Big Data Association proposes not to penalize companies for imaginary leaks of personal data

The publication of databases with personal data, independently disclosed by their subjects, should not lead to prosecution for leaks, according to the Big Data Association (ABD, unites Yandex, VK, Rostelecom, MegaFon, etc.). The business proposed introducing such a clause into the turnover fines bill sent to the government and establishing penalties for fake leaks. Experts note that specialists can easily distinguish the compilation of public information from leaked databases, and restrictions on the dissemination of data on incidents will create risks of pressure on the media.

“Kommersant” got acquainted with the recall of the ADB on turnover fines bill for the leakage of personal data. A letter dated August 4 was sent to the government apparatus, the Ministry of Digital Development, the Ministry of Economy and the Ministry of Justice. The Association, in particular, notes the risk of holding companies liable when compilations of data independently disclosed by their subjects appear in the public domain. Such compilations are already being published under the guise of leaks, the letter says.

After the outbreak of hostilities in Ukraine, the data of users of many large Russian services (Yandex.Food, SDEK, Ozon, etc.) became publicly available. In a number of cases, companies and organizations featured in leak reports claimed that the databases were collected from old, already published data. This, in particular, was announced in January and February 2023 by Russian Post and SberLogistics.

Creating compilations of public data is not considered a violation of the law, and companies affected by “false leaks” are deprived of the opportunity to compensate legal costs from the creators of databases.

• The DBA proposes to include a clause in the draft law, according to which the provisions of the article on punishment for leakage “do not apply to cases of self-disclosure of data to an indefinite circle of persons by the subject of personal data”. Without it, the document creates risks for social networks, instant messengers and companies that are required to disclose employee data, according to the ABD.
• They also propose to introduce into the Code of Administrative Offenses of the Russian Federation liability for knowingly false information about the leakage of personal data and falsification of evidence of leaks.

The government apparatus and the Ministry of Justice told Kommersant that the letter had not been received, the rest of the addressees did not respond to requests.

The rarer real data leaks occur, the more often compilations appear on the network, now up to ten such databases are published monthly, says Ashot Oganesyan, founder of the DLBI data leak intelligence and darknet monitoring service: “They are sold most often under the guise of supposedly new leaks, the demand for which is formed novice scammers who are not very versed in what they are buying. According to him, it is almost impossible to pass off a compilation as an original database, because the data from the original databases is unique: “Even a superficial analysis of the database by cybersecurity specialists allows us to accurately determine whether it is a leak or a compilation.”

Mr. Hovhannisyan adds that enriched databases (made up of several separate databases combined by phone numbers or mail addresses) also belong to compilations, but they are not in great demand: “Such databases are mainly of interest to marketers and spammers.”

The idea to introduce punishment for reporting a leak “will create conditions for pressure on the media,” said Vladimir Ozhereliev, head of the DRC intellectual property practice. But Positive Technologies cybersecurity business consultant Aleksey Lukatsky believes that it will be difficult to apply the article about “fake leaks” to the media: “Those who sue the media will have to prove that the information was deliberately published falsely. It’s hard to prove it.” Leak reports, the expert added, are mostly published in anonymous channels, so the proposed Code of Administrative Offenses “is unlikely to greatly affect the current situation.”

Yuri Litvinenko