Turnover penalty for data breach
Maksut Shadayev said at the presidential meeting of the Communist Party faction in the State Duma that the Russian Ministry of Digital Development has prepared a bill that imposes fines of up to 3% of a company's annual turnover for leaking the personal data of citizens. According to him, the initiative is being discussed with representatives of the IT industry.
“The Ministry of Digital Development has drafted a law on turnover penalties, there are quite serious fines – up to 3% of turnover is given if the company did not ensure the security of data,” Shadayev said.
In assessing the State Duma’s initiative, he announced that the ministry would insist on correcting several extenuating circumstances. According to him, first of all, it is necessary to take into account that “the company certifies all its infrastructure, strengthens safety measures and voluntarily proves that investments in protective equipment are made”. The head of the Ministry of Digital Development is confident that this will show that the organization has done “the maximum that can be done”.
“And secondly, whether the company will compensate for the damage done to citizens with their data (leaked – socialbites.ca). If, respectively, two-thirds of the citizens (company – socialbites.ca) are adjudicated and compensated out of court, this will also be an extenuating circumstance,” the minister stressed.
According to him, this initiative does not aim to raise more money for the budget. He believes turnover penalties will only “force companies to invest more in security”.
In addition, the Ministry of Digital Development plans to introduce liability for companies that hide leaks, with a larger fine than for the leak itself.
Currently, businesses are fined from 60 to 500 thousand rubles for the leakage of personal data.
A week ago, on December 7, President Vladimir Putin agreed at a meeting with members of the HRC that the country should tighten responsibility for leaking personal data.
“Probably, there is a need to toughen responsibility for crimes in this area. As for turnover fines and criminal liability, I understand that you are talking about criminal liability for illegal circulation (stolen data – socialbites.ca), because those who use this data should know and understand that they are using stolen data,” he said.
Leaks in Yandex.Food & Delivery Club
On March 1, the Yandex.Food security service reported a data leak.
“As a result of dishonest actions of one of the employees, information about customers’ phone numbers and orders was published on the Internet: composition, delivery time, etc. The leak did not affect users’ banking, payment and registration data, i.e. logins and passwords. These data are secure. The service team apologizes to the users”.
The company said that after an internal audit, Yandex is “tightening its approach to storing sensitive information, including those related to orders.”
“Manual processing of such data will be eliminated and the number of employees with access to information about orders will be reduced by at least three times. Legal action will be taken against the employee responsible for the leak. Also, Yandex.Food filed a complaint with law enforcement about unauthorized access to customer data,” the company’s security service concluded.
In April, the company was fined 60 thousand rubles. On August 3, the magistrate of the judicial district of Moscow’s Zamoskvorechye district fined Yandex.Food 60 thousand rubles for the same leak of user data, as stated by the company.
A similar situation occurred with the Delivery Club food delivery service. At the end of May, reports appeared on Telegram channels and in the media that files containing the personal data of the service's couriers had been made public. It was announced that a total of 521.5 thousand lines including the names, e-mail addresses and phone numbers of the couriers were leaked.
According to RIA Novosti, under the first part of Article 13.11 of the Code of Administrative Offenses of the Russian Federation, the service was threatened with a fine of 60 to 100 thousand rubles. On August 18, the Moscow Airport district court fined Delivery Club 80,000 rubles for violating Russian legislation in the field of personal data.
Leaks at DNS and Vkusvill
On December 6, DNS, a major Russian electronics chain, confirmed that employee data had been leaked, including names, work email addresses and phone numbers. The company explained to RIA Novosti that Roskomnadzor had carried out an inspection and the chain was held responsible.
At the same time, DNS announced that “the eviction was the result of an attack by a hacker group in October 2022.”
The company emphasized that they have taken measures to prevent similar cases in the future.
On December 9, Vkusvill’s press service told the agency that the personal data of some of the store’s customers – their phone numbers, email addresses and the last four digits of a bank card number – had become public.
“We learned about the leak on the night of 8-9 December. Our experts independently discovered the situation and immediately took measures to rectify it. We’ve noticed that files containing publicly available data from some of our customers have been compromised by third parties.”