Bankers ask the Ministry of Digital Development to abandon the introduction of turnover fines for information leaks

Representatives of the banking community have asked the authorities to abandon the introduction of turnover fines for information leaks. Market participants call the measure discriminatory, since government institutions, for example, have no turnover and the punishment will not be effective for them. At the same time, bankers emphasize that their filing of recourse claims against software suppliers could lead to the bankruptcy of a significant number of companies working in the field of cybersecurity.

The Association of Banks of Russia (ADB) contacted the Ministry of Digital Development in early March (Kommersant has read the letters) with a proposal to abandon the introduction of turnover fines for information leaks in the event of a repeated violation; a bill on this was adopted by the State Duma in the first reading (see Kommersant dated 10 January).

In one of the documents, the ADB calls the measure discriminatory, since government institutions do not have a turnover and, accordingly, it is impossible to collect this fine from them, unlike commercial organizations. That is, “the commission of the same offense entails different liability for the first and second, which is a violation of the constitutional principle of equality of all before the law and the court,” the ADB emphasizes. The letter provides examples where leaks occurred specifically from state and municipal institutions.

In addition, as another letter states, turnover fines “could have negative consequences for information security companies and the IT industry as a whole.” A credit institution interacts with many services, the ADB explains, and in all cases files are exchanged automatically. Thus, if the system of one of the exchange participants is penetrated, “there is a high probability of infection or theft of data from other participants.” Under established judicial practice, an administrative fine counts as real damage, the ADB clarifies, which means recourse claims can be brought against the counterparty.

The Ministry of Digital Development did not respond to Kommersant’s request.

As Alexey Voylukov, acting president of the ADB, explained to Kommersant, a situation in which liability for leaks is significantly tightened for commercial organizations while government agencies remain virtually unpunished “appears unfair.” In his opinion, it is possible to abandon turnover fines and “fix the range that is currently indicated in the law – 20–500 million rubles.”

At the same time, Mr. Voylukov considers the upper threshold of the fine “totally excessive, since, for example, a large bank, having received such a fine, can bring a regressive claim against the supplier company from which it received the software that caused the leak.” For most of these companies, a fine of hundreds of millions of rubles “will lead to bankruptcy,” believes Alexey Voylukov.

The head of the National Council of the Financial Market, Andrei Emelin, adds that a turnover fine as a sanction presupposes that the violator derives economic benefit from his behavior: “Such a fine is actually aimed at withdrawing funds received in the form of economic benefits as a result of illegal actions.”

However, leaks of personal data only result in losses for the companies and banks that allowed them, since they are associated with direct and indirect costs – they entail damage to the IT infrastructure, business processes, cause reputational damage, and lead to an outflow of clients, Mr. Emelin emphasizes. The entire set of losses, taking into account turnover fines, in his opinion, “can lead to business suspension and even bankruptcy.”

The head of the consulting and audit department of Angara Security, Alexander Khonin, confirms that if the bill is adopted in its current version, risks arise for all market participants, including IT companies.

“In some cases, data leaks do not cause any harm to their owners, and such aspects should be taken into account when determining both the size of the fine and the general need for its application,” believes Mr. Khonin. In his opinion, the bill requires improvement “both in terms of defining the general mechanisms for applying turnover fines and individual criteria for issuing them.”

Maxim Builov, Tatyana Isakova
