Business will be taken in half a turn – Newspaper Kommersant No. 240 (7441) dated 12/26/2022

As it became known to Kommersant, for turnover fines for leaks of personal data, which are provided for by the draft law of the Ministry of Digital Development, an upper limit of 500 million rubles can be set, and a lower limit of 5 million rubles. Experts believe that fines will push companies to increase security measures, but market participants warn that the initiative could lead to the “fragmentation” of Russian business, for example, into regional divisions in order to reduce the revenues subject to fines.

The Ministry of Digital Development has finalized a bill on turnover fines for leaks of personal data in companies, sources told Kommersant. The size of the fine in the current version of the project is provided in the range from 5 million to 500 million rubles, clarified the interlocutor of Kommersant, who is familiar with the final version of the document. He explains that the “upper ceiling” is provided if the company has leaked data again since the entry into force of the law and violated a number of regulatory requirements, for example, tried to hide the incident. Within the range, Kommersant’s interlocutors say, the fine will be calculated from the amount of the company’s revenue for the calendar year preceding the year in which the incident was detected. If adopted, the initiative should come into force in September 2023. The Ministry of Digital Development did not answer “Kommersant”.

Minister Maksut Shadayev, at a meeting with the presidium of the Communist Party faction in the State Duma on December 14, stated that a fine of up to 3% of the company’s annual turnover is provided for non-compliance with the safety of personal data. Mitigating circumstances, he said, would be “reimbursement of damage to two-thirds of those affected by the leak,” as well as certification of “the entire infrastructure in accordance with safety requirements.”

According to Kaspersky Lab, the amount of personal data that got into the network as a result of the largest leaks in 2022 exceeded 1.5 billion records (see Kommersant of December 16). Among the latest leaks are from the Main Radio Frequency Center subordinate to Roskomnadzor and the Citymobil taxi service. As a result of the latter, 4 thousand photos of passports belonging to drivers appeared on the network, the company acknowledged the incident (see Kommersant on December 23).

The establishment of large fines is intended to increase the level of security for the processing of personal data, “it used to be cheaper to pay a fine than to introduce protection measures if the leakage of personal data does not entail reputational risks,” says Irina Zinovkina, consulting director at InfoWatch Group. As a result, the expert believes, the implemented measures, both technical and organizational, are not enough.

The initiative encourages companies to “revise what needs to be done in terms of data protection, and possibly strengthen security measures somewhere,” says Lev Fisenko, executive director of Cross Technologies. However, according to him, the question remains what will happen to state organizations. “Incidents with database leaks also occur in them, will similar penalties be imposed and how will they be calculated if non-profit organizations do not have working capital and, accordingly, revenue?” he says.

Amount RUB 500 mln. in the case of maximum responsibility of the company, it will be significant even for a large company, says the interlocutor of Kommersant in the IT industry. He questions the notion of repetition of a violation: “Intruders compile databases that they publish on the network, and their publication does not always mean a violation of data storage rules.”

The introduction of turnover fines for businesses could lead to a “splintering of companies” in order to reduce the base in case of possible leaks, including by regional divisions or areas of activity, according to a Kommersant source in one of the IT companies. “So, a large company can divide delivery, specialized services and core business so that the revenue of each individual legal entity decreases markedly and, accordingly, the percentage of it is lower,” he notes. But Kommersant’s interlocutor believes that companies will comprehensively assess such a step and the associated risks, since the “fragmentation” entails serious legal and financial changes.

Tatyana Isakova