The state will toughen penalties for leaks of personal data

Post by tanjimajuha20 »

The first versions of the new bills were announced at a press conference in Moscow by Russian Senator, Deputy Chairman of the Council for the Development of the Digital Economy under the Federation Council Artem Sheikin. In particular, he spoke about the bill on cyber insurance of risks and threats, which increases the operator's liability for leaks of personal data. Based on the wording, companies will now be responsible not only to the state, but also to citizens through a bank guarantee or insurance contract.

The main result of the work of the State Duma Committee on Information Policy, Information Technology and Communications in 2023 was the signed bills on the introduction of turnover fines for personal data leaks. In addition, the committee is working on a proposal to introduce criminal liability for repeated violations.

Alexander Dvoryansky, Director of Information Security (IS) at Element JSC (microelectronics manufacturer), supported the bill: "The initiative is correct and expected, as it encourages companies to maximally protect the personal data of their clients and partners. Along with the potential tightening of administrative sanctions for leakage of personal data, it will be easier and more cost-effective for companies to carry out the entire required set of measures aimed at ensuring security than to pay significant fines, coupled with reputational risks."

Andrey Mishukov, CEO of the information security integrator company iTPROTECT, spoke about the nuances of the bill: "The initiative is very labor-intensive in terms of determining the data leakage incident itself. How to calculate its cost? How to compare it with previously leaked data? Should citizens pay each time or just once? Whose fault was the leak? Sometimes the user himself, through carelessness, leaves information where he shouldn't, for example, in the technical support chat. Therefore, it will be necessary to take into account many different nuances. The bill itself will not be able to reduce the number of leaks, it will only determine the financial responsibility of operators to the subjects. And this responsibility will allow us to take the protection of personal data from leaks more seriously."

Artem Sheikin also presented a bill on the legalization of white hat hackers. He noted that specialists are outside the legal field, which is why circumstances do not contribute to attracting personnel to the industry. "Together with information security experts, we have developed a separate draft federal law 'On the activity of searching for vulnerabilities and assessing the security of information systems.' We propose introducing a conceptual apparatus, defining the subject composition of participants in this activity, establishing types of activity such as 'search for vulnerabilities,' 'assessment of security,' 'independent initiative activity,' and also defining regulators," explained Artem Sheikin.

Alexander Dvoryansky believes that the initiative concerning white hackers requires further development: "There is no need to rush into decisions, as long as there is no full-fledged regulatory framework for this. But taking into account the successful practice of using bug bounty, perhaps the current initiative will be further developed in one form or another."

Andrey Mishukov suggested a solution to the problem: "White hackers almost always work on the edge of what is permitted by law. They are only separated from criminal liability by an explicit request from the owner of the structure they are testing. If the owner of the company hiring white hackers begins to refuse testing, then they have no rights to defend their position and prove that they provided a service and did not commit an illegal act. Therefore, the main task here is to simplify the life of white hackers and give them the rights and opportunities to legally conduct activities and receive income for this. Perhaps it is worth considering the introduction of licenses for such activities and the registration of such specialists, similar to the registration and licensing of the right to carry self-defense equipment."

In addition, at the press conference Artem Sheikin raised the issue of telephone fraud, which often arises due to the problem of issuing SIM cards without confirming passport data. To this end, he proposed legislatively equating SIM cards to means of payment.

Leading information security consultant at Innostage, Tatyana Nikonorova, questioned this decision: "Equating SIM cards to payment methods is a very long and uncertain process. The problem of unregistered SIM cards or those issued to the wrong people can only be solved in this way for new phone numbers, which are too few in comparison with existing cards. A large number of regulations are aimed at reducing the scale of fraud using gray SIM cards in Russia, which are not fully implemented - for example, requirements for updating passport data."