 thousand rubles. These are fines under the Administrative Code for personal data violations.

"While we have such fines, the situation will be the same as with the environment many years ago: company owners and managers will not pay attention to these fines," said Valery Fadeev.

Personal data leaks are one of the key problems for citizens' rights in the digital space, and they have become widespread. This applies to Russia and to the whole world. Natalya Kasperskaya says that over the past year the number of leaks has grown enormously, and the sums stolen from accounts by fraudsters amount to tens of billions of rubles. Like Fadeev, Kasperskaya noted that nobody is being sent to prison.

"It is necessary to amend the Criminal Code so that there are real prison terms for mass data leaks, because now the legislation is organized so that punishment follows a complaint from the person whose data was leaked. A citizen must apply, and then a case is initiated, while there are millions of leaks and no one is held responsible for them," said Natalya Kasperskaya.

Such loud statements may ultimately turn out to be more than words: work is underway to strengthen the protection of personal data and the rights of Russian citizens in the digital space, and the issue is on President Vladimir Putin's radar and in the government's spotlight. Valery Fadeev recalled that following the annual meeting on human rights in December 2020 the president ordered the creation of a digital code, in which problems related to rights and freedoms would be spelled out carefully and solutions proposed. At the meeting in December 2021, the President confirmed his serious concern about the problem of personal data and leaks of it.

A temporary working group was formed to prepare a concept for the protection of human and civil rights and freedoms in the digital space of the Russian Federation. It includes members of the HRC and invited experts from public authorities, the Institute of State and Law of the Russian Academy of Sciences and other organizations, and cooperates closely with the government on behalf of the president. Among the initiators of the working group is entrepreneur and investor Igor Ashmanov, an HRC member.

According to Ashmanov, one of the main authors of the concept, which by August had been handed to the government and then went to the presidential administration, is Viktor Naumov, "the most advanced digital lawyer in our country," who represents the interests of all Western digital platforms in Russia except Yahoo.

As of December, the concept had been reviewed by the legal department and the expert department of the presidential administration, the FSB had sent its comments, and the document was under consideration by the Security Council of the Russian Federation. If the president ultimately approves the concept, lawyers will begin work on the digital code, Igor Ashmanov explained.

FSB names the data whose collection can make one a foreign agent

At the end of September 2021, the Federal Security Service (FSB) of Russia listed the data whose collection can make a person a foreign agent. This is information that is not a state secret and is unclassified. Read more here.

Putin introduces fines for disseminating data on law enforcement officers

Russian President Vladimir Putin signed a law establishing penalties for publishing personal data of law enforcement officers. The document was published on June 11, 2021 on the official Internet portal of legal information.

According to Kommersant, disseminating information about law enforcement officers will be punishable by fines of up to 300 thousand rubles. Liability is introduced for disseminating information about employees of the prosecutor's office, the Ministry of Internal Affairs, the Investigative Committee, the FSB, the Russian Guard, customs authorities and other agencies, as well as military personnel and judges. Fines apply to the publication of personal data of such officials "in connection with their performance of official activities or the fulfillment of public duty by such persons." Disseminating information about their relatives will also be punished.


Fines for disseminating information about security forces:

  • for individuals - 20-40 thousand rubles;
  • for officials - 50-100 thousand rubles;
  • for individual entrepreneurs - 100-200 thousand rubles;
  • for legal entities - 200-300 thousand.

Amendments are also made to the Criminal Code of the Russian Federation on the illegal receipt and disclosure of information constituting commercial, tax or bank secrets (Article 183) and on the disclosure of information about security measures applied to an official (Article 320).

In addition, the law toughens the punishment for illegal collection, disclosure or use of information constituting commercial, tax and bank secrets (Article 183 of the Criminal Code of the Russian Federation), raising the maximum term of forced labor or imprisonment for this offense from three to four years. The other sanctions remain unchanged: a fine of up to 1 million rubles or in the amount of the convicted person's income for a period of up to two years, deprivation of the right to hold certain positions or engage in certain activities for up to three years, and correctional labor for up to two years.[11][12]

Russia adopted a law on a 10-fold increase in fines for the disclosure of personal data

On May 19, 2021, the State Duma adopted in the third (final) reading a law significantly increasing fines for the disclosure of personal data. Citizens who violate the law will now pay 5-10 thousand rubles instead of the previous 0.5-1 thousand rubles.

The fine for officials increased from 4-5 thousand rubles to 40-50 thousand rubles. The amendments also introduce liability for legal entities: a fine of 100 thousand to 200 thousand rubles.


The adopted law also provides for an increase in fines for disclosing information about security measures that are applied to law enforcement or regulatory officers, as well as their loved ones. Now they can reach:

  • up to 70 thousand rubles for citizens;
  • up to 500 thousand rubles for officials. They will also face disqualification for up to three years;
  • up to 500 thousand rubles for legal entities.

In addition, illegal collection, transfer, dissemination of and access to personal data of judges, prosecutors, investigators, employees of internal affairs bodies and a number of other law enforcement agencies in connection with the performance of their professional or public duty, and data on their relatives, will entail a fine for citizens of 20 thousand to 40 thousand rubles. For officials the fine will be 50 thousand to 100 thousand rubles with possible disqualification for up to three years, for individual entrepreneurs 100 thousand to 200 thousand rubles, and for legal entities 200 thousand to 300 thousand rubles.

The explanatory note to the bill states that the reason for its appearance was the expanding practice of unauthorized publication of information about the facts, events and circumstances of the private life of law enforcement officers. According to the authors, the goals of such actions "are often not obstruction of the official activities of law enforcement officers, but other aspirations (self-interest, revenge, PR, etc.)." [13]

Putin instructed the Cabinet to accelerate the strengthening of the protection of personal data of Russians

As became known on April 26, 2021, Russian President Vladimir Putin instructed the Government of the Russian Federation to accelerate work on strengthening the protection of citizens' personal data.

"Accelerate the preparation and introduction of amendments to the federal law 'On Personal Data' aimed at strengthening the protection of citizens' personal data, and promote the development of Russian organizations that develop software and hardware-software complexes," reads the instruction published on the Kremlin website.

Prime Minister Mikhail Mishustin has been appointed responsible for the implementation. The corresponding report must be submitted by July 1, 2021.


Shortly before this instruction, Vladimir Putin had called for the protection of citizens' personal data. He noted that professionals' recommendations on how to develop digital services while "preventing the risks of violating people's rights to privacy, confidentiality of personal life and freedom of expression" are especially in demand.

The Russian leader also added that, according to sociological surveys, people are very concerned about issues related to the protection of personal data.

At the "Russia Calling!" investment forum in 2020, Vladimir Putin said that Russia does not intend to introduce prohibitive measures in cyberspace and is thinking about how to ensure the protection of personal data during digitalization.

"I will not announce final decisions now; we are thinking about this [protection of personal data during digitalization]. But we certainly do not intend to introduce prohibitive measures that would nullify the idea itself," said the head of state.

He also noted that the digitalization of the country's economy and life is an important area, in particular, in matters of protecting personal data.[14]

Guide from ARinteg: How to simply resolve the issue of reporting under Federal Law No. 152 "On Personal Data"

What does it take to close the question of compliance with Federal Law 152-FZ "On Personal Data"? Memorize the operator's duties by heart, set deadlines for drawing up the required documentation, and mark in red on the calendar the 12-hour working days of accelerated preparation before an inspection "from above." Or can it be done differently?

Main article: Guide from ARinteg: How to simply resolve the issue of reporting under Federal Law No. 152 "On Personal Data"

The Ministry of Digital Development will prohibit telecom operators from selling subscriber data without their consent

At the end of March 2021, it became known about new personal data protection measures developed by the Ministry of Digital Development of the Russian Federation. Under the amendments to the personal data law proposed by the ministry, telecom operators will not be able to sell information about their subscribers without their consent.

According to RIA Novosti, citing the press service of the Ministry of Digital Development, a person's permission will be needed not only to use information about them, but also to depersonalize it.

"For example, citizens often complain about advertising calls. Now, without the consent of customers, telecom operators will not be able to sell phone numbers together with the gender, age and communication spending of their subscribers," the ministry explained.


The amendments also propose giving state authorities the power to grant domestic IT companies access to depersonalized data from state information systems. Authorities will receive depersonalized data from personal data operators solely for the exercise of government functions.

The Ministry of Digital Development assured that each case in which data is required from business will be considered separately. The decision will take into account, among other things, the burden on the business of depersonalizing the data and preparing the required data sets.

Earlier, the "Regulatory Regulation" working group of ANO "Digital Economy" had proposed removing from the document the provision under which business must provide anonymized data of Russians to the state free of charge. The ANO also called the requirement to obtain separate user consent for depersonalization redundant. According to the newspaper's source, the government requested the position of Digital Economy because it was the ANO that initiated the bill.[15]

The Ministry of Digital Development equates depersonalized data with personal data

The head of the Ministry of Digital Development, Maksut Shadayev, signed a bill defining the procedure for processing depersonalized data. It will soon be submitted to the government. Vedomosti reported this on March 12, 2021, citing Deputy Minister of Digital Development Oleg Ivanov.

Under the bill, an operator will no longer be able to use any additional information that helps attribute depersonalized data to a specific subject. Along with depersonalized data, it will be prohibited to transfer to third parties information that would identify a specific person. Re-identification (de-anonymization) of data will be banned except where necessary to protect a person's life or health. In effect, depersonalized data will be equated with personal data.


According to Oleg Ivanov, the new requirements for the circulation of depersonalized information are prompted by the fact that, as of March 2021, technologies are available that can re-identify such data and determine a specific person from it.

"Depersonalization and anonymization are different concepts. Depersonalization is reversible," he explained.

The bill proposes changes to federal legislation that largely eliminate the difference in the legal relations arising from the collection, processing and use of personal and depersonalized data, Yuri Fedyukin, managing partner of the law firm Enterprise Legal Solutions, told Vedomosti.
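The reversibility Ivanov refers to is easiest to see in code. The following is an added example, not from the original page, the Ministry's bill or any vendor: a linkage attack that re-identifies "depersonalized" records by joining them with an auxiliary dataset on shared quasi-identifiers (birth year, gender, postcode), followed by the generalization step that shows what is needed to make the depersonalization actually irreversible. All records, names and field choices are constructed for the example.

```python
"""Added example (not from the original page, the Ministry's bill or any vendor):
a linkage attack that re-identifies "depersonalized" records by joining them with
an auxiliary dataset on shared quasi-identifiers, plus the generalization step
that shows what it takes to make depersonalization actually irreversible.
All records below are constructed for the example."""
from collections import defaultdict

# Quasi-identifiers left in the "depersonalized" set for analytics purposes.
QUASI_IDENTIFIERS = ("birth_year", "gender", "postcode")

# Constructed medical-style dataset: names and document numbers removed.
DEPERSONALIZED = [
    {"birth_year": 1984, "gender": "F", "postcode": "101000", "diagnosis": "asthma"},
    {"birth_year": 1977, "gender": "M", "postcode": "190000", "diagnosis": "hypertension"},
    {"birth_year": 1977, "gender": "M", "postcode": "190000", "diagnosis": "diabetes"},
    {"birth_year": 1991, "gender": "F", "postcode": "630000", "diagnosis": "migraine"},
    {"birth_year": 1987, "gender": "F", "postcode": "101005", "diagnosis": "allergy"},
    {"birth_year": 1995, "gender": "F", "postcode": "630010", "diagnosis": "anemia"},
]

# Constructed auxiliary dataset an attacker can obtain separately (for instance
# a leaked delivery-address list): names plus the same quasi-identifiers.
AUXILIARY = [
    {"name": "Anna Petrova", "birth_year": 1984, "gender": "F", "postcode": "101000"},
    {"name": "Olga Ivanova", "birth_year": 1984, "gender": "F", "postcode": "101001"},
    {"name": "Ivan Sidorov", "birth_year": 1977, "gender": "M", "postcode": "190000"},
    {"name": "Pyotr Kuznetsov", "birth_year": 1977, "gender": "M", "postcode": "190000"},
    {"name": "Elena Smirnova", "birth_year": 1991, "gender": "F", "postcode": "630000"},
]


def _key(record, fields=QUASI_IDENTIFIERS):
    return tuple(record[f] for f in fields)


def _group(records, fields):
    groups = defaultdict(list)
    for r in records:
        groups[_key(r, fields)].append(r)
    return groups


def link(depersonalized, auxiliary, fields=QUASI_IDENTIFIERS):
    """Linkage attack: return {name: diagnosis} for every quasi-identifier
    value that is unique on BOTH sides. A one-to-one match ties a named person
    to exactly one sensitive record, i.e. the data is re-identified."""
    recs = _group(depersonalized, fields)
    people = _group(auxiliary, fields)
    found = {}
    for key, persons in people.items():
        matches = recs.get(key, [])
        if len(persons) == 1 and len(matches) == 1:
            found[persons[0]["name"]] = matches[0]["diagnosis"]
    return found


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one record is unique on those fields."""
    return min(len(g) for g in _group(records, fields).values())


def generalize(record):
    """Coarsen quasi-identifiers: birth year -> decade, postcode -> 3-digit zone.
    Applied to the released data it collapses the one-to-one matches."""
    out = dict(record)
    out["birth_year"] = record["birth_year"] // 10 * 10
    out["postcode"] = record["postcode"][:3]
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(DEPERSONALIZED))
    print("re-identified:", link(DEPERSONALIZED, AUXILIARY))
    gen_recs = [generalize(r) for r in DEPERSONALIZED]
    gen_aux = [generalize(p) for p in AUXILIARY]
    print("k after generalization:", k_anonymity(gen_recs))
    print("re-identified after generalization:", link(gen_recs, gen_aux))
```

On the raw data two of the six records are re-identified outright, even though no name or document number was ever released; the two men in postcode 190000 escape only because they happen to share all three quasi-identifier values. After generalizing birth year to a decade and the postcode to its first three digits, every group contains at least two records and the join yields nothing. Removing direct identifiers is depersonalization; only when the remaining fields no longer single out individuals does it approach anonymization, which is the distinction the deputy minister draws above.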

ANO "Digital Economy" said the document contains excessive requirements for identifying a personal data subject: its previous version allowed consent to the processing of personal data to be obtained using an e-mail address or a telephone number, while the current one requires the user to give their full name to receive certain services.[16]

2020

The State Duma adopted a law prohibiting the dissemination of personal data of citizens without their consent

The State Duma adopted, in the third and final reading, a law banning the dissemination of citizens' personal data without their specific consent. The law (No. 1057337-7) spells out the mandatory procedure for obtaining consent to the processing of Russians' personal data by any data operator. This became known on December 23, 2020.

The document prohibits obtaining consent to the processing of personal data by default or through the inaction of its owner, Interfax notes. Consent to the processing of such publicly available data must state information about its owner and about the operator, the categories of data received and the purpose of their processing, the period of validity of the consent, and the list of sites on which the operator is permitted to publish the publicly available personal data.

The consent may also prohibit the transfer of the data to an "unlimited circle of persons" and its processing by them. The operator cannot refuse the prohibitions and conditions set out in the consent. The data owner also has the right to withdraw consent at any time, after which the operator is obliged to stop using the data.

The adopted amendments also oblige everyone who processed a citizen's data "to provide evidence of the legality of its subsequent dissemination or other processing" if the data became publicly available as a result of an offense or force majeure. In addition, by the second reading the author replaced the term "publicly available personal data" with the wording "data permitted for dissemination." As the explanatory note states, the initiative targets the uncontrolled collection of personal data published on the Internet for purposes that do not correspond to the purpose of the original publication. The bill was submitted to the State Duma in November 2020 by Anton Gorelkin, a member of the Duma Committee on Information Policy, Information Technology and Communications[17][18].

A new protocol for the safe exchange of personal data has been developed in Russia

Kryptonit NPK told TAdviser on June 29, 2020 that its scientists and specialists had developed the IKS security protocol. The protocol allows personal data to be transferred from a user to a service only as an encrypted data packet, a "blob" (from the English Binary Large Object, BLOB: an array of binary data). Each blob can be checked and certified by a personal data inspector who has confirmed the information about the user. The inspector may be a public authority (for example, a tax office or a pension fund) or a commercial organization (for example, a bank or an insurance company). Read more here.

Researches

2023: 75% of companies fail to comply with personal data law requirements

On March 1, 2023, K2 Integration announced the results of a survey of enterprises on implementing the requirements of the federal law "On Personal Data." It turned out that 75% of companies had not yet complied with the provisions of the law that took effect in September 2022. Read more here.

2022

Only 4% of companies have fully prepared for the implementation of the updated requirements of the legislation on personal data

On September 1, 2022, the first part of the requirements of Federal Law No. 266-FZ of 14.07.2022 "On Amendments to the Federal Law 'On Personal Data'" entered into force. In this connection, CROC conducted a survey on the readiness of Russian companies for the change; more than 100 Russian companies from various industries took part. CROC announced the results on September 1, 2022.

The CROC survey showed that at the end of August 2022 only 4% of companies had fully adapted their personal data processing to the new requirements. 28% of respondents said they had managed to prepare partially. More than 20% of organizations did not plan to carry out work on complying with 266-FZ in the near future.

"Since February 2022, according to Roskomnadzor, there have been more than 40 leaks of personal data databases, and it was the increased number of leaks that became the main trigger for the changes in legislation. The need for changes was long overdue, since earlier many companies interpreted the requirements loosely and did not count themselves as personal data operators. That is erroneous, since any company with employees and customers is a priori a personal data operator. Now the latest requirements of the law have eliminated the uncertainty and unambiguously defined the obligations to protect personal data," said Anastasia Fedorova, head of the analytics, audit and technical support groups at the information security company CROC.

The results confirmed that not all companies consider themselves PD operators. For example, 17% of respondents said their organization had not sent a notification about the start of processing personal data because they are not operators. At the same time, the overwhelming majority of respondents (70%) said that fines for PD leaks should be introduced.

In most of the surveyed companies (39%), the head of information security is responsible for the processing of personal data. In 27% of organizations, the head of human resources is responsible for this. Some of the respondents said that special positions were created in their companies, for example, the head of the personal data department.

One of the most important requirements of 266-FZ is that from September 1, 2022 all personal data operators must amend their contracts with persons processing personal data on their behalf, shorten the time for responding to requests from personal data subjects, and amend their local regulations on the processing of personal data. At the beginning of September 2022, according to the study, 17% of organizations did not maintain or control a register of persons entrusted with processing PD.

"In general, we observe that companies are gradually beginning to realize the value of personal data and the need to introduce measures for processing it safely and liability for leaks. For example, the survey showed that 70% of organizations consider it necessary to introduce fines for PD leaks. At the same time, we also see that not all companies are ready for the changes yet; there is a lot of work to do to bring processes and documentation into compliance with the new requirements," said Anastasia Fedorova.

The CROC expert recommends that organizations take several steps to adapt to the latest legal requirements. First, check that a PD Processing Policy exists and publish it on the organization's website. Second, revise internal documentation: the contracts that serve as the legal basis for processing subjects' personal data, the contracts for processing personal data on the operator's behalf, and the local regulations on processing and protecting personal data. Third, establish interaction with Roskomnadzor and determine whether connection to the State System for Detection, Prevention and Elimination of the Consequences of Computer Attacks (GosSOPKA) is required and, if so, ensure it. Finally, begin an audit of cross-border flows of personal data and an assessment of the data protection measures of foreign counterparties.

92% of Runet users are not worried about the transfer of personal data to third parties

On February 2, 2022, the antivirus vendor ESET shared the results of a study it conducted to determine how residents of the country view the collection and transfer of personal data on websites and in applications.

At the first stage of the study, the experts asked whether respondents know what a user agreement is. The answers were divided almost equally: 51% of respondents said they understand exactly what a user agreement is and why it is needed, while the other 49% said they had heard of user agreements only in passing or did not know about them at all.

"Companies and services need a user agreement to protect themselves from ruinous lawsuits. Very exotic or even impossible conditions are often included in user agreements. However, people perceive the license agreements of sites and software as an annoying hindrance and press 'Accept' automatically," explained Kirill Podgorny, director of marketing at ESET.

Russian Internet users only occasionally read the agreements offered to them to the end: 81% of the study participants said so. Another 13% do not read user agreements online at all.

At the second stage of the study, ESET experts asked Russians about the use of personal data online. It turned out that 40% of survey participants have a negative attitude to the collection of personal data because they do not believe the process is confidential. 38% of respondents were neutral: they do not care whether information about them is collected and transmitted.

At the same time, every fifth (22%) user approves the collection of personal data and believes that this improves the user experience and develops the quality of applications and sites.

92% of survey participants are not worried if data about them is transmitted to third parties: they do not try to leave a site or application whose user agreement states that it does so.

2019: Protecting personal data causes concern for businesses

On January 17, 2020, it became known that Russian businesses most often face spam: 65% of respondents in an ESET survey said so. Malware came second (47%). 22% of respondents reported that their companies had been victims of phishing attacks, 21% had suffered DDoS attacks and 35% ransomware. 54% of respondents are concerned about the security of contact databases and information about clients and partners, and 55% believe financial information needs special protection. Read more here.

2018

The maximum amount of damage in the case of information leakage amounted to 14 million rubles

On January 28, 2020, it became known that the InfoWatch Group expert and analytical center had published its first report on judicial practice in cases related to leaks of restricted information. The study was conducted to identify the main and most obvious problems of law enforcement in the field of information protection. According to its results, every fourth case ends with a real or suspended sentence, and the maximum amount of damage from an information leak confirmed by a Russian court decision in 2018 was 14 million rubles.

A significant share of confidential information leak cases was heard under the rules of criminal procedure (69.1%). However, in fewer than 5% of all cases did the court impose a real prison term. Another 21% of cases ended in suspended sentences, and in more than 30% of cases fines of various kinds were imposed. Every fourth case leads only to the dismissal of the offender. Only 8.6% of cases were dropped after reconciliation of the parties.

Abuse of access to confidential information accounts for more than half of the proceedings (59.5%). Disclosure and illegal access take second and third place (24.5% and 16%, respectively). The main motives for the offenses are self-interest (83.6%) and revenge (16.4%). More than 70% of the leaks that formed the basis of court proceedings were due to unlawful actions by employees of commercial and non-profit organizations, and only 20% resulted from the actions of external intruders.

Distribution of information leaks

"A vivid example of the misuse of confidential information is the various fraudulent actions of employees of mobile phone retail outlets. Managers in cellular retail do not hesitate to sell client information, provide illegal SIM card re-issuance services, sell 'beautiful' numbers, etc. This is because relatively free access to client information, combined with the leniency of the punishment imposed, effectively gives carte blanche for misconduct. The same can be said of employees of the financial and credit sector, divisions of postal operators and other organizations involved in handling cash flows and processing personal data," said Andrey Arsentiev, Head of Analytics and Special Projects at InfoWatch Group.

According to the analysts, the main reasons for such "primitive" abuses in cellular retail and bank client offices are the low salaries of rank-and-file staff, poor information literacy and shortcomings in the work of information security services.

About a third of all confidential information leak cases heard by the courts involve high-tech companies (IT, information security, telecom, integration, etc.). Violations in industrial and transport organizations account for a significant share of leak cases, 14.1%. In high-tech companies, 96% of cases were heard under the rules of criminal procedure.

Personal data and information constituting trade secrets can be considered the universal types of compromised information across all industries (64.6%), and as expected they dominate the distribution of leaks by data type.

The authors of the study note that judicial practice in information leak cases is developing more in favor of information holders than against them. As of January 2020, the main problems stem from inconsistencies between regulatory and protective legislation, the result of a rapidly developing information environment with which protective legislation does not keep pace.

"The reason most data leak cases are heard under the rules of criminal procedure lies in the nature of the two most liquid types of compromised information, financial information and personal data, whose leakage affects not only the owners of the information but also the people it concerns, that is, citizens. Civil proceedings deal with cases where an information leak affects only the owner of the information," said Sergey Khairuk, chief analyst at InfoWatch Group.

According to experts from the InfoWatch Group expert and analytical center, most unlawful actions by employees with respect to confidential data could be prevented by a combination of organizational and technical measures, for example banning mobile devices with photo/video cameras in the workplace, prohibiting the use of personal (or untrusted) cloud services and personal e-mail, and monitoring compliance with these rules by automated means.
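The "automated means" in that recommendation are, in practice, rules run over proxy or DLP logs. The following is an added example, not from InfoWatch or the original page: a small detection pass over constructed web-proxy log lines that flags the two behaviours singled out above, uploads to personal cloud storage and use of personal e-mail. The domain lists are an assumed example policy, the log format (timestamp, client IP, user, method, URL, bytes sent, status) and all log lines are constructed for the example, and the size threshold is arbitrary; adapt all of them to the proxy actually in use.

```python
"""Added example, not from InfoWatch or the original page: a detection pass over
constructed web-proxy log lines that flags uploads to personal cloud storage and
use of personal webmail. Domain lists, threshold, log format and log lines are
all assumptions constructed for the example."""
import re
from urllib.parse import urlsplit

# Assumed policy: which external services count as "personal" for this
# organization, and how large an upload must be to count as bulk exfiltration.
PERSONAL_CLOUD = ("drive.google.com", "dropbox.com", "dropboxapi.com")
PERSONAL_WEBMAIL = ("mail.yandex.ru", "mail.ru", "gmail.com")
BULK_UPLOAD_BYTES = 1_000_000

# Constructed sample: one request per line.
SAMPLE_LOG = """\
2024-03-04T10:15:02Z 10.20.1.15 ivanov POST https://drive.google.com/upload/drive/v3/files 5242880 200
2024-03-04T10:15:40Z 10.20.1.15 ivanov GET https://crm.example.internal/api/customers?page=3 1200 200
2024-03-04T10:16:07Z 10.20.1.22 petrova GET https://mail.yandex.ru/ 2048 200
2024-03-04T10:16:31Z 10.20.1.22 petrova POST https://mail.yandex.ru/web-api/upload 3100000 200
2024-03-04T10:17:00Z 10.20.1.31 sidorov POST https://files.example.internal/_api/web/files 9000000 201
2024-03-04T10:17:45Z 10.20.1.40 kuznetsov PUT https://content.dropboxapi.com/2/files/upload 150000 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<bytes>\d+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["bytes"] = int(entry["bytes"])
    entry["host"] = (urlsplit(entry["url"]).hostname or "").lower()
    return entry


def _matches(host, domains):
    """True if host is one of the policy domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(entry):
    """Apply the policy to one parsed request; return an alert dict or None."""
    host = entry["host"]
    if not (_matches(host, PERSONAL_CLOUD) or _matches(host, PERSONAL_WEBMAIL)):
        return None  # corporate and unknown destinations are out of scope here
    is_upload = entry["method"] in ("POST", "PUT")
    if is_upload and entry["bytes"] >= BULK_UPLOAD_BYTES:
        rule, severity = "bulk_upload_to_personal_service", "high"
    elif is_upload:
        rule, severity = "upload_to_personal_service", "medium"
    elif _matches(host, PERSONAL_WEBMAIL):
        rule, severity = "personal_webmail_access", "low"
    else:
        return None  # merely browsing a cloud site is not flagged
    return {"user": entry["user"], "client": entry["client"], "host": host,
            "bytes": entry["bytes"], "rule": rule, "severity": severity}


def scan(log_text):
    """Run the rules over every line; lines that do not parse are skipped."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            alert = classify(entry)
            if alert:
                alerts.append(alert)
    return alerts


def upload_totals(alerts):
    """Bytes sent to personal services per user, to prioritise follow-up."""
    totals = {}
    for a in alerts:
        if a["rule"].endswith("upload_to_personal_service"):
            totals[a["user"]] = totals.get(a["user"], 0) + a["bytes"]
    return totals


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f'{a["severity"]:6} {a["user"]:10} {a["rule"]:32} {a["host"]} {a["bytes"]}')
    print(upload_totals(found))
```

On the sample, the 9 MB upload to the internal file server produces nothing, while the 5 MB upload to a personal drive and the 3 MB attachment sent through personal webmail are flagged as high severity, the small Dropbox upload as medium, and the webmail login itself as low. Matching on the host rather than on substrings of the URL avoids false positives from query strings that mention a cloud domain, and the per-user byte totals give the security team an order in which to follow up.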

24% of confidential information leaks from government and commercial companies are associated with fraudulent actions

On June 25, 2019, InfoWatch reported that in Russia about 24% of confidential information leaks from state and commercial companies are associated with fraud. The level of fraud based on data stolen from Russian companies is almost three times higher than the global figure. Approximately 80% of such incidents in Russia involve managers and employees. In half of the incidents, the fraud is committed using data from paper sources. Fraud is most common in the banking sector and at communications companies. Read more here.

2017: Insurance companies' customer bases available in shadow market

According to a study by the MFI Soft analytical center for September 2017, 5.6 million records of insurance company customer data had already been found on the black market, available for purchase on open pirate forums. The data are recent, from 2016-2017. Two-thirds of all offers relate to car insurance; CASCO/OSAGO customer lists are probably valued primarily by competing insurers. Auto insurance databases are also refreshed fastest: some sellers offer monthly updates.

Cost of databases

Insurance company databases are among the most expensive and sought-after information on the market. The "black market" offers databases of various sizes, from several hundred customers to tens and hundreds of thousands. The cost of one contact in a small but current database can reach 10 rubles, while in large databases it falls to 0.001 rubles. Anyone can buy such a database for between 250 and 40 thousand rubles. The price is affected by parameters such as the number of contacts, relevance and completeness of the data. The most common price is 3500 rubles for a database of up to 60 thousand records, MFI Soft notes.

Geographic coverage

Slightly less than half of the offers for sale are the bases of insurance companies in the Moscow region (41% of the proposals studied). The bases of the Leningrad Region are in second place (21%). About 26% of the bases cover all of Russia. Database proposals covering only one non-capital city or region occur in isolated cases (12%). In 59% of cases, databases contain complete customer data, including not only personal information, but also data on the car, the history of insurance transactions, copies of documents.

Risks to Customers and Companies

According to MFI Soft's estimates, the risk to a user of an insurance company's services in the event of a leak ranges from receiving spam to major property fraud, since the data may be of interest to criminal structures. For the insurance companies themselves, in addition to the direct loss of customers, large leaks threaten reputational damage and sanctions from regulators for violating Federal Law 152-FZ "On Personal Data." Such precedents in the industry were already recorded in 2012.

Leak sources

As the researchers found, information about insurance company clients leaks not at the collection stage, but from information systems. The composition of a database often points to the source of the leak, and in some cases can even indicate the department within the company (if one understands which business process enriches the record with particular data), but establishing the owner of the information system itself is rather difficult, since the data can come both directly from insurance companies and from other information systems: the traffic police, the unified RSA database, and so on.

The main data suppliers within companies are insurance agents, and there are also leaks provoked by system administrators. Trading platforms often carry offers to rent remote access to insurance companies' information systems (for example, partner portals), through which customer records can be downloaded.

The high demand for insurance databases on the black market generates more and more up-to-date offers from insiders, who often work to order.

Recommendations

To preserve data and prevent leaks, MFI Soft analysts recommend that insurance companies monitor more carefully the legitimacy of access to their databases within the organization, pay attention to mass uploads from information storage systems and to abnormal actions by privileged users, and track vulnerabilities in the DBMSs they use.
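The two signals MFI Soft recommends watching, mass uploads and abnormal actions by privileged users, can be checked mechanically against a DBMS audit trail. The following is an added example written for this page, not MFI Soft's tooling or any product mentioned here; the audit-log format (timestamp, user, role, statement type, rows returned), the role names, the office hours and the row thresholds are all assumptions, and the log lines are constructed.

```python
"""Detection logic for mass exports and abnormal privileged-user reads in a
database audit log. Added example; the log format, roles and thresholds are
assumptions, and the sample log is constructed."""
from datetime import datetime

# Constructed sample audit log (assumed format):
# timestamp  user  role  statement  rows_returned
AUDIT_LOG = """\
2017-09-04T09:12:01 agent_ivanov agent SELECT 1
2017-09-04T09:12:05 agent_ivanov agent SELECT 1
2017-09-04T09:13:40 agent_petrov agent SELECT 2
2017-09-04T09:14:02 agent_ivanov agent SELECT 48000
2017-09-04T10:30:00 dba_sidorov dba ALTER 0
2017-09-04T23:41:10 dba_sidorov dba SELECT 120
2017-09-04T23:41:30 dba_sidorov dba SELECT 15
"""

MASS_EXPORT_ROWS = 10_000           # one statement returning this many rows is an upload, not a lookup
BUSINESS_HOURS = range(8, 20)       # 08:00-19:59; assumed local office hours
ADMIN_ROLES = {"dba", "sysadmin"}   # maintain the system, but have no business need to read client rows


def parse_audit_log(text):
    """Parse the constructed log into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, stmt, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "stmt": stmt, "rows": int(rows)})
    return sorted(events, key=lambda e: e["ts"])


def detect(text):
    """Return a list of alerts {kind, ts, user, role, stmt, rows} for the log text."""
    alerts = []
    for e in parse_audit_log(text):
        reads_data = e["stmt"] == "SELECT" and e["rows"] > 0
        # mass upload: a single query that pulls a large slice of the table
        if reads_data and e["rows"] >= MASS_EXPORT_ROWS:
            alerts.append({"kind": "mass_export", **e})
        # privileged account reading customer rows instead of administering the system
        if reads_data and e["role"] in ADMIN_ROLES:
            alerts.append({"kind": "privileged_data_read", **e})
        # any data read outside office hours
        if reads_data and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append({"kind": "off_hours_access", **e})
    return alerts


if __name__ == "__main__":
    for a in detect(AUDIT_LOG):
        print(f'{a["ts"].isoformat()} {a["kind"]:22} {a["user"]} rows={a["rows"]}')
```

On the constructed log the agent's 48,000-row query is flagged as a mass export, while the DBA's two night-time reads are flagged twice each (privileged read and off-hours); the DBA's daytime ALTER is not flagged, because schema work is what that role is for. Real deployments would read the DBMS's own audit output and tune the thresholds per table.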

2016: Personal data of millions of Russians already on the "black" market

According to the study "Black Database Market" by the MFI Soft analytical center for November 2016, the illegal database market in Russia exceeds 30 million rubles, which translates into more than 1.2 billion records of individuals. In just a few hours of searching the Internet, one can find customer databases of large banks, insurance companies and online casinos.

As it turned out, data on clients of financial organizations (34%), customers of large online stores (19%), brokers (18%) and telecom operators (6%) are especially common on pirate forums and portals.

As part of the study, customer databases of 18 large Russian banks were discovered, among them representatives of the TOP-10 largest Russian banks, as well as databases of popular microfinance organizations. Such databases attract a high level of interest from fraudsters of various kinds, especially when enriched with account information. Almost every tenth record (8% of the data found) in a stolen database is highly likely to have severe negative consequences for the subject: for example, it can be used to forge loan agreements, for real estate or bank fraud, or worse. Another scenario is taking out loans against the passport data of bank customers and reselling the database to debt collectors. A database on sale may contain a person's full contact details together with passport details, current place of residence, bank statement and property transfers, and information on taxes and fines.


How much is personal data on the black market?

In recent years, the cost of personal data has depreciated greatly. A study of 134 databases on the black market showed that the average cost of one contact in a mailing database is 2 kopecks. Insurance company databases are the most valuable: the price per record reaches 10 rubles, with an average of 2.73 rubles; bank customer data is valued at an average of 0.28 rubles per record. In practice any Internet user can buy such a database, some out of idle curiosity, others for profit.


What do gray databases contain and what is the threat?

A database can contain not only the names and contact details of service users, but also all of their documents, from passport data and driver's licence to bank card and account numbers with deposit amounts. There are even databases by field of activity, for example, databases of heads of security services, databases of directors by region, and other equally interesting options.

At best, such databases are bought for spam mailing and calling with service offers. A little less often, fraudsters buy up databases on the black market in order to commit financial fraud. According to passport data, using social engineering, you can access the user's card accounts and withdraw funds from them, as well as blackmail the owners of this data or apply for a loan from a microfinance organization.

Database Leak Sources

The owners of the databases are responsible for the leakage of user data, since it is a direct violation of Federal Law No. 152-FZ "On Personal Data." But often they do not even suspect that their databases have been stolen, and only find out after high-profile incidents. According to MFI Soft, databases reach the black market in four ways: malicious insiders (78%), hacking (2%), dishonesty, that is, deliberate distribution of customer data on a commercial basis (13%), and parsing, that is, collecting and structuring data from open sources (7%). It follows that the main problem of Russian companies is the leakage of databases through employees.

phonenumber.to: 137,090,136 compromised accounts in the database

How to ensure security?

Organizations that process personal data in order to avoid violations need to carry out a number of measures, which include the following works:

  • sending a notification of personal data processing to the regulatory body, Roskomnadzor;
  • developing a consent form and obtaining each subject's consent to the processing of his or her personal data (the consent must bear the subject's handwritten or digital signature);
  • producing a documented description of the personal data information systems (purpose, composition of the data, legal grounds for processing), and identifying the persons who work with personal data and have access to it;
  • developing a set of regulatory documents describing threat models and the means of protecting personal data;
  • ensuring the protection of personal data by technical (software and hardware) and organizational methods;
  • passing the necessary checks to confirm that the personal data protection systems comply with the requirements of the law.

To carry out these works successfully, it is necessary, firstly, to appoint an employee responsible for the protection of personal data; secondly, to determine the status of every resource and subsystem that contains personal data; and finally, to determine the methods and terms of data processing, as well as the storage periods.

First of all, the most effective and least costly approach to storing personal data is to store it in a depersonalized form. Data should be aggregated as far as possible, depersonalized, and stripped of redundant information; then a deliberate or accidental leak is simply not something to fear, because the data will be of almost no value to attackers. Incidentally, United States legislation recommends this approach for securing personal data. Of course, it is a double-edged sword: while it undoubtedly reduces the need for data protection, it makes the data much harder to process.

For the most part, personal data operators have now put information security work on hold. The law will change, there is both a need for this and evidence of it, so investing in the implementation of formal requirements regardless of their importance looks rather wasteful.

Companies that produce products for the protection of personal data are also in an ambiguous position. In search of solutions that satisfy regulators on the one hand and customers on the other, without losing out themselves, they come to the conclusion that a restructuring of the established model of the personal data protection system is inevitable.

At the same time, the difference between the leading companies in the field and second-tier firms is clearly visible. The latter, for the most part, quickly reoriented themselves toward meeting the requirements of the law. The range of services they offer has expanded with offerings such as assistance in obtaining a license, surveying and classifying the information system, and consulting support. There were also inventive approaches to circumventing the law: an article entitled "Five relatively legal ways of resisting FZ-152" was widely circulated.

Much more interesting is what representatives of serious information protection companies think about the innovation. Many vendors have begun to actively refine their solutions, wondering whether they meet regulatory requirements. Others are in no hurry with such drastic measures, waiting for further changes in legislation. However, the key point in the opinion of many companies is the formation of a culture of personal data protection. For example, Alexey Sabanov, Deputy General Director of Aladdin, believes that No. 152-FZ instills a culture of information security in society and at all levels of Russian business. Alexander Sharamok, a representative of Orticon, is of the opinion that the situation with the protection of personal data will improve if a transparent legal and regulatory technical base is created and a culture of personal data protection is formed in society, the first steps to which he also sees in law No. 152-FZ "On personal data."

Nevertheless, in addition to improving technical security measures, companies certainly need to pay attention to the methodological component. Many companies already offer their customers help in building a model of threats to the security of personal data. In addition, assistance in determining the type of information system, information support on licensing and verification, and finding ways to lower the class of the processed data are all gradually carving out a niche in the information protection services market and will only develop in the future.[19]

How to organize data protection in the cloud and pass the check of Roskomnadzor, FSB and FSTEK. TADetals (2016)

Personal Data Depersonalization

Data depersonalization legislation requirement

The depersonalization of personal data should provide not only protection against unauthorized use, but also the possibility of further processing. To this end, depersonalized data must retain properties that preserve the main characteristics of the personal data before depersonalization.[20]

Properties of Depersonalized Data

  • completeness (preservation of all information about specific subjects or groups of subjects that was available before depersonalization);
  • structuring (preservation of the structural links between the depersonalized data of a particular subject or group of subjects, corresponding to the links that existed before depersonalization);
  • relevance (the ability to process requests for personal data processing and receive answers in the same semantic form);
  • semantic integrity (preservation of the semantics of personal data during depersonalization);
  • applicability (the ability to solve the personal data processing tasks facing an operator that depersonalizes personal data processed in personal data information systems, including those created and operating under federal target programs (hereinafter the operator or operators), without first re-identifying the entire volume of records about subjects);
  • anonymity (the impossibility of unambiguously identifying the data subjects from the depersonalized data without applying additional information).
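The properties above are easiest to see on a concrete data set. The following is an added example written for this page, not Roskomnadzor's methodology or any operator's tooling: two constructed insurance-style tables (clients and policies) are depersonalized by removing direct identifiers, generalizing the year of birth to a decade, and replacing the linking fields with keyed HMAC pseudonyms, so that the link between a client and their policies survives (structuring, applicability) while re-identification requires the key (the "additional information" of the anonymity property). The field names, the pseudonym scheme and the sample records are assumptions.

```python
"""Depersonalization that keeps completeness, structure, applicability and
anonymity of a client/policy data set. Added example; tables, field names and
the HMAC pseudonym scheme are assumptions, sample records are constructed."""
import hashlib
import hmac

# Constructed sample records
CLIENTS = [
    {"client_id": "C-1001", "name": "Ivanov Ivan", "passport": "4509 123456",
     "city": "Moscow", "birth_year": 1984},
    {"client_id": "C-1002", "name": "Petrova Anna", "passport": "4011 654321",
     "city": "St. Petersburg", "birth_year": 1991},
]
POLICIES = [
    {"policy_no": "P-0001", "client_id": "C-1001", "vin": "XTA210990Y1234567", "premium": 45000},
    {"policy_no": "P-0002", "client_id": "C-1001", "vin": "XTA210990Y1234567", "premium": 7000},
    {"policy_no": "P-0003", "client_id": "C-1002", "vin": "Z8NAJL00051234568", "premium": 6500},
]

DIRECT_IDENTIFIERS = {"name", "passport"}   # removed outright
LINK_FIELDS = {"client_id", "vin"}           # replaced by keyed pseudonyms so joins still work


def pseudonym(value, key):
    """Keyed, deterministic pseudonym: the same input gives the same token under
    one key, and nothing links tokens back to inputs without that key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def depersonalize_row(row, key):
    out = {}
    for field, value in row.items():
        if field in DIRECT_IDENTIFIERS:
            continue                            # drop: not needed for analysis
        if field in LINK_FIELDS:
            out[field] = pseudonym(value, key)  # keep the relationship, hide the identifier
        elif field == "birth_year":
            out[field] = (value // 10) * 10     # generalize to a decade
        else:
            out[field] = value                  # city, premium etc. stay usable
    return out


def depersonalize(clients, policies, key):
    return ([depersonalize_row(c, key) for c in clients],
            [depersonalize_row(p, key) for p in policies])


def check_properties(clients, policies, clients_d, policies_d):
    """Check the listed properties on the depersonalized result."""
    completeness = len(clients) == len(clients_d) and len(policies) == len(policies_d)
    ids = {c["client_id"] for c in clients_d}
    structuring = all(p["client_id"] in ids for p in policies_d)   # every policy still joins to a client
    sensitive = {c[f] for c in clients for f in DIRECT_IDENTIFIERS | {"client_id"}}
    sensitive |= {p["vin"] for p in policies}
    output_values = {v for row in clients_d + policies_d for v in row.values() if isinstance(v, str)}
    anonymity = not (sensitive & output_values)                    # no raw identifier survives
    # applicability: "how many policies per client" is answerable without re-identifying anyone
    per_client = {}
    for p in policies_d:
        per_client[p["client_id"]] = per_client.get(p["client_id"], 0) + 1
    applicability = sorted(per_client.values()) == sorted(
        sum(1 for p in policies if p["client_id"] == c["client_id"]) for c in clients)
    return {"completeness": completeness, "structuring": structuring,
            "anonymity": anonymity, "applicability": applicability}


if __name__ == "__main__":
    key = b"constructed-test-key"   # in practice: a secret held only by the operator
    cd, pd = depersonalize(CLIENTS, POLICIES, key)
    print(cd, pd, check_properties(CLIENTS, POLICIES, cd, pd), sep="\n")
```

The key is the piece that turns pseudonymization into depersonalization in the sense of the list above: whoever holds it can re-identify, so it must be stored and access-controlled separately from the depersonalized tables, and a different key yields an entirely different, unlinkable set of tokens.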

Typical approaches to data depersonalization

  • Data is not depersonalized at all (an NDA with contractors is relied on instead)
  • Data properties are lost after depersonalization (excessive masking)
  • Links between data are lost after depersonalization
  • There is no single tool for data depersonalization
  • Only the data listed in the application's documentation is depersonalized
  • The same depersonalization policies are used for different tasks
  • Data depersonalization takes a long time
  • After sources change (for example, after patches are installed), significant time is needed to adjust the depersonalization processes

Depersonalization of the most critical data in real time

What data should be masked in real time?

  • VIP customer data
  • Contact information
  • Financial information
  • Trade secrets
  • Any other sensitive information
  • Information to which different user groups have access
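Real-time masking differs from the batch depersonalization above in that the stored record stays intact and each user group receives a different view of it at query time, which also addresses the "same policy for different tasks" problem listed earlier. The following is an added example written for this page, not a vendor product: a constructed customer record is masked according to per-group rules (a support desk, an analytics team and a fraud unit), VIP contact data is withheld from the support group, and any field that no rule mentions is dropped by default, so a column added after a patch is not exposed until a rule for it exists. The group names, field names, masking formats and sample records are assumptions.

```python
"""On-read masking by user group. Added example; the groups, field names,
masking rules and sample records are assumptions (records are constructed)."""

# Constructed sample records as a service-desk or analytics query would return them
RECORD = {
    "name": "Ivanov Ivan Ivanovich", "phone": "+79161234567",
    "email": "ivanov@example.com", "passport": "4509 123456",
    "card_number": "4276123412345678", "balance": 125000,
    "city": "Moscow", "vip": False,
}
VIP_RECORD = dict(RECORD, name="Petrova Anna Sergeevna", phone="+79031112233",
                  email="anna.p@example.com", vip=True)


def initials(v):                 # "Ivanov Ivan Ivanovich" -> "Ivanov I. I."
    parts = v.split()
    return parts[0] + " " + " ".join(p[0] + "." for p in parts[1:])

def mask_phone(v):               # keep country code and prefix plus the last four digits
    return v[:5] + "*" * (len(v) - 9) + v[-4:]

def mask_email(v):               # first letter of the local part, full domain
    local, domain = v.split("@", 1)
    return local[0] + "***@" + domain

def mask_card(v):                # first four and last four digits of the PAN
    return v[:4] + "*" * (len(v) - 8) + v[-4:]

def bucket(v, size=50_000):      # amounts become ranges for analytics
    low = (v // size) * size
    return f"{low}-{low + size - 1}"

def keep(v):
    return v

# Per-group policy: field -> transform. Fields absent from a policy are dropped
# (default deny), so new or unexpected columns never leak through.
POLICIES = {
    "support":    {"name": initials, "phone": mask_phone, "email": mask_email,
                   "card_number": mask_card, "city": keep},
    "analytics":  {"balance": bucket, "city": keep, "vip": keep},
    "fraud_unit": {field: keep for field in RECORD},
}
# Extra restriction for VIP clients: these groups do not see contact data at all
VIP_WITHHELD = {"support": {"phone", "email"}}


def mask_record(record, group):
    """Return the view of `record` that `group` is allowed to see."""
    policy = POLICIES.get(group)
    if policy is None:
        raise PermissionError(f"no masking policy for group {group!r}")
    withheld = VIP_WITHHELD.get(group, set()) if record.get("vip") else set()
    view = {}
    for field, value in record.items():
        rule = policy.get(field)
        if rule is None or field in withheld:
            continue
        view[field] = rule(value)
    return view


if __name__ == "__main__":
    for group in POLICIES:
        print(group, mask_record(VIP_RECORD, group))
```

An unknown group raises rather than falling back to an open view; that is the same default-deny choice applied at the group level as at the field level.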

Rules for the Protection of Company Executives' Personal Data

Use reliable multifactor authentication

Identity theft is one of the most dangerous and common threats in information protection: according to the Verizon Data Breach Report 2013, it is the cause of four out of five hacks. A username and password alone are therefore not enough to access the system; reliable authentication must be used to protect personal data. One of the optimal solutions is two-factor authentication, in which identity is verified twice: with a certificate carried on a token, smart card or mobile application, and by entering a secret password. In the future an additional biometric factor may be introduced, with an employee's fingerprints required to confirm identity.
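The "mobile application" factor mentioned above is usually a one-time code generator, and the server side of it is short enough to show in full. The following is an added example written for this page, not code from the page or from any vendor named on it: HOTP (RFC 4226) and TOTP (RFC 6238) code generation, plus a verifier that tolerates one time step of clock drift but records the last accepted step so that an intercepted code cannot be replayed. The shared secret is the public RFC 4226 test-vector secret, not a real key, and the server-side storage of `last_counter` per user is assumed.

```python
"""HOTP/TOTP second factor with drift window and replay protection.
Added example; the secret is the public RFC 4226 test-vector value and the
per-user `last_counter` store is assumed."""
import hashlib
import hmac
import time

RFC_SECRET = b"12345678901234567890"   # RFC 4226 test-vector secret (public test data)
STEP = 30                              # seconds per TOTP step


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret, unix_time=None, step=STEP):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time // step))


def verify_totp(secret, code, unix_time, last_counter, window=1, step=STEP):
    """Accept `code` if it matches the current step or one step either side
    (clock drift), and only if that step is newer than the last accepted one,
    so a captured code cannot be replayed. Returns (accepted, new_last_counter);
    the caller persists new_last_counter for the user."""
    counter = int(unix_time // step)
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue                                   # already used, or older than a used step
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET, now)
    print("current code:", code, "->", verify_totp(RFC_SECRET, code, now, -1))
```

The constant-time comparison and the monotonic `last_counter` are the two details that distinguish a usable verifier from a textbook one: the first avoids leaking digit-by-digit match timing, the second is what makes a code genuinely one-time even within the drift window.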

Encrypt sensitive email addresses and files

E-mail is the most important communication tool in any organization, used by managers and rank-and-file employees alike. To protect e-mail, a special certified program should be used that encrypts individual files or messages so that only the intended recipient, who holds the key, can access the encrypted information. The contact database must also be maintained carefully so that information is not accidentally sent to the wrong addressee.

Set information security rules for managers

Of course, all of the above recommendations will only work with additional investment from the company's management. Intermediaries are needed here who can train the manager and explain the basic rules for ensuring information security. This practice helps change the manager's behaviour and motivates employees to follow management's example.

Cybercriminals are becoming more active, and any organization should think about protecting corporate data. In many companies, information security is a mandatory measure that must be followed at the request of regulators, but the issue of data security of company executives remains open and requires a special approach that will protect information and, at the same time, will not affect the mobile lifestyle of the manager.

Notes

  1. FSTEC Information Security Bodies Tighten Requirements for Data Protection Developers
  2. The courts in 2022 collected more than 50 million rubles in fines for violations with personal data
  3. The Ministry of Digital Development supported the introduction of criminal liability for the theft and sale of personal data
  4. Personal data will face metarism
  5. The Ministry of Digital Development, FSB and FSTEC will be engaged in audit of security of data
  6. Leaks will be taken into circulation
  7. Fines will be imposed for illegal collection of personal data when buying goods and services
  8. passed a law to protect buyers from unreasonable collection of personal data
  9. DIGITAL TRANSFORMATION: PROTECTION OF THE RIGHTS OF CITIZENS, http://pressmia.ru/pressclub/20211216/953473209.html
  11. Putin introduced fines for disseminating information about security forces
  12. Federal Law of 11.06.2021 No. 206-FZ "On Amendments to the Code of Administrative Offenses of the Russian Federation
  13. Administrative penalties for disclosure of restricted data will increase
  14. List of instructions following the meeting with members of the Government
  15. The Ministry of Digital Development has developed new measures to protect personal data
  16. Impersonal data will be equated with personal
  17. The State Duma adopted a law prohibiting the dissemination of personal data of citizens without their consent, https://xco.news/article/2020/12/23/gosduma-prinyala-zakon-zapreschauschii-rasprostranyat-personalnye-dannye-grazhdan-bez-ih-soglasiya?utm_source=email&from=email
  19. Law on Personal Data, http://safe.cnews.ru/reviews/index.shtml?2010/08/09/404375_1
  20. Order of the Federal Service for Supervision of Communications, Information Technologies and Mass Media (Roskomnadzor) of September 5, 2013 N 996, Moscow, "On Approval of Requirements and Methods for Depersonalizing Personal Data"