“Business Russia” proposed to the State Duma to distribute and mitigate responsibility for personal data leaks

The public organization “Business Russia” has sent the State Duma proposals to soften the liability of personal data operators for leaks, in particular to cut the maximum fine by an order of magnitude, from 500 million to 50 million rubles. The proposals also cover sharing the responsibility of the company that suffered the leak with its data protection solution provider. Cybersecurity market participants predictably counter that the data operator is responsible for how it uses their products. Reducing the fines, experts and deputies believe, would weaken the effectiveness of the measures.

“Kommersant” got acquainted with the proposals of “Business Russia” for the bill on turnover fines for leaks of personal data (adopted in the first reading on January 23), sent to the State Duma on February 2. In particular, the organization considers it necessary to reduce the maximum fines for companies to 50 million rubles.

According to the current version of the bill, basic fines for legal entities will be 3–5 million rubles if the leak contained data of up to 10 thousand subjects, 5–10 million rubles if the volume was up to 100 thousand subjects, and 10–15 million rubles if the volume exceeded 100 thousand subjects. The maximum fine for repeated leaks is set at 0.1–3% of annual revenue, but not more than 500 million rubles.

The Business Russia draft also provides for mitigating circumstances for operators, for example confirmed investment in cybersecurity of at least 0.1% of annual revenue for three or more years before the incident. The current version of the bill contains no mitigating circumstances, although they were discussed during its preparation (see “Kommersant” dated December 4, 2023).

Moreover, Business Russia (Delovaya Rossiya) wants to introduce “joint and several” liability of the data operator and its cybersecurity service provider: if the operator committed no violations in its use of the data protection systems, it is the vendor that should be punished: “This encourages market participants to provide services at the proper level.” To introduce liability for vendors, the text of the bill would need to be supplemented with a new part of Article 18.

“At the stage of preparing the bill and now, before the second reading, we maintain a dialogue with the business community; many proposals turned out to be constructive,” says Alexander Khinshtein, head of the State Duma Committee on Information Policy, Communications and IT. “But we often hear from companies that the size of the proposed fines is unreasonably high and can lead to large losses; I strongly disagree with this.” Without increasing responsibility for data incidents, the deputy emphasized, “it is impossible to force businesses to invest in cybersecurity.”

The desire to reduce the fine tenfold is understandable, but under current conditions this is unlikely, believes Positive Technologies business consultant Alexey Lukatsky. A reduction in the amount would also reduce the motivation of personal data operators to invest in cybersecurity, he admits.

But the mechanism for calculating fines could be defined more clearly, market participants note. “Currently, the amount of fines is tied to the size of a company’s revenue without taking into account the specifics of its work,” notes Nikita Aronov, marketing director of MTS RED. “For example, in holding companies, a leak may affect only a separate segment, while liability is expected to extend to the entire holding.” In his opinion, it would be reasonable to supplement the bill with a list of data protection measures whose implementation could serve as a mitigating circumstance when deciding the amount of a fine in each specific case.

Mr. Lukatsky supports the proposal for joint liability of data protection solution providers and operators: “This is the only way to improve the quality of both products and services.” The suppliers themselves, however, believe they should not be held responsible at all. If responsibility is to be shared, emphasizes Alexander Baryshnikov, director of the consulting and audit department at Informzashchita, “it will be between the operator and the party to whom it transfers the data, but not with information security companies.”

Tatiana Isakova, Venera Petrova
