The fine is calculated based on revenue – Kommersant FM

Banks opposed the introduction of turnover fines for personal data leaks. The National Financial Market Council sent such a letter to the Central Bank, the Ministry of Digital Development and the State Duma. The bill on penalties for businesses entered the lower house of parliament at the end of 2023. According to the authors, the size of the fine will depend on the number of victims. For example, if more than 1 thousand records are publicly available, the company will pay up to 5 million rubles. The maximum fine is 15 million rubles.

In case of repeated violation, the business will have to pay from 0.1% to 3% of annual revenue. In this case, the fine cannot exceed 0.5 billion rubles. It is unjustified to apply turnover fines for violations related to data leaks, noted Andrei Emelin, Chairman of the National Financial Market Council:

“The only area where this is now applied and seems justified is antimonopoly legislation, where such a sanction is provided for cases of abuse in the market. That is, if, as a result of some illegal actions, the organization receives economic benefits. Only then does this organization have something to seize in the form of a turnover fine.

It is obvious that the theft of personal data from an organization has nothing to do with compensation for some kind of profit, but, on the contrary, with large-scale losses (financial, reputational, legal claims), if demands are made against them from the subjects of personal data, and we are on top of them we finish with a turnover fine.

The developers offer completely incomparable figures. We are dealing with the Code of Administrative Offences, and suddenly the application of sanctions is proposed, comparable in size to the main criminal penalties.

Among other things, the project does not take into account the specifics of credit institutions, for which it is generally very difficult to count turnover, because they manage other people’s money, unlike other legal entities.

And that is why, for example, fines for credit institutions are calculated based on the minimum authorized capital, and not at all on their turnover.”

Turnover fines can encourage companies to spend more money on information security, noted Roman Yankovsky, a lawyer and partner at Tomashevskaya and Partners. In addition, according to him, companies come up with their proposals for the bill because they fear the harshness of its application:

“Large companies that are not ready to pay a turnover fine find many arguments, saying, why is the fine 500 million rubles, and not 50 million rubles; why this percentage and not another; why is the different ratio of turnover to profit not taken into account, and finally, why do you think that turnover fines will be better at dealing with leakages than fixed ones? It seems to me that this is a matter of political will, because, of course, it is not companies who suffer from leaks, but citizens.

In general, this is a philosophical question: how to calculate in money the damage that citizens suffered if attackers used only part of the data? It seems to me that in such situations, turnover fines can draw the company’s attention to security problems and stimulate them, because with the current fines they have no particular interest in changing anything.

If we look at European practice, they have a different approach depending on whether the company was directly to blame for the data leak and to what extent, that is, whether security standards were followed, what data was obtained, how tangible it was. All this must be assessed together.

These issues need to be resolved at the level of application of the law. The fact that our companies are trying to prevent the very operation of this law speaks both of their desire to limit their risks and of distrust of law enforcement officials; they literally say that they are afraid that government agencies will always calculate fines to the maximum.”

For information leaks from banks, it is also proposed to disqualify top managers, we are talking about deputy chairmen for information security. This is a relatively new position, introduced by presidential decree in 2022.

As Izvestia wrote in mid-January, the bill was developed with the participation of the Central Bank, and now it must be approved by various departments. This applies not only to banks, but also to pension funds, microfinance organizations and insurance companies.

---

Everything is clear with us – Telegram channel “Kommersant FM”.

Elena Ivanova